
LINEAR LOGIC AND IMPERATIVE PROGRAMMING

Limin Jia

A DISSERTATION PRESENTED TO THE FACULTY OF PRINCETON UNIVERSITY IN CANDIDACY FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

RECOMMENDED FOR ACCEPTANCE BY THE DEPARTMENT OF COMPUTER SCIENCE

JANUARY 2008

© Copyright by Limin Jia, 2008. All rights reserved.

Abstract

One of the most important and enduring problems in programming languages research involves verification of programs that construct, manipulate and dispose of complex heap-allocated data structures. Over the last several years, great progress has been made on this problem by using substructural logics to specify the shape of heap-allocated data structures. These logics can capture aliasing properties in a concise notation.

In this dissertation, we present our work on using an extension of Girard's intuitionistic linear logic (a substructural logic) with classical constraints as the base logic to reason about the memory safety and shape invariants of programs that manipulate complex heap-allocated data structures. To be more precise, we have defined formal proof rules for an intuitionistic linear logic with constraints, ILC, which modularly combines substructural reasoning with general constraint-based reasoning. We have also defined a formal semantics for our logic, in terms of program heaps, with recursively defined predicates. Next, we developed verification systems using different fragments of ILC to verify pointer programs. In particular, we developed a set of sound verification condition generation rules that are used to statically verify pointer programs. We also demonstrated how to interpret the logical formulas as run-time assertions. In the end, we developed a new imperative language that allows programmers to define and manipulate heap-allocated data structures using ILC formulas.
The main contributions of this thesis are (1) the development of a substructural logic that is capable of general constraint-based reasoning; and (2) the idea of incorporating high-level logical formulas into imperative languages, either as dynamic contract specifications, which allow clear, compact and semantically well-defined documentation of heap-shape properties, or as language constructs, which drive safe construction and manipulation of sophisticated heap-allocated data structures.

Acknowledgments

First, I would like to thank my advisor, David Walker, for his guidance and support throughout my graduate study. His door was always open. I will be forever indebted to him for what he has taught me. I would also like to thank my thesis readers, Andrew Appel and Frank Pfenning, for spending their valuable time reading my thesis and giving me many helpful comments. Andrew taught my first Programming Languages class. He showed me how much fun it is to play with proofs, which ultimately drew me into Programming Language research. I am extremely fortunate to have Frank on my thesis committee. His rigor and intuitions in logic have helped me to significantly improve the quality of my thesis work.

My friends have made my life in graduate school more enjoyable. I would like to thank Yong Wang and Ge Wang for their encouragement and support, especially in my first year at Princeton. I would also like to thank Frances Perry for the wonderful afternoon tea times. I am grateful to all the grad students who made the department a happy place to stay, especially Ananya Misra, Shirley Gaw, Yun Zhang, Melissa Carroll, Bolei Guo, Dan Dantas, Georg Essl, Xinming Ou, Zhiyan Liu, and Ruoming Pang.

I would like to thank my parents for their love and support. My parents are my first teachers of math and sciences. I am also very grateful to them for shaping my mathematical reasoning abilities at a young age.
Finally, I would like to thank Lujo for his companionship in the good times, and his support through the tough times in graduate school.

The research described in this dissertation was supported in part by ARDA Grant no. NBCHC030106 and National Science Foundation grants CCR-0238328 and CCR-0208601. This work does not necessarily reflect the opinions or policies of the NSF or ARDA and no endorsement should be inferred.

Contents

Abstract . iii
1 Introduction . 1
1.1 Background . 2
1.2 Outline of This Thesis . 5
2 Brief Introduction to Linear Logic . 6
2.1 Basics . 6
2.2 Proof Rules of Linear Logic . 7
2.3 Sample Deductions . 10
3 Linear Logic with Constraints . 11
3.1 Describing the Program Heap . 11
3.1.1 The Heap . 11
3.1.2 Basic Descriptions of the Heap . 12
3.1.3 Expressing the Invariants of Data Structures . 15
3.2 Syntax, Semantics, and Proof Rules . 17
3.2.1 Syntax . 17
3.2.2 Semantics . 18
3.2.3 Proof Rules . 21
3.2.4 Formal Results . 24
3.3 A Sound Decision Procedure . 26
3.3.1 ILCa− . 26
3.3.2 Linear Residuation Calculus . 30
3.4 Additional Axioms . 32
3.4.1 More Axioms About Shapes . 33
3.4.2 Inequality . 34
3.4.3 Extending Residuation Calculus . 34
3.5 Discussion . 36
4 Static Verification Using ILC . 37
4.1 Syntax . 37
4.2 Operational Semantics . 39
4.3 Verification Condition Generation . 41
4.3.1 System Setup . 42
4.3.2 Verification Condition Generation Rules . 43
4.3.3 Verification Rule for Programs . 46
4.4 An Example . 46
4.5 Soundness of Verification . 48
4.6 Further Examples . 50
5 Dynamic Heap-shape Contracts . 54
5.1 Using Formal Logic as a Contract Language . 54
5.1.1 Syntax & Operational Semantics . 55
5.1.2 Example Specifications . 56
5.1.3 Example Assertions . 58
5.2 Implementation . 59
5.2.1 The MiniC Language . 59
5.2.2 Checking Assertions . 60
5.2.3 Mode Analysis . 60
5.2.4 Source to Source Translation . 61
5.3 Combining Static and Dynamic Verification . 62
6 Shape Patterns . 64
6.1 System Overview . 65
6.1.1 Logical Shape Signatures . 65
6.1.2 The Shape Pattern Language . 67
6.1.3 An Example Program . 70
6.1.4 What Could Go Wrong . 71
6.1.5 Three Caveats . 72
6.2 Logical Shape Signatures . 73
6.2.1 Syntax . 73
6.2.2 Semantics, Shape Pattern Matching and Logical Deduction . 75
6.2.3 Simple Type Checking for Shape Signatures . 77
6.2.4 Mode Analysis . 77
6.2.5 Requirements for Shape Signatures . 81
6.2.6 Correctness and Memory-safety of Matching Procedure . 81
6.3 The Programming Language . 83
6.3.1 Syntax . 84
6.3.2 Operational Semantics . 84
6.3.3 Type System . 87
6.3.4 Type Safety . 94
6.4 A Further Example . 95
6.5 Implementation . 98
7 Related Work . 101
7.1 Logics Describing Program Heaps . 101
7.2 Verification Systems for Imperative Languages . 104
7.3 Safe Imperative Languages . 106
8 Conclusion and Future Work . 108
8.1 Contributions . 108
8.2 Future work . 109
A Proofs in Logic Section . 111
A.1 Proofs of Cut-Elimination of ILC . 111
A.2 Proof for the soundness of logical deduction . 116
A.3 Proofs Related to ILCa− . 119
A.4 Proof of the Soundness of Residuation Calculus . 122
A.4.1 An Alternative Sequent Calculus for Constraint Reasoning . 123
A.4.2 Soundness Proof . 127
B Summary of Verification Generation Rules . 137
C Proofs for the Soundness of VCGen . 139
D Proofs About the Shape Pattern Matching . 146
E Type-safety of the Shape Patterns Language . 151
F Code for the Node Deletion Function . 160
Bibliography . 163

List of Figures

2.1 Structural rules . 6
2.2 Sample derivations . 10
3.1 Memory containing a linked list . 12
3.2 ILC syntax . 18
3.3 Syntax for clauses . 18
3.4 The store semantics of ILC formulas . 19
3.5 Indexed semantics for inductively defined formulas . 20
3.6 LK sequent rules for classical first-order logic . 22
3.7 Sequent calculus rules for ILC . 23
3.8 Sequent calculus rules for ILCa− . 29
3.9 Linear residuation calculus . 31
4.1 Syntactic constructs . 38
4.2 Runtime syntactic constructs . 39
4.3 Operational semantics . 41
4.4 Derivation of Pre entails VC . 47
4.5 Semantics of Hoare triples . 49
4.6 Derivation for example insertion . 50
4.7 Sample derivation . 51
4.8 Sample derivation . 53
5.1 Syntactic construct for contracts . 55
5.2 An adjacency list . 57
5.3 Definition of an adjacency list . 58
6.1 Singly linked list shape signature . 67
6.2 The function delete . 70
6.3 Syntax of logical constructs . 74
6.4 Pattern-matching algorithm . 76
6.5 Typing rules for shape signatures . 78
6.6 Selected and simplified mode analysis rules ..