Towards Weakest Precondition Calculus for Local Store
Miriam Polzer
February 5, 2019
wp semantics via modality¹

$\tau : T(T1) \to T1$

Example (Powerset Monad $P$)

$P1 = 2 = \{\top, \bot\}$, and $\tau : P2 \to 2$ sends $\{\}, \{\top\} \mapsto \top$ and $\{\bot\}, \{\bot, \top\} \mapsto \bot$.

Given postcondition $\varphi : Y \to 2$ and program $p : X \to P(Y)$,
$$\mathrm{wp}(p, \varphi) = \big(X \xrightarrow{p} P(Y) \xrightarrow{P\varphi} P2 \xrightarrow{\tau} 2\big)$$
returns $\top$ iff $\varphi$ is true for every possible result of $p$.

¹Hasuo, "Generic Weakest Precondition Semantics from Monads Enriched with Order".
wp semantics via modality¹

$\tau : T(T1) \to T1$

Example (Powerset Monad $P$)

$P1 = 2 = \{\top, \bot\}$, and $\tau : P2 \to 2$ sends $\{\bot, \top\}, \{\top\} \mapsto \top$ and $\{\}, \{\bot\} \mapsto \bot$.

Given postcondition $\varphi : Y \to 2$ and program $p : X \to P(Y)$,
$$\mathrm{wp}(p, \varphi) = \big(X \xrightarrow{p} P(Y) \xrightarrow{P\varphi} P2 \xrightarrow{\tau} 2\big)$$
returns $\top$ iff $\varphi$ is true for some possible result of $p$.
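A runnable version of the two readings above, added here as an example and not code from the talk: the demonic modality of the first slide (every result must satisfy $\varphi$) and the angelic one of the second (some result must), applied to a constructed nondeterministic program `succ_or_double`. Its empty result set for negative inputs is exactly the case where the two tables for $\tau$ disagree; `succ_or_double` and `is_even` are assumptions of this example.

```python
"""Weakest preconditions over the powerset monad.

Added example, not code from the talk: P(Y) is modelled as a Python set, the
truth-value object 2 = {T, F} as bool, and the modality tau : P2 -> 2 is either
the demonic one from the first slide (every possible result must satisfy phi)
or the angelic one from the second (some possible result must). wp(p, phi) is
the composite tau . P(phi) . p, read off the slides."""
from typing import Callable, Dict, Iterable, Set, TypeVar

X = TypeVar("X")
Y = TypeVar("Y")
Modality = Callable[[Set[bool]], bool]


def tau_demonic(truths: Set[bool]) -> bool:
    """tau : P2 -> 2 with {} |-> T, {T} |-> T, {F} |-> F, {F, T} |-> F."""
    return all(truths)


def tau_angelic(truths: Set[bool]) -> bool:
    """tau : P2 -> 2 with {F, T} |-> T, {T} |-> T, {} |-> F, {F} |-> F."""
    return any(truths)


def wp(p: Callable[[X], Set[Y]], phi: Callable[[Y], bool],
       tau: Modality) -> Callable[[X], bool]:
    """wp(p, phi) = X --p--> P(Y) --P(phi)--> P2 --tau--> 2."""
    def precondition(x: X) -> bool:
        results = p(x)                        # p : X -> P(Y)
        truths = {phi(y) for y in results}    # P(phi) : P(Y) -> P2
        return tau(truths)                    # tau : P2 -> 2
    return precondition


# Constructed sample program (an assumption of this example): nondeterministically
# return x + 1 or 2 * x, and return no result at all (the empty set, i.e. the
# program blocks) for x < 0.
def succ_or_double(x: int) -> Set[int]:
    if x < 0:
        return set()
    return {x + 1, 2 * x}


def is_even(y: int) -> bool:
    return y % 2 == 0


def demonic_table(inputs: Iterable[int]) -> Dict[int, bool]:
    """wp(succ_or_double, is_even) under the 'every result' reading."""
    pre = wp(succ_or_double, is_even, tau_demonic)
    return {x: pre(x) for x in inputs}


def angelic_table(inputs: Iterable[int]) -> Dict[int, bool]:
    """wp(succ_or_double, is_even) under the 'some result' reading."""
    pre = wp(succ_or_double, is_even, tau_angelic)
    return {x: pre(x) for x in inputs}


if __name__ == "__main__":
    # The two readings differ exactly where the slides' tables differ: on the
    # empty result set (x < 0) and on mixed result sets (even x >= 0).
    for x in range(-1, 4):
        print(x, demonic_table([x])[x], angelic_table([x])[x])
```

On the empty result set the demonic wp is vacuously true (the program cannot produce a bad result) while the angelic wp is false (no result is good); on a mixed set such as $\{1, 0\}$ the two readings also split, and they agree only when all results carry the same truth value.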
modality for the state monad

State Monad

Let $S$ be a set of states. Define $T : \mathbf{Set} \to \mathbf{Set}$ by $TX = (X \times S)^S$, so $T1 \cong S^S$.

$T$ is not commutative: there are $p, q \in S^S$ and $s \in S$ such that $p(q(s)) \neq q(p(s))$.

$\Rightarrow$ Using $T$ to obtain truth values does not seem feasible.
wp for the state monad

Reader Monad

Define $R \hookrightarrow T$ by $RX = X^S$.

Given (uncurried) postcondition $\varphi : Y \times S \to 2$ and program $p : X \times S \to Y \times S$, define $\mathrm{wp}(p, \varphi) : X \times S \to 2$ as the composite
$$X \times S \xrightarrow{p} Y \times S \xrightarrow{\varphi} 2.$$
wp for the state monad

Reader Monad

Define $R \hookrightarrow T$ by $RX = X^S$, with maps $\rho : T \to R$ and $\upsilon : R \to T$:
$$\rho_X = \big((X \times S)^S \xrightarrow{\mathrm{pr}_1^S} X^S\big), \qquad \upsilon = (R \hookrightarrow T).$$
$$\tau = \big(TR2 \xrightarrow{T\upsilon} TT2 \xrightarrow{\mu} T2 \xrightarrow{\rho} R2\big)$$

Yoneda: $\mathbf{Set}(TR2, R2) \cong \mathrm{Nat}(\mathbf{Set}(-, R2), \mathbf{Set}(T-, R2))$.
T-algebras

Theorem

$\tau : T\Omega \to \Omega$ is a $T$-algebra if and only if the corresponding wp-operator satisfies
$$\mathrm{wp}(\eta(x), \varphi) = \varphi, \qquad \mathrm{wp}(g^* \circ f, \varphi) = \mathrm{wp}(f, \mathrm{wp}(g, \varphi)).$$
Verify this for $\tau : TR2 \to R2$ from before.

Theorem

$\tau : TRX \to RX$ is a $T$-algebra if there are maps $\rho : T \to R$ and $\upsilon : R \to T$ such that
1. $\rho \circ \upsilon = \mathrm{id}$
2. $\rho$ is a monad morphism
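The verification the theorem asks for, carried out mechanically on a finite state set; this is an added example, not code from the talk. It implements $T X = (X \times S)^S$, $R X = X^S$, the projection $\rho$, the inclusion $\upsilon$, the modality $\tau = \rho \circ \mu \circ T\upsilon$ and $\mathrm{wp}(p, \varphi) = \tau \circ T\varphi \circ p$, then checks both wp laws on every $(x, s)$. The state set, the programs `tick` and `add_state` and the postcondition `result_equals_state` are constructed assumptions of the example.

```python
"""The state monad T X = (X x S)^S, the reader monad R X = X^S, the maps
rho : T -> R and upsilon : R -> T, and the modality tau : T R 2 -> R 2 built
from them, with both wp laws of the T-algebra theorem checked exhaustively.

Added example, not code from the talk. S and X are constructed finite sets so
the laws can be checked on every (x, s); programs are Python closures."""

S = range(3)   # constructed set of states
X = range(3)   # constructed set of values

# TX = (X x S)^S: a program maps a state to (result, new state).
# RX = X^S: a reader value maps a state to a result.


def eta(x):
    """Unit of T: return x, leave the state unchanged."""
    return lambda s: (x, s)


def kleisli(f, g):
    """Kleisli extension g* o f for f : X -> TY and g : Y -> TZ."""
    def h(x):
        def run(s):
            y, s1 = f(x)(s)
            return g(y)(s1)
        return run
    return h


def mu(tt):
    """Multiplication of T: run the outer computation, then the inner one."""
    def run(s):
        inner, s1 = tt(s)
        return inner(s1)
    return run


def t_map(h, t):
    """Functor action of T on h: apply h to the result, keep the state."""
    return lambda s: (h(t(s)[0]), t(s)[1])


def rho(t):
    """rho_X : TX -> RX, the projection pr_1^S: forget the output state."""
    return lambda s: t(s)[0]


def upsilon(r):
    """upsilon_X : RX -> TX, the inclusion R -> T: read, do not write."""
    return lambda s: (r(s), s)


def tau(tr):
    """tau = rho . mu . T(upsilon) : T R 2 -> R 2 (the typing of the composite)."""
    return rho(mu(t_map(upsilon, tr)))


def wp(p, phi):
    """wp(p, phi) = tau . T(phi) . p for p : X -> TY and phi : Y -> R2."""
    return lambda x: tau(t_map(phi, p(x)))


def law_unit_holds(phi) -> bool:
    """wp(eta, phi) = phi on every (x, s)."""
    return all(wp(eta, phi)(x)(s) == phi(x)(s) for x in X for s in S)


def law_composition_holds(f, g, phi) -> bool:
    """wp(g* o f, phi) = wp(f, wp(g, phi)) on every (x, s)."""
    lhs, rhs = wp(kleisli(f, g), phi), wp(f, wp(g, phi))
    return all(lhs(x)(s) == rhs(x)(s) for x in X for s in S)


# Constructed programs and postcondition over S = X = {0, 1, 2}.
def tick(x):
    """Return x, advance the state by one (mod 3)."""
    return lambda s: (x, (s + 1) % 3)


def add_state(x):
    """Return x + s (mod 3), leave the state alone."""
    return lambda s: ((x + s) % 3, s)


def result_equals_state(y):
    """Postcondition phi : Y -> R2 = 2^S: the result equals the final state."""
    return lambda s: y == s


def wp_tick_then_add(x: int, s: int) -> bool:
    """wp(add_state* o tick, result_equals_state) evaluated at (x, s)."""
    return wp(kleisli(tick, add_state), result_equals_state)(x)(s)
```

Unfolding $\tau$ gives $\mathrm{wp}(p, \varphi)(x)(s) = \varphi(y)(s')$ with $(y, s') = p(x)(s)$, which is the uncurried $\varphi \circ p$ of the earlier slide; for `tick` followed by `add_state` the precondition collapses to $x = 0$, independent of the initial state.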
The category of heap layouts $\mathbb{W}$

$L = \{l_1, l_2, l_3, \ldots\}$ is a set of locations.

Objects of $\mathbb{W}$ are finite heap layouts $w \subseteq_{\mathrm{fin}} L$; the morphisms $\mathbb{W}(w, w')$ are injections $\rho : w \to w'$.

We will use $[\mathbb{W}, \mathbf{Set}]$, the (covariant) presheaf category.

Example (Location Presheaf)

$W : \mathbb{W} \to \mathbf{Set}$, $W(w) = w$, $W(\rho) = \rho$.
The contravariant store presheaf

Let $V$ be a set of values. We construct a store presheaf; unfortunately, it is not covariant:
$$\bar H : \mathbb{W}^{\mathrm{op}} \to \mathbf{Set}, \qquad \bar H w = V^w.$$
(Diagram on the slide: for $\rho : w = \{l_1, l_2\} \to w' = \{l_1, l_2, l_3\}$, a store in $V^{w'}$ is sent by $\bar H\rho$ to the store in $V^w$ on the cells in the image of $\rho$.)

$\Rightarrow$ Introduce some more structure and switch categories.
Independence structures 1

Definition (Independent Coproduct)

$\mathbb{W}$ is a strict monoidal category with
$$\oplus : \mathbb{W} \times \mathbb{W} \to \mathbb{W}, \qquad w_1 \oplus w_2 = w_1 \cup \{l_{i + \max(w_1)} \mid l_i \in w_2\}.$$
(Diagram on the slide: $w_1 = \{l_1, l_2\} \xrightarrow{\iota^\oplus_1} w = \{l_1, l_2, l_3, l_4\} \xleftarrow{\iota^\oplus_2} w_2 = \{l_1, l_2\}$.)
Independence structures 2

Definition (Complement)

Let $\rho : w \to w'$; define $w' \ominus \rho = w' \setminus \mathrm{img}(\rho)$ and $\rho^\complement = (w' \ominus \rho \hookrightarrow w')$.
(Diagram on the slide: $w = \{l_1, l_2\} \xrightarrow{\rho} w' = \{l_1, l_2, l_3\} \xleftarrow{\rho^\complement} w' \ominus \rho = \{l_2\}$.)
moving to the category of initializations $\mathbb{E}$

Definition (Category $\mathbb{E}$)

Objects are finite heap layouts $w \subseteq_{\mathrm{fin}} L$ (so $|\mathbb{W}| = |\mathbb{E}|$).
$$\mathbb{E}(w, w') = \{(\rho, \eta) \mid \rho : w \to w',\ \eta \in V^{w' \ominus \rho}\}$$
There is a forgetful functor $U : \mathbb{E} \to \mathbb{W}$. Denote $\epsilon \in \mathbb{E}(w, w')$ with $U\epsilon \in \mathbb{W}(w, w')$ and $\eta_\epsilon \in V^{w' \ominus U\epsilon}$.
$$H : \mathbb{E} \to \mathbf{Set}, \qquad Hw = V^w, \qquad (H(\rho, \eta))(s \in V^w) = \big(w' \cong (w' \ominus \rho) \oplus w \xrightarrow{[\eta, s]} V\big)$$
Relating $\bar H$ and $H$ (the contravariant store presheaf on $\mathbb{W}$ and the covariant one on $\mathbb{E}$)

Extending and then reducing

For $(\rho, \eta) \in \mathbb{E}(w, w')$ and $s \in V^w$, let $s' = H(\rho, \eta)(s)$. Then $\bar H\rho\,(s') = s$ and $\bar H\rho^\complement\,(s') = \eta$.
(Diagram on the slide: $s = (v_1, v_2)$ is extended by $H(\rho, \eta)$ with $\eta = v_3$ to $s' = (v_1, v_3, v_2)$; $\bar H\rho$ recovers $s$ and $\bar H(\rho^\complement)$ recovers $\eta$.)

Relating $\bar H$ and $H$

Reducing and then extending

For $\rho \in \mathbb{W}(w, w')$ and $s' \in V^{w'}$, let $s = \bar H\rho\,(s')$ and $\eta = \bar H\rho^\complement\,(s')$. Then $H(\rho, \eta)(s) = s'$.
(Diagram on the slide: the same picture read in the other direction, splitting $s' = (v_1, v_3, v_2)$ into $s = (v_1, v_2)$ and $\eta = v_3$.)
the store monad on $[\mathbb{E}, \mathbf{Set}]$

The adjunction $(- \times H) \dashv (-)^H$ on $[\mathbb{E}, \mathbf{Set}]$ gives the monad
$$(TX)w = (Xw \times Vw)^{Vw}.$$
wp can be defined as done before for the store monad.
allocation: the hiding monad

$$P : [\mathbb{E}, \mathbf{Set}] \to [\mathbb{E}, \mathbf{Set}], \qquad (PX)w = \int^{\rho : w \to w' \in w \downarrow U} Xw'$$

The category $w \downarrow U$

Objects are morphisms with domain $w$, $\rho : w \to w'$ (in $\mathbb{W}$).
A morphism $\epsilon : \rho_1 \to \rho_2$ is an initialization $\epsilon : w_1 \to w_2$ such that $U\epsilon \circ \rho_1 = \rho_2$ (the triangle over $w$ commutes).
allocation: the hiding monad

$$(PX)w = \int^{\rho : w \to w' \in w \downarrow U} Xw'$$

This coend is just an undercover colimit.

Recall that colimits in sets are formed via equivalence classes:
$$\int^{\rho : w \to w' \in w \downarrow U} Xw' = \Big(\coprod_{\rho : w \to w'} Xw'\Big) \big/ \sim$$
where $(\rho_1 : w \to w_1, x_1 \in Xw_1) \sim (\rho_2 : w \to w_2, x_2 \in Xw_2)$ if there exists $\epsilon : \rho_1 \to \rho_2$ such that $(X\epsilon)x_1 = x_2$.
hiding example

$$(PH)w = \int^{\rho : w \to w' \in w \downarrow U} Hw'$$
Think of $w$ as public and $w' \ominus \rho$ as private. For $w = \{l_1, l_2\}$:
$$s_1 = [l_1 : v_1,\ l_2 : v_2] \;\sim\; s_2 = [l_1 : v_1,\ l_2 : v_2,\ l_3 : v_3] \;\sim\; s_3 = [l_1 : v_1,\ l_2 : v_2,\ l_3 : v_4]$$
hiding store

$$(PH)w = \int^{\rho : w \to w' \in w \downarrow U} Hw'$$

Theorem

$PH \cong H$

Proof.

Isomorphism: $[\rho : w \to w', s \in V^{w'}] \mapsto \bar H\rho\,(s)$, the restriction of $s$ to the public cells $\rho(w)$.
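A concrete model of the hiding example and of the isomorphism in the theorem, added here as an example and not code from the talk. Layouts are finite sets of location names, injections and stores are dictionaries, `restrict` is the contravariant store presheaf, `extend` is $H(\rho, \eta)$, and `initialization_between` searches for a single $\epsilon : \rho_1 \to \rho_2$ with $(H\epsilon)s_1 = s_2$. Run on the slide's $s_1, s_2, s_3$ (constructed values) it shows that $s_2$ and $s_3$ are not related by one initialization but only through the equivalence generated by $\sim$, while their public part, the image of the isomorphism $PH \cong H$, is the same.

```python
"""Heap layouts, the two store functors and the equivalence classes that make
up (PH)w, following the hiding example and the theorem PH ~= H above.

Added example, not code from the talk. Locations are strings 'l1', 'l2', ...,
an injection rho : w -> w' is a dict, a store in V^w is a dict from the cells
of w to values, and an initialization (sigma, eta) : w1 -> w2 is an injection
sigma together with values eta for the cells w2 (-) sigma it does not hit."""
from itertools import permutations
from typing import Dict, FrozenSet, Optional, Tuple

Layout = FrozenSet[str]
Inj = Dict[str, str]
Store = Dict[str, str]


def complement(rho: Inj, w2: Layout) -> Layout:
    """w2 (-) rho = w2 \\ img(rho): the private cells."""
    return w2 - frozenset(rho.values())


def restrict(rho: Inj, s2: Store) -> Store:
    """The contravariant store presheaf on rho: pull a store on w2 back to w1."""
    return {l: s2[rho[l]] for l in rho}


def extend(rho: Inj, eta: Store, s1: Store) -> Store:
    """H(rho, eta)(s1) in [E, Set]: push s1 along rho and fill the private
    cells from eta (the cotuple [eta, s1] on w2 ~= (w2 (-) rho) (+) w1)."""
    s2 = {rho[l]: s1[l] for l in rho}
    s2.update(eta)
    return s2


def initialization_between(rho1: Inj, w1: Layout, s1: Store,
                           rho2: Inj, w2: Layout, s2: Store
                           ) -> Optional[Tuple[Inj, Store]]:
    """Search for eps = (sigma, eta) : rho1 -> rho2 in w↓U with H(eps)(s1) = s2,
    i.e. U eps o rho1 = rho2 and s2 o sigma = s1; eta is then forced to be the
    content of the cells of w2 that sigma misses. None if no such eps exists."""
    cells1 = sorted(w1)
    for image in permutations(sorted(w2), len(cells1)):
        sigma = dict(zip(cells1, image))
        if any(sigma[rho1[l]] != rho2[l] for l in rho1):   # triangle over w
            continue
        if any(s2[sigma[l]] != s1[l] for l in cells1):     # values of w1 agree
            continue
        eta = {l: s2[l] for l in complement(sigma, w2)}
        assert extend(sigma, eta, s1) == s2                # H(eps) s1 = s2
        return sigma, eta
    return None


def public_part(rho: Inj, s: Store) -> Store:
    """The isomorphism (PH)w -> Hw of the theorem: [rho, s] |-> restriction of s
    along rho, which is invariant under the equivalence generated by ~."""
    return restrict(rho, s)


# The hiding example from the slides, constructed: w = {l1, l2} is public.
W = frozenset({"l1", "l2"})
W3 = frozenset({"l1", "l2", "l3"})
ID_W = {"l1": "l1", "l2": "l2"}         # id_w, also the inclusion w -> W3
S1 = {"l1": "v1", "l2": "v2"}
S2 = {"l1": "v1", "l2": "v2", "l3": "v3"}
S3 = {"l1": "v1", "l2": "v2", "l3": "v4"}


def slide_example() -> Tuple[bool, bool, bool]:
    """(s1 ~ s2 by a single initialization, s2 ~ s3 by a single initialization,
    all three have the same public part)."""
    s1_to_s2 = initialization_between(ID_W, W, S1, ID_W, W3, S2) is not None
    s2_to_s3 = initialization_between(ID_W, W3, S2, ID_W, W3, S3) is not None
    same_public = (public_part(ID_W, S1) == public_part(ID_W, S2)
                   == public_part(ID_W, S3))
    return s1_to_s2, s2_to_s3, same_public
```

The brute-force search over injections is fine for layouts of a handful of cells and makes the definition of $\sim$ literal; `public_part` is the cheap invariant the theorem provides, and the pair `restrict`/`extend` is the "reducing and then extending" round trip of the earlier slides.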
making cells public

$$(P(H \times WU))w = \int^{\rho : w \to w' \in w \downarrow U} Hw' \times WUw'$$
Recall $W : \mathbb{W} \to \mathbf{Set}$, $Ww = w$.

Example

$$(\{l_1\} \hookrightarrow \{l_1, l_2\},\ [l_1 \mapsto v_1, l_2 \mapsto v_2],\ l_2) \;\sim\; (\{l_1\} \hookrightarrow \{l_1, l_3, l_4\},\ [l_1 \mapsto v_1, l_3 \mapsto v_3, l_4 \mapsto v_2],\ l_4)$$
We cannot remove the additional cell and its content.
Local store on $[\mathbb{E}, \mathbf{Set}]$

We would like to work with the monad
$$(TX)w = \Big(\int^{\rho : w \to w'} Xw' \times Vw'\Big)^{Vw},$$
i.e. $P$ composed with the adjunction $(- \times H) \dashv (-)^H$ on $[\mathbb{E}, \mathbf{Set}]$.

Problem: $P$ is not strong.
$P$ is not strong

We would like to define
$$\tau_{X,Y\,w} : Xw \times \int^{\rho : w \to w' \in w \downarrow U} Yw' \to \int^{\rho : w \to w' \in w \downarrow U} (Xw' \times Yw')$$
$$\tau_{X,Y\,w}(x \in Xw, [(\rho : w \to w', y \in Yw')]) = [(\rho : w \to w', (\,?? \in Xw', y))]$$
but $\rho$ is not an initialization, so we cannot map $x \in Xw$ to $Xw'$.
Implications of $P$ not being strong

We cannot show that $(TX)w = \big(\int^{\rho : w \to w'} Xw' \times Vw'\big)^{Vw}$ is strong.
We cannot show that $(RX)w = \big(\int^{\rho : w \to w'} Xw'\big)^{Vw}$ is a monad.

However, for $X : \mathbb{W} \to \mathbf{Set}$ we can define a strength
$$\tau_{X,Y} : XU \times PY \to P(XU \times Y), \qquad \tau_{X,Y\,w}(x \in Xw, [(\rho : w \to w', y \in Yw')]) = [(\rho : w \to w', ((X\rho)x, y))]$$
(recall $U : \mathbb{E} \to \mathbb{W}$ is the forgetful functor).
moving back to $\mathbb{W}$ via a geometric morphism

We arrive at the full ground storage monad $T$²:
$$T = [\mathbb{W}, \mathbf{Set}] \xrightarrow{U_*} [\mathbb{E}, \mathbf{Set}] \xrightarrow{- \times H} [\mathbb{E}, \mathbf{Set}] \xrightarrow{P} [\mathbb{E}, \mathbf{Set}] \xrightarrow{(-)^H} [\mathbb{E}, \mathbf{Set}] \xrightarrow{U^*} [\mathbb{W}, \mathbf{Set}]$$
with the adjunctions $U^* \dashv U_*$ and $(- \times H) \dashv (-)^H$, where
$$U^*(X) = XU, \qquad U_*X = \mathrm{Ran}_U(X).$$
$(U^*, U_*)$ is a geometric morphism.

²Kammar et al., "A monad for full ground reference cells".
Exponentials and the Kan extension

Theorem

Let $X : \mathbb{E} \to \mathbf{Set}$. Then $U_*(X^H) = X^{(-)}{}^{V^{(-)}}$, where $X^{(-)}{}^{V^{(-)}} : \mathbb{W} \to \mathbf{Set}$ with
$$\big(X^{(-)}{}^{V^{(-)}}\big)(\rho : w \to v)(p \in Xw^{Vw})(s \in V^v) = \big(X(\rho, V^{\rho^\complement}(s))\big)\big(p((\bar H\rho)s)\big).$$
The theorem enables one to unify developments by Plotkin/Power³ and Kammar et al.⁴

³Plotkin and Power, "Notions of Computation Determine Monads".
⁴Kammar et al., "A monad for full ground reference cells".
subobject classifier in presheaf categories

We still need to come up with a reader monad... Let $\mathbb{C}$ be a small category.

Definition

Let $c \in |\mathbb{C}|$. A set $C$ of morphisms with domain $c$ is a cosieve on $c$ if whenever $\rho : c \to c' \in C$ and $\rho' : c' \to c''$, then $\rho' \circ \rho \in C$.

Theorem

The subobject classifier in $[\mathbb{C}, \mathbf{Set}]$ is the functor that maps $c \in \mathbb{C}$ to the set of cosieves on $c$:
$$\Omega c = \{C \mid C \text{ cosieve on } c\}.$$
hiding the subobject classifier

Theorem

Let $\Omega$ be the subobject classifier in $[\mathbb{E}, \mathbf{Set}]$. Then $P\Omega \cong 2$.

Proof.

Take $[(\rho : w \to w', \bar t \in \Omega w')] \in \int^{\rho : w \to w'} \Omega w'$.
Case 1: $\bar t = \emptyset = \bot$.
Case 2: some $\epsilon : w' \to w'' \in \bar t$. Then
$$[(\rho : w \to w', \bar t \in \Omega w')] = [(U\epsilon \circ \rho, \top_{w''} \in \Omega w'')] = [(\mathrm{id}_w, \top_w \in \Omega w)].$$
duck duck duck duck duck

Theorem

Duck duck duck : duck $\to$ duck, duck duck duck duck duck duck : duck $\to$ duck$_\bot$.
$$\mathrm{Duck}_\bot = \Big\{\bar d \in \prod_{\mathrm{duck} \downarrow \mathrm{DUCK}} (\mathrm{duck} + \bot) \;\Big|\; \forall \mathrm{duck} : \mathrm{duck} \to \mathrm{duck}',\ \mathrm{pr}_{\mathrm{duck}}(\bar d) \neq \bot \Rightarrow \mathrm{DUCK}(\mathrm{pr}_{\mathrm{duck}}(\bar d))\Big\}$$
$\mathrm{duck}_\bot \cong \mathrm{Goose}$
partial map classifiers in presheaf categories

Theorem

For every $B : \mathbb{C} \to \mathbf{Set}$, the following functor forms a partial map classifier together with the canonical map $\eta_B : B \to B_\bot$:
$$B_\bot c = \Big\{\bar b \in \prod_{\rho : c \to c' \in c \downarrow \mathrm{id}_{\mathbb{C}}} (Bc' + \bot) \;\Big|\; \forall \rho : c \to c',\ \delta : c' \to c'',\ \mathrm{pr}_\rho(\bar b) \neq \bot \Rightarrow B\delta(\mathrm{pr}_\rho(\bar b)) = \mathrm{pr}_{\delta \circ \rho}(\bar b)\Big\}$$
$1_\bot \cong \Omega$
the reader monad and its simplification

$$R = [\mathbb{W}, \mathbf{Set}] \xrightarrow{U_*} [\mathbb{E}, \mathbf{Set}] \xrightarrow{(-)_\bot} [\mathbb{E}, \mathbf{Set}] \xrightarrow{(-)^H} [\mathbb{E}, \mathbf{Set}] \xrightarrow{U^*} [\mathbb{W}, \mathbf{Set}]$$
with the adjunctions $U^* \dashv U_*$ and $(- \times H) \dashv (-)^H$.

By abstract nonsense one can show: $R$ is a strong, commutative and copyable monad, and $R1$ is a complete internal Heyting algebra (i.e. it supports the logical operators).

The functor simplifies:
$$(RX)w = \big(X^{\mathbb{E}}_\bot\, w\big)^{Vw}, \qquad (R1)w = (\Omega w)^{Vw}.$$
weakest preconditions

$\tau : TR1 \to R1$ is the composite
$$\big(U^*(-)^H P(- \times H)U_*\,U^*(-)^H(-)_\bot U_*\big)(1) \xrightarrow{\epsilon_U} \big(U^*(-)^H P(- \times H)(-)^H(-)_\bot U_*\big)(1) \xrightarrow{\mathrm{ev}} \big(U^*(-)^H P(-)_\bot U_*\big)(1) \longrightarrow \big(U^*(-)^H(-)_\bot U_*\big)(1).$$
As $P(\Omega) \cong 2$, there is only one reasonable way to define the last map $P(\Omega) \to \Omega$ in $[\mathbb{E}, \mathbf{Set}]$.
Hasuo, Ichiro. "Generic Weakest Precondition Semantics from Monads Enriched with Order". In: Coalgebraic Methods in Computer Science - 12th IFIP WG 1.3 International Workshop, CMCS 2014, Colocated with ETAPS 2014, Grenoble, France, April 5-6, 2014, Revised Selected Papers. 2014, pp. 10–32. doi: 10.1007/978-3-662-44124-4_2. url: https://doi.org/10.1007/978-3-662-44124-4_2.

Kammar, Ohad et al. "A monad for full ground reference cells". In: 32nd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2017, Reykjavik, Iceland, June 20-23, 2017. 2017, pp. 1–12. url: https://doi.org/10.1109/LICS.2017.8005109.

Plotkin, Gordon D. and John Power. "Notions of Computation Determine Monads". In: Foundations of Software Science and Computation Structures, 5th International Conference, FOSSACS 2002. Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2002, Grenoble, France, April 8-12, 2002, Proceedings. 2002, pp. 342–356. doi: 10.1007/3-540-45931-6_24. url: https://doi.org/10.1007/3-540-45931-6_24.

Simpson, Alex. "Category-theoretic Structure for Independence and Conditional Independence". In: Electr. Notes Theor. Comput. Sci. 336 (2018), pp. 281–297. doi: 10.1016/j.entcs.2018.03.028. url: https://doi.org/10.1016/j.entcs.2018.03.028.
Independence structures⁵

For $\rho_1 : w \to w_1$ and $\rho_2 : w \to w_2$ the independent coproduct over $w$ is
$$\rho_1 \oplus_w \rho_2 = w \oplus (w_1 \ominus \rho_1) \oplus (w_2 \ominus \rho_2).$$
(Diagram on the slide: a commuting square with $\rho_1$ and $\rho_2$ out of $w$ and the induced maps, written $\rho_1^*\rho_2$ and $\rho_2^*\rho_2$ on the slide, from $w_1$ and $w_2$ into $\rho_1 \oplus_w \rho_2$.)

⁵Simpson, "Category-theoretic Structure for Independence and Conditional Independence".
partial maps

Definition

In a category with pullbacks, a partial morphism $f : A \rightharpoonup B$ is a span $A \leftarrow D \to B$.
partial map classifier

Definition

A partial map classifier for $B$ is $(B_\bot, \eta_B : B \rightarrowtail B_\bot)$ such that for any partial morphism $f : A \rightharpoonup B$, given by a span $A \xleftarrow{m} X \xrightarrow{f} B$, there exists a unique $f_\bot : A \to B_\bot$ with $f_\bot \circ m = \eta_B \circ f$ (the square on the slide commutes).