Separation Logic 2/4. Chapter 7. Preservation of independent state. The frame rule. The Frame Rule. Arthur Charguéraud.

Size: px

Start display at page:

Download "Separation Logic 2/4. Chapter 7. Preservation of independent state. The frame rule. The Frame Rule. Arthur Charguéraud."

Priscilla Stanley
5 years ago
Views:

1 Separation Logic 2/4 Arthur Charguéraud Chapter 7 The Frame Rule Febuary 8th, / 75 2 / 75 Preservation of independent state The frame rule We have: tr ÞÑ 2u pincr rq tλ. r ÞÑ 3u Principle: a triple remains valid when both the pre-condition and the post-condition are extended with a same heap predicate. We also have: tr ÞÑ 2 s ÞÑ 7u pincr rq tλ. r ÞÑ 3 s ÞÑ 7u More generally: tr ÞÑ 2 Hu pincr rq tλ. r ÞÑ 3 Hu General form: th 1 u t tλx. H 1 1u th 1 H 2 u t tλx. H 1 1 H 2 u 3 / 75 4 / 75

2 Frame rule and allocation Length of a mutable list, recursively We have: t r s u pref 3q tλr. pr ÞÑ 3qu By the frame rule, we have: ts ÞÑ 5u pref 3q tλr. pr ÞÑ 3q ps ÞÑ 5qu let rec mlength (p: a cell) = if p == null then 0 else let n = mlength p.tl in 1 + n Specification: This post-condition ensures r tp Mlist Lu pmlength pq tλn. rn length Ls p Mlist Lu The reference cell r is thus guaranteed to be distinct from any cell that might exist prior to the allocation of r. We prove this specification by induction on L. 5 / 75 6 / 75 Verification of mlength: nil case Verification of mlength: frame tp Mlist Lu pmlength pq tλn. rn length Ls p Mlist Lu Case p null. Goal is: tp Mlist Lu p0q tλn. rn length Ls p Mlist Lu Assume L x :: L 1. Exploit: p Mlist L pre-condition null Mlist L Ź rl nils null Mlist L p t hd=x; tl=p 1 u p 1 Mlist L 1 by unfolding and: 0 length nil p 1 Mlist L 1 p 1 Mlist L 1 rn 1 L 1 s frame begins by induction p t hd=x; tl=p 1 u p 1 Mlist L 1 rn 1 L 1 s frame ends p Mlist L rn 1 ` 1 x :: L 1 s by folding p Mlist L rn L s post-condition 7 / 75 8 / 75

3 Instantiation of the frame rule Verification of in-place increment Induction hypothesis: By the frame rule: tp 1 Mlist L 1 u pmlength p q tλn 1. rn length L 1 s p 1 Mlist L 1 u tp 1 Mlist L 1 p t hd=x; tl=p 1 u u pmlength p q tλn. rn length L 1 s p 1 Mlist L 1 p t hd=x; tl=p 1 u u let rec list_incr (p: a cell) = if p!= null then begin p.hd <- p.hd + 1; list_incr p.tl tp Mlist Lu plist incr pq tλ. p Mlist pmap p`1q Lqu Exercise: describe the frame process for in-place increment. 9 / / 75 Verification of in-place increment: frame process Specification of tree tp Mlist Lu plist incr pq tλ. p Mlist pmap p`1q Lqu Assume L x :: L 1. p Mlist L pre-condition p t hd=x; tl=p 1 u p 1 Mlist L 1 by unfolding p t hd=x ` 1; tl=p 1 u p 1 Mlist L 1 incrementing p 1 Mlist L 1 frame begins p 1 Mlist pmap p`1q L 1 q by induction p t hd=x ` 1; tl=p 1 u p 1 Mlist pmap p`1q L 1 q frame ends p Mlist ppx ` 1q :: pmap p`1q L 1 qq by folding p Mlist pmap p`1q Lq by rewriting post-condition 11 / 75 let rec copy (p:node) : node = if p == null then null else let p1 = copy p.left in let p2 = copy p.right in { item = p.item; left = p1 ; right = p2 } Exercise: specify the tree copy tp Mtree T u pcopy pq tλp 1. p Mtree T p 1 Mtree T u Exercise: describe the frame process for tree copy. 12 / 75

4 Verification of tree copy: frame process p Mtree T by pre-condition p ÞÑ t x; p 1 ; p 2 u p 1 Mtree T 1 p 2 Mtree T 2 by unfolding p 1 Mtree T 1 frame begins p 1 Mtree T 1 p 1 1 Mtree T 1 by induction p ÞÑ t x; p 1 ; p 2 u p 1 Mtree T 1 p 2 Mtree T 2 p 1 1 Mtree T 1 frame ends p 2 Mtree T 2 frame begins p 2 Mtree T 2 p 1 2 Mtree T 2 by induction p ÞÑ t x; p 1 ; p 2 u p 1 Mtree T 1 p 2 Mtree T 2 p 1 1 Mtree T 1 p 1 2 Mtree T 2 frame ends p ÞÑ t x; p 1 ; p 2 u p 1 Mtree T 1 p 2 Mtree T 2 p 1 ÞÑ t x; p 1 1 ; p1 2 u p1 1 Mtree T 1 p 1 2 Mtree T 2 by allocation p Mtree T p 1 Mtree T by folding Summary th 1 u t tλx. H 1 1u th 1 H 2 u t tλx. H 1 1 H 2 u frame In-place mutable list increment, when L x :: L 1. p Mlist L p t hd=x; tl=p 1 u p 1 Mlist L 1 by unfolding p t hd=x ` 1; tl=p 1 u p 1 Mlist L 1 p 1 Mlist L 1 p 1 Mlist pmap p`1q L 1 q p t hd=x ` 1; tl=p 1 u p 1 Mlist pmap p`1q L 1 q p Mlist ppx ` 1q :: pmap p`1q L 1 qq p Mlist pmap p`1q Lq incrementing frame begins by induction frame ends by folding by rewriting 13 / / 75 Small footprint access to records p t hd=v; tl=q u p.hd ÞÑ v p.tl ÞÑ q Chapter 8 Small footprint specifications Specification of a write on the head field: tp t hd=w; tl=q u u pp.hd <- vq tλ. p t hd=v; tl=q u u Same, but with a smaller footprint: or tp.hd ÞÑ wu pp.hd <- vq tλ. p.hd ÞÑ vu tp.hd ÞÑ u pp.hd <- vq tλ. p.hd ÞÑ vu From small to large footprint using frame: tp.hd ÞÑ w p.tl ÞÑ qu pp.hd <- vq tλ. p.hd ÞÑ v p.tl ÞÑ qu 15 / / 75

5 Representation predicate for arrays Representation predicate for C arrays: ç p Array L pris ÞÑ v v at index i in L where: pris ÞÑ v pp ` iq ÞÑ v Representation predicate for ML arrays: ç p Array L p.length ÞÑ L pris ÞÑ v v at index i in L where p.length ÞÑ n and pris ÞÑ v are abstract definitions for the user. Small footprint specifications of array operations i P dom L ñ tp Array Lu parray.get i pq tλx. rx Lriss p Array Lu tp Array Lu parray.set i p vq tλ. p Array plri : vsqu tp Array Lu parray.length pq tλn. rn L s p Array Lu Exercise: give small footprint specifications for array operations. How to derive the large footprint specifications from them? tpris ÞÑ vu parray.get i pq tλx. rx vs pris ÞÑ vu tpris ÞÑ u parray.set i pq tλ. pris ÞÑ vu tp.length ÞÑ nu parray.length pq tλx. rx ns p.length ÞÑ nu p Array L pris ÞÑ Lris p.length ÞÑ L Ç v at index j in L with j i prjs ÞÑ v 17 / / 75 Access to a memory cell Quicksort code In C, record and array accesses are treated uniformly: p.hd = v compiles to *(p+hd)=v p[i] = v compiles to *(p+i)=v Common small footprint specification for accessing a memory cell: tp ÞÑ u p*p = vq tλ. p ÞÑ vu tp ÞÑ vu p*pq tλx. rx vs p ÞÑ vu All other specifications for read and write operations are derivable. let rec qsort i j t = if j - i > 1 then begin let m = pivot i j t in qsort i (m-1) t; qsort (m+1) j t; end 19 / / 75

6 Large-footprint specification of where: sortedseg i j L 1 0 ď i ď j ă L ñ tp Array Lu pqsort i j pq tλ. DL 1. pp Array L 1 q rsortedseg i j L 1 s rpermut L L 1 s r@a P [0, iq Y pj, L q. L 1 ras b P [i, j]. a ď b ñ L 1 ras ď L 1 rbs. u Group of array cells Definition æ p Cells M pris ÞÑ v pi,vqpm where M has type map int A, for some A. Conversions: p Array L p.length ÞÑ L p Cells pmapoflist Lq p Cells H r s p Cells tpi, vqu pris ÞÑ v p Cells pm 1 Z M 2 q p Cells M 1 p Cells M 2 pwhen M 1 KM 2 q where: mapoflist L tpi, vq v at index i in Lu. 21 / / 75 Small-footprint specification of quicksort Segment splitting in Quicksort Exercise: give a small-footprint specification for quicksort. use p Cells M with some constraints to describe a segment, use sortedseg i j M to assert that a segment is sorted, use permut M M 1 to assert that values in a segment are dom M [i, j] ñ tp Cells Mu pqsort i j pq tλ. DM 1. p Cells M 1 rsortedseg i j M 1 s rpermut M M 1 s u Assume dom M [i, j] with j i ą 1. Then: p Cells M p Cells pm [i,m 1] q p Cells pm [m,m] q p Cells pm [m`1,j] q Note that: p Cells pm [m,m] q prms ÞÑ Mrms In recursive calls, we frame over the cells that are not involved. 23 / / 75

7 Operations on groups of cells Convenient specifications for operating directly on groups of cells: Summary Representation of a full array using a list: p Array L p.length ÞÑ L ç v at index i in L pris ÞÑ v i P dom M ñ tp Cells Mu parray.get i pq tλx. rx Mriss p Cells Mu tp Cells Mu parray.set i p vq tλ. p Cells pmri : vsqu Small footprint accesses: tpris ÞÑ u parray.get i pq tλ. pris ÞÑ vu tpris ÞÑ vu parray.set i p vq tλx. rx vs pris ÞÑ vu tp.length ÞÑ nu parray.length pq tλx. rx ns p.length ÞÑ nu Representation of a set of array cells using a finite map: æ p Cells M pris ÞÑ v pi,vqpm 25 / / 75 Definition of Hprop Chapter 9 Heap entailment Let: For example: Hprop Heap Ñ Prop r s : Hprop l ÞÑ v : Hprop H 1 H 2 : Hprop In particular: p q : Hprop Ñ Hprop Ñ Hprop 27 / / 75

8 The separation algebra Extensionality Associativity: ph 1 H 2 q H 3 H 1 ph 2 H 3 q Commutativity: H 1 H 2 H 2 H 1 Functional extensionality: Propositional extensionality: p@x. f x g xq ñ pf gq pif f,g:añbq Neutral element: H r s H pp ô Qq ñ pp Qq pif P,Q:Propq Predicate extensionality: Extrusion of existentials: pdx. H 1 q H 2 Dx. ph 1 H 2 q pif xrh 2 q p@x. P x ô Q xq ñ pp Qq pif P,Q:AÑPropq Extrusion of pure facts: prp s Hq m P ^ ph mq Heap predicate extensionality: p@m. H m ô H 1 mq ô ph H 1 q pif H,H 1 :Hpropq 29 / / 75 Heap entailment Heap entailment as a partial order Definition: H 1 Ź H H 1 m ñ H 2 m H 1 Ź H H 1 m ñ H 2 m For example: pr ÞÑ 6q Ź Dn. pr ÞÑ nq reven ns Thanks to pźq, we never need to manipulate heaps explicitly. The relation pźq defines a partial order on the type Hprop: reflexivity H Ź H transitivity H 1 Ź H 2 H 2 Ź H 3 H 1 Ź H 3 antisymmetry H 1 Ź H 2 H 2 Ź H 1 H 1 H 2 31 / / 75

9 Frame property for heap entailment Heap implications: true or false? For example, to prove: it suffices and prove: H 1 Ź H 1 1 H 1 H 2 Ź H 1 1 H 2 entail-frame pr ÞÑ 2q ps ÞÑ 3q Ź pr ÞÑ 2q pt ÞÑ nq ps ÞÑ 3q Ź pt ÞÑ nq. 1. pr ÞÑ 3q ps ÞÑ 4q Ź ps ÞÑ 4q pr ÞÑ 3q 2. pr ÞÑ 3q Ź ps ÞÑ 4q pr ÞÑ 3q 3. ps ÞÑ 4q pr ÞÑ 3q Ź pr ÞÑ 4q 4. ps ÞÑ 4q pr ÞÑ 3q Ź pr ÞÑ 3q 5. rfalses pr ÞÑ 3q Ź ps ÞÑ 4q pr ÞÑ 4q 6. pr ÞÑ 4q ps ÞÑ 3q Ź rfalses 7. pr ÞÑ 4q pr ÞÑ 3q Ź rfalses 8. pr ÞÑ 3q pr ÞÑ 3q Ź rfalses true false false false true false true true 33 / / 75 Instantiation of existentials and propositions pr ÞÑ 6q Ź pdn. pr ÞÑ nq reven nsq To prove the above, we exhibit an even number n for which r ÞÑ n. Rules: H 1 Ź prx Ñ vs H 2 q ph 1 Ź H 2 q P exists-r H 1 Ź pdx. H 2 q H 1 Ź ph 2 rp sq prop-r Example: pr ÞÑ 6q Ź pr ÞÑ 6q refl even 6 math prop-r pr ÞÑ 6q Ź pr ÞÑ 6q reven 6s pr ÞÑ 6q Ź rn Ñ 6s ppr ÞÑ nq reven nsq subst pr ÞÑ 6q Ź Dn. pr ÞÑ nq reven ns exists-r Extraction of existentials and propositions pdn. reven ns pr ÞÑ nqq Ź pdm. reven ms pr ÞÑ m ` 2qq To prove the above, we show that for any even number n, we have: pr ÞÑ nq Ź Dm. reven ms pr ÞÑ m ` 2q Reasoning ph 1 Ź H 2 q P ñ ph 1 Ź H 2 q exists-l prop-l pdx. H 1 q Ź H 2 prp s H 1 q Ź H 2 Same with explicit proof contexts: Γ, x : A $ H 1 Ź H 2 Γ $ pdpx : Aq. H 1 q Ź H 2 pxrh 2 q Γ, h : P $ H 1 Ź H 2 Γ $ prp s H 1 q Ź H 2 35 / / 75

10 Heap implications: true or false? Proving heap entailment relations 1. pr ÞÑ 3q Ź Dn. pr ÞÑ nq 2. Dn. pr ÞÑ nq Ź pr ÞÑ 3q 3. Dn. pr ÞÑ nq rn ą 0s Ź Dn. rn ą 1s pr ÞÑ pn 1qq 4. pr ÞÑ 3q ps ÞÑ 3q Ź Dn. pr ÞÑ nq ps ÞÑ nq 5. Dn. pr ÞÑ nq rn ą 0s rn ă 0s Ź pr ÞÑ nq pr ÞÑ nq true false true true true Systematic approach to dealing with heap entailment: 1. extract from left hand side, 2. instantiate in right hand side, 3. cancel equal predicates on both sides. Example: a : int, a ą 5 $ pr ÞÑ 3q ps ÞÑ aq Ź pr ÞÑ 3q ps ÞÑ aq a : int, a ą 5 $ pr ÞÑ 3q ps ÞÑ aq Ź pr ÞÑ 3q ps ÞÑ 3 ` pa 3qq a : int, a ą 5 $ pr ÞÑ 3q ps ÞÑ aq Ź Dm. pr ÞÑ 3q ps ÞÑ 3 ` mq a : int, a ą 5 $ pr ÞÑ 3q ps ÞÑ aq Ź Dnm. pr ÞÑ nq ps ÞÑ n ` mq H $ Da. ra ą 5s pr ÞÑ 3q ps ÞÑ aq Ź Dnm. pr ÞÑ nq ps ÞÑ n ` mq H $ pr ÞÑ 3q Da. ra ą 5s ps ÞÑ aq Ź Dnm. ps ÞÑ n ` mq pr ÞÑ nq 37 / / 75 Summary p q is associative, commutative, and has r s as neutral element. Existentials and pure facts may be extruded from stars. pźq is a partial order, satisfying the frame property. rfalses Ź H is always true. Chapter 10 Structural rules pr ÞÑ nq pr ÞÑ mq is equivalent to rfalses. Strategy: extract from the right, instantiate on the left, then cancel out. 39 / / 75

11 Frame rule Consequence rule th 1 u t tλx. H 1 1u th 1 H 2 u t tλx. H 1 1 H 2 u H Ź H 1 th 1 u t tq 1 u Q 1 Ź Q consequence Reformulation: th 1 u t tq 1 u th 1 H 2 u t tq 1 H 2 u frame with the overloading: Q 1 Ź pq 1 x Ź Q xq with the overloading: Q H λx. pq x Hq Note that H and H 1 must cover the same set of memory cells, that is, no garbage collection is allowed here. Similarly for Q and Q / / 75 Recall the need for garbage collection Garbage collection rule let myref x = let r = ref x in let s = ref r in r thu t tq GCu gc-post where: GC DH 1. H 1 From: To: tr su pmyref xq tλr. r ÞÑ x Ds. s ÞÑ ru tr su pmyref xq tλr. r ÞÑ xu Same as: thu t tλx. pq x DH 1. H 1 qu Can the following rule be used? thu t tq H 1 u gc-post Observe that H 1 may depend on the return value x: For pλr. r ÞÑ x Ds. s ÞÑ rq, we may instantiate H 1 as pds. s ÞÑ rq. 43 / / 75

12 Garbage collection in the pre-condition th GCu t tqu gc-pre th H 1 u t tqu gc-pre Exercise: show that gc-pre is derivable from gc-post and frame. Combined structural rule H Ź H 1 th 1 u t tq 1 u Q 1 Ź Q consequence thu t tq GCu gc-post th 1 u t tq 1 u th 1 H 2 u t tq 1 H 2 u frame Proof: thu t tq GCu gc-post th 1 u t tq 1 u th 1 H 2 u t tq 1 H 2 u frame th GCu t tq GCu frame gc-post th GCu t tqu H H 1 H 2 th 1 u t tq 1 u Q 1 H 2 Q frame H Ź H 1 H 2 th 1 u t tq 1 u Q 1 H 2 Ź Q GC combined 45 / / 75 Extraction of existentials and propositions Application: copying a tree with invariants tdn. pr ÞÑ nq reven nsu p!rq tλx....u To prove the above, we need to show that: even n ñ tr ÞÑ nu p!rq tdx. Hu t tqu exists P ñ trp s Hu t tqu prop Specification of copy for binary trees: tp Mtree T u pcopy pq tλp 1. p Mtree T p 1 Mtree T u Description of complete binary trees: p MtreeComplete T Dn. pp Mtree T q rdepth n T s Exercise: give a specification of copy in terms of MtreeComplete; which rules are used to derive this specification? tp MtreeComplete T u pcopy pq tλp 1. p MtreeComplete T p 1 MtreeComplete T u 47 / / 75

13 Proof of the derived specification (1) By unfolding of MtreeComplete: tdn. pp Mtree T q rdepth n T su pcopy pq tλp 1. Dn. pp Mtree T q rdepth n T s Dn. pp 1 Mtree T q rdepth n T s u (2) By the exists and prop depth n T ñ tp Mtree T u pcopy pq tλp 1. Dn. pp Mtree T q rdepth n T s Dn. pp 1 Mtree T q rdepth n T s u (3) By the consequence rule: p Mtree T p 1 Mtree T Ź Dn. pp Mtree T q rdepth n T s Dn. pp 1 Mtree T q rdepth n T s (4) Conclude using comm., assoc., extrusion, and exists-r and prop-r. 49 / 75 Summary Structural rules: H Ź H 1 H 2 th 1 u t tq 1 u Q 1 H 2 Ź Q GC tdx. Hu t tqu exists Other structural rules are derivable. P ñ trp s Hu t tqu prop 50 / 75 Reasoning rule for sequences Chapter 11 Reasoning rules for terms Example: tr ÞÑ nu pincr rq tλ. r ÞÑ n ` 1u tr ÞÑ n ` 1u p!rq tλx. rx n ` 1s r ÞÑ n ` 1u tr ÞÑ nu pincr r;!rq tλx. rx n ` 1s r ÞÑ n ` 1u Exercise: complete the rule for sequences. t...u t 1 t...u t...u t 2 t...u thu pt 1 ; t 2 q tqu 51 / / 75

14 Reasoning rule for sequences Reasoning rule for let-bindings Solution 1: thu t 1 tλ. H 1 u thu pt 1 ; t 2 q tqu th 1 u t 2 tqu Exercise: complete the reasoning rule for let-bindings. t...u t 1 `t...u t 2 t...u thu plet x t 1 in t 2 q tqu Solution 2: thu t 1 tq 1 u tq 1 pqu t 2 tqu thu pt 1 ; t 2 q tqu seq Solution: thu t 1 tq 1 tq 1 xu t 2 tqu thu plet x t 1 in t 2 q tqu let Remark: Q 1 λ. H 1 is equivalent to Q 1 pq H / / 75 Example of let-binding thu t 1 tq 1 tq 1 xu t 2 tqu thu plet x t 1 in t 2 q tqu Exercise: instantiate the rule for let-bindings on the following code. Solution: tr ÞÑ 3u plet a =!r in a+1q tqu H pr ÞÑ 3q Q λx. rx 4s pr ÞÑ 3q Q 1 λy. ry 3s pr ÞÑ 3q Reasoning rule for values Example: Rule: t r s u 3 tλx. rx 3su t r s u v tλx. rx vsu val Exercise: state a reasoning rule for values using a heap implication. Solution:... Ź... thu v tqu H Ź Q v thu v tqu val-frame 55 / / 75

15 Derivability of the val-frame rule Reasoning rule for conditionals Proof: H Ź Q v thu v tqu val-frame H Ź Q v hypothesis t r s u v tλx. rx vsu x v ñ ph Ź Q xq subst thu v tλx. rx vs Hu prx vs Hq Ź pq xq prop-l def of Ź pλx. rx vs Hq Ź Q conseq thu v tqu Rule: pv true ñ thu t 1 tquq pv false ñ thu t 2 tquq thu pif v then t 1 else t 2 q tqu Transformation to A-normal form: pif t 0 then t 1 else t 2 q plet v t 0 in pif v then t 1 else t 2 qq 57 / / 75 Reasoning rule for top-level functions Verification of a simple function Rule: v 1 λx. t thu prx Ñ v 2 s tq tqu thu pv 1 v 2 q tqu Transformation to A-normal form: pt 1 t 2 q plet f t 1 in let v t 2 in pf vqq Specification: let incr r = let a =!r in r := tr ÞÑ nu pincr rq tλ. r ÞÑ n ` 1u Verification: Fix r and n. We need to prove that the body satisfies the specification: tr ÞÑ nu plet a =!r in r := a+1q tλ. r ÞÑ n ` 1u We conclude using the let-binding rule: Q 1 λx. rx ns pr ÞÑ nq. 59 / / 75

16 Reasoning rule for top-level recursive functions Verification of a recursive function Rule: v 1 μf.λx.t thu prf Ñ v 1 s rx Ñ v 2 s tq tqu thu pv 1 v 2 q tqu Specification of recursive functions may be established by induction. let rec mlength (p: a cell) = if p == null then 0 else let p = p.tl in let n = mlength p in 1 + n tp Mlist Lu pmlength pq tλn. rn L s p Mlist Lu We prove this specification by induction on L. Consider p and L. Apply the if rule. 61 / / 75 Verification of mlength: nil case Case p null. Goal is: tp Mlist Lu p0q tλn. rn L s p Mlist Lu Replace p with null. Rewrite null Mlist L to rl nils in the pre and the post. By the prop rule: Replace L with nil. L nil ñ tr su p0q tλn. rn L s rl nilsu Apply the val-frame rule. tr su p0q tλn. rn nil s rnil nilsu r s Ź r0 0s rnil nils Verification of mlength: cons case (1/2) Case p null. Goal is: tp Mlist Lu plet p = p.tl in let n = mlength p in 1 + n q tλn. rn L s p Mlist Lu Unfold Mlist in pre and post, and decompose L as x :: L 1 : p 1 Mlist L 1 p t hd=x; tl=p 1 u Apply the let-binding rule, and the read axiom. Remains: tp 1 Mlist L 1 p t hd=x; tl=p 1 u u plet n = mlength p in 1 + n q tλn. rn L s p 1 Mlist L 1 p t hd=x; tl=p 1 u u Apply the frame rule to remove: p t hd=x; tl=p 1 u. Apply the let-binding rule with : Q λn 1. rn 1 L 1 s p 1 Mlist L / / 75

17 Verification of mlength: cons case (2/2) Reasoning rule for local functions There remains to prove the two premises of the let-rule. First branch, exploit the induction hypothesis: tp 1 Mlist L 1 u pmlength p q tλn 1. rn L 1 s p 1 Mlist L 1 u Second branch: tp 1 Mlist L 1 rn 1 L 1 su p1 + n q tλn. rn L s p 1 Mlist L 1 u Apply the prop rule and the val-frame rule. n 1 L 1 ñ p 1 Mlist L 1 Ź r1 ` n 1 L s p 1 Mlist L 1 Cancel equal parts, conclude using L x :: L 1 1 ` L 1 1 ` n 1. Rule p...q ñ thu t 2 tqu thu plet rec f x t 1 in t 2 q tqu Hypothesis about 1 Q 1. th 1 u t 1 tq 1 u ñ th 1 u pf xq tq 1 u `@xh 1 Q 1. th 1 u t 1 tq 1 u ñ th 1 u pf xq tq 1 u ñ thu t 2 tqu thu plet rec f x t 1 in t 2 q tqu 65 / / 75 Summary t r s u v tλx. rx vsu thu t 1 tq 1 tq 1 xu t 2 tqu thu plet x t 1 in t 2 q tqu Summary of Course 2 v true ñ thu t 1 tqu v false ñ thu t 2 tqu thu pif v then t 1 else t 2 q `@xh 1 Q 1. th 1 u t 1 tq 1 u ñ th 1 u pf xq tq 1 u ñ thu t 2 tqu thu plet rec f x t 1 in t 2 q tqu 67 / / 75

18 Summary of chapter 7 th 1 u t tλx. H 1 1u th 1 H 2 u t tλx. H 1 1 H 2 u frame In-place mutable list increment, when L x :: L 1. p Mlist L p t hd=x; tl=p 1 u p 1 Mlist L 1 by unfolding p t hd=x ` 1; tl=p 1 u p 1 Mlist L 1 p 1 Mlist L 1 p 1 Mlist pmap p`1q L 1 q p t hd=x ` 1; tl=p 1 u p 1 Mlist pmap p`1q L 1 q p Mlist ppx ` 1q :: pmap p`1q L 1 qq p Mlist pmap p`1q Lq incrementing frame begins by induction frame ends by folding by rewriting Summary of chapter 8 Small footprint specification for C-style memory accesses: tp ÞÑ wu p*p = vq tλ. p ÞÑ vu tp ÞÑ vu p*pq tλx. rx vs p ÞÑ vu Representation of a full array using a list: p Array L p.length ÞÑ L ç v at index i in L Representation of a set of array cells using a finite map: æ p Cells M pris ÞÑ v pi,vqpm pris ÞÑ v 69 / / 75 Summary of chapter 9 Summary of chapter 10 p q is associative, commutative, and has r s as neutral element. pźq is a partial order, regular w.r.t. p q. rfalses Ź H is always true. pr ÞÑ nq pr ÞÑ mq is equivalent to rfalses. Strategy: extract from the right, instantiate on the left, then cancel out. Structural rules: H Ź H 1 H 2 th 1 u t tq 1 u Q 1 H 2 Ź Q GC tdx. Hu t tqu exists Other structural rules are derivable. P ñ trp s Hu t tqu prop 71 / / 75

19 Summary of chapter 11 Exercises t r s u v tλx. rx vsu thu t 1 tq 1 tq 1 xu t 2 tqu thu plet x t 1 in t 2 q tqu v true ñ thu t 1 tqu v false ñ thu t 2 tqu thu pif v then t 1 else t 2 q tqu Exam from 2015, Exercise 2: Operations on binary search trees. Available from the webpage of the `@xh 1 Q 1. th 1 u t 1 tq 1 u ñ th 1 u pf xq tq 1 u ñ thu t 2 tqu thu plet rec f x t 1 in t 2 q tqu 73 / / 75 The end! 75 / 75

Focus rules for segments. Focus and defocus rules for concatenation. Mlength with a while loop. Mlength with a while loop.

Focus rules for segments. Focus and defocus rules for concatenation. Mlength with a while loop. Mlength with a while loop. The function nth-cell Separation Logic Part 2 Returns the i-th cell of a list: Arthur Charguéraud February 2015 let rec nth_cell (i:int) (p: a cell) = if i = 0 then p else nth_cell (i-1) (p.tl) Why is