Theories of Programming Languages Assignment 5

Transcription

1 Theories of Programming Languages Assignment 5 December 17, Lambda-Calculus (see Fig. 1 for initions of = β, normal order evaluation and eager evaluation). (a) Let Ω = ((λx. x x) (λx. x x)), and M = (λx. λy. x x) Ω. i. Give the normal order evaluation sequence of M. ii. Does the eager evaluation of M terminate? If yes, give the whole evaluation sequence. Otherwise, give the first two steps of the evaluation and briefly explain why it does not terminate. (b) Let A = λx.λy.y(xxy), Θ = A A, and Y = λf.(λx.f(xx))(λx.f(xx)). i. (*) Show that for all F we have Θ F = β F (Θ F ); ii. Show that for all F we have Y F = β F (Y F ). 2. Below is the IMP language we have learned in class. (intexp) e ::= n x -e e+e e-e... where n represents natural numbers (boolexp) b ::= true false e=e e < e e < e... b b b b b... (comm) c ::= x := e skip c ; c if b then c else c while b do c Fill in the preconditions for the following specifications to make them valid. The preconditions should be as weak as possible. Then prove that the completed specifications could be derived from the Hoare-logic rules (see Fig. 2 in the appendix). In each step of your proof, you must show which rule is applied. You only need to select one from (a) and (b) below. (c) is required. (a) {?} while true do skip {true} (b) [? ] while true do skip [true] (c) (*) [? ] while (a > b) do (b := b + 1; y := x y) [y = x a ] 1

2 3. We extend the IMP language above with the following new commands, and get a new language IMP h. Selected rules for the operational semantics are given in the appendix (Fig. 3). (comm) c ::=... x := [e] [e] := e x := cons(e, e) dispose(e) repeat c until b (a) Let s 0 = {x 100, y 110} and h 0 =. Give two different execution sequences for the following command. One leads to a final heap containing a memory cell with value 3, and the other leads to a heap containing a memory cell with value 5. x := cons(3, 5) ; if (x = y) then dispose(y) else dispose(x + 1) (b) Give the operational semantics for the repeat command. (c) (*) We want a new instruction x := sbrk4, which allocates 4 consequtive memory cells with initial value 0. Different from cons, the starting address of the new memory cells will be max(dom(h)) + 1 if h, and 100 otherwise. Give the operational semantics for x := sbrk4. 4. Separation Logic. (a) The following two assertions are not valid (see Fig. 4 for assertion semantics). For each of them, find instantiations of p, q (and r), and the corresponding states in which the assertions are false. i. p r q r (p q) r; ii. (*) (p (p q)) q (b) We use SafeMono(c) and Frame(c) to represent c has safety monotonicity and the frame property, respectively. Their initions are given in the appendix (Fig. 4). i. Give a formal inition of SafeMono(c) using the predicate logic language (i.e. do not use any words of natural languages). You could use Safe(c, (s, h)) to represent c is safe at (s, h). ii. Let c be x := cons(e 1, e 2 ). Prove Frame(c) holds. iii. Is Frame(sbrk4) true? If yes, prove it; otherwise, explain why. Here sbrk4 is the command desribed in Problem 3 above. iv. (*) In the appendix (Fig. 4) we give another version of the frame property, i.e. Frm(c). Let c be x := cons(e 1, e 2 ). Is Frm(c) true? If yes, prove it; otherwise, explain why. 5. Let Γ =, c 0 = (y := [x + 1]), c 0 = (y := [x]), and c 1 = (z := [x]). (a) Fill in the preconditions of the judgment below. i. Γ {?}(c 0 c 1 ){(x m, n) y = n z = m} 2

3 ii. Γ {?}(c 0 c 1 ){(x m, n) y = m z = m} (b) (*) Concurrent separation logic does not allow simultaneous access of the same memory location, even if both access are read operations (like c 0 c 1 above). To support simultaneous read, we introduce fractional permissions e π n in the appendix (Fig. 5). To write a memory cell at location e, we need a full permission e 1 (which can be written as e ). To read, we only need e π for any 0 < π 1. i. Give the separation logic rules for (x := [e]), ([e] := e ) and c 1 c 2. For (x := [e]), assume x is not free in e. ii. Fill in the precondition of the judgment below Γ {?} (c 0 c 1 ) {(x 0.5 m) y = m z = m}. A Auxiliary Definitions (λx.m) N = β M[N/x] (β) M = β M M N = β M N (c1) N = β N M N = β M N (c2) M = β M λx.m = β λx.m (c3) (λx.m) N N M[N/x] (β-n) M n M M N n M N (nc1) (λx.m) (λy.n) E M[(λy.N)/x] (β-e) M E M M N E M N (ec1) N E N (λx.m) N E (λx.m) N (ec2) Figure 1: beta-equivalence, normal order evaluation, and eager evaluation 3

4 {p[e/x]}x := e{p} (as) {p}c 1{q} {q}c 2{r} {p}c 1 ; c 2{r} (sq) {p}skip{p} (sk) {p }c{q } p p q q {p}c{q} (csq) {i b}c{i} {i}while b do c{i b} (whp) [ i b e = x 0 ]c[ i e < x 0 ] i b e 0 (wht) [ i ]while b do c[ i b ] where x 0 is not free in c, e, b and i. {p 1} c {q 1} {p 2} c {q 2} {p 1 p 2} c {q 1 q 2} (disj) Figure 2: Selected Hoare Logic rules for IMP (all the rules for partial correctness except the whp rule could also be used for total correctness) (store) s Var Z (locs) l N (heap) h locs fin Z (state) σ store heap where fin means a set of partial functions whose domains are finite. {l, l + 1} dom(h) = s = s{x l} h = h{l e 1 s, l+1 e 2 s} (x := cons(e 1, e 2 ), (s, h)) (skip, (s, h )) l = e s l dom(h) h = h \ {l} (x := dispose(e), (s, h)) (skip, (s, h )) (c 1, σ) (c 1, σ ) (c 1 ; c 2, σ) (c 1 ; c 2, σ ) (skip ; c, σ) (c, σ) b s = true (if b then c 1 else c 2, (s, h)) (c 1, (s, h)) b s = false (if b then c 1 else c 2, (s, h)) (c 2, (s, h)) (while b do c, σ) (if b then (while b do c) else skip, σ Figure 3: Operational semantics for IMP h (only some selected rules are shown) 4

5 Semantics of separaiton logic assertions: h 1 h 2 = dom(h 1 ) dom(h 2 ) = h 1 h 2 = h 1 h 2 (s, h) = e e iff h = {(l, n)}, where e s = l, and e s = n (s, h) = p 1 p 2 iff there exist h 1, h 2 such that h 1 h 2, h = h 1 h 2, (s, h 1) = p 1, and (s, h 2) = p 2 (s, h) = p q iff for all h, if h h and (s, h ) = p, then (s, h h) = q SafeMono(c) iff for all h, h 0, h 1 and s, if h = h 0 h 1, h 0 h 1, and c is safe at (s, h 0), then c is safe at (s, h). Frame(c) iff for all h, h 0, h 1, s, h and s, if h = h 0 h 1, h 0 h 1, (c, (s, h)) (skip, (s, h )), and c is safe at (s, h 0 ), then there exists h 0 such that (c, (s, h 0 )) (skip, (s, h 0)), h 0 h 1, and h = h 0 h 1. Frm(c) iff for all h 0, h 1, s, h 0 and s, if h 0 h 1, (c, (s, h 0 )) (skip, (s, h 0)), then h 0 h 1 and (c, (s, h 0 h 1 )) (skip, (s, h 0 h 1 )). x not free in e Γ {e n}x := [e]{e x} Γ {e }[e] := e {e e } Γ {p 1 } c 1 {q 1 } Γ {p 2 } c 2 {q 2 } Γ {p 1 p 2 } c 1 c 2 {q 1 q 2 } c 1 (or c 2 ) does not update free variables in p 2 (or p 1 ), q 2 (or q 1 ), and Γ Figure 4: Separation Logic Assertions and Selected Rules (perm) π (0, 1] h 1 h 2 h 1 h 2 (heap) h locs fin Z perm = l (dom(h 1) dom(h 2)), n 1, π 1, n 2, π 2. h 1(l) = (n 1, π 1) h 2(l) = (n 2, π 2) (n 1 =n 2) (π 1+π 2 1) = λl. h 1 (l) l (dom(h 1 ) dom(h 2 )) h 2 (l) l (dom(h 2 ) dom(h 1 )) (n, π) exist π 1, π 2 such that h 1 (l) = (n, π 1 ), h 2 (l) = (n, π 2 ), π = π 1 + π 2, and π (0, 1] unined otherwise (s, h) = e π e iff h = {(l, (n, π))}, where e s = l, and e s = n (s, h) = p 1 p 2 iff there exist h 1, h 2 such that h 1 h 2, h = h 1 h 2, (s, h 1) = p 1, and (s, h 2) = p 2 Figure 5: Fractional Permissions: States and Assertions 5