Verifying Higher-Order Imperative Programs with Higher-Order Separation Logic Neelakantan R. Krishnaswami CMU-CS-12-127 1 June 2012 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 Thesis Committee: Jonathan Aldrich, Co-chair John C. Reynolds, Co-chair Robert Harper Lars Birkedal, IT University of Copenhagen Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy. Copyright c 2012 Neelakantan R. Krishnaswami This research was partially supported by National Science Foundation Grant CCF-0916808. The views and conclusions presented in this document are those of the author and do not reflect the official opinions of the NSF or the U.S. government. Keywords: Separation Logic, Design Patterns, Verification, Specification, Type Theory, De- notational Semantics, Program Logic, Program Correctness I would like to thank my wife, Rachel, for her love, patience, and logistical support. My parents encouraged me to study computers. I am not at all sure this was what they had in mind. iv Abstract In this thesis I show is that it is possible to give modular correctness proofs of interesting higher-order imperative programs using higher-order separation logic. To do this, I develop a model higher-order imperative programming language, and develop a program logic for it. I demonstrate the power of my program logic by verifying a series of examples. This includes both realistic patterns of higher-order imperative programming such as the subject-observer pattern, as well as examples demonstrating the use of higher-order logic to reason modularly about highly aliased data structures such as the union-find disjoint set algorithm. vi Acknowledgments I would like to begin by thanking my advisors for giving me perhaps more rope than was advisable. John and Jonathan were both very tolerant of my sudden enthu- siasms, my half-baked ideas, and general tendency to wander off in peculiar direc- tions. Lars was an invaluable source of support and advice, and after every trip to Den- mark I returned significantly more knowledgeable than before I left. I would like to thank Bob for an act he may not even recall any more: as a new graduate student, he informed me that I would be coming to ConCert group meetings, despite technically not even being part of the ConCert project. As a consequence, I have the need and the pleasure to thank the whiteboard gang for their willingness to talk. Noam Zeilberger and Jason Reed were particularly in- spiring examples of people following their mathematical muse, and William Lovas, Daniel Licata, Kevin Watkins, Joshua Dunfield, Carsten Varming, and Rob Simmons were reliable sources of type-theoretic and semantic inspiration. Whenever I needed a different perpsective, the Plaid group was there. I’d like to thank Donna Malayeri, Kevin Bierhof, and Nels Beckman in particular. Hongseok Yang, Peter O’Hearn, Philippa Gardner, and Matthew Parkinson were all encouraging above and beyond the call of duty to a random student from thou- sands of miles away. viii Contents 1 Introduction 1 1.1 Motivation . .1 1.2 Programming Language . .2 1.3 Higher Order Separation Logic . .2 1.4 Verifying Programs . .4 1.4.1 Design Patterns . .4 1.4.2 The Union-Find Algorithm . .5 1.5 Related Work . .5 1.5.1 Immediate Predecessors . .5 1.5.2 Program Logics and Type Theories . .6 1.5.3 Program Proofs for Design Patterns . .9 2 Type Structure 13 2.1 Syntax of Types and Kinds . 13 2.1.1 The Syntactic Theory of Kinds . 15 2.1.2 Semantics of Kinds . 16 2.2 Semantics of Types . 18 2.2.1 The Overall Plan . 18 2.2.2 Interpreting Monotypes . 19 2.2.3 Interpreting Polytypes . 20 2.2.4 Interpreting Heaps and Basic Continuations . 21 2.3 Solving Domain Equations . 22 2.3.1 Local Continuity . 22 2.3.2 The Inverse Limit Construction . 25 2.4 Solving Our Recursive Domain Equation . 31 2.4.1 Computations form a Monad . 31 2.5 The Programming Language . 33 2.6 Denotational Semantics . 35 2.6.1 Proofs . 36 3 The Semantics of Separation Logic 61 3.1 BI Algebras . 61 3.1.1 Partial Commutative Monoids . 62 3.1.2 BI-Algebras over Partial Commutative Monoids . 62 x CONTENTS 3.1.3 Sets of Heaps Form the BI Algebra of Heap Assertions . 68 3.2 Challenges in Interpreting Specifications . 69 3.2.1 Admissibility and Fixed Point Induction . 70 3.2.2 The Frame Rule . 70 3.3 Basic Hoare Triples . 71 3.3.1 Approximating Postconditions . 71 3.3.2 Defining the Basic Hoare Triples . 73 3.4 Kripke Hoare Triples . 74 3.4.1 World Preorders . 74 3.4.2 Heyting Algebras over Preorders . 74 3.4.3 Defining Kripke Hoare Triples . 78 3.4.4 The Framing Operator . 81 3.5 Syntax of Assertions and Specifications . 85 3.5.1 Substitution Properties . 90 3.6 Semantics . 91 3.6.1 Interpretation of Sorts . 91 3.6.2 Interpretation of Terms and Specifications . 92 3.6.3 Substitution Properties . 92 3.7 The Program Logic . 96 3.8 Correctness Proofs . 101 3.8.1 Substitution Theorems . 101 3.8.2 Soundness of Assertion Logic Axioms . 131 3.8.3 Soundness of Program Logic Axioms . 132 3.8.4 The Syntactic Frame Property . 146 4 Proving the Correctness of Design Patterns 151 4.1 Introduction . 151 4.2 Iterators and Composites . 152 4.2.1 The Iterator Specification . 153 4.2.2 Example Implementation . 160 4.3 The Flyweight and Factory Patterns . 173 4.3.1 Verification of the Implementation . 176 4.4 Subject-Observer . 178 4.4.1 Correctness Proofs for Subject-Observer . 181 5 Proving the Union-Find Disjoint Set Algorithm 185 5.1 Introduction . 185 5.2 The Specification . 186 5.3 Correctness Proofs . 191 5.3.1 Proof of find ................................ 191 5.3.2 Proof of newset ............................... 195 5.3.3 Proof of union ............................... 197 List of Figures 2.1 Syntax of the Types and Kinds of the Programming Language . 13 2.2 Kinding Rules for Monotypes . 14 2.3 Kinding Rules for Polytypes . 15 2.4 Equality Rules for Monotypes . 16 2.5 Equality Rules for Polytypes . 17 2.6 Locally Continuous Functor Interpreting Monotypes . 19 2.7 Locally Continuous Functor Interpreting Polytypes . 21 2.8 Syntax of the Programming Language . 33 2.9 Typing of the Pure Expressions . 34 2.10 Typing of Monadic Expressions . 35 2.11 Interpretation of Program Contexts . 36 2.12 Interpretation of Pure Terms . 37 2.13 Interpretation of Computations . 38 2.14 Equality Rules for Sums, Products, Exponentials, and Suspended Computations . 39 2.15 Equality Rules for Numbers, Universals, and Existentials . 40 2.16 Equality Rules for Computations . 40 2.17 Congruence Rules for Equality . 41 3.1 Syntax of Assertions and Specifications . 87 3.2 Well-sorting of Sorts and Contexts . 88 3.3 Well-sorting of Assertions . 89 3.4 Well-sorting of Specifications . 90 3.5 Interpretation of Sorts and Contexts . 92 3.6 Interpretation of Terms . 93 3.7 Interpretation of Specifications . 94 3.8 Basic Axioms of Specification Logic . 96 3.9 Structural Axioms of the Program Logic . 97 3.10 Axioms of Assertion Logic . 98 3.11 Equality Judgment for Assertions . 98 4.1 Interface to the Iterator Library . 155 4.2 Auxilliary Functions Used in the Iterator Specification . 156 4.3 Type and Predicate Definitions of the Iterator Implementation . 161 4.4 Implementation of Collections and Iterators . 162 xii LIST OF FIGURES 4.5 Flyweight Specification . 174 4.6 Flyweight Factory Specification . 174 4.7 Flyweight Implementation . ..