
Constraints: A Uniform Approach to Aliasing and Typing

Leslie Lamport* (SRI International) and Fred B. Schneider+ (Cornell University)

Abstract

A constraint is a relation among program variables that is maintained throughout execution. Type declarations and a very general form of aliasing can be expressed as constraints. A proof system based upon the interpretation of Hoare triples as temporal logic formulas is given for reasoning about programs with constraints. The proof system is shown to be sound and relatively complete, and example program proofs are given.

1 Introduction

Type declarations and aliasing relations have traditionally been thought of as unrelated concepts. However, both can be viewed as specifying properties that do not change during program execution. This view leads to a uniform method for reasoning about types and aliasing in which the usual Hoare logic triples are regarded as temporal logic formulas.

Aliasing two variables x and y means they always have the same value. This is usually implemented by allocating the same memory location to x and y, thereby ensuring that both variables are changed whenever either is assigned a new value. However, they could be allocated separate memory locations and both updated on an assignment to either. Viewing aliasing as defining certain relationships between the values of variables, with no implication about storage allocation, allows more general kinds of aliasing and leads to a simple method for reasoning about aliasing.

To express a more general form of aliasing, we introduce the var statement. To illustrate its use, suppose a program computes a temperature, and that sometimes it is convenient to refer to that temperature in degrees Fahrenheit and other times in degrees Celsius. We will write the statement

    var f, c : real
    constraints f = 9 * c / 5 + 32
    in S

which declares variables f and c within statement S to be of type real and to be aliased, so that if the value of f is a temperature in degrees Fahrenheit, then the value of c is that temperature in degrees Celsius. Changing f causes a corresponding change to c, and vice-versa. Notice that this more general form of aliasing cannot be implemented simply by allocating overlapping memory locations to f and c.

The constraints clause of a var statement is a directive that a specified predicate (in our example, the aliasing relation f = 9 * c / 5 + 32) be maintained as an invariant, which means that execution is aborted if the predicate becomes false.

A type declaration can also be viewed as an invariant, so it can be specified in a constraints clause. If we take the view that the type of a variable defines the set of values that variable can have, then declaring a variable x to be of type real is the same as requiring that the predicate x ∈ R be true throughout execution, where R is the set of real numbers.¹ Thus, we could eliminate the ": real" from the above var statement and add the constraint f, c ∈ R. Since doing so would make the statement less readable, we will retain the customary syntax for type declarations.

Aliasing and typing can be viewed in terms of constraints because they are static properties. While dynamic properties, such as the values of variables, can be changed by execution of a program statement, static properties cannot. (In most languages, like the one considered here, a declaration is not a complete statement but rather part of a statement.) The methods we develop for reasoning about aliasing and types can be used to reason about any static property.

* Work supported in part by the National Science Foundation under grant number MCS-8104459 and by the Army Research Office under grant number DAAG29-83-K-0119. Current address: SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025.

+ Research supported in part by NSF grant DCR-8320274 and by a Faculty Development Award from IBM Corp. Current address: Department of Computer Science, Cornell University, Ithaca, NY 14853.

¹ For simplicity, we assume R is the infinite set that mathematicians call the real numbers, thereby avoiding the problems that round-off errors would introduce for reasoning about equality of expressions.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. © 1984 ACM 0-89791-147-4/85/001/0205 $00.75

Returning to aliasing, consider a more complicated example in which a program refers to a point in terms of both its Cartesian coordinates x, y and its polar coordinates r, θ. Variables x, y, r, and θ are declared as follows.

    var x, y, r : real, θ : [0, 2 * π)
    constraints x = r * cos(θ) and y = r * sin(θ)
    in S

(The type declaration for θ states that it is a real in the range 0 ≤ θ < 2π.) We would like this declaration to mean that when x is changed, r and θ are changed according to the constraints, but y is not. However, the fact that y should not change is based upon the knowledge that x and y are independent coordinates, which is not something discernible in the above statement. An additional constraint is needed to specify that assigning to x should not change the value of y and vice-versa; we write this constraint as x ⊥ y. Similarly, r and θ should be independent, so assigning a value to either r or θ does not change the other. Hence, the additional constraint r ⊥ θ is needed. The following declaration of x, y, r, and θ gives the desired aliasing relations.

    var x, y, r : real, θ : [0, 2 * π)
    constraints x = r * cos(θ) and y = r * sin(θ) and x ⊥ y and r ⊥ θ
    in S

Finally, observe that the var statement can express forms of aliasing traditionally implemented by overlapping storage. The statement

    var full, right_4 : natural
    constraints right_4 = full mod 16
    in S

aliases variable right_4 to the right-most four bits of full, where natural denotes the nonnegative integers. Moreover, the declaration ensures the desired semantics even on a computer where integers are not stored in binary.

It is probably impossible for a compiler to handle our form of aliasing in all its generality. While the Fahrenheit/Celsius and full/right_4 examples do not pose difficult compiling problems, consider what happens if the following statements appear in the body of the above var x, y, r, θ statement:

    read(x, y); write(θ)

Input values a, b with a ≠ 0 produce the output value arctan(b/a), something no present-day compiler is likely to figure out.

We are interested in our general form of aliasing in order to reason about implicit variables: variables representing portions of the program state that are not directly visible to the programmer. For example, in a concurrent programming language with primitives to perform buffered message-passing, messages sent but not yet delivered are part of the state that must be described by implicit variables. (The p and u multisets of [18] are such variables.) Implicit variables often involve complex aliasing relations. For some message-passing schemes, a channel is modelled by having an implicit variable in a sender aliased to an implicit variable in the receiver. Even more complex aliasing occurs when a channel emanating from a network is aliased to the union of the channels emanating from its components. The CSP language [10] supports such a hierarchical channel-naming scheme.

In the Generalized Hoare Logic (GHL) [12,14], a logic for concurrent programs, one must reason about state components that describe the control state. In the original presentation of GHL, the control state was modelled by at, in, and after predicates, where at(S) is true when control is at the entry point of statement S, after(S) is true when control is at the exit point of statement S, and in(S) is true when at(S) is true or control is at a component of S. Axioms were given to describe the relations among these predicates. Thus, if S is the statement S1; S2, the axioms of GHL state:

    at(S) ≡ at(S1)
    after(S) ≡ after(S2)
    in(S) ≡ at(S) ∨ in(S1) ∨ in(S2)
    after(S1) ≡ at(S2)

GHL included ad hoc rules for reasoning about these control predicates. However, by viewing the control predicates as implicit variables, and considering the above relations not as equality of predicates but as aliasing relations among variables, we can reason about the control state with exactly the same rules used to reason about the values of ordinary program variables. This is described in detail in [15].

2 Primitives for Constrained Execution

A var statement, like the one for the Cartesian/polar coordinate example, specifies three things:

• The names of new variables: x, y, r, and θ in the example.

• Constraints the new variables must satisfy, including those given explicitly by the constraints clause and those implicit in the type declarations. In the example, the constraints are:

    x ∈ R
    y ∈ R
    r ∈ R
    θ ∈ R and 0 ≤ θ < 2π
    x = r * cos(θ) and y = r * sin(θ) and x ⊥ y and r ⊥ θ

• Other independence constraints involving the new variables. In the example, there is the implicit assumption that x, y, r, and θ are not aliased to any other variables, except perhaps variables declared in the body of the var statement.
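As an added illustration (example code, not from the paper), the following Python models a var statement whose constraints clause is re-established after every assignment and whose execution aborts when a type predicate or constraint becomes false. The update rules record which aliases an assignment propagates to, so x ⊥ y holds because assigning x recomputes r and θ but leaves y alone; the class VarScope and its method names are assumptions of this example.

```python
import math
class ConstraintViolation(Exception):
    """A constraints-clause predicate became false: the paper aborts execution here."""
class VarScope:
    """Model of a var statement (example code, not the paper's). 'types' maps each
    variable to its type predicate, 'constraint' is the constraints clause, and
    'updates' maps an assigned variable to the aliases recomputed from it; a variable
    missing from updates[name] is independent of name (the paper's x ⊥ y)."""
    def __init__(self, types, constraint, updates, **initial):
        self.types, self.constraint, self.updates = types, constraint, updates
        self.state = dict(initial)
        self._check()

    def _check(self):
        for name, ok in self.types.items():   # type declarations are invariants too
            if not ok(self.state[name]):
                raise ConstraintViolation(f"{name} = {self.state[name]!r} violates its type")
        if not self.constraint(self.state):
            raise ConstraintViolation("constraints clause is false")

    def assign(self, name, value):
        self.state[name] = value
        self.state.update(self.updates.get(name, lambda s: {})(self.state))  # re-establish aliases
        self._check()                                                         # abort if impossible
        return dict(self.state)
def is_real(v): return isinstance(v, (int, float)) and math.isfinite(v)
def is_natural(v): return isinstance(v, int) and v >= 0

def polar_point(x, y, r, theta):
    """var x, y, r : real, theta : [0, 2*pi)
       constraints x = r*cos(theta) and y = r*sin(theta) and x ⊥ y and r ⊥ theta"""
    to_polar = lambda s: {"r": math.hypot(s["x"], s["y"]),
                          "theta": math.atan2(s["y"], s["x"]) % (2 * math.pi)}
    to_cart = lambda s: {"x": s["r"] * math.cos(s["theta"]), "y": s["r"] * math.sin(s["theta"])}
    return VarScope(
        {"x": is_real, "y": is_real, "r": is_real,
         "theta": lambda v: is_real(v) and 0 <= v < 2 * math.pi},
        lambda s: math.isclose(s["x"], s["r"] * math.cos(s["theta"]), abs_tol=1e-9)
        and math.isclose(s["y"], s["r"] * math.sin(s["theta"]), abs_tol=1e-9),
        {"x": to_polar, "y": to_polar, "r": to_cart, "theta": to_cart},
        x=x, y=y, r=r, theta=theta)

def nibble_alias(full):
    """var full, right_4 : natural constraints right_4 = full mod 16"""
    return VarScope({"full": is_natural, "right_4": is_natural},
                    lambda s: s["right_4"] == s["full"] % 16,
                    {"full": lambda s: {"right_4": s["full"] % 16},
                     "right_4": lambda s: {"full": s["full"] - s["full"] % 16 + s["right_4"]}},
                    full=full, right_4=full % 16)
```

Assigning right_4 a value of 16 or more keeps the type predicate (natural) true but makes right_4 = full mod 16 unsatisfiable, which is exactly the case in which the paper's semantics abort.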