1: \documentclass[fleqn]{modacmtrans2e}
2: %\documentclass[draft,fleqn]{acmtrans2e}
3: %\documentclass[draft,fleqn]{elsart}
4:
5: \usepackage{amsmath}
6: \usepackage{amssymb}
7: \usepackage{latexsym}
8: \usepackage{stmaryrd}
9: \usepackage{url}
10: \usepackage{verbatim}
11: \usepackage{ifthen}
12: %\usepackage{hhline}
13: \usepackage{pstricks}
14: \usepackage{graphicx}
15: \usepackage{rotating}
16: \usepackage{enumerate}
17: %\usepackage[nocites,norefs]{refcheck}
18:
19: \allowdisplaybreaks
20:
21: \newcommand*{\coanote}[1]{\footnote{\textbf{For co-authors:} {#1}}}
22: %\newcommand*{\coanote}[1]{}
23:
24:
25: %% Proof trees.
26: \message{<Paul Taylor's Proof Trees, 2 August 1996>}
27: %% Build proof tree for Natural Deduction, Sequent Calculus, etc.
28: %% WITH SHORTENING OF PROOF RULES!
29: %% Paul Taylor, begun 10 Oct 1989
30: %% *** THIS IS ONLY A PRELIMINARY VERSION AND THINGS MAY CHANGE! ***
31: %%
32: %% 2 Aug 1996: fixed \mscount and \proofdotnumber
33: %%
34: %% \prooftree
35: %% hyp1 produces:
36: %% hyp2
37: %% hyp3 hyp1 hyp2 hyp3
38: %% \justifies -------------------- rulename
39: %% concl concl
40: %% \thickness=0.08em
41: %% \shiftright 2em
42: %% \using
43: %% rulename
44: %% \endprooftree
45: %%
46: %% where the hypotheses may be similar structures or just formulae.
47: %%
48: %% To get a vertical string of dots instead of the proof rule, do
49: %%
50: %% \prooftree which produces:
51: %% [hyp]
52: %% \using [hyp]
53: %% name .
54: %% \proofdotseparation=1.2ex .name
55: %% \proofdotnumber=4 .
56: %% \leadsto .
57: %% concl concl
58: %% \endprooftree
59: %%
60: %% Within a prooftree, \[ and \] may be used instead of \prooftree and
61: %% \endprooftree; this is not permitted at the outer level because it
62: %% conflicts with LaTeX. Also,
63: %% \Justifies
64: %% produces a double line. In LaTeX you can use \begin{prooftree} and
65: %% \end{prootree} at the outer level (however this will not work for the inner
66: %% levels, but in any case why would you want to be so verbose?).
67: %%
68: %% All of of the keywords except \prooftree and \endprooftree are optional
69: %% and may appear in any order. They may also be combined in \newcommand's
70: %% eg "\def\Cut{\using\sf cut\thickness.08em\justifies}" with the abbreviation
71: %% "\prooftree hyp1 hyp2 \Cut \concl \endprooftree". This is recommended and
72: %% some standard abbreviations will be found at the end of this file.
73: %%
74: %% \thickness specifies the breadth of the rule in any units, although
75: %% font-relative units such as "ex" or "em" are preferable.
76: %% It may optionally be followed by "=".
77: %% \proofrulebreadth=.08em or \setlength\proofrulebreadth{.08em} may also be
78: %% used either in place of \thickness or globally; the default is 0.04em.
79: %% \proofdotseparation and \proofdotnumber control the size of the
80: %% string of dots
81: %%
82: %% If proof trees and formulae are mixed, some explicit spacing is needed,
83: %% but don't put anything to the left of the left-most (or the right of
84: %% the right-most) hypothesis, or put it in braces, because this will cause
85: %% the indentation to be lost.
86: %%
87: %% By default the conclusion is centered wrt the left-most and right-most
88: %% immediate hypotheses (not their proofs); \shiftright or \shiftleft moves
89: %% it relative to this position. (Not sure about this specification or how
90: %% it should affect spreading of proof tree.)
91: %
92: % global assignments to dimensions seem to have the effect of stretching
93: % diagrams horizontally.
94: %
95: %%==========================================================================
96:
97: \def\introrule{{\cal I}}\def\elimrule{{\cal E}}%%
98: \def\andintro{\using{\land}\introrule\justifies}%%
99: \def\impelim{\using{\Rightarrow}\elimrule\justifies}%%
100: \def\allintro{\using{\forall}\introrule\justifies}%%
101: \def\allelim{\using{\forall}\elimrule\justifies}%%
102: \def\falseelim{\using{\bot}\elimrule\justifies}%%
103: \def\existsintro{\using{\exists}\introrule\justifies}%%
104:
105: %% #1 is meant to be 1 or 2 for the first or second formula
106: \def\andelim#1{\using{\land}#1\elimrule\justifies}%%
107: \def\orintro#1{\using{\lor}#1\introrule\justifies}%%
108:
109: %% #1 is meant to be a label corresponding to the discharged hypothesis/es
110: \def\impintro#1{\using{\Rightarrow}\introrule_{#1}\justifies}%%
111: \def\orelim#1{\using{\lor}\elimrule_{#1}\justifies}%%
112: \def\existselim#1{\using{\exists}\elimrule_{#1}\justifies}
113:
114: %%==========================================================================
115:
116: \newdimen\proofrulebreadth \proofrulebreadth=.05em
117: \newdimen\proofdotseparation \proofdotseparation=1.25ex
118: \newdimen\proofrulebaseline \proofrulebaseline=2ex
119: \newcount\proofdotnumber \proofdotnumber=3
120: \let\then\relax
121: \def\hfi{\hskip0pt plus.0001fil}
122: \mathchardef\squigto="3A3B
123: %
124: % flag where we are
125: \newif\ifinsideprooftree\insideprooftreefalse
126: \newif\ifonleftofproofrule\onleftofproofrulefalse
127: \newif\ifproofdots\proofdotsfalse
128: \newif\ifdoubleproof\doubleprooffalse
129: \let\wereinproofbit\relax
130: %
131: % dimensions and boxes of bits
132: \newdimen\shortenproofleft
133: \newdimen\shortenproofright
134: \newdimen\proofbelowshift
135: \newbox\proofabove
136: \newbox\proofbelow
137: \newbox\proofrulename
138: %
139: % miscellaneous commands for setting values
140: \def\shiftproofbelow{\let\next\relax\afterassignment\setshiftproofbelow\dimen0 }
141: \def\shiftproofbelowneg{\def\next{\multiply\dimen0 by-1 }%
142: \afterassignment\setshiftproofbelow\dimen0 }
143: \def\setshiftproofbelow{\next\proofbelowshift=\dimen0 }
144: \def\setproofrulebreadth{\proofrulebreadth}
145:
146: %=============================================================================
147: \def\prooftree{% NESTED ZERO (\ifonleftofproofrule)
148: %
149: % first find out whether we're at the left-hand end of a proof rule
150: \ifnum \lastpenalty=1
151: \then \unpenalty
152: \else \onleftofproofrulefalse
153: \fi
154: %
155: % some space on left (except if we're on left, and no infinity for outermost)
156: \ifonleftofproofrule
157: \else \ifinsideprooftree
158: \then \hskip.5em plus1fil
159: \fi
160: \fi
161: %
162: % begin our proof tree environment
163: \bgroup% NESTED ONE (\proofbelow, \proofrulename, \proofabove,
164: % \shortenproofleft, \shortenproofright, \proofrulebreadth)
165: \setbox\proofbelow=\hbox{}\setbox\proofrulename=\hbox{}%
166: \let\justifies\proofover\let\leadsto\proofoverdots\let\Justifies\proofoverdbl
167: \let\using\proofusing\let\[\prooftree
168: \ifinsideprooftree\let\]\endprooftree\fi
169: \proofdotsfalse\doubleprooffalse
170: \let\thickness\setproofrulebreadth
171: \let\shiftright\shiftproofbelow \let\shift\shiftproofbelow
172: \let\shiftleft\shiftproofbelowneg
173: \let\ifwasinsideprooftree\ifinsideprooftree
174: \insideprooftreetrue
175: %
176: % now begin to set the top of the rule (definitions local to it)
177: \setbox\proofabove=\hbox\bgroup$\displaystyle % NESTED TWO
178: \let\wereinproofbit\prooftree
179: %
180: % these local variables will be copied out:
181: \shortenproofleft=0pt \shortenproofright=0pt \proofbelowshift=0pt
182: %
183: % flags to enable inner proof tree to detect if on left:
184: \onleftofproofruletrue\penalty1
185: }
186:
187: %=============================================================================
188: % end whatever box and copy crucial values out of it
189: \def\eproofbit{% NESTED TWO
190: %
191: % various hacks applicable to hypothesis list
192: \ifx \wereinproofbit\prooftree
193: \then \ifcase \lastpenalty
194: \then \shortenproofright=0pt % 0: some other object, no indentation
195: \or \unpenalty\hfil % 1: empty hypotheses, just glue
196: \or \unpenalty\unskip % 2: just had a tree, remove glue
197: \else \shortenproofright=0pt % eh?
198: \fi
199: \fi
200: %
201: % pass out crucial values from scope
202: \global\dimen0=\shortenproofleft
203: \global\dimen1=\shortenproofright
204: \global\dimen2=\proofrulebreadth
205: \global\dimen3=\proofbelowshift
206: \global\dimen4=\proofdotseparation
207: \global\count255=\proofdotnumber
208: %
209: % end the box
210: $\egroup % NESTED ONE
211: %
212: % restore the values
213: \shortenproofleft=\dimen0
214: \shortenproofright=\dimen1
215: \proofrulebreadth=\dimen2
216: \proofbelowshift=\dimen3
217: \proofdotseparation=\dimen4
218: \proofdotnumber=\count255
219: }
220:
221: %=============================================================================
222: \def\proofover{% NESTED TWO
223: \eproofbit % NESTED ONE
224: \setbox\proofbelow=\hbox\bgroup % NESTED TWO
225: \let\wereinproofbit\proofover
226: $\displaystyle
227: }%
228: %
229: %=============================================================================
230: \def\proofoverdbl{% NESTED TWO
231: \eproofbit % NESTED ONE
232: \doubleprooftrue
233: \setbox\proofbelow=\hbox\bgroup % NESTED TWO
234: \let\wereinproofbit\proofoverdbl
235: $\displaystyle
236: }%
237: %
238: %=============================================================================
239: \def\proofoverdots{% NESTED TWO
240: \eproofbit % NESTED ONE
241: \proofdotstrue
242: \setbox\proofbelow=\hbox\bgroup % NESTED TWO
243: \let\wereinproofbit\proofoverdots
244: $\displaystyle
245: }%
246: %
247: %=============================================================================
248: \def\proofusing{% NESTED TWO
249: \eproofbit % NESTED ONE
250: \setbox\proofrulename=\hbox\bgroup % NESTED TWO
251: \let\wereinproofbit\proofusing
252: \kern0.3em$
253: }
254:
255: %=============================================================================
256: \def\endprooftree{% NESTED TWO
257: \eproofbit % NESTED ONE
258: % \dimen0 = length of proof rule
259: % \dimen1 = indentation of conclusion wrt rule
260: % \dimen2 = new \shortenproofleft, ie indentation of conclusion
261: % \dimen3 = new \shortenproofright, ie
262: % space on right of conclusion to end of tree
263: % \dimen4 = space on right of conclusion below rule
264: \dimen5 =0pt% spread of hypotheses
265: % \dimen6, \dimen7 = height & depth of rule
266: %
267: % length of rule needed by proof above
268: \dimen0=\wd\proofabove \advance\dimen0-\shortenproofleft
269: \advance\dimen0-\shortenproofright
270: %
271: % amount of spare space below
272: \dimen1=.5\dimen0 \advance\dimen1-.5\wd\proofbelow
273: \dimen4=\dimen1
274: \advance\dimen1\proofbelowshift \advance\dimen4-\proofbelowshift
275: %
276: % conclusion sticks out to left of immediate hypotheses
277: \ifdim \dimen1<0pt
278: \then \advance\shortenproofleft\dimen1
279: \advance\dimen0-\dimen1
280: \dimen1=0pt
281: % now it sticks out to left of tree!
282: \ifdim \shortenproofleft<0pt
283: \then \setbox\proofabove=\hbox{%
284: \kern-\shortenproofleft\unhbox\proofabove}%
285: \shortenproofleft=0pt
286: \fi
287: \fi
288: %
289: % and to the right
290: \ifdim \dimen4<0pt
291: \then \advance\shortenproofright\dimen4
292: \advance\dimen0-\dimen4
293: \dimen4=0pt
294: \fi
295: %
296: % make sure enough space for label
297: \ifdim \shortenproofright<\wd\proofrulename
298: \then \shortenproofright=\wd\proofrulename
299: \fi
300: %
301: % calculate new indentations
302: \dimen2=\shortenproofleft \advance\dimen2 by\dimen1
303: \dimen3=\shortenproofright\advance\dimen3 by\dimen4
304: %
305: % make the rule or dots, with name attached
306: \ifproofdots
307: \then
308: \dimen6=\shortenproofleft \advance\dimen6 .5\dimen0
309: \setbox1=\vbox to\proofdotseparation{\vss\hbox{$\cdot$}\vss}%
310: \setbox0=\hbox{%
311: \advance\dimen6-.5\wd1
312: \kern\dimen6
313: $\vcenter to\proofdotnumber\proofdotseparation
314: {\leaders\box1\vfill}$%
315: \unhbox\proofrulename}%
316: \else \dimen6=\fontdimen22\the\textfont2 % height of maths axis
317: \dimen7=\dimen6
318: \advance\dimen6by.5\proofrulebreadth
319: \advance\dimen7by-.5\proofrulebreadth
320: \setbox0=\hbox{%
321: \kern\shortenproofleft
322: \ifdoubleproof
323: \then \hbox to\dimen0{%
324: $\mathsurround0pt\mathord=\mkern-6mu%
325: \cleaders\hbox{$\mkern-2mu=\mkern-2mu$}\hfill
326: \mkern-6mu\mathord=$}%
327: \else \vrule height\dimen6 depth-\dimen7 width\dimen0
328: \fi
329: \unhbox\proofrulename}%
330: \ht0=\dimen6 \dp0=-\dimen7
331: \fi
332: %
333: % set up to centre outermost tree only
334: \let\doll\relax
335: \ifwasinsideprooftree
336: \then \let\VBOX\vbox
337: \else \ifmmode\else$\let\doll=$\fi
338: \let\VBOX\vcenter
339: \fi
340: % this \vbox or \vcenter is the actual output:
341: \VBOX {\baselineskip\proofrulebaseline \lineskip.2ex
342: \expandafter\lineskiplimit\ifproofdots0ex\else-0.6ex\fi
343: \hbox spread\dimen5 {\hfi\unhbox\proofabove\hfi}%
344: \hbox{\box0}%
345: \hbox {\kern\dimen2 \box\proofbelow}}\doll%
346: %
347: % pass new indentations out of scope
348: \global\dimen2=\dimen2
349: \global\dimen3=\dimen3
350: \egroup % NESTED ZERO
351: \ifonleftofproofrule
352: \then \shortenproofleft=\dimen2
353: \fi
354: \shortenproofright=\dimen3
355: %
356: % some space on right and flag we've just made a tree
357: \onleftofproofrulefalse
358: \ifinsideprooftree
359: \then \hskip.5em plus 1fil \penalty2
360: \fi
361: }
362:
363: %==========================================================================
364: % IDEAS
365: % 1. Specification of \shiftright and how to spread trees.
366: % 2. Spacing command \m which causes 1em+1fil spacing, over-riding
367: % exisiting space on sides of trees and not affecting the
368: % detection of being on the left or right.
369: % 3. Hack using \@currenvir to detect LaTeX environment; have to
370: % use \aftergroup to pass \shortenproofleft/right out.
371: % 4. (Pie in the sky) detect how much trees can be "tucked in"
372: % 5. Discharged hypotheses (diagonal lines).
373: \newcommand*{\nohyp}{\phantom{x}}
374:
375: %% C++.
376: \newcommand*{\Cplusplus}{{C\nolinebreak[4]\hspace{-.05em}\raisebox{.4ex}
377: {\tiny\bf ++}}}
378:
379: %% BNF rules.
380: \newcommand*{\vbar}{\mathrel{\mid}}
381:
382: %% Abstract syntax of the analyzed language.
383: \newcommand*{\Type}{\mathrm{Type}}
384: \newcommand*{\dType}{\mathrm{dType}}
385: \newcommand*{\dT}{\mathrm{dT}}
386: \newcommand*{\sType}{\mathrm{sType}}
387: \newcommand*{\sT}{\mathrm{sT}}
388: \newcommand*{\cType}{\mathrm{cType}}
389: \newcommand*{\cT}{\mathrm{cT}}
390: \newcommand*{\Integer}{\mathrm{Integer}}
391: \newcommand*{\Bool}{\mathrm{Bool}}
392: \newcommand*{\Id}{\mathrm{Id}}
393: \newcommand*{\id}{\mathrm{id}}
394: \newcommand*{\rId}{\mathrm{rId}}
395: \newcommand*{\idx}{\mathrm{x}}
396: \newcommand*{\ridx}{\underline{\mathrm{x}}}
397: \newcommand*{\Exp}{\mathrm{Exp}}
398: \newcommand*{\Exps}{\mathrm{Exps}}
399: \newcommand*{\Decl}{\mathrm{Decl}}
400: \newcommand*{\exceptDecl}{\mathrm{exceptDecl}}
401: \newcommand*{\Catch}{\mathrm{Catch}}
402: \newcommand*{\Stmt}{\mathrm{Stmt}}
403: \newcommand*{\Label}{\mathrm{Label}}
404: \newcommand*{\Con}{\mathrm{Con}}
405: \newcommand*{\con}{\mathrm{con}}
406: \newcommand*{\fps}{\mathrm{fps}}
407: \newcommand*{\funBody}{\mathrm{Body}}
408: \newcommand*{\funbody}{\mathrm{body}}
409: \newcommand*{\main}{\mathrm{main}}
410: \newcommand*{\es}{\mathrm{es}}
411: \newcommand*{\formParams}{\mathrm{formParams}}
412: \newcommand*{\emptysequence}{\boxempty}
413: \newcommand*{\Glob}{\mathrm{Glob}}
414:
415: %% Sets of configurations
416: \newcommand*{\NTe}{\Gamma_\mathrm{e}}
417: \newcommand*{\NTb}{\Gamma_\mathrm{b}}
418: \newcommand*{\NTd}{\Gamma_\mathrm{d}}
419: \newcommand*{\NTg}{\Gamma_\mathrm{g}}
420: \newcommand*{\NTs}{\Gamma_\mathrm{s}}
421: \newcommand*{\NTk}{\Gamma_\mathrm{k}}
422: \newcommand*{\Te}{T_\mathrm{e}}
423: \newcommand*{\Tb}{T_\mathrm{b}}
424: \newcommand*{\Td}{T_\mathrm{d}}
425: \newcommand*{\Tg}{T_\mathrm{g}}
426: \newcommand*{\Ts}{T_\mathrm{s}}
427: \newcommand*{\Tk}{T_\mathrm{k}}
428:
429: %% Lambda notation.
430: \newcommand*{\lambdaop}{\mathop{\lambda}\nolimits}
431:
432: %% Sets of (no better specified) configurations.
433: \newcommand*{\NT}[1]{\Gamma_{#1}}
434: \newcommand*{\NTq}{\Gamma_q}
435: \newcommand*{\Tq}{T_q}
436:
437: %% Denotable values.
438: \newcommand*{\dVal}{\mathrm{dVal}}
439: %% Storeable values.
440: \newcommand*{\sVal}{\mathrm{sVal}}
441: \newcommand*{\sval}{\mathrm{sval}}
442:
443: %% Control modes.
444: \newcommand*{\CtrlMode}{\mathord{\mathrm{CtrlMode}}}
445: \newcommand*{\cm}{\mathrm{cm}}
446: %% Branch modes.
447: %\newcommand*{\BranchMode}{\mathord{\mathrm{BranchMode}}}
448: \newcommand*{\GotoMode}{\mathord{\mathrm{GotoMode}}}
449: \newcommand*{\SwitchMode}{\mathord{\mathrm{SwitchMode}}}
450: \newcommand*{\cmgoto}{\mathop{\mathrm{goto}}\nolimits}
451: \newcommand*{\cmswitch}{\mathop{\mathrm{switch}}\nolimits}
452: \newcommand*{\cmbreak}{\mathop{\mathrm{break}}\nolimits}
453: \newcommand*{\cmcontinue}{\mathop{\mathrm{continue}}\nolimits}
454: \newcommand*{\cmreturn}{\mathop{\mathrm{return}}\nolimits}
455: %% Exec mode.
456: \newcommand*{\cmexec}{\mathrm{exec}}
457: %% Value mode.
458: \newcommand*{\ValMode}{\mathord{\mathrm{ValMode}}}
459: \newcommand*{\cmvalue}{\mathop{\mathrm{value}}\nolimits}
460: %% Environment mode.
461: \newcommand*{\EnvMode}{\mathord{\mathrm{EnvMode}}}
462: \newcommand*{\cmenv}{\mathrm{env}}
463: %% Exception modes.
464: \newcommand*{\ExceptMode}{\mathord{\mathrm{ExceptMode}}}
465: \newcommand*{\cmexcept}{\mathrm{except}}
466:
467: %% Control states.
468: \newcommand*{\CtrlState}{\mathord{\mathrm{CtrlState}}}
469: \newcommand*{\cs}{\mathord{\mathrm{cs}}}
470: %% Value states.
471: \newcommand*{\ValState}{\mathord{\mathrm{ValState}}}
472: \newcommand*{\valstate}{\upsilon}
473: %% Environment states.
474: %\newcommand*{\EnvState}{\mathord{\mathrm{EnvState}}}
475: %% Exception states.
476: \newcommand*{\ExceptState}{\mathord{\mathrm{ExceptState}}}
477: \newcommand*{\exceptstate}{\varepsilon}
478:
479: %% Keywords.
480: \newcommand*{\kw}[1]{\mathop{\textup{\textbf{#1}}}}
481:
482: \newcommand*{\bop}{\mathbin{\mathrm{bop}}}
483: %\newcommand*{\uop}{\mathop{\mathrm{uop}}}
484:
485: %% Things that hold by definition.
486: \newcommand{\defrel}[1]{\mathrel{\buildrel \mathrm{def} \over {#1}}}
487: \newcommand{\defeq}{\defrel{=}}
488: \newcommand{\defiff}{\defrel{\Longleftrightarrow}}
489: %\newcommand{\defeq}{=}
490: %\newcommand{\defiff}{\Longleftrightarrow}
491:
492: %% Divergence relation
493: \newcommand{\diverges}{\,\mathord{\buildrel \infty \over \longrightarrow}}
494:
495: %% Special letters denoting sets and algebras.
496: \providecommand*{\Nset}{\mathbb{N}} % Naturals
497: \providecommand*{\Qset}{\mathbb{Q}} % Rationals
498: \providecommand*{\Zset}{\mathbb{Z}} % Integers
499: \providecommand*{\Rset}{\mathbb{R}} % Reals
500:
501: %% Calligraphic alphabet.
502: \newcommand*{\calA}{\ensuremath{\mathcal{A}}}
503: \newcommand*{\calB}{\ensuremath{\mathcal{B}}}
504: \newcommand*{\calC}{\ensuremath{\mathcal{C}}}
505: \newcommand*{\calD}{\ensuremath{\mathcal{D}}}
506: \newcommand*{\calE}{\ensuremath{\mathcal{E}}}
507: \newcommand*{\calF}{\ensuremath{\mathcal{F}}}
508: \newcommand*{\calG}{\ensuremath{\mathcal{G}}}
509: \newcommand*{\calH}{\ensuremath{\mathcal{H}}}
510: \newcommand*{\calI}{\ensuremath{\mathcal{I}}}
511: \newcommand*{\calJ}{\ensuremath{\mathcal{J}}}
512: \newcommand*{\calK}{\ensuremath{\mathcal{K}}}
513: \newcommand*{\calL}{\ensuremath{\mathcal{L}}}
514: \newcommand*{\calM}{\ensuremath{\mathcal{M}}}
515: \newcommand*{\calN}{\ensuremath{\mathcal{N}}}
516: \newcommand*{\calO}{\ensuremath{\mathcal{O}}}
517: \newcommand*{\calP}{\ensuremath{\mathcal{P}}}
518: \newcommand*{\calQ}{\ensuremath{\mathcal{Q}}}
519: \newcommand*{\calR}{\ensuremath{\mathcal{R}}}
520: \newcommand*{\calS}{\ensuremath{\mathcal{S}}}
521: \newcommand*{\calT}{\ensuremath{\mathcal{T}}}
522: \newcommand*{\calU}{\ensuremath{\mathcal{U}}}
523: \newcommand*{\calV}{\ensuremath{\mathcal{V}}}
524: \newcommand*{\calW}{\ensuremath{\mathcal{W}}}
525: \newcommand*{\calX}{\ensuremath{\mathcal{X}}}
526: \newcommand*{\calY}{\ensuremath{\mathcal{Y}}}
527: \newcommand*{\calZ}{\ensuremath{\mathcal{Z}}}
528:
529: %% Declarators for functions and relations.
530: \newcommand*{\reld}[3]{\mathord{#1}\subseteq#2\times#3}
531: \newcommand*{\fund}[3]{\mathord{#1}\colon#2\to#3}
532: \newcommand*{\pard}[3]{\mathord{#1}\colon#2\rightarrowtail#3}
533:
534: %% Logical quantifiers stuff.
535: \newcommand{\st}{\mathrel{.}}
536: \newcommand{\itc}{\mathrel{:}}
537:
538: %% Domain, codomain and range of a function.
539: \newcommand*{\dom}{\mathop{\mathrm{dom}}\nolimits}
540: %\newcommand*{\cod}{\mathop{\mathrm{cod}}\nolimits}
541: %\newcommand*{\range}{\mathop{\mathrm{range}}\nolimits}
542:
543: %% Restriction of a function.
544: \newcommand*{\restrict}[1]{\mathop{\mid}\nolimits_{#1}}
545:
546: %% Type of a constant.
547: \newcommand*{\type}{\mathop{\mathrm{type}}\nolimits}
548:
549: %% Lubs, glbs, and fixed points.
550: \newcommand*{\lub}{\mathop{\mathrm{lub}}\nolimits}
551: %\newcommand*{\glb}{\mathop{\mathrm{glb}}\nolimits}
552: \newcommand*{\lfp}{\mathop{\mathrm{lfp}}\nolimits}
553: \newcommand*{\gfp}{\mathop{\mathrm{gfp}}\nolimits}
554:
555: %% Generic widening.
556: \newcommand*{\widen}{\mathbin{\nabla}}
557:
558: %% Set theory.
559: \renewcommand{\emptyset}{\varnothing}
560:
561: %\newcommand*{\wpc}{\mathop{\wp_\mathrm{c}}\nolimits}
562: %\newcommand*{\wpf}{\mathop{\wp_\mathrm{f}}\nolimits}
563: %\newcommand*{\wpn}{\mathop{\wp_\mathrm{n}}\nolimits}
564:
565: \newcommand*{\sseq}{\subseteq}
566: \newcommand*{\sseqf}{\mathrel{\subseteq_\mathrm{f}}}
567: \newcommand*{\sslt}{\subset}
568: %\newcommand*{\Sseq}{\supseteq}
569: %\newcommand*{\Ssgt}{\supset}
570:
571: %\newcommand{\Nsseq}{\nsubseteq}
572:
573: \newcommand*{\union}{\cup}
574: \newcommand*{\bigunion}{\bigcup}
575: %\newcommand*{\biginters}{\bigcap}
576: \newcommand*{\inters}{\cap}
577: \newcommand*{\setdiff}{\setminus}
578:
579: \newcommand{\sset}[2]{{\renewcommand{\arraystretch}{1.2}
580: \left\{\,#1 \,\left|\,
581: \begin{array}{@{}l@{}}#2\end{array}
582: \right. \,\right\}}}
583:
584: %% Base sets.
585: \newcommand*{\ttv}{\mathrm{tt}}
586: \newcommand*{\ffv}{\mathrm{ff}}
587: \newcommand*{\divop}{\mathbin{/}}
588: \newcommand*{\modop}{\mathbin{\%}}
589: \newcommand*{\andop}{\mathbin{\textbf{\textup{and}}}}
590: \newcommand*{\orop}{\mathbin{\textbf{\textup{or}}}}
591: \newcommand*{\notop}{\mathop{\textbf{\textup{not}}}}
592:
593: \newcommand*{\FI}{\mathop{\mathrm{FI}}\nolimits}
594: \newcommand*{\DI}{\mathop{\mathrm{DI}}\nolimits}
595: \newcommand*{\SL}{\mathop{\mathrm{SL}}\nolimits}
596: %\newcommand*{\match}{\mathop{\mathrm{match}}\nolimits}
597:
598: \newcommand*{\Env}{\mathord{\mathrm{Env}}}
599: \newcommand*{\emptystring}{\mathord{\epsilon}}
600:
601: %% Exceptions.
602: \newcommand*{\RTSExcept}{\mathord{\mathrm{RTSExcept}}}
603: \newcommand*{\rtsexcept}{\chi}
604: \newcommand*{\Except}{\mathord{\mathrm{Except}}}
605: \newcommand*{\except}{\xi}
606: \newcommand*{\none}{\mathtt{none}}
607: \newcommand*{\divbyzero}{\mathtt{divbyzero}}
608: \newcommand*{\stkovflw}{\mathtt{stkovflw}}
609: \newcommand*{\datovflw}{\mathtt{datovflw}}
610: \newcommand*{\memerror}{\mathtt{memerror}}
611: %\newcommand*{\inerror}{\mathtt{inerror}}
612: %\newcommand*{\nullptr}{\mathtt{nullptr}}
613: %\newcommand*{\outofboundsptr}{\mathtt{outofboundsptr}}
614:
615: %% Flags for terminal configurations of catch clauses.
616: \newcommand*{\caught}{\mathtt{caught}}
617: \newcommand*{\uncaught}{\mathtt{uncaught}}
618:
619: %% Static semantics.
620: \newcommand*{\TEnv}{\mathord{\mathrm{TEnv}}}
621: \newcommand*{\tinteger}{\mathrm{integer}}
622: \newcommand*{\tboolean}{\mathrm{boolean}}
623: \newcommand*{\trtsexcept}{\mathrm{rts\_exception}}
624:
625: %% Memory structures.
626: \newcommand*{\Loc}{\mathord{\mathrm{Loc}}}
627: \newcommand*{\Ind}{\mathrm{Ind}}
628: \newcommand*{\Addr}{\mathrm{Addr}}
629: \newcommand*{\Map}{\mathrm{Map}}
630: %\newcommand*{\eMap}{\mathrm{eMap}}
631: \newcommand*{\Stack}{\mathord{\mathrm{Stack}}}
632: \newcommand*{\Mem}{\mathord{\mathrm{Mem}}}
633: \newcommand*{\stknew}{\mathop{\mathrm{new}_\mathrm{s}}\nolimits}
634: \newcommand*{\datnew}{\mathop{\mathrm{new}_\mathrm{d}}\nolimits}
635: \newcommand*{\txtnew}{\mathop{\mathrm{new}_\mathrm{t}}\nolimits}
636: \newcommand*{\heapnew}{\mathop{\mathrm{new}_\mathrm{h}}\nolimits}
637: \newcommand*{\heapdel}{\mathop{\mathrm{delete}_\mathrm{h}}\nolimits}
638: \newcommand*{\datcleanup}{\mathop{\mathrm{cleanup}_\mathrm{d}}\nolimits}
639: \newcommand*{\smark}{\mathop{\mathrm{mark}_\mathrm{s}}\nolimits}
640: \newcommand*{\sunmark}{\mathop{\mathrm{unmark}_\mathrm{s}}\nolimits}
641: \newcommand*{\slink}{\mathop{\mathrm{link}_\mathrm{s}}\nolimits}
642: \newcommand*{\sunlink}{\mathop{\mathrm{unlink}_\mathrm{s}}\nolimits}
643: \newcommand*{\asmark}{\mathop{\mathrm{mark}_\mathrm{s}^\sharp}\nolimits}
644: \newcommand*{\asunmark}{\mathop{\mathrm{unmark}_\mathrm{s}^\sharp}\nolimits}
645: \newcommand*{\aslink}{\mathop{\mathrm{link}_\mathrm{s}^\sharp}\nolimits}
646: \newcommand*{\asunlink}{\mathop{\mathrm{unlink}_\mathrm{s}^\sharp}\nolimits}
647: \newcommand*{\sm}{\dag}
648: \newcommand*{\fm}{\ddag}
649: \newcommand*{\topmost}{\mathop{\mathrm{tf}}\nolimits}
650: %% Short forms of \datcleanup, \sunmark, \sunlink for table.
651: \newcommand*{\datcleanupshort}{\mathop{\mathrm{cu}_\mathrm{d}}\nolimits}
652: \newcommand*{\sunmarkshort}{\mathop{\mathrm{um}_\mathrm{s}}\nolimits}
653: \newcommand*{\sunlinkshort}{\mathop{\mathrm{ul}_\mathrm{s}}\nolimits}
654:
655: \newcommand*{\location}[1]{\mathord{#1 \; \mathrm{loc}}}
656: %\newcommand*{\saeval}{\mathop{\mathrm{aeval}}\nolimits}
657: %\newcommand*{\saupd}{\mathop{\mathrm{aupd}}\nolimits}
658: \newcommand*{\asupported}{\mathop{\mathrm{supported}^\sharp}\nolimits}
659: \newcommand*{\aeval}{\mathop{\mathrm{eval}^\sharp}\nolimits}
660: \newcommand*{\ceval}[1]{\mathop{\mathrm{eval}_{#1}}\nolimits}
661:
662: %% Abstracts.
663: \newcommand*{\Abstract}{\mathord{\mathrm{Abstract}}}
664: \newcommand*{\abs}{\mathord{\mathrm{abs}}}
665:
666: %% Integer part function.
667: \newcommand{\intp}{\mathop{\mathrm{int}}\nolimits}
668:
669: %% Concrete functions and operations.
670: % Aritmethic
671: %% \newcommand*{\conadd}{\mathbin{\boxplus}}
672: %% \newcommand*{\consub}{\mathbin{\boxminus}}
673: %% \newcommand*{\conmul}{\mathbin{\boxdot}}
674: %% \newcommand*{\condiv}{\mathbin{\boxslash}}
675: %% \newcommand*{\conmod}{\mathbin{\boxbar}}
676: % Boolean
677: %% \newcommand*{\coneq}{\mathbin{\triangleq}}
678: %% \newcommand*{\conineq}{\mathbin{\trianglelefteq}}
679: %% \newcommand*{\conneg}{\mathbin{\daleth}}
680: %% \newcommand*{\conor}{\mathbin{\triangledown}}
681: %% \newcommand*{\conand}{\mathbin{\vartriangle}}
682: \newcommand*{\bneg}{\mathop{\neg}\nolimits}
683:
684: %% Abstract functions and operations.
685: % Aritmethic
686: \newcommand*{\absuminus}{\mathop{\ominus}\nolimits}
687: \newcommand*{\absadd}{\mathbin{\oplus}}
688: \newcommand*{\abssub}{\mathbin{\ominus}}
689: \newcommand*{\absmul}{\mathbin{\odot}}
690: \newcommand*{\absdiv}{\mathbin{\oslash}}
691: \newcommand*{\absmod}{\mathbin{\obar}}
692: % Boolean
693: \newcommand*{\abseq}{\mathrel{\triangleq}}
694: \newcommand*{\absneq}{\mathrel{\not\triangleq}}
695: \newcommand*{\absleq}{\mathrel{\trianglelefteq}}
696: \newcommand*{\abslt}{\mathrel{\vartriangleleft}}
697: \newcommand*{\absgeq}{\mathrel{\trianglerighteq}}
698: \newcommand*{\absgt}{\mathrel{\vartriangleright}}
699: \newcommand*{\absneg}{\mathrel{\circleddash}}
700: \newcommand*{\absor}{\mathrel{\ovee}}
701: \newcommand*{\absand}{\mathrel{\owedge}}
702:
703: %% Summaries for theorem-like environments
704: \newcommand{\summary}[1]{\textrm{\textbf{\textup{#1}}}}
705:
706: %% Filter function extracting the relevant and irrelevant parts.
707: \newcommand*{\sel}{\mathop{\mathrm{sel}}\nolimits}
708: \newcommand*{\mem}{\mathop{\mathrm{mem}}\nolimits}
709:
710: %% Modeling definite exceptions.
711: %\newcommand*{\None}{\mathrm{None}}
712:
713: %% Strict Cartesian products.
714: \newcommand*{\stimes}{\otimes}
715: \newcommand*{\spair}[2]{{#1} \otimes {#2}}
716: %\newcommand*{\rstimes}{\rtimes}
717: %\newcommand*{\rspair}[2]{{#1} \rtimes {#2}}
718: %\newcommand*{\lstimes}{\ltimes}
719: %\newcommand*{\lspair}[2]{{#1} \ltimes {#2}}
720:
721: %% Additional syntax for the numeric type extension supplement
722: \newcommand*{\iT}{\mathrm{iT}}
723: \newcommand*{\iType}{\mathrm{iType}}
724: \newcommand*{\tschar}{\mathrm{signed\_char}}
725: \newcommand*{\tuchar}{\mathrm{unsigned\_char}}
726: \newcommand*{\flcon}{\mathrm{fl}}
727: \newcommand*{\Float}{\mathrm{Float}}
728: \newcommand*{\sccon}{\mathrm{sc}}
729: \newcommand*{\sChar}{\mathrm{sChar}}
730: \newcommand*{\uccon}{\mathrm{uc}}
731: \newcommand*{\uChar}{\mathrm{uChar}}
732:
733: %% Additional macros for the extension for extra numeric types
734: %% Floating point types.
735: \newcommand*{\tfloat}{\mathrm{float}}
736: %% Numeric types
737: \newcommand*{\nType}{\mathrm{nType}}
738: \newcommand*{\nT}{\mathrm{nT}}
739:
740: %% Additional macros for the extension to pointer and arrays:
741: %% Elementary types.
742: \newcommand*{\eType}{\mathrm{eType}}
743: \newcommand*{\eT}{\mathrm{eT}}
744: %% Elementary values.
745: %\newcommand*{\eValue}{\mathrm{eVal}}
746: %% Array types.
747: \newcommand*{\aType}{\mathrm{aType}}
748: \newcommand*{\aT}{\mathrm{aT}}
749: %% Record types.
750: \newcommand*{\rType}{\mathrm{rType}}
751: \newcommand*{\rT}{\mathrm{rT}}
752: %% Object types.
753: \newcommand*{\oType}{\mathrm{oType}}
754: \newcommand*{\oT}{\mathrm{oT}}
755: %% Function types.
756: \newcommand*{\fType}{\mathrm{fType}}
757: \newcommand*{\fT}{\mathrm{fT}}
758: %% Memory types.
759: \newcommand*{\mType}{\mathrm{mType}}
760: \newcommand*{\mT}{\mathrm{mT}}
761: %% Pointer types.
762: \newcommand*{\pType}{\mathrm{pType}}
763: \newcommand*{\pT}{\mathrm{pT}}
764: %% Offsets.
765: \newcommand*{\Offset}{\mathrm{Offset}}
766: \newcommand*{\nooffset}{\boxempty}
767: \newcommand*{\indexoffset}[1]{\mathopen{\boldsymbol{[}}{#1}\mathclose{\boldsymbol{]}}}
768: \newcommand*{\fieldoffset}[1]{\mathop{\boldsymbol{.}}{#1}}
769: %% Lvalues.
770: \newcommand*{\lValue}{\mathrm{LValue}}
771: \newcommand*{\lvalue}{\mathrm{lval}}
772: %% Rvalues.
773: \newcommand*{\rValue}{\mathrm{RValue}}
774: \newcommand*{\rvalue}{\mathrm{rval}}
775: %%
776: \newcommand*{\pointer}[1]{{#1}\boldsymbol{\ast}}
777: \newcommand*{\maddress}[1]{\mathop{\&}{#1}}
778: \newcommand*{\indirection}[1]{\mathop{\boldsymbol{\ast}}{#1}}
779: %%
780: \newcommand*{\locnull}{\mathord{l_\mathrm{null}}}
781: \newcommand*{\ptrmove}{{\mathop{\mathrm{ptrmove}}\nolimits}}
782: \newcommand*{\ptrdiff}{{\mathop{\mathrm{ptrdiff}}\nolimits}}
783: \newcommand*{\ptrcmp}{{\mathop{\mathrm{ptrcmp}}\nolimits}}
784: %%
785: \newcommand*{\arraysyntax}[3]{\kw{#1} {#2} \kw{of}\,{#3}}
786: \newcommand*{\arraytype}[2]{\arraysyntax{array}{#1}{#2}}
787: \newcommand*{\firstof}{{\mathop{\mathrm{firstof}}\nolimits}}
788: \newcommand*{\arrayindex}{\mathop{\mathrm{index}}\nolimits}
789: \newcommand*{\locindex}{\mathop{\mathrm{locindex}}\nolimits}
790: %%
791: \newcommand*{\recordsyntax}[3]{\kw{#1} {#2} \kw{of}\,{#3}}
792: \newcommand*{\recordtype}[2]{\recordsyntax{record}{#1}{#2}}
793: \newcommand*{\field}{\mathop{\mathrm{field}}\nolimits}
794: \newcommand*{\locfield}{\mathop{\mathrm{locfield}}\nolimits}
795: %%
796: \newcommand*{\NTo}{\Gamma_\mathrm{o}}
797: \newcommand*{\To}{T_\mathrm{o}}
798: \newcommand*{\NTl}{\Gamma_\mathrm{l}}
799: \newcommand*{\Tl}{T_\mathrm{l}}
800: %\newcommand*{\NTr}{\Gamma_\mathrm{r}}
801: %\newcommand*{\Tr}{T_\mathrm{r}}
802: %%
803: \newcommand*{\arraydatnew}{\mathop{\mathrm{newarray}_\mathrm{d}}\nolimits}
804: \newcommand*{\arraystknew}{\mathop{\mathrm{newarray}_\mathrm{s}}\nolimits}
805:
806:
807: %\usepackage{showlabels}
808: %\renewcommand{\showlabelfont}{\tiny}
809:
810: \newboolean{TOPLAS}
811: \setboolean{TOPLAS}{true}
812: %\setboolean{TOPLAS}{false}
813:
814: %% Theorem without summary, numbered inside Section.
815: \newtheorem{theorem}{Theorem}[section]
816: \newtheorem{definition}[theorem]{Definition}
817: \newtheorem{lemma}[theorem]{Lemma}
818: \newtheorem{proposition}[theorem]{Proposition}
819: \newtheorem{conjecture}[theorem]{Conjecture}
820:
821: \ifthenelse{\boolean{TOPLAS}}{
822:
823: }{
824:
825: \newcommand*{\citeN}[1]{\cite{#1}}
826: \newcommand*{\citeNN}[1]{\cite{#1}}
827:
828: \newenvironment{proof}
829: {
830: \begin{pf}
831: }
832: {
833: \end{pf}
834: }
835:
836: }
837:
838: \begin{document}
839:
840: \ifthenelse{\boolean{TOPLAS}}{
841: }{
842: \begin{frontmatter}
843: }
844:
845: \title{%
846: On the Design of Generic Static Analyzers \\
847: for Modern Imperative Languages
848: }
849:
850: \begin{abstract}
851: The design and implementation of precise static analyzers for
852: significant fragments of modern imperative languages like C,
853: \Cplusplus{}, Java and Python is a challenging problem.
854: In this paper, we consider a core imperative language
855: that has several features found in mainstream languages such as those
856: including recursive functions,
857: run-time system and user-defined exceptions, and a realistic data and
858: memory model.
859: For this language we provide a concrete semantics
860: ---characterizing both finite and infinite computations---
861: and a generic abstract semantics that we prove sound with
862: respect to the concrete one.
863: We say the abstract semantics is generic since it is designed to be
864: completely parametric on the analysis domains:
865: in particular, it provides support for
866: \emph{relational} domains (i.e., abstract domains that can capture the
867: relationships between different data objects).
868: We also sketch how the proposed methodology can be extended to accommodate
869: a larger language that includes pointers, compound data objects and
870: non-structured control flow mechanisms.
871: The approach, which is based on structured, big-step
872: $\mathrm{G}^\infty\mathrm{SOS}$ operational semantics and on abstract
873: interpretation, is modular in that the overall static analyzer is
874: naturally partitioned into components with clearly identified
875: responsibilities and interfaces, something that greatly simplifies
876: both the proof of correctness and the implementation.
877: \end{abstract}
878:
879: \ifthenelse{\boolean{TOPLAS}}{
880:
881: \author{%
882: ROBERTO BAGNARA \\
883: Department of Mathematics,
884: University of Parma,
885: Italy
886: \and
887: PATRICIA M. HILL \\
888: School of Computing,
889: University of Leeds,
890: UK
891: \and
892: ANDREA PESCETTI, and
893: ENEA ZAFFANELLA \\
894: Department of Mathematics,
895: University of Parma,
896: Italy
897: }
898:
899: \markboth{%
900: R.~Bagnara,
901: P.M.~Hill,
902: A.~Pescetti,
903: and E.~Zaffanella}%
904: {On the Design of Generic Static Analyzers for Modern Imperative Languages}
905:
906: \category{F3.1}{Logics and Meanings of Programs}{Specifying and Verifying and Reasoning about Programs.}
907: \terms{Languages, Verification.}
908: \keywords{Abstract interpretation, structured operational semantics.}
909:
910: \begin{bottomstuff}
911: This work has been partly supported by MIUR project
912: ``AIDA --- Abstract Interpretation: Design and Applications''
913: and by a Royal Society (UK) International Joint Project (ESEP) award.
914: \end{bottomstuff}
915:
916: }{
917: \author[Parma]{Roberto Bagnara},
918: \ead{bagnara@cs.unipr.it}
919: \author[Leeds]{Patricia M. Hill},
920: \ead{hill@comp.leeds.ac.uk}
921: \author[Parma]{Andrea Pescetti}
922: \ead{pescetti@cs.unipr.it}
923: \author[Parma]{Enea Zaffanella}
924: \ead{zaffanella@cs.unipr.it}
925:
926: \address[Parma]{Department of Mathematics, University of Parma, Italy}
927: \address[Leeds]{School of Computing, University of Leeds, UK}
928:
929: \end{frontmatter}
930: }
931: \maketitle
932:
933: %\tableofcontents
934:
935: \section{Introduction}
936:
937: The last few years have witnessed significant progress toward
938: achieving the ideal of the program verification grand challenge
939: \cite{Hoare03}. Still, the distance separating us from that ideal can
940: be measured by the substantial lack of available tools that are able
941: to verify the absence of relevant classes of run-time errors in code
942: written in (reasonably rich fragments of) mainstream imperative
943: languages like C, \Cplusplus{}, Java and Python. True: there is a
944: handful of commercial products that target generic applications
945: written in C, but little is known about them. In contrast, several
946: papers explain the essence of the techniques employed by the
947: \emph{ASTR\'EE} analyzer to formally and automatically verify the
948: absence of run-time errors in large safety-critical embedded
949: control/command codes \cite{BlanchetCCFMMMR02,BlanchetCCFMMMR03};
950: however, ASTR\'EE is specially targeted at a particular class of
951: programs and program properties, so that widening its scope of
952: application is likely to require significant effort \cite{Cousot05b}.
953: It is interesting to observe that, among the dozens of software
954: development tools that are freely available, there are hardly any
955: that, by analyzing the program semantics, are able to certify the
956: absence of important classes of run-time hazards such as, say, the
957: widely known \emph{buffer overflows} in C code.
958:
959: The reason for the current, extreme scarcity of the resource ``precise
960: analyzers for mainstream programming languages'' is that the design
961: and implementation of such analyzers is a very challenging problem.
962: The theory of abstract interpretation \cite{CousotC77,CousotC92fr} is
963: crucial to the management of the complexity of this problem and, in
964: fact, both ASTR\'EE and the existing commercial analyzers are
965: (as far as we know) based on it.
966: Static analysis via abstract interpretation is conducted by mimicking
967: the execution of the analyzed programs on an \emph{abstract domain}.
968: This is a set of computable representations of program properties
969: equipped with all the operations required to mirror, in an approximate
970: though correct way, the real, \emph{concrete} executions of the
971: program.
972: Over the last decade, research and development on the abstract domains
973: has led to the availability of several implementations of a wide range
974: of abstract domains: from the most efficient though imprecise, to the
975: most precise though inefficient. Simplification and acceleration
976: techniques have also been developed to mitigate the effects of this
977: complexity/precision trade-off. So the lack of semantics-based static
978: analyzers is not ascribable to a shortage of abstract domains and
979: their implementations.
980: The point is that there is more to a working analyzer than a collection
981: of abstract domains:
982: \begin{enumerate}[(i)]
983: \item
984: A \emph{concrete semantics} must be selected for the analyzed language
985: that models all the aspects of executions that are relevant to the
986: properties of interest. This semantics must be recognizable as a
987: sound characterization of the language at the intended level of
988: abstraction.
989: \item
990: An \emph{abstract semantics} must be selected and correlated to the
991: concrete semantics. This requires a proof of correctness that, while
992: greatly simplified by abstract interpretation theory,
993: can be a time-consuming task by highly qualified individuals.
994: \item
995: An algorithm to finitely and efficiently compute (approximations of)
996: the abstract semantics must be selected.
997: \item
998: For good results, the abstract domain needs to be an object that is
999: both complex and easily adaptable. So, instead of designing a new
1000: domain from scratch, it is often better if one can be obtained by
1001: combining simpler, existing, abstract domains. Even though the theory
1002: of abstract interpretation provides important conceptual instruments
1003: for the design of such a combination, a significant effort is still
1004: needed to achieve, as far as possible, the desired precision and
1005: efficiency levels. Note that this point can have an impact on
1006: points~(ii) and~(iii): a \emph{generic} abstract semantics has the
1007: advantage of not requiring an entirely new proof and a new algorithm
1008: each time the abstract domain changes.
1009: \end{enumerate}
1010: This paper, which is the first product of a long-term research plan
1011: that is meant to deal with all of the points above, specifically
1012: addresses points~(i) and~(ii) and refers to a slight generalization
1013: of existing techniques for point~(iii).
1014:
1015: \subsection{Contribution}
1016:
1017: We build on ideas that have been around for quite some time but, as
1018: far as we know, have never been sufficiently elaborated to be applied to
1019: the description and analysis of realistic imperative languages. In
1020: extreme synthesis, the contribution consists in filling a good portion
1021: of the gaps that have impeded the application of these ideas to
1022: complex imperative programming languages such as C.%
1023: \footnote{It is worth noticing that we improperly refer to the C language
1024: to actually mean some more constrained language
1025: ---like CIL, the \emph{C Intermediate Language}
1026: described in \cite{NeculaMRW02}---
1027: where all ambiguities have been removed, in addition to an
1028: ABI (\emph{Application Binary Interface}) that further
1029: defines its semantics. Similarly, by `Python' we
1030: mean a tractable subset of the language, such as the \emph{RPython}
1031: subset being developed by the \emph{PyPy} project (\url{http://pypy.org/}).}
1032:
1033: More precisely, here we define the concrete and generic abstract
1034: semantics constructions for a language
1035: ---called CPM---
1036: that incorporates all the features of mainstream, single-threaded
1037: imperative programming languages that can be somehow problematic
1038: from the point of view of static analysis.
1039: Most notably, the CPM language features:
1040: a non-toy memory model;
1041: exceptions;
1042: run-time errors modeled via exceptions
1043: (for instance, an exception is raised whenever a division by zero is
1044: attempted, when a stack allocation request causes a stack overflow
1045: or when other memory errors occur);
1046: array types;
1047: pointer types to both data objects and functions;
1048: short-circuit evaluation of Boolean operators;
1049: user-defined (possibly recursive) functions;
1050: and
1051: non-structured control flow mechanisms.
1052:
1053: For the description of the concrete dynamic semantics of the language
1054: we have used a structured operational semantics (SOS) approach extended to
1055: deal with infinite computations, mainly building on the work of Kahn,
1056: Plotkin and Cousot. With respect to what can be found in the
1057: literature, we have added the treatment of all non-structured control
1058: flow mechanisms of the C language. Of course, as the ultimate goal of
1059: this research is to end up with practical analysis tools, the concrete dynamic
1060: semantics has been defined in order to facilitate as much as possible
1061: the subsequent abstraction phase. Still, our dynamic semantics
1062: retains all the traditional good features: in particular, the concrete
1063: rule schemata are plainly readable (assuming the reader becomes
1064: sufficiently familiar with the unavoidable notational conventions) and
1065: fairly concise.
1066:
1067: For the abstract semantics, we build on the work of Schmidt by providing
1068: the concrete dynamic semantics rules with abstract counterparts.
1069: As far as we know, this is the first time that Schmidt's proposal
1070: is applied to the analysis of a realistic programming language
1071: [D.~Schmidt, personal communication, 2004].
1072: A remarkable feature of our abstract semantics is that it is truly
1073: generic in that it fully supports relational abstract domains: the key
1074: step in this direction is the identification and specification of a
1075: suitable set of operators on (concrete and abstract) memory
1076: structures, that allow for domain-independent approximations but
1077: without inherent limitations on the obtainable precision.
1078:
1079: Schmidt's proposal about the abstract interpretation of natural semantics
1080: has, in our opinion, two important advantages: concrete and abstract rules
1081: can be made executable and are easily correlated.
1082: We review these two aspects in turn.
1083:
1084: Even though here we do not provide details in this respect,
1085: a prototype system ---called ECLAIR\footnote{The
1086: `Extended CLAIR' system targets the analysis of mainstream programming
1087: languages by building upon CLAIR, the `Combined Language and Abstract
1088: Interpretation Resource', which was initially developed and used in a
1089: teaching context (see \url{http://www.cs.unipr.it/clair/}).}---
1090: has been developed in parallel with the writing of the present paper.
1091: The Prolog implementation exploits nice features
1092: of a semantics construction based on SOS approach:
1093: the concrete semantics rule schemata can be directly translated into
1094: Prolog clauses; and the resulting interpreter, with the help of a \Cplusplus{}
1095: implementation of memory structures, is efficient enough to run non-trivial
1096: programs.
1097: Similar considerations apply to the modules implementing the abstract
1098: semantics: the abstract semantics rules are almost directly translated
1099: to generic Prolog code that is interfaced with specialized libraries
1100: implementing several abstract domains, including accurate ones
1101: such as the ones provided by the Parma Polyhedra Library
1102: \cite{BagnaraHRZ05SCP,BagnaraHZ05FAC,BagnaraHZ06TR}.
1103: So, following this approach, the distance between the expression
1104: of the concrete semantics and its executable realization is,
1105: as is well known, very little; but the same can be said about the
1106: distance between the specification of the abstract semantics and
1107: the static analyzer that results from its implementation.
1108: This prototype system therefore gives us confidence that
1109: both the concrete and abstract semantics are correctly modeled and
1110: that, in this paper, no real difficulties have been overlooked.
1111:
1112: For space reasons, only a subset of CPM is treated in full depth in
1113: the main body of the paper (the extension of the design to the full
1114: language is only briefly described even though all the important points
1115: are covered). For this subset, we give a complete proof of
1116: correctness that relates the abstract semantics to the concrete
1117: semantics. The proofs are not complicated and suggest (also because
1118: of the way we present them) the possibility of their automatization.
1119: To summarize, at this stage of the research work it does not seem
1120: unreasonable that we may end up with: readable and executable
1121: representations of the concrete semantics of mainstream programming
1122: languages; readable and executable representations of program analyzers;
1123: correctness of the analyzers established by automatic specialized
1124: theorem provers; and, at last, availability of sophisticated program
1125: analyzers for such languages.
1126:
1127: A final word is due to address the following concern:
1128: if the target languages
1129: are ``real'' imperative programming languages, why choose CPM, an
1130: unreal one? The reason is indeed quite simple:
1131: Java and Python miss some of the ``hard'' features of C;
1132: C~misses exceptions; \Cplusplus{} is too hard, for the time being.
1133: So, choosing any one of these real languages
1134: would have been unlikely to provide us with the answer we were looking for,
1135: which was about the adequacy of Schmidt's approach with respect to
1136: the above goals. Moreover, in its ECLAIR realization, the CPM language
1137: is being extended so as to become a superset of C (i.e., with all the
1138: floating-point and integer types, cast and bitwise operators and so forth).
1139: Once that code has stabilized, a C and a Java subsystem will be forked.
1140:
1141:
1142:
1143: \subsection{Related Work}
1144:
1145: The literature on abstract interpretation proposes several
1146: \emph{frameworks} for static analysis, where the more general
1147: approaches put forward in foundational papers are partially specialized
1148: according to a given criterion.
1149: For a few examples of specializations based on the programming paradigm,
1150: one can mention
1151: the frameworks in~\cite{Bruynooghe91} and \cite{GiacobazziDL92}
1152: for the analysis of (constraint) logic programs;
1153: the approach in~\cite{CousotC94} for the analysis of functional programs;
1154: and the so called ``Marktoberdorf'98 generic static analyzer''
1155: specified in~\cite{Cousot98mark} for the analysis of imperative programs.
1156:
1157: All of these frameworks are ``generic'' in that,
1158: while fixing some of the parameters of the considered problem,
1159: they are still characterized by several degrees of freedom.
1160: It is therefore natural to reason on the similarities and differences
1161: between these approaches.
1162: However, independently from the programming paradigm under analysis,
1163: direct comparisons between frameworks are extremely difficult in that
1164: each proposal typically focuses on the solution of a subset of the
1165: relevant issues, while partially disregarding other important problems.
1166: For instance, both \cite{Bruynooghe91} and \cite{GiacobazziDL92}
1167: study the generic algebraic properties that allow for a clean and safe
1168: separation between the abstract domains and the abstract interpreter;
1169: in contrast, \cite{Cousot98mark} provides full details
1170: for a specific instance of the proposed framework, ranging from
1171: the parsing of literal constants to the explicit implementation
1172: of the abstract operators for the abstract domain of intervals.
1173: On the other hand, the frameworks mentioned above differ from
1174: the one presented in this paper in that they allow for significant
1175: simplifications of the language analyzed.
1176: Here we briefly discuss the main differences between
1177: the language considered in our proposal and the one in~\cite{Cousot98mark}.
1178:
1179: At the syntactic level, as already mentioned,
1180: the language CPM is much richer than the simple imperative language
1181: adopted in~\cite{Cousot98mark}, which has no support for functions,
1182: nesting of block statements, exceptions, non-structured control flows
1183: and it allows for a single data type (in particular, no pointers and arrays).
1184: %%
1185: These syntactic differences are clearly mirrored at the semantics level.
1186: In particular, even though the detection of initialization and arithmetic
1187: errors is considered by the semantics in~\cite{Cousot98mark},
1188: the actual process of error propagation is not modeled.
1189: In contrast, the semantics construction we propose can easily accommodate
1190: the sophisticated exception propagation and handling mechanisms
1191: that can be found in modern languages such as \Cplusplus{}, Java and Python.
1192: Note that this choice has a non-trivial impact on the specification
1193: of the other components of the semantic construction. For example,
1194: the short-circuit evaluation of Boolean expressions cannot be
1195: normalized as proposed in~\cite{Cousot98mark}, because such a normalization
1196: process, by influencing the order of evaluation of subexpressions,
1197: is unable to preserve the concrete semantics as far as exceptional
1198: computation paths are concerned.
1199: %%
1200: A minor difference is in the modeling of integer variables and values:
1201: while \cite{Cousot98mark} considers the case of possibly uninitialized
1202: variables taking values in a finite set of machine-representable integers,
1203: for ease of presentation we have opted for definitely initialized
1204: variables storing arbitrary (i.e., unbounded) integer values.
1205: Since the CPM language supports an extensible set of RTS exceptions,
1206: the specification of a semantics modeling (the generation, propagation
1207: and handling of) uninitialization errors is rather straightforward.
1208: An extension of the semantics to the case of several sets of bounded
1209: and unbounded numerical types, with suitable type conversion functions,
1210: is under development.
1211: Another difference is in the generality of the abstract semantics
1212: construction: following the approach described here, an analyzer can
1213: take full advantage of the more accurate information provided by a
1214: relational domain such as that of polyhedra. In contrast, the work in
1215: \cite{Cousot98mark} only considers the simpler case of non-relational
1216: abstract domains.
1217: %%
1218: As mentioned above, the semantics we propose also models the case of
1219: possibly recursive functions
1220: (with a call-by-value parameter passing mechanism),
1221: which are not supported by the language syntax
1222: considered in~\cite{Cousot98mark}.
1223: %%
1224: While both this paper and~\cite{Cousot98mark} consider
1225: the specification of a \emph{forward} static analysis framework,
1226: \cite{Cousot98mark} also provides a backward analysis for arithmetic
1227: expressions, to be used in reductive iterations so as to improve precision
1228: losses that are usually incurred by non-relational approximations.
1229:
1230:
1231: \subsection{Plan of the Paper}
1232:
1233: The paper is organized as follows.
1234: Section~\ref{sec:prelims} introduces the notation and terminology
1235: used throughout the paper;
1236: Section~\ref{sec:syntax} defines the syntax of a subset of the
1237: imperative language CPM, whereas Section~\ref{sec:static-semantics}
1238: defines its static semantics;
1239: the concrete dynamic semantics of this fragment is presented in
1240: Section~\ref{sec:concrete-dynamic-semantics}, whereas its abstract
1241: counterpart is defined in Section~\ref{sec:abstract-dynamic-semantics}.
1242: The proof of correctness of the abstract semantics is the subject
1243: of Section~\ref{sec:abstract-semantics-correctness},
1244: while the computation of further approximations is treated
1245: in Section~\ref{sec:computable-approximations}.
1246: The integration of the full CPM language in the analysis framework
1247: presented in this paper is discussed in Section~\ref{sec:extensions}.
1248: Section~\ref{sec:conclusion} concludes.
1249:
1250:
1251: \section{Preliminaries}
1252: \label{sec:prelims}
1253:
1254: Let $S$ and $T$ be sets.
1255: The notation $S \sseqf T$ means that $S$ is a \emph{finite} subset of $T$.
1256: We write $S \uplus T$ to denote the union $S \union T$, yet
1257: emphasizing the fact that $S \inters T = \emptyset$.
1258: The set of total (resp., partial) functions from $S$ to $T$
1259: is denoted by $S \to T$ (resp., $S \rightarrowtail T$).
1260: We denote by $\dom(f)$ the \emph{domain} of a function
1261: $\fund{f}{S}{T}$ (resp., $\pard{f}{S}{T}$),
1262: where $\dom(f) = S$ (resp., $\dom(f) \sseq S$).
1263: Let $(S, \preceq)$ be a partial order and $\fund{f}{S}{S}$ be a function.
1264: An element $x \in S$ such that $x = f(x)$ (resp., $x \preceq f(x)$)
1265: is called a \emph{fixpoint} (resp., \emph{post-fixpoint}) of $f$.
1266: The notation $\lfp_{\mathord{\preceq}}(f)$
1267: (resp., $\gfp_{\mathord{\preceq}}(f)$)
1268: stands, if it exists, for the least (resp., greatest) fixpoint of $f$.
1269: A complete lattice is a partial order $(S, \preceq)$ such that
1270: $\lub T$ exists for each $T \sseq S$. If $\fund{f}{S}{S}$ is monotonic
1271: over the complete lattice $S$,
1272: the Knaster-Tarski theorem ensures that the set of post-fixpoints of $f$
1273: is itself a complete lattice.
1274: The \emph{fixpoint coinduction} proof principle follows:
1275: if $f$ is monotonic over the complete lattice $S$ then,
1276: in order to prove that $x \preceq \gfp_{\mathord{\preceq}}(f)$,
1277: it is sufficient to prove that $x \preceq f(x)$.
1278:
1279: Let $S = \{s_1, \ldots, s_n \}$ be a finite set of cardinality $n \geq 0$.
1280: Then, the notation
1281: $\{ s_1 \mapsto t_1, \ldots, s_n \mapsto t_n \}$,
1282: where $\{t_1, \ldots, t_n \} \sseq T$, stands for the function
1283: $\fund{f}{S}{T}$ such that $f(s_i) = t_i$, for each $i = 1$, \ldots, $n$.
1284: Note that, assuming that the codomain $T$ is clear from context,
1285: the empty set $\emptyset$ denotes the (nowhere defined) function
1286: $\fund{f}{\emptyset}{T}$.
1287:
1288: When denoting the application of a function
1289: $\fund{f}{(S_1 \times\cdots\times S_n)}{T}$
1290: we omit, as customary, the outer parentheses and write
1291: $f(s_1, \ldots, s_n)$ to mean $f\bigl((s_1, \ldots, s_n)\bigr)$.
1292:
1293: Let $\pard{f_0}{S_0}{T_0}$ and $\pard{f_1}{S_1}{T_1}$ be partial functions.
1294: Then the function
1295: $\pard{f_0[f_1]}{(S_0 \union S_1)}{(T_0 \union T_1)}$
1296: is defined, for each $x \in \dom(f_0) \union \dom(f_1)$, by
1297: \[
1298: \bigl(f_0[f_1]\bigr)(x)
1299: \defeq
1300: \begin{cases}
1301: f_1(x), &\text{if $x \in \dom(f_1)$;} \\
1302: f_0(x), &\text{if $x \in \dom(f_0) \setminus \dom(f_1)$.}
1303: \end{cases}
1304: \]
1305: (Note that, if $f_0$ and $f_1$ are total functions,
1306: then $f_0[f_1]$ is total too.)
1307:
1308: For a partial function $\pard{f}{S}{T}$ and a set $S' \subseteq S$,
1309: $f\restrict{S'}$ denotes the restriction of $f$ to $S'$,
1310: i.e., the function $\pard{f\restrict{S'}}{S'}{T}$ defined,
1311: for each $x \in S' \inters \dom(f)$, by
1312: $f\restrict{S'}(x) = f(x)$.
1313: (Note that, if $f$ is a total function, then $f\restrict{S'}$ is total too.)
1314: With a minor abuse of notation, we will sometimes write
1315: $f \setminus S''$ to denote $f \restrict{S \setminus S''}$.
1316:
1317: $S^\star$ denotes the set of all finite, possibly empty strings
1318: of symbols taken from $S$.
1319: The empty string is denoted by $\emptystring$.
1320: If $w, z \in S \union S^\star$, the concatenation of $w$ and $z$
1321: is an element of $S^\star$ denoted by $wz$ or, to avoid ambiguities,
1322: by $w \cdot z$. The length of a string $z$ is denoted by $|z|$.
1323:
1324: The \emph{integer part} function $\fund{\intp}{\Rset}{\Zset}$
1325: is given, for each $x \in \Rset$, by
1326: $\intp(x) \defeq \lfloor x \rfloor$, if $x \geq 0$,
1327: and
1328: $\intp(x) \defeq \lceil x \rceil$, if $x < 0$.
1329: The \emph{integer division} and the \emph{modulo} operations
1330: \(
1331: \fund{\mathord{\div}, \mathord{\bmod}}%
1332: {\bigl(\Zset\times\Zset\setdiff\{ 0 \}\bigr)}%
1333: {\Zset}
1334: \)
1335: are defined, for each $x, y \in \Zset$ with $y \neq 0$,
1336: respectively by
1337: $x \div y \defeq \intp(x/y)$
1338: and
1339: $x \bmod y \defeq x - (x \div y) \cdot y$.
1340:
1341: We assume familiarity with the field of program analysis and verification
1342: via abstract interpretation. The reader is referred to the literature
1343: for the theory
1344: (e.g., \cite{Cousot81,CousotC76,CousotC77,CousotC79,CousotC92fr,CousotC92})
1345: and examples of applications
1346: \cite{DorRS01,Halbwachs93,ShahamKS00}.
1347:
1348: \section{The Language Syntax}
1349: \label{sec:syntax}
1350:
1351: The run-time support of CPM uses exceptions to communicate
1352: run-time errors. The set of RTS exceptions is left open so
1353: that it can be extended if and when needed.
1354: That said, the basic syntactic sets of the CPM language are:
1355: \begin{description}
1356: \item[Identifiers]
1357: $\id \in \Id = \{ \main, \idx, \idx_0, \idx_1, \ldots \} \uplus \rId$,
1358: where $\rId \defeq \{ \ridx, \ridx_0, \ridx_1, \ldots \}$;
1359: \item[Basic types]
1360: $T \in \Type \defeq \{ \tinteger, \tboolean \}$;
1361: \item[Integers]
1362: $m \in \Integer \defeq \Zset$;
1363: \item[Booleans]
1364: $t \in \Bool \defeq \{ \ttv, \ffv \}$;
1365: \item[RTS exceptions]
1366: \(
1367: \rtsexcept
1368: \in \RTSExcept
1369: \defeq \{ \divbyzero, \stkovflw, \memerror, \ldots \}
1370: \).
1371: \end{description}
1372: The identifiers in $\rId$ are ``reserved'' for the specification of the
1373: concrete semantics.
1374:
1375: From the basic sets, a number of syntactic categories are defined,
1376: along with their syntactic meta-variables,
1377: by means of the BNF rules:
1378: \begin{description}
1379: \item[Expressions]
1380: \begin{align*}
1381: \Exp \ni
1382: e &::= m \vbar -e \vbar e_0 + e_1 \vbar e_0 - e_1
1383: \vbar e_0 * e_1 \vbar e_0 \divop e_1 \vbar e_0 \modop e_1 \\
1384: &\vbar t \vbar e_0 = e_1 \vbar e_0 \neq e_1 \vbar e_0 < e_1
1385: \vbar e_0 \leq e_1 \vbar e_0 \geq e_1 \vbar e_0 > e_1 \\
1386: &\vbar \notop e \vbar e_0 \andop e_1 \vbar e_0 \orop e_1
1387: \vbar \id
1388: \end{align*}
1389: \item[Sequences of expressions]
1390: \begin{align*}
1391: \Exps \ni
1392: \es ::= \emptysequence \vbar e, \es
1393: \end{align*}
1394: \item[Storable types]
1395: \[
1396: \sType \ni
1397: \sT ::= T
1398: \]
1399: \item[Formal parameters]
1400: \[
1401: \formParams \ni
1402: \fps ::= \emptysequence \vbar \id : \sT, \fps
1403: \]
1404: \item[Function bodies]
1405: \[
1406: \funBody \ni
1407: \funbody ::= \kw{let} d \,\kw{in} s \kw{result} e
1408: \vbar \kw{extern} : \sT
1409: \]
1410: \item[Global declarations]
1411: \[
1412: \Glob \ni
1413: g ::= \kw{gvar} \id : \sT = e
1414: \vbar \kw{function} \; \id(\fps) = \funbody
1415: \vbar \kw{rec} g \vbar g_0 ; g_1
1416: \]
1417: \item[Local declarations]
1418: \[
1419: \Decl \ni
1420: d ::= \kw{nil}
1421: \vbar \kw{lvar} \id : \sT = e
1422: \vbar d_0 ; d_1
1423: \]
1424: \item[Catchable types]
1425: \[
1426: \cType \ni
1427: \cT ::= \trtsexcept \vbar \sT
1428: \]
1429: \item[Exception declarations]
1430: \[
1431: \exceptDecl \ni
1432: p ::= \rtsexcept \vbar \cT \vbar \id : \sT \vbar \kw{any}
1433: \]
1434: \item[Catch clauses]
1435: \[
1436: \Catch \ni
1437: k ::= (p) \, s \vbar k_0 ; k_1
1438: \]
1439: \item[Statements]
1440: \begin{align*}
1441: \Stmt \ni
1442: s &::= \kw{nop}
1443: \vbar \id := e
1444: \vbar \id_0 := \id(\es)
1445: \vbar s_0 ; s_1
1446: \vbar d ; s \\
1447: &\vbar \kw{if} e \kw{then} s_0 \kw{else} s_1
1448: \vbar \kw{while} e \kw{do} s \\
1449: &\vbar \kw{throw} \rtsexcept \vbar \kw{throw} e
1450: \vbar \kw{try} s \kw{catch} k
1451: \vbar \kw{try} s_0 \kw{finally} s_1
1452: \end{align*}
1453: \end{description}
1454: Observe that there is no need of a separate syntactic category for programs:
1455: as we will see, a CPM program is just a global declaration
1456: defining the special function `$\main$', like in C and \Cplusplus{}.
1457:
1458: It should be noted that some apparent limitations of the abstract syntax
1459: of CPM are not real limitations. For instance: the use of function
1460: calls as expressions can be avoided by introducing temporary variables;
1461: procedures can be rendered by functions that return a dummy value;
1462: and so forth. More generally, a slight elaboration of the abstract syntax
1463: presented here and extended in Section~\ref{sec:extensions} is used
1464: in the ECLAIR prototype to encode the C language almost in its entirety,
1465: plus the basic exception handling mechanisms of \Cplusplus{} and Java.
1466:
1467: For notational convenience,
1468: we also define the syntactic categories of constants, storable values%%
1469: \footnote{The reason for a distinction between the roles of constants
1470: and storable values (as well as basic types and storable types)
1471: will become clear when discussing language extensions
1472: in Section~\ref{sec:extensions}.}
1473: and exceptions:
1474: \begin{description}
1475: \item[Constants]
1476: \[
1477: \Con \ni
1478: \con ::= m \vbar t
1479: \]
1480: \item[Storable values]
1481: \[
1482: \sVal \ni
1483: \sval ::= \con
1484: \]
1485: \item[Exceptions]
1486: \[
1487: \Except \ni
1488: \except ::= \rtsexcept \vbar \sval
1489: \]
1490: \end{description}
1491:
1492: The (partial) function $\pard{\type}{\sVal}{\sType}$, mapping
1493: a storable value to its type name `$\tinteger$' or `$\tboolean$',
1494: is defined by:
1495: \begin{align*}
1496: \type(\sval)
1497: &\defeq
1498: \begin{cases}
1499: \tinteger, &\text{if $\sval = m \in \Integer$;} \\
1500: \tboolean, &\text{if $\sval = t \in \Bool$.}
1501: \end{cases} \\
1502: \intertext{%
1503: For ease of notation, we also define the overloadings
1504: $\pard{\type}{\Except}{\cType}$
1505: and $\pard{\type}{\exceptDecl}{\cType}$ defined by
1506: }
1507: \type(\except)
1508: &\defeq
1509: \begin{cases}
1510: \trtsexcept, &\text{if $\except = \rtsexcept \in \RTSExcept$;} \\
1511: \type(\sval), &\text{if $\except = \sval \in \sVal$;}
1512: \end{cases} \\
1513: \type(p)
1514: &\defeq
1515: \begin{cases}
1516: \trtsexcept, &\text{if $p = \rtsexcept \in \RTSExcept$;} \\
1517: \cT, &\text{if $p = \cT \in \cType$;} \\
1518: \sT, &\text{if $p = \id : \sT$ and $\sT \in \sType$.}
1519: \end{cases}
1520: \end{align*}
1521: Note that such an overloading is consistent and the resulting function
1522: is not defined on value $\kw{any} \in \exceptDecl$.
1523:
1524: The helper function
1525: $\fund{\dom}{\cType}{\{\Integer, \Bool, \RTSExcept\}}$, which associates
1526: a catchable type name to the corresponding domain, is defined by
1527: \[
1528: \dom(\cT)
1529: \defeq
1530: \begin{cases}
1531: \Integer, &\text{if $\cT = \tinteger$;} \\
1532: \Bool, &\text{if $\cT = \tboolean$;} \\
1533: \RTSExcept, &\text{if $\cT = \trtsexcept$.}
1534: \end{cases}
1535: \]
1536:
1537:
1538: \section{Static Semantics}
1539: \label{sec:static-semantics}
1540:
1541: The static semantics of the CPM language establishes the conditions under
1542: which a program is well typed.
1543: Only well-typed programs are given a dynamic semantics.
1544:
1545: \subsection{Defined and Free Identifiers}
1546:
1547: The set of identifiers defined by sequences of formal parameters,
1548: (global or local) declarations or exception declarations
1549: is defined as follows:
1550: \begin{gather*}
1551: \DI(\emptysequence)
1552: \defeq \DI(\kw{nil})
1553: \defeq \DI(\funbody)
1554: \defeq \DI(\rtsexcept)
1555: \defeq \DI(\cT)
1556: \defeq \DI(\kw{any})
1557: \defeq \emptyset; \\
1558: \DI(\id : \sT)
1559: \defeq \DI(\kw{gvar} \id : \sT = e)
1560: \defeq \DI(\kw{lvar} \id : \sT = e) \\
1561: \quad
1562: \defeq \DI(\kw{function} \; \id(\fps) = \funbody)
1563: \defeq \{ \id \}; \\
1564: \DI(\id : \sT, \fps)
1565: \defeq \DI(\id : \sT) \union \DI(\fps);\\
1566: \DI(\kw{rec} g)
1567: \defeq \DI(g); \\
1568: \DI(g_0 ; g_1)
1569: \defeq \DI(g_0) \union \DI(g_1); \\
1570: \DI(d_0 ; d_1)
1571: \defeq \DI(d_0) \union \DI(d_1).
1572: \end{gather*}
1573: %%
1574: The set of identifiers that occur freely in (sequences of) expressions,
1575: (exception) declarations, statements and catch clauses is defined by:
1576: \begin{gather*}
1577: \FI(m)
1578: \defeq \FI(t)
1579: \defeq \FI(\kw{nop})
1580: \defeq \FI(\emptysequence)
1581: \defeq \FI(\id : \sT)
1582: \defeq \FI(\kw{nil}) \\
1583: \quad
1584: \defeq \FI(\rtsexcept)
1585: \defeq \FI(\cT)
1586: \defeq \FI(\kw{any})
1587: \defeq \FI(\kw{throw} \rtsexcept)
1588: \defeq \FI(\kw{extern} : \sT)
1589: \defeq \emptyset; \\
1590: \FI(-e)
1591: \defeq \FI(\notop e)
1592: \defeq \FI(\kw{lvar} \id : \sT = e) \\
1593: \quad
1594: \defeq \FI(\kw{gvar} \id : \sT = e)
1595: \defeq \FI(\kw{throw} e)
1596: \defeq \FI(e); \\
1597: \FI(e_0 \mathbin{\mathrm{op}} e_1)
1598: \defeq \FI(e_0) \union \FI(e_1), \text{ for
1599: \(
1600: \mathrm{op}
1601: \in \{
1602: \mathord{+}, \ldots, \modop,
1603: \mathord{=}, \ldots, \mathord{>},
1604: \mathord{\andop}, \mathord{\orop}
1605: \}
1606: \);} \\
1607: \FI(\id)
1608: \defeq \{ \id \}; \\
1609: \FI(\kw{let} d \,\kw{in} s \kw{result} e)
1610: \defeq
1611: \FI(d)
1612: \union
1613: \bigl(\FI(s) \setdiff \DI(d)\bigr)
1614: \union
1615: \bigl(\FI(e) \setdiff \DI(d)\bigr); \\
1616: \FI(\kw{function} \; \id(\fps) = \funbody)
1617: \defeq
1618: \FI(\funbody) \setdiff \DI(\fps); \\
1619: \FI(\kw{rec} g) \defeq \FI(g) \setdiff \DI(g); \\
1620: \FI(g_0 ; g_1)
1621: \defeq \FI(g_0) \union \bigl(\FI(g_1) \setminus \DI(g_0)\bigr); \\
1622: \FI(d_0 ; d_1) \defeq \FI(d_0) \union
1623: \bigl(\FI(d_1) \setminus \DI(d_0)\bigr); \\
1624: %%
1625: \FI(\id := e) \defeq \{ \id \} \union \FI(e); \\
1626: \FI(e, \es) \defeq \FI(e) \union \FI(\es); \\
1627: \FI\bigl(\id_0 := \id(\es)\bigr)
1628: \defeq \{ \id, \id_0 \} \union \FI(\es); \\
1629: \FI(d ; s) \defeq \FI(d) \union \bigl(\FI(s) \setdiff \DI(d)\bigr); \\
1630: \FI\bigl((p) \, s\bigr) \defeq \FI(s) \setminus \DI(p); \\
1631: \FI(k_0 ; k_1) \defeq \FI(k_0) \union \FI(k_1); \\
1632: \FI(s_0 ; s_1) \defeq \FI(\kw{try} s_0 \kw{finally} s_1)
1633: \defeq \FI(s_0) \union \FI(s_1); \\
1634: \FI(\kw{if} e \kw{then} s_0 \kw{else} s_1)
1635: \defeq \FI(e) \union \FI(s_0) \union \FI(s_1); \\
1636: \FI(\kw{while} e \kw{do} s) \defeq \FI(e) \union \FI(s); \\
1637: \FI(\kw{try} s \kw{catch} k) \defeq \FI(s) \union \FI(k).
1638: \end{gather*}
1639:
1640: \subsection{Type Environments}
1641:
1642: We start by defining the convenience syntactic category of
1643: \begin{description}
1644: \item[Denotable types]
1645: \[
1646: \dType \ni
1647: \dT ::= \location{\sT}
1648: \vbar \fps \rightarrow \sT
1649: \]
1650: \end{description}
1651: A type environment associates a denotable type to each identifier of a
1652: given, finite set of identifiers.
1653:
1654: \begin{definition} \summary{($\TEnv_I$, $\TEnv$.)}
1655: For each $I \sseqf \Id$, the set of \emph{type environments over $I$}
1656: is $\TEnv_I \defeq I \to \dType$; the set of all type environments
1657: is given by $\TEnv \defeq \biguplus_{I \sseqf \Id} \TEnv_I$.
1658: Type environments are denoted by $\beta$, $\beta_0$, $\beta_1$
1659: and so forth.
1660: The notation $\beta : I$ is a shorthand for $\beta \in \TEnv_I$.
1661: \end{definition}
1662:
1663: \subsection{Static Semantics Predicates}
1664:
1665: Let $I \sseqf \Id$ and $\beta \in \TEnv_I$.
1666: The well-typedness of program constructs whose free identifiers
1667: are contained in $I$ is encoded by the following
1668: predicates, here listed along with their informal meaning:
1669: \begin{align*}
1670: \beta &\vdash_I e : \sT,
1671: &\text{$e$ is well-formed and has type $\sT$ in $\beta$;} \\
1672: \beta &\vdash_I \funbody : \sT,
1673: &\text{$\funbody$ is well-formed and has type $\sT$ in $\beta$;} \\
1674: \beta, \fps & \vdash_I \es,
1675: &\text{$\es$ is compatible with $\fps$ and well formed in $\beta$;}\\
1676: & \fps : \delta,
1677: &\text{$\fps$ is well formed and yields the type environment $\delta$;}\\
1678: \beta & \vdash_I g : \delta,
1679: &\text{$g$ is well formed
1680: and yields the type environment $\delta$ in $\beta$;} \\
1681: \beta &\vdash_I d : \delta,
1682: &\text{$d$ is well-formed
1683: and yields the type environment $\delta$ in $\beta$;}\\
1684: &\vdash_I p : \delta,
1685: &\text{$p$ is well-formed and yields the type environment $\delta$;} \\
1686: \beta &\vdash_I k,
1687: &\text{$k$ is well-formed in $\beta$;}\\
1688: \beta &\vdash_I s,
1689: &\text{$s$ is well-formed in $\beta$.} \\
1690: \end{align*}
1691: These predicates are defined inductively on the abstract syntax
1692: by means of the following rules.
1693: \begin{description}
1694: %
1695: \item[Expressions]
1696: %
1697: \begin{gather*}
1698: \begin{aligned}
1699: &
1700: \prooftree
1701: \nohyp
1702: \justifies
1703: \beta \vdash_I m : \tinteger
1704: \endprooftree
1705: &\quad&
1706: \prooftree
1707: \nohyp
1708: \justifies
1709: \beta \vdash_I t : \tboolean
1710: \endprooftree \\[1ex]
1711: &
1712: \prooftree
1713: \beta \vdash_I e : \tinteger
1714: \justifies
1715: \beta \vdash_I -e : \tinteger
1716: \endprooftree
1717: &\quad&
1718: \prooftree
1719: \beta \vdash_I e : \tboolean
1720: \justifies
1721: \beta \vdash_I \notop\ e : \tboolean
1722: \endprooftree
1723: \end{aligned} \\[1ex]
1724: %%
1725: \begin{aligned}
1726: &
1727: \prooftree
1728: \beta \vdash_I e_0 : \tinteger
1729: \quad
1730: \beta \vdash_I e_1 : \tinteger
1731: \justifies
1732: \beta \vdash_I e_0 \boxcircle e_1 : \tinteger
1733: \using\quad\text{if
1734: \(
1735: \mathord{\boxcircle}
1736: \in
1737: \{ \mathord{+}, \mathord{-}, \mathord{*}, \divop, \modop \}
1738: \)
1739: }
1740: \endprooftree \\[1ex]
1741: &
1742: \prooftree
1743: \beta \vdash_I e_0 : \tinteger
1744: \quad
1745: \beta \vdash_I e_1 : \tinteger
1746: \justifies
1747: \beta \vdash_I e_0 \boxast e_1 : \tboolean
1748: \using\quad\text{if
1749: \(
1750: \mathord{\boxast}
1751: \in
1752: \{
1753: \mathord{=}, \mathord{\neq}, \mathord{<},
1754: \mathord{\leq}, \mathord{\geq}, \mathord{>}
1755: \}
1756: \)
1757: }
1758: \endprooftree \\[1ex]
1759: &
1760: \prooftree
1761: \beta \vdash_I e_0 : \tboolean
1762: \quad
1763: \beta \vdash_I e_1 : \tboolean
1764: \justifies
1765: \beta \vdash_I e_0 \diamond e_1 : \tboolean
1766: \using\quad
1767: \text{if $\mathord{\diamond} \in \{ \mathord{\andop}, \mathord{\orop} \}$}
1768: \endprooftree
1769: \end{aligned} \\[1ex]
1770: %%
1771: \begin{aligned}
1772: &
1773: \prooftree
1774: \nohyp
1775: \justifies
1776: \beta \vdash_I \id : \sT
1777: \using\quad\text{if $\beta(\id) = \location{\sT}$}
1778: \endprooftree
1779: \end{aligned}
1780: \end{gather*}
1781: %
1782: \item[Sequences of expressions]
1783: %
1784: \begin{align*}
1785: &
1786: \prooftree
1787: \nohyp
1788: \justifies
1789: \beta, \emptysequence \vdash_I \emptysequence
1790: \endprooftree
1791: &\quad&
1792: \prooftree
1793: \beta \vdash_I e : \sT
1794: \quad
1795: \beta, \fps \vdash_I \es
1796: \justifies
1797: \beta, (\id : \sT, \fps) \vdash_I (e, \es)
1798: \endprooftree
1799: \end{align*}
1800: %
1801: \item[Sequences of formal parameters]
1802: %
1803: \begin{align*}
1804: &
1805: \prooftree
1806: \nohyp
1807: \justifies
1808: \emptysequence : \emptyset
1809: \endprooftree
1810: &\quad&
1811: \prooftree
1812: \fps : \delta
1813: \using\quad\text{if $\id \notin \DI(\fps)$}
1814: \justifies
1815: (\id : \sT, \fps) : \{ \id \mapsto \location{\sT} \} \union \delta
1816: \endprooftree
1817: \end{align*}
1818: %
1819: \item[Function bodies]
1820: %
1821: \begin{align*}
1822: \prooftree
1823: \beta \vdash_I d : \beta_0
1824: \qquad
1825: \beta[\beta_0] \vdash_{I \union \DI(d)} s
1826: \qquad
1827: \beta[\beta_0] \vdash_{I \union \DI(d)} e : \sT
1828: \justifies
1829: \beta
1830: \vdash_I
1831: (\kw{let} d \,\kw{in} s \kw{result} e) : \sT
1832: \endprooftree
1833: \end{align*}
1834: %
1835: \begin{align*}
1836: \prooftree
1837: \nohyp
1838: \justifies
1839: \beta
1840: \vdash_I
1841: (\kw{extern} : \sT) : \sT
1842: \endprooftree
1843: \end{align*}
1844: %
1845: \item[Declarations]
1846: %
1847: \begin{gather}
1848: \notag
1849: \begin{aligned}
1850: &
1851: \prooftree
1852: \nohyp
1853: \justifies
1854: \beta \vdash_I \kw{nil} : \emptyset
1855: \endprooftree
1856: &\quad&
1857: \prooftree
1858: \beta \vdash_I e : \sT
1859: \justifies
1860: \beta \vdash_I \kw{gvar} \id : \sT = e : \{ \id \mapsto \location{\sT} \}
1861: \endprooftree \\[1ex]
1862: &
1863: &\quad&
1864: \prooftree
1865: \beta \vdash_I e : \sT
1866: \justifies
1867: \beta \vdash_I \kw{lvar} \id : \sT = e : \{ \id \mapsto \location{\sT} \}
1868: \endprooftree
1869: \end{aligned} \\[1ex]
1870: %%
1871: \notag
1872: \begin{aligned}
1873: \prooftree
1874: \fps : \delta
1875: \qquad
1876: \beta[\delta] \vdash_{I \union \DI(\fps)} \funbody : \sT
1877: \justifies
1878: \beta
1879: \vdash_I
1880: \bigl(
1881: \kw{function} \; \id(\fps) = \funbody
1882: \bigr)
1883: : \bigl\{ \id \mapsto (\fps \rightarrow \sT) \bigr\}
1884: \endprooftree
1885: \end{aligned} \\[1ex]
1886: %%
1887: \label{rule:well-formed-recursive-declaration}
1888: \begin{aligned}
1889: \prooftree
1890: \beta[\delta \restrict{J}] \vdash_{I \union J} g : \delta
1891: \justifies
1892: \beta \vdash_I (\kw{rec} g) : \delta
1893: \using\quad\text{if
1894: \(
1895: J = \FI(g) \inters \DI(g)
1896: \)
1897: and
1898: \(
1899: \forall \id, \sT : (\id \mapsto \location{\sT}) \notin \delta
1900: \)
1901: }
1902: \endprooftree
1903: \end{aligned} \\[1ex]
1904: %%
1905: \notag
1906: \begin{aligned}
1907: &
1908: \prooftree
1909: \beta \vdash_I g_0 : \beta_0
1910: \quad
1911: \beta[\beta_0] \vdash_{I \cup \DI(g_0)} g_1 : \beta_1
1912: \justifies
1913: \beta \vdash_I g_0;g_1 : \beta_0[\beta_1]
1914: \endprooftree
1915: &\quad&
1916: \prooftree
1917: \beta \vdash_I d_0 : \beta_0
1918: \quad
1919: \beta[\beta_0] \vdash_{I \union \DI(d_0)} d_1 : \beta_1
1920: \justifies
1921: \beta \vdash_I d_0 ; d_1 : \beta_0[\beta_1]
1922: \endprooftree
1923: \end{aligned}
1924: \end{gather}
1925: Note that rule~\eqref{rule:well-formed-recursive-declaration} seems
1926: to suggest that $\delta$ must be guessed. Indeed, this is not the case,
1927: as it can be proved that the environment generated by a declaration $g$
1928: only depends on $g$ and not on the environment used to establish whether
1929: $g$ is well formed. While the right thing to do is to define two static
1930: semantics predicates for declarations ---one for the generated environments
1931: and the other for well-formedness \cite{Plotkin04b}---
1932: we opted for a more concise presentation.
1933: Also notice that the side condition
1934: in rule~\eqref{rule:well-formed-recursive-declaration}
1935: explicitly forbids recursive declarations of variables.%
1936: \footnote{Namely, a recursive declaration such as
1937: $\kw{rec} \; \kw{gvar} \id : \sT = e$ is not well-typed.}
1938: %
1939: \item[Exception declarations]
1940: %
1941: \begin{align*}
1942: &
1943: \prooftree
1944: \nohyp
1945: \justifies
1946: \vdash_I \rtsexcept : \emptyset
1947: \endprooftree
1948: &\quad&
1949: \prooftree
1950: \nohyp
1951: \justifies
1952: \vdash_I \cT : \emptyset
1953: \endprooftree \\[1ex]
1954: %%
1955: &
1956: \prooftree
1957: \nohyp
1958: \justifies
1959: \vdash_I \id : \sT : \{ \id \mapsto \location{\sT} \}
1960: \endprooftree
1961: &\quad&
1962: \prooftree
1963: \nohyp
1964: \justifies
1965: \vdash_I \kw{any} : \emptyset
1966: \endprooftree
1967: \end{align*}
1968: %
1969: \item[Catch clauses]
1970: %
1971: \begin{align*}
1972: &
1973: \prooftree
1974: \vdash_I p : \delta
1975: \quad \beta[\delta] \vdash_{I \union \DI(p)} s
1976: \justifies
1977: \beta \vdash_I (p) \, s
1978: \endprooftree
1979: &\quad&
1980: \prooftree
1981: \beta \vdash_I k_0
1982: \quad \beta \vdash_I k_1
1983: \justifies
1984: \beta \vdash_I k_0 ; k_1
1985: \endprooftree
1986: \end{align*}
1987: %
1988: \item[Statements]
1989: %
1990: \begin{align*}
1991: &
1992: \prooftree
1993: \nohyp
1994: \justifies
1995: \beta \vdash_I \kw{nop}
1996: \endprooftree
1997: &\quad&
1998: \prooftree
1999: \beta \vdash_I e : \sT
2000: \justifies
2001: \beta \vdash_I \id := e
2002: \using\quad\text{if $\beta(\id) = \location{\sT}$}
2003: \endprooftree
2004: \end{align*}
2005: %%
2006: \begin{align*}
2007: &
2008: \prooftree
2009: \beta, \fps \vdash_I \es
2010: \using\quad\text{if $\beta(\id_0) = \location{\sT}$ and
2011: $\beta(\id) = \fps \rightarrow \sT$}
2012: \justifies
2013: \beta \vdash_I \id_0 := \id(\es)
2014: \endprooftree
2015: \end{align*}
2016: %%
2017: \begin{gather*}
2018: \begin{aligned}
2019: &
2020: \prooftree
2021: \beta \vdash_I s_0
2022: \quad
2023: \beta \vdash_I s_1
2024: \justifies
2025: \beta \vdash_I s_0 ; s_1
2026: \endprooftree
2027: &\quad&
2028: \prooftree
2029: \beta \vdash_I d : \beta_0
2030: \quad
2031: \beta[\beta_0] \vdash_{I \union \DI(d)} s
2032: \justifies
2033: \beta \vdash_I d ; s
2034: \endprooftree \\[1ex]
2035: &
2036: \prooftree
2037: \beta \vdash_I e : \tboolean
2038: \quad
2039: \beta \vdash_I s_0
2040: \quad
2041: \beta \vdash_I s_1
2042: \justifies
2043: \beta \vdash_I \kw{if} e \kw{then} s_0 \kw{else} s_1
2044: \endprooftree
2045: &\quad&
2046: \prooftree
2047: \beta \vdash_I e : \tboolean
2048: \quad
2049: \beta \vdash_I s
2050: \justifies
2051: \beta \vdash_I \kw{while} e \kw{do} s
2052: \endprooftree \\[1ex]
2053: %%
2054: &
2055: \prooftree
2056: \nohyp
2057: \justifies
2058: \beta \vdash_I \kw{throw} \rtsexcept
2059: \endprooftree
2060: &\quad&
2061: \prooftree
2062: \beta \vdash_I e : \sT
2063: \justifies
2064: \beta \vdash_I \kw{throw} e
2065: \endprooftree \\[1ex]
2066: %%
2067: &
2068: \prooftree
2069: \beta \vdash_I s
2070: \quad \beta \vdash_I k
2071: \justifies
2072: \beta \vdash_I \kw{try} s \kw{catch} k
2073: \endprooftree
2074: &\quad&
2075: \prooftree
2076: \beta \vdash_I s_0
2077: \quad \beta \vdash_I s_1
2078: \justifies
2079: \beta \vdash_I \kw{try} s_0 \kw{finally} s_1
2080: \endprooftree
2081: \end{aligned}
2082: \end{gather*}
2083: \end{description}
2084:
2085: A program $g$ is said to be \emph{valid} if and only if
2086: it does not contain any occurrence of a reserved identifier $\id \in \rId$,
2087: $\emptyset \vdash_\emptyset g : \beta$
2088: and $\beta(\main) = \emptysequence \rightarrow \tinteger$.
2089:
2090: \section{Concrete Dynamic Semantics}
2091: \label{sec:concrete-dynamic-semantics}
2092:
2093: For the specification of the concrete dynamic semantics for CPM, we
2094: adopt the $\mathrm{G}^\infty\mathrm{SOS}$ approach of Cousot and Cousot
2095: \cite{CousotC92}.
2096: This generalizes with infinite computations
2097: the \emph{natural} semantics approach by Kahn \cite{Kahn87}, which,
2098: in turn, is a ``big-step'' operational semantics defined by structural
2099: induction on program structures in the style of
2100: Plotkin \cite{Plotkin04b}.
2101:
2102:
2103: \subsection{Absolute Locations and Indirect Locators}
2104:
2105: An \emph{absolute location} (or, simply, \emph{location}) is a unique
2106: identifier for a memory area of unspecified size. The (possibly
2107: infinite) set of all locations is denoted by $\Loc$, while individual
2108: locations are denoted by $l$, $l_0$, $l_1$ and so forth.
2109: We also postulate the existence of a set $\Ind \defeq \Nset$ of
2110: \emph{indirect (stack) locators} such that $\Loc \inters \Ind = \emptyset$.
2111: Indirect locators are denoted by $i$, $i_0$, $i_1$ and so forth.
2112: For notational convenience, we define the set of \emph{addresses} as
2113: $\Addr \defeq \Loc \uplus \Ind$.
2114: Addresses are denoted by $a$, $a_0$, $a_1$ and so forth.
2115:
2116: \subsection{Concrete Execution Environments}
2117:
2118: The concrete dynamic aspect of declarations is captured by
2119: concrete execution environments.
2120: These map a finite set of identifiers to concrete denotable values.
2121: In the sequel we will simply write `environment' to refer to
2122: execution environments.
2123:
2124: \begin{definition}\summary{($\Abstract$, $\dVal$, $\Env_I$.)}
2125: We define
2126: \begin{equation*}
2127: \Abstract
2128: \defeq
2129: \{\,
2130: \lambdaop \fps \st \funbody
2131: \mid
2132: \fps \in \formParams, \funbody \in \funBody
2133: \,\}.
2134: \end{equation*}
2135: The set of \emph{concrete denotable values} is
2136: \[
2137: \dVal
2138: \defeq
2139: (\Addr \times \sType) \uplus \Abstract.
2140: \]
2141:
2142: For $I \sseqf \Id$, $\Env_I \defeq I \to \dVal$ is
2143: the set of \emph{concrete environments over $I$}.
2144: The set of all environments is given by
2145: $\Env \defeq \biguplus_{I \sseqf \Id} \Env_I$.
2146: Environments in $\Env_I$ are denoted by
2147: $\rho$, $\rho_0$, $\rho_1$ and so forth.
2148: We write $\rho : I$ as a shorthand for $\rho \in \Env_I$.
2149: For $\rho : I$ and $\beta : I$, we write $\rho : \beta$ to signify
2150: that
2151: \begin{multline*}
2152: \forall \id \in I
2153: \itc
2154: \bigl(
2155: \exists (a, \sT) \in \Addr \times \sType
2156: \st \beta(\id) = \location{\sT} \land \rho(\id) = (a, \sT)
2157: \bigr) \\
2158: \lor
2159: \bigl(
2160: \exists \abs = (\lambdaop \fps \st \funbody) \in \Abstract
2161: \st
2162: \beta(\id) = \fps \rightarrow \sT
2163: \land
2164: \beta \vdash_I \funbody : \sT\\
2165: \land
2166: \rho(\id) = \abs
2167: \bigr).
2168: \end{multline*}
2169: \end{definition}
2170:
2171: \subsection{Memory Structures, Value States and Exception States}
2172:
2173: A \emph{memory structure} uses a stack and suitable operators
2174: to allocate/deallocate, organize, read and update
2175: the locations of an absolute memory map, which is a partial function
2176: mapping a location and a storable type to a storable value.
2177: Memory structures model all the memory areas that are used in the
2178: most common implementations of imperative programming languages:
2179: the \emph{data segment} (for global variables) and the \emph{stack segment}
2180: (for local variables) are of interest for the language fragment we are
2181: considering; the \emph{text segment} (where pointers to function point to)
2182: and the \emph{heap segment} (for dynamically allocated memory) are required
2183: to deal with the extensions of Section~\ref{sec:extensions}.
2184: As it will be clear from the following definition, our notion of
2185: memory structure is underspecified: while we define it and its
2186: operations so that the semantics of programs is the expected one, we
2187: allow for many possible implementations by leaving out many details
2188: that are inessential to the achievement of that objective.
2189: It is for this same reason that we treat locations as unique identifiers
2190: neglecting the mathematical structure they may or may not have.
2191: More generally, what we call ``concrete semantics'' is indeed
2192: an abstraction of an infinite number of machines
2193: and compilation schemes that could be used to execute our programs.
2194: Furthermore, since the considered fragment of CPM
2195: does not support pointers, arrays, type casts and unions, we can
2196: here make the simplifying assumption that there is no overlap between the
2197: storage cells associated to different locations.
2198: In Section~\ref{sec:extensions} we will hint at how these assumptions
2199: must be modified in order to accommodate the full language.
2200:
2201: Memory structures will be used to describe the outcome of computations
2202: whose only observable behavior is given by their side effects.
2203: Computations yielding a proper value will be described by
2204: a \emph{value state}, which pairs the value computed with a memory
2205: structure recording the side effects of the execution.
2206: Exceptional behavior must, of course, be taken into proper account:
2207: thus, the result of an exceptional computation path will be described
2208: by pairing the memory structure with an exception,
2209: yielding what we call an \emph{exception state}.
2210:
2211: \begin{definition}
2212: \summary{($\Map$, $\Stack$, $\Mem$, $\ValState$, $\ExceptState$.)}
2213: \label{def:concrete-memory-structure}
2214: The set of all absolute maps is the set of partial functions
2215: \[
2216: \Map \defeq (\Loc \times \sType) \rightarrowtail \sVal.
2217: \]
2218: Absolute maps are denoted by $\mu$, $\mu_0$, $\mu_1$ and so forth.
2219: %%
2220: The absolute map update partial function
2221: \[
2222: \pard{\cdot[\cdot := \cdot]}%
2223: {\bigl(\Map \times (\Loc \times \sType) \times \sVal\bigr)}%
2224: {\Map}
2225: \]
2226: is defined,
2227: for each $\mu \in \Map$,
2228: $(l, \sT) \in \Loc \times \sType$ such that $(l, \sT) \in \dom(\mu)$
2229: and $\sval \in \sVal$ such that $\sT = \type(\sval)$, by
2230: \[
2231: \mu\bigl[(l, \sT) := \sval\bigr] \defeq \mu',
2232: \]
2233: where $\mu' \in \Map$ is any absolute map satisfying the following
2234: conditions:
2235: \begin{enumerate}[(i)]
2236: \item
2237: $\dom(\mu') = \dom(\mu)$;
2238: \item
2239: $\mu'(l, \sT) = \sval$;
2240: \item
2241: $\mu'(l', \sT') = \mu(l', \sT')$,
2242: for each $(l', \sT') \in \dom(\mu)$ such that $l' \neq l$.
2243: \end{enumerate}
2244:
2245: Let $W \defeq \bigl( \Loc \union \{\sm, \fm\} \bigr)^{\star}$.
2246: An element $w \in W$ is a \emph{stack} if and only if no location
2247: occurs more than once in it.
2248: The set of all stacks is denoted by $\Stack$.
2249: `$\,\sm$' is called \emph{stack marker} and
2250: `$\,\fm$' is called \emph{frame marker}.
2251: The \emph{top-most frame} of $w \in \Stack$,
2252: denoted by $\topmost(w)$,
2253: is the longest suffix of $w$ containing no frame marker;
2254: formally,
2255: $\topmost(w) \in \bigl(\Loc \union \{\sm\}\bigr)^{\star}$
2256: satisfies either $w = \topmost(w)$ or $w = w' \fm \topmost(w)$.
2257: %%
2258: The partial infix operator
2259: $\pard{\mathord{@}}{\Stack \times \Ind}{\Loc}$
2260: maps, when defined, a stack $w$ and an indirect locator $i$
2261: into an absolute location to be found in the top-most frame;
2262: formally, if $i < n = |\topmost(w)|$,
2263: $\topmost(w) = z_0 \cdots z_{n-1}$ and $z_i = l$,
2264: then $w \mathbin{@} i \defeq l$.
2265:
2266: A \emph{memory structure} is an element of
2267: $\Mem \defeq \Map \times \Stack$.
2268: Memory structures are denoted by
2269: $\sigma$, $\sigma_0$, $\sigma_1$ and so forth.
2270:
2271: A \emph{value state} is an element of
2272: $\ValState \defeq \sVal \times \Mem$.
2273: Value states are denoted by
2274: $\valstate$, $\valstate_0$, $\valstate_1$ and so forth.
2275:
2276: An \emph{exception state} is an element of
2277: $\ExceptState \defeq \Mem \times \Except$.
2278: Exception states are denoted by
2279: $\exceptstate$, $\exceptstate_0$, $\exceptstate_1$ and so forth.
2280:
2281: The overloading
2282: $\pard{\mathord{@}}{\Mem \times \Addr}{\Loc}$
2283: of the partial infix operator $\mathord{@}$ is defined,
2284: for each $\sigma = (\mu, w)$ and $a \in \Addr$, as follows
2285: and under the following conditions:
2286: \[
2287: \sigma \mathbin{@} a
2288: \defeq
2289: \begin{cases}
2290: a, &\text{if $a \in \Loc$;} \\
2291: l, &\text{if $a \in \Ind$ and $l = w \mathbin{@} a$ is defined.}
2292: \end{cases}
2293: \]
2294: The memory structure read and update operators
2295: \begin{align*}
2296: \fund{\cdot[\cdot, \cdot]}%
2297: {&\bigl(
2298: \Mem \times \Addr \times \sType
2299: \bigr)}%
2300: {(\ValState \uplus \ExceptState)}, \\
2301: \fund{\cdot[\cdot := \cdot]}%
2302: {&\bigl(
2303: \Mem \times (\Addr \times \sType) \times \sVal
2304: \bigr)}%
2305: {(\Mem \uplus \ExceptState)}
2306: \end{align*}
2307: are respectively defined,
2308: for each $\sigma = (\mu, w) \in \Mem$,
2309: $a \in \Addr$, $\sT \in \sType$ and $\sval \in \sVal$, as follows:
2310: let $d = (\sigma \mathbin{@} a, \sT)$; then
2311: \begin{align*}
2312: \sigma[a, \sT]
2313: &\defeq
2314: \begin{cases}
2315: \bigl( \mu(d), \sigma \bigr),
2316: &\text{if $d \in \dom(\mu)$;} \\
2317: (\sigma, \memerror),
2318: &\text{otherwise;} \\
2319: \end{cases} \\
2320: \sigma\bigl[ (a, \sT) := \sval \bigr]
2321: &\defeq
2322: \begin{cases}
2323: \bigl(\mu[d := \sval], w\bigr),
2324: &\text{if $d \in \dom(\mu)$ and $\sT = \type(\sval)$;} \\
2325: (\sigma, \memerror),
2326: &\text{otherwise.}
2327: \end{cases}
2328: \end{align*}
2329:
2330: The data and stack memory allocation functions
2331: \begin{align*}
2332: \fund{\datnew}%
2333: {&\ValState}%
2334: {\bigl( (\Mem \times \Loc) \uplus \ExceptState \bigr)}, \\
2335: \fund{\stknew}%
2336: {&\ValState}%
2337: {\bigl( (\Mem \times \Ind) \uplus \ExceptState \bigr)}
2338: \end{align*}
2339: are defined, for each $\valstate = (\sval, \sigma) \in \ValState$,
2340: where $\sigma = (\mu, w)$, by
2341: \begin{align*}
2342: \datnew(\valstate)
2343: &\defeq
2344: \begin{cases}
2345: ((\mu', w), l),
2346: &\text{if the data segment of $\sigma$ can be extended;} \\
2347: (\sigma, \datovflw),
2348: &\text{otherwise;}
2349: \end{cases} \\
2350: \stknew(\valstate)
2351: &\defeq
2352: \begin{cases}
2353: ((\mu', w'), i),
2354: &\text{if the stack segment of $\sigma$ can be extended;} \\
2355: (\sigma, \stkovflw),
2356: &\text{otherwise;}
2357: \end{cases}
2358: \end{align*}
2359: where, in the case of $\stknew$,
2360: $w' \in \Stack$ and $i \in \Ind$ are such that:
2361: \begin{enumerate}[(i)]
2362: \item
2363: $w' = w \cdot l$;
2364: \item
2365: $i = |\topmost(w)|$;
2366: \end{enumerate}
2367: and, for both $\datnew$ and $\stknew$, $\mu' \in \Map$
2368: and $l \in \Loc$ are such that:
2369: \begin{enumerate}[(i)]
2370: \setcounter{enumi}{2}
2371: \item
2372: for each $\sT \in \sType$, $(l, \sT) \notin \dom(\mu)$;
2373: \item
2374: for each $(l', \sT') \in \dom(\mu)$, $\mu'(l', \sT') = \mu(l', \sT')$;
2375: \item
2376: $\mu'\bigl(l, \type(\sval)\bigr) = \sval$.
2377: \end{enumerate}
2378: %
2379: The memory structure data cleanup function
2380: \(
2381: \fund{\datcleanup}{\ExceptState}{\ExceptState}
2382: \)
2383: is given, for each $\exceptstate = (\sigma, \except) \in \ExceptState$, by
2384: \[
2385: \datcleanup(\exceptstate)
2386: \defeq
2387: \bigl( (\emptyset, \emptystring), \except \bigr).
2388: \]
2389: %
2390: The stack mark function
2391: \(
2392: \fund{\smark}{\Mem}{\Mem}
2393: \)
2394: is given, for each $\sigma \in \Mem$, by
2395: \[
2396: \smark(\sigma)
2397: \defeq
2398: (\mu, w \sm),
2399: \qquad \text{where $\sigma = (\mu, w)$.}
2400: \]
2401: The stack unmark partial function
2402: \(
2403: \pard{\sunmark}{\Mem}{\Mem}
2404: \)
2405: is given,
2406: for each $\sigma \in \Mem$ such that
2407: $\sigma = (\mu, w' \sm w'')$ and $w'' \in \Loc^\star$, by
2408: \begin{equation*}
2409: \sunmark (\mu, w' \sm w'')
2410: \defeq
2411: (\mu', w'),
2412: \end{equation*}
2413: where the absolute map $\mu' \in \Map$ satisfies:
2414: \begin{enumerate}[(i)]
2415: \item
2416: \(
2417: \dom(\mu')
2418: = \bigl\{\,
2419: (l, \sT) \in \dom(\mu)
2420: \bigm|
2421: \text{$l$ does not occur in $w''$}
2422: \,\bigr\}
2423: \);
2424: \item
2425: $\mu' = \mu \restrict{\dom(\mu')}$.
2426: \end{enumerate}
2427: The frame link partial function
2428: \(
2429: \pard{\slink}{\Mem}{\Mem}
2430: \)
2431: is given,
2432: for each $\sigma \in \Mem$ such that
2433: $\sigma = (\mu, w' \sm w'')$ and
2434: $w'' \in \Loc^{\star}$, by
2435: \begin{align*}
2436: \slink(\mu, w' \sm w'')
2437: &\defeq
2438: (\mu, w' \fm w'').
2439: \intertext{%
2440: The frame unlink partial function
2441: \(
2442: \pard{\sunlink}{\Mem}{\Mem}
2443: \)
2444: is given,
2445: for each $\sigma \in \Mem$ such that
2446: $\sigma = (\mu, w' \fm w'')$ and $w'' \in \Loc^\star$, by
2447: }
2448: \sunlink(\mu, w' \fm w'')
2449: &\defeq
2450: (\mu, w' \sm w'').
2451: \end{align*}
2452: \end{definition}
2453: %%
2454: For ease of notation, the stack unmark and the frame unlink
2455: partial functions are lifted to also work on exception states.
2456: Namely, for each $\exceptstate = (\sigma, \except) \in \ExceptState$,
2457: \begin{align*}
2458: \sunmark(\sigma, \except)
2459: &\defeq
2460: \bigl( \sunmark(\sigma), \except\bigr); \\[1ex]
2461: \sunlink(\sigma, \except)
2462: &\defeq
2463: \bigl( \sunlink(\sigma), \except\bigr).
2464: \end{align*}
2465:
2466: Intuitively,
2467: global variables are allocated in the data segment using $\datnew$
2468: and are accessed through absolute locations; function $\datcleanup$
2469: models their deallocation due to an RTS exception thrown during the
2470: program start-up phase.
2471: The functions $\smark$ and $\sunmark$ use the stack marker `$\sm$'
2472: to implement the automatic allocation (through $\stknew$) and
2473: deallocation of stack slots for storing local variables,
2474: return values and actual arguments of function calls.
2475: The functions $\slink$ and $\sunlink$ use the frame marker `$\fm$'
2476: to partition the stack into activation frames, each frame corresponding
2477: to a function call.
2478: All accesses to the top-most frame can be expressed in terms of indirect
2479: locators (i.e., offsets from the top-most frame marker), because at each
2480: program point the layout of the current top-most frame is statically known.
2481: As it will be clearer when considering the concrete rules for function calls,
2482: the frame marker is used to move the return value and the actual arguments,
2483: which are allocated by the caller, from the activation frame of the caller
2484: to the activation frame of the callee, and vice versa.
2485:
2486: The memory structures and operations satisfy the following property:
2487: for each pair of memory structures $\sigma_0$ and $\sigma_1$ such that
2488: $\sigma_1$ has been obtained from $\sigma_0$
2489: by any sequence of operations where each $\mathord{\slink}$
2490: is matched by a corresponding $\mathord{\sunlink}$,
2491: for each indirect locator $i \in \Ind$,
2492: if $\sigma_0 \mathbin{@} i$ and $\sigma_1 \mathbin{@} i$ are both defined,
2493: then $\sigma_0 \mathbin{@} i = \sigma_1 \mathbin{@} i$.
2494:
2495: As anticipated, we profit from the lack of aliasing in the fragment of
2496: CPM considered here, i.e., we assume there is no overlap between the storage
2497: cells associated to $(l_0, \sT_0)$ and the ones associated to $(l_1,
2498: \sT_1)$, unless $l_0 = l_1$.
2499: Moreover, we need not specify the relationship between $\mu(l, \sT_0)$
2500: and $\mu(l, \sT_1)$ for the case where $\sT_0 \neq \sT_1$.
2501: This also implies that the absolute map update operator is underspecified,
2502: resulting in a nondeterministic operator.
2503: Of course, any real implementation will be characterized by a complete
2504: specification: for instance, a precise definition of the memory overflow
2505: conditions will take the place of the informal conditions
2506: ``if the data (resp., stack) segment of $\sigma$ can be extended''
2507: in the definitions of $\datnew$ and $\stknew$.
2508: As is clear from the definition above, where memory is writable
2509: if and only if it is readable, we do not attempt to model read-only memory.
2510: It is also worth observing that, in the sequel, the ``meaning'' of
2511: variable identifiers will depend on unrestricted
2512: elements of $\Env \times \Mem$.
2513: As a consequence we can have \emph{dangling references}, that is,
2514: a pair $(\rho, \sigma) \in \Env \times \Mem$ with $\rho : I$
2515: can be such that there exists an identifier $\id \in I$ for which
2516: $\rho(\id) = (a, \sT)$ and $\sigma[a, \sT] = \memerror$.
2517:
2518:
2519: \subsection{Configurations}
2520:
2521: The dynamic semantics of CPM is expressed by means of an
2522: \emph{evaluation (or reduction) relation}, which specifies how a
2523: \emph{non-terminal configuration} is reduced to a
2524: \emph{terminal configuration}.
2525: The sets of non-terminal configurations are parametric with respect
2526: to a type environment associating every identifier to its type.
2527:
2528: \begin{definition} \summary{(Non-terminal configurations.)}
2529: \label{def:nonterminal-concrete-configuration}
2530: The sets of \emph{non-terminal configurations} for expressions,
2531: local and global declarations, statements, function bodies and catch
2532: clauses are given, respectively and for each $\beta \in \TEnv_I$, by
2533: \begin{align*}
2534: \NTe^\beta
2535: &\defeq
2536: \bigl\{\,
2537: \langle e, \sigma \rangle
2538: \in \Exp \times \Mem
2539: \bigm|
2540: \exists \sT \in \sType \st \beta \vdash_I e : \sT
2541: \,\bigr\}, \\
2542: \NTd^\beta
2543: &\defeq
2544: \bigl\{\,
2545: \langle d, \sigma \rangle
2546: \in \Decl \times \Mem
2547: \bigm|
2548: \exists \delta \in \TEnv \st \beta \vdash_I d : \delta
2549: \,\bigr\}, \\
2550: \NTg^\beta
2551: &\defeq
2552: \bigl\{\,
2553: \langle g, \sigma \rangle
2554: \in \Glob \times \Mem
2555: \bigm|
2556: \exists \delta \in \TEnv \st \beta \vdash_I g : \delta
2557: \,\bigr\}, \\
2558: \NTs^\beta
2559: &\defeq
2560: \bigl\{\,
2561: \langle s, \sigma \rangle
2562: \in \Stmt \times \Mem
2563: \bigm|
2564: \beta \vdash_I s
2565: \,\bigr\}, \\
2566: \NTb^\beta
2567: &\defeq
2568: \bigl\{\,
2569: \langle \funbody, \sigma \rangle
2570: \in \funBody \times \Mem
2571: \bigm|
2572: \exists \sT \in \sType \st \beta \vdash_I \funbody : \sT
2573: \,\bigr\}, \\
2574: \NTk^\beta
2575: &\defeq
2576: \bigl\{\,
2577: \langle k, \exceptstate \rangle
2578: \in \Catch \times \ExceptState
2579: \bigm|
2580: \beta \vdash_I k
2581: \,\bigr\}.
2582: \end{align*}
2583: \end{definition}
2584:
2585: Each kind of terminal configuration has to allow for the possibility
2586: of both a non-exceptional and an exceptional computation path.
2587:
2588: \begin{definition} \summary{(Terminal configurations.)}
2589: \label{def:terminal-concrete-configuration}
2590: The sets of \emph{terminal configurations} for expressions,
2591: local and global declarations, statements, function bodies and catch clauses
2592: are given, respectively, by
2593: \begin{align*}
2594: \Te
2595: &\defeq
2596: \ValState \uplus \ExceptState, \\
2597: \Td
2598: &\defeq
2599: \Tg \defeq
2600: (\Env \times \Mem)
2601: \uplus \ExceptState, \\
2602: \Ts
2603: &\defeq
2604: \Tb
2605: \defeq
2606: \Mem \uplus \ExceptState, \\
2607: \Tk
2608: &\defeq
2609: \bigl(
2610: \{ \caught \}
2611: \times
2612: \Ts
2613: \bigr)
2614: \uplus
2615: \bigl(
2616: \{ \uncaught \}
2617: \times
2618: \ExceptState
2619: \bigr).
2620: \end{align*}
2621: \end{definition}
2622: %%
2623: Note that $\Te$ is defined as $\ValState \uplus \ExceptState$;
2624: as it will be apparent from the concrete semantics, expressions
2625: never modify the memory structure, so $\Te$ could have been
2626: defined as $\sVal \uplus \Except$; but defining it as
2627: $\ValState \uplus \ExceptState$ simplifies the approximation
2628: relations in Section~\ref{sec:abstract-dynamic-semantics}.
2629:
2630: In the following, we write $N$ and $\eta$ to denote
2631: a non-terminal and a terminal concrete configuration, respectively.
2632: For clarity of notation, we often use angle brackets to highlight
2633: that a tuple is indeed representing a configuration. Angle brackets
2634: are not normally used for configurations made of a single element.
2635: Therefore, when $\exceptstate = (\sigma, \except) \in \ExceptState$,
2636: we indifferently write
2637: $\exceptstate \in \Ts$ or
2638: $\langle \sigma, \except \rangle \in \Ts$,
2639: as well as
2640: $\langle \caught, \exceptstate \rangle \in \Tk$ or
2641: $\bigl\langle \caught, (\sigma, \except) \bigr\rangle \in \Tk$.
2642:
2643: A few explanatory words are needed for $\Tk$.
2644: When the evaluation of a non-terminal configuration
2645: for catch clauses $\langle k, \exceptstate \rangle \in \NTk^\beta$
2646: yields the terminal configuration $\langle \caught, \eta \rangle \in \Tk$,
2647: then the exception $\except$ in $\exceptstate = (\sigma, \except)$
2648: was caught inside $k$ and $\eta \in \Ts$
2649: is the result of evaluating the corresponding exception handler statement;
2650: note that $\eta \in \Ts$ may itself be another exception state,
2651: meaning that another exception was thrown during the evaluation of the
2652: exception handler statement.
2653: In contrast, when the resulting terminal configuration is
2654: $\langle \uncaught, \exceptstate \rangle \in \Tk$,
2655: then the exception in $\exceptstate$ was not caught inside $k$ and
2656: will be propagated to the outer context.%
2657: \footnote{Note that the names of the labels $\caught$ and $\uncaught$
2658: have been chosen as such for clarity, but provide no special meaning:
2659: they are only needed for a correct application of the disjoint union
2660: construction, since we have $\Ts \inters \ExceptState \neq \emptyset$.}
2661:
2662: \subsection{Concrete Evaluation Relations}
2663: \label{sec:concrete-evaluation-relations}
2664:
2665: For convenience, in order to represent function closures, we extend the
2666: syntactic category of local declarations with (recursive) execution
2667: environments. These syntactic constructs are meant to be only
2668: available in the dynamic semantics (in non-terminal configurations):
2669: they cannot occur in the program text.
2670: Thus we have
2671: \[
2672: \Decl \ni
2673: d ::= \ldots
2674: \vbar \rho
2675: \vbar \kw{rec} \rho
2676: \]
2677: Consequently, if $\rho : I$ we define
2678: \(
2679: \DI(\rho)
2680: \defeq
2681: \DI(\kw{rec} \rho)
2682: \defeq
2683: I
2684: \),
2685: \(
2686: \FI(\rho)
2687: \defeq
2688: \bigunion_{\id \in I} \FI\bigl(\rho(\id)\bigr)
2689: \)
2690: and
2691: \(
2692: \FI(\kw{rec} \rho)
2693: \defeq
2694: \FI(\rho) \setminus I,
2695: \)
2696: where the function $\FI$ is defined on elements of $\dVal$ by
2697: \(
2698: \FI(l, \sT)
2699: \defeq \FI(i, \sT)
2700: \defeq \emptyset
2701: \)
2702: and
2703: \(
2704: \FI(\lambdaop \fps \st \funbody)
2705: \defeq \FI(\funbody) \setminus \DI(\fps)
2706: \).
2707: The static semantics is extended by adding the rules
2708: \[
2709: \prooftree
2710: \rho : \delta
2711: \justifies
2712: \beta \vdash_I \rho : \delta
2713: \endprooftree
2714: \quad
2715: \prooftree
2716: \beta[\delta \restrict{J}] \vdash_{I \union J} \rho : \delta
2717: \justifies
2718: \beta \vdash_I \kw{rec} \rho : \delta
2719: \using\quad\text{if $J = \FI(\rho) \inters \DI(\rho)$ and
2720: \(
2721: \forall \id : (\id \mapsto \location{\sT}) \notin \delta.
2722: \)
2723: }
2724: \endprooftree
2725: \]
2726:
2727: The concrete evaluation relations that complete the definition of the
2728: concrete semantics for CPM are defined, as usual, by structural
2729: induction from a set of rule schemata.
2730: The evaluation relations are of the form
2731: \(
2732: \rho \vdash_\beta N \rightarrow \eta,
2733: \)
2734: where
2735: $\beta \in \TEnv_I$, $\rho \in \Env_J$, $\rho : \beta \restrict{J}$ and,
2736: for some
2737: \(
2738: q
2739: \in
2740: \{
2741: \mathrm{e}, \mathrm{d}, \mathrm{g}, \mathrm{s}, \mathrm{b}, \mathrm{k}
2742: \}
2743: \),
2744: $N \in \NTq^\beta$ and $\eta \in \Tq$.
2745:
2746: %% CHECKME: why this page break?
2747: %%\pagebreak
2748: \subsubsection{Expressions}
2749: \label{subsubsec:conc_expressions}
2750:
2751: \begin{description}
2752: %
2753: \item[Constant]
2754: %
2755: \begin{gather}
2756: \label{rule:conc_constant}
2757: \prooftree
2758: \nohyp
2759: \justifies
2760: \rho \vdash_\beta \langle \con, \sigma \rangle
2761: \rightarrow
2762: \langle \con, \sigma \rangle
2763: \endprooftree
2764: \end{gather}
2765: %
2766: \item[Identifier]
2767: %
2768: \begin{gather}
2769: \label{rule:conc_identifier}
2770: \prooftree
2771: \nohyp
2772: \justifies
2773: \rho \vdash_\beta \langle \id, \sigma \rangle
2774: \rightarrow
2775: \sigma\bigl[\rho(\id)\bigr]
2776: \endprooftree
2777: \end{gather}
2778: %
2779: \item[Unary minus]
2780: %
2781: \begin{gather}
2782: \label{rule:conc_uminus_error}
2783: \prooftree
2784: \rho \vdash_\beta \langle e, \sigma \rangle
2785: \rightarrow
2786: \exceptstate
2787: \justifies
2788: \rho \vdash_\beta \langle -e, \sigma \rangle
2789: \rightarrow
2790: \exceptstate
2791: \endprooftree \\[1ex]
2792: %%
2793: \label{rule:conc_uminus_ok}
2794: \prooftree
2795: \rho \vdash_\beta \langle e, \sigma \rangle
2796: \rightarrow
2797: \langle m, \sigma_0 \rangle
2798: \justifies
2799: \rho \vdash_\beta \langle -e, \sigma \rangle
2800: \rightarrow
2801: \langle -m, \sigma_0 \rangle
2802: \endprooftree
2803: \end{gather}
2804: %
2805: \item[Binary arithmetic operations]
2806: %
2807: Letting $\mathord{\boxcircle}$ denote any abstract syntax operator in
2808: \(
2809: \{ \mathord{+}, \mathord{-}, \mathord{*}, \divop, \modop \}
2810: \)
2811: and
2812: \(
2813: \mathord{\circ}
2814: \in
2815: \{
2816: \mathord{+}, \mathord{-}, \mathord{\cdot},
2817: \mathord{\div}, \mathord{\bmod}
2818: \}
2819: \)
2820: the corresponding arithmetic operation.
2821: Then the rules for addition, subtraction, multiplication,
2822: division and remainder are given by the following schemata:
2823: \begin{gather}
2824: \label{rule:conc_arith_bop_0}
2825: \prooftree
2826: \rho \vdash_\beta \langle e_0, \sigma \rangle
2827: \rightarrow
2828: \exceptstate
2829: \justifies
2830: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma \rangle
2831: \rightarrow
2832: \exceptstate
2833: \endprooftree \\[1ex]
2834: %%
2835: \label{rule:conc_arith_bop_1}
2836: \prooftree
2837: \rho \vdash_\beta \langle e_0, \sigma \rangle
2838: \rightarrow
2839: \langle m_0, \sigma_0 \rangle
2840: \quad
2841: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
2842: \rightarrow
2843: \exceptstate
2844: \justifies
2845: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma \rangle
2846: \rightarrow
2847: \exceptstate
2848: \endprooftree \\[1ex]
2849: %%
2850: \label{rule:conc_arith_bop_2}
2851: \prooftree
2852: \rho \vdash_\beta \langle e_0, \sigma \rangle
2853: \rightarrow
2854: \langle m_0, \sigma_0 \rangle
2855: \quad
2856: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
2857: \rightarrow
2858: \langle m_1, \sigma_1 \rangle
2859: \justifies
2860: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma \rangle
2861: \rightarrow
2862: \langle m_0 \circ m_1, \sigma_1 \rangle
2863: \using\quad\text{if $\mathord{\boxcircle} \notin \{\divop, \modop \}$
2864: or $m_1 \neq 0$}
2865: \endprooftree \\[1ex]
2866: %%
2867: \label{rule:conc_arith_bop_exc_0}
2868: \prooftree
2869: \rho \vdash_\beta \langle e_0, \sigma \rangle
2870: \rightarrow
2871: \langle m_0, \sigma_0 \rangle
2872: \quad
2873: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
2874: \rightarrow
2875: \langle 0, \sigma_1 \rangle
2876: \justifies
2877: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma \rangle
2878: \rightarrow
2879: \langle \sigma_1, \divbyzero \rangle
2880: \using\quad\text{if $\mathord{\boxcircle} \in \{\divop, \modop \}$}
2881: \endprooftree
2882: \end{gather}
2883: %
2884: \item[Arithmetic tests]
2885: %
2886: Let
2887: \(
2888: \mathord{\boxast}
2889: \in
2890: \{ \mathord{=}, \mathord{\neq}, \mathord{<},
2891: \mathord{\leq}, \mathord{\geq}, \mathord{>} \}
2892: \)
2893: be an abstract syntax operator and denote with
2894: `$\mathord{\lessgtr}$' the corresponding test operation
2895: in $\Zset \times \Zset \rightarrow \Bool$.
2896: The rules for the arithmetic tests are then given by the following
2897: schemata:
2898: \begin{gather}
2899: \label{rule:conc_arith_test_error_0}
2900: \prooftree
2901: \rho \vdash_\beta \langle e_0, \sigma \rangle
2902: \rightarrow
2903: \exceptstate
2904: \justifies
2905: \rho \vdash_\beta \langle e_0 \boxast e_1, \sigma \rangle
2906: \rightarrow
2907: \exceptstate
2908: \endprooftree \\[1ex]
2909: %%
2910: \label{rule:conc_arith_test_error_1}
2911: \prooftree
2912: \rho \vdash_\beta \langle e_0, \sigma \rangle
2913: \rightarrow
2914: \langle m_0, \sigma_0 \rangle
2915: \quad
2916: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
2917: \rightarrow
2918: \exceptstate
2919: \justifies
2920: \rho \vdash_\beta \langle e_0 \boxast e_1, \sigma \rangle
2921: \rightarrow
2922: \exceptstate
2923: \endprooftree \\[1ex]
2924: %%
2925: \label{rule:conc_arith_test_ok}
2926: \prooftree
2927: \rho \vdash_\beta \langle e_0, \sigma \rangle
2928: \rightarrow
2929: \langle m_0, \sigma_0 \rangle
2930: \quad
2931: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
2932: \rightarrow
2933: \langle m_1, \sigma_1 \rangle
2934: \justifies
2935: \rho \vdash_\beta \langle e_0 \boxast e_1, \sigma \rangle
2936: \rightarrow
2937: \langle m_0 \lessgtr m_1, \sigma_1 \rangle
2938: \endprooftree
2939: \end{gather}
2940: %
2941: \item[Negation]
2942: %
2943: \begin{gather}
2944: \label{rule:conc_negation_error}
2945: \prooftree
2946: \rho \vdash_\beta \langle b, \sigma \rangle
2947: \rightarrow
2948: \exceptstate
2949: \justifies
2950: \rho \vdash_\beta \langle \notop\ b, \sigma \rangle
2951: \rightarrow
2952: \exceptstate
2953: \endprooftree \\[1ex]
2954: %%
2955: \label{rule:conc_negation_ok}
2956: \prooftree
2957: \rho \vdash_\beta \langle b, \sigma \rangle
2958: \rightarrow
2959: \langle t, \sigma_0 \rangle
2960: \justifies
2961: \rho \vdash_\beta \langle \notop\ b, \sigma \rangle
2962: \rightarrow
2963: \langle \bneg t, \sigma_0 \rangle
2964: \endprooftree
2965: \end{gather}
2966: %
2967: \item[Conjunction]
2968: %
2969: \begin{gather}
2970: \label{rule:conc_conjunction_0}
2971: \prooftree
2972: \rho \vdash_\beta \langle b_0, \sigma \rangle
2973: \rightarrow
2974: \exceptstate
2975: \justifies
2976: \rho \vdash_\beta \langle b_0 \andop b_1, \sigma \rangle
2977: \rightarrow
2978: \exceptstate
2979: \endprooftree \\[1ex]
2980: %%
2981: \label{rule:conc_conjunction_1}
2982: \prooftree
2983: \rho \vdash_\beta \langle b_0, \sigma \rangle
2984: \rightarrow
2985: \langle \ffv, \sigma_0 \rangle
2986: \justifies
2987: \rho \vdash_\beta \langle b_0 \andop b_1, \sigma \rangle
2988: \rightarrow
2989: \langle \ffv, \sigma_0 \rangle
2990: \endprooftree \\[1ex]
2991: %%
2992: \label{rule:conc_conjunction_2}
2993: \prooftree
2994: \rho \vdash_\beta \langle b_0, \sigma \rangle
2995: \rightarrow
2996: \langle \ttv, \sigma_0 \rangle
2997: \quad
2998: \rho \vdash_\beta \langle b_1, \sigma_0 \rangle
2999: \rightarrow
3000: \eta
3001: \justifies
3002: \rho \vdash_\beta \langle b_0 \andop b_1, \sigma \rangle
3003: \rightarrow
3004: \eta
3005: \endprooftree
3006: \end{gather}
3007: %
3008: \item[Disjunction]
3009: %
3010: \begin{gather}
3011: \label{rule:conc_disjunction_0}
3012: \prooftree
3013: \rho \vdash_\beta \langle b_0, \sigma \rangle
3014: \rightarrow
3015: \exceptstate
3016: \justifies
3017: \rho \vdash_\beta \langle b_0 \orop b_1, \sigma \rangle
3018: \rightarrow
3019: \exceptstate
3020: \endprooftree \\[1ex]
3021: %%
3022: \label{rule:conc_disjunction_1}
3023: \prooftree
3024: \rho \vdash_\beta \langle b_0, \sigma \rangle
3025: \rightarrow
3026: \langle \ttv, \sigma_0 \rangle
3027: \justifies
3028: \rho \vdash_\beta \langle b_0 \orop b_1, \sigma \rangle
3029: \rightarrow
3030: \langle \ttv, \sigma_0 \rangle
3031: \endprooftree \\[1ex]
3032: %%
3033: \label{rule:conc_disjunction_2}
3034: \prooftree
3035: \rho \vdash_\beta \langle b_0, \sigma \rangle
3036: \rightarrow
3037: \langle \ffv, \sigma_0 \rangle
3038: \quad
3039: \rho \vdash_\beta \langle b_1, \sigma_0 \rangle
3040: \rightarrow
3041: \eta
3042: \justifies
3043: \rho \vdash_\beta \langle b_0 \orop b_1, \sigma \rangle
3044: \rightarrow
3045: \eta
3046: \endprooftree
3047: \end{gather}
3048: %
3049: \end{description}
3050:
3051: \subsubsection{Declarations}
3052:
3053: \begin{description}
3054: %
3055: \item[Nil]
3056: %
3057: \begin{gather}
3058: \label{rule:conc_decl_nil}
3059: \prooftree
3060: \nohyp
3061: \justifies
3062: \rho \vdash_\beta \langle \kw{nil}, \sigma \rangle
3063: \rightarrow
3064: \langle \emptyset, \sigma \rangle
3065: \endprooftree
3066: \end{gather}
3067: %
3068: \item[Environment]
3069: %
3070: \begin{gather}
3071: \label{rule:conc_decl_environment}
3072: \prooftree
3073: \nohyp
3074: \justifies
3075: \rho
3076: \vdash_\beta
3077: \langle \rho_0, \sigma \rangle
3078: \rightarrow
3079: \langle \rho_0, \sigma \rangle
3080: \endprooftree
3081: \end{gather}
3082: %
3083: \item[Recursive environment]
3084: %
3085: \begin{gather}
3086: \label{rule:conc_decl_rec_environment}
3087: \prooftree
3088: \nohyp
3089: \justifies
3090: \rho
3091: \vdash_\beta
3092: \langle \kw{rec} \rho_0, \sigma \rangle
3093: \rightarrow
3094: \langle \rho_1, \sigma \rangle
3095: \endprooftree
3096: \end{gather}
3097: \begin{align*}
3098: &\text{if }
3099: \rho_1
3100: = \bigl\{\,
3101: \id \mapsto \rho_0(\id)
3102: \bigm|
3103: \rho_0(\id) = \lambda \fps \st \kw{extern} : \sT
3104: \,\bigr\} \\
3105: & \qquad
3106: \union
3107: \sset{
3108: \id \mapsto \abs_1
3109: }{
3110: \forall i \in \{0,1\}
3111: \itc
3112: \abs_i = \lambda \fps
3113: \st \kw{let} d_i \,\kw{in} s \kw{result} e, \\
3114: \rho_0(\id) = \abs_0,
3115: d_1 = \kw{rec} \bigl( \rho_0 \setminus \DI(\fps) \bigr); d_0
3116: }.
3117: \end{align*}
3118: %
3119: \item[Global variable declaration]
3120: %
3121: \begin{gather}
3122: \label{rule:conc_gvar_decl_expr_err}
3123: \prooftree
3124: \rho \vdash_\beta \langle e, \sigma \rangle
3125: \rightarrow
3126: \exceptstate
3127: \justifies
3128: \rho \vdash_\beta \langle \kw{gvar} \id : \sT = e, \sigma \rangle
3129: \rightarrow
3130: \datcleanup(\exceptstate)
3131: \endprooftree \\[1ex]
3132: %%
3133: \label{rule:conc_gvar_decl_dat_err}
3134: \prooftree
3135: \rho \vdash_\beta \langle e, \sigma \rangle
3136: \rightarrow
3137: \valstate
3138: \justifies
3139: \rho \vdash_\beta \langle \kw{gvar} \id : \sT = e, \sigma \rangle
3140: \rightarrow
3141: \datcleanup(\exceptstate)
3142: \using\quad\text{if $\datnew(\valstate) = \exceptstate$}
3143: \endprooftree \\[1ex]
3144: %%
3145: \label{rule:conc_gvar_decl_ok}
3146: \prooftree
3147: \rho \vdash_\beta \langle e, \sigma \rangle
3148: \rightarrow
3149: \valstate
3150: \justifies
3151: \rho \vdash_\beta \langle \kw{gvar} \id : \sT = e, \sigma \rangle
3152: \rightarrow
3153: \langle
3154: \rho_1, \sigma_1
3155: \rangle
3156: \endprooftree
3157: \end{gather}
3158: if $\datnew(\valstate) = (\sigma_1, l)$ and
3159: $\rho_1 = \bigl\{ \id \mapsto (l, \sT) \bigr\}$.
3160: %
3161: \item[Local variable declaration]
3162: %
3163: \begin{gather}
3164: \label{rule:conc_lvar_decl_expr_err}
3165: \prooftree
3166: \rho \vdash_\beta \langle e, \sigma \rangle
3167: \rightarrow
3168: \exceptstate
3169: \justifies
3170: \rho \vdash_\beta \langle \kw{lvar} \id : \sT = e, \sigma \rangle
3171: \rightarrow
3172: \sunmark(\exceptstate)
3173: \endprooftree \\[1ex]
3174: %%
3175: \label{rule:conc_lvar_decl_stk_err}
3176: \prooftree
3177: \rho \vdash_\beta \langle e, \sigma \rangle
3178: \rightarrow
3179: \valstate
3180: \justifies
3181: \rho \vdash_\beta \langle \kw{lvar} \id : \sT = e, \sigma \rangle
3182: \rightarrow
3183: \sunmark(\exceptstate)
3184: \using\quad\text{if $\stknew(\valstate) = \exceptstate$}
3185: \endprooftree \\[1ex]
3186: %%
3187: \label{rule:conc_lvar_decl_ok}
3188: \prooftree
3189: \rho \vdash_\beta \langle e, \sigma \rangle
3190: \rightarrow
3191: \valstate
3192: \justifies
3193: \rho \vdash_\beta \langle \kw{lvar} \id : \sT = e, \sigma \rangle
3194: \rightarrow
3195: \langle
3196: \rho_1, \sigma_1
3197: \rangle
3198: \endprooftree
3199: \end{gather}
3200: if $\stknew(\valstate) = (\sigma_1, i)$ and
3201: $\rho_1 = \bigl\{ \id \mapsto (i, \sT) \bigr\}$.
3202: %
3203: \item[Function declaration]
3204: %
3205: \begin{gather}
3206: \label{rule:conc_decl_function}
3207: \prooftree
3208: \nohyp
3209: \justifies
3210: \rho
3211: \vdash_\beta
3212: \bigl\langle
3213: \kw{function} \id(\fps) = \funbody_0,
3214: \sigma
3215: \bigr\rangle
3216: \rightarrow
3217: \langle
3218: \rho_0, \sigma
3219: \rangle
3220: \endprooftree
3221: \end{gather}
3222: if $\rho_0 = \{ \id \mapsto \lambdaop \fps \st \funbody_1 \}$ and
3223: either $\funbody_0 = \funbody_1 = \kw{extern} : \sT$
3224: or, for each $i \in \{0, 1\}$,
3225: $\funbody_i = \kw{let} d_i \,\kw{in} s \kw{result} e$,
3226: $I = \FI(\funbody_0) \setminus \DI(\fps)$ and
3227: $d_1 = \rho \restrict{I}; d_0$.
3228: %
3229: \item[Recursive declaration]
3230: %
3231: \begin{gather}
3232: \label{rule:conc_decl_rec}
3233: \prooftree
3234: (\rho \setminus J) \vdash_{\beta[\beta_1]} \langle g, \sigma \rangle
3235: \rightarrow
3236: \langle \rho_0, \sigma_0 \rangle
3237: \quad
3238: \rho \vdash_\beta \langle \kw{rec} \rho_0, \sigma_0 \rangle
3239: \rightarrow
3240: \eta
3241: \justifies
3242: \rho \vdash_\beta \langle \kw{rec} g, \sigma \rangle
3243: \rightarrow
3244: \eta
3245: \endprooftree
3246: \end{gather}
3247: if $J = \FI(g) \inters \DI(g)$,
3248: $\beta \vdash_{\FI(g)} g : \beta_0$ and
3249: $\beta_1 = \beta_0 \restrict{J}$.
3250: %
3251: \item[Global sequential composition]
3252: %
3253: \begin{gather}
3254: \label{rule:conc_glob_seq_err_0}
3255: \prooftree
3256: \rho \vdash_\beta \langle g_0, \sigma \rangle
3257: \rightarrow
3258: \exceptstate
3259: \justifies
3260: \rho \vdash_\beta \langle g_0;g_1, \sigma \rangle
3261: \rightarrow
3262: \exceptstate
3263: \endprooftree \\[1ex]
3264: \label{rule:conc_glob_seq_err_1}
3265: \prooftree
3266: \rho \vdash_\beta \langle g_0, \sigma \rangle
3267: \rightarrow
3268: \langle \rho_0, \sigma_0 \rangle
3269: \quad
3270: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle g_1, \sigma_0 \rangle
3271: \rightarrow
3272: \exceptstate
3273: \justifies
3274: \rho \vdash_\beta \langle g_0;g_1, \sigma \rangle
3275: \rightarrow
3276: \exceptstate
3277: \using\quad\text{if $\beta \vdash_{\FI(g_0)} g_0 : \beta_0$}
3278: \endprooftree \\[1ex]
3279: %%
3280: \label{rule:conc_glob_seq_ok}
3281: \prooftree
3282: \rho \vdash_\beta \langle g_0, \sigma \rangle
3283: \rightarrow
3284: \langle \rho_0, \sigma_0 \rangle
3285: \quad
3286: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle g_1, \sigma_0 \rangle
3287: \rightarrow
3288: \langle \rho_1, \sigma_1 \rangle
3289: \justifies
3290: \rho \vdash_\beta \langle g_0;g_1, \sigma \rangle
3291: \rightarrow
3292: \bigl\langle \rho_0[\rho_1], \sigma_1 \bigr\rangle
3293: \using\quad\text{if $\beta \vdash_{\FI(g_0)} g_0 : \beta_0$}
3294: \endprooftree
3295: \end{gather}
3296: %
3297: \item[Local sequential composition]
3298: %
3299: \begin{gather}
3300: \label{rule:conc_decl_seq_err_0}
3301: \prooftree
3302: \rho \vdash_\beta \langle d_0 , \sigma \rangle
3303: \rightarrow
3304: \exceptstate
3305: \justifies
3306: \rho \vdash_\beta \langle d_0;d_1 , \sigma \rangle
3307: \rightarrow
3308: \exceptstate
3309: \endprooftree \\[1ex]
3310: %%
3311: \label{rule:conc_decl_seq_err_1}
3312: \prooftree
3313: \rho \vdash_\beta \langle d_0 , \sigma \rangle
3314: \rightarrow
3315: \langle \rho_0, \sigma_0 \rangle
3316: \quad
3317: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle d_1 , \sigma_0 \rangle
3318: \rightarrow
3319: \exceptstate
3320: \justifies
3321: \rho \vdash_\beta \langle d_0;d_1 , \sigma \rangle
3322: \rightarrow
3323: \exceptstate
3324: \using\quad\text{if $\beta \vdash_{\FI(d_0)} d_0 : \beta_0$}
3325: \endprooftree \\[1ex]
3326: %%
3327: \label{rule:conc_decl_seq_ok}
3328: \prooftree
3329: \rho \vdash_\beta \langle d_0 , \sigma \rangle
3330: \rightarrow
3331: \langle \rho_0, \sigma_0 \rangle
3332: \quad
3333: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle d_1 , \sigma_0 \rangle
3334: \rightarrow
3335: \langle \rho_1, \sigma_1 \rangle
3336: \justifies
3337: \rho \vdash_\beta \langle d_0;d_1 , \sigma \rangle
3338: \rightarrow
3339: \bigl\langle \rho_0[\rho_1], \sigma_1 \bigr\rangle
3340: \using\quad\text{if $\beta \vdash_{\FI(d_0)} d_0 : \beta_0$}
3341: \endprooftree
3342: \end{gather}
3343: %
3344: \end{description}
3345:
3346: \subsubsection{Statements}
3347:
3348: \begin{description}
3349: %
3350: \item[Nop]
3351: %
3352: \begin{gather}
3353: \label{rule:conc_nop}
3354: \prooftree
3355: \nohyp
3356: \justifies
3357: \rho \vdash_\beta \langle \kw{nop}, \sigma \rangle
3358: \rightarrow
3359: \sigma
3360: \endprooftree
3361: \end{gather}
3362: %
3363: \item[Assignment]
3364: %
3365: \begin{gather}
3366: \label{rule:conc_assignment_error}
3367: \prooftree
3368: \rho \vdash_\beta \langle e, \sigma \rangle
3369: \rightarrow
3370: \exceptstate
3371: \justifies
3372: \rho \vdash_\beta \langle \id := e, \sigma \rangle
3373: \rightarrow
3374: \exceptstate
3375: \endprooftree \\[1ex]
3376: %%
3377: \label{rule:conc_assignment_ok}
3378: \prooftree
3379: \rho \vdash_\beta \langle e, \sigma \rangle
3380: \rightarrow
3381: \langle \sval, \sigma_0 \rangle
3382: \justifies
3383: \rho \vdash_\beta \langle \id := e, \sigma \rangle
3384: \rightarrow
3385: \sigma_0\bigl[ \rho(\id) := \sval \bigr]
3386: \endprooftree
3387: \end{gather}
3388:
3389: \item[Statement sequence]
3390: %
3391: \begin{gather}
3392: \label{rule:conc_sequence_0}
3393: \prooftree
3394: \rho \vdash_\beta \langle s_0, \sigma \rangle
3395: \rightarrow
3396: \exceptstate
3397: \justifies
3398: \rho \vdash_\beta \langle s_0 ; s_1, \sigma \rangle
3399: \rightarrow
3400: \exceptstate
3401: \endprooftree \\[1ex]
3402: %%
3403: \label{rule:conc_sequence_1}
3404: \prooftree
3405: \rho \vdash_\beta \langle s_0, \sigma \rangle
3406: \rightarrow
3407: \sigma_0
3408: \quad
3409: \rho \vdash_\beta \langle s_1, \sigma_0 \rangle
3410: \rightarrow
3411: \eta
3412: \justifies
3413: \rho \vdash_\beta \langle s_0 ; s_1, \sigma \rangle
3414: \rightarrow
3415: \eta
3416: \endprooftree
3417: \end{gather}
3418: %
3419: \item[Block]
3420: %
3421: \begin{gather}
3422: \label{rule:conc_block_0}
3423: \prooftree
3424: \rho \vdash_\beta \bigl\langle d, \smark(\sigma) \bigr\rangle
3425: \rightarrow
3426: \exceptstate
3427: \justifies
3428: \rho \vdash_\beta \langle d ; s, \sigma \rangle
3429: \rightarrow
3430: \exceptstate
3431: \endprooftree \\[1ex]
3432: %%
3433: \label{rule:conc_block_1}
3434: \prooftree
3435: \rho \vdash_\beta \bigl\langle d, \smark(\sigma) \bigr\rangle
3436: \rightarrow
3437: \langle \rho_0, \sigma_0 \rangle
3438: \quad
3439: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle s, \sigma_0 \rangle
3440: \rightarrow
3441: \eta
3442: \justifies
3443: \rho \vdash_\beta \langle d ; s, \sigma \rangle
3444: \rightarrow
3445: \sunmark(\eta)
3446: \using\quad\text{if $\beta \vdash_{\FI(d)} d : \beta_0$}
3447: \endprooftree
3448: \end{gather}
3449: %
3450: \item[Conditional]
3451: %
3452: \begin{gather}
3453: \label{rule:conc_conditional_error}
3454: \prooftree
3455: \rho \vdash_\beta \langle e, \sigma \rangle
3456: \rightarrow
3457: \exceptstate
3458: \justifies
3459: \rho \vdash_\beta
3460: \langle \kw{if} e \kw{then} s_0 \kw{else} s_1, \sigma \rangle
3461: \rightarrow
3462: \exceptstate
3463: \endprooftree \\[1ex]
3464: %%
3465: \label{rule:conc_conditional_true}
3466: \prooftree
3467: \rho \vdash_\beta \langle e, \sigma \rangle
3468: \rightarrow
3469: \langle \ttv, \sigma_0 \rangle
3470: \quad
3471: \rho \vdash_\beta \langle s_0, \sigma_0 \rangle
3472: \rightarrow
3473: \eta
3474: \justifies
3475: \rho \vdash_\beta
3476: \langle \kw{if} e \kw{then} s_0 \kw{else} s_1, \sigma \rangle
3477: \rightarrow
3478: \eta
3479: \endprooftree \\[1ex]
3480: %%
3481: \label{rule:conc_conditional_false}
3482: \prooftree
3483: \rho \vdash_\beta \langle e, \sigma \rangle
3484: \rightarrow
3485: \langle \ffv, \sigma_0 \rangle
3486: \quad
3487: \rho \vdash_\beta \langle s_1, \sigma_0 \rangle
3488: \rightarrow
3489: \eta
3490: \justifies
3491: \rho \vdash_\beta
3492: \langle \kw{if} e \kw{then} s_0 \kw{else} s_1, \sigma \rangle
3493: \rightarrow
3494: \eta
3495: \endprooftree
3496: \end{gather}
3497: %
3498: \item[While]
3499: %
3500: \begin{gather}
3501: \label{rule:conc_while_guard_error}
3502: \prooftree
3503: \rho \vdash_\beta \langle e, \sigma \rangle
3504: \rightarrow
3505: \exceptstate
3506: \justifies
3507: \rho \vdash_\beta \langle \kw{while} e \kw{do} s, \sigma \rangle
3508: \rightarrow
3509: \exceptstate
3510: \endprooftree \\[1ex]
3511: %%
3512: \label{rule:conc_while_false_ok}
3513: \prooftree
3514: \rho \vdash_\beta \langle e, \sigma \rangle
3515: \rightarrow
3516: \langle \ffv, \sigma_0 \rangle
3517: \justifies
3518: \rho \vdash_\beta \langle \kw{while} e \kw{do} s, \sigma \rangle
3519: \rightarrow
3520: \sigma_0
3521: \endprooftree \\[1ex]
3522: %%
3523: \label{rule:conc_while_true_body_error}
3524: \prooftree
3525: \rho \vdash_\beta \langle e, \sigma \rangle
3526: \rightarrow
3527: \langle \ttv, \sigma_0 \rangle
3528: \quad
3529: \rho \vdash_\beta \langle s, \sigma_0 \rangle
3530: \rightarrow
3531: \exceptstate
3532: \justifies
3533: \rho \vdash_\beta \langle \kw{while} e \kw{do} s, \sigma \rangle
3534: \rightarrow
3535: \exceptstate
3536: \endprooftree \\[1ex]
3537: %%
3538: \label{rule:conc_while_true_body_ok}
3539: \prooftree
3540: \rho \vdash_\beta \langle e, \sigma \rangle
3541: \rightarrow
3542: \langle \ttv, \sigma_0 \rangle
3543: \quad
3544: \rho \vdash_\beta \langle s, \sigma_0 \rangle
3545: \rightarrow
3546: \sigma_1
3547: \quad
3548: \rho \vdash_\beta \langle \kw{while} e \kw{do} s, \sigma_1 \rangle
3549: \rightarrow
3550: \eta
3551: \justifies
3552: \rho \vdash_\beta \langle \kw{while} e \kw{do} s, \sigma \rangle
3553: \rightarrow
3554: \eta
3555: \endprooftree
3556: \end{gather}
3557: %
3558: \item[Throw]
3559: %
3560: \begin{gather}
3561: \label{rule:conc_throw_except}
3562: \prooftree
3563: \nohyp
3564: \justifies
3565: \rho \vdash_\beta \langle \kw{throw} \rtsexcept, \sigma \rangle
3566: \rightarrow
3567: \langle \sigma, \rtsexcept \rangle
3568: \endprooftree \\[1ex]
3569: %%
3570: \label{rule:conc_throw_expr_error}
3571: \prooftree
3572: \rho \vdash_\beta \langle e, \sigma \rangle
3573: \rightarrow
3574: \exceptstate
3575: \justifies
3576: \rho \vdash_\beta \langle \kw{throw} e, \sigma \rangle
3577: \rightarrow
3578: \exceptstate
3579: \endprooftree \\[1ex]
3580: \label{rule:conc_throw_expr_ok}
3581: \prooftree
3582: \rho \vdash_\beta \langle e, \sigma \rangle
3583: \rightarrow
3584: \langle \sval, \sigma_0 \rangle
3585: \justifies
3586: \rho \vdash_\beta \langle \kw{throw} e, \sigma \rangle
3587: \rightarrow
3588: \langle \sigma_0, \sval \rangle
3589: \endprooftree
3590: \end{gather}
3591: %
3592: \item[Try blocks]
3593: %
3594: \begin{gather}
3595: \label{rule:conc_try_no_except}
3596: \prooftree
3597: \rho \vdash_\beta \langle s, \sigma \rangle
3598: \rightarrow
3599: \sigma_0
3600: \justifies
3601: \rho
3602: \vdash_\beta
3603: \langle
3604: \kw{try} s \kw{catch} k,
3605: \sigma
3606: \rangle
3607: \rightarrow
3608: \sigma_0
3609: \endprooftree \\[1ex]
3610: %%
3611: \label{rule:conc_try_except}
3612: \prooftree
3613: \rho \vdash_\beta \langle s, \sigma \rangle
3614: \rightarrow
3615: \exceptstate_0
3616: \quad
3617: \rho \vdash_\beta \langle k, \exceptstate_0 \rangle
3618: \rightarrow
3619: \langle u, \eta \rangle
3620: \justifies
3621: \rho
3622: \vdash_\beta
3623: \langle
3624: \kw{try} s \kw{catch} k,
3625: \sigma
3626: \rangle
3627: \rightarrow
3628: \eta
3629: \using\quad\text{if $u \in \{ \caught, \uncaught \}$}
3630: \endprooftree
3631: \end{gather}
3632:
3633: \begin{gather}
3634: \label{rule:conc_try_finally}
3635: \prooftree
3636: \rho \vdash_\beta \langle s_0, \sigma \rangle
3637: \rightarrow
3638: \sigma_0
3639: \quad
3640: \rho \vdash_\beta \langle s_1, \sigma_0 \rangle
3641: \rightarrow
3642: \eta
3643: \justifies
3644: \rho
3645: \vdash_\beta
3646: \langle
3647: \kw{try} s_0 \kw{finally} s_1,
3648: \sigma
3649: \rangle
3650: \rightarrow
3651: \eta
3652: \endprooftree \\[1ex]
3653: \label{rule:conc_try_finally_exc_0}
3654: \prooftree
3655: \rho \vdash_\beta \langle s_0, \sigma \rangle
3656: \rightarrow
3657: \langle \sigma_0, \except_0 \rangle
3658: \quad
3659: \rho \vdash_\beta \langle s_1, \sigma_0 \rangle
3660: \rightarrow
3661: \sigma_1
3662: \justifies
3663: \rho
3664: \vdash_\beta
3665: \langle
3666: \kw{try} s_0 \kw{finally} s_1,
3667: \sigma
3668: \rangle
3669: \rightarrow
3670: \langle \sigma_1, \except_0 \rangle
3671: \endprooftree \\[1ex]
3672: %%
3673: \label{rule:conc_try_finally_exc_1}
3674: \prooftree
3675: \rho \vdash_\beta \langle s_0, \sigma \rangle
3676: \rightarrow
3677: \langle \sigma_0, \except_0 \rangle
3678: \quad
3679: \rho \vdash_\beta \langle s_1, \sigma_0 \rangle
3680: \rightarrow
3681: \exceptstate
3682: \justifies
3683: \rho
3684: \vdash_\beta
3685: \langle
3686: \kw{try} s_0 \kw{finally} s_1,
3687: \sigma
3688: \rangle
3689: \rightarrow
3690: \exceptstate
3691: \endprooftree
3692: \end{gather}
3693: %
3694: \item[Function call]
3695: %
3696: Consider the following conditions:
3697: \begin{gather}
3698: \label{eq:function-call-condition-beta-rho-d}
3699: \left.
3700: \begin{aligned}
3701: \beta(\id)
3702: &= (\fps \rightarrow \sT_0) \\
3703: \rho(\id)
3704: &= \lambdaop \id_1 : \sT_1, \ldots, \id_n : \sT_n \st \funbody \\
3705: d &= (\kw{lvar} \ridx_0 : \sT_0 = \id_0;
3706: \kw{lvar} \ridx_1 : \sT_1 = e_1;
3707: \ldots;
3708: \kw{lvar} \ridx_n : \sT_n = e_n)
3709: \end{aligned}
3710: \right\} \\
3711: \label{eq:function-call-condition-rho0-rho1}
3712: \rho_1
3713: = \bigl\{
3714: \ridx_0 \mapsto (0, \sT_0)
3715: \bigr\}
3716: \union
3717: \bigl\{\,
3718: \id_j \mapsto (j, \sT_j)
3719: \bigm|
3720: j = 1, \ldots, n
3721: \,\bigr\},
3722: \;
3723: \rho_0 : \beta_0,
3724: \;
3725: \rho_1 : \beta_1.
3726: \end{gather}
3727: Then the rule schemata for function calls are the following:
3728: \begin{gather}
3729: \label{rule:conc_function_call_param_err}
3730: \prooftree
3731: \rho
3732: \vdash_\beta
3733: \bigl\langle
3734: d, \smark(\sigma)
3735: \bigr\rangle
3736: \rightarrow
3737: \exceptstate
3738: \justifies
3739: \rho
3740: \vdash_\beta
3741: \bigl\langle
3742: \id_0 := \id(e_1, \ldots, e_n),
3743: \sigma
3744: \bigr\rangle
3745: \rightarrow
3746: \exceptstate
3747: \using\quad\text{if \eqref{eq:function-call-condition-beta-rho-d} holds}
3748: \endprooftree \\[1ex]
3749: %
3750: \label{rule:conc_function_call_eval_err}
3751: \prooftree
3752: \begin{aligned}
3753: & \rho
3754: \vdash_\beta
3755: \bigl\langle
3756: d, \smark(\sigma)
3757: \bigr\rangle
3758: \rightarrow
3759: \langle \rho_0, \sigma_0 \rangle \\
3760: & \rho[\rho_1]
3761: \vdash_{\beta[\beta_1]}
3762: \bigl\langle \funbody, \slink(\sigma_0) \bigr\rangle
3763: \rightarrow
3764: \exceptstate
3765: \end{aligned}
3766: \justifies
3767: \rho
3768: \vdash_\beta
3769: \bigl\langle
3770: \id_0 := \id(e_1, \ldots, e_n),
3771: \sigma
3772: \bigr\rangle
3773: \rightarrow
3774: \sunmark\bigl(\sunlink(\exceptstate)\bigr)
3775: \using\quad\text{if \eqref{eq:function-call-condition-beta-rho-d}
3776: and \eqref{eq:function-call-condition-rho0-rho1} hold}
3777: \endprooftree \\[1ex]
3778: %
3779: \label{rule:conc_function_call_eval_ok}
3780: \prooftree
3781: \begin{aligned}
3782: & \rho
3783: \vdash_\beta
3784: \bigl\langle
3785: d, \smark(\sigma)
3786: \bigr\rangle
3787: \rightarrow
3788: \langle \rho_0, \sigma_0 \rangle \\
3789: & \rho[\rho_1]
3790: \vdash_{\beta[\beta_1]}
3791: \bigl\langle \funbody, \slink(\sigma_0) \bigr\rangle
3792: \rightarrow
3793: \sigma_1 \\
3794: & \rho[\rho_0]
3795: \vdash_{\beta[\beta_0]}
3796: \bigl\langle
3797: \id_0 := \ridx_0,
3798: \sunlink(\sigma_1)
3799: \bigr\rangle
3800: \rightarrow
3801: \eta_2
3802: \end{aligned}
3803: \justifies
3804: \rho
3805: \vdash_\beta
3806: \bigl\langle
3807: \id_0 := \id(e_1, \ldots, e_n),
3808: \sigma
3809: \bigr\rangle
3810: \rightarrow
3811: \sunmark(\eta_2)
3812: \using\quad\text{if \eqref{eq:function-call-condition-beta-rho-d}
3813: and \eqref{eq:function-call-condition-rho0-rho1} hold}
3814: \endprooftree
3815: \end{gather}
3816: %
3817: \end{description}
3818: %
3819: Note that parameter passing is implemented by using reserved identifiers
3820: that reference the return value ($\ridx_0$) and the actual
3821: arguments ($\ridx_1$, \ldots, $\ridx_n$).
3822: When evaluating the function body
3823: (i.e., after linking a new activation frame),
3824: the callee can get access to the return value and the arguments' values
3825: by using the indirect locators $0$ and $1$, \ldots, $n$, respectively;
3826: to this end, the callee uses the environment $\rho_1$, where
3827: the reserved identifier $\ridx_0$ is still mapped to the return value,
3828: whereas the arguments are accessible using the formal parameters' names
3829: $\id_1$, \ldots, $\id_n$.
3830:
3831: \subsubsection{Function Bodies}
3832:
3833: \begin{gather}
3834: \label{rule:conc_function_body_0}
3835: \prooftree
3836: \rho \vdash_\beta \bigl\langle d, \smark(\sigma) \bigr\rangle
3837: \rightarrow
3838: \exceptstate
3839: \justifies
3840: \rho
3841: \vdash_\beta
3842: \langle \kw{let} d \,\kw{in} s \kw{result} e, \sigma \rangle
3843: \rightarrow
3844: \exceptstate
3845: \endprooftree \\[1ex]
3846: %%
3847: \label{rule:conc_function_body_1}
3848: \prooftree
3849: \rho \vdash_\beta \bigl\langle d, \smark(\sigma) \bigr\rangle
3850: \rightarrow
3851: \langle \rho_0, \sigma_0 \rangle
3852: \quad
3853: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle s, \sigma_0 \rangle
3854: \rightarrow
3855: \exceptstate
3856: \justifies
3857: \rho
3858: \vdash_\beta
3859: \langle \kw{let} d \,\kw{in} s \kw{result} e, \sigma \rangle
3860: \rightarrow
3861: \sunmark(\exceptstate)
3862: \using\quad\text{if $\beta \vdash_{\FI(d)} d : \beta_0$}
3863: \endprooftree \\[1ex]
3864: %%
3865: \label{rule:conc_function_body_2}
3866: \prooftree
3867: \begin{aligned}
3868: & \rho \vdash_\beta \bigl\langle d, \smark(\sigma) \bigr\rangle
3869: \rightarrow
3870: \langle \rho_0, \sigma_0 \rangle \\
3871: %%\quad
3872: & \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle s, \sigma_0 \rangle
3873: \rightarrow
3874: \sigma_1 \\
3875: & \rho[\rho_0]
3876: \vdash_{\beta[\beta_0]}
3877: \langle \ridx_0 := e, \sigma_1 \rangle
3878: \rightarrow
3879: \eta_0
3880: \end{aligned}
3881: \justifies
3882: \rho
3883: \vdash_\beta
3884: \langle \kw{let} d \,\kw{in} s \kw{result} e, \sigma \rangle
3885: \rightarrow
3886: \sunmark(\eta_0)
3887: \using\quad\text{if $\beta \vdash_{\FI(d)} d : \beta_0$}
3888: \endprooftree
3889: \end{gather}
3890:
3891: \begin{gather}
3892: \label{rule:conc_function_body_extern}
3893: \prooftree
3894: \nohyp
3895: \justifies
3896: \rho
3897: \vdash_\beta
3898: \bigl\langle
3899: \kw{extern} : \sT,
3900: (\mu, w)
3901: \bigr\rangle
3902: \rightarrow
3903: \eta
3904: \endprooftree
3905: \end{gather}
3906: if
3907: \(
3908: \exists \sigma_0 = (\mu_0, w) \in \Mem, \except \in \Except
3909: \st
3910: \eta = \sigma_0
3911: \lor
3912: \eta = \langle \sigma_0, \except \rangle
3913: \).
3914:
3915: \subsubsection{Catch Clauses}
3916:
3917: \begin{description}
3918: %
3919: \item[Catch]
3920: %
3921: \begin{gather}
3922: \label{rule:conc_catch_caught}
3923: \prooftree
3924: \rho \vdash_\beta \langle s, \sigma \rangle
3925: \rightarrow
3926: \eta_0
3927: \justifies
3928: \rho
3929: \vdash_\beta
3930: \bigl\langle
3931: (p) \, s,
3932: (\sigma, \except)
3933: \bigr\rangle
3934: \rightarrow
3935: \langle \caught, \eta_0 \rangle
3936: \endprooftree \\[1ex]
3937: \intertext{%
3938: if $p = \except \in \RTSExcept$,
3939: or $p = \type(\except)$,
3940: or $p = \kw{any}$.
3941: }
3942: %%
3943: \label{rule:conc_catch_expr_caught_stkerr}
3944: \prooftree
3945: \nohyp
3946: \justifies
3947: \rho
3948: \vdash_\beta
3949: \bigl\langle
3950: (\id : \sT) \, s,
3951: (\sigma, \sval)
3952: \bigr\rangle
3953: \rightarrow
3954: \bigl\langle \caught, \sunmark(\exceptstate_0) \bigr\rangle
3955: \endprooftree \\[1ex]
3956: \intertext{%
3957: if $\sT = \type(\sval)$ and
3958: $\exceptstate_0 = \stknew\bigl( \sval, \smark(\sigma) \bigr)$.
3959: }
3960: %%
3961: \label{rule:conc_catch_expr_caught_noerr}
3962: \prooftree
3963: \rho\bigl[\{\id \mapsto (i,\sT)\}\bigr]
3964: \vdash_{\beta[ \{\id \mapsto \location{\sT}\} ]}
3965: \langle s, \sigma_0 \rangle
3966: \rightarrow
3967: \eta_0
3968: \justifies
3969: \rho
3970: \vdash_\beta
3971: \bigl\langle
3972: (\id : \sT) \, s,
3973: (\sigma, \sval)
3974: \bigr\rangle
3975: \rightarrow
3976: \bigl\langle \caught, \sunmark(\eta_0) \bigr\rangle
3977: \endprooftree \\[1ex]
3978: \intertext{%
3979: if $\sT = \type(\sval)$ and
3980: $(\sigma_0, i) = \stknew\bigl( \sval, \smark(\sigma) \bigr)$.
3981: }
3982: %%
3983: \label{rule:conc_catch_uncaught}
3984: \prooftree
3985: \nohyp
3986: \justifies
3987: \rho
3988: \vdash_\beta
3989: \bigl\langle
3990: (p) \, s,
3991: (\sigma, \except)
3992: \bigr\rangle
3993: \rightarrow
3994: \bigl\langle \uncaught, (\sigma, \except) \bigr\rangle
3995: \endprooftree
3996: \end{gather}
3997: %% if $p \notin \bigl\{ \except, \cT, \kw{any} \bigr\}$
3998: %% and $\forall \id \in \Id \itc p \neq \id : \cT$,
3999: %% where $\cT = \type(\except)$.
4000: if, letting $\cT = \type(\except)$, we have
4001: $p \notin \bigl\{ \except, \cT, \kw{any} \bigr\}$
4002: and $\forall \id \in \Id \itc p \neq \id : \cT$.
4003: %
4004: \item[Catch sequence]
4005: %
4006: \begin{gather}
4007: \label{rule:conc_catch_seq_caught}
4008: \prooftree
4009: \rho
4010: \vdash_\beta
4011: \langle k_0, \exceptstate \rangle
4012: \rightarrow
4013: \langle \caught, \eta_0 \rangle
4014: \justifies
4015: \rho
4016: \vdash_\beta
4017: \langle
4018: k_0 ; k_1,
4019: \exceptstate
4020: \rangle
4021: \rightarrow
4022: \langle \caught, \eta_0 \rangle
4023: \endprooftree \\[1ex]
4024: %%
4025: \label{rule:conc_catch_seq_uncaught}
4026: \prooftree
4027: \rho
4028: \vdash_\beta
4029: \langle k_0, \exceptstate \rangle
4030: \rightarrow
4031: \langle \uncaught, \exceptstate_0 \rangle
4032: \quad
4033: \rho
4034: \vdash_\beta
4035: \langle k_1, \exceptstate_0 \rangle
4036: \rightarrow
4037: \eta
4038: \justifies
4039: \rho
4040: \vdash_\beta
4041: \langle
4042: k_0 ; k_1,
4043: \exceptstate
4044: \rangle
4045: \rightarrow
4046: \eta
4047: \endprooftree
4048: \end{gather}
4049: %
4050: \end{description}
4051:
4052: \subsection{Concrete Divergence Relation}
4053: \label{sec:concrete-divergence-relation}
4054:
4055: In order to capture divergent computations, we follow the approach
4056: of Cousot and Cousot \cite{CousotC92}, also advocated by
4057: Schmidt \cite{Schmidt98}
4058: and Leroy \cite{Leroy06}.
4059: This consists in introducing a \emph{divergence relation} by means
4060: of sequents of the form
4061: \(
4062: \rho \vdash_\beta N \diverges,
4063: \)
4064: where $N \in \NTq$ and
4065: $q \in \{ \mathrm{s}, \mathrm{b}, \mathrm{k} \}$.
4066: Intuitively, a divergence sequent of the form, say,
4067: $\rho \vdash_\beta \langle s, \sigma \rangle \diverges$
4068: means that, in the context given by $\rho$ and $\sigma$,
4069: the execution of statement $s$ diverges.
4070: We now give a set of rules that
4071: (interpreted coinductively, as we will see later)
4072: allow to characterize the behavior of divergent computations.
4073: For instance, the following rule schemata characterize the divergence
4074: behavior of statement sequences:
4075: \[
4076: \prooftree
4077: \rho \vdash_\beta \langle s_0, \sigma \rangle
4078: \diverges
4079: \Justifies
4080: \rho \vdash_\beta \langle s_0 ; s_1, \sigma \rangle
4081: \diverges
4082: \endprooftree \\[1ex]
4083: \quad
4084: \prooftree
4085: \rho \vdash_\beta \langle s_0, \sigma \rangle
4086: \rightarrow
4087: \sigma_0
4088: \quad
4089: \rho \vdash_\beta \langle s_1, \sigma_0 \rangle
4090: \diverges
4091: \Justifies
4092: \rho \vdash_\beta \langle s_0 ; s_1, \sigma \rangle
4093: \diverges
4094: \endprooftree
4095: \]
4096: %%
4097: Notice that, once the set of concrete rules characterizing finite computations
4098: is known, the concrete rules modeling divergences can be specified
4099: systematically (and thus implicitly).
4100: Namely, for each concrete rule
4101: \begin{equation}
4102: \label{rule:conc_generic}
4103: \prooftree
4104: P_0 \quad \cdots \quad P_{i-1}
4105: \quad
4106: \rho_i \vdash_{\beta_i} N_i \rightarrow \eta_i
4107: \quad
4108: P_{i+1} \quad \cdots \quad P_{h-1}
4109: \justifies
4110: \rho \vdash_\beta N \rightarrow \eta
4111: \using\quad\text{(side condition)}
4112: \endprooftree
4113: \end{equation}
4114: such that $0 \leq i < h$ and,
4115: for $q \in \{ \mathrm{s}, \mathrm{b}, \mathrm{k} \}$,
4116: $N_i \in \biguplus \NTq^{\beta_i}$ and
4117: $N \in \biguplus \NTq^\beta$,
4118: there is the corresponding divergence rule where
4119: the $i$-th premise is diverging, i.e.,
4120: \begin{equation*}
4121: \prooftree
4122: P_0 \quad \cdots \quad P_{i-1} \quad \rho_i \vdash_{\beta_i} N_i \diverges
4123: \Justifies
4124: \rho \vdash_\beta N \diverges
4125: \using\quad\text{(side condition)}
4126: \endprooftree
4127: \end{equation*}
4128: Therefore, there are two rules above modeling the divergence of statement
4129: sequences, which can be obtained from rule \eqref{rule:conc_sequence_1}.
4130: It is worth noting that
4131: a single divergence rule schema can be obtained from more than
4132: one of the concrete rules in Section~\ref{sec:concrete-evaluation-relations}.
4133:
4134: We will use the terms \emph{negative} and \emph{positive}
4135: to distinguish the different kinds of rules constructed in
4136: this and the previous section, respectively.
4137: \begin{definition} \summary{(Concrete semantics rules.)}
4138: \label{def:conc-rules}
4139: The set $\calR_+$ (resp., $\calR_-$)
4140: of \emph{positive} (resp., \emph{negative}) \emph{concrete semantics rules}
4141: is the infinite set obtained by instantiating the rule schemata
4142: of \textup{Section~\ref{sec:concrete-evaluation-relations}}
4143: (resp., \textup{Section~\ref{sec:concrete-divergence-relation}})
4144: in all possible ways (respecting, of course, the side conditions).
4145: Moreover, $\calR \defeq \calR_+ \uplus \calR_-$.
4146: \end{definition}
4147:
4148: \subsection{Concrete Semantics Trees}
4149: \label{sec:concrete-semantics-trees}
4150:
4151: The concrete semantics of a program is a (possibly infinite)
4152: set of finite or infinite trees. Such trees are defined in
4153: terms of the (infinite) set of instances of the rules defined
4154: in the previous two sections.
4155:
4156: Let $\calS$ be the (infinite) set of sequents occurring in the premises
4157: and conclusions of the rules in $\calR$.
4158: The \emph{concrete semantics universe}, denoted by $\calU$, is the
4159: set of finitely branching trees of at most $\omega$-depth with labels
4160: in $\calS$.
4161: \begin{definition} \summary{(Concrete semantics universe.)}
4162: \label{def:concrete-semantics-universe}
4163: A set $P \sseq \Nset^\star$ is \emph{prefix-closed} if, for each
4164: $z \in \Nset^\star$ and each $n \in \Nset$, $zn \in P$ implies $z \in P$.
4165: A set $P \sseq \Nset^\star$ is \emph{canonical} if, for each
4166: $z \in \Nset^\star$ there exists $h \in \Nset$ such that
4167: \[
4168: \{\, n \in \Nset \mid zn \in P \,\} = \{ 0, \ldots, h-1 \}.
4169: \]
4170: An \emph{$\calS$-tree} is a partial function
4171: $\pard{\theta}{\Nset^\star}{\calS}$
4172: such that $\dom(\theta)$ is prefix-closed and canonical.
4173: The \emph{concrete semantics universe} $\calU$ is the set of all $\calS$-trees.
4174: \end{definition}
4175: For each $p \in \dom(\theta)$, the tree $\theta_{[p]}$ defined,
4176: for each $z \in \Nset^\star$, by $\theta_{[p]}(z) \defeq \theta(pz)$,
4177: is called a \emph{subtree} of $\theta$; it is called a \emph{proper subtree}
4178: if $p \neq \emptystring$.
4179: If $\dom(\theta) = \emptyset$, then $\theta$ is the empty tree.
4180: If $\theta$ is not empty,
4181: then $\theta(\emptystring)$ is the \emph{root} of $\theta$ and,
4182: if $\{ 0, \ldots, h-1 \} \subseteq \dom(\theta)$
4183: and $h \notin \dom(\theta)$,
4184: then $\theta_{[0]}$, \dots,~$\theta_{[h-1]}$
4185: are its \emph{immediate subtrees}
4186: (note that $h \in \Nset$ may be zero);
4187: in this case $\theta$ can be denoted by
4188: $\frac{\theta_{[0]} \; \cdots \; \theta_{[h-1]}}{\theta(\emptystring)}$.
4189:
4190: \begin{definition} \summary{(Concrete semantics trees.)}
4191: \label{def:concrete-semantics-trees}
4192: Let $\fund{\calF_+}{\wp(\calU)}{\wp(\calU)}$ be the continuous function
4193: over the complete lattice $\bigl(\wp(\calU), \mathord{\sseq}\bigl)$ given,
4194: for all $U \in \wp(\calU)$, by
4195: \begin{align*}
4196: \calF_+(U)
4197: &\defeq
4198: \sset{%
4199: \prooftree
4200: \theta_0 \; \cdots \; \theta_{h-1}
4201: \justifies
4202: s
4203: \endprooftree
4204: }{%
4205: \theta_0, \ldots, \theta_{h-1} \in U, \\[1ex]
4206: \prooftree
4207: \theta_0(\emptystring) \; \cdots \; \theta_{h-1}(\emptystring)
4208: \justifies
4209: s
4210: \endprooftree
4211: \in \calR_+
4212: }. \\
4213: \intertext{%
4214: The set of \emph{positive concrete semantics trees} is
4215: $\Theta_+ \defeq \lfp_{\mathord{\subseteq}}(\calF_+)$.
4216: %%
4217: Consider now the co-continuous function
4218: $\fund{\calF_-}{\wp(\calU)}{\wp(\calU)}$
4219: given, for each $U \in \wp(\calU)$, by
4220: }
4221: \calF_-(U)
4222: &\defeq
4223: \sset{%
4224: \prooftree
4225: \theta_0 \; \cdots \; \theta_{h-1}
4226: \justifies
4227: s
4228: \endprooftree
4229: }{%
4230: \theta_0, \ldots, \theta_{h-2} \in \Theta_+,
4231: \quad
4232: \theta_{h-1} \in U, \\[1ex]
4233: \prooftree
4234: \theta_0(\emptystring) \; \cdots \; \theta_{h-1}(\emptystring)
4235: \justifies
4236: s
4237: \endprooftree
4238: \in \calR_-
4239: }.
4240: \end{align*}
4241: The set of \emph{negative concrete semantics trees} is
4242: $\Theta_- \defeq \gfp_{\mathord{\subseteq}}(\calF_-)$.
4243: The set of all \emph{concrete semantics trees} is
4244: $\Theta \defeq \Theta_+ \uplus \Theta_-$.
4245: \end{definition}
4246:
4247: We now show that, for every concrete non-terminal configuration,
4248: there exists a concrete semantics tree with that in the root.
4249: \begin{proposition}
4250: \label{prop:concrete-tree-exists}
4251: For each $\beta \in \TEnv$,
4252: $\rho \in \Env$ such that $\rho : \beta$ and
4253: $N \in \NTq^{\beta}$, where
4254: \(
4255: q
4256: \in
4257: \{
4258: \mathrm{e}, \mathrm{d}, \mathrm{g},
4259: \mathrm{s}, \mathrm{b}, \mathrm{k}
4260: \}
4261: \),
4262: there exists $\theta \in \Theta$ such that
4263: \[
4264: \theta(\emptystring)
4265: \in \bigl\{\,
4266: (\rho \vdash_\beta N \rightarrow \eta)
4267: \bigm|
4268: \eta \in \Tq
4269: \,\bigr\}
4270: \uplus
4271: \bigl\{\, (\rho \vdash_\beta N \diverges) \,\bigr\}.
4272: \]
4273: \end{proposition}
4274: \begin{proof}
4275: If $q = \mathrm{e}$ and $\eta \in \Te$,
4276: we say that the sequent
4277: $(\rho \vdash_\beta N \rightarrow \eta)$
4278: is well-typed if
4279: $N = \langle e, \sigma_0 \rangle$
4280: and
4281: $\eta = \langle \sval, \sigma_1 \rangle$
4282: imply
4283: $\beta \vdash e : \type(\sval)$.
4284: For the proof, let
4285: \begin{equation*}
4286: S_+(\rho, \beta, N)
4287: \defeq
4288: \bigl\{\,
4289: s
4290: \bigm|
4291: s = (\rho \vdash_\beta N \rightarrow \eta),
4292: \eta \in \Tq,
4293: (q = \mathrm{e} \implies \text{$s$ is well-typed})
4294: \,\bigr\}.
4295: \end{equation*}
4296:
4297: We now assume that $N \in \NTq^{\beta}$
4298: is a fixed but arbitrary non-terminal configuration.
4299: It suffices
4300: to show there exists $\theta \in \Theta$ such that
4301: \(
4302: \theta(\emptystring)
4303: \in
4304: S_+(\rho, \beta, N)
4305: \uplus
4306: \bigl\{\, (\rho \vdash_\beta N \diverges) \,\bigr\}
4307: \).
4308: Let $R_0$ be the set of all rules in $\calR_+$
4309: whose conclusions are in $S_+(\rho, \beta, N)$.
4310: By inspecting the concrete evaluation rule schemata in
4311: Section~\ref{sec:concrete-evaluation-relations},
4312: $R_0 \neq \emptyset$.
4313: Let $j \geq 0$ be the maximal value for which
4314: there exist finite trees
4315: $\theta_0, \ldots, \theta_{j-1} \in \Theta_+$ where
4316: $P_0 = \theta_0(\emptystring), \ldots, P_{j-1} = \theta_{j-1}(\emptystring)$
4317: are the first $j$ premises of a rule in $R_0$.
4318: Let $R_j \sseq R_0$ be the set of all rules in $R_0$
4319: with $P_0, \ldots, P_{j-1}$ as their first $j$ premises;
4320: then $R_j \neq \emptyset$.
4321: By inspecting the rule schemata
4322: in Section~\ref{sec:concrete-evaluation-relations},
4323: it can be seen that, if there exists
4324: $\frac{P_0 \; \cdots \; P_{j-1} \; P'_j \; \cdots}{s'} \in R_j$
4325: for some $P'_j \in S_+(\rho_j, \beta_j, N_j)$ and
4326: $s' \in S_+(\rho, \beta, N)$,
4327: then%
4328: \footnote{
4329: To help understand this property,
4330: we illustrate it in the case that
4331: $q = \mathrm{e}$
4332: and the non-terminal configuration is
4333: $N = \langle b_0 \andop b_1, \sigma \rangle$;
4334: hence the concrete rule schemata
4335: \eqref{rule:conc_conjunction_0}--\eqref{rule:conc_conjunction_2}
4336: will apply.
4337: In all the rule instances, the first premise is of the form
4338: $P_0 = (\rho \vdash_\beta N_0 \rightarrow \eta_0)$,
4339: where $N_0 = \langle b_0, \sigma \rangle$;
4340: as a consequence, we have
4341: \(
4342: S_+(\rho, \beta, N_0) =
4343: \bigl\{\,
4344: (\rho \vdash_\beta N_0 \rightarrow \eta_0)
4345: \bigm|
4346: \eta_0 \in B
4347: \,\bigr\}
4348: \),
4349: where
4350: \(
4351: B \defeq
4352: \ExceptState
4353: \uplus
4354: \{\,
4355: \langle t, \sigma_0 \rangle \in \Te
4356: \mid
4357: t \in \Bool, \sigma_0 \in \Mem
4358: \,\}
4359: \).
4360: Thus, for each terminal configuration $\eta_0 \in B$,
4361: there is a rule instance having $\eta_0$ in its first premise ---
4362: that is we instantiate
4363: rule~\eqref{rule:conc_conjunction_0}
4364: when $\eta_0 = \exceptstate$,
4365: rule~\eqref{rule:conc_conjunction_1}
4366: when $\eta_0 = \langle \ffv, \sigma_0 \rangle$
4367: and rule~\eqref{rule:conc_conjunction_2}
4368: when $\eta_0 = \langle \ttv, \sigma_0 \rangle$.
4369: Thus property~\eqref{prop:concrete-tree-exists:j_plus_1_premise}
4370: holds for $j = 0$.
4371: Moreover, although only
4372: rule~\eqref{rule:conc_conjunction_2} applies when $j = 1$,
4373: the terminal configuration for the second premise ($P_1$)
4374: is just any terminal configuration in $\Te$.
4375: Thus property~\eqref{prop:concrete-tree-exists:j_plus_1_premise}
4376: also holds for $j = 1$.
4377: }
4378: \begin{equation}
4379: \label{prop:concrete-tree-exists:j_plus_1_premise}
4380: \forall P_j \in S_+(\rho_j, \beta_j, N_j)
4381: \itc
4382: \exists s \in S_+(\rho, \beta, N)
4383: \st
4384: \frac{P_0 \; \cdots \; P_{j-1} \; P_j \; \cdots}{s} \in R_j.
4385: \end{equation}
4386:
4387: Suppose that $q \in \{ \mathrm{e}, \mathrm{d}, \mathrm{g} \}$
4388: so that we can also assume $N = \langle u, \sigma \rangle$.
4389: We show by structural induction on $u$ that
4390: there exists $\theta \in \Theta_+$ such that
4391: \(
4392: \theta(\emptystring) \in S_+(\rho, \beta, N)
4393: \).
4394: By inspecting the rule schemata in
4395: Section~\ref{sec:concrete-evaluation-relations},
4396: it can be seen that, if $u$ is atomic,
4397: the rules in $R_0$ have no premises (so that $j = 0$) and hence,
4398: letting $\theta \in \Theta_+$ be the singleton tree consisting of the
4399: conclusion of a rule in $R_0$,
4400: we obtain that $\theta(\emptystring) \in S_+(\rho, \beta, N)$.
4401: %%
4402: Otherwise, $u$ is not atomic,
4403: we show that each of the rules in $R_j$ has exactly $j$ premises;
4404: to do this, we assume there exists a rule in $R_j$
4405: with a $(j+1)$-th premise
4406: $P_j$
4407: and derive a contradiction.
4408: Let
4409: $N_j \in \NT{q_j}^{\beta_j}$ be the non-terminal configuration
4410: in $P_j$.
4411: By inspecting the rule schemata in
4412: Section~\ref{sec:concrete-evaluation-relations}
4413: in the case that $q \in \{ \mathrm{e}, \mathrm{d}, \mathrm{g} \}$,
4414: it can be seen that:
4415: \begin{enumerate}[(i)]
4416: \item
4417: \label{prop:concrete-tree-exists:q_j-in-edg}
4418: $q_j \in \{ \mathrm{e}, \mathrm{d}, \mathrm{g}\}$
4419: so that $N_j$ has the form $\langle u_j, \sigma_j \rangle$;
4420: \item
4421: \label{prop:concrete-tree-exists:u_j-in-u}
4422: $u_j$ is a substructure of $u$
4423: unless $R_j$ consists of instances of
4424: the schematic rule~\eqref{rule:conc_decl_rec} and $j = 1$.
4425: \end{enumerate}
4426: If $u_j$ is a substructure of $u$,
4427: by property~\eqref{prop:concrete-tree-exists:q_j-in-edg},
4428: we can apply structural induction to obtain that
4429: there exists a finite tree $\theta_j \in \Theta_+$ such that
4430: $P_j = \theta_j(\emptystring) \in S_+(\rho_j, \beta_j, N_j)$;
4431: hence,
4432: by property~\eqref{prop:concrete-tree-exists:j_plus_1_premise},
4433: there exists a rule in $R_j$ having
4434: $P_j$ as its $(j+1)$-th premise;
4435: contradicting the assumption that $j$ was maximal.
4436: Otherwise, by property~\eqref{prop:concrete-tree-exists:u_j-in-u},
4437: if $u_j$ is not a substructure of $u$,
4438: the rules in $R_0$ must be instances of rule
4439: schema~\eqref{rule:conc_decl_rec} and $j = 1$;
4440: in this case, rule schema~\eqref{rule:conc_decl_rec_environment},
4441: which has no premises,
4442: can be instantiated with the second premise of a rule in $R_j$
4443: as its conclusion; and again we have a contradiction.
4444: Thus, for any $u_j$, all rules in $R_j$ have exactly $j$ premises.
4445: By Definition~\ref{def:concrete-semantics-trees},
4446: \(
4447: \theta
4448: =
4449: \frac{\theta_0 \; \cdots \; \theta_{j-1}}%
4450: {s}
4451: \in
4452: \Theta_+
4453: \)
4454: for some $s \in S_+(\rho, \beta, N)$.
4455: Therefore, since $\Theta_+ \sseq \Theta$, the thesis holds when
4456: $q \in \{ \mathrm{e}, \mathrm{d}, \mathrm{g} \}$.
4457:
4458: Suppose now that $q \in \{ \mathrm{s}, \mathrm{b}, \mathrm{k} \}$.
4459: We prove that,
4460: if there does not exist a tree $\theta \in \Theta_+$ such that
4461: $\theta(\emptystring) \in S_+(\rho, \beta, N)$,
4462: then, for all $n \geq 0$, there exists a tree $\theta$ such that
4463: $\theta(\emptystring) = s_\infty \defeq (\rho \vdash_\beta N \diverges)$ and
4464: $\theta \in \calF^n_-(\calU)$.
4465: %
4466: To this end, we reason by induction on $n \geq 0$.
4467: By our assumption that there is no tree $\theta \in \Theta_+$
4468: such that $\theta(\emptystring) \in S_+(\rho, \beta, N)$,
4469: there must exist a rule
4470: \begin{equation*}
4471: \frac{P_0 \; \cdots \; P_{j-1} \; P_j \; \cdots}%
4472: {s}
4473: \in
4474: R_j
4475: \end{equation*}
4476: for some $P_j \in S_+(\rho_j, \beta_j, N_j)$;
4477: let $q_j$ be such that $N_j \in \NT{q_j}^{\beta_j}$.
4478: By the maximality of $j$, there is no tree in $\Theta_+$ whose root is $P_j$.
4479: We have already shown that,
4480: if $q_j \in \{ \mathrm{e}, \mathrm{d}, \mathrm{g} \}$,
4481: then there exists a tree
4482: $\theta_j \in \Theta_+$ such that
4483: $\theta_j(\emptystring) \in S_+(\rho_j, \beta_j, N_j)$;
4484: thus, by property~\eqref{prop:concrete-tree-exists:j_plus_1_premise},
4485: there must be a rule in $R_j$ whose $(j+1)$-th premise
4486: is $\theta_j(\emptystring)$; contradicting the assumption that
4487: $j \geq 0$ is maximal.
4488: Hence $q_j \in \{ \mathrm{s}, \mathrm{b}, \mathrm{k} \}$.
4489: By the definition of the negative concrete semantics rules
4490: in Section~\ref{sec:concrete-divergence-relation},
4491: there exists a corresponding negative rule
4492: \begin{equation*}
4493: \frac{P_0 \; \cdots \; P_{j-1} \; P_\infty}%
4494: {s_\infty}
4495: \in \calR_-
4496: \end{equation*}
4497: such that
4498: $P_\infty = (\rho_j \vdash_{\beta_j} N_j \diverges)$.
4499: Hence, by Definition~\ref{def:concrete-semantics-universe},
4500: there exists a tree in $\calU = \calF^0_-(\calU)$
4501: with root $s_\infty$,
4502: so that the inductive hypothesis holds for $n = 0$.
4503: Suppose now that $n > 0$.
4504: By the inductive hypothesis,
4505: there exists a tree $\theta_\infty \in \calF^{n-1}_-(\calU)$
4506: such that $\theta_\infty(\emptystring) = P_\infty$.
4507: Hence, by Definition~\ref{def:concrete-semantics-trees},
4508: \(
4509: \frac{\theta_0 \; \cdots \; \theta_{j-1} \; \theta_\infty}%
4510: {s_\infty}
4511: \in
4512: \calF^n_-(\calU)
4513: \).
4514: Thus, for all $n \geq 0$, there exists a tree in $\calF^n_-(\calU)$
4515: with root $s_\infty$ and hence,
4516: by Definition~\ref{def:concrete-semantics-trees},
4517: there exists a tree in $\Theta_-$ with root $s_\infty$.
4518: Since $\Theta = \Theta_+ \uplus \Theta_-$,
4519: the thesis holds when
4520: $q \in \{ \mathrm{s}, \mathrm{b}, \mathrm{k} \}$.
4521: \qed
4522: \end{proof}
4523:
4524: The concrete semantics of a valid program $g$ with respect to
4525: the initial memory structure
4526: $\sigma_\mathrm{i} \defeq (\emptyset, \emptystring) \in \Mem$
4527: is a set of concrete semantics trees.
4528: This set will always include a tree $\theta_0 \in \Theta$
4529: (which, by Proposition~\ref{prop:concrete-tree-exists}, must exist)
4530: such that
4531: \[
4532: \theta_0(\emptystring)
4533: =
4534: \Bigl(
4535: \emptyset
4536: \vdash_\emptyset
4537: \bigl\langle
4538: (g; \textup{$\kw{gvar} \ridx : \tinteger = 0$}),
4539: \sigma_\mathrm{i}
4540: \bigr\rangle
4541: \rightarrow
4542: \eta_0
4543: \Bigr).
4544: \]
4545: If $\eta_0 = \exceptstate_0$,
4546: i.e., an RTS exception is thrown during the evaluation of $g$,
4547: then the concrete semantics is $\{\theta_0\}$.
4548: If, instead, $\eta_0 = \langle \rho_0, \sigma_0 \rangle$,
4549: then the concrete semantics is
4550: \[
4551: \{\theta_0 \} \union
4552: \bigl\{\,
4553: \theta \in \Theta
4554: \bigm|
4555: \theta(\emptystring)
4556: = (\rho_0 \vdash_\beta N \rightarrow \eta)
4557: \; \text{ or } \;
4558: \theta(\emptystring)
4559: = (\rho_0 \vdash_\beta N \diverges)
4560: \,\bigr\},
4561: \]
4562: where
4563: \(
4564: N = \bigl\langle
4565: \bigl(
4566: \ridx := \main(\emptysequence)
4567: \bigr),
4568: \sigma_0
4569: \bigr\rangle
4570: \in \NTs^\beta
4571: \)
4572: and
4573: \(
4574: \emptyset
4575: \vdash_\emptyset
4576: (g; \textup{$\kw{gvar} \ridx : \tinteger = 0$}) : \beta
4577: \).
4578:
4579: The concrete semantics for CPM we have just presented, extended
4580: as indicated in Section~\ref{sec:extensions}, allows us to reason on a number
4581: of interesting program safety properties (such as the absence of
4582: division-by-zero and other run-time errors) as well as termination
4583: and computational complexity. In the next section, we will see how
4584: the usually non-computable concrete semantics can be given an abstract
4585: counterpart that is amenable to effective computation.
4586:
4587: \section{Abstract Dynamic Semantics}
4588: \label{sec:abstract-dynamic-semantics}
4589:
4590: For the specification of the abstract semantics, we mainly
4591: follow the approach outlined in the works
4592: by Schmidt \citeNN{Schmidt95,Schmidt97,Schmidt98}.
4593: The specification of the abstract semantics requires that appropriate
4594: abstract domains are chosen to provide correct approximations for the
4595: values that are involved in the concrete computation
4596: \cite{CousotC77,CousotC79,CousotC92fr,CousotC92}.
4597: For the sake of generality and extensibility, we will not target any
4598: specific abstraction, but rather consider arbitrary abstract domains
4599: that satisfy a limited set of properties that are sufficient to provide
4600: the correctness of the overall analysis without compromising
4601: its potential precision.
4602:
4603: \subsection{Abstract Semantic Domains}
4604: \label{sec:abstract-semantic-domains}
4605:
4606: We adopt the framework proposed in~\cite[Section~7]{CousotC92fr},
4607: where the correspondence between the concrete and the abstract domains
4608: is induced from a concrete approximation relation and a concretization
4609: function.
4610: For the sole purpose of simplifying the presentation, we will consider
4611: a particular instance of the framework by assuming a few additional
4612: but non-essential domain properties.
4613: The resulting construction is adequate for our purposes and still
4614: allows for algebraically weak abstract domains, such as the domain of
4615: convex polyhedra~\cite{CousotH78}.
4616:
4617: A concrete domain is modeled as a complete lattice
4618: $(C, \sqsubseteq, \bot, \top, \sqcap, \sqcup)$
4619: of semantic properties;
4620: as usual, the concrete approximation relation $c_1 \sqsubseteq c_2$ holds
4621: if $c_1$ is a stronger property than $c_2$ (i.e., $c_2$ approximates $c_1$).
4622: %%
4623: An abstract domain is modeled as a bounded join-semilattice
4624: $(D^\sharp, \sqsubseteq^\sharp, \bot^\sharp, \sqcup^\sharp)$,
4625: so that it has a bottom element $\bot^\sharp$
4626: and the least upper bound
4627: $d^\sharp_1 \sqcup^\sharp d^\sharp_2$ exists
4628: for all $d^\sharp_1, d^\sharp_2 \in D^\sharp$.
4629: When the abstract domain is also provided with a top element
4630: $\top^\sharp \in D^\sharp$, we will write
4631: $(D^\sharp, \sqsubseteq^\sharp, \bot^\sharp, \top^\sharp, \sqcup^\sharp)$.
4632: The abstract domain $D^\sharp$ is related to $C$ by a monotonic
4633: concretization function $\fund{\gamma}{D^\sharp}{C}$:
4634: in words, $C$ is approximated by $D^\sharp$ through $\gamma$;
4635: this approximation is said to be \emph{strict}
4636: if $\gamma$ is a strict function.%
4637: \footnote{Let $\fund{f}{D_1 \times \dots \times D_n}{D_0}$,
4638: where $(D_i, \sqsubseteq_i, \bot_i, \sqcup_i)$
4639: is a bounded join-semilattice, for each $i = 0$, \dots,~$n$.
4640: Then, function $f$ is \emph{strict on the $i$-th argument}
4641: if $d_i = \bot_i$ implies $f(d_1, \dots, d_n) = \bot_0$.}
4642:
4643: In order to compute approximations for specific concrete objects,
4644: we assume the existence of a partial abstraction function
4645: $\pard{\alpha}{C}{D^\sharp}$ such that, for each $c \in C$,
4646: if $\alpha(c)$ is defined then $c \sqsubseteq \gamma\bigl(\alpha(c)\bigr)$.
4647: In particular, we assume that $\alpha(\bot) = \bot^\sharp$ is always defined;
4648: if an abstract top element exists, then $\alpha(\top) = \top^\sharp$ is
4649: also defined.
4650: When needed or useful, we will require a few additional properties.
4651:
4652: Most of the concrete domains used in the concrete semantics construction
4653: are obtained as the powerset lattice
4654: $\bigl( \wp(D), \sseq, \emptyset, D, \inters, \union \bigr)$
4655: of some set of concrete objects $D$.
4656: In such a situation, for each concrete object $d \in D$ and
4657: abstract element $d^\sharp \in D^\sharp$ such that
4658: the corresponding domains are related by the concretization function
4659: $\fund{\gamma}{D^\sharp}{\wp(D)}$, we write
4660: $d \propto d^\sharp$ and $d \not\propto d^\sharp$ to denote
4661: the assertions $d \in \gamma(d^\sharp)$ and $d \notin \gamma(d^\sharp)$,
4662: respectively.
4663: %%
4664: For a lighter notation, we denote $\sqsubseteq^\sharp$,
4665: $\bot^\sharp$, $\top^\sharp$ and $\sqcup^\sharp$ by $\sqsubseteq$, $\bot$,
4666: $\top$ and $\sqcup$, respectively. We also overload the symbols
4667: $\sqsubseteq$, $\bot$, $\top$, $\sqcup$, $\gamma$ and $\alpha$:
4668: the context will always make clear which incarnation has to be
4669: considered.
4670:
4671: The approximations of composite concrete domains are
4672: typically obtained by suitably combining the approximations already
4673: available for their basic components.
4674: For $i = 1$, $2$, let $D_i$ be a set of concrete objects and
4675: consider the corresponding powerset lattice
4676: $\bigl( \wp(D_i), \sseq, \emptyset, D_i, \inters, \union \bigr)$;
4677: let also $D^\sharp_i$ be an abstract domain related to $\wp(D_i)$
4678: by the concretization function
4679: $\fund{\gamma_i}{D^\sharp_i}{\wp(D_i)}$.
4680:
4681: \subsubsection{Approximation of Cartesian Products}
4682:
4683: Values of the Cartesian product $D_1 \times D_2$
4684: can be approximated by elements of the Cartesian product
4685: $D^\sharp_1 \times D^\sharp_2$.
4686: Namely, the component-wise ordered abstract domain
4687: \(
4688: \bigl(D^\sharp_1 \times D^\sharp_2, \sqsubseteq, \bot, \sqcup \bigr)
4689: \)
4690: is related to the concrete powerset lattice
4691: \(
4692: \bigl(
4693: \wp(D_1 \times D_2), \sseq, \emptyset, D_1 \times D_2, \inters, \union
4694: \bigr)
4695: \)
4696: by the concretization function
4697: \(
4698: \fund{\gamma}%
4699: {(D^\sharp_1 \times D^\sharp_2)}%
4700: {\wp(D_1 \times D_2)}
4701: \)
4702: defined, for each
4703: \(
4704: (d^\sharp_1, d^\sharp_2) \in D^\sharp_1 \times D^\sharp_2
4705: \),
4706: by
4707: \begin{equation}
4708: \label{eq:concretization-for-Cartesian-product}
4709: \gamma(d^\sharp_1, d^\sharp_2)
4710: \defeq
4711: \bigl\{\,
4712: (d_1, d_2) \in D_1 \times D_2
4713: \bigm|
4714: d_1 \in \gamma_1(d^\sharp_1), d_2 \in \gamma_2(d^\sharp_2)
4715: \,\bigr\}.
4716: \end{equation}
4717: Hence,
4718: $(d_1, d_2) \propto (d^\sharp_1, d^\sharp_2)$ holds
4719: if and only if
4720: $d_1 \propto d^\sharp_1$ and $d_2 \propto d^\sharp_2$.
4721:
4722: If the underlying approximations $D^\sharp_1$ and $D^\sharp_2$
4723: are both strict, then a better approximation scheme can be obtained
4724: by adopting the \emph{strict product} (also called \emph{smash product})
4725: construction, which performs a simple form of reduction
4726: by collapsing $(d^\sharp_1, d^\sharp_2)$ to the bottom element
4727: whenever $d^\sharp_1 = \bot$ or $d^\sharp_2 = \bot$.
4728: Namely,
4729: \[
4730: D^\sharp_1 \stimes D^\sharp_2
4731: \defeq
4732: \bigl\{\,
4733: (d^\sharp_1, d^\sharp_2) \in D^\sharp_1 \times D^\sharp_2
4734: \bigm|
4735: \text{$d^\sharp_1 = \bot$ if and only if $d^\sharp_2 = \bot$}
4736: \,\bigr\}.
4737: \]
4738: The concretization function is defined exactly as
4739: in~\eqref{eq:concretization-for-Cartesian-product}.
4740: The constructor function
4741: \(
4742: \fund{\spair{\cdot}{\cdot}}
4743: {(D^\sharp_1 \times D^\sharp_2)}
4744: {(D^\sharp_1 \stimes D^\sharp_2)}
4745: \)
4746: is defined by
4747: \[
4748: \spair{d^\sharp_1}{d^\sharp_2}
4749: \defeq
4750: \begin{cases}
4751: (d^\sharp_1, d^\sharp_2),
4752: &\text{if $d^\sharp_1 \neq \bot$ and $d^\sharp_2 \neq \bot$}; \\
4753: \bot,
4754: &\text{otherwise.}
4755: \end{cases}
4756: \]
4757:
4758:
4759: \subsubsection{Approximation of Disjoint Unions}
4760: \label{sec:approximation-disjoint-union}
4761:
4762: In order to provide an abstract domain approximating
4763: sets of concrete objects drawn from a disjoint union,
4764: we use the following well-known construction several times.
4765:
4766: Suppose that $D_1 \inters D_2 = \emptyset$.
4767: Then, values of the disjoint union $D = D_1 \uplus D_2$
4768: can be approximated by elements of the Cartesian product
4769: $D^\sharp = D^\sharp_1 \times D^\sharp_2$.
4770: In this case, the abstract domain $D^\sharp$
4771: is related to the concrete powerset lattice
4772: \(
4773: \bigl(
4774: \wp(D), \sseq, \emptyset, D, \inters, \union
4775: \bigr)
4776: \)
4777: by means of the concretization function
4778: $\fund{\gamma}{(D^\sharp_1 \times D^\sharp_2)}{\wp(D_1 \uplus D_2)}$
4779: defined, for each
4780: \(
4781: (d^\sharp_1, d^\sharp_2) \in D^\sharp_1 \times D^\sharp_2
4782: \),
4783: by
4784: \[
4785: \gamma(d^\sharp_1, d^\sharp_2)
4786: \defeq
4787: \gamma_1(d^\sharp_1) \uplus \gamma_2(d^\sharp_2).
4788: \]
4789: Therefore, the approximation provided by $D^\sharp$ is strict
4790: if both $D^\sharp_1$ and $D^\sharp_2$ are so.
4791: %%
4792: In order to simplify notation, if $d^\sharp_1 \in D^\sharp_1$
4793: then we will sometimes write $d^\sharp_1$ to also denote
4794: the abstract element $(d^\sharp_1, \bot) \in D^\sharp$;
4795: similarly, $d^\sharp_2 \in D^\sharp_2$ also denotes
4796: the abstract element $(\bot, d^\sharp_2) \in D^\sharp$.
4797: %%
4798: As usual, for each $i = 1$, $2$ and $d_i \in D_i$, the notation
4799: $d_i \propto (d^\sharp_1, d^\sharp_2)$
4800: stands for the assertion
4801: $d_i \in \gamma(d^\sharp_1, d^\sharp_2)$,
4802: which is equivalent to $d_i \in \gamma_i(d^\sharp_i)$.
4803: %%
4804: For the sake of clarity,
4805: the abstract domain $D^\sharp$ as specified above
4806: will be denoted by $D^\sharp_1 \uplus^\sharp D^\sharp_2$.
4807: %%
4808: It is worth stressing that
4809: \(
4810: D^\sharp_1 \uplus^\sharp D^\sharp_2
4811: \neq D^\sharp_1 \uplus D^\sharp_2
4812: \).
4813:
4814: \subsection{Approximation of Integers}
4815: \label{sec:approximation-integers}
4816:
4817: The concrete domain of integers
4818: \(
4819: \bigl(\wp(\Integer), \sseq, \emptyset, \Integer, \inters, \union\bigr)
4820: \)
4821: is correctly approximated by an abstract domain
4822: \(
4823: \bigl(\Integer^\sharp, \sqsubseteq, \bot, \top, \sqcup\bigr)
4824: \),
4825: where we assume that $\gamma$ is strict.
4826: Elements of $\Integer^\sharp$ are denoted by
4827: $m^\sharp$, $m^\sharp_0$, $m^\sharp_1$ and so forth.
4828: %%
4829: We assume that the partial abstraction function
4830: $\pard{\alpha}{\wp(\Integer)}{\Integer^\sharp}$ is defined
4831: on all singletons $\{m\} \in \wp(\Integer)$.
4832: We also assume that there are abstract binary operations
4833: `$\absadd$', `$\abssub$', `$\absmul$', `$\absdiv$' and `$\absmod$'
4834: on $\Integer^\sharp$ that are strict on each argument and
4835: sound with respect to the corresponding operations on $\wp(\Integer)$
4836: which, in turn, are the obvious pointwise extensions
4837: of addition, subtraction, multiplication, division
4838: and remainder over the integers.
4839: %%
4840: More formally, we require
4841: \(
4842: \gamma(m^\sharp_0 \absadd m^\sharp_1)
4843: \supseteq
4844: \bigl\{\,
4845: m_0 + m_1
4846: \bigm|
4847: m_0 \in \gamma(m^\sharp_0),
4848: m_1 \in \gamma(m^\sharp_1)
4849: \,\bigr\}
4850: \)
4851: for each $m^\sharp_0, m^\sharp_1 \in \Integer^\sharp$,
4852: to ensure that `$\absadd$' is sound with respect to addition.
4853: Likewise for `$\abssub$' and `$\absmul$' with respect
4854: to subtraction and multiplication, respectively.
4855: For the `$\absdiv$' operation we require soundness with respect to
4856: integer division
4857: i.e., that, for each $m^\sharp_0, m^\sharp_1 \in \Integer^\sharp$,
4858: \(
4859: \gamma(m^\sharp_0 \absdiv m^\sharp_1)
4860: \supseteq
4861: \bigl\{\,
4862: m_0 \div m_1
4863: \bigm|
4864: m_0 \in \gamma(m^\sharp_0),
4865: m_1 \in \gamma(m^\sharp_1),
4866: m_1 \neq 0
4867: \,\bigr\}
4868: \).
4869: Likewise for `$\absmod$' with respect to the `$\mathord{\bmod}$' operation.
4870: We also assume there is a unary abstract operation,
4871: denoted by `$\abssub$', which is strict and sound with respect to
4872: the unary minus concrete operation, that is,
4873: \(
4874: \gamma(\abssub m^\sharp)
4875: \supseteq
4876: \bigl\{\,
4877: - m
4878: \bigm|
4879: m \in \gamma(m^\sharp)
4880: \,\bigr\}
4881: \).
4882:
4883: \subsection{Approximation of Booleans}
4884: \label{sec:approximation-booleans}
4885:
4886: We assume a complete lattice
4887: \(
4888: \bigl(\Bool^\sharp, \sqsubseteq, \bot, \top, \sqcap, \sqcup\bigr)
4889: \)
4890: is given that is related to the concrete domain of Booleans
4891: \(
4892: \bigl(\wp(\Bool), \sseq, \emptyset, \Bool, \inters, \union\bigr)
4893: \)
4894: by means of a Galois connection where $\gamma$ is strict.
4895: Elements of $\Bool^\sharp$ are denoted by $t^\sharp$,
4896: $t^\sharp_0$, $t^\sharp_1$ and so forth.
4897: %%
4898: We assume that there are abstract operations
4899: `$\absneg$', `$\absor$' and `$\absand$'
4900: on $\Bool^\sharp$ that are strict on each argument and
4901: sound with respect to the pointwise extensions
4902: of Boolean negation, disjunction
4903: and conjunction over $\wp(\Bool)$.
4904: %%
4905: For instance, for the operation `$\absor$' to be sound with respect
4906: to disjunction on $\wp(\Bool)$, it is required that,
4907: \(
4908: \gamma(t^\sharp_0 \absor t^\sharp_1)
4909: \supseteq
4910: \bigl\{\,
4911: t_0 \lor t_1
4912: \bigm|
4913: t_0 \in \gamma(t^\sharp_0),
4914: t_1 \in \gamma(t^\sharp_1)
4915: \,\bigr\}
4916: \)
4917: for each $t^\sharp_0$ and $t^\sharp_1$ in $\Bool^\sharp$.
4918: Likewise for `$\absand$'.
4919: For operation `$\absneg$' to be sound with respect to negation on
4920: $\wp(\Bool)$, we require that, for each $t^\sharp$ in $\Bool^\sharp$,
4921: \(
4922: \gamma(\absneg t^\sharp)
4923: \supseteq
4924: \bigl\{\,
4925: \bneg t
4926: \bigm|
4927: t \in \gamma(t^\sharp)
4928: \,\bigr\}
4929: \).
4930:
4931: Furthermore, we assume that there are abstract operations
4932: `$\abseq$', `$\absneq$', `$\abslt$', `$\absleq$', `$\absgeq$' and `$\absgt$'
4933: on $\Integer^\sharp$ that are strict on each argument and
4934: sound with respect to the pointwise extensions over $\wp(\Integer)$
4935: of the corresponding relational operators
4936: `$=$', `$\neq$', `$<$', `$\leq$', `$\geq$' and `$>$' over the integers,
4937: considered as functions taking values in $\Bool$.
4938: For instance, for the operation `$\abseq$' to be sound with respect
4939: to equality on $\wp(\Integer)$, we require
4940: that
4941: \(
4942: \gamma(m^\sharp_0 \abseq m^\sharp_1)
4943: \supseteq
4944: \bigl\{\,
4945: m_0 = m_1
4946: \bigm|
4947: m_0 \in \gamma(m^\sharp_0),
4948: m_1 \in \gamma(m^\sharp_1)
4949: \,\bigr\}
4950: \)
4951: for each $m^\sharp_0, m^\sharp_1 \in \Integer^\sharp$.
4952: Likewise for `$\absneq$', `$\abslt$', `$\absleq$', `$\absgeq$' and `$\absgt$'.
4953:
4954: \subsection{Approximation of Storable Values}
4955:
4956: The concrete domain of storable values
4957: \(
4958: \bigl(\wp(\sVal), \sseq, \emptyset, \sVal, \inters, \union \bigr)
4959: \),
4960: including both integers and Booleans, is abstracted by the domain
4961: $\sVal^\sharp \defeq \Integer^\sharp \uplus^\sharp \Bool^\sharp$.
4962: The hypotheses on $\Integer^\sharp$ and $\Bool^\sharp$ imply that
4963: the approximation is strict.
4964:
4965: \subsection{Approximation of Exceptions}
4966: \label{sec:approximation-exceptions}
4967:
4968: For the approximation of RTS exceptions,
4969: we assume that there is an abstract domain
4970: \(
4971: \bigl(\RTSExcept^\sharp, \sqsubseteq, \bot, \top, \sqcup \bigr)
4972: \),
4973: which is related to the concrete powerset domain
4974: \(
4975: \bigl(\wp(\RTSExcept), \sseq, \emptyset, \RTSExcept, \inters, \union\bigr)
4976: \)
4977: by a strict concretization function.
4978: The partial abstraction function
4979: $\pard{\alpha}{\wp(\RTSExcept)}{\RTSExcept^\sharp}$
4980: is assumed to be defined on all singletons.
4981: Elements of $\RTSExcept^\sharp$ are denoted by $\rtsexcept^\sharp$,
4982: $\rtsexcept^\sharp_0$, $\rtsexcept^\sharp_1$ and so forth.
4983:
4984: Generic exceptions, including both RTS exceptions and user-defined
4985: exceptions, are approximated by elements of the domain
4986: \(
4987: \Except^\sharp
4988: \defeq
4989: \RTSExcept^\sharp \uplus^\sharp \sVal^\sharp
4990: \).
4991: The hypotheses on its components imply that
4992: the approximation is strict.
4993: Elements of $\Except^\sharp$ are denoted by $\except^\sharp$,
4994: $\except^\sharp_0$, $\except^\sharp_1$ and so forth.
4995:
4996: \subsection{Approximation of Memory Structures, %
4997: Value States and Exception States}
4998:
4999: Here we differ from other published abstract semantics in that
5000: we explicitly cater for \emph{relational} abstract domains as well as for
5001: \emph{attribute-independent} ones \cite{CousotC79}.
5002: While this complicates the presentation, it results in a truly
5003: generic abstract semantics. Moreover, the approach presented
5004: here is ---all things considered--- quite simple and reflects into a modular,
5005: clean design of the analyzer.
5006:
5007: \begin{definition}
5008: \summary{($\Mem^\sharp$, $\ValState^\sharp$, $\ExceptState^\sharp$.)}
5009: \label{def:abstract-memory-structure}
5010: \label{def:abstract-exception-state}
5011: We assume there exists an abstract domain
5012: \(
5013: \bigl(\Mem^\sharp, \sqsubseteq, \bot, \sqcup \bigr)
5014: \)
5015: that is related, by means of a strict concretization function,
5016: to the concrete powerset domain
5017: \(
5018: \bigl( \wp(\Mem), \sseq, \emptyset, \Mem, \inters, \union \bigr)
5019: \).
5020: Elements of $\Mem^\sharp$ are denoted by
5021: $\sigma^\sharp$, $\sigma^\sharp_0$, $\sigma^\sharp_1$ and so forth.
5022: We assume that, for each $\sigma \in \Mem$,
5023: there exists $\sigma^\sharp \in \Mem^\sharp$
5024: such that $\sigma \propto \sigma^\sharp$.
5025:
5026: The abstract domain of value states is
5027: \(
5028: \ValState^\sharp
5029: \defeq
5030: \sVal^\sharp \stimes \Mem^\sharp
5031: \).
5032: Elements of $\ValState^\sharp$ will be denoted by
5033: $\valstate^\sharp$, $\valstate^\sharp_0$, $\valstate^\sharp_1$
5034: and so forth.
5035:
5036: The abstract domain of exception states is
5037: \(
5038: \ExceptState^\sharp
5039: \defeq
5040: \Mem^\sharp \stimes \Except^\sharp
5041: \).
5042: Elements of $\ExceptState^\sharp$ will be denoted by
5043: $\exceptstate^\sharp$, $\exceptstate^\sharp_0$, $\exceptstate^\sharp_1$
5044: and so forth.
5045: %%
5046: To improve readability,
5047: $\none^\sharp$ will denote the bottom element
5048: $\bot \in \ExceptState^\sharp$,
5049: indicating that no exception is possible.
5050:
5051: The abstract memory structure read and update operators
5052: \begin{gather*}
5053: \fund{\cdot[\cdot, \cdot]}%
5054: {(\Mem^\sharp \times \Addr \times \sType)}%
5055: {(\ValState^\sharp \uplus^\sharp \ExceptState^\sharp)}, \\
5056: \fund{\cdot[\cdot :=^\sharp \cdot]}%
5057: {\bigl(
5058: \Mem^\sharp \times (\Addr \times \sType) \times \sVal^\sharp
5059: \bigr)}%
5060: {(\Mem^\sharp \uplus^\sharp \ExceptState^\sharp)}
5061: \end{gather*}
5062: are assumed to be such that,
5063: for each $\sigma^\sharp \in \Mem^\sharp$,
5064: $a \in \Addr$, $\sT \in \sType$ and $\sval^\sharp \in \sVal^\sharp$:
5065: \begin{align*}
5066: \gamma\bigl( \sigma^\sharp[a,\sT] \bigr)
5067: &\supseteq
5068: \bigl\{\,
5069: \sigma[a,\sT]
5070: \bigm|
5071: \sigma \in \gamma(\sigma^\sharp)
5072: \,\bigr\}, \\
5073: \gamma\bigl(
5074: \sigma^\sharp\bigl[(a,\sT) :=^\sharp \sval^\sharp\bigr]
5075: \bigr)
5076: &\supseteq
5077: \bigl\{\,
5078: \sigma\bigl[ (a,\sT) := \sval \bigr]
5079: \bigm|
5080: \sigma \in \gamma(\sigma^\sharp),
5081: \sval \in \gamma(\sval^\sharp)
5082: \,\bigr\}.
5083: \end{align*}
5084: The abstract data and stack memory allocation functions
5085: \begin{gather*}
5086: \fund{\datnew^\sharp}
5087: {\ValState^\sharp}
5088: {\bigl(
5089: (\Mem^\sharp \times \Loc)
5090: \uplus^\sharp
5091: \ExceptState^\sharp
5092: \bigr)}, \\
5093: \fund{\stknew^\sharp}
5094: {\ValState^\sharp}
5095: {\bigl(
5096: (\Mem^\sharp \times \Ind)
5097: \uplus^\sharp
5098: \ExceptState^\sharp
5099: \bigr)}
5100: \end{gather*}
5101: are assumed to be such that,
5102: for each $\valstate \in \ValState$ and
5103: $\valstate^\sharp \in \ValState^\sharp$ such that
5104: $\valstate \in \gamma(\valstate^\sharp)$,
5105: and each $h \in \{ \mathrm{d}, \mathrm{s} \}$:
5106: if $\mathop{\mathrm{new}_h}(\valstate) = (\sigma, a)$
5107: (resp., $\mathop{\mathrm{new}_h}(\valstate) = \exceptstate$) and
5108: \(
5109: \mathop{\mathrm{new}_h}^\sharp(\valstate^\sharp)
5110: = \bigl( (\sigma^\sharp, a'), \exceptstate^\sharp \bigr)
5111: \),
5112: then $\sigma \in \gamma(\sigma^\sharp)$ and $a = a'$
5113: (resp., $\exceptstate \in \gamma(\exceptstate^\sharp)$).
5114:
5115: The abstract memory structure data cleanup function
5116: \[
5117: \fund{\datcleanup^\sharp}{\ExceptState^\sharp}{\ExceptState^\sharp}
5118: \]
5119: is such that, for each
5120: $\exceptstate^\sharp \in \ExceptState^\sharp$,
5121: we have
5122: \[
5123: \gamma\bigl(\datcleanup^\sharp(\exceptstate^\sharp)\bigr)
5124: \supseteq
5125: \bigl\{\,
5126: \datcleanup(\exceptstate)
5127: \bigm|
5128: \exceptstate \in \gamma(\exceptstate^\sharp)
5129: \,\bigr\}.
5130: \]
5131:
5132: The abstract functions
5133: \[
5134: \{ \asmark, \asunmark, \aslink, \asunlink \}
5135: \sseq
5136: \Mem^\sharp \to \Mem^\sharp
5137: \]
5138: are defined to be such that,
5139: for each $\sigma^\sharp \in \Mem^\sharp$:
5140: \begin{align*}
5141: \gamma\bigl( \asmark(\sigma^\sharp) \bigr)
5142: &\supseteq
5143: \bigl\{\,
5144: \smark(\sigma)
5145: \bigm|
5146: \sigma \in \gamma(\sigma^\sharp)
5147: \,\bigr\}, \\
5148: \gamma\bigl( \asunmark(\sigma^\sharp) \bigr)
5149: &\supseteq
5150: \bigl\{\,
5151: \sunmark(\sigma)
5152: \bigm|
5153: \text{$\sigma \in \gamma(\sigma^\sharp)$
5154: and $\sunmark(\sigma)$ is defined}
5155: \,\bigr\}, \\
5156: \gamma\bigl( \aslink(\sigma^\sharp) \bigr)
5157: &\supseteq
5158: \bigl\{\,
5159: \slink(\sigma)
5160: \bigm|
5161: \text{$\sigma \in \gamma(\sigma^\sharp)$
5162: and $\slink(\sigma)$ is defined}
5163: \,\bigr\}, \\
5164: \gamma\bigl( \asunlink(\sigma^\sharp) \bigr)
5165: &\supseteq
5166: \bigl\{\,
5167: \sunlink(\sigma)
5168: \bigm|
5169: \text{$\sigma \in \gamma(\sigma^\sharp)$
5170: and $\sunlink(\sigma)$ is defined}
5171: \,\bigr\}.
5172: \end{align*}
5173: It is assumed that all the abstract operators mentioned above
5174: are strict on each of their arguments taken from an abstract domain.
5175: \end{definition}
5176: %%
5177: As done in the concrete,
5178: the abstract stack unmark and the abstract frame unlink functions
5179: are lifted to also work on abstract exception states.
5180: Namely, for each
5181: \(
5182: \exceptstate^\sharp
5183: = (\sigma^\sharp, \except^\sharp)
5184: \in \ExceptState^\sharp
5185: \),
5186: \begin{align*}
5187: \asunmark(\sigma^\sharp, \except^\sharp)
5188: &\defeq
5189: \bigl( \asunmark(\sigma^\sharp), \except^\sharp \bigr), \\
5190: \asunlink(\sigma^\sharp, \except^\sharp)
5191: &\defeq
5192: \bigl( \asunlink(\sigma^\sharp), \except^\sharp \bigr).
5193: \end{align*}
5194:
5195: Besides the abstract operators specified above,
5196: which closely mimic the concrete operators related to
5197: concrete memory structures and exception states,
5198: other abstract operators will be used in the abstract semantics
5199: construction so as to enhance its precision.
5200:
5201: When dealing with Boolean guards during the abstract evaluation
5202: of conditional and iteration statements,
5203: it might be the case that no definite information is available.
5204: In such a situation, the abstract execution can be made more precise if
5205: the abstract memory structure is \emph{filtered} according to the condition
5206: holding in the considered computation branch.
5207:
5208: \begin{definition} \summary{(Memory structure filter.)}
5209: \label{def:memstruct-filter}
5210: An \emph{abstract memory structure filter} is any computable function
5211: \(
5212: \fund{\phi}%
5213: {(\Env \times \Mem^\sharp \times \Exp)}%
5214: {\Mem^\sharp}
5215: \)
5216: such that, for each $e \in \Exp$, each $\beta : I$ with $\FI(e) \sseq I$
5217: and $\beta \vdash_I e : \tboolean$, for each $\rho \in \Env$
5218: with $\rho : \beta$ and each $\sigma^\sharp \in \Mem^\sharp$,
5219: if $\phi(\rho, \sigma^\sharp, e) = \sigma^\sharp_\ttv$, then
5220: \[
5221: \gamma(\sigma^\sharp_\ttv)
5222: \supseteq
5223: \bigl\{\,
5224: \sigma_\ttv \in \Mem
5225: \bigm|
5226: \sigma \in \gamma(\sigma^\sharp),
5227: \rho
5228: \vdash_\beta
5229: \langle e, \sigma \rangle
5230: \rightarrow
5231: \langle \ttv, \sigma_\ttv \rangle
5232: \,\bigr\}.
5233: \]
5234: \end{definition}
5235:
5236: Similarly, abstract exception states can be filtered according to
5237: whether or not they can be caught by the guard of a catch clause.
5238:
5239: \begin{definition} \summary{(Exception state filters and selectors.)}
5240: \label{def:exceptstate-filter}
5241: The \emph{abstract exception state filters} are computable functions
5242: \[
5243: \fund{\phi^+, \phi^-}%
5244: {(\exceptDecl \times \ExceptState^\sharp)}%
5245: {\ExceptState^\sharp}
5246: \]
5247: such that,
5248: for each $p \in \exceptDecl$ and
5249: each $\exceptstate^\sharp \in \ExceptState^\sharp$,
5250: \begin{align*}
5251: \gamma\bigl( \phi^+(p, \exceptstate^\sharp) \bigr)
5252: &\supseteq
5253: \begin{cases}
5254: \gamma(\exceptstate^\sharp),
5255: &\text{if $p = \kw{\textup{any}}$;} \\
5256: \bigl\{\,
5257: (\sigma, \except) \in \gamma(\exceptstate^\sharp)
5258: \bigm|
5259: \except = p
5260: \,\bigr\},
5261: &\text{if $p \in \RTSExcept$;} \\
5262: \bigl\{\,
5263: (\sigma, \except) \in \gamma(\exceptstate^\sharp)
5264: \bigm|
5265: \except \in \dom\bigl(\type(p)\bigr)
5266: \,\bigr\},
5267: &\text{otherwise;}
5268: \end{cases} \\
5269: \gamma\bigl( \phi^-(p, \exceptstate^\sharp) \bigr)
5270: &\supseteq
5271: \begin{cases}
5272: \emptyset,
5273: &\text{if $p = \kw{\textup{any}}$;} \\
5274: \bigl\{\,
5275: (\sigma, \except) \in \gamma(\exceptstate^\sharp)
5276: \bigm|
5277: \except \neq p
5278: \,\bigr\},
5279: &\text{if $p \in \RTSExcept$;} \\
5280: \bigl\{\,
5281: (\sigma, \except) \in \gamma(\exceptstate^\sharp)
5282: \bigm|
5283: \except \notin \dom\bigl(\type(p)\bigr)
5284: \,\bigr\},
5285: &\text{otherwise.}
5286: \end{cases}
5287: \end{align*}
5288:
5289: The \emph{abstract memory structure and abstract exception selectors}
5290: \begin{align*}
5291: \fund{\mem}{&\ExceptState^\sharp}{\Mem^\sharp}, \\
5292: \fund{\sel}{&(\cType \times \ExceptState^\sharp)}%
5293: {(\RTSExcept^\sharp \uplus \Integer^\sharp \uplus \Bool^\sharp)}
5294: \end{align*}
5295: are defined, for each
5296: \(
5297: \exceptstate^\sharp
5298: = \bigl(
5299: \sigma^\sharp,
5300: \bigl(\rtsexcept^\sharp, (m^\sharp, t^\sharp)\bigr)
5301: \bigr)
5302: \in \ExceptState^\sharp
5303: \)
5304: and $\cT \in \cType$, by
5305: \begin{align*}
5306: \mem(\exceptstate^\sharp)
5307: &\defeq
5308: \sigma^\sharp; \\
5309: \sel(\cT, \exceptstate^\sharp)
5310: &\defeq
5311: \begin{cases}
5312: \rtsexcept^\sharp,
5313: &\text{if $\cT = \trtsexcept$;} \\
5314: m^\sharp,
5315: &\text{if $\cT = \tinteger$;} \\
5316: t^\sharp,
5317: &\text{if $\cT = \tboolean$.}
5318: \end{cases}
5319: \end{align*}
5320: To simplify notation, we will write $\cT(\exceptstate^\sharp)$
5321: to denote $\sel(\cT, \exceptstate^\sharp)$.
5322: \end{definition}
5323:
5324: The generic specification provided above for abstract memory structures
5325: and the corresponding abstract operators plays a central role for the
5326: modularity of the overall construction.
5327: By exploiting this ``black box'' approach, we achieve orthogonality
5328: not only from the specific abstract domains used to approximate
5329: (sets of tuples of) storable values, but also from the critical
5330: design decisions that have to be taken when approximating the
5331: concrete stack, which may be unbounded in size due to recursive functions.
5332: Hence, while still staying in the boundaries of the current framework,
5333: we can flexibly explore, combine, and finely tune the sophisticated
5334: proposals that have been put forward in the literature,
5335: such as the work in~\cite{JeannetS03TR,JeannetS04},
5336: which encompasses both the functional and the call string
5337: approaches to interprocedural analysis \cite{CousotC77b,SharirP81}.
5338:
5339:
5340: \subsection{Abstract Configurations}
5341:
5342: Terminal and non-terminal configurations of the abstract transition
5343: system are now defined.
5344:
5345: \begin{definition} \summary{(Non-terminal abstract configurations.)}
5346: \label{def:nonterminal-abstract-configuration}
5347: The sets of \emph{non-terminal abstract configurations} for expressions,
5348: local and global declarations, statements, function bodies and catch clauses
5349: are given, for each $\beta \in \TEnv_I$ and respectively, by
5350: \begin{align*}
5351: \NTe^{\beta\sharp}
5352: &\defeq
5353: \bigl\{\,
5354: \langle e, \sigma^\sharp \rangle
5355: \in \Exp \times \Mem^\sharp
5356: \bigm|
5357: \exists \sT \in \sType \st \beta \vdash_I e : \sT
5358: \,\bigr\}, \\
5359: \NTd^{\beta\sharp}
5360: &\defeq
5361: \bigl\{\,
5362: \langle d, \sigma^\sharp \rangle
5363: \in \Decl \times \Mem^\sharp
5364: \bigm|
5365: \exists \delta \in \TEnv \st \beta \vdash_I d : \delta
5366: \,\bigr\}, \\
5367: \NTg^{\beta\sharp}
5368: &\defeq
5369: \bigl\{\,
5370: \langle g, \sigma^\sharp \rangle
5371: \in \Glob \times \Mem^\sharp
5372: \bigm|
5373: \exists \delta \in \TEnv \st \beta \vdash_I g : \delta
5374: \,\bigr\}, \\
5375: \NTs^{\beta\sharp}
5376: &\defeq
5377: \bigl\{\,
5378: \langle s, \sigma^\sharp \rangle
5379: \in \Stmt \times \Mem^\sharp
5380: \bigm|
5381: \beta \vdash_I s
5382: \,\bigr\}, \\
5383: \NTb^{\beta\sharp}
5384: &\defeq
5385: \bigl\{\,
5386: \langle \funbody, \sigma^\sharp \rangle
5387: \in \funBody \times \Mem^\sharp
5388: \bigm|
5389: \exists \sT \in \sType \st \beta \vdash_I \funbody : \sT
5390: \,\bigr\}, \\
5391: \NTk^{\beta\sharp}
5392: &\defeq
5393: \bigl\{\,
5394: \langle k, \exceptstate^\sharp \rangle
5395: \in \Catch \times \ExceptState^\sharp
5396: \bigm|
5397: \beta \vdash_I k
5398: \,\bigr\}.
5399: \end{align*}
5400: We write $N^\sharp$ to denote a non-terminal abstract configuration.
5401:
5402: The approximation relation
5403: between concrete and abstract non-terminal configurations
5404: is defined as follows.
5405: For each
5406: $q \in \{ \mathrm{e}, \mathrm{d}, \mathrm{g}, \mathrm{s}, \mathrm{b} \}$,
5407: \(
5408: N = \langle q_1, \sigma \rangle \in \NTq^{\beta}
5409: \)
5410: and
5411: \(
5412: N^\sharp = \langle q_2, \sigma^\sharp \rangle \in \NTq^{\beta\sharp}
5413: \),
5414: \begin{align}
5415: \label{def:propto-nonterminal:expr-decl-glob-statement}
5416: N \propto N^\sharp
5417: &\iff
5418: (q_1 = q_2 \land \sigma \propto \sigma^\sharp).
5419: \intertext{%
5420: For each
5421: \(
5422: N = \langle k_1, \exceptstate \rangle
5423: \in \NTk^{\beta}
5424: \)
5425: and
5426: \(
5427: N^\sharp
5428: = \langle k_2, \exceptstate^\sharp \rangle
5429: \in \NTk^{\beta\sharp}
5430: \),
5431: }
5432: \label{def:propto-nonterminal:catch}
5433: N \propto N^\sharp
5434: &\iff
5435: (k_1 = k_2 \land \exceptstate \propto \exceptstate^\sharp).
5436: \end{align}
5437: \end{definition}
5438:
5439: \begin{definition} \summary{(Terminal abstract configurations.)}
5440: \label{def:terminal-abstract-configuration}
5441: The sets of \emph{terminal abstract configurations} for expressions,
5442: local and global declarations, statements, function bodies and catch
5443: clauses are given, respectively, by
5444: \begin{align*}
5445: \Te^\sharp
5446: &\defeq
5447: \ValState^\sharp \uplus^\sharp \ExceptState^\sharp, \\
5448: \Td^\sharp
5449: &\defeq
5450: \Tg^\sharp
5451: \defeq
5452: (\Env \times \Mem^\sharp)
5453: \uplus^\sharp \ExceptState^\sharp, \\
5454: \Ts^\sharp
5455: &\defeq
5456: \Tb^\sharp
5457: \defeq
5458: \Mem^\sharp
5459: \uplus^\sharp \ExceptState^\sharp, \\
5460: \Tk^\sharp
5461: &\defeq
5462: \Ts^\sharp
5463: \uplus^\sharp
5464: \ExceptState^\sharp.
5465: \end{align*}
5466: We write $\eta^\sharp$ to denote a terminal abstract configuration.
5467:
5468: The approximation relation $\eta \propto \eta^\sharp$
5469: between concrete and abstract terminal configurations
5470: is defined as follows.
5471: For expressions,
5472: \begin{align}
5473: \label{def:propto-terminal:expr}
5474: \eta
5475: \propto
5476: \langle
5477: \valstate^\sharp,
5478: \exceptstate^\sharp
5479: \rangle
5480: &\iff
5481: \begin{cases}
5482: \valstate \propto \valstate^\sharp,
5483: &\text{if $\eta = \valstate$;} \\
5484: \exceptstate \propto \exceptstate^\sharp,
5485: &\text{if $\eta = \exceptstate$.}
5486: \end{cases} \\
5487: \intertext{%
5488: For local and global declarations,
5489: }
5490: \label{def:propto-terminal:decl}
5491: \eta
5492: \propto
5493: \bigl\langle
5494: (\rho_2, \sigma^\sharp),
5495: \exceptstate^\sharp
5496: \bigr\rangle
5497: &\iff
5498: \begin{cases}
5499: (\rho_1 = \rho_2
5500: \land
5501: \sigma \propto \sigma^\sharp),
5502: &\text{if $\eta = \langle \rho_1, \sigma \rangle$}; \\
5503: \exceptstate \propto \exceptstate^\sharp,
5504: &\text{if $\eta = \exceptstate$}.
5505: \end{cases} \\
5506: \intertext{%%
5507: For statements and function bodies,
5508: }
5509: \label{def:propto-terminal:statement}
5510: \eta
5511: \propto
5512: \langle \sigma^\sharp, \exceptstate^\sharp \rangle
5513: &\iff
5514: \begin{cases}
5515: \sigma \propto \sigma^\sharp,
5516: &\text{if $\eta = \sigma$}; \\
5517: \exceptstate \propto \exceptstate^\sharp,
5518: &\text{if $\eta = \exceptstate$}.
5519: \end{cases} \\
5520: \intertext{%%
5521: For catch sequences,
5522: }
5523: \label{def:propto-terminal:catch}
5524: \eta
5525: \propto
5526: \langle \eta^\sharp_\mathrm{s}, \exceptstate^\sharp \rangle
5527: &\iff
5528: \begin{cases}
5529: \eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s},
5530: &\text{if $\eta = \langle \caught, \eta_\mathrm{s} \rangle$}; \\
5531: \exceptstate \propto \exceptstate^\sharp,
5532: &\text{if $\eta = \langle \uncaught, \exceptstate \rangle$}.
5533: \end{cases}
5534: \end{align}
5535: \end{definition}
5536:
5537: The approximation relation for sequents is trivially obtained from the
5538: approximation relations defined above for configurations.
5539:
5540: \begin{definition}\summary{(`$\propto$' on sequents.)}
5541: \label{def:propto-sequents}
5542: The approximation relation
5543: between concrete (positive and negative) sequents and
5544: abstract sequents is defined,
5545: for each $\beta \in \TEnv_I$,
5546: for each $\rho_0, \rho_1 \in \Env_J$ such that
5547: $\rho_0 : \beta \restrict{J}$ and
5548: $\rho_1 : \beta \restrict{J}$,
5549: for each
5550: \(
5551: q \in
5552: \{
5553: \mathrm{e}, \mathrm{d}, \mathrm{g},
5554: \mathrm{s}, \mathrm{b}, \mathrm{k}
5555: \}
5556: \),
5557: $N \in \NTq^\beta$,
5558: $\eta \in \Tq$,
5559: $N^\sharp \in \NTq^{\beta\sharp}$ and
5560: $\eta^\sharp \in \Tq^\sharp$, by
5561: \begin{align}
5562: \label{def:propto-sequents:term}
5563: (\rho_0 \vdash_\beta N \rightarrow \eta)
5564: \propto
5565: (\rho_1 \vdash_\beta N^\sharp \rightarrow \eta^\sharp)
5566: &\iff
5567: (\rho_0 = \rho_1
5568: \land N \propto N^\sharp
5569: \land \eta \propto \eta^\sharp); \\
5570: \label{def:propto-sequents:diverge}
5571: (\rho_0 \vdash_\beta N \diverges)
5572: \propto
5573: (\rho_1 \vdash_\beta N^\sharp \rightarrow \eta^\sharp)
5574: &\iff
5575: (\rho_0 = \rho_1
5576: \land N \propto N^\sharp).
5577: \end{align}
5578: \end{definition}
5579:
5580:
5581: \subsection{Supported Expressions, Declarations and Statements}
5582:
5583: Each abstract domain has to provide a relation saying
5584: which (abstract configuration for) expressions,
5585: declarations and statements it directly supports,
5586: as well as an abstract evaluation function providing safe approximations
5587: of any supported expressions, declarations and statements.
5588:
5589: \begin{definition} \summary{($\asupported$, $\aeval$.)}
5590: \label{def:supports-eval}
5591: For each
5592: $q \in \{ \mathrm{e}, \mathrm{d}, \mathrm{g}, \mathrm{s} \}$,
5593: we assume there exists a computable relation
5594: and a partial and computable operation,
5595: \[
5596: \reld{\asupported}%
5597: {\Env}%
5598: {\NTq^{\beta\sharp}}
5599: \qquad\text{and}\qquad
5600: \pard{\aeval}%
5601: {(\Env \times \NTq^{\beta\sharp})}%
5602: {\Tq^\sharp},
5603: \]
5604: such that whenever
5605: $\rho : \beta$ and
5606: $\asupported(\rho, N^\sharp)$ holds,
5607: $\aeval(\rho, N^\sharp)$ is defined and has value
5608: $\eta^\sharp \in \Tq^\sharp$
5609: and, for each
5610: $N \in \NTq^\beta$ and each $\eta \in \Tq$
5611: such that $N \propto N^\sharp$ and
5612: $\rho \vdash_\beta N \rightarrow \eta$,
5613: we have $\eta \propto \eta^\sharp$.
5614: \end{definition}
5615:
5616: An appropriate use of `$\asupported$' and `$\aeval$' allows
5617: the design of the domain of abstract memory structures to be decoupled from
5618: the design of the analyzer. In particular, it enables
5619: the use of relational as well as non-relational domains.
5620: For example, using the domain of convex polyhedra the proper way,
5621: one can easily implement a safe evaluation function for
5622: (the non-terminal abstract configuration of) any affine expression $e$.
5623: As a consequence, one can specify the support relation so that
5624: $\asupported\bigl(\rho, \langle e, \sigma^\sharp\rangle \bigr)$ holds.
5625: Similarly, one can specify
5626: $\asupported\bigl(\rho, \langle \id := e, \sigma^\sharp \rangle \bigr)$ holds
5627: for any affine assignment, i.e., an assignment where $e$
5628: is an affine expression.
5629: Other implementation choices are possible.
5630: For instance, besides supporting affine expressions, the implementer
5631: could specify that
5632: $\asupported\bigl(\rho, \langle \id_1*\id_2, \sigma^\sharp \rangle \bigr)$ holds
5633: provided $\rho : I$, $\id_1, \id_2 \in I$ and, for at least one
5634: $i \in \{1, 2\}$,
5635: $\gamma\bigl(\sigma^\sharp\bigl[\rho(\id_i)\bigr]\bigr) = \{ m \}$,
5636: for some integer value $m$.
5637: Similarly, the design can impose that
5638: $\asupported\bigl(\rho, \langle \id*\id, \sigma^\sharp \rangle \bigr)$
5639: always holds.
5640:
5641: \subsection{Abstract Evaluation Relations}
5642: \label{sec:abstract-evaluation-relations}
5643:
5644: The abstract evaluation relations that provide the first part
5645: of the specification of the abstract interpreter for CPM
5646: are now defined.
5647: These relations are of the form
5648: \[
5649: \rho \vdash_\beta N^\sharp \rightarrow \eta^\sharp,
5650: \]
5651: where $\beta \in \TEnv$, $\rho : \beta$ and,
5652: for some
5653: \(
5654: q \in
5655: \{
5656: \mathrm{e}, \mathrm{d}, \mathrm{g},
5657: \mathrm{s}, \mathrm{b}, \mathrm{k}
5658: \}
5659: \),
5660: $N^\sharp \in \NTq^{\beta\sharp}$
5661: and $\eta^\sharp \in \Tq^\sharp$.
5662: The definition is again by structural induction from a set of rule schemata.
5663: In order to allow for the arbitrary weakening of the abstract descriptions
5664: in the conclusion, without having to introduce precondition strengthening
5665: and postcondition weakening rules, and to save typing at the same time,
5666: we will use the notation
5667: \begin{align*}
5668: &\prooftree
5669: P_0 \cdots P_{\ell-1}
5670: \justifies
5671: \rho \vdash_\beta N^\sharp \rightsquigarrow \eta^\sharp_0
5672: \using\quad\text{(side condition)}
5673: \endprooftree \\
5674: \intertext{%
5675: to denote
5676: }
5677: &\prooftree
5678: P_0 \cdots P_{\ell-1}
5679: \justifies
5680: \rho \vdash_\beta N^\sharp \rightarrow \eta^\sharp
5681: \using\quad\text{(side condition) and
5682: $\eta^\sharp_0 \sqsubseteq \eta^\sharp$}
5683: \endprooftree
5684: \end{align*}
5685: where `$\sqsubseteq$' is the natural ordering relation on the
5686: appropriate abstract lattice (i.e., one of the $\Tq^\sharp$,
5687: for
5688: \(
5689: q \in
5690: \{
5691: \mathrm{e}, \mathrm{d}, \mathrm{g},
5692: \mathrm{s}, \mathrm{b}, \mathrm{k}
5693: \}
5694: \).
5695:
5696:
5697: Recalling the shorthand notation introduced
5698: in Section~\ref{sec:approximation-disjoint-union},
5699: when an abstract storable value $\sval^\sharp$ is expected and we write
5700: an abstract integer $m^\sharp$ or an abstract Boolean $t^\sharp$,
5701: then we are actually meaning the abstract storable value
5702: $(m^\sharp, \bot)$ or $(\bot, t^\sharp)$, respectively;
5703: similarly, when an abstract exception $\except^\sharp$ is expected
5704: and we write an abstract RTS exception $\rtsexcept^\sharp$
5705: or an abstract storable value $\sval^\sharp$,
5706: then we are actually meaning the abstract exceptions
5707: $(\rtsexcept^\sharp, \bot)$ or $(\bot, \sval^\sharp)$, respectively.
5708:
5709:
5710: \subsubsection{Unsupported Expressions}
5711:
5712: The following rules for the abstract evaluation of expressions
5713: apply only if
5714: $\asupported\bigl(\rho, \langle e, \sigma^\sharp \rangle \bigr)$
5715: does not hold,
5716: where $e$ is the expression being evaluated.
5717: This side condition will be left implicit in order not to clutter
5718: the presentation.
5719:
5720: \begin{description}
5721: %
5722: \item[Constant]
5723: %
5724: \begin{gather}
5725: \label{rule:abstr_constant}
5726: \prooftree
5727: \nohyp
5728: \justifies
5729: \rho \vdash_\beta \langle \con, \sigma^\sharp \rangle
5730: \rightsquigarrow
5731: \bigl\langle
5732: \spair{\alpha(\{\con\})}{\sigma^\sharp},
5733: \none^\sharp
5734: \bigr\rangle
5735: \endprooftree
5736: \end{gather}
5737: %
5738: \item[Identifier]
5739: %
5740: \begin{gather}
5741: \label{rule:abstr_identifier}
5742: \prooftree
5743: \nohyp
5744: \justifies
5745: \rho \vdash_\beta \langle \id, \sigma^\sharp \rangle
5746: \rightsquigarrow
5747: \sigma^\sharp\bigl[\rho(\id)\bigr]
5748: \endprooftree
5749: \end{gather}
5750: %
5751: \item[Unary minus]
5752: %
5753: \begin{gather}
5754: \label{rule:abstr_unary_minus}
5755: \prooftree
5756: \rho \vdash_\beta \langle e, \sigma^\sharp \rangle
5757: \rightarrow
5758: \bigl\langle
5759: (m^\sharp, \sigma^\sharp_0),
5760: \exceptstate^\sharp
5761: \bigr\rangle
5762: \justifies
5763: \rho \vdash_\beta \langle -e, \sigma^\sharp \rangle
5764: \rightsquigarrow
5765: \bigl\langle
5766: (\absuminus m^\sharp, \sigma^\sharp_0),
5767: \exceptstate^\sharp
5768: \bigr\rangle
5769: \endprooftree
5770: \end{gather}
5771: %
5772: \item[Binary arithmetic operations]
5773: %
5774: Let
5775: \(
5776: \mathord{\boxcircle}
5777: \in
5778: \{ \mathord{+}, \mathord{-}, \mathord{*}, \divop, \modop \}
5779: \)
5780: be a syntactic operator and
5781: $\mathord{\circledcirc} \in \{ \absadd, \abssub, \absmul, \absdiv, \absmod\}$
5782: denote the corresponding abstract operation.
5783: Then the abstract rules for addition, subtraction, multiplication,
5784: division and remainder are given by the following schemata:
5785: \begin{gather}
5786: \label{rule:abstr_arith_bop}
5787: \prooftree
5788: \rho \vdash_\beta \langle e_0, \sigma^\sharp \rangle
5789: \rightarrow
5790: \bigl\langle
5791: (m^\sharp_0, \sigma^\sharp_0),
5792: \exceptstate^\sharp_0
5793: \bigr\rangle
5794: \quad
5795: \rho \vdash_\beta \langle e_1, \sigma^\sharp_0 \rangle
5796: \rightarrow
5797: \bigl\langle
5798: (m^\sharp_1, \sigma^\sharp_1),
5799: \exceptstate^\sharp_1
5800: \bigr\rangle
5801: \justifies
5802: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma^\sharp \rangle
5803: \rightsquigarrow
5804: \bigl\langle
5805: (m^\sharp_0 \circledcirc m^\sharp_1, \sigma^\sharp_1),
5806: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
5807: \bigr\rangle
5808: \endprooftree
5809: \end{gather}
5810: if $\mathord{\boxcircle} \notin \{\divop, \modop \}$
5811: or $0 \not\propto m^\sharp_1$.
5812: %%
5813: \begin{gather}
5814: \label{rule:abstr_div_mod_exc}
5815: \prooftree
5816: \rho \vdash_\beta \langle e_0, \sigma^\sharp \rangle
5817: \rightarrow
5818: \bigl\langle
5819: (m^\sharp_0, \sigma^\sharp_0),
5820: \exceptstate^\sharp_0
5821: \bigr\rangle
5822: \quad
5823: \rho \vdash_\beta \langle e_1, \sigma^\sharp_0 \rangle
5824: \rightarrow
5825: \bigl\langle
5826: (m^\sharp_1, \sigma^\sharp_1),
5827: \exceptstate^\sharp_1
5828: \bigr\rangle
5829: \justifies
5830: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma^\sharp \rangle
5831: \rightsquigarrow
5832: \bigl\langle
5833: (m^\sharp_0 \circledcirc m^\sharp_1, \sigma^\sharp_1),
5834: \exceptstate^\sharp_0
5835: \sqcup \exceptstate^\sharp_1
5836: \sqcup \exceptstate^\sharp_2
5837: \bigr\rangle
5838: \endprooftree
5839: \end{gather}
5840: if $\mathord{\boxcircle} \in \{\divop, \modop \}$,
5841: $0 \propto m^\sharp_1$ and
5842: \(
5843: \exceptstate^\sharp_2
5844: = \spair{\sigma^\sharp_1}{\alpha(\{\divbyzero\})}
5845: \).
5846: %
5847: \item[Arithmetic tests]
5848: %
5849: Let
5850: \(
5851: \mathord{\boxast}
5852: \in
5853: \{
5854: \mathord{=}, \mathord{\neq}, \mathord{<},
5855: \mathord{\leq}, \mathord{\geq}, \mathord{>}
5856: \}
5857: \)
5858: be an abstract syntax operator and let
5859: $\fund{\mathord{\bowtie}}{(\Integer^\sharp \times \Integer^\sharp)}{\Bool^\sharp}$
5860: denote the corresponding abstract test operation
5861: in $\{ \abseq, \absneq, \abslt, \absleq, \absgeq, \absgt \}$.
5862: Then the rules for the abstract arithmetic tests
5863: are given by
5864: \begin{gather}
5865: \label{rule:abstr_arith_test}
5866: \prooftree
5867: \rho \vdash_\beta \langle e_0, \sigma^\sharp \rangle
5868: \rightarrow
5869: \bigl\langle
5870: (m^\sharp_0, \sigma^\sharp_0),
5871: \exceptstate^\sharp_0
5872: \bigr\rangle
5873: \quad
5874: \rho \vdash_\beta \langle e_1, \sigma^\sharp_0 \rangle
5875: \rightarrow
5876: \bigl\langle
5877: (m^\sharp_1, \sigma^\sharp_1),
5878: \exceptstate^\sharp_1
5879: \bigr\rangle
5880: \justifies
5881: \rho \vdash_\beta \langle e_0 \boxast e_1, \sigma^\sharp \rangle
5882: \rightsquigarrow
5883: \bigl\langle
5884: (m^\sharp_0 \bowtie m^\sharp_1, \sigma^\sharp_1),
5885: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
5886: \bigr\rangle
5887: \endprooftree
5888: \end{gather}
5889: %
5890: \item[Negation]
5891: %
5892: \begin{gather}
5893: \label{rule:abstr_negation}
5894: \prooftree
5895: \rho \vdash_\beta \langle b, \sigma^\sharp \rangle
5896: \rightarrow
5897: \bigl\langle
5898: (t^\sharp, \sigma^\sharp_0),
5899: \exceptstate^\sharp
5900: \bigr\rangle
5901: \justifies
5902: \rho \vdash_\beta \langle \notop\ b, \sigma^\sharp \rangle
5903: \rightsquigarrow
5904: \bigl\langle
5905: (\absneg t^\sharp, \sigma^\sharp_0),
5906: \exceptstate^\sharp
5907: \bigr\rangle
5908: \endprooftree
5909: \end{gather}
5910: %
5911: \item[Conjunction]
5912: %
5913: \begin{gather}
5914: \label{rule:abstr_conjunction}
5915: \prooftree
5916: \rho \vdash_\beta \langle b_0, \sigma^\sharp \rangle
5917: \rightarrow
5918: \langle
5919: \valstate^\sharp_0,
5920: \exceptstate^\sharp_0
5921: \rangle
5922: \quad
5923: \rho \vdash_\beta \langle b_1, \sigma^\sharp_\ttv \rangle
5924: \rightarrow
5925: \langle
5926: \valstate^\sharp_1,
5927: \exceptstate^\sharp_1
5928: \rangle
5929: \justifies
5930: \rho \vdash_\beta \langle b_0 \andop b_1, \sigma^\sharp \rangle
5931: \rightsquigarrow
5932: \bigl\langle
5933: \valstate^\sharp_\ffv \sqcup \valstate^\sharp_1,
5934: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
5935: \bigr\rangle
5936: \endprooftree,
5937: \end{gather}
5938: if
5939: \(
5940: \sigma^\sharp_\ttv = \phi(\rho, \sigma^\sharp, b_0)
5941: \),
5942: \(
5943: \sigma^\sharp_\ffv = \phi(\rho, \sigma^\sharp, \notop b_0)
5944: \)
5945: and
5946: $\valstate^\sharp_\ffv = \spair{\alpha(\{\ffv\})}{\sigma^\sharp_\ffv}$.
5947: %
5948: \item[Disjunction]
5949: %
5950: \begin{gather}
5951: \label{rule:abstr_disjunction}
5952: \prooftree
5953: \rho \vdash_\beta \langle b_0, \sigma^\sharp \rangle
5954: \rightarrow
5955: \langle
5956: \valstate^\sharp_0,
5957: \exceptstate^\sharp_0
5958: \rangle
5959: \quad
5960: \rho \vdash_\beta \langle b_1, \sigma^\sharp_\ffv \rangle
5961: \rightarrow
5962: \langle
5963: \valstate^\sharp_1,
5964: \exceptstate^\sharp_1
5965: \rangle
5966: \justifies
5967: \rho \vdash_\beta \langle b_0 \orop b_1, \sigma^\sharp \rangle
5968: \rightsquigarrow
5969: \langle
5970: \valstate^\sharp_\ttv \sqcup \valstate^\sharp_1,
5971: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
5972: \rangle
5973: \endprooftree
5974: \end{gather}
5975: if
5976: \(
5977: \sigma^\sharp_\ttv = \phi(\rho, \sigma^\sharp, b_0)
5978: \),
5979: \(
5980: \sigma^\sharp_\ffv = \phi(\rho, \sigma^\sharp, \notop b_0)
5981: \)
5982: and
5983: $\valstate^\sharp_\ttv = \spair{\alpha(\{\ttv\})}{\sigma^\sharp_\ttv}$.
5984: %
5985: \end{description}
5986:
5987: \subsubsection{Unsupported Declarations}
5988:
5989: The following rules only apply if the condition
5990: $\asupported\bigl(\rho, \langle q, \sigma^\sharp \rangle \bigr)$
5991: does not hold,
5992: where $q \in \Decl \uplus \Glob$ is the declaration being evaluated.
5993: Again, this side condition is left implicit.
5994:
5995: \begin{description}
5996: %
5997: \item[Nil]
5998: %
5999: \begin{gather}
6000: \label{rule:abstr_decl_nil}
6001: \prooftree
6002: \nohyp
6003: \justifies
6004: \rho \vdash_\beta \langle \kw{nil}, \sigma^\sharp \rangle
6005: \rightsquigarrow
6006: \bigl\langle
6007: (\emptyset, \sigma^\sharp),
6008: \none^\sharp
6009: \bigr\rangle
6010: \endprooftree
6011: \end{gather}
6012: %
6013: \item[Environment]
6014: %
6015: \begin{gather}
6016: \label{rule:abstr_decl_environment}
6017: \prooftree
6018: \nohyp
6019: \justifies
6020: \rho \vdash_\beta \langle \rho_0, \sigma^\sharp \rangle
6021: \rightsquigarrow
6022: \bigl\langle
6023: (\rho_0, \sigma^\sharp),
6024: \none^\sharp
6025: \bigr\rangle
6026: \endprooftree
6027: \end{gather}
6028: %
6029: \item[Recursive environment]
6030: %
6031: \begin{gather}
6032: \label{rule:abstr_decl_rec_environment}
6033: \prooftree
6034: \nohyp
6035: \justifies
6036: \rho
6037: \vdash_\beta
6038: \langle \kw{rec} \rho_0, \sigma^\sharp \rangle
6039: \rightsquigarrow
6040: \bigl\langle
6041: (\rho_1, \sigma^\sharp),
6042: \none^\sharp
6043: \bigr\rangle
6044: \endprooftree
6045: \end{gather}
6046: \begin{align*}
6047: &\text{if }
6048: \rho_1
6049: = \bigl\{\,
6050: \id \mapsto \rho_0(\id)
6051: \bigm|
6052: \rho_0(\id) = \lambda \fps \st \kw{extern} : \sT
6053: \,\bigr\} \\
6054: & \qquad
6055: \union
6056: \sset{
6057: \id \mapsto \abs_1
6058: }{
6059: \forall i \in \{0,1\}
6060: \itc
6061: \abs_i = \lambda \fps
6062: \st \kw{let} d_i \,\kw{in} s \kw{result} e, \\
6063: \rho_0(\id) = \abs_0,
6064: d_1 = \kw{rec} \bigl( \rho_0 \setminus \DI(\fps) \bigr); d_0
6065: }.
6066: \end{align*}
6067: %
6068: \item[Global variable declaration]
6069: %
6070: \begin{gather}
6071: \label{rule:abstr_global_decl}
6072: \prooftree
6073: \rho \vdash_\beta \langle e, \sigma^\sharp \rangle
6074: \rightarrow
6075: \langle
6076: \valstate^\sharp,
6077: \exceptstate^\sharp_0
6078: \rangle
6079: \justifies
6080: \rho \vdash_\beta \langle \kw{gvar} \id : \sT = e, \sigma^\sharp \rangle
6081: \rightsquigarrow
6082: \bigl\langle
6083: (\rho_1, \sigma^\sharp_1),
6084: \datcleanup^\sharp(\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1)
6085: \bigr\rangle
6086: \endprooftree
6087: \end{gather}
6088: if
6089: \(
6090: \datnew^\sharp(\valstate^\sharp)
6091: = \bigl( (\sigma^\sharp_1, l), \exceptstate^\sharp_1 \bigr)
6092: \)
6093: and
6094: $\rho_1 = \bigl\{\id \mapsto (l, \sT)\bigr\}$.
6095: %
6096: \item[Local variable declaration]
6097: %
6098: \begin{gather}
6099: \label{rule:abstr_local_decl}
6100: \prooftree
6101: \rho \vdash_\beta \langle e, \sigma^\sharp \rangle
6102: \rightarrow
6103: \langle
6104: \valstate^\sharp,
6105: \exceptstate^\sharp_0
6106: \rangle
6107: \justifies
6108: \rho \vdash_\beta \langle \kw{lvar} \id : \sT = e, \sigma^\sharp \rangle
6109: \rightsquigarrow
6110: \bigl\langle
6111: (\rho_1, \sigma^\sharp_1),
6112: \asunmark(\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1)
6113: \bigr\rangle
6114: \endprooftree
6115: \end{gather}
6116: if
6117: \(
6118: \stknew^\sharp(\valstate^\sharp)
6119: = \bigl( (\sigma^\sharp_1, i), \exceptstate^\sharp_1 \bigr)
6120: \)
6121: and
6122: $\rho_1 = \bigl\{ \id \mapsto (i, \sT) \bigr\}$.
6123: %
6124: \item[Function declaration]
6125: %
6126: \begin{gather}
6127: \label{rule:abstr_decl_function}
6128: \prooftree
6129: \nohyp
6130: \justifies
6131: \rho
6132: \vdash_\beta
6133: \bigl\langle
6134: \kw{function} \id(\fps) = \funbody_0,
6135: \sigma^\sharp
6136: \bigr\rangle
6137: \rightsquigarrow
6138: \bigl\langle
6139: (\rho_0, \sigma^\sharp), \none^\sharp
6140: \bigr\rangle
6141: \endprooftree
6142: \end{gather}
6143: if $\rho_0 = \{ \id \mapsto \lambdaop \fps \st \funbody_1 \}$ and
6144: either $\funbody_0 = \funbody_1 = \kw{extern} : \sT$
6145: or, for each $i \in \{0, 1\}$,
6146: $\funbody_i = \kw{let} d_i \,\kw{in} s \kw{result} e$,
6147: $I = \FI(\funbody_0) \setminus \DI(\fps)$ and
6148: $d_1 = \rho \restrict{I}; d_0$.
6149: %
6150: \item[Recursive declaration]
6151: %
6152: \begin{gather}
6153: \label{rule:abstr_recursive_decl}
6154: \prooftree
6155: (\rho \setminus J) \vdash_{\beta[\beta_1]} \langle g, \sigma^\sharp \rangle
6156: \rightarrow
6157: \bigl\langle
6158: (\rho_0, \sigma^\sharp_0),
6159: \none^\sharp
6160: \bigr\rangle
6161: \quad
6162: \rho \vdash_\beta \langle \kw{rec} \rho_0, \sigma^\sharp_0 \rangle
6163: \rightarrow
6164: \eta^\sharp
6165: \justifies
6166: \rho \vdash_\beta \langle \kw{rec} g, \sigma^\sharp \rangle
6167: \rightsquigarrow
6168: \eta^\sharp
6169: \endprooftree
6170: \end{gather}
6171: if $J = \FI(g) \inters \DI(g)$,
6172: $\beta \vdash_{\FI(g)} g : \beta_0$ and
6173: $\beta_1 = \beta_0 \restrict{J}$.
6174: %
6175: \item[Global sequential composition]
6176: %
6177: \begin{gather}
6178: \label{rule:abstr_global_seq}
6179: \prooftree
6180: \rho \vdash_\beta \langle g_0, \sigma^\sharp \rangle
6181: \rightarrow
6182: \bigl\langle
6183: (\rho_0, \sigma^\sharp_0),
6184: \exceptstate^\sharp_0
6185: \bigr\rangle
6186: \quad
6187: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle g_1, \sigma^\sharp_0 \rangle
6188: \rightarrow
6189: \bigl\langle
6190: (\rho_1, \sigma^\sharp_1),
6191: \exceptstate^\sharp_1
6192: \bigr\rangle
6193: \justifies
6194: \rho \vdash_\beta \langle g_0;g_1, \sigma^\sharp \rangle
6195: \rightsquigarrow
6196: \bigl\langle
6197: (\rho_0[\rho_1], \sigma^\sharp_1),
6198: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
6199: \bigr\rangle
6200: \endprooftree
6201: \end{gather}
6202: if $\beta \vdash_I g_0 : \beta_0$ and $\FI(g_0) \sseq I$.
6203: %
6204: \item[Local sequential composition]
6205: %
6206: \begin{gather}
6207: \label{rule:abstr_local_seq}
6208: \prooftree
6209: \rho \vdash_\beta \langle d_0, \sigma^\sharp \rangle
6210: \rightarrow
6211: \bigl\langle
6212: (\rho_0, \sigma^\sharp_0),
6213: \exceptstate^\sharp_0
6214: \bigr\rangle
6215: \quad
6216: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle d_1, \sigma^\sharp_0 \rangle
6217: \rightarrow
6218: \bigl\langle
6219: (\rho_1, \sigma^\sharp_1),
6220: \exceptstate^\sharp_1
6221: \bigr\rangle
6222: \justifies
6223: \rho \vdash_\beta \langle d_0;d_1, \sigma^\sharp \rangle
6224: \rightsquigarrow
6225: \bigl\langle
6226: (\rho_0[\rho_1], \sigma^\sharp_1),
6227: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
6228: \bigr\rangle
6229: \endprooftree
6230: \end{gather}
6231: if $\beta \vdash_I d_0 : \beta_0$ and $\FI(d_0) \sseq I$.
6232: %
6233: \end{description}
6234:
6235: \subsubsection{Unsupported Statements}
6236:
6237: The following rules only apply if the implicit side condition
6238: $\asupported\bigl(\rho, \langle s, \sigma^\sharp \rangle \bigr)$ does not hold,
6239: where $s$ is the statement being evaluated.
6240:
6241: \begin{description}
6242: %
6243: \item[Nop]
6244: %
6245: \begin{gather}
6246: \label{rule:abstr_nop}
6247: \prooftree
6248: \nohyp
6249: \justifies
6250: \rho \vdash_\beta \langle \kw{nop}, \sigma^\sharp \rangle
6251: \rightsquigarrow
6252: \sigma^\sharp
6253: \endprooftree
6254: \end{gather}
6255: %
6256: \item[Assignment]
6257: %
6258: \begin{gather}
6259: %%
6260: \label{rule:abstr_assignment}
6261: \prooftree
6262: \rho \vdash_\beta \langle e, \sigma^\sharp \rangle
6263: \rightarrow
6264: \bigl\langle
6265: (\sval^\sharp, \sigma^\sharp_0),
6266: \exceptstate^\sharp_0
6267: \bigr\rangle
6268: \justifies
6269: \rho \vdash_\beta \langle \id := e, \sigma^\sharp \rangle
6270: \rightsquigarrow
6271: \langle
6272: \sigma^\sharp_1,
6273: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
6274: \rangle
6275: \using\quad\text{if
6276: \(
6277: \sigma^\sharp_0\bigl[\rho(\id) :=^\sharp \sval^\sharp\bigr]
6278: = (\sigma^\sharp_1, \exceptstate^\sharp_1)
6279: \)
6280: }
6281: \endprooftree
6282: \end{gather}
6283: %
6284: \item[Statement sequence]
6285: %
6286: \begin{gather}
6287: \label{rule:abstr_sequence}
6288: \prooftree
6289: \rho \vdash_\beta \langle s_0, \sigma^\sharp \rangle
6290: \rightarrow
6291: \langle \sigma^\sharp_0, \exceptstate^\sharp_0 \rangle
6292: \quad
6293: \rho \vdash_\beta \langle s_1, \sigma^\sharp_0 \rangle
6294: \rightarrow
6295: \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle
6296: \justifies
6297: \rho \vdash_\beta \langle s_0 ; s_1, \sigma^\sharp \rangle
6298: \rightsquigarrow
6299: \bigl\langle
6300: \sigma^\sharp_1,
6301: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
6302: \bigr\rangle
6303: \endprooftree
6304: \end{gather}
6305: %
6306: \item[Block]
6307: %
6308: \begin{gather}
6309: \label{rule:abstr_block}
6310: \prooftree
6311: \rho \vdash_\beta \bigl\langle d, \asmark(\sigma^\sharp) \bigr\rangle
6312: \rightarrow
6313: \bigl\langle
6314: (\rho_0, \sigma^\sharp_0), \exceptstate^\sharp_0
6315: \bigr\rangle
6316: \quad
6317: \rho[\rho_0] \vdash_{\beta[\beta_0]} \langle s, \sigma^\sharp_0 \rangle
6318: \rightarrow
6319: \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle
6320: \justifies
6321: \rho \vdash_\beta \langle d ; s, \sigma^\sharp \rangle
6322: \rightsquigarrow
6323: \bigl\langle
6324: \asunmark(\sigma^\sharp_1),
6325: \exceptstate^\sharp_0
6326: \sqcup
6327: \asunmark(\exceptstate^\sharp_1)
6328: \bigr\rangle
6329: \endprooftree
6330: \end{gather}
6331: if $\beta \vdash_{\FI(d)} d : \beta_0$.
6332: %
6333: \item[Conditional]
6334: %
6335: \begin{gather}
6336: \label{rule:abstr_conditional}
6337: \prooftree
6338: \begin{aligned}
6339: \rho \vdash_\beta \langle e, \sigma^\sharp \rangle
6340: \rightarrow
6341: \langle
6342: \valstate^\sharp_0,
6343: \exceptstate^\sharp_0
6344: \rangle
6345: &\quad
6346: \rho \vdash_\beta \langle s_0, \sigma^\sharp_\ttv \rangle
6347: \rightarrow
6348: \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle \\
6349: &\quad
6350: \rho \vdash_\beta \langle s_1, \sigma^\sharp_\ffv \rangle
6351: \rightarrow
6352: \langle \sigma^\sharp_2, \exceptstate^\sharp_2 \rangle
6353: \end{aligned}
6354: \justifies
6355: \rho
6356: \vdash_\beta
6357: \langle \kw{if} e \kw{then} s_0 \kw{else} s_1, \sigma^\sharp \rangle
6358: \rightsquigarrow
6359: \langle
6360: \sigma^\sharp_1 \sqcup \sigma^\sharp_2,
6361: \exceptstate^\sharp_0
6362: \sqcup \exceptstate^\sharp_1
6363: \sqcup \exceptstate^\sharp_2
6364: \rangle
6365: \endprooftree
6366: \end{gather}
6367: if
6368: \(
6369: \sigma^\sharp_\ttv = \phi(\rho, \sigma^\sharp, e)
6370: \)
6371: and
6372: \(
6373: \sigma^\sharp_\ffv = \phi(\rho, \sigma^\sharp, \notop e)
6374: \).
6375: %
6376: \item[While]
6377: %
6378: \begin{gather}
6379: \label{rule:abstr_while}
6380: \prooftree
6381: \begin{aligned}
6382: \rho \vdash_\beta \langle e, \sigma^\sharp \rangle
6383: \rightarrow
6384: \langle
6385: \valstate^\sharp_0,
6386: \exceptstate^\sharp_0
6387: \rangle
6388: &\quad
6389: \rho \vdash_\beta \langle s, \sigma^\sharp_\ttv \rangle
6390: \rightarrow
6391: \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle \\
6392: &\quad
6393: \rho
6394: \vdash_\beta
6395: \langle \kw{while} e \kw{do} s, \sigma^\sharp_1 \rangle
6396: \rightarrow
6397: \langle \sigma^\sharp_2, \exceptstate^\sharp_2 \rangle
6398: \end{aligned}
6399: \justifies
6400: \rho
6401: \vdash_\beta
6402: \langle \kw{while} e \kw{do} s, \sigma^\sharp \rangle
6403: \rightsquigarrow
6404: \langle
6405: \sigma^\sharp_\ffv \sqcup \sigma^\sharp_2,
6406: \exceptstate^\sharp_0
6407: \sqcup \exceptstate^\sharp_1
6408: \sqcup \exceptstate^\sharp_2
6409: \rangle
6410: \endprooftree
6411: \end{gather}
6412: if
6413: \(
6414: \sigma^\sharp_\ttv = \phi(\rho, \sigma^\sharp, e)
6415: \)
6416: and
6417: \(
6418: \sigma^\sharp_\ffv = \phi(\rho, \sigma^\sharp, \notop e)
6419: \).
6420: %
6421: \item[Throw]
6422: %
6423: \begin{gather}
6424: \label{rule:abstr_throw_except}
6425: \prooftree
6426: \nohyp
6427: \justifies
6428: \rho \vdash_\beta \langle \kw{throw} \rtsexcept, \sigma^\sharp \rangle
6429: \rightsquigarrow
6430: \langle \bot, \exceptstate^\sharp \rangle
6431: \using\quad\text{if
6432: \(
6433: \exceptstate^\sharp
6434: = \spair{\sigma^\sharp}{\alpha(\{\rtsexcept\})}
6435: \)}
6436: \endprooftree \\[1ex]
6437: %%
6438: \label{rule:abstr_throw_expr}
6439: \prooftree
6440: \rho \vdash_\beta \langle e, \sigma^\sharp \rangle
6441: \rightarrow
6442: \bigl\langle
6443: (\sval^\sharp, \sigma^\sharp_0),
6444: \exceptstate^\sharp_0
6445: \bigr\rangle
6446: \justifies
6447: \rho \vdash_\beta \langle \kw{throw} e, \sigma^\sharp \rangle
6448: \rightsquigarrow
6449: \langle
6450: \bot,
6451: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1
6452: \rangle
6453: \using\quad\text{if
6454: $\exceptstate^\sharp_1 = \spair{\sigma^\sharp_0}{\sval^\sharp}$}
6455: \endprooftree
6456: \end{gather}
6457: %
6458: \item[Try blocks]
6459: %
6460: \begin{gather}
6461: \label{rule:abstr_try_catch}
6462: \prooftree
6463: \rho \vdash_\beta \langle s, \sigma^\sharp \rangle
6464: \rightarrow
6465: \langle \sigma^\sharp_0, \exceptstate^\sharp_0 \rangle
6466: \quad
6467: \rho
6468: \vdash_\beta
6469: \langle k, \exceptstate^\sharp_0 \rangle
6470: \rightarrow
6471: \bigl\langle
6472: (\sigma^\sharp_1, \exceptstate^\sharp_1), \exceptstate^\sharp_2
6473: \bigr\rangle
6474: \justifies
6475: \rho
6476: \vdash_\beta
6477: \langle \kw{try} s \kw{catch} k, \sigma^\sharp \rangle
6478: \rightsquigarrow
6479: \langle
6480: \sigma^\sharp_0 \sqcup \sigma^\sharp_1,
6481: \exceptstate^\sharp_1 \sqcup \exceptstate^\sharp_2
6482: \rangle
6483: \endprooftree
6484: \end{gather}
6485:
6486: \begin{gather}
6487: \label{rule:abstr_try_finally}
6488: \prooftree
6489: \begin{aligned}
6490: \rho \vdash_\beta \langle s_0, \sigma^\sharp \rangle
6491: \rightarrow
6492: \bigl\langle
6493: \sigma^\sharp_0,
6494: (\sigma^\sharp_1, \except^\sharp_1)
6495: \bigr\rangle
6496: \quad
6497: & \rho \vdash_\beta \langle s_1, \sigma^\sharp_0 \rangle
6498: \rightarrow
6499: \langle \sigma^\sharp_2, \exceptstate^\sharp_2 \rangle \\
6500: & \rho \vdash_\beta \langle s_1, \sigma^\sharp_1 \rangle
6501: \rightarrow
6502: \langle \sigma^\sharp_3, \exceptstate^\sharp_3 \rangle
6503: \end{aligned}
6504: \justifies
6505: \rho
6506: \vdash_\beta
6507: \langle
6508: \kw{try} s_0 \kw{finally} s_1,
6509: \sigma^\sharp
6510: \rangle
6511: \rightsquigarrow
6512: \bigl\langle
6513: \sigma^\sharp_2,
6514: \exceptstate^\sharp_2
6515: \sqcup \exceptstate^\sharp_3
6516: \sqcup (\spair{\sigma^\sharp_3}{\except^\sharp_1})
6517: \bigr\rangle
6518: \endprooftree
6519: \end{gather}
6520: %
6521: \item[Function call]
6522: %
6523: With reference to conditions \eqref{eq:function-call-condition-beta-rho-d}
6524: and \eqref{eq:function-call-condition-rho0-rho1} of the concrete rules for
6525: function calls, the corresponding abstract rule schema is
6526: \begin{gather}
6527: \label{rule:abstr_function_call_eval}
6528: \prooftree
6529: \begin{aligned}
6530: & \rho
6531: \vdash_\beta
6532: \bigl\langle
6533: d, \asmark(\sigma^\sharp)
6534: \bigr\rangle
6535: \rightarrow
6536: \bigl\langle
6537: (\rho_0, \sigma^\sharp_0),
6538: \exceptstate^\sharp_0
6539: \bigr\rangle \\
6540: & \rho[\rho_1]
6541: \vdash_{\beta[\beta_1]}
6542: \bigl\langle \funbody, \aslink(\sigma^\sharp_0) \bigr\rangle
6543: \rightarrow
6544: \langle
6545: \sigma^\sharp_1,
6546: \exceptstate^\sharp_1
6547: \rangle \\
6548: & \rho[\rho_0]
6549: \vdash_{\beta[\beta_0]}
6550: \bigl\langle
6551: \id_0 := \ridx_0,
6552: \asunlink(\sigma^\sharp_1)
6553: \bigr\rangle
6554: \rightarrow
6555: \langle
6556: \sigma^\sharp_2,
6557: \exceptstate^\sharp_2
6558: \rangle
6559: \end{aligned}
6560: \justifies
6561: \rho
6562: \vdash_\beta
6563: \bigl\langle
6564: \id_0 := \id(e_1, \ldots, e_n),
6565: \sigma^\sharp
6566: \bigr\rangle
6567: \rightsquigarrow
6568: \bigl\langle
6569: \asunmark(\sigma^\sharp_2),
6570: \exceptstate^\sharp
6571: \bigr\rangle
6572: \endprooftree
6573: \end{gather}
6574: if \eqref{eq:function-call-condition-beta-rho-d}
6575: and \eqref{eq:function-call-condition-rho0-rho1} hold and
6576: \(
6577: \exceptstate^\sharp
6578: = \exceptstate^\sharp_0
6579: \sqcup
6580: \asunmark\bigl(\asunlink(\exceptstate^\sharp_1)\bigr)
6581: \sqcup
6582: \asunmark(\exceptstate^\sharp_2)
6583: \).
6584: %
6585: \end{description}
6586:
6587: \subsubsection{Function Bodies}
6588: %
6589: \begin{gather}
6590: \label{rule:abstr_function_body}
6591: \prooftree
6592: \begin{aligned}
6593: & \rho
6594: \vdash_\beta
6595: \bigl\langle
6596: d, \asmark(\sigma^\sharp)
6597: \bigr\rangle
6598: \rightarrow
6599: \bigl\langle
6600: (\rho_0, \sigma^\sharp_0),
6601: \exceptstate^\sharp_0
6602: \bigr\rangle \\
6603: & \rho[\rho_0]
6604: \vdash_{\beta[\beta_0]}
6605: \langle s, \sigma^\sharp_0 \rangle
6606: \rightarrow
6607: \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle \\
6608: & \rho[\rho_0]
6609: \vdash_{\beta[\beta_0]}
6610: \langle \ridx_0 := e, \sigma^\sharp_1 \rangle
6611: \rightarrow
6612: \langle
6613: \sigma^\sharp_2,
6614: \exceptstate^\sharp_2
6615: \rangle
6616: \end{aligned}
6617: \justifies
6618: \rho
6619: \vdash_\beta
6620: \langle
6621: \kw{let} d \,\kw{in} s \kw{result} e,
6622: \sigma^\sharp
6623: \rangle
6624: \rightsquigarrow
6625: \bigl\langle
6626: \asunmark(\sigma^\sharp_2),
6627: \exceptstate^\sharp_3
6628: \bigr\rangle
6629: \endprooftree
6630: \end{gather}
6631: if
6632: $\beta \vdash_{\FI(d)} d : \beta_0$,
6633: \(
6634: \exceptstate^\sharp_3
6635: = \exceptstate^\sharp_0
6636: \sqcup
6637: \asunmark(\exceptstate^\sharp_1
6638: \sqcup \exceptstate^\sharp_2)
6639: \).
6640:
6641:
6642: \begin{gather}
6643: \label{rule:abstr_function_body_extern}
6644: \prooftree
6645: \nohyp
6646: \justifies
6647: \rho
6648: \vdash_\beta
6649: \langle
6650: \kw{extern} : \sT,
6651: \sigma^\sharp
6652: \rangle
6653: \rightsquigarrow
6654: \bigl\langle
6655: \sigma^\sharp_0,
6656: (\sigma_0^\sharp, \top)
6657: \bigr\rangle
6658: \endprooftree
6659: \end{gather}
6660: if
6661: \(
6662: \forall \sigma, \sigma_0 \in \Mem
6663: \itc
6664: \bigl(
6665: \sigma = (\mu, w)
6666: \land
6667: \sigma \propto \sigma^\sharp
6668: \land
6669: \sigma_0 = (\mu_0, w)
6670: \bigr)
6671: \implies
6672: \sigma_0 \propto \sigma^\sharp_0
6673: \).
6674:
6675: \subsubsection{Catch Clauses}
6676:
6677: \begin{description}
6678: %
6679: \item[Catch]
6680: %
6681: \begin{gather}
6682: \label{rule:abstr_catch_maybe_caught}
6683: \prooftree
6684: \rho \vdash_\beta \bigl\langle s, \mem(\exceptstate^\sharp_0) \bigr\rangle
6685: \rightarrow
6686: \eta^\sharp_1
6687: \justifies
6688: \rho
6689: \vdash_\beta
6690: \bigl\langle
6691: (p) \, s,
6692: \exceptstate^\sharp
6693: \bigr\rangle
6694: \rightsquigarrow
6695: \langle
6696: \eta^\sharp_1,
6697: \exceptstate^\sharp_1
6698: \rangle
6699: \endprooftree \\[1ex]
6700: \intertext{%
6701: if $p = \kw{any}$ or $p = \rtsexcept$ or $p = \cT$,
6702: $\exceptstate^\sharp_0 = \phi^+(p, \exceptstate^\sharp)$ and
6703: $\exceptstate^\sharp_1 = \phi^-(p, \exceptstate^\sharp)$.
6704: }
6705: %%
6706: \label{rule:abstr_catch_expr_maybe_caught}
6707: \prooftree
6708: \rho\bigl[ \{\id \mapsto (i,\sT) \} \bigr]
6709: \vdash_{\beta[ \{\id \mapsto \location{\sT}\} ]}
6710: \langle s, \sigma^\sharp_2 \rangle
6711: \rightarrow
6712: \langle \sigma^\sharp_3, \exceptstate^\sharp_3 \rangle
6713: \justifies
6714: \rho
6715: \vdash_\beta
6716: \bigl\langle
6717: (\id : \sT) \, s,
6718: \exceptstate^\sharp
6719: \bigr\rangle
6720: \rightsquigarrow
6721: \bigl\langle
6722: (\sigma^\sharp_4, \exceptstate^\sharp_4),
6723: \exceptstate^\sharp_1
6724: \bigr\rangle
6725: \endprooftree
6726: \end{gather}
6727: if $\exceptstate^\sharp_0 = \phi^+(\sT, \exceptstate^\sharp)$,
6728: $\exceptstate^\sharp_1 = \phi^-(\sT, \exceptstate^\sharp)$,
6729: \(
6730: \stknew^\sharp\Bigl(
6731: \sT(\exceptstate^\sharp_0),
6732: \asmark\bigl( \mem(\exceptstate^\sharp_0) \bigr)
6733: \Bigr)
6734: = \bigl( (\sigma^\sharp_2, i), \exceptstate^\sharp_2 \bigr)
6735: \),
6736: $\sigma^\sharp_4 = \asunmark(\sigma^\sharp_3)$
6737: and
6738: \(
6739: \exceptstate^\sharp_4
6740: = \asunmark(\exceptstate^\sharp_2)
6741: \sqcup \asunmark(\exceptstate^\sharp_3)
6742: \).
6743: %
6744: \item[Catch sequence]
6745: %
6746: \begin{gather}
6747: \label{rule:abstr_catch_seq}
6748: \prooftree
6749: \rho
6750: \vdash_\beta
6751: \langle k_0, \exceptstate^\sharp \rangle
6752: \rightarrow
6753: \bigl\langle
6754: (\sigma^\sharp_0, \exceptstate^\sharp_0), \exceptstate^\sharp_1
6755: \bigr\rangle
6756: \quad
6757: \rho
6758: \vdash_\beta
6759: \langle k_1, \exceptstate^\sharp_1 \rangle
6760: \rightarrow
6761: \bigl\langle
6762: (\sigma^\sharp_1, \exceptstate^\sharp_2), \exceptstate^\sharp_3
6763: \bigr\rangle
6764: \justifies
6765: \rho
6766: \vdash_\beta
6767: \langle k_0 ; k_1, \exceptstate^\sharp \rangle
6768: \rightsquigarrow
6769: \bigr\langle
6770: (\sigma^\sharp_0 \sqcup \sigma^\sharp_1,
6771: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_2),
6772: \exceptstate^\sharp_3
6773: \bigl\rangle
6774: \endprooftree
6775: \end{gather}
6776: %
6777: \end{description}
6778:
6779: \subsubsection{Supported Expressions, Declarations and Statements}
6780: \label{sec:supported-rules}
6781:
6782: Let $q \in \{ \mathrm{e}, \mathrm{d}, \mathrm{g}, \mathrm{s} \}$
6783: and $N^\sharp \in \NTq^{\beta\sharp}$.
6784: Then, whenever $\asupported(\rho, N^\sharp)$ holds,
6785: alternate versions of the rules above apply.
6786: For each of the rules above,
6787: \begin{align*}
6788: &\prooftree
6789: P_0 \quad \cdots \quad P_{\ell-1}
6790: \justifies
6791: \rho \vdash_\beta N^\sharp
6792: \rightsquigarrow
6793: \eta^\sharp
6794: \using\quad\text{if (side condition) and
6795: not $\asupported(\rho, N^\sharp)$}
6796: \endprooftree \\
6797: \intertext{%
6798: we also have the rule
6799: }
6800: &\prooftree
6801: P_0 \quad \cdots \quad P_{\ell-1}
6802: \justifies
6803: \rho \vdash_\beta N^\sharp
6804: \rightsquigarrow
6805: \aeval(\rho, N^\sharp)
6806: \using\quad\text{if (side condition) and
6807: $\asupported(\rho, N^\sharp)$}
6808: \endprooftree
6809: \end{align*}
6810: Notice that even if $\aeval(\rho, N^\sharp)$
6811: does not depend on the rule antecedents $P_0$, \dots,~$P_{\ell-1}$,
6812: these cannot be omitted, as this would neglect the sub-computations
6813: spawned by the unsupported evaluation of $N^\sharp$.
6814:
6815:
6816: \subsection{Abstract Semantics Trees}
6817: \label{sec:abstract-semantics-trees}
6818:
6819: We now define possibly infinite abstract semantics trees along
6820: the lines of what we did in Section~\ref{sec:concrete-semantics-trees}.
6821: Notice that the need to consider infinite abstract trees goes
6822: beyond the need to observe infinite concrete computations.
6823: For instance, there is no finite abstract tree corresponding to a
6824: program containing a $\kw{while}$ command,
6825: because~\eqref{rule:abstr_while} is the only abstract
6826: rule for $\kw{while}$ and it recursively introduces a new $\kw{while}$
6827: node into the tree.
6828:
6829: \begin{definition} \summary{(Abstract semantics rules.)}
6830: \label{def:abstract-semantics-rules}
6831: The set $\calR^\sharp$ of \emph{abstract semantics rules}
6832: is the infinite set obtained by instantiating the rule schemata
6833: of \textup{Section~\ref{sec:abstract-evaluation-relations}}
6834: in all possible ways (respecting the side conditions).
6835: \end{definition}
6836:
6837: Let $\calS^\sharp$ be the (infinite) set of sequents occurring in the premises
6838: and conclusions of the rules in $\calR^\sharp$.
6839: Matching Definition~\ref{def:concrete-semantics-universe},
6840: the \emph{abstract semantics universe}, denoted by $\calU^\sharp$, is the
6841: set of finitely branching trees of at most $\omega$-depth with labels
6842: in $\calS^\sharp$.
6843:
6844: \begin{definition} \summary{(Abstract semantics trees.)}
6845: \label{def:abstract-semantics-trees}
6846: Let $\fund{\calF^\sharp}{\wp(\calU^\sharp)}{\wp(\calU^\sharp)}$ be given,
6847: for each $U^\sharp \in \wp(\calU^\sharp)$, by
6848: \[
6849: \calF^\sharp(U^\sharp)
6850: \defeq
6851: \biggl\{\,
6852: \prooftree
6853: \theta^\sharp_0 \; \cdots \; \theta^\sharp_{\ell-1}
6854: \justifies
6855: s
6856: \endprooftree
6857: \biggm|
6858: \{ \theta^\sharp_0, \ldots, \theta^\sharp_{\ell-1} \}
6859: \subseteq U^\sharp,
6860: \;
6861: \prooftree
6862: \theta^\sharp_0(\emptystring)
6863: \; \cdots \;
6864: \theta^\sharp_{\ell-1}(\emptystring)
6865: \justifies
6866: s
6867: \endprooftree
6868: \in \calR^\sharp
6869: \,\biggr\}.
6870: \]
6871: The set of \emph{abstract semantics trees} is
6872: $\Theta^\sharp \defeq \gfp_{\mathord{\subseteq}}(\calF^\sharp)$.
6873: \end{definition}
6874:
6875: We now show that, for every non-terminal abstract configuration,
6876: there exists an abstract tree with that in the root.
6877: \begin{proposition}
6878: \label{prop:abstract-tree-exists}
6879: For each $\beta \in \TEnv$,
6880: $\rho \in \Env$ such that $\rho : \beta$ and
6881: $N^\sharp \in \NTq^{\beta\sharp}$, where
6882: \(
6883: q
6884: \in
6885: \{
6886: \mathrm{e}, \mathrm{d}, \mathrm{g},
6887: \mathrm{s}, \mathrm{b}, \mathrm{k}
6888: \}
6889: \),
6890: there exists $\theta^\sharp \in \Theta^\sharp$ such that,
6891: \[
6892: \theta^\sharp(\emptystring)
6893: \in \bigl\{\,
6894: (\rho \vdash_\beta N^\sharp \rightarrow \eta^\sharp)
6895: \bigm|
6896: \eta^\sharp \in \Tq^\sharp
6897: \,\bigr\}.
6898: \]
6899: \end{proposition}
6900: \begin{proof}
6901: For the proof, let%
6902: \footnote{%%
6903: For the definition of a well-typed sequent,
6904: see the proof of Proposition~\ref{prop:concrete-tree-exists}.%
6905: }
6906: \begin{equation*}
6907: S^\sharp_+(\rho, \beta, N^\sharp)
6908: \defeq
6909: \bigl\{\,
6910: s^\sharp
6911: \bigm|
6912: s^\sharp = (\rho \vdash_\beta N^\sharp \rightarrow \eta^\sharp),
6913: (s \propto s^\sharp \implies
6914: \text{$s$ is well-typed})
6915: \,\bigr\}.
6916: \end{equation*}
6917:
6918: We now assume that $N^\sharp \in \NTq^{\beta\sharp}$ is a fixed but
6919: arbitrary non-terminal abstract configuration.
6920: Suppose that $\asupported(\rho, N^\sharp)$ does not hold.
6921: By inspecting the abstract evaluation rules given in
6922: Section~\ref{sec:abstract-evaluation-relations}, it can be
6923: seen that there exists $\ell \geq 0$
6924: and a nonempty set of rules $R_0 \in \calR^\sharp$
6925: with $\ell$ premises and a conclusion in $S^\sharp_+(\rho, \beta, N^\sharp)$.
6926: If, on the other hand,
6927: $\asupported(\rho, N^\sharp)$ does hold,
6928: then it follows from Section~\ref{sec:supported-rules} that,
6929: by Definition~\ref{def:supports-eval},
6930: $\aeval(\rho, N^\sharp)$ is defined and, for each rule in $R_0$,
6931: there is a rule with the same set of premises
6932: but where the conclusion
6933: $\bigl(\rho \vdash_\beta N^\sharp \rightarrow \aeval(\rho, N^\sharp)\bigr)$
6934: is also in $S^\sharp_+(\rho, \beta, N^\sharp)$.
6935: Thus, in both cases, by definition of $\calU^\sharp$,
6936: there exists a tree in $\calU^\sharp$ with root
6937: in $S^\sharp_+(\rho, \beta, N^\sharp)$.
6938:
6939: We prove that,
6940: for any $n \in \Nset$,
6941: there exists a tree $\theta^\sharp \in \calF^{\sharp n}(\calU^\sharp)$
6942: such that
6943: \(
6944: \theta^\sharp(\emptystring) \in S^\sharp_+(\rho, \beta, N^\sharp)
6945: \).
6946: To this end, we reason by induction on $n \geq 0$.
6947: In the case $n=0$, $\calU = \calF^{\sharp n}(\calU^\sharp)$
6948: so that the hypothesis holds.
6949:
6950: We now suppose that $n > 0$.
6951: Let $j \in \{0, \ldots, \ell\}$ be the maximal value for which
6952: there exist trees
6953: \(
6954: \theta^\sharp_0, \ldots, \theta^\sharp_{j-1}
6955: \in \calF^{\sharp (n-1)}(\calU^\sharp)
6956: \)
6957: where
6958: \(
6959: P_0 = \theta^\sharp_0(\emptystring),
6960: \ldots, P_{j-1} = \theta^\sharp_{j-1}(\emptystring)
6961: \)
6962: are the first $j$ premises of a rule in $R_0$;
6963: let $R_j \sseq R_0$ be the set of all rules in $R_0$ with
6964: $P_0, \ldots, P_{j-1}$ as their first $j$ premises; then $R_j \neq \emptyset$.
6965: We assume that $j < \ell$ and derive a contradiction.
6966: By inspecting the rule schemata in
6967: Section~\ref{sec:abstract-evaluation-relations},
6968: it can be seen that, if there exists
6969: $\frac{P_0 \; \cdots \; P_{j-1} \; P'_j \; \cdots}{\acute{s}^\sharp} \in R_j$
6970: for some $P'_j \in S^\sharp_+(\rho_j, \beta_j, N^\sharp_j)$ and
6971: $\acute{s}^\sharp \in S^\sharp_+(\rho, \beta, N^\sharp)$,
6972: then
6973: \begin{equation}
6974: \label{prop:abstract-tree-exists:j_plus_1_premise}
6975: \forall P_j \in S^\sharp_+(\rho_j, \beta_j, N^\sharp_j)
6976: \itc
6977: \exists s^\sharp \in S^\sharp_+(\rho, \beta, N^\sharp)
6978: \st
6979: \frac{P_0 \; \cdots \; P_{j-1} \; P_j \; \cdots}{s^\sharp} \in R_j.
6980: \end{equation}
6981: By the inductive hypothesis, there exists
6982: $\theta^\sharp_j \in \calF^{\sharp (n-1)}(\calU^\sharp)$
6983: such that
6984: \(
6985: P_j = \theta^\sharp_j(\emptystring)
6986: \in S^\sharp_+(\rho_j, \beta_j, N^\sharp_j)
6987: \);
6988: hence, by~\eqref{prop:abstract-tree-exists:j_plus_1_premise},
6989: there must be a rule in $R_j$
6990: whose $(j+1)$-th premise is $P_j$;
6991: contradicting the assumption that $j < \ell$ is maximal.
6992: Hence $j = \ell$.
6993: Thus there exists a rule
6994: \(
6995: \frac{P_0
6996: \; \cdots
6997: \; P_{\ell-1}}%
6998: {s^\sharp}
6999: \in
7000: R_0
7001: \)
7002: for some $s^\sharp \in S^\sharp_+(\rho, \beta, N^\sharp)$;
7003: hence, by Definition~\ref{def:abstract-semantics-trees},
7004: the tree
7005: \(
7006: \frac{\theta^\sharp_0
7007: \; \cdots
7008: \; \theta^\sharp_{\ell-1}}%
7009: {s^\sharp}
7010: \in \calF^{\sharp n}(\calU^\sharp)
7011: \).
7012: Therefore since, by Definition~\ref{def:abstract-semantics-trees},
7013: $\Theta^\sharp = \gfp_{\mathord{\subseteq}}(\calF^\sharp)$,
7014: there exists a tree $\theta^\sharp$ in $\Theta^\sharp$ such that
7015: $\theta^\sharp(\emptystring) \in S^\sharp_+(\rho, \beta, N^\sharp)$.
7016: \qed
7017: \end{proof}
7018:
7019: \section{Correctness of the Abstract Semantics}
7020: \label{sec:abstract-semantics-correctness}
7021:
7022: In Section~\ref{sec:abstract-dynamic-semantics},
7023: we introduced the notion of \emph{sound approximation}
7024: for configurations and sequents
7025: in terms of the concretization function $\gamma$ defined
7026: for each abstract domain.
7027: We now proceed to define the notion of sound approximation for trees.
7028:
7029: \begin{definition}\summary{(`$\propto$' for trees.)}
7030: \label{def:propto-trees}
7031: Let
7032: \(
7033: \fund{\overline{\propto}}
7034: {\wp(\Theta\times\Theta^\sharp)}
7035: {\wp(\Theta\times\Theta^\sharp)}
7036: \)
7037: be given, for each $U \in \wp(\Theta\times\Theta^\sharp)$, by
7038: \[
7039: \mathop{\overline{\propto}}(U)
7040: \defeq
7041: \sset{%
7042: (\theta, \theta^\sharp) \in \Theta\times\Theta^\sharp
7043: }{%
7044: \theta(\emptystring) \propto \theta^\sharp(\emptystring), \\
7045: \forall i \in \dom(\theta) \inters \Nset
7046: \itc \\
7047: \qquad
7048: \exists j \in \dom(\theta^\sharp) \inters \Nset
7049: \st
7050: \bigl(\theta_{[i]}, \theta^\sharp_{[j]}\bigr) \in U
7051: }.
7052: \]
7053: Then $\theta \propto \theta^\sharp$
7054: if and only if
7055: \(
7056: (\theta, \theta^\sharp)
7057: \in
7058: \gfp_{\mathord{\subseteq}}({\mathord{\overline{\propto}}})
7059: \).
7060: \end{definition}
7061: %%
7062: In words, $\theta \propto \theta^\sharp$ means that
7063: the root of $\theta$ is approximated by the root of $\theta^\sharp$ and
7064: every immediate subtree of $\theta$ is approximated by
7065: some immediate subtrees of $\theta^\sharp$.
7066: %%
7067: Notice that one immediate subtree in $\theta^\sharp$ may be related by
7068: `$\propto$' to none, one or more than one immediate subtree of $\theta$.
7069:
7070: The following result states that, for each concrete tree, there is
7071: always an abstract tree that is generated from a corresponding
7072: non-terminal abstract configuration.
7073: \begin{theorem}
7074: \label{thm:abstract-tree-exists}
7075: Let $\theta \in \Theta$ be a concrete tree such that
7076: \(
7077: \theta(\emptystring)
7078: = (\rho \vdash_\beta N \rightarrow \eta)
7079: \)
7080: or
7081: \(
7082: \theta(\emptystring)
7083: = (\rho \vdash_\beta N \diverges)
7084: \).
7085: Then there exists $\theta^\sharp \in \Theta^\sharp$ such that,
7086: \(
7087: \theta^\sharp(\emptystring)
7088: = (\rho \vdash_\beta N^\sharp \rightarrow \eta^\sharp)
7089: \)
7090: and $N \propto N^\sharp$.
7091: \end{theorem}
7092:
7093: \begin{proof}
7094: Suppose first that
7095: $N = \langle q, \sigma \rangle$ where $q \in \{ e, d, g, s, b \}$.
7096: By Definition~\ref{def:abstract-memory-structure},
7097: we can always find $\sigma^\sharp \in \Mem^\sharp$ such that
7098: $\sigma \propto \sigma^\sharp$.
7099: Hence,
7100: letting $N^\sharp = \langle q, \sigma^\sharp \rangle$,
7101: by~\eqref{def:propto-nonterminal:expr-decl-glob-statement}
7102: in Definition~\ref{def:nonterminal-abstract-configuration},
7103: we obtain $N \propto N^\sharp$.
7104: Next suppose $N = \langle k, \exceptstate \rangle$,
7105: where $\exceptstate = (\sigma, \except)$.
7106: As before, by Definition~\ref{def:abstract-memory-structure},
7107: we can always find $\sigma^\sharp \in \Mem^\sharp$ such that
7108: $\sigma \propto \sigma^\sharp$.
7109: Moreover, by the definition of the approximation for exceptions,
7110: we can always find $\except^\sharp \in \Except^\sharp$ such that
7111: $\except \propto \except^\sharp$.
7112: Hence, letting
7113: $N^\sharp = \langle k, \spair{\sigma^\sharp}{\except^\sharp} \rangle$,
7114: by~\eqref{def:propto-nonterminal:catch}
7115: in Definition~\ref{def:nonterminal-abstract-configuration},
7116: we again obtain $N \propto N^\sharp$.
7117: In both cases, by Proposition~\ref{prop:abstract-tree-exists},
7118: there exists an abstract tree $\theta^\sharp$
7119: such that
7120: \(
7121: \theta^\sharp(\emptystring)
7122: = (\rho \vdash_\beta N^\sharp \rightarrow \eta^\sharp)
7123: \)
7124: and $N \propto N^\sharp$.
7125: \qed
7126: \end{proof}
7127:
7128: The next result states that our abstract rules only generate
7129: abstract trees that are correct approximations of their concrete
7130: counterparts (i.e., concrete trees rooted with the same statement, the same
7131: environment and initial memory structure).
7132: \begin{theorem}
7133: \label{thm:abstract-tree-is-safe}
7134: Let
7135: $\theta \in \Theta$ and $\theta^\sharp \in \Theta^\sharp$
7136: be such that
7137: \(
7138: \theta(\emptystring)
7139: =
7140: \bigl(
7141: \rho \vdash_\beta N
7142: \rightarrow
7143: \eta
7144: \bigr)
7145: \)
7146: or
7147: \(
7148: \theta(\emptystring)
7149: =
7150: \bigl(
7151: \rho \vdash_\beta N
7152: \diverges
7153: \bigr)
7154: \)
7155: and
7156: \(
7157: \theta^\sharp(\emptystring)
7158: =
7159: \bigl(
7160: \rho \vdash_\beta N^\sharp
7161: \rightarrow
7162: \eta^\sharp
7163: \bigr)
7164: \),
7165: where $N \propto N^\sharp$.
7166: Then $\theta \propto \theta^\sharp$.
7167: \end{theorem}
7168:
7169: Theorem~\ref{thm:abstract-tree-is-safe} is a trivial corollary
7170: of the following
7171: \begin{proposition}
7172: \label{prop:abstract-tree-is-safe}
7173: Let
7174: \begin{align}
7175: \label{eq:def_S}
7176: S
7177: &\defeq
7178: \sset{
7179: (\theta, \theta^\sharp) \in \Theta\times\Theta^\sharp
7180: }{
7181: \theta(\emptystring)
7182: \in \bigl\{
7183: \rho \vdash_\beta N
7184: \rightarrow
7185: \eta,\;
7186: \rho \vdash_\beta N
7187: \diverges
7188: \bigr\}, \\
7189: \theta^\sharp(\emptystring) =
7190: \rho \vdash_\beta N^\sharp
7191: \rightarrow
7192: \eta^\sharp, \\
7193: N \propto N^\sharp
7194: }.
7195: \end{align}
7196: Then, for all $(\theta, \theta^\sharp) \in S$,
7197: $\theta \propto \theta^\sharp$.
7198: \end{proposition}
7199:
7200: \begin{proof}
7201: Let $\theta \in \Theta$ and $\theta^\sharp \in \Theta^\sharp$.
7202: We define:
7203: \begin{align*}
7204: r &\defeq
7205: \prooftree
7206: \theta_{[0]}(\emptystring) \; \cdots \; \theta_{[h-1]}(\emptystring)
7207: \justifies
7208: \theta(\emptystring)
7209: \endprooftree
7210: \qquad & \qquad
7211: r^\sharp &\defeq
7212: \prooftree
7213: \theta^\sharp_{[0]}(\emptystring)
7214: \; \cdots \;
7215: \theta^\sharp_{[\ell-1]}(\emptystring)
7216: \justifies
7217: \theta^\sharp(\emptystring)
7218: \endprooftree
7219: \end{align*}
7220: where, for some $h, \ell \geq 0$,
7221: $\{ 0, \ldots, h-1 \} \subseteq \dom(\theta)$,
7222: $\{ 0, \ldots, \ell-1 \} \subseteq \dom(\theta^\sharp)$,
7223: $h \notin \dom(\theta)$
7224: and $\ell \notin \dom(\theta^\sharp)$.
7225: By Definitions~\ref{def:concrete-semantics-trees}
7226: and~\ref{def:abstract-semantics-trees},
7227: $r \in \calR$ and $r^\sharp \in \calR^\sharp$.
7228: Note that, to simplify the proof,
7229: we will use the schematic concrete and abstract
7230: rules given in Sections~\ref{sec:concrete-evaluation-relations}
7231: and~\ref{sec:abstract-evaluation-relations} to denote the actual rule
7232: instances $r$ and $r^\sharp$.
7233:
7234: Letting $(\theta, \theta^\sharp) \in S$,
7235: we need to show that $\theta \propto \theta^\sharp$;
7236: by Definition~\ref{def:propto-trees}, this is equivalent to
7237: showing that
7238: \(
7239: (\theta, \theta^\sharp)
7240: \in
7241: \gfp_{\mathord{\subseteq}}({\mathord{\overline{\propto}}})
7242: \).
7243: To this end, by the principle of fixpoint coinduction,
7244: we will show that
7245: $(\theta, \theta^\sharp) \in \mathop{\overline{\propto}}(S)$.
7246:
7247: By Definition~\ref{def:propto-trees}, we need to show that the following
7248: properties hold:
7249: \begin{enumerate}[(i)]
7250: \item
7251: \label{enum:abstract-tree-is-safe:root}
7252: $\theta(\emptystring) \propto \theta^\sharp(\emptystring)$;
7253: \item
7254: \label{enum:abstract-tree-is-safe:immediate-subtrees}
7255: for each $i = 0$, \dots,~$h-1$ there exists $j \in \{ 0, \ldots, \ell-1 \}$
7256: such that $(\theta_{[i]}, \theta^\sharp_{[j]}) \in S$.
7257: \end{enumerate}
7258:
7259: The proof that properties~\eqref{enum:abstract-tree-is-safe:root}
7260: and~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} hold
7261: is by (well-founded) induction on the structure of the concrete tree $\theta$.
7262: %%
7263: Observe that the ``immediate subtree'' relation between trees
7264: in $\Theta_+$ is a well-founded partial ordering because,
7265: if $\theta \in \Theta_+$ then,
7266: by Definition~\ref{def:concrete-semantics-trees},
7267: there are no infinite descending chains.
7268: We extend this ordering relation to the
7269: \emph{immediate positive subtree} relation between trees in $\Theta$:
7270: $\theta'$ is said to be an \emph{immediate positive subtree} of $\theta$
7271: if and only if $\theta' \in \Theta_+$ and is an immediate subtree of $\theta$.
7272: Clearly, by Definition~\ref{def:concrete-semantics-trees},
7273: the immediate positive subtree ordering on trees in $\Theta$
7274: is also well-founded.
7275:
7276: We first note that it is not restrictive to only consider
7277: unsupported expressions, declarations or statements: as noted in
7278: Section~\ref{sec:abstract-evaluation-relations},
7279: the tree for any supported expression (resp., declaration or statement)
7280: has the same structure as the tree for the same expression
7281: (resp., declaration or statement) as if it were unsupported. Hence,
7282: once correctness of the approximation for unsupported expressions,
7283: declarations or statements is proved, the correctness for their
7284: supported counterparts will immediately follow
7285: from Definition~\ref{def:supports-eval}.
7286:
7287: Let
7288: \begin{gather*}
7289: \theta(\emptystring)
7290: = \bigl(
7291: \rho \vdash_\beta N
7292: \rightarrow \eta
7293: \bigr)
7294: \,\text{ or }\,
7295: \theta(\emptystring)
7296: = \bigl(
7297: \rho \vdash_\beta N
7298: \diverges
7299: \bigr),\\
7300: \theta^\sharp(\emptystring)
7301: = \bigl(
7302: \rho \vdash_\beta N^\sharp
7303: \rightsquigarrow \eta^\sharp
7304: \bigr).
7305: \end{gather*}
7306: By \eqref{eq:def_S}, $N \propto N^\sharp$.
7307: Therefore, by condition~\eqref{def:propto-sequents:diverge}
7308: of Definition~\ref{def:propto-sequents},
7309: property~\eqref{enum:abstract-tree-is-safe:root} holds trivially
7310: whenever $\theta \in \Theta_-$ (i.e., when $r$ is a negative concrete rule).
7311: In addition,
7312: to prove that property~\eqref{enum:abstract-tree-is-safe:root} holds for
7313: each $\theta \in \Theta_+$ (i.e., when $r$ is a positive concrete rule),
7314: by condition~\eqref{def:propto-sequents:term}
7315: of Definition~\ref{def:propto-sequents},
7316: we just need to show $\eta \propto \eta^\sharp$.
7317:
7318: Consider next property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees}.
7319: The base cases are when the concrete rule $r$ has no premises
7320: (i.e., $h = 0$);
7321: and this property holds trivially in these cases.
7322: %%
7323: For the inductive steps (i.e., $h > 0$)
7324: suppose $i \in \{0, \ldots, h-1\}$ and $j \in \{0, \ldots, \ell-1\}$ are
7325: such that $(\theta_{[i]}, \theta^\sharp_{[j]}) \in S$.
7326: If $\theta \in \Theta_+$ then, by the inductive hypothesis, we can assume that
7327: $(\theta_{[i]}, \theta^\sharp_{[j]}) \in \mathop{\overline{\propto}}(S)$;
7328: similarly, if $\theta \in \Theta_-$ and $i \neq h-1$,
7329: by the inductive hypothesis, we can assume that,
7330: $(\theta_{[i]}, \theta^\sharp_{[j]}) \in \mathop{\overline{\propto}}(S)$.
7331: Hence, in both cases, by Definition~\ref{def:propto-trees},
7332: $\theta_{[i]}(\emptystring) \propto \theta^\sharp_{[j]}(\emptystring)$.
7333: Also, if $\theta \in \Theta_-$,
7334: by Definition~\ref{def:concrete-semantics-trees},
7335: $\theta_{[h-1]}(\emptystring)$ is a divergent sequent
7336: so that, by Definitions~\ref{def:propto-sequents}
7337: and~\ref{def:propto-trees},
7338: $\theta_{[h-1]}(\emptystring) \propto \theta^\sharp_{[j]}(\emptystring)$.
7339: Thus, for all concrete trees $\theta \in \Theta$,
7340: we can safely assume the following:
7341: \begin{equation}
7342: \label{enum:abstract-tree-is-safe:inductive_assume}
7343: \forall i \in \{ 0, \dots, h-1\}, j \in \{ 0, \dots, \ell-1\} \itc
7344: (\theta_{[i]}, \theta^\sharp_{[j]}) \in S
7345: \implies
7346: \theta_{[i]}(\emptystring) \propto \theta^\sharp_{[j]}(\emptystring).
7347: \end{equation}
7348: Moreover, we need only explicitly prove
7349: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees}
7350: for each of the positive rules
7351: since, by the definition of the concrete divergence (negative) rules,
7352: \eqref{enum:abstract-tree-is-safe:inductive_assume} and
7353: Definition~\ref{def:nonterminal-abstract-configuration},
7354: if property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees}
7355: holds for any positive rule
7356: it also holds for the corresponding negative rules.
7357: Thus in the detailed proofs of
7358: properties~\eqref{enum:abstract-tree-is-safe:root}
7359: and~\eqref{enum:abstract-tree-is-safe:immediate-subtrees}
7360: for the inductive steps,
7361: we only consider the positive rules.
7362:
7363: To help the reader,
7364: Tables~\ref{tab:abstract-tree-is-safe:expressions},
7365: \ref{tab:abstract-tree-is-safe:declarations},
7366: \ref{tab:abstract-tree-is-safe:statements},
7367: \ref{tab:abstract-tree-is-safe:function-bodies}
7368: and~\ref{tab:abstract-tree-is-safe:catch-clauses},
7369: contain a summary of the conclusions of rules
7370: $r$ and $r^\sharp$.
7371: The first column $Q \in \{E, D, G, S, B, K\}$, gives
7372: the syntactic forms in the first component
7373: of the non-terminal configurations $N$ and $N^\sharp$ (which,
7374: by Definition~\ref{def:nonterminal-abstract-configuration},
7375: must be the same);
7376: the second and third columns give a concrete rule $r$ and
7377: abstract rule $r^\sharp$, respectively, that apply to $Q$.
7378: Note that we do not pair concrete rules with abstract rules that
7379: have mutually inconsistent side conditions.
7380: Justification for the omission of any abstract rules
7381: for a particular concrete rule $r$ is given in the detailed proof
7382: for that case.
7383: The column headed $\eta_q$,
7384: where
7385: \(
7386: q \in
7387: \{
7388: \mathrm{e}, \mathrm{d}, \mathrm{g},
7389: \mathrm{s}, \mathrm{b}, \mathrm{k}
7390: \}
7391: \)
7392: gives the concrete terminal configuration for $r$,
7393: while the columns headed by $\eta^\sharp_q$ give the
7394: components of the abstract terminal configuration for $r^\sharp$.
7395: A blank entry in any table cell means that
7396: the value is exactly the same as the value found
7397: in the same column of the previous row.
7398: To save space in Tables~\ref{tab:abstract-tree-is-safe:declarations},
7399: \ref{tab:abstract-tree-is-safe:statements},
7400: \ref{tab:abstract-tree-is-safe:function-bodies}
7401: and~\ref{tab:abstract-tree-is-safe:catch-clauses},
7402: we have denoted the operations
7403: `$\mathord{\datcleanup}$', `$\mathord{\sunmark}$', `$\mathord{\sunlink}$',
7404: `$\mathord{\asunmark}$' and `$\mathord{\asunlink}$'
7405: by `$\mathord{\datcleanupshort}$', `$\mathord{\sunmarkshort}$',
7406: `$\mathord{\sunlinkshort}$', `$\mathord{\sunmarkshort^\sharp}$' and
7407: `$\mathord{\sunlinkshort^\sharp}$', respectively.
7408: Note that the premises and the side conditions
7409: for the rules are not provided in any of the tables;
7410: reference must be made to the actual rules for this information.
7411:
7412: \subsection{Expressions}
7413:
7414: For this part of the proof,
7415: we use Table~\ref{tab:abstract-tree-is-safe:expressions}.
7416: By \eqref{eq:def_S}, $N \propto N^\sharp$.
7417: Thus letting $N = \langle E, \sigma \rangle$
7418: and $N^\sharp = \langle E, \sigma^\sharp \rangle$,
7419: by Definition~\ref{def:nonterminal-abstract-configuration},
7420: we have the implicit hypothesis $\sigma \propto \sigma^\sharp$.
7421: We show using~\eqref{def:propto-terminal:expr}
7422: in Definition~\ref{def:terminal-abstract-configuration},
7423: that $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7424:
7425: \begin{table}
7426: \caption{Corresponding concrete and abstract rules and
7427: terminals for expressions}
7428: \label{tab:abstract-tree-is-safe:expressions}
7429: \centering
7430: \footnotesize
7431: \begin{tabular}
7432: {|c|l|l|l|l|l|}
7433: \hline
7434: \multicolumn{1}{|c|}{$E$}
7435: &\multicolumn{1}{c|}{$r$}
7436: &\multicolumn{1}{c|}{$r^\sharp$} &\multicolumn{1}{c|}{$\eta_\mathrm{e}$}
7437: &\multicolumn{2}{c|}{
7438: \(\eta^\sharp_\mathrm{e} =
7439: \bigl\langle
7440: (\sval^\sharp_a,\sigma^\sharp_a),
7441: \exceptstate^\sharp_a
7442: \bigr\rangle
7443: \) }\\
7444: \cline{5-6}
7445: &&&
7446: & \multicolumn{1}{c|}{$(\sval^\sharp_a,\sigma^\sharp_a)$}
7447: & \multicolumn{1}{c|}{$\exceptstate^\sharp_a$}\\
7448: \hline
7449: \hline
7450: $\con$
7451: & \ref{rule:conc_constant}
7452: & \ref{rule:abstr_constant}
7453: & $\langle \con, \sigma \rangle$
7454: & $\spair{\alpha(\{\con\})}{\sigma^\sharp}$
7455: & $\none^\sharp$ \\
7456: \hline
7457: $\id$
7458: & \ref{rule:conc_identifier}
7459: & \ref{rule:abstr_identifier}
7460: & $\sigma[\rho(\id)]$
7461: & \multicolumn{2}{c|}{$\sigma^\sharp[\rho(\id)]$} \\
7462: \hline
7463: $-e$
7464: & \ref{rule:conc_uminus_error}
7465: & \ref{rule:abstr_unary_minus}
7466: & $\exceptstate$
7467: & $(\mathop{\absuminus} m^\sharp, \sigma^\sharp_0)$
7468: & $\exceptstate^\sharp$ \\
7469: & \ref{rule:conc_uminus_ok}
7470: &
7471: & $\langle -m, \sigma_0 \rangle$
7472: &
7473: & \\
7474: \hline
7475: $e_0 \boxcircle e_1$
7476: & \ref{rule:conc_arith_bop_0}/\ref{rule:conc_arith_bop_1}
7477: & \ref{rule:abstr_arith_bop}
7478: & $\exceptstate$
7479: & $(m^\sharp_0 \circledcirc m^\sharp_1, \sigma^\sharp_1)$
7480: & $\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1$ \\
7481: &
7482: & \ref{rule:abstr_div_mod_exc}
7483: &
7484: & $(m^\sharp_0 \circledcirc m^\sharp_1, \sigma^\sharp_1)$
7485: & \(
7486: \exceptstate^\sharp_0
7487: \sqcup \exceptstate^\sharp_1
7488: \sqcup \exceptstate^\sharp_2
7489: \) \\
7490: \cline{2-6}
7491: & \ref{rule:conc_arith_bop_2}
7492: & \ref{rule:abstr_arith_bop}
7493: & $\langle m_0 \circ m_1, \sigma_1 \rangle$
7494: & $(m^\sharp_0 \circledcirc m^\sharp_1, \sigma^\sharp_1)$
7495: & $\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1$ \\
7496: &
7497: & \ref{rule:abstr_div_mod_exc}
7498: &
7499: & $(m^\sharp_0 \circledcirc m^\sharp_1, \sigma^\sharp_1)$
7500: & \(
7501: \exceptstate^\sharp_0
7502: \sqcup \exceptstate^\sharp_1
7503: \sqcup \exceptstate^\sharp_2
7504: \) \\
7505: \cline{2-6}
7506: & \ref{rule:conc_arith_bop_exc_0}
7507: & \ref{rule:abstr_div_mod_exc}
7508: & $\langle \sigma_1, \divbyzero \rangle$
7509: & $(m^\sharp_0 \circledcirc m^\sharp_1, \sigma^\sharp_1)$
7510: & \(
7511: \exceptstate^\sharp_0
7512: \sqcup \exceptstate^\sharp_1
7513: \sqcup \exceptstate^\sharp_2
7514: \) \\
7515: \hline
7516: $m_0 \boxast m_1$
7517: & \ref{rule:conc_arith_test_error_0}/\ref{rule:conc_arith_test_error_1}
7518: & \ref{rule:abstr_arith_test}
7519: & $\exceptstate$
7520: & $(m_0^\sharp \bowtie m^\sharp_1, \sigma^\sharp_1)$
7521: & $\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1$ \\
7522: & \ref{rule:conc_arith_test_ok}
7523: &
7524: & $\langle m_0 \lessgtr m_1, \sigma_1 \rangle$
7525: &
7526: & \\
7527: \hline
7528: $\notop\ b$
7529: & \ref{rule:conc_negation_error}
7530: & \ref{rule:abstr_negation}
7531: & $\exceptstate$
7532: & $(\absneg t^\sharp, \sigma^\sharp_0)$
7533: & $\exceptstate^\sharp$ \\
7534: & \ref{rule:conc_negation_ok}
7535: &
7536: & $\langle \bneg t, \sigma_0 \rangle$
7537: &
7538: & \\
7539: \hline
7540: $b_0 \andop\ b_1$
7541: & \ref{rule:conc_conjunction_0}
7542: & \ref{rule:abstr_conjunction}
7543: & $\exceptstate$
7544: & $\valstate^\sharp_\ffv \sqcup \valstate^\sharp_1$
7545: & $\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1$ \\
7546: & \ref{rule:conc_conjunction_1}
7547: &
7548: & $\langle \ffv, \sigma_0 \rangle$
7549: &
7550: & \\
7551: & \ref{rule:conc_conjunction_2}
7552: &
7553: & $\eta$
7554: &
7555: & \\
7556: \hline
7557: $b_0 \orop\ b_1$
7558: & \ref{rule:conc_disjunction_0}--\ref{rule:conc_disjunction_2}
7559: & \ref{rule:abstr_disjunction}
7560: &\multicolumn{3}{c|}{Similar to the rows for `$b_0 \andop\ b_1$'} \\
7561: \hline
7562: \end{tabular}
7563: \end{table}
7564:
7565: \paragraph*{Constant}
7566:
7567: Suppose $r$ is an instance of~\eqref{rule:conc_constant}.
7568: By definition of $\pard{\alpha}{\wp(\Integer)}{\Integer^\sharp}$
7569: and $\pard{\alpha}{\wp(\Bool)}{\Bool^\sharp}$,
7570: we have $\con \propto \alpha(\{\con\})$;
7571: by hypothesis, $\sigma \propto \sigma^\sharp$
7572: so that
7573: $\langle \con, \sigma \rangle \propto \spair{\alpha(\{\con\})}{\sigma^\sharp}$.
7574: Hence $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7575:
7576: \paragraph*{Identifier}
7577:
7578: Suppose $r$ is an instance of~\eqref{rule:conc_identifier}.
7579: Since, by hypothesis, $\sigma \propto \sigma^\sharp$,
7580: by Definition~\ref{def:abstract-memory-structure} we obtain
7581: \(
7582: \sigma\bigl[ \rho(\id) \bigr]
7583: \propto \sigma^\sharp\bigl[ \rho(\id) \bigr]
7584: \).
7585: Hence, $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7586:
7587: \paragraph*{Unary Minus}
7588:
7589: Suppose $r$ is an instance of~\eqref{rule:conc_uminus_error}
7590: or~\eqref{rule:conc_uminus_ok}.
7591: Then, by hypothesis, $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$
7592: and, hence, as $h=1$,
7593: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7594: %%
7595: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7596: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
7597: Thus, if $r$ is an instance of~\eqref{rule:conc_uminus_error},
7598: then $\exceptstate \propto \exceptstate^\sharp$;
7599: if $r$ is an instance of~\eqref{rule:conc_uminus_ok},
7600: then $m \propto m^\sharp$ and $\sigma_0 \propto \sigma^\sharp_0$.
7601: In the latter case, by the soundness of `$\mathop{\absuminus}$',
7602: $-m \propto \mathop{\absuminus} m^\sharp$.
7603: Hence, in both cases,
7604: $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7605:
7606: \paragraph*{Binary Arithmetic Operations}
7607:
7608: Suppose that $r$ is an instance of one of
7609: the rules \eqref{rule:conc_arith_bop_0}--\eqref{rule:conc_arith_bop_exc_0}.
7610: Then, by hypothesis,
7611: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
7612: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7613: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
7614: Note that, in the condition for
7615: abstract rule~\eqref{rule:abstr_div_mod_exc},
7616: \(
7617: \exceptstate^\sharp_2
7618: = \spair{\sigma^\sharp_1}{\alpha(\{\divbyzero\})}
7619: \).
7620:
7621: If $r$ is an instance of~\eqref{rule:conc_arith_bop_0},
7622: then $h=1$
7623: so that property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7624: The property
7625: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$
7626: implies $\exceptstate \propto \exceptstate^\sharp_0$.
7627: Therefore,%%
7628: \footnote{Here and in the following, whenever
7629: we need to prove $\iota \propto \iota^\sharp_0 \sqcup \iota^\sharp_1$,
7630: we just prove either $\iota \propto \iota^\sharp_0$ or
7631: $\iota \propto \iota^\sharp_1$
7632: and implicitly use the monotonicity of $\gamma$.}
7633: $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7634:
7635: If $r$ is an instance of~\eqref{rule:conc_arith_bop_1},
7636: \eqref{rule:conc_arith_bop_2}
7637: or~\eqref{rule:conc_arith_bop_exc_0}, then $h=2$.
7638: Property
7639: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$
7640: implies $\sigma_0 \propto \sigma^\sharp_0$ and $m_0 \propto m^\sharp_0$;
7641: hence
7642: $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$ and
7643: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7644: %%
7645: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7646: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$.
7647:
7648: If $r$ is an instance of~\eqref{rule:conc_arith_bop_1},
7649: then property
7650: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
7651: implies $\exceptstate \propto \exceptstate^\sharp_1$;
7652: thus $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7653: %
7654: If $r$ is an instance of~\eqref{rule:conc_arith_bop_2},
7655: then property
7656: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
7657: implies $\sigma_1 \propto \sigma^\sharp_1$
7658: and $m_1 \propto m^\sharp_1$ so that,
7659: by the soundness of `$\mathord{\circledcirc}$',
7660: $(m_0 \boxcircle m_1) \propto (m^\sharp_0 \circledcirc m^\sharp_1)$;
7661: and hence
7662: $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7663: %
7664: If $r$ is an instance of~\eqref{rule:conc_arith_bop_exc_0},
7665: then the condition
7666: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
7667: implies $\sigma_1 \propto \sigma^\sharp_1$ and $0 \propto m^\sharp_1$.
7668: Hence, by the side conditions,
7669: $r^\sharp$ must be an instance of~\eqref{rule:abstr_div_mod_exc};
7670: so that, as
7671: \(
7672: \langle \sigma_1, \divbyzero \rangle
7673: \propto
7674: \spair{\sigma^\sharp_1}{\alpha(\{\divbyzero\})}
7675: \), we have
7676: $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7677:
7678: \paragraph*{Test Operators}
7679:
7680: Suppose $r$ is an instance of one of
7681: rules~\eqref{rule:conc_arith_test_error_0}--\eqref{rule:conc_arith_test_ok}.
7682: Then, by hypothesis,
7683: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
7684: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7685: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
7686:
7687: If $r$ is an instance of~\eqref{rule:conc_arith_test_error_0},
7688: then $h=1$ and
7689: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7690: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$
7691: implies $\exceptstate \propto \exceptstate^\sharp_0$.
7692: Hence $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7693:
7694: If r is an instance of~\eqref{rule:conc_arith_test_error_1}
7695: or~\eqref{rule:conc_arith_test_ok}, then $h=2$.
7696: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$
7697: implies $\sigma_0 \propto \sigma^\sharp_0$ and $m_0 \propto m^\sharp_0$.
7698: Thus
7699: $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$ and
7700: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7701: %%
7702: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7703: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$.
7704: If $r$ is an instance of~\eqref{rule:conc_arith_test_error_1},
7705: then $\exceptstate \propto \exceptstate^\sharp_1$;
7706: and if $r$ is an instance of~\eqref{rule:conc_arith_test_ok},
7707: $\sigma_1 \propto \sigma^\sharp_1$ and $m_1 \propto m^\sharp_1$ so that,
7708: by soundness of `$\bowtie$',
7709: $(m_0 \lessgtr m_1) \propto (m^\sharp_0 \bowtie m^\sharp_1)$.
7710: Hence, for both concrete rules,
7711: $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7712:
7713: \paragraph*{Negation}
7714:
7715: The proof when $r$ is an instance
7716: of~\eqref{rule:conc_negation_error} or~\eqref{rule:conc_negation_ok}
7717: has the same structure of the proof for the unary minus case shown before.
7718:
7719: \paragraph*{Conjunction}
7720:
7721: Suppose $r$ is an instance of one of
7722: rules~\eqref{rule:conc_conjunction_0}--\eqref{rule:conc_conjunction_2}.
7723: By hypothesis,
7724: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
7725:
7726: If $r$ is an instance of~\eqref{rule:conc_conjunction_0}
7727: or~\eqref{rule:conc_conjunction_1},
7728: then $h=1$ and
7729: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7730: If $r$ is an instance of~\eqref{rule:conc_conjunction_0},
7731: by~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7732: we have $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$,
7733: which implies $\exceptstate \propto \exceptstate^\sharp_0$.
7734: If $r$ is an instance of~\eqref{rule:conc_conjunction_1},
7735: by Definition~\ref{def:memstruct-filter},
7736: \(
7737: \sigma_0
7738: \propto
7739: \sigma^\sharp_{\ffv}
7740: = \phi(\rho, \sigma^\sharp, \kw{not} b_0)
7741: \).
7742: Thus, since $\ffv \propto \alpha(\{\ffv\})$ holds by definition,
7743: we have $\langle \ffv, \sigma_0 \rangle \propto \valstate^\sharp_\ffv$.
7744: Hence, for both concrete rules,
7745: $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7746:
7747: If $r$ is an instance of~\eqref{rule:conc_conjunction_2}, then $h = 2$.
7748: By Definition~\ref{def:memstruct-filter},
7749: $\sigma_0 \propto \sigma^\sharp_\ttv$, so that
7750: $(\theta_{[1]},\theta^\sharp_{[1]}) \in S$ and
7751: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7752: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7753: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
7754: so that
7755: \(
7756: \eta
7757: \propto
7758: \langle \valstate^\sharp_1, \exceptstate^\sharp_1 \rangle
7759: \).
7760: Hence, $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
7761:
7762: \paragraph*{Disjunction}
7763: The proof when $r$ is an instance
7764: of one of
7765: rules~\eqref{rule:conc_disjunction_0}--\eqref{rule:conc_disjunction_2}
7766: is similar to that for conjunction.
7767:
7768: \subsection{Declarations}
7769:
7770: In Table~\ref{tab:abstract-tree-is-safe:declarations},
7771: $Q$ denotes a local declaration $D$ or a global declaration $G$.
7772: Moreover, $\eta_\mathrm{q} \in \{\Td, \Tg\}$ and
7773: $\eta^\sharp_\mathrm{q} \in \{\Td^\sharp, \Tg^\sharp\}$,
7774: the actual domains for $\eta_\mathrm{q}$ and $\eta^\sharp_\mathrm{q}$
7775: will depend on context.
7776:
7777: By \eqref{eq:def_S} we have $N \propto N^\sharp$.
7778: Thus letting $N = \langle Q, \sigma \rangle$
7779: and $N^\sharp = \langle Q, \sigma^\sharp \rangle$
7780: for any $Q \in \{D, G\}$,
7781: by Definition~\ref{def:nonterminal-abstract-configuration},
7782: we have the implicit hypothesis $\sigma \propto \sigma^\sharp$.
7783: We show using~\eqref{def:propto-terminal:decl}
7784: in Definition~\ref{def:terminal-abstract-configuration},
7785: that $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
7786:
7787: \begin{table}
7788: \caption{Corresponding concrete and abstract rules and
7789: terminals for declarations}
7790: \label{tab:abstract-tree-is-safe:declarations}
7791: \centering
7792: \footnotesize
7793: \begin{tabular}
7794: {|c|l|l|l|l|l|}
7795: \hline
7796: \multicolumn{1}{|c|}{$Q$}
7797: &\multicolumn{1}{c|}{$r$}
7798: &\multicolumn{1}{c|}{$r^\sharp$}
7799: &\multicolumn{1}{c|}{$\eta_\mathrm{q}$}
7800: &\multicolumn{2}{c|}{
7801: \(\eta^\sharp_\mathrm{q} =
7802: \bigl\langle
7803: (\rho^\sharp_a,\sigma^\sharp_a),
7804: \exceptstate^\sharp_a
7805: \bigr\rangle
7806: \) }\\
7807: \cline{5-6}
7808: &&&
7809: & \multicolumn{1}{c|}{$(\rho^\sharp_a, \sigma^\sharp_a)$}
7810: & \multicolumn{1}{c|}{$\exceptstate^\sharp_a$}\\
7811: \hline
7812: \hline
7813: $\kw{nil}$
7814: & \ref{rule:conc_decl_nil}
7815: & \ref{rule:abstr_decl_nil}
7816: & $\langle \emptyset, \sigma \rangle$
7817: & $(\emptyset, \sigma^\sharp)$
7818: & $\none^\sharp$ \\
7819: \hline
7820: $\rho_0$
7821: & \ref{rule:conc_decl_environment}
7822: & \ref{rule:abstr_decl_environment}
7823: & $\langle \rho_0, \sigma \rangle$
7824: & $(\rho_0, \sigma^\sharp)$
7825: & $\none^\sharp$ \\
7826: \hline
7827: $\kw{rec} \rho_0$
7828: & \ref{rule:conc_decl_rec_environment}
7829: & \ref{rule:abstr_decl_rec_environment}
7830: & $\langle \rho_1, \sigma \rangle$
7831: & $(\rho_1, \sigma^\sharp)$
7832: & $\none^\sharp$ \\
7833: \hline
7834: $\kw{gvar} \id : \sT = e$
7835: & \ref{rule:conc_gvar_decl_expr_err}/\ref{rule:conc_gvar_decl_dat_err}
7836: & \ref{rule:abstr_global_decl}
7837: & $\datcleanupshort(\exceptstate)$
7838: & $(\rho_1, \sigma^\sharp_1)$
7839: & $\datcleanupshort^\sharp(\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1)$\\
7840: & \ref{rule:conc_gvar_decl_ok}
7841: &
7842: & \(
7843: \langle
7844: \rho_1, \sigma_1
7845: \rangle
7846: \)
7847: &
7848: & \\
7849: \hline
7850: $\kw{lvar} \id : \sT = e$
7851: & \ref{rule:conc_lvar_decl_expr_err}/\ref{rule:conc_lvar_decl_stk_err}
7852: & \ref{rule:abstr_local_decl}
7853: & $\sunmarkshort(\exceptstate)$
7854: & $(\rho_1, \sigma^\sharp_1)$
7855: & $\sunmarkshort^\sharp(\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1)$\\
7856: & \ref{rule:conc_lvar_decl_ok}
7857: &
7858: & \(
7859: \langle
7860: \rho_1, \sigma_1
7861: \rangle
7862: \)
7863: &
7864: & \\
7865: \hline
7866: $\kw{function} \id(\fps) : \sT = e$
7867: & \ref{rule:conc_decl_function}
7868: & \ref{rule:abstr_decl_function}
7869: & $\langle \rho_0, \sigma \rangle$
7870: & $(\rho_0, \sigma^\sharp)$
7871: & $\none^\sharp$ \\
7872: \hline
7873: $\kw{rec} g$
7874: & \ref{rule:conc_decl_rec}
7875: & \ref{rule:abstr_recursive_decl}
7876: & $\eta$
7877: & \multicolumn{2}{c|}{$\eta^\sharp$} \\
7878: \hline
7879: $g_0;g_1$
7880: & \ref{rule:conc_glob_seq_err_0}/\ref{rule:conc_glob_seq_err_1}
7881: & \ref{rule:abstr_global_seq}
7882: & $\exceptstate$
7883: & $(\rho_0[\rho_1], \sigma^\sharp_1)$
7884: & $\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1$\\
7885: & \ref{rule:conc_glob_seq_ok}
7886: &
7887: & $\bigl\langle \rho_0[\rho_1], \sigma_1 \bigr\rangle$
7888: &
7889: & \\
7890: \hline
7891: $d_0;d_1$
7892: & \ref{rule:conc_decl_seq_err_0}--\ref{rule:conc_decl_seq_ok}
7893: & \ref{rule:abstr_local_seq}
7894: &\multicolumn{3}{c|}{Similar to the rows for `$g_0;g_1$'} \\
7895: \hline
7896: \end{tabular}
7897: \end{table}
7898:
7899: \paragraph*{Nil}
7900:
7901: If $r$ is an instance of~\eqref{rule:conc_decl_nil}
7902: then, by the hypothesis,
7903: $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
7904:
7905: \paragraph*{(Recursive) Environment}
7906:
7907: If $r$ is an instance of~\eqref{rule:conc_decl_environment}
7908: or~\eqref{rule:conc_decl_rec_environment} then, by the hypothesis,
7909: $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
7910:
7911: \paragraph*{Global Variable Declaration}
7912:
7913: If $r$ is an instance of one of
7914: rules~\eqref{rule:conc_gvar_decl_expr_err}--\eqref{rule:conc_gvar_decl_ok}
7915: then, by the hypothesis
7916: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$
7917: so that, as $h=1$,
7918: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7919: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7920: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
7921: %%
7922: If $r$ is an instance of~\eqref{rule:conc_gvar_decl_expr_err},
7923: then $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$
7924: implies $\exceptstate \propto \exceptstate^\sharp_0$;
7925: by Definition~\ref{def:abstract-memory-structure} and monotonicity
7926: of $\gamma$, we have
7927: \(
7928: \datcleanup(\exceptstate)
7929: \propto
7930: \datcleanup^\sharp(\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1)
7931: \),
7932: i.e., $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
7933: %%
7934: If $r$ is an instance
7935: of~\eqref{rule:conc_gvar_decl_dat_err}
7936: or~\eqref{rule:conc_gvar_decl_ok},
7937: then $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$
7938: implies $\valstate \propto \valstate^\sharp$.
7939: By Definition~\ref{def:abstract-memory-structure},
7940: \(
7941: \datnew(\valstate)
7942: \propto
7943: \datnew^\sharp(\valstate^\sharp)
7944: \).
7945: By the side condition for abstract rule~\eqref{rule:abstr_global_decl},
7946: \(
7947: \datnew^\sharp(\valstate)
7948: = \bigl((\sigma^\sharp_1, l), \exceptstate^\sharp_1\bigr)
7949: \).
7950: By the side conditions for~\eqref{rule:conc_gvar_decl_dat_err}
7951: and~\eqref{rule:conc_gvar_decl_ok},
7952: either $\datnew(\valstate) = \exceptstate \propto \exceptstate^\sharp_1$
7953: ---and hence
7954: \(
7955: \datcleanup(\exceptstate)
7956: \propto
7957: \datcleanup^\sharp(\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1)
7958: \)
7959: by Definition~\ref{def:abstract-memory-structure}---
7960: or $\datnew(\valstate) = (\sigma_1, l) \propto (\sigma^\sharp_1, l)$.
7961: Thus, in both cases, $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
7962:
7963: \paragraph*{Local Variable Declaration}
7964:
7965: The proof for local variable declaration,
7966: when $r$ is an instance of one of
7967: rules~\eqref{rule:conc_lvar_decl_expr_err}--\eqref{rule:conc_lvar_decl_ok},
7968: is the same as that for global variable declaration,
7969: with the few necessary adjustments
7970: (i.e., using $\sunmark$, $\asunmark$, $\stknew$,
7971: $\stknew^\sharp$ and $i$
7972: in place of $\datcleanup$, $\datcleanup^\sharp$, $\datnew$,
7973: $\datnew^\sharp$ and $l$).
7974:
7975: \paragraph*{Function Declaration}
7976:
7977: If $r$ is an instance of~\eqref{rule:conc_decl_function}
7978: then, by the hypothesis,
7979: $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
7980:
7981: \paragraph*{Recursive Declaration}
7982:
7983: If $r$ is an instance
7984: of~\eqref{rule:conc_decl_rec},
7985: then $h = 2$ and, by the hypothesis,
7986: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
7987: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7988: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$,
7989: which implies that $\rho_0$ denotes the same environment in both
7990: $r$ and $r^\sharp$ and $\sigma_0 \propto \sigma^\sharp_0$.
7991: Hence, $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$ and
7992: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
7993: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
7994: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
7995: which implies $\eta \propto \eta^\sharp$.
7996: Hence, $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
7997:
7998: \paragraph*{Global Sequential Composition}
7999:
8000: If $r$ is an instance of one of rules
8001: \eqref{rule:conc_glob_seq_err_0}--\eqref{rule:conc_glob_seq_ok},
8002: then $1 \leq h \leq 2$ and
8003: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
8004: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8005: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8006:
8007: If $r$ is an instance of~\eqref{rule:conc_glob_seq_err_0},
8008: then $h=1$ and
8009: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8010: Also, $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$
8011: implies $\exceptstate \propto \exceptstate^\sharp_0$
8012: and hence $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
8013:
8014: If $r$ is an instance
8015: of~\eqref{rule:conc_glob_seq_err_1} or
8016: \eqref{rule:conc_glob_seq_ok},
8017: then $h = 2$ and,
8018: since $\sigma_0 \propto \sigma^\sharp_0$,
8019: $(\theta_{[1]} \propto \theta^\sharp_{[1]}) \in S$, so that
8020: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8021: By~\eqref{enum:abstract-tree-is-safe:inductive_assume}, we have
8022: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$.
8023: If $r$ is an instance of~\eqref{rule:conc_glob_seq_err_1},
8024: then $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8025: implies $\exceptstate \propto \exceptstate^\sharp_1$,
8026: so that $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
8027: If $r$ is an instance of~\eqref{rule:conc_glob_seq_ok},
8028: then $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$
8029: and $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8030: imply that $\sigma_1 \propto \sigma^\sharp_1$ and that the two
8031: environments $\rho_0$ and $\rho_1$ are the same in both $r$ and $r^\sharp$.
8032: Hence, their composition $\rho_0[\rho_1]$ is the same in both rules
8033: $r$ and $r^\sharp$,
8034: so that $\eta_\mathrm{q} \propto \eta^\sharp_\mathrm{q}$.
8035:
8036: \paragraph*{Local Sequential Composition}
8037:
8038: The proof when $r$ is an instance of one of
8039: rules \eqref{rule:conc_decl_seq_err_0}--\eqref{rule:conc_decl_seq_ok}
8040: is similar to that for global sequential composition.
8041:
8042: \subsection{Statements}
8043:
8044: For this part of the proof,
8045: we use Table~\ref{tab:abstract-tree-is-safe:statements}.
8046: By \eqref{eq:def_S}, $N \propto N^\sharp$.
8047: Thus letting $N = \langle s, \sigma \rangle$
8048: and $N^\sharp = \langle s, \sigma^\sharp \rangle$,
8049: by Definition~\ref{def:nonterminal-abstract-configuration},
8050: we have the implicit hypothesis $\sigma \propto \sigma^\sharp$.
8051: We show using~\eqref{def:propto-terminal:statement}
8052: in Definition~\ref{def:terminal-abstract-configuration},
8053: that $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8054:
8055: \begin{table}
8056: %% \begin{sidewaystable}
8057: \caption{Corresponding concrete and abstract rules and
8058: terminals for statements}
8059: \label{tab:abstract-tree-is-safe:statements}
8060: \centering
8061: \footnotesize
8062: \begin{tabular}
8063: {|c|l|l|l|l|l|}
8064: \hline
8065: \multicolumn{1}{|c|}{$S$}
8066: &\multicolumn{1}{c|}{$r$}
8067: &\multicolumn{1}{c|}{$r^\sharp$}
8068: &\multicolumn{1}{c|}{$\eta_\mathrm{s}$}
8069: &\multicolumn{2}{c|}{
8070: \(\eta^\sharp_\mathrm{s} =
8071: \langle
8072: \sigma^\sharp_a,
8073: \exceptstate^\sharp_a
8074: \rangle
8075: \) }\\
8076: \cline{5-6}
8077: &&&
8078: & \multicolumn{1}{c|}{$\sigma^\sharp_a$}
8079: & \multicolumn{1}{c|}{$\exceptstate^\sharp_a$}\\
8080: \hline
8081: \hline
8082: $\kw{nop}$
8083: & \ref{rule:conc_nop}
8084: & \ref{rule:abstr_nop}
8085: & $\sigma$
8086: & $\sigma^\sharp$
8087: & $\none^\sharp$ \\
8088: \hline
8089: $\id := e$
8090: & \ref{rule:conc_assignment_error}
8091: & \ref{rule:abstr_assignment}
8092: & $\exceptstate$
8093: & $\sigma^\sharp_1$
8094: & $\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1$ \\
8095: & \ref{rule:conc_assignment_ok}
8096: &
8097: & $\sigma_0\bigl[ \rho(\id) := \sval \bigr]$
8098: &
8099: & \\
8100: \hline
8101: $s_0 ; s_1$
8102: & \ref{rule:conc_sequence_0}
8103: & \ref{rule:abstr_sequence}
8104: & $\exceptstate$
8105: & $\sigma^\sharp_1$
8106: & $\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1$ \\
8107: & \ref{rule:conc_sequence_1}
8108: &
8109: & $\eta$
8110: &
8111: & \\
8112: \hline
8113: $d ; s$
8114: & \ref{rule:conc_block_0}
8115: & \ref{rule:abstr_block}
8116: & $\exceptstate$
8117: & $\sunmarkshort^\sharp(\sigma^\sharp_1)$
8118: & \(
8119: \exceptstate^\sharp_0
8120: \sqcup
8121: \sunmarkshort^\sharp(\exceptstate^\sharp_1)
8122: \) \\
8123: & \ref{rule:conc_block_1}
8124: &
8125: & $\sunmarkshort(\eta)$
8126: &
8127: & \\
8128: \hline
8129: $\kw{if} e \kw{then} s_0 \kw{else}\, s_1$
8130: & \ref{rule:conc_conditional_error}
8131: & \ref{rule:abstr_conditional}
8132: & $\exceptstate$
8133: & $\sigma^\sharp_1 \sqcup \sigma^\sharp_2$
8134: & \(
8135: \exceptstate^\sharp_0
8136: \sqcup \exceptstate^\sharp_1
8137: \sqcup \exceptstate^\sharp_2
8138: \) \\
8139: & \ref{rule:conc_conditional_true}/\ref{rule:conc_conditional_false}
8140: &
8141: & $\eta$
8142: &
8143: & \\
8144: \hline
8145: $\kw{while} e \kw{do} s_0$
8146: & \ref{rule:conc_while_guard_error}/\ref{rule:conc_while_true_body_error}
8147: & \ref{rule:abstr_while}
8148: & $\exceptstate$
8149: & $\sigma^\sharp_\ffv \sqcup \sigma^\sharp_2$
8150: & \(
8151: \exceptstate^\sharp_0
8152: \sqcup \exceptstate^\sharp_1
8153: \sqcup \exceptstate^\sharp_2
8154: \) \\
8155: & \ref{rule:conc_while_false_ok}
8156: &
8157: & $\sigma_0$
8158: &
8159: & \\
8160: & \ref{rule:conc_while_true_body_ok}
8161: &
8162: & $\eta$
8163: &
8164: & \\
8165: \hline
8166: $\kw{throw} s$
8167: & \ref{rule:conc_throw_except}
8168: & \ref{rule:abstr_throw_except}
8169: & $\langle \sigma, \rtsexcept \rangle$
8170: & $\bot$
8171: & $\exceptstate^\sharp$ \\
8172: & \ref{rule:conc_throw_expr_error}
8173: & \ref{rule:abstr_throw_expr}
8174: & $\exceptstate$
8175: &
8176: & $\exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_1$ \\
8177: & \ref{rule:conc_throw_expr_ok}
8178: &
8179: & $\langle \sigma_0, \sval \rangle$
8180: &
8181: & \\
8182: \hline
8183: $\kw{try} s \kw{catch} k$
8184: & \ref{rule:conc_try_no_except}
8185: & \ref{rule:abstr_try_catch}
8186: & $\sigma_0$
8187: & $\sigma^\sharp_0 \sqcup \sigma^\sharp_1$
8188: & $\exceptstate^\sharp_1 \sqcup \exceptstate^\sharp_2$ \\
8189: & \ref{rule:conc_try_except}
8190: &
8191: & $\eta$
8192: &
8193: & \\
8194: \hline
8195: $\kw{try} s_0 \kw{finally} s_1$
8196: & \ref{rule:conc_try_finally}
8197: & \ref{rule:abstr_try_finally}
8198: & $\eta$
8199: & $\sigma^\sharp_2$
8200: & \(
8201: \exceptstate^\sharp_2 \sqcup
8202: \exceptstate^\sharp_3 \sqcup
8203: (\spair{\sigma^\sharp_3}{\except^\sharp_1})
8204: \) \\
8205: & \ref{rule:conc_try_finally_exc_0}
8206: &
8207: & $\langle \sigma_1, \except_0 \rangle$
8208: &
8209: & \\
8210: & \ref{rule:conc_try_finally_exc_1}
8211: &
8212: & $\exceptstate$
8213: &
8214: & \\
8215: \hline
8216: $\id := \id_0(e_1, \ldots, e_n)$
8217: & \ref{rule:conc_function_call_param_err}
8218: & \ref{rule:abstr_function_call_eval}
8219: & $\exceptstate$
8220: & $\sunmarkshort^\sharp(\sigma^\sharp_2)$
8221: & $\exceptstate^\sharp = \exceptstate^\sharp_0$ \\
8222: & \ref{rule:conc_function_call_eval_err}
8223: &
8224: & $\sunmarkshort\bigl(\sunlinkshort(\exceptstate)\bigr)$
8225: &
8226: & \(\qquad
8227: \sqcup
8228: \sunmarkshort^\sharp
8229: \bigl(
8230: \sunlinkshort^\sharp(\exceptstate^\sharp_1)
8231: \bigr)
8232: \) \\
8233: & \ref{rule:conc_function_call_eval_ok}
8234: &
8235: & $\sunmarkshort(\eta_2)$
8236: &
8237: & $\qquad \sqcup \sunmarkshort(\exceptstate^\sharp_2)$ \\
8238: \hline
8239: \end{tabular}
8240: %% \end{sidewaystable}
8241: \end{table}
8242:
8243: \paragraph*{Nop}
8244:
8245: If $r$ is an instance of~\eqref{rule:conc_nop} then,
8246: by the hypothesis,
8247: $\eta_\mathrm{e} \propto \eta^\sharp_\mathrm{e}$.
8248:
8249: \paragraph*{Assignment}
8250:
8251: Suppose $r$ is an instance of
8252: \eqref{rule:conc_assignment_error}
8253: or~\eqref{rule:conc_assignment_ok}.
8254: Then $h = 1$
8255: and, by the hypothesis, $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$
8256: and hence
8257: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8258: By~\eqref{enum:abstract-tree-is-safe:inductive_assume} we have
8259: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8260: %%
8261: If $r$ is an instance of~\eqref{rule:conc_assignment_error},
8262: $\exceptstate \propto \exceptstate^\sharp_0$.
8263: Moreover, if $r$ is an instance of~\eqref{rule:conc_assignment_ok},
8264: \(
8265: \langle \sval, \sigma_0 \rangle
8266: \propto
8267: \langle \sval_0^\sharp, \sigma^\sharp_0 \rangle
8268: \)
8269: so that, by Definition~\ref{def:abstract-memory-structure},
8270: \(
8271: \sigma_0\bigl[ \rho(\id) := \sval \bigr]
8272: \propto
8273: \sigma^\sharp_0\bigl[ \rho(\id) := \sval^\sharp \bigr]
8274: \);
8275: letting
8276: \(
8277: \sigma^\sharp_0\bigl[ \rho(\id) := \sval^\sharp \bigr]
8278: = (\sigma^\sharp_1, \exceptstate^\sharp_1)
8279: \),
8280: this means that either we have
8281: $\sigma_0\bigl[ \rho(\id) := \sval \bigr] \in \ExceptState$,
8282: so that
8283: $\sigma_0\bigl[ \rho(\id) := \sval \bigr] \propto \exceptstate^\sharp_1$,
8284: or we have
8285: $\sigma_0\bigl[ \rho(\id) := \sval \bigr] \in \Mem$,
8286: so that
8287: $\sigma_0\bigl[ \rho(\id) := \sval \bigr] \propto \sigma^\sharp_1$.
8288: In all cases, $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8289:
8290: \paragraph*{Statement Sequence}
8291:
8292: Suppose $r$ is an instance of
8293: \eqref{rule:conc_sequence_0}
8294: or~\eqref{rule:conc_sequence_1}.
8295: Then $1 \le h \le 2$
8296: and, by the hypothesis, $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
8297: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8298: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8299: %%
8300: If $r$ is an instance of rule~\eqref{rule:conc_sequence_0}, as $h = 1$,
8301: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds
8302: and also $\exceptstate \propto \exceptstate^\sharp_0$.
8303: %%
8304: If $r$ is an instance of \eqref{rule:conc_sequence_1},
8305: then $\sigma_0 \propto \sigma_0^\sharp$
8306: so that $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$;
8307: also, as $h = 2$,
8308: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds;
8309: by~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8310: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8311: so that $\eta \propto \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle$.
8312: Hence, in both cases, $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8313:
8314: \paragraph*{Block}
8315:
8316: Suppose $r$ is an instance of
8317: \eqref{rule:conc_block_0}
8318: or~\eqref{rule:conc_block_1}.
8319: Then $1 \le h \le 2$
8320: and, by the hypothesis and Definition~\ref{def:abstract-memory-structure},
8321: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
8322: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8323: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8324: %%
8325: If $r$ is an instance of~\eqref{rule:conc_block_0}, as $h = 1$,
8326: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds
8327: and also $\exceptstate \propto \exceptstate^\sharp_0$.
8328: %%
8329: If $r$ is an instance of \eqref{rule:conc_block_1},
8330: then $\sigma_0 \propto \sigma_0^\sharp$
8331: so that $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$;
8332: also, as $h = 2$,
8333: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds;
8334: by~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8335: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$;
8336: so that $\eta \propto \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle$
8337: and therefore, by Definition~\ref{def:abstract-memory-structure},
8338: \(
8339: \sunmark(\eta)
8340: \propto
8341: \bigl\langle
8342: \asunmark(\sigma^\sharp_1),
8343: \asunmark(\exceptstate^\sharp_1)
8344: \bigr\rangle
8345: \).
8346: Hence, in both cases $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8347:
8348: \paragraph*{Conditional}
8349:
8350: Suppose $r$ is an instance of one of rules
8351: \eqref{rule:conc_conditional_error}--\eqref{rule:conc_conditional_false}.
8352: %%
8353: Then $1 \le h \le 2$ and,
8354: by the hypothesis, $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
8355: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8356: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8357:
8358: If $r$ is an instance of~\eqref{rule:conc_conditional_error}, $h = 1$,
8359: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds
8360: and, as $\exceptstate \propto \exceptstate^\sharp_0$,
8361: $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8362:
8363: If $r$ is an instance of~\eqref{rule:conc_conditional_true}
8364: or~\eqref{rule:conc_conditional_false},
8365: then $h = 2$ and $\sigma_0 \propto \sigma^\sharp_0$.
8366: By the side conditions and Definition~\ref{def:memstruct-filter},
8367: if $\ttv \propto t^\sharp$, then
8368: $\langle \ttv, \sigma_0 \rangle \propto \langle t^\sharp, \sigma_\ttv \rangle$
8369: and, if $\ffv \propto t^\sharp$, then
8370: $\langle \ffv, \sigma_0 \rangle \propto \langle t^\sharp, \sigma_\ffv \rangle$.
8371: Hence, if~\eqref{rule:conc_conditional_true} applies,
8372: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8373: so that $\eta \propto \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle$;
8374: and, if~\eqref{rule:conc_conditional_false} applies,
8375: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[2]}(\emptystring)$
8376: so that $\eta \propto \langle \sigma^\sharp_2, \exceptstate^\sharp_2 \rangle$.
8377: Hence, in both cases,
8378: $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8379:
8380: \paragraph*{While}
8381:
8382: Suppose $r$ is an instance of one of rules
8383: \eqref{rule:conc_while_guard_error}--\eqref{rule:conc_while_true_body_ok}.
8384: %%
8385: Then $1 \le h \le 3$ and, by hypothesis,
8386: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
8387: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8388: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8389:
8390: If $r$ is an instance of~\eqref{rule:conc_while_guard_error},
8391: $h = 1$,
8392: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds
8393: and, as $\exceptstate \propto \exceptstate^\sharp_0$,
8394: $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8395:
8396: Suppose $r$ is an instance of
8397: \eqref{rule:conc_while_false_ok},
8398: \eqref{rule:conc_while_true_body_error} or
8399: \eqref{rule:conc_while_true_body_ok}.
8400: By the side conditions and Definition~\ref{def:memstruct-filter},
8401: if $\ttv \propto t^\sharp$, then
8402: $\langle \ttv, \sigma_0 \rangle \propto \langle t^\sharp, \sigma_\ttv \rangle$
8403: and, if $\ffv \propto t^\sharp$, then
8404: $\langle \ffv, \sigma_0 \rangle \propto \langle t^\sharp, \sigma_\ffv \rangle$.
8405:
8406: If $r$ is an instance of~\eqref{rule:conc_while_false_ok},
8407: then, as $h = 1$,
8408: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds
8409: and hence $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8410:
8411: If $r$ is an instance of~\eqref{rule:conc_while_true_body_error},
8412: then $h = 2$.
8413: Thus $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$ and
8414: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8415: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8416: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8417: so that $\exceptstate \propto \exceptstate^\sharp_1$.
8418: Hence $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8419:
8420: If $r$ is an instance of~\eqref{rule:conc_while_true_body_ok},
8421: then $h = 3$.
8422: Thus $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$.
8423: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8424: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8425: so that $\sigma_1 \propto \sigma^\sharp_1$.
8426: %%
8427: Thus $(\theta_{[2]}, \theta^\sharp_{[2]}) \in S$ and
8428: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8429: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8430: $\theta_{[2]}(\emptystring) \propto \theta^\sharp_{[2]}(\emptystring)$
8431: so that $\eta \propto \langle \sigma^\sharp_2, \exceptstate^\sharp_2 \rangle$.
8432: Hence $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8433:
8434: \paragraph*{Throw}
8435:
8436: Suppose $r$ is an instance of~\eqref{rule:conc_throw_except}.
8437: Then $s = \rtsexcept \in \RTSExcept$
8438: (so that rule~\eqref{rule:abstr_throw_expr}
8439: is not applicable).
8440: By definition of
8441: $\pard{\alpha}{\wp(\RTSExcept)}{\RTSExcept^\sharp}$,
8442: $\rtsexcept \propto \alpha(\{\rtsexcept\})$.
8443: Since, by hypothesis, $\sigma \propto \sigma^\sharp$,
8444: \(
8445: \spair{\sigma^\sharp}{\alpha(\{\rtsexcept\})}
8446: = \bigl\langle \sigma^\sharp, \alpha(\{\rtsexcept\}) \bigr\rangle
8447: \)
8448: so that, by the side condition for~\eqref{rule:abstr_throw_except},
8449: $(\sigma, \rtsexcept) \propto \exceptstate^\sharp$.
8450: Hence $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8451:
8452: Suppose $r$ is an instance of
8453: \eqref{rule:conc_throw_expr_error}
8454: or~\eqref{rule:conc_throw_expr_ok}.
8455: Then $s = e \in \Exp$ (so that rule~\eqref{rule:abstr_throw_except}
8456: is not applicable).
8457: By hypothesis, $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$ and,
8458: as $h = 1$,
8459: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8460: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8461: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8462: %%
8463: If $r$ is an instance of~\eqref{rule:conc_throw_expr_error},
8464: then $\exceptstate \propto \exceptstate^\sharp_0$,
8465: while, if $r$ is an instance of~\eqref{rule:conc_throw_expr_ok},
8466: $\sval \propto \sval^\sharp$ and
8467: $\sigma_0 \propto \sigma^\sharp_0$.
8468: Hence, in both cases, $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8469:
8470: \paragraph*{Try Blocks}
8471:
8472: Suppose $r$ is an instance of
8473: \eqref{rule:conc_try_no_except}--\eqref{rule:conc_try_finally_exc_1}.
8474: By hypothesis, $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
8475: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8476: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8477: Note that if $r$ is an instance of
8478: \eqref{rule:conc_try_no_except} or \eqref{rule:conc_try_except},
8479: only abstract rule \eqref{rule:abstr_try_catch} will be applicable while
8480: if $r$ is an instance of
8481: \eqref{rule:conc_try_finally}--\eqref{rule:conc_try_finally_exc_1},
8482: only abstract rule \eqref{rule:abstr_try_finally} will be applicable.
8483:
8484: If $r$ is an instance of \eqref{rule:conc_try_no_except},
8485: $h = 1$,
8486: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds
8487: and, as $\sigma_0 \propto \sigma^\sharp_0$,
8488: $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8489:
8490: If $r$ is an instance of \eqref{rule:conc_try_except},
8491: then $\exceptstate_0 \propto \exceptstate^\sharp_0$
8492: so that $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$.
8493: Thus, as $h=2$,
8494: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8495: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8496: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8497: so that
8498: \(
8499: \langle u, \eta \rangle \propto
8500: \bigl\langle
8501: (\sigma^\sharp_1, \exceptstate^\sharp_1), \exceptstate^\sharp_2
8502: \bigr\rangle
8503: \)
8504: where $u \in \{ \caught, \uncaught \}$.
8505: By Definition~\ref{def:terminal-abstract-configuration},
8506: if $u = \caught$, then
8507: $\eta \propto \langle \sigma^\sharp_1, \exceptstate^\sharp_1 \rangle$
8508: and, if $u = \uncaught$, then
8509: \(
8510: \eta \propto
8511: \exceptstate^\sharp_2
8512: \).
8513: Hence, in both cases, $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8514:
8515: If $r$ is an instance of rule~\eqref{rule:conc_try_finally},
8516: $\sigma_0 \propto \sigma_0^\sharp$;
8517: hence $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$ and
8518: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8519: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8520: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8521: so that
8522: $\eta \propto \langle \sigma^\sharp_2, \exceptstate^\sharp_2 \rangle$.
8523: Hence $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8524:
8525: If $r$ is an instance of \eqref{rule:conc_try_finally_exc_0}
8526: or~\eqref{rule:conc_try_finally_exc_1},
8527: \(
8528: \langle \sigma_0, \except_0 \rangle \propto
8529: \langle \sigma^\sharp_1, \except^\sharp_1 \rangle
8530: \);
8531: hence $\sigma_0 \propto \sigma^\sharp_1$
8532: and $\except_0 \propto \except^\sharp_1$
8533: so that $(\theta_{[1]}, \theta^\sharp_{[2]}) \in S$ and
8534: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8535: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8536: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[2]}(\emptystring)$.
8537: Thus, if \eqref{rule:conc_try_finally_exc_0} applies,
8538: $\sigma_1 \propto \langle \sigma^\sharp_3, \exceptstate^\sharp_3 \rangle$
8539: so that
8540: \(
8541: \langle \sigma_1, \except_0 \rangle \propto
8542: (\spair{\sigma^\sharp_3}{\except^\sharp_1})
8543: \);
8544: and, if \eqref{rule:conc_try_finally_exc_1} applies,
8545: $\exceptstate \propto \langle \sigma^\sharp_3, \exceptstate^\sharp_3 \rangle$
8546: so that $\exceptstate \propto \exceptstate^\sharp_3$.
8547: Hence, in both cases, $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8548:
8549: \paragraph*{Function call}
8550:
8551: If $r$ is an instance of one of rules
8552: \eqref{rule:conc_function_call_param_err}--\eqref{rule:conc_function_call_eval_ok},
8553: then $1 \leq h \leq 3$ and $\ell = 3$.
8554: Then the conditions \eqref{eq:function-call-condition-beta-rho-d}
8555: and \eqref{eq:function-call-condition-rho0-rho1}
8556: are also conditions for abstract
8557: rule~\eqref{rule:abstr_function_call_eval}.
8558: By hypothesis and Definition~\ref{def:abstract-memory-structure},
8559: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$;
8560: by~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8561: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8562:
8563: If $r$ is an instance
8564: of~\eqref{rule:conc_function_call_param_err}, then
8565: $\exceptstate \propto \exceptstate^\sharp_0$, $h = 1$ and
8566: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8567: Hence $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8568:
8569: If $r$ is an instance of~\eqref{rule:conc_function_call_eval_err},
8570: then $\sigma_0 \propto \sigma_0^\sharp$
8571: so that, by Definition~\ref{def:abstract-memory-structure},
8572: $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$;
8573: also, as $h = 2$,
8574: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8575: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8576: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8577: and $\exceptstate \propto \exceptstate^\sharp_1$;
8578: by Definition~\ref{def:abstract-memory-structure},
8579: \(
8580: \sunmark\bigl(\sunlink(\exceptstate)\bigr)
8581: \propto
8582: \asunmark\bigl(\asunlink(\exceptstate^\sharp_1)\bigr)
8583: \).
8584: Hence $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8585:
8586: If $r$ is an instance of~\eqref{rule:conc_function_call_eval_ok},
8587: then $\sigma_1 \propto \sigma_1^\sharp$
8588: so that, by Definition~\ref{def:abstract-memory-structure},
8589: $(\theta_{[2]}, \theta^\sharp_{[2]}) \in S$;
8590: also, as $h = 3$,
8591: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8592: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8593: $\theta_{[2]}(\emptystring) \propto \theta^\sharp_{[2]}(\emptystring)$
8594: and
8595: $\eta_2 \propto \langle \sigma^\sharp_2, \exceptstate^\sharp_2 \rangle$;
8596: by Definition~\ref{def:abstract-memory-structure},
8597: \(
8598: \sunmark(\eta_2)
8599: \propto
8600: \bigl\langle
8601: \asunmark(\sigma^\sharp_2),
8602: \asunmark(\exceptstate_2^\sharp)
8603: \bigr\rangle
8604: \).
8605: Hence $\eta_\mathrm{s} \propto \eta^\sharp_\mathrm{s}$.
8606:
8607: \subsection{Function Bodies}
8608:
8609: \begin{table}
8610: \caption{Corresponding concrete and abstract rules and
8611: terminals for function bodies}
8612: \label{tab:abstract-tree-is-safe:function-bodies}
8613: \centering
8614: \footnotesize
8615: \begin{tabular}
8616: {|c|l|l|l|l|l|}
8617: \hline
8618: \multicolumn{1}{|c|}{$B$}
8619: &\multicolumn{1}{c|}{$r$}
8620: &\multicolumn{1}{c|}{$r^\sharp$} &\multicolumn{1}{c|}{$\eta_\mathrm{b}$}
8621: &\multicolumn{2}{c|}{
8622: \(\eta^\sharp_\mathrm{b} =
8623: \bigl\langle
8624: (\sval^\sharp_a,\sigma^\sharp_a),
8625: \exceptstate^\sharp_a
8626: \bigr\rangle
8627: \) }\\
8628: \cline{5-6}
8629: &&&
8630: & \multicolumn{1}{c|}{$(\sval^\sharp_a,\sigma^\sharp_a)$}
8631: & \multicolumn{1}{c|}{$\exceptstate^\sharp_a$}\\
8632: \hline
8633: \hline
8634: $\kw{let} d \,\kw{in} s \kw{result} e$
8635: & \ref{rule:conc_function_body_0}
8636: & \ref{rule:abstr_function_body}
8637: & $\exceptstate$
8638: & $\sunmarkshort^\sharp(\sigma^\sharp_2)$
8639: & $\exceptstate^\sharp_3 = \exceptstate^\sharp_0$ \\
8640: & \ref{rule:conc_function_body_1}
8641: &
8642: & $\sunmarkshort(\exceptstate)$
8643: &
8644: & $\qquad\; \sqcup \sunmarkshort^\sharp(\exceptstate^\sharp_1 \sqcup \exceptstate^\sharp_2)$ \\
8645: & \ref{rule:conc_function_body_2}
8646: &
8647: & $\sunmarkshort(\eta_0)$
8648: &
8649: & \\
8650: \hline
8651: $\kw{extern} : \sT$
8652: & \ref{rule:conc_function_body_extern}
8653: & \ref{rule:abstr_function_body_extern}
8654: & $\sigma_0 \vbar \langle\sigma_0, \except\rangle$
8655: & $\sigma^\sharp_0$
8656: & $(\sigma^\sharp_0, \top)$ \\
8657: \hline
8658: \end{tabular}
8659: \end{table}
8660:
8661: For this part of the proof,
8662: we use Table~\ref{tab:abstract-tree-is-safe:function-bodies}.
8663: By \eqref{eq:def_S}, $N \propto N^\sharp$.
8664: Thus letting $N = \langle B, \sigma \rangle$
8665: and $N^\sharp = \langle B, \sigma^\sharp \rangle$,
8666: by Definition~\ref{def:nonterminal-abstract-configuration},
8667: we have the implicit hypothesis $\sigma \propto \sigma^\sharp$.
8668: We show using~\eqref{def:propto-terminal:statement}
8669: in Definition~\ref{def:terminal-abstract-configuration},
8670: that $\eta_\mathrm{b} \propto \eta^\sharp_\mathrm{b}$.
8671:
8672: Suppose $r$ is an instance
8673: of one of rules
8674: \eqref{rule:conc_function_body_0}--\eqref{rule:conc_function_body_2}.
8675: By hypothesis and Definition~\ref{def:abstract-memory-structure},
8676: $\smark(\sigma) \propto \asmark(\sigma^\sharp)$, so that
8677: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$.
8678: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8679: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8680:
8681: If $r$ is an instance of~\eqref{rule:conc_function_body_0},
8682: $\exceptstate \propto \exceptstate^\sharp_0$,
8683: $h=1$ and
8684: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8685: Hence $\eta_\mathrm{b} \propto \eta^\sharp_\mathrm{b}$.
8686:
8687: If $r$ is an instance of~\eqref{rule:conc_function_body_1},
8688: $\sigma_0 \propto \sigma^\sharp_0$;
8689: hence
8690: $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$
8691: and, as $h = 2$,
8692: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8693: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8694: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$
8695: so that $\exceptstate \propto \exceptstate^\sharp_1$.
8696: By Definition~\ref{def:abstract-memory-structure},
8697: $\sunmark(\exceptstate) \propto \asunmark(\exceptstate^\sharp_1)$;
8698: hence $\eta_\mathrm{b} \propto \eta^\sharp_\mathrm{b}$.
8699:
8700: If $r$ is an instance of~\eqref{rule:conc_function_body_2},
8701: $\sigma_0 \propto \sigma^\sharp_0$;
8702: hence $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$.
8703: By~\eqref{enum:abstract-tree-is-safe:inductive_assume} we have
8704: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$,
8705: so that $\sigma_1 \propto \sigma^\sharp_1$; hence
8706: $(\theta_{[2]}, \theta^\sharp_{[2]}) \in S$;
8707: as $h = 3$,
8708: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8709: Again, by~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8710: $\theta_{[2]}(\emptystring) \propto \theta^\sharp_{[2]}(\emptystring)$;
8711: hence,
8712: $\eta_0 \propto \langle \sigma^\sharp_2, \exceptstate^\sharp_2 \rangle$.
8713: %%
8714: By Definition~\ref{def:abstract-memory-structure},
8715: \(
8716: \sunmark(\eta_0)
8717: \propto
8718: \bigl\langle
8719: \asunmark(\sigma^\sharp_2),
8720: \asunmark(\exceptstate^\sharp_2)
8721: \bigr\rangle
8722: \);
8723: hence $\eta_\mathrm{b} \propto \eta^\sharp_\mathrm{b}$.
8724:
8725: Suppose $r$ is an instance of~\eqref{rule:conc_function_body_extern}.
8726: Then $\sigma = (\mu, w)$ and $\sigma_0 = (\mu_0, w)$.
8727: By the hypothesis, $\sigma \propto \sigma^\sharp$;
8728: hence, by the side conditions, $\sigma_0 \propto \sigma^\sharp_0$;
8729: also, $\except \propto \top$,
8730: so that $\eta_\mathrm{b} \propto \eta^\sharp_\mathrm{b}$.
8731:
8732: \subsection{Catch Clauses}
8733:
8734: For this part of the proof,
8735: we use Table~\ref{tab:abstract-tree-is-safe:catch-clauses}.
8736: By \eqref{eq:def_S}, $N \propto N^\sharp$.
8737: Thus, letting $N = \langle K, \exceptstate \rangle$
8738: and $N^\sharp = \langle K, \exceptstate^\sharp \rangle$,
8739: by Definition~\ref{def:nonterminal-abstract-configuration},
8740: we have the implicit hypothesis $\exceptstate \propto \exceptstate^\sharp$.
8741: We show using~\eqref{def:propto-terminal:catch}
8742: in Definition~\ref{def:terminal-abstract-configuration},
8743: that $\eta_\mathrm{k} \propto \eta^\sharp_\mathrm{k}$.
8744:
8745: \begin{table}
8746: \caption{Corresponding concrete and abstract rules and
8747: terminals for catch clauses}
8748: \label{tab:abstract-tree-is-safe:catch-clauses}
8749: \centering
8750: \footnotesize
8751: \begin{tabular}
8752: {|c|l|l|l|l|l|}
8753: \hline
8754: \multicolumn{1}{|c|}{$K$}
8755: &\multicolumn{1}{c|}{$r$}
8756: &\multicolumn{1}{c|}{$r^\sharp$}
8757: &\multicolumn{1}{c|}{$\eta_\mathrm{k}$}
8758: &\multicolumn{2}{c|}{
8759: \(\eta^\sharp_\mathrm{k} =
8760: \langle
8761: \eta^\sharp_a,
8762: \exceptstate^\sharp_a
8763: \rangle
8764: \) }\\
8765: \cline{5-6}
8766: &&&
8767: & \multicolumn{1}{c|}{$\eta^\sharp_a$}
8768: & \multicolumn{1}{c|}{$\exceptstate^\sharp_a$}\\
8769: \hline
8770: \hline
8771: $(\kw{any}) \, s \vbar (\rtsexcept) \, s \vbar (\sT) \, s$
8772: & \ref{rule:conc_catch_caught}
8773: & \ref{rule:abstr_catch_maybe_caught}
8774: & $\langle \caught, \eta_0 \rangle$
8775: & $\eta^\sharp_1$
8776: & $\exceptstate^\sharp_1$ \\
8777: \hline
8778: $(\id : \sT) \, s$
8779: & \ref{rule:conc_catch_expr_caught_stkerr}
8780: & \ref{rule:abstr_catch_expr_maybe_caught}
8781: & $\bigl\langle \caught, \sunmarkshort(\exceptstate_0) \bigr\rangle$
8782: & $(\sigma_4, \exceptstate_4) = \bigl(\sunmarkshort^\sharp(\sigma^\sharp_3)$,
8783: & $\exceptstate^\sharp_1$ \\
8784: & \ref{rule:conc_catch_expr_caught_noerr}
8785: &
8786: & $\langle \caught, \eta_0 \rangle$
8787: & $\qquad \sunmarkshort^\sharp(\exceptstate^\sharp_2) \sqcup \sunmarkshort^\sharp(\exceptstate^\sharp_3)\bigr)$
8788: & \\
8789: \hline
8790: $(\rtsexcept) \, s \vbar (\sT) \, s$
8791: & \ref{rule:conc_catch_uncaught}
8792: & \ref{rule:abstr_catch_maybe_caught}
8793: & $\bigl\langle \uncaught, (\sigma, \except) \bigr\rangle$
8794: & $\eta^\sharp_1$
8795: & $\exceptstate^\sharp_1$ \\
8796: \hline
8797: $(\id : \sT) \, s$
8798: & \ref{rule:conc_catch_uncaught}
8799: & \ref{rule:abstr_catch_expr_maybe_caught}
8800: & $\bigl\langle \uncaught, (\sigma, \except) \bigr\rangle$
8801: & $(\sigma^\sharp_3, \exceptstate^\sharp_2 \sqcup \exceptstate^\sharp_3)$
8802: & $\exceptstate^\sharp_1$ \\
8803: \hline
8804: $k_0;k_1$
8805: & \ref{rule:conc_catch_seq_caught}
8806: & \ref{rule:abstr_catch_seq}
8807: & $\langle \caught, \eta_0 \rangle$
8808: & \(
8809: (\sigma^\sharp_0 \sqcup \sigma^\sharp_1,
8810: \exceptstate^\sharp_0 \sqcup \exceptstate^\sharp_2)
8811: \)
8812: & $\exceptstate^\sharp_3$ \\
8813: & \ref{rule:conc_catch_seq_uncaught}
8814: &
8815: & $\eta$
8816: &
8817: & \\
8818: \hline
8819: \end{tabular}
8820: \end{table}
8821:
8822: \paragraph*{Catch}
8823:
8824: Let $K$ have the form $(p) \, s$ for some exception declaration $p$.
8825:
8826: Suppose $r$ is an instance of one of rules
8827: \eqref{rule:conc_catch_caught}--\eqref{rule:conc_catch_expr_caught_noerr}.
8828: Then, by the hypothesis and Definition~\ref{def:exceptstate-filter},
8829: $\exceptstate \propto \phi^+(p, \exceptstate^\sharp)$;
8830: by the side conditions for the abstract rules,
8831: $\exceptstate \propto \exceptstate^\sharp_0$.
8832:
8833: If $r$ is an instance of~\eqref{rule:conc_catch_caught}
8834: then $\exceptstate = (\sigma, \except)$;
8835: by Definition~\ref{def:abstract-exception-state},
8836: $\sigma \propto \mem(\exceptstate^\sharp_0)$;
8837: Hence $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$ and, as $h = 1$,
8838: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8839: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8840: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$,
8841: which implies $\eta_0 \propto \eta^\sharp_1$ so that
8842: $\eta_\mathrm{k} \propto \eta^\sharp_\mathrm{k}$.
8843:
8844: If $r$ is an instance of~\eqref{rule:conc_catch_expr_caught_stkerr}
8845: or~\eqref{rule:conc_catch_expr_caught_noerr},
8846: then $\exceptstate = (\sigma, \sval)$ and $\type(\sval) = \sT$;
8847: by Definition~\ref{def:abstract-exception-state},
8848: $\sigma \propto \mem(\exceptstate^\sharp_0)$
8849: and $\sval \propto \sT(\exceptstate^\sharp_0)$.
8850: Hence,
8851: by Definition~\ref{def:abstract-memory-structure},
8852: \begin{equation}
8853: \label{eq:abstract-tree-exists:catch-property}
8854: \stknew\bigl(\sval, \smark(\sigma) \bigr)
8855: \propto
8856: \stknew^\sharp\Bigl(
8857: \sT(\exceptstate^\sharp_0),
8858: \asmark\bigl(\mem(\exceptstate^\sharp_0)\bigr)
8859: \Bigr)
8860: = \bigl( (\sigma^\sharp_2, i), \exceptstate^\sharp_2 \bigr).
8861: \end{equation}
8862: %
8863: If~\eqref{rule:conc_catch_expr_caught_stkerr} applies,
8864: then $h=0$, so that
8865: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds trivially,
8866: and, by the side condition,
8867: $\exceptstate_0 = \stknew\bigl(\sval, \smark(\sigma) \bigr)$
8868: so that by \eqref{eq:abstract-tree-exists:catch-property},
8869: $\exceptstate_0 \propto \exceptstate^\sharp_2$;
8870: by Definition~\ref{def:abstract-memory-structure},
8871: $\sunmark(\exceptstate_0) \propto \asunmark(\exceptstate^\sharp_2)$.
8872: %
8873: If~\eqref{rule:conc_catch_expr_caught_noerr} applies,
8874: then, by the side condition,
8875: $(\sigma_0, i) = \stknew\bigl(\sval, \smark(\sigma) \bigr)$
8876: so that by \eqref{eq:abstract-tree-exists:catch-property},
8877: $\sigma_0 \propto \sigma^\sharp_2$.
8878: Hence,
8879: $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$ and, as $h = 1$,
8880: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8881: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8882: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$,
8883: which implies
8884: $\eta_0 \propto \langle \sigma^\sharp_3, \exceptstate^\sharp_3 \rangle$.
8885: Thus, by Definition~\ref{def:abstract-memory-structure},
8886: \(
8887: \sunmark(\eta_0)
8888: \propto
8889: \bigl(
8890: \asunmark(\sigma^\sharp_3),
8891: \asunmark(\exceptstate^\sharp_2)
8892: \bigr).
8893: \)
8894: Hence, in both cases,
8895: $\eta_\mathrm{k} \propto \eta^\sharp_\mathrm{k}$.
8896:
8897: If $r$ is an instance of~\eqref{rule:conc_catch_uncaught},
8898: then $h=0$, so that
8899: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds trivially.
8900: We have $\exceptstate = (\sigma, \except)$ and,
8901: by the side condition,
8902: $p \notin \{ \except, \cT, \kw{any} \}$, where $\cT = \type(\except)$.
8903: If $p \in \{\rtsexcept, \sT\}$
8904: then abstract rule~\eqref{rule:abstr_catch_maybe_caught} applies
8905: so that, by the hypothesis, the side conditions
8906: and Definition~\ref{def:exceptstate-filter},
8907: \(
8908: (\sigma, \except)
8909: \propto \phi^-(p, \exceptstate^\sharp)
8910: = \exceptstate^\sharp_1
8911: \).
8912: Similarly, if $p = \id : \sT$ and
8913: abstract rule~\eqref{rule:abstr_catch_expr_maybe_caught} applies,
8914: \(
8915: (\sigma, \except)
8916: \propto \phi^-(\sT, \exceptstate^\sharp)
8917: = \exceptstate^\sharp_1
8918: \).
8919: Hence, in both cases,
8920: $\eta_\mathrm{k} \propto \eta^\sharp_\mathrm{k}$.
8921:
8922: \paragraph*{Catch Sequence}
8923:
8924: If $r$ is an instance of~\eqref{rule:conc_catch_seq_caught},
8925: then as $h = 1$ and $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$,
8926: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8927: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8928: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$,
8929: so that
8930: \(
8931: \langle \caught, \eta_0 \rangle
8932: \propto
8933: \bigl\langle
8934: (\sigma^\sharp_0, \exceptstate^\sharp_0), \exceptstate^\sharp_1
8935: \bigr\rangle
8936: \).
8937: By~\eqref{def:propto-terminal:catch}
8938: in Definition~\ref{def:terminal-abstract-configuration},
8939: \(
8940: \eta_0 \propto (\sigma^\sharp_0, \exceptstate^\sharp_0)
8941: \),
8942: which implies $\eta_\mathrm{k} \propto \eta^\sharp_\mathrm{k}$.
8943:
8944: If $r$ is an instance of~\eqref{rule:conc_catch_seq_uncaught},
8945: then $(\theta_{[0]}, \theta^\sharp_{[0]}) \in S$ and,
8946: by~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8947: $\theta_{[0]}(\emptystring) \propto \theta^\sharp_{[0]}(\emptystring)$.
8948: Thus,
8949: \(
8950: \langle \uncaught, \exceptstate_0 \rangle
8951: \propto
8952: \bigl\langle
8953: (\sigma^\sharp_0, \exceptstate^\sharp_0), \exceptstate^\sharp_1
8954: \bigr\rangle
8955: \),
8956: so that, by~\eqref{def:propto-terminal:catch}
8957: in Definition~\ref{def:terminal-abstract-configuration},
8958: $\exceptstate_0 \propto \exceptstate^\sharp_1$.
8959: Hence $(\theta_{[1]}, \theta^\sharp_{[1]}) \in S$ and,
8960: as $h = 2$,
8961: property~\eqref{enum:abstract-tree-is-safe:immediate-subtrees} holds.
8962: By~\eqref{enum:abstract-tree-is-safe:inductive_assume},
8963: $\theta_{[1]}(\emptystring) \propto \theta^\sharp_{[1]}(\emptystring)$,
8964: so that
8965: \(
8966: \eta
8967: \propto
8968: \bigl\langle
8969: (\sigma^\sharp_1, \exceptstate^\sharp_2), \exceptstate^\sharp_3
8970: \bigr\rangle
8971: \),
8972: which implies
8973: $\eta_\mathrm{k} \propto \eta^\sharp_\mathrm{k}$.
8974: \qed
8975: \end{proof}
8976:
8977: A few observations regarding the precision of the proposed
8978: approximations are in order.
8979: Consider an abstract tree $\theta^\sharp \in \Theta^\sharp$ such that
8980: \(
8981: \theta^\sharp(\emptystring)
8982: = (\rho \vdash_\beta N^\sharp \rightarrow \eta^\sharp)
8983: \),
8984: where $N^\sharp \in \NTs^{\beta\sharp}$ and $\eta^\sharp \in \Ts^\sharp$.
8985: If the concretization functions relating the concrete and abstract domains
8986: are strict, then the abstract tree above will encode the following
8987: \emph{definite information}:
8988: \begin{itemize}
8989: \item
8990: non-terminating computations (i.e., unreachable code),
8991: if $\eta^\sharp = \bot$;
8992: \item
8993: non-exceptional computations, if
8994: $\eta^\sharp = \langle \sigma^\sharp, \none^\sharp \rangle$ and
8995: $\sigma^\sharp \neq \bot$;
8996: \item
8997: exceptional computations, if
8998: $\eta^\sharp = \langle \bot, \exceptstate^\sharp \rangle$ and
8999: $\exceptstate^\sharp \neq \none^\sharp$.
9000: \end{itemize}
9001: Obviously, a precise propagation of this definite information
9002: requires that all of the abstract domain operators are strict too.
9003: Hence, if
9004: \(
9005: \theta^\sharp(\emptystring)
9006: = \bigl(
9007: \rho \vdash_\beta \langle s, \bot \rangle \rightarrow \eta^\sharp
9008: \bigr)
9009: \),
9010: we will also have $\eta^\sharp = \bot$.
9011: %%
9012: Similar properties hold when considering
9013: expressions, declarations and catch clauses.
9014:
9015:
9016: \section{Computing Abstract Trees}
9017: \label{sec:computable-approximations}
9018:
9019: The results of the previous section
9020: (Theorems~\ref{thm:abstract-tree-exists} and \ref{thm:abstract-tree-is-safe})
9021: guarantee that each concrete tree can be safely approximated by an
9022: abstract tree, provided the non-terminal configurations in the roots
9023: satisfy the approximation relation.
9024:
9025: For expository purposes,
9026: suppose we are interested in a whole-program analysis.
9027: For each (concrete and abstract) pair of initial memories
9028: satisfying $\sigma_\mathrm{i} \propto \sigma^\sharp_\mathrm{i}$
9029: and each
9030: \(
9031: g_0 = (g; \textup{$\kw{gvar} \ridx : \tinteger = 0$})
9032: \),
9033: where $g$ is a valid program,
9034: we obtain that any abstract tree
9035: $\theta^\sharp_0 \in \Theta^\sharp$
9036: such that
9037: \(
9038: \theta^\sharp_0(\emptystring)
9039: =
9040: \bigl(
9041: \emptyset
9042: \vdash_\emptyset
9043: \langle g_0, \sigma^\sharp_\mathrm{i} \rangle
9044: \rightarrow
9045: \eta^\sharp_0
9046: \bigr)
9047: \)
9048: correctly approximates each concrete tree $\theta_0 \in \Theta$
9049: such that
9050: \(
9051: \theta_0(\emptystring)
9052: =
9053: \bigl(
9054: \emptyset
9055: \vdash_\emptyset
9056: \langle g_0, \sigma_\mathrm{i} \rangle
9057: \rightarrow
9058: \eta_0
9059: \bigr)
9060: \).
9061: Notice that $\theta^\sharp_0$ is a finite tree.
9062: Letting
9063: \(
9064: \eta^\sharp_0
9065: = \bigl\langle
9066: (\rho_0, \sigma^\sharp_0),
9067: \exceptstate^\sharp_0
9068: \bigr\rangle
9069: \)
9070: and assuming $\eta_0 \notin \ExceptState$,
9071: we obtain $\eta_0 = \langle \rho_0, \sigma_0 \rangle$,
9072: where $\sigma_0 \propto \sigma^\sharp_0$.
9073: %%
9074: Hence,
9075: letting $s_0 = \bigl(\ridx := \main(\emptysequence)\bigr)$
9076: and $\rho_0 : \beta$,
9077: any abstract tree $\theta^\sharp_1 \in \Theta^\sharp$
9078: such that
9079: \(
9080: \theta^\sharp_1(\emptystring)
9081: =
9082: \bigl(
9083: \rho_0
9084: \vdash_\beta
9085: \langle s_0, \sigma^\sharp_0 \bigr\rangle
9086: \rightarrow
9087: \eta^\sharp_1
9088: \bigr)
9089: \)
9090: correctly approximates each concrete tree $\theta_1 \in \Theta$
9091: such that either
9092: \(
9093: \theta_1(\emptystring)
9094: =
9095: \bigl(
9096: \rho_0
9097: \vdash_\beta
9098: \langle s_0, \sigma_0 \bigr\rangle
9099: \rightarrow
9100: \eta_1
9101: \bigr)
9102: \)
9103: or
9104: \(
9105: \theta_1(\emptystring)
9106: =
9107: \bigl(
9108: \rho_0
9109: \vdash_\beta
9110: \langle s_0, \sigma_0 \bigr\rangle
9111: \diverges
9112: \bigr)
9113: \).
9114: %%
9115: We are thus left with the problem of computing (any) one of these
9116: abstract trees, which are usually infinite.
9117: In particular, we are interested in choosing $\theta^\sharp_1$
9118: in a subclass of trees admitting finite representations
9119: and, within this class, in maintaining a level of accuracy that is
9120: compatible with the complexity/precision trade-off dictated
9121: by the application.
9122:
9123: A classical choice is to restrict attention to rational trees,
9124: that is, trees with only finitely many subtrees:
9125: the algorithm sketched in \cite{Schmidt95,Schmidt97,Schmidt98},
9126: which assumes that the abstract domain is \emph{Noetherian}
9127: (i.e., all of its ascending chains are finite),
9128: guides the analysis toward the computation of a rational tree
9129: by forcing each infinite path to contain a repetition node.
9130: Here below we describe a variation, also working for
9131: abstract domains that admit infinite ascending chains, that exploits
9132: \emph{widening operators} \cite{CousotC76,CousotC77,CousotC92plilp}.
9133:
9134: \begin{definition}\summary{(Widening operators.)}
9135: \label{def:widening-operator}
9136: Let $(D^\sharp, \sqsubseteq, \bot, \sqcup)$ be an abstract domain.
9137: The partial operator $\pard{\widen}{D^\sharp \times D^\sharp}{D^\sharp}$
9138: is a \emph{widening} if:
9139: \begin{itemize}
9140: \item
9141: for all $x^\sharp, y^\sharp \in D^\sharp$,
9142: $y^\sharp \sqsubseteq x^\sharp$ implies that
9143: $y^\sharp \widen x^\sharp$ is defined and
9144: $x^\sharp \sqsubseteq y^\sharp \widen x^\sharp$;
9145: \item
9146: for all increasing chains
9147: $x^\sharp_0 \sqsubseteq x^\sharp_1 \sqsubseteq \cdots$,
9148: the increasing chain defined by
9149: $y^\sharp_0 \defeq x^\sharp_0$ and
9150: \(
9151: y^\sharp_{i+1}
9152: \defeq
9153: y^\sharp_i \widen (y^\sharp_i \sqcup x^\sharp_{i+1})
9154: \),
9155: for $i \in \Nset$, is not strictly increasing.
9156: \end{itemize}
9157: \end{definition}
9158:
9159: The algorithm works by recursively constructing a finite approximation
9160: for the abstract subtree rooted in the current node
9161: (initially, the root of the whole tree).
9162: Let
9163: \(
9164: n = \bigl(
9165: \rho
9166: \vdash_\beta
9167: \langle q, y^\sharp_n \rangle
9168: \rightarrow
9169: r_n
9170: \bigr)
9171: \)
9172: be the current node,
9173: where $q$ is a uniquely labeled program phrase,%
9174: \footnote{Unique labels (e.g., given by the address of the root node
9175: for $q$ in the program parse tree) ensure that different occurrences
9176: of the same syntax are not confused~\cite{Schmidt95}; this also means
9177: that, in each node $n$, the type and execution environments $\rho$
9178: and $\beta$ are uniquely determined by $q$.}
9179: $y^\sharp \in D^\sharp$ is either
9180: an abstract memory $\sigma^\sharp \in \Mem^\sharp$ or
9181: an abstract exception state $\exceptstate^\sharp \in \ExceptState^\sharp$,
9182: and $r_n$ is a placeholder for the ``yet to be computed'' conclusion.
9183: The node $n$ is processed according to the following alternatives.
9184: \begin{enumerate}[(i)]
9185: \item
9186: \label{enum-case:expand}
9187: If no ancestor of $n$ is labeled by the program phrase $q$,
9188: the node has to be expanded using an applicable abstract rule instance.
9189: Namely, descendants of the premises of the rule are (recursively)
9190: processed, one at a time and from left to right.
9191: When the expansion of all the premises has been completed, including
9192: the case when the rule has no premise at all, the marker $r_n$
9193: is replaced by an abstract value computed according to the conclusion
9194: of the rule.
9195: \item
9196: \label{enum-case:subsumed}
9197: If there exists an ancestor node
9198: \(
9199: m = \bigl(
9200: \rho
9201: \vdash_\beta
9202: \langle q, y^\sharp_m \rangle
9203: \rightarrow
9204: r_m
9205: \bigr)
9206: \)
9207: of $n$ labeled by the same program phrase $q$ and such that
9208: $y^\sharp_n \sqsubseteq y^\sharp_m$,
9209: i.e., if node $n$ is subsumed by node $m$,
9210: then the node is not expanded further and
9211: the placeholder $r_n$ is replaced by the least fixpoint of the equation
9212: $r_n = f_m(r_n)$, where $f_m$ is the expression corresponding to
9213: the conclusion of the abstract rule that was used for the expansion
9214: of node $m$.%
9215: \footnote{As explained in \cite{Schmidt95,Schmidt97,Schmidt98},
9216: the computation of such a \emph{least} fixpoint
9217: (in the context of a coinductive interpretation of the abstract rules)
9218: is justified by the fact that here we only need to approximate
9219: the conclusions produced by the terminating concrete computations,
9220: i.e., by the concrete rules that are interpreted inductively.
9221: Also note that the divergence rules have no conclusion at all.}
9222: Intuitively, an infinite subtree rooted in node $m$ has been identified
9223: and the ``repetition node'' $n$ is transformed to a back edge to
9224: the root $m$ of this subtree.
9225: \item
9226: \label{enum-case:widen}
9227: Otherwise, there must be an ancestor node
9228: \(
9229: m = \bigl(
9230: \rho
9231: \vdash_\beta
9232: \langle q, y^\sharp_m \rangle
9233: \rightarrow
9234: r_m
9235: \bigr)
9236: \)
9237: of $n$ labeled by the same program phrase $q$,
9238: but the subsumption condition
9239: $y^\sharp_n \sqsubseteq y^\sharp_m$ does not hold.
9240: Then, to ensure convergence, the abstract element $y^\sharp_n$ in node $n$
9241: is further approximated by $y^\sharp_m \widen (y^\sharp_m \sqcup y^\sharp_n)$
9242: and we proceed as in case~\eqref{enum-case:expand}.
9243: \end{enumerate}
9244:
9245: Termination of the algorithm can be proved thanks to the following
9246: observations:
9247: an infinite abstract tree necessarily has infinite paths
9248: (since the tree is finitely branching);
9249: each infinite path necessarily has an infinite number of nodes labeled by
9250: the same program phrase (since the set of program phrases is finite);
9251: the application of case~\eqref{enum-case:widen} leads to the computation,
9252: along each infinite path, of increasing chains of abstract elements and,
9253: by Definition~\ref{def:widening-operator},
9254: these chains are necessarily finite;
9255: hence, case~\eqref{enum-case:subsumed} is eventually applied
9256: to all infinite paths, leading to a finite representation of the
9257: rational tree where all the infinite paths are expressed by using back edges.
9258:
9259: It should be stressed that, as far as efficiency is concerned,
9260: the algorithm outlined above can be improved by the adoption of
9261: well studied memoization techniques;
9262: as noted in \cite{Schmidt97},
9263: by clearly separating design concerns from implementation concerns,
9264: the adopted methodology produces simpler proofs of correctness.
9265: Also note that the choice of the widening operator has a deep impact
9266: on the precision of the results obtained and, moreover, even a precise
9267: widening can lead to inaccurate results if applied too eagerly.
9268: However, precision problems can be mitigated by the application
9269: of suitable ``widening delay'' techniques
9270: \cite{CousotC92plilp,HalbwachsPR97,BagnaraHRZ05SCP}.
9271:
9272:
9273: \section{Extensions}
9274: \label{sec:extensions}
9275:
9276: In this section we outline how the techniques presented in the first part
9277: of the paper can be extended so as to encompass the C language and
9278: all the imperative aspects of \Cplusplus{} (including, of course, exceptions):
9279: Section~\ref{sec:arithemetic-types} shows how the set of primitive types
9280: can be extended by discussing the introduction of bounded integer
9281: and floating-point types;
9282: Section~\ref{sec:c-like-pointers-and-arrays} provides a sketch of how
9283: C-like pointers, arrays and records can be dealt with;
9284: dynamic memory allocation and deallocation is treated in
9285: Section~\ref{sec:heap-memory-management};
9286: and Section~\ref{sec:non-structured-control-flow-mechanisms} illustrates how
9287: all the non-structured control flow mechanisms of C and \Cplusplus{}
9288: can be accounted for.
9289:
9290: Once an ABI (\emph{Application Binary Interface}) has been fixed and
9291: its characteristics have been reflected into concrete and abstract
9292: memory structures, C struct and union compound types can be
9293: accommodated, even in presence of pointer casts and unrestricted
9294: pointer arithmetics, by compiling down all their uses to memory reads
9295: and writes performed through pointer dereferencing \cite{Mine06a}.
9296:
9297: While we have not yet tried to incorporate object-oriented features
9298: (like classes, inheritance, method calls with dynamic binding
9299: and so forth) we do not see what, in the current design,
9300: would prevent such an extension.
9301:
9302: \subsection{Additional Arithmetic Types}
9303: \label{sec:arithemetic-types}
9304:
9305: The addition of more arithmetic types such as (signed and unsigned)
9306: finite integer and floating-point types is fairly straightforward.
9307: It is assumed that a preprocessor will add, as needed, a value cast
9308: operator that, for a given numeric type and constant expression,
9309: ensures that either the returned value is in the domain of that type
9310: or an appropriate exception is thrown.
9311: With this assumption, all the operations need only to be specified
9312: for operands of the very same type.
9313:
9314: \subsubsection{Syntax}
9315:
9316: For floating-point numbers, we add a new basic type $\tfloat$ that represents
9317: a fixed and finite subset of the reals together with a set
9318: of special values denoting infinities, NaN (\emph{Not a Number}) value
9319: and so forth.
9320: The exact format and range of a floating-point literal is unspecified.
9321: The addition of other floating-point types to represent double and extended
9322: precision numbers can be done the same way.
9323: To exemplify the inclusion of signed and unsigned bounded integer types,
9324: we also add the $\tschar$ and $\tuchar$ basic types.
9325: \begin{description}
9326: \item[Integer types]
9327: $\iT \in \iType \defeq \{ \tinteger, \tschar, \tuchar, \ldots \}$;
9328: \item[Numeric types]
9329: $\nT \in \nType \defeq \iType \union \{ \tfloat, \ldots \}$;
9330: \item[Basic types]
9331: $T \in \Type \defeq \nType \union \{ \tboolean \}$;
9332: \item[Floating-point literals]
9333: $\flcon \in \Float$;
9334: \item[Signed char literals]
9335: $\sccon \in \sChar$;
9336: \item[Unsigned char literals]
9337: $\uccon \in \uChar$.
9338: \item[Expressions and constants]
9339: Expressions are extended with floating-point constants,
9340: bounded integer constants, and $\kw{vcast}$,
9341: a \emph{value cast} operator for converting values from
9342: one basic type to another, when possible, or yielding an appropriate
9343: exception:
9344: \begin{align*}
9345: \Exp \ni
9346: e &::= \ldots \vbar \flcon \vbar \sccon \vbar \uccon
9347: \vbar \kw{vcast}(\nT, e) \\
9348: \Con \ni
9349: \con &::= \ldots \vbar \flcon \vbar \sccon \vbar \uccon.
9350: \end{align*}
9351: \end{description}
9352:
9353: The functions
9354: $\fund{\dom}{\cType}{\{\Integer, \Bool, \RTSExcept, \Float, \sChar, \uChar\}}$
9355: and $\pard{\type}{\sVal}{\sType}$
9356: are easily extended:
9357: \begin{align*}
9358: \dom(\tfloat)
9359: &\defeq
9360: \Float,
9361: &
9362: \type(\flcon)
9363: &\defeq
9364: \tfloat, \\
9365: \dom(\tschar)
9366: &\defeq
9367: \sChar,
9368: &
9369: \type(\sccon)
9370: &\defeq
9371: \tschar, \\
9372: \dom(\tuchar)
9373: &\defeq
9374: \uChar,
9375: &
9376: \type(\uccon)
9377: &\defeq
9378: \tuchar.
9379: \end{align*}
9380:
9381: \subsubsection{Static Semantics}
9382:
9383: The required adjustments to functions $\FI$ and $\DI$ are straightforward
9384: and thus omitted.
9385: Then, we add the following static semantic rules, where
9386: \(
9387: \mathord{\boxcircle}
9388: \in
9389: \{ \mathord{+}, \mathord{-}, \mathord{*}, \divop, \modop \}
9390: \)
9391: and
9392: \(
9393: \mathord{\boxast}
9394: \in
9395: \{
9396: \mathord{=}, \mathord{\neq}, \mathord{<},
9397: \mathord{\leq}, \mathord{\geq}, \mathord{>}
9398: \}
9399: \):
9400: \begin{description}
9401: %
9402: \item[Expressions]
9403: %
9404: \begin{gather*}
9405: \begin{aligned}
9406: &
9407: \prooftree
9408: \nohyp
9409: \justifies
9410: \beta \vdash_I \flcon : \tfloat
9411: \endprooftree
9412: &\qquad
9413: &\prooftree
9414: \nohyp
9415: \justifies
9416: \beta \vdash_I \sccon : \tschar
9417: \endprooftree \\[1ex]
9418: %%
9419: &
9420: \prooftree
9421: \beta \vdash_I e : \nT
9422: \justifies
9423: \beta \vdash_I -e : \nT
9424: \endprooftree
9425: &
9426: &\prooftree
9427: \nohyp
9428: \justifies
9429: \beta \vdash_I \uccon : \tuchar
9430: \endprooftree \\[1ex]
9431: %%
9432: &
9433: \prooftree
9434: \beta \vdash_I e_0 : \nT
9435: \quad
9436: \beta \vdash_I e_1 : \nT
9437: \justifies
9438: \beta \vdash_I e_0 \boxcircle e_1 : \nT
9439: \endprooftree
9440: &
9441: &\prooftree
9442: \beta \vdash_I e_0 : \nT
9443: \quad
9444: \beta \vdash_I e_1 : \nT
9445: \justifies
9446: \beta \vdash_I e_0 \boxast e_1 : \tboolean
9447: \endprooftree \\[1ex]
9448: &
9449: \prooftree
9450: \beta \vdash_I e : T_0
9451: \justifies
9452: \beta \vdash_I \kw{vcast}(T_1, e) : T_1
9453: \using\quad\text{\hbox to0pt{if casting $T_0$ to $T_1$ is legal.}}
9454: \endprooftree
9455: \end{aligned}
9456: \end{gather*}
9457:
9458: \end{description}
9459:
9460: \subsubsection{Concrete Dynamic Semantics}
9461: The added numeric types and the operations upon them
9462: bring in a considerable degree of complexity. Consider the C language,
9463: for example: unsigned bounded integers employ modular arithmetic;
9464: for signed bounded integers, overflow yields undefined behavior;
9465: the results of floating-point operations depend on the rounding mode
9466: in effect and on the settings that cause floating-point exceptions to be
9467: trapped or ignored;
9468: relational operators may or may not raise a floating-point exception
9469: when one or both arguments are NaN.
9470: In order to factor out these details and delegate them to the memory
9471: structure, we resort to a device like the one used to model supported
9472: and unsupported language elements in the abstract semantics.
9473: We thus postulate the existence of the partial functions
9474: \begin{align*}
9475: \pard{\ceval{\mathrm{vc}}}{&(\nType \times \Con \times \Mem)}%
9476: {\ValState \uplus \ExceptState}, \\
9477: \pard{\ceval{-_1}}{&(\Con \times \Mem)}%
9478: {\ValState \uplus \ExceptState}, \\
9479: \pard{\ceval{\boxcircle}}{&(\Con \times \Con \times \Mem)}%
9480: {\ValState \uplus \ExceptState}, \\
9481: \pard{\ceval{\boxast}}{&(\Con \times \Con \times \Mem)}%
9482: {\ValState \uplus \ExceptState},
9483: \end{align*}
9484: that model the cast operator, unary minus, binary operators
9485: \(
9486: \mathord{\boxcircle}
9487: \in
9488: \{ \mathord{+}, \mathord{-}, \mathord{*}, \divop, \modop \}
9489: \)
9490: and relational operators
9491: \(
9492: \mathord{\boxast}
9493: \in
9494: \{
9495: \mathord{=}, \mathord{\neq}, \mathord{<},
9496: \mathord{\leq}, \mathord{\geq}, \mathord{>}
9497: \}
9498: \),
9499: respectively.
9500: Such functions need not be always defined:
9501: for example, there is no need to define $\ceval{+}(\con_0, \con_1, \sigma)$
9502: for the case $\type(\con_0) \neq \type(\con_1)$.
9503: %%
9504: \begin{description}
9505: %
9506: \item[Value casts]
9507: The following concrete rule schemata use the corresponding evaluation
9508: function to specify the execution of the $\kw{vcast}$ operator.
9509: \begin{align*}
9510: &\prooftree
9511: \rho \vdash_\beta \langle e, \sigma \rangle
9512: \rightarrow
9513: \exceptstate
9514: \justifies
9515: \rho \vdash_\beta \langle \kw{vcast}(\nT, e), \sigma \rangle
9516: \rightarrow
9517: \exceptstate
9518: \endprooftree
9519: &
9520: &\prooftree
9521: \rho \vdash_\beta \langle e, \sigma \rangle
9522: \rightarrow
9523: \langle \con, \sigma_0 \rangle
9524: \justifies
9525: \rho \vdash_\beta \langle \kw{vcast}(\nT, e), \sigma \rangle
9526: \rightarrow
9527: \ceval{\mathrm{vc}}(\nT, \con, \sigma_0)
9528: \endprooftree
9529: \end{align*}
9530: %
9531: \item[Arithmetic evaluation]
9532: By using the evaluation functions, we can substitute rules
9533: \eqref{rule:conc_uminus_ok}, \eqref{rule:conc_arith_bop_2}
9534: and \eqref{rule:conc_arith_bop_exc_0}
9535: with the following (note that they also capture the case when
9536: a divide-by-zero exception is thrown):
9537: \begin{align*}
9538: &\prooftree
9539: \rho \vdash_\beta \langle e, \sigma \rangle
9540: \rightarrow
9541: \langle \con, \sigma_0 \rangle
9542: \justifies
9543: \rho \vdash_\beta \langle -e, \sigma \rangle
9544: \rightarrow
9545: \ceval{-_1}(\nT, \con, \sigma_0)
9546: \endprooftree \\[1ex]
9547: &\prooftree
9548: \rho \vdash_\beta \langle e_0, \sigma \rangle
9549: \rightarrow
9550: \langle \con_0, \sigma_0 \rangle
9551: \quad
9552: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
9553: \rightarrow
9554: \langle \con_1, \sigma_1 \rangle
9555: \justifies
9556: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma \rangle
9557: \rightarrow
9558: \ceval{\boxcircle}(\con_0, \con_1, \sigma_1)
9559: \endprooftree
9560: \end{align*}
9561: %
9562: \item[Arithmetic tests]
9563: Similarly, rule \eqref{rule:conc_arith_test_ok}
9564: is replaced by the more general rule
9565: \[
9566: \prooftree
9567: \rho \vdash_\beta \langle e_0, \sigma \rangle
9568: \rightarrow
9569: \langle \con_0, \sigma_0 \rangle
9570: \quad
9571: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
9572: \rightarrow
9573: \langle \con_1, \sigma_1 \rangle
9574: \justifies
9575: \rho \vdash_\beta \langle e_0 \boxast e_1, \sigma \rangle
9576: \rightarrow
9577: \ceval{\boxast}(\con_0, \con_1, \sigma_1)
9578: \endprooftree
9579: \]
9580: \end{description}
9581:
9582:
9583: \subsection{C-like Pointers, Arrays and Records}
9584: \label{sec:c-like-pointers-and-arrays}
9585:
9586: \subsubsection{Syntax}
9587:
9588: Recall that in Sections~\ref{sec:syntax} and~\ref{sec:static-semantics}
9589: we defined the set of storable types,
9590: whose values can be read from and written to memory,
9591: and the set of denotable types, that can occur in declarations.
9592: The introduction of pointer, array and record types requires the adoption
9593: of a finer classification.
9594: The set of all \emph{memory types} is partitioned into \emph{object types}
9595: and \emph{function types}: the latter differ in that we cannot read
9596: or update the ``value'' of a function; rather, we execute it.
9597: Object types are further partitioned into \emph{elementary types}
9598: (also called scalar types, including basic types and pointer types)
9599: and \emph{aggregate types} (arrays and records).
9600: All the elementary types are storable, meaning that their values
9601: can be read directly from or written directly to memory, as well as
9602: passed to and returned from functions.
9603: Regarding aggregate types, the C language prescribes that
9604: record types are storable, whereas array types are not.
9605: Pointer, array and record type derivations can be applied
9606: repeatedly to obtain, e.g., multi-dimensional arrays.
9607: %%
9608: \begin{description}
9609: \item[Types]
9610: \begin{align*}
9611: \eType \ni
9612: \eT &::= T \vbar \pT
9613: & \oType \ni
9614: \oT &::= \sT \vbar \aT \\
9615: \pType \ni
9616: \pT &::= \pointer{\mT}
9617: & \fType \ni
9618: \fT &::= \fps \to \sT \\
9619: \sType \ni
9620: \sT &::= \eT \vbar \rT
9621: & \mType \ni
9622: \mT &::= \oT \vbar \fT \\
9623: \aType \ni
9624: \aT &::= \arraytype{m}{\oT}
9625: & \dType \ni
9626: \dT &::= \location{\mT} \\
9627: \rType \ni
9628: \rT &::= \recordtype{\id}{\id_1 : \oT_1, \ldots, \id_j : \oT_j}\hspace{-1cm}
9629: \end{align*}
9630: \end{description}
9631: %%
9632: We assume, without loss of generality, that the field names
9633: of record types are unique across the entire program
9634: (for example, $\id_1$, \dots,~$\id_j$ could contain $\id$ as some
9635: kind of special prefix).
9636:
9637: Identifiers are no longer the only way to denote
9638: a memory structure location. This can also be referred to by
9639: combining a pointer with the indirection operator `$\mathord{\ast}$',
9640: an array with the indexing operator,
9641: or a record with the field selection operator.
9642: Hence, we introduce the concept of \emph{lvalue},
9643: which can be read as ``location-valued expression.''
9644:
9645: \begin{description}
9646: \item[Offsets and lvalues]
9647: \begin{align*}
9648: & \Offset \ni
9649: o ::= \nooffset \vbar
9650: \indexoffset{e} \cdot o \vbar
9651: \fieldoffset{\id} \cdot o \\
9652: & \lValue \ni
9653: \lvalue ::= \id \cdot o
9654: \vbar (\indirection{e}) \cdot o
9655: \end{align*}
9656: \end{description}
9657: %%
9658: Consequently, the syntactic production for expressions generating
9659: identifiers, as well as the productions for statements generating
9660: assignments and function calls, are replaced by more general versions
9661: using lvalues;
9662: expressions and declarations are also extended
9663: with the address-of operator, null pointers and array variables.
9664: %%
9665: \begin{description}
9666: \item[Expressions, declarations and statements]
9667: \begin{align*}
9668: & \Exp \ni
9669: e ::= \ldots
9670: \vbar \kw{val} \lvalue
9671: \vbar \maddress{\lvalue}
9672: \vbar (\pT)\,0
9673: &\quad
9674: & \Glob \ni
9675: g ::= \ldots
9676: \vbar \kw{gvar} \id : \aT = e \\
9677: & \Stmt \ni
9678: s ::= \ldots
9679: \vbar \lvalue := e
9680: \vbar \lvalue := e(\es)
9681: &\quad
9682: & \Decl \ni
9683: d ::= \ldots
9684: \vbar \kw{lvar} \id : \aT = e
9685: \end{align*}
9686: \end{description}
9687:
9688: \subsubsection{Static Semantics}
9689:
9690: The required adjustments to functions $\FI$ and $\DI$ are straightforward
9691: and thus omitted.
9692: The well-typedness of offsets and lvalues
9693: is encoded by the following predicates:
9694: \begin{align*}
9695: \beta, \dT_0 &\vdash_I o : \dT_1,
9696: &\text{$o$ is compatible with $\dT_0$ and has type $\dT_1$ in $\beta$;} \\
9697: \beta &\vdash_I \lvalue : \dT,
9698: &\text{$\lvalue$ is well-formed and has type $\dT$ in $\beta$.}
9699: \end{align*}
9700: The static semantics is thus extended by the following rules.%
9701: \footnote{The previous rules for identifier, assignment and function call
9702: are no longer used.}
9703: Note that the evaluation of an lvalue as an expression
9704: ---$\kw{val} \lvalue$---
9705: causes a suitable type conversion,
9706: sometimes referred to as ``type decay.''
9707: Pointer arithmetics can only be applied to object types.
9708: In function calls, the callee is specified via an expression
9709: having function pointer type (typically resulting from a type decay).
9710:
9711: \begin{description}
9712: %
9713: \item[Offset]
9714: %
9715: \begin{align*}
9716: &
9717: \begin{aligned}
9718: %% No offset.
9719: \prooftree
9720: \nohyp
9721: \justifies
9722: \beta, \dT \vdash_I \nooffset : \dT
9723: \endprooftree
9724: &\quad&
9725: %% Indexing.
9726: \prooftree
9727: \beta \vdash_I e : \tinteger
9728: \quad
9729: \beta, \location{\oT} \vdash_I o : \dT
9730: \justifies
9731: \beta, \location{(\arraytype{m}{\oT})}
9732: \vdash_I
9733: \indexoffset{e} \cdot o : \dT
9734: \endprooftree
9735: \end{aligned} \\[1ex]
9736: &
9737: %% Field offset.
9738: \prooftree
9739: \beta, \location{\oT_i} \vdash_I o : \dT
9740: \justifies
9741: \beta, \location{(\recordtype{\id}{\id_1 : \oT_1; \ldots; \id_j : \oT_j})}
9742: \vdash_I
9743: \fieldoffset{\id_i} \cdot o : \dT
9744: \using\quad\text{if $i \in \{1, \ldots, j\}$}
9745: \endprooftree
9746: \end{align*}
9747: %
9748: \item[Lvalue]
9749: %
9750: \begin{align*}
9751: &
9752: %% Identifier.
9753: \prooftree
9754: \beta, \dT_0 \vdash_I o : \dT_1
9755: \justifies
9756: \beta \vdash_I \id \cdot o : \dT_1
9757: \using\quad\text{if $\beta(\id) = \dT_0$}
9758: \endprooftree
9759: &\quad&
9760: %% Indirection.
9761: \prooftree
9762: \beta \vdash_I e : \pointer{\mT}
9763: \quad
9764: \beta, \location{\mT} \vdash_I o : \dT
9765: \justifies
9766: \beta \vdash_I (\indirection{e}) \cdot o : \dT
9767: \endprooftree
9768: \end{align*}
9769: %
9770: \item[Null pointer and address-of operator]
9771: %
9772: \begin{gather*}
9773: %% Null pointer constant.
9774: \prooftree
9775: \nohyp
9776: \justifies
9777: \beta \vdash_I (\pT)\,0 : \pT
9778: \endprooftree
9779: \qquad
9780: %% Address operator.
9781: \prooftree
9782: \beta \vdash_I \lvalue : \location{\mT}
9783: \justifies
9784: \beta \vdash_I \maddress{\lvalue} : \pointer{\mT}
9785: \endprooftree
9786: \end{gather*}
9787: %
9788: \item[Type decay]
9789: %
9790: \begin{gather*}
9791: %% lvalue-to-value: storable type.
9792: \prooftree
9793: \beta \vdash_I \lvalue : \location{\sT}
9794: \justifies
9795: \beta \vdash_I \kw{val} \lvalue : \sT
9796: \endprooftree
9797: \qquad
9798: %% id-to-value: array to pointer decay.
9799: \prooftree
9800: \beta \vdash_I \lvalue : \location{(\arraytype{m}{\oT})}
9801: \justifies
9802: \beta \vdash_I \kw{val} \lvalue : \pointer{\oT}
9803: \endprooftree
9804: \qquad
9805: %% lvalue-to-value: function to pointer decay.
9806: \prooftree
9807: \beta \vdash_I \lvalue : \location{\fT}
9808: \justifies
9809: \beta \vdash_I \kw{val} \lvalue : \pointer{\fT}
9810: \endprooftree
9811: \end{gather*}
9812: %
9813: \item[Pointer arithmetics]
9814: %
9815: \begin{gather*}
9816: \begin{aligned}
9817: &
9818: %% Pointer plus integer.
9819: \prooftree
9820: \beta \vdash_I e_0 : \pointer{\oT}
9821: \quad
9822: \beta \vdash_I e_1 : \tinteger
9823: \justifies
9824: \beta \vdash_I e_0 + e_1 : \pointer{\oT}
9825: \endprooftree
9826: &\quad&
9827: %% Integer plus pointer.
9828: \prooftree
9829: \beta \vdash_I e_0 : \tinteger
9830: \quad
9831: \beta \vdash_I e_1 : \pointer{\oT}
9832: \justifies
9833: \beta \vdash_I e_0 + e_1 : \pointer{\oT}
9834: \endprooftree \\[1ex]
9835: &
9836: %% Pointer minus integer.
9837: \prooftree
9838: \beta \vdash_I e_0 : \pointer{\oT}
9839: \quad
9840: \beta \vdash_I e_1 : \tinteger
9841: \justifies
9842: \beta \vdash_I e_0 - e_1 : \pointer{\oT}
9843: \endprooftree
9844: &\quad&
9845: %% Pointer difference.
9846: \prooftree
9847: \beta \vdash_I e_0 : \pointer{\oT}
9848: \quad
9849: \beta \vdash_I e_1 : \pointer{\oT}
9850: \justifies
9851: \beta \vdash_I e_0 - e_1 : \tinteger
9852: \endprooftree
9853: \end{aligned}
9854: \end{gather*}
9855: %
9856: \item[Pointer comparison]
9857: %
9858: \[
9859: %% Pointer comparison.
9860: \prooftree
9861: \beta \vdash_I e_0 : \pT
9862: \quad
9863: \beta \vdash_I e_1 : \pT
9864: \justifies
9865: \beta \vdash_I e_0 \boxast e_1 : \tboolean
9866: \using\quad\text{where
9867: \(
9868: \mathord{\boxast}
9869: \in
9870: \{
9871: \mathord{=}, \mathord{\neq}, \mathord{<},
9872: \mathord{\leq}, \mathord{\geq}, \mathord{>}
9873: \}
9874: \).}
9875: \endprooftree
9876: \]
9877: %
9878: \item[Assignment and function call]
9879: %
9880: \begin{gather*}
9881: \begin{aligned}
9882: &
9883: %% Assignment.
9884: \prooftree
9885: \beta \vdash_I \lvalue : \location{\sT}
9886: \quad
9887: \beta \vdash_I e : \sT
9888: \justifies
9889: \beta \vdash_I \lvalue := e
9890: \endprooftree \\[1ex]
9891: &
9892: %% Function call.
9893: \prooftree
9894: \beta \vdash_I \lvalue : \location{\sT}
9895: \quad
9896: \beta \vdash_I e : \pointer{(\fps \rightarrow \sT)}
9897: \quad
9898: \beta, \fps \vdash_I \es
9899: \justifies
9900: \beta \vdash_I \lvalue := e(\es)
9901: \endprooftree
9902: \end{aligned}
9903: \end{gather*}
9904: %
9905: \item[(Multi-dimensional) Global array declaration]
9906: %
9907: \begin{align*}
9908: \prooftree
9909: \beta \vdash_I \kw{gvar} \id : \oT = e
9910: : \{ \id \mapsto \location{\oT} \}
9911: \justifies
9912: \beta
9913: \vdash_I
9914: \kw{gvar} \id : \arraytype{m}{\oT} = e
9915: : \bigl\{
9916: \id \mapsto \location{(\arraytype{m}{\oT})}
9917: \bigr\}
9918: \using\quad\text{if $m > 0$}
9919: \endprooftree
9920: \end{align*}
9921: The static semantics rule for a local array declaration is similar.
9922: %
9923: \end{description}
9924:
9925:
9926: \subsubsection{Concrete Dynamic Semantics}
9927:
9928: Concrete execution environments now map function identifiers to
9929: (properly typed) locations, rather than function abstracts:
9930: hence, we redefine
9931: \(
9932: \dVal
9933: \defeq
9934: \Addr \times \mType
9935: \).
9936:
9937: A proper handling of aggregate and function types in memory structures
9938: requires a few semantic adjustments and extensions.
9939: %%
9940: New memory functions allow the allocation of function abstracts
9941: in the text segment, as well as the contiguous allocation
9942: of a number of memory cells, so as to model (multi-dimensional) arrays:
9943: \begin{align*}
9944: \fund{\txtnew}%
9945: {&(\Abstract \times \Mem)}%
9946: {\bigl( (\Mem \times \Loc) \uplus \ExceptState \bigr)}, \\
9947: \fund{\arraydatnew}%
9948: {&(\Integer \times \ValState)}%
9949: {\bigl( (\Mem \times \Loc) \uplus \ExceptState \bigr)}, \\
9950: \fund{\arraystknew}%
9951: {&(\Integer \times \ValState)}%
9952: {\bigl( (\Mem \times \Ind) \uplus \ExceptState \bigr)}.
9953: \end{align*}
9954: %%
9955: It can be observed that the properties stated
9956: in Definition~\ref{def:concrete-memory-structure}
9957: still hold as long as we consider locations having non-aggregate type
9958: and properly extend the domain and codomain of the absolute memory map:
9959: \[
9960: \Map
9961: \defeq
9962: \left(\Loc \times (\eType \uplus \fType)\right)
9963: \rightarrowtail
9964: (\Con \uplus \Loc \uplus \Abstract).
9965: \]
9966: These ``elementary'' memory maps need to be extended to read or
9967: update record values. To this end, we assume the existence
9968: of a couple of helper functions working on locations having
9969: aggregate type:
9970: \begin{align*}
9971: \pard{\locfield}%
9972: {&(\Id \times \Loc \times \rType)}%
9973: {(\Loc \times \oType)}, \\
9974: \pard{\locindex}%
9975: {&(\Integer \times \Loc \times \aType)}%
9976: {(\Loc \times \oType)}.
9977: \end{align*}
9978: Intuitively, when defined, these functions map
9979: a record (resp., array) typed location to the typed location
9980: of one of its record fields (resp., array elements).
9981: Hence, for each $\mu \in \Map$, the extension
9982: \(
9983: \pard{\mu}{(\Loc \times \sType)}{\sVal}
9984: \)
9985: can be recursively obtained, for each $l \in \Loc$ and
9986: $\rT = \recordtype{\id}{\id_1 : \oT_1; \ldots; \id_j : \oT_j}$,
9987: as follows and under the following conditions:
9988: \begin{gather*}
9989: \mu(l, \rT)
9990: \defeq
9991: \Bigl\langle
9992: \mu\bigl(\locfield(\id_1, l, \rT)\bigr),
9993: \ldots,
9994: \mu\bigl(\locfield(\id_j, l, \rT)\bigr)
9995: \Bigr\rangle, \\
9996: \intertext{%
9997: where, for each $l \in \Loc$ and $\aT = \arraytype{m}{\oT} \in \aType$,
9998: }
9999: \mu(l, \aT)
10000: \defeq
10001: \Bigl[
10002: \mu\bigl(\locindex(0, l, \aT)\bigr),
10003: \ldots,
10004: \mu\bigl(\locindex(m-1, l, \aT)\bigr)
10005: \Bigr].
10006: \end{gather*}
10007: A similar extension is required for the memory update operator.
10008: %% for instance, under the conditions above, we can recursively define
10009: %% \begin{gather*}
10010: %% \mu\bigl[(l, \rT) := \langle \sval_1, \ldots, \sval_j \rangle \bigr]
10011: %% \defeq
10012: %% \mu_j, \\
10013: %% \intertext{%
10014: %% where $\mu_0 = \mu$ and, for each $i = 1$, \ldots, $j$,
10015: %% }
10016: %% \mu_i
10017: %% \defeq
10018: %% \mu_{i-1}\bigl[ \field(\id_i, l, \rT) := \sval_i \bigr].
10019: %% \end{gather*}
10020: %%
10021: Note that we will still use $\valstate$ as a syntactic meta-variable for
10022: $\ValState = \sVal \times \Mem$, but now its first component can be
10023: either a constant, or an absolute location, or a record value.
10024:
10025: Pointer and array indexing errors are modeled via RTS exceptions.
10026: %% For simplicity of exposition, the RTS exception $\memerror$ will be thrown;
10027: %% a refined specification can (and should) provide a better distinction
10028: %% between the various kinds of pointer errors.
10029: %%
10030: It is assumed there exists a special location $\locnull \in \Loc$
10031: (the \emph{null pointer} value) such that
10032: $(\locnull, \mT) \notin \dom(\sigma)$
10033: for all $\sigma \in \Mem$ and $\mT \in \mType$;
10034: this also implies that $\locnull$ cannot be returned by
10035: the memory allocation operators.
10036: Hence, any attempt to read from or write to memory
10037: through this location will result in an exception state.
10038: Suitable operators on memory structures are required to check
10039: the constraints regarding pointer arithmetics
10040: (e.g., out-of-bounds array accesses),
10041: pointer comparisons (where $\mathord{\boxast}$ ranges over
10042: \(
10043: \{
10044: \mathord{=}, \mathord{\neq}, \mathord{<},
10045: \mathord{\leq}, \mathord{\geq}, \mathord{>}
10046: \}
10047: \)%
10048: )
10049: and to perform ``array-to-pointer decay'' conversions
10050: or record field selections:
10051: \begin{align*}
10052: \fund{\ptrmove}%
10053: {&(\Integer \times \Loc \times \Mem)}%
10054: {\ValState \uplus \ExceptState}, \\
10055: \fund{\ptrdiff}%
10056: {&(\Loc \times \Loc \times \Mem)}%
10057: {\ValState \uplus \ExceptState}, \\
10058: \fund{\ptrcmp_\boxast}%
10059: {&(\Loc \times \Loc \times \Mem)}%
10060: {\ValState \uplus \ExceptState}, \\
10061: \fund{\firstof}%
10062: {&(\Loc \times \Mem)}%
10063: {\ValState \uplus \ExceptState}, \\
10064: \fund{\field}%
10065: {&(\Id \times \Loc \times \Mem)}%
10066: {\ValState \uplus \ExceptState}.
10067: \end{align*}
10068: Note that array indexing is semantically equivalent to
10069: a suitable combination of type decay, pointer arithmetics
10070: and pointer indirection.
10071: Nonetheless, for the sake of clarity and also to simplify the application
10072: of pointer and array dependence analyses~\cite{EmamiGH94},
10073: we keep the distinction of the two constructs and,
10074: to simplify notation, we define%
10075: \footnote{Functions `$\field$' and `$\arrayindex$' are similar to
10076: `$\locfield$' and `$\locindex$', but they are also meant to check
10077: their arguments against the memory structure, possibly returning
10078: an RTS exception.}
10079: \[
10080: \pard{\arrayindex}%
10081: {(\Loc \times \ValState)}%
10082: {\ValState \uplus \ExceptState}
10083: \]
10084: as follows:
10085: \[
10086: \arrayindex\bigl(l, (m, \sigma)\bigr)
10087: \defeq
10088: \begin{cases}
10089: \exceptstate,
10090: &\text{if $\firstof(l, \sigma) = \exceptstate$;} \\
10091: \ptrmove(m, l_0, \sigma_0),
10092: &\text{if $\firstof(l, \sigma) = (l_0, \sigma_0)$.}
10093: \end{cases}
10094: \]
10095:
10096: Non-terminal and terminal configurations are extended so as to
10097: allow for the syntactic categories of offsets and lvalues,
10098: whose non-exceptional evaluation leads to a location:
10099: %%
10100: \begin{align*}
10101: \NTo^\beta
10102: &\defeq
10103: \sset{%
10104: \langle o, l, \sigma \rangle
10105: \in \Offset \times \Loc \times \Mem
10106: }{%
10107: \exists \dT_0, \dT_1 \in \dType \st \\
10108: \beta, \dT_0 \vdash_I o : \dT_1
10109: }, \\
10110: \NTl^\beta
10111: &\defeq
10112: \bigl\{\,
10113: \langle \lvalue, \sigma \rangle
10114: \in \lValue \times \Mem
10115: \bigm|
10116: \exists \dT \in \dType \st \beta \vdash_I \lvalue : \dT
10117: \,\bigr\}, \\
10118: \To
10119: &\defeq
10120: \Tl
10121: \defeq
10122: (\Loc \times \Mem) \uplus \ExceptState,
10123: \end{align*}
10124: %%
10125: The dynamic concrete semantics is extended with the following rule schemata.
10126:
10127: \begin{description}
10128: %
10129: \item[Offset]
10130: %
10131: \begin{align*}
10132: %% No offset.
10133: &
10134: \prooftree
10135: \nohyp
10136: \justifies
10137: \rho \vdash_\beta \langle \nooffset, l, \sigma \rangle
10138: \rightarrow
10139: \langle l, \sigma \rangle
10140: \endprooftree \\[1ex]
10141: %% Indexing offset.
10142: &
10143: \begin{aligned}
10144: \prooftree
10145: \rho \vdash_\beta
10146: \langle e, \sigma \rangle
10147: \rightarrow
10148: \exceptstate
10149: \justifies
10150: \rho \vdash_\beta
10151: \bigl\langle
10152: \indexoffset{e} \cdot o, l, \sigma
10153: \bigr\rangle
10154: \rightarrow
10155: \exceptstate
10156: \endprooftree
10157: &\quad&
10158: \prooftree
10159: \rho \vdash_\beta
10160: \langle e, \sigma \rangle
10161: \rightarrow
10162: \valstate
10163: \justifies
10164: \rho \vdash_\beta
10165: \bigl\langle
10166: \indexoffset{e} \cdot o, l, \sigma
10167: \bigr\rangle
10168: \rightarrow
10169: \exceptstate
10170: \using\quad\text{if $\arrayindex(l, \valstate) = \exceptstate$}
10171: \endprooftree
10172: \end{aligned} \\[1ex]
10173: &
10174: \prooftree
10175: \rho \vdash_\beta
10176: \langle e, \sigma \rangle
10177: \rightarrow
10178: \valstate
10179: \quad
10180: \rho \vdash_\beta
10181: \langle o, l_0, \sigma_0 \rangle
10182: \rightarrow
10183: \eta
10184: \justifies
10185: \rho \vdash_\beta
10186: \bigl\langle
10187: \indexoffset{e} \cdot o, l, \sigma
10188: \bigr\rangle
10189: \rightarrow
10190: \eta
10191: \using\quad\text{if $\arrayindex(l, \valstate) = (l_0, \sigma_0)$}
10192: \endprooftree \\[1ex]
10193: %% Field offset.
10194: &
10195: \prooftree
10196: \nohyp
10197: \justifies
10198: \rho \vdash_\beta
10199: \langle \fieldoffset{\id_i} \cdot o, l, \sigma \rangle
10200: \rightarrow
10201: \exceptstate
10202: \using\quad\text{if $\field(\id_i, l, \sigma) = \exceptstate$}
10203: \endprooftree \\[1ex]
10204: &
10205: \prooftree
10206: \rho
10207: \vdash_\beta
10208: \langle o, l_0, \sigma_0 \rangle
10209: \rightarrow
10210: \eta
10211: \justifies
10212: \rho \vdash_\beta
10213: \langle \fieldoffset{\id_i} \cdot o, l, \sigma \rangle
10214: \rightarrow
10215: \eta
10216: \using\quad\text{if $\field(\id_i, l, \sigma) = (l_0, \sigma_0)$}
10217: \endprooftree
10218: \end{align*}
10219: %
10220: \item[Lvalue]
10221: %
10222: \begin{align*}
10223: &
10224: \prooftree
10225: \rho \vdash_\beta
10226: \langle o, \sigma \mathbin{@} a, \sigma \rangle
10227: \rightarrow
10228: \eta
10229: \justifies
10230: \rho \vdash_\beta \langle \id \cdot o, \sigma \rangle
10231: \rightarrow
10232: \eta
10233: \using\quad\text{if $\rho(\id) = (a, \mT)$}
10234: \endprooftree \\[1ex]
10235: &
10236: \begin{aligned}
10237: \prooftree
10238: \rho \vdash_\beta
10239: \langle e, \sigma \rangle
10240: \rightarrow
10241: \exceptstate
10242: \justifies
10243: \rho \vdash_\beta
10244: \bigl\langle
10245: (\indirection{e}) \cdot o,
10246: \sigma
10247: \bigr\rangle
10248: \rightarrow
10249: \exceptstate
10250: \endprooftree
10251: &\quad&
10252: \prooftree
10253: \rho \vdash_\beta
10254: \langle e, \sigma \rangle
10255: \rightarrow
10256: \langle l_0, \sigma_0 \rangle
10257: \quad
10258: \rho \vdash_\beta \langle o, l_0, \sigma_0 \rangle \rightarrow \eta
10259: \justifies
10260: \rho \vdash_\beta
10261: \bigl\langle
10262: (\indirection{e}) \cdot o,
10263: \sigma
10264: \bigr\rangle
10265: \rightarrow
10266: \eta
10267: \endprooftree
10268: \end{aligned}
10269: \end{align*}
10270: %
10271: \item[Null pointer and address-of operator]
10272: \begin{align*}
10273: &
10274: \prooftree
10275: \nohyp
10276: \justifies
10277: \rho \vdash_\beta \bigl\langle (\pT)\,0, \sigma \bigr\rangle
10278: \rightarrow
10279: \langle \locnull, \sigma \rangle
10280: \endprooftree
10281: &\quad&
10282: %% Address operator.
10283: \prooftree
10284: \rho \vdash_\beta
10285: \langle \lvalue, \sigma \rangle
10286: \rightarrow
10287: \eta
10288: \justifies
10289: \rho \vdash_\beta
10290: \langle \maddress{\lvalue}, \sigma \rangle
10291: \rightarrow
10292: \eta
10293: \endprooftree
10294: \end{align*}
10295: %
10296: \item[Type decay]
10297: %
10298: \begin{align*}
10299: &
10300: \begin{aligned}
10301: \prooftree
10302: \rho \vdash_\beta \langle \lvalue, \sigma \rangle
10303: \rightarrow \exceptstate
10304: \justifies
10305: \rho \vdash_\beta
10306: \langle \kw{val} \lvalue, \sigma \rangle
10307: \rightarrow
10308: \exceptstate
10309: \endprooftree
10310: \end{aligned} \\[1ex]
10311: &
10312: %% Lvalue-to-value: storable type.
10313: \prooftree
10314: \rho \vdash_\beta \langle \lvalue, \sigma \rangle
10315: \rightarrow
10316: \langle l, \sigma_0 \rangle
10317: \justifies
10318: \rho \vdash_\beta
10319: \langle \kw{val} \lvalue, \sigma \rangle
10320: \rightarrow
10321: \sigma_0[l, \sT]
10322: \using\quad\text{if
10323: $\beta \vdash_{\FI(\lvalue)} \lvalue : \location{\sT}$}
10324: \endprooftree \\[1ex]
10325: &
10326: %% Lvalue-to-value: array to pointer decay.
10327: \prooftree
10328: \rho \vdash_\beta \langle \lvalue, \sigma \rangle
10329: \rightarrow
10330: \valstate
10331: \justifies
10332: \rho \vdash_\beta
10333: \langle \kw{val} \lvalue, \sigma \rangle
10334: \rightarrow
10335: \firstof(\valstate)
10336: \using\quad\text{if
10337: $\beta \vdash_{\FI(\lvalue)} \lvalue : \location{\aT}$}
10338: \endprooftree \\[1ex]
10339: &
10340: %% Lvalue-to-value: function to pointer decay.
10341: \prooftree
10342: \rho \vdash_\beta \langle \lvalue, \sigma \rangle
10343: \rightarrow
10344: \valstate
10345: \justifies
10346: \rho \vdash_\beta
10347: \langle \kw{val} \lvalue, \sigma \rangle
10348: \rightarrow
10349: \valstate
10350: \using\quad\text{if
10351: $\beta \vdash_{\FI(\lvalue)} \lvalue : \location{\fT}$}
10352: \endprooftree
10353: \end{align*}
10354: %
10355: \item[Pointer arithmetics]
10356: %
10357: Let $\mathord{\boxcircle}$ denote a binary abstract syntax operator
10358: in $\{ \mathord{+}, \mathord{-} \}$, as well as the corresponding
10359: unary operation on integers. Then, the following are added to
10360: rule schemata~\eqref{rule:conc_arith_bop_0}--\eqref{rule:conc_arith_bop_exc_0}.
10361:
10362: \begin{gather*}
10363: \prooftree
10364: \rho \vdash_\beta \langle e_0, \sigma \rangle
10365: \rightarrow
10366: \langle l, \sigma_0 \rangle
10367: \quad
10368: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
10369: \rightarrow
10370: \exceptstate
10371: \justifies
10372: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma \rangle
10373: \rightarrow
10374: \exceptstate
10375: \endprooftree \\[1ex]
10376: %%
10377: \prooftree
10378: \rho \vdash_\beta \langle e_0, \sigma \rangle
10379: \rightarrow
10380: \langle l, \sigma_0 \rangle
10381: \quad
10382: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
10383: \rightarrow
10384: \langle m, \sigma_1 \rangle
10385: \justifies
10386: \rho \vdash_\beta \langle e_0 \boxcircle e_1, \sigma \rangle
10387: \rightarrow
10388: \ptrmove(m_0, l, \sigma_1)
10389: \using\quad\text{if $m_0 = \mathop{\boxcircle} m$}
10390: \endprooftree \\[1ex]
10391: %%
10392: \prooftree
10393: \rho \vdash_\beta \langle e_0, \sigma \rangle
10394: \rightarrow
10395: \langle m, \sigma_0 \rangle
10396: \quad
10397: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
10398: \rightarrow
10399: \langle l, \sigma_1 \rangle
10400: \justifies
10401: \rho \vdash_\beta \langle e_0 + e_1, \sigma \rangle
10402: \rightarrow
10403: \ptrmove(m, l, \sigma_1)
10404: \endprooftree \\[1ex]
10405: %%
10406: \prooftree
10407: \rho \vdash_\beta \langle e_0, \sigma \rangle
10408: \rightarrow
10409: \langle l_0, \sigma_0 \rangle
10410: \quad
10411: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
10412: \rightarrow
10413: \langle l_1, \sigma_1 \rangle
10414: \justifies
10415: \rho \vdash_\beta \langle e_0 - e_1, \sigma \rangle
10416: \rightarrow
10417: \ptrdiff(l_0, l_1, \sigma_1)
10418: \endprooftree
10419: \end{gather*}
10420: %
10421: \item[Pointer comparison]
10422: %
10423: Let $\mathord{\boxast}$ denote a binary abstract syntax operator
10424: in the set
10425: \(
10426: \{ \mathord{=}, \mathord{\neq}, \mathord{<},
10427: \mathord{\leq}, \mathord{\geq}, \mathord{>} \}
10428: \).
10429: Then, the following are added to rule
10430: schemata~\eqref{rule:conc_arith_test_error_0}--\eqref{rule:conc_arith_test_ok}.
10431:
10432: \begin{gather*}
10433: \prooftree
10434: \rho \vdash_\beta \langle e_0, \sigma \rangle
10435: \rightarrow
10436: \langle l, \sigma_0 \rangle
10437: \quad
10438: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
10439: \rightarrow
10440: \exceptstate
10441: \justifies
10442: \rho \vdash_\beta \langle e_0 \boxast e_1, \sigma \rangle
10443: \rightarrow
10444: \exceptstate
10445: \endprooftree \\[1ex]
10446: %%
10447: \prooftree
10448: \rho \vdash_\beta \langle e_0, \sigma \rangle
10449: \rightarrow
10450: \langle l_0, \sigma_0 \rangle
10451: \quad
10452: \rho \vdash_\beta \langle e_1, \sigma_0 \rangle
10453: \rightarrow
10454: \langle l_1, \sigma_1 \rangle
10455: \justifies
10456: \rho \vdash_\beta \langle e_0 \boxast e_1, \sigma \rangle
10457: \rightarrow
10458: \ptrcmp_\boxast(l_0, l_1, \sigma_1)
10459: \endprooftree
10460: \end{gather*}
10461: %
10462: \item[Assignment]
10463: %
10464: \begin{align*}
10465: &
10466: \begin{aligned}
10467: \prooftree
10468: \rho \vdash_\beta \langle \lvalue, \sigma \rangle
10469: \rightarrow
10470: \exceptstate
10471: \justifies
10472: \rho \vdash_\beta \langle \lvalue := e, \sigma \rangle
10473: \rightarrow
10474: \exceptstate
10475: \endprooftree
10476: %%
10477: &\quad&
10478: %%
10479: \prooftree
10480: \rho \vdash_\beta \langle \lvalue, \sigma \rangle
10481: \rightarrow
10482: (l, \sigma_0)
10483: \quad
10484: \rho \vdash_\beta \langle e, \sigma_0 \rangle
10485: \rightarrow
10486: \exceptstate
10487: \justifies
10488: \rho \vdash_\beta \langle \lvalue := e, \sigma \rangle
10489: \rightarrow
10490: \exceptstate
10491: \endprooftree
10492: \end{aligned} \\[1ex]
10493: %%
10494: &
10495: \prooftree
10496: \rho \vdash_\beta \langle \lvalue, \sigma \rangle
10497: \rightarrow
10498: (l, \sigma_0)
10499: \quad
10500: \rho \vdash_\beta \langle e, \sigma_0 \rangle
10501: \rightarrow
10502: \langle \sval, \sigma_1 \rangle
10503: \justifies
10504: \rho \vdash_\beta \langle \lvalue := e, \sigma \rangle
10505: \rightarrow
10506: \sigma_1\bigl[ (l, \sT) := \sval \bigr]
10507: \using\quad\text{if $\beta \vdash_{\FI(e)} e : \sT$}
10508: \endprooftree
10509: \end{align*}
10510: Similar changes are required for the case of a function call.
10511: First, the lvalue is evaluated so as to obtain the target location
10512: where the result of the function call will be stored;
10513: then, the function designator (an expression) is evaluated to obtain
10514: a location having function type; this location is fed to the memory
10515: structure so as to obtain the function abstract.
10516: All the other computation steps, including parameter passing,
10517: are performed as before. On exit from the function call,
10518: the return value is stored at the location computed in the first step.
10519: Exceptions are eventually detected and propagated as usual.
10520: Also note that, thanks to the rules for type decay,
10521: arrays and functions can be passed to and returned from function calls.
10522: %
10523: \item[(Multi-dimensional) Global array declaration]
10524: In the following rule schemata, let $n > 0$,
10525: $\aT = \arraytype{m_1}{( \dots (\arraytype{m_n}{\sT}) \dots )}$
10526: and $m = m_1 \times \ldots \times m_n$.
10527: %%
10528: \begin{gather*}
10529: \prooftree
10530: \rho \vdash_\beta \langle e, \sigma \rangle
10531: \rightarrow
10532: \eta
10533: \justifies
10534: \rho
10535: \vdash_\beta
10536: \langle
10537: \kw{gvar} \id : \aT = e,
10538: \sigma
10539: \rangle
10540: \rightarrow
10541: \datcleanup(\exceptstate)
10542: \endprooftree \\
10543: \intertext{%
10544: if either $\eta = \exceptstate$,
10545: or $\eta = \valstate$ and $\arraydatnew(m, \valstate) = \exceptstate$;
10546: }
10547: \prooftree
10548: \rho \vdash_\beta \langle e, \sigma \rangle
10549: \rightarrow
10550: \valstate
10551: \justifies
10552: \rho
10553: \vdash_\beta
10554: \langle
10555: \kw{gvar} \id : \aT = e,
10556: \sigma
10557: \rangle
10558: \rightarrow
10559: \langle \rho_0, \sigma_0 \rangle
10560: \endprooftree
10561: \end{gather*}
10562: if $\arraydatnew(m, \valstate) = (\sigma_0, l)$ and
10563: $\rho_0 = \bigl\{ \id \mapsto (l, \aT) \bigr\}$.
10564: %
10565: \end{description}
10566: %%
10567: The rules for local array declaration are similar.
10568: Since function abstracts are now stored in memory structures,
10569: a few minor adaptations, omitted for space reasons, are also required
10570: for the rule of function declarations (which uses $\txtnew$) and
10571: the rules for recursive environments and declarations.
10572:
10573: \subsection{Heap Memory Management}
10574: \label{sec:heap-memory-management}
10575:
10576: By adding a \emph{heap segment} to memory structures, as well as
10577: suitable helper functions ($\heapnew$, $\heapdel$ and the
10578: corresponding array versions), it is possible to further extend
10579: the language to embrace dynamic memory allocation and deallocation.
10580:
10581: \subsubsection{Syntax}
10582:
10583: We add an allocation expression and a deallocation statement:
10584: \begin{align*}
10585: \Exp &\ni
10586: e ::= \ldots
10587: \vbar \kw{new} \sT = e \\
10588: \Stmt &\ni
10589: s ::= \ldots
10590: \vbar \kw{delete} e
10591: \end{align*}
10592:
10593: \subsubsection{Static Semantics}
10594:
10595: \begin{align*}
10596: %% New storable.
10597: \prooftree
10598: \beta \vdash_I e : \sT
10599: \justifies
10600: \beta \vdash_I \kw{new} \sT = e : \pointer{\sT}
10601: \endprooftree
10602: &\quad&
10603: %% Delete storable.
10604: \prooftree
10605: \beta \vdash_I e : \pointer{\sT}
10606: \justifies
10607: \beta \vdash_I \kw{delete} e
10608: \endprooftree
10609: \end{align*}
10610:
10611: \subsubsection{Concrete Dynamic Semantics}
10612: This is extended with the schemata:
10613: \begin{description}
10614: %
10615: \item[New expression]
10616: %
10617: \begin{align*}
10618: &
10619: \begin{aligned}
10620: \prooftree
10621: \rho \vdash_\beta \langle e, \sigma \rangle
10622: \rightarrow
10623: \exceptstate
10624: \justifies
10625: \rho \vdash_\beta \langle \kw{new} \sT = e, \sigma \rangle
10626: \rightarrow
10627: \exceptstate
10628: \endprooftree
10629: %%
10630: &\quad&
10631: %%
10632: \prooftree
10633: \rho \vdash_\beta \langle e, \sigma \rangle
10634: \rightarrow
10635: \valstate
10636: \justifies
10637: \rho \vdash_\beta \langle \kw{new} \sT = e, \sigma \rangle
10638: \rightarrow
10639: \exceptstate
10640: \using\quad\text{if $\heapnew(\valstate) = \exceptstate$}
10641: \endprooftree
10642: \end{aligned} \\[1ex]
10643: %%
10644: &
10645: \prooftree
10646: \rho \vdash_\beta \langle e, \sigma \rangle
10647: \rightarrow
10648: \valstate
10649: \justifies
10650: \rho \vdash_\beta \langle \kw{new} \sT = e, \sigma \rangle
10651: \rightarrow
10652: \langle l, \sigma_0 \rangle
10653: \using\quad\text{if $\heapnew(\valstate) = (\sigma_0, l)$}
10654: \endprooftree
10655: \end{align*}
10656: %
10657: \item[Delete operator]
10658: %
10659: \begin{align*}
10660: \prooftree
10661: \rho \vdash_\beta \langle e, \sigma \rangle
10662: \rightarrow
10663: \exceptstate
10664: \justifies
10665: \rho \vdash_\beta \langle \kw{delete} e, \sigma \rangle
10666: \rightarrow
10667: \exceptstate
10668: \endprooftree
10669: %%
10670: &\quad&
10671: %%
10672: \prooftree
10673: \rho \vdash_\beta \langle e, \sigma \rangle
10674: \rightarrow
10675: \valstate
10676: \justifies
10677: \rho \vdash_\beta \langle \kw{delete} e, \sigma \rangle
10678: \rightarrow
10679: \heapdel(\valstate)
10680: \endprooftree
10681: \end{align*}
10682: %
10683: \end{description}
10684: %%
10685: Similar rules allow for allocation and deallocation of an array on the heap:
10686: note that, contrary to the previous cases,
10687: the dimensions of the array can be specified as expressions
10688: that will be evaluated dynamically.
10689:
10690: Regarding the abstract semantics, the extensions concerning C-like
10691: pointers and arrays as well as heap memory management can be obtained
10692: along the lines followed in
10693: Section~\ref{sec:abstract-dynamic-semantics}.
10694: In particular, the new memory structure operators described above are
10695: provided with safe approximations and a new abstract domain $\Loc^\sharp$
10696: for location-valued expressions has to be defined.
10697: By generalizing the abstract memory read and update operators so as
10698: to take as input an abstract location, we realize the so-called
10699: \emph{weak read} and \emph{weak update} operators, so as to correctly
10700: deal with, e.g., assignments or function calls whose target is not
10701: statically known.
10702: In practice, no fundamentally new issue has to be solved as far as
10703: the specification of the abstract interpreter is concerned.
10704: This is not to say that these extensions are trivial; rather,
10705: the real issues (e.g., the efficient and accurate tracking of
10706: aliasing information for pointers~\cite{Emami93th,EmamiGH94}
10707: or the appropriate summarization
10708: techniques for large arrays~\cite{GopanRS05} and
10709: heap-allocated data~\cite{GopanDMDRS04,SagivRW02})
10710: are orthogonal to the current approach and should be addressed elsewhere.
10711:
10712:
10713: \subsection{Non-Structured Control Flow Mechanisms}
10714: \label{sec:non-structured-control-flow-mechanisms}
10715:
10716: It turns out that the approach we have chosen to model exceptional
10717: behavior of programs can be easily generalized so as to capture all the
10718: non-structured control flow mechanisms of languages such as
10719: C and \Cplusplus{}.
10720: To exemplify such a generalization, the abstract syntax of commands is
10721: extended with branching and labeled statements:
10722: \begin{align*}
10723: \Label \ni
10724: l &::= \id
10725: \vbar m
10726: \vbar \kw{default} \\
10727: \Stmt \ni
10728: s &::= \ldots
10729: \vbar \kw{goto} \id
10730: \vbar \kw{switch} e \kw{in} s
10731: \vbar \kw{break}
10732: \vbar \kw{continue}
10733: \vbar \kw{return} e
10734: \vbar l : s
10735: \end{align*}
10736: We assume that the static semantics ensures the labels used in a function
10737: body are all distinct (if the language supports local labels, then a trivial
10738: renaming will be required) and that every goto has access to a corresponding
10739: labeled statement, respecting the constraints imposed by the language
10740: (concerning, for instance, jumping into and outside blocks).
10741:
10742: The state of a computation is captured, besides the current
10743: program point, by a \emph{control mode} and a memory structure,
10744: which together constitute what we call a \emph{control state}.
10745: A control state is classified by the corresponding control mode
10746: in either a plain execution state or an \emph{exception state};
10747: a plain execution state can be further distinguished in either
10748: a \emph{normal execution state},
10749: or a \emph{branching state},
10750: or a \emph{value state} (for computations yielding a proper value),
10751: or an \emph{environment state} (for computations yielding an
10752: execution environment).
10753: \begin{definition}
10754: \summary{($\GotoMode$, $\SwitchMode$, $\ValMode$,
10755: $\EnvMode$, $\ExceptMode$, $\CtrlMode$,
10756: $\CtrlState$.)}
10757: \label{def:concrete-control-mode}
10758: \label{def:concrete-control-state}
10759: The sets of \emph{goto}, \emph{switch},
10760: \emph{value},
10761: \emph{environment}, \emph{exception} and all \emph{control modes}
10762: are given, respectively, by
10763: \begin{align*}
10764: \GotoMode
10765: &\defeq
10766: \bigl\{\, \cmgoto(\id) \bigm| \id \in \Id \,\bigr\}, \\
10767: \SwitchMode
10768: &\defeq
10769: \bigl\{\, \cmswitch(\sval) \bigm| \sval \in \sVal \,\bigr\}, \\
10770: \ValMode
10771: &\defeq
10772: \bigl\{\, \cmvalue(\sval) \bigm| \sval \in \sVal \,\bigr\}, \\
10773: \EnvMode
10774: &\defeq
10775: \bigl\{\, \cmenv(\rho) \bigm| \rho \in \Env \,\bigr\}, \\
10776: \ExceptMode
10777: &\defeq
10778: \bigl\{\, \cmexcept(\except) \bigm| \except \in \Except \,\bigr\}, \\
10779: \CtrlMode
10780: &\defeq
10781: \GotoMode \uplus \SwitchMode \uplus \ValMode
10782: \uplus \EnvMode \\
10783: & \qquad \uplus \ExceptMode
10784: \uplus \{ \cmcontinue, \cmbreak, \cmreturn, \cmexec \},
10785: \end{align*}
10786: where $\cmcontinue$, $\cmbreak$ and $\cmreturn$
10787: are the \emph{exit modes}
10788: and $\cmexec$ is the \emph{plain execution mode}.
10789: Control modes are denoted by $\cm$, $\cm_0$, $\cm_1$ and so forth.
10790:
10791: A \emph{control state} is an element of
10792: \(
10793: \CtrlState
10794: \defeq
10795: \CtrlMode \times \Mem
10796: \).
10797: Control states are denoted by
10798: $\cs$, $\cs_0$, $\cs_1$ and so forth.
10799: \end{definition}
10800:
10801: The concrete semantics of the goto statement can now be expressed by
10802: \[
10803: \prooftree
10804: \nohyp
10805: \justifies
10806: \rho \vdash_\beta
10807: \bigl\langle
10808: \kw{goto} \id, (\cm, \sigma)
10809: \bigr\rangle
10810: \rightarrow
10811: \langle \cm_0, \sigma \rangle
10812: \endprooftree
10813: \]
10814: if $\cm = \cmexec$ and $\cm_0 = \cmgoto(\id)$ or
10815: $\cm \neq \cmexec$ and $\cm_0 = \cm$.
10816:
10817: The semantics of labeled statements is given by
10818: \[
10819: \prooftree
10820: \rho \vdash_\beta \bigl\langle s, (\cm_0, \sigma) \bigr\rangle
10821: \rightarrow
10822: \eta
10823: \justifies
10824: \rho \vdash_\beta \bigl\langle l : s, (\cm, \sigma) \rangle
10825: \rightarrow
10826: \eta
10827: \endprooftree
10828: \]
10829: where $\cm_0 = \cmexec$
10830: if $\cm = \cmexec$,
10831: or $\cm = \cmgoto(\id)$ and $l = \id$,
10832: or $\cm = \cmswitch(\sval)$ and $l \in \{\kw{default}, \sval\}$;
10833: otherwise $\cm_0 = \cm$.
10834:
10835: Of course, the semantics of all statements must be suitably modified.
10836: For instance, the assignment should behave like a nop unless the control
10837: mode is the normal execution one.
10838: Statements with non trivial control flow need more work.
10839: For example, the semantics of the conditional statement can be captured
10840: by\footnote{Recall that, in C, it is perfectly legal to jump into
10841: the ``else branch'' from the ``then branch.''}
10842: \begin{gather}
10843: \notag
10844: \prooftree
10845: \rho \vdash_\beta \bigl\langle e, (\cmexec, \sigma) \bigr\rangle
10846: \rightarrow
10847: \langle \cm_0, \sigma_0 \rangle
10848: \justifies
10849: \rho \vdash_\beta
10850: \bigl\langle
10851: \kw{if} e \kw{then} s_0 \kw{else} s_1, (\cmexec, \sigma)
10852: \bigr\rangle
10853: \rightarrow
10854: \langle \cm_0, \sigma_0 \rangle
10855: \using\quad\text{if $\cm_0 \in \ExceptMode$}
10856: \endprooftree \\[1ex]
10857: %%
10858: \label{rule:conc_conditional_then_jumps_into_else}
10859: \prooftree
10860: \begin{aligned}
10861: \rho \vdash_\beta \bigl\langle e, (\cmexec, \sigma) \bigr\rangle
10862: \rightarrow
10863: \bigl\langle \cmvalue(\ttv), \sigma_0 \bigr\rangle
10864: \quad
10865: &\rho \vdash_\beta \bigl\langle s_0, (\cmexec, \sigma_0) \bigr\rangle
10866: \rightarrow
10867: \langle \cm_1, \sigma_1 \rangle \\
10868: &\rho \vdash_\beta
10869: \bigl\langle s_1, (\cm_1, \sigma_1) \bigr\rangle
10870: \rightarrow
10871: \eta
10872: \end{aligned}
10873: \justifies
10874: \rho \vdash_\beta
10875: \bigl\langle \kw{if} e \kw{then} s_0 \kw{else} s_1, (\cmexec, \sigma)
10876: \bigr\rangle
10877: \rightarrow
10878: \eta
10879: \endprooftree
10880: \end{gather}
10881: if $\cm_1 \in \GotoMode$;
10882: \begin{gather}
10883: %%
10884: \notag
10885: \prooftree
10886: \rho \vdash_\beta \bigl\langle e, (\cmexec, \sigma) \bigr\rangle
10887: \rightarrow
10888: \bigl\langle \cmvalue(\ttv), \sigma_0 \bigr\rangle
10889: \quad
10890: \rho \vdash_\beta \bigl\langle s_0, (\cmexec, \sigma_0) \bigr\rangle
10891: \rightarrow
10892: \langle \cm_1, \sigma_1 \rangle
10893: \justifies
10894: \rho \vdash_\beta
10895: \bigl\langle \kw{if} e \kw{then} s_0 \kw{else} s_1, (\cmexec, \sigma)
10896: \bigr\rangle
10897: \rightarrow
10898: \langle \cm_1, \sigma_1 \rangle
10899: \endprooftree
10900: \end{gather}
10901: if $\cm_1 \notin \GotoMode$;
10902: %%
10903: \begin{gather*}
10904: \prooftree
10905: \rho \vdash_\beta \bigl\langle e, (\cmexec, \sigma) \bigr\rangle
10906: \rightarrow
10907: \bigl\langle \cmvalue(\ffv), \sigma_0 \bigr\rangle
10908: \quad
10909: \rho \vdash_\beta \bigl\langle s_1, (\cmexec, \sigma_0) \bigr\rangle
10910: \rightarrow
10911: \eta
10912: \justifies
10913: \rho \vdash_\beta
10914: \bigl\langle
10915: \kw{if} e \kw{then} s_0 \kw{else} s_1, (\cmexec, \sigma)
10916: \bigr\rangle
10917: \rightarrow
10918: \eta
10919: \endprooftree \\[1ex]
10920: %%
10921: \prooftree
10922: \rho \vdash_\beta \bigl\langle s_0, (\cm, \sigma) \bigr\rangle
10923: \rightarrow
10924: \langle \cm_0, \sigma_0 \rangle
10925: \justifies
10926: \rho \vdash_\beta
10927: \bigl\langle
10928: \kw{if} e \kw{then} s_0 \kw{else} s_1, (\cm, \sigma)
10929: \bigr\rangle
10930: \rightarrow
10931: \langle \cm_0, \sigma_0 \rangle
10932: \endprooftree
10933: \end{gather*}
10934: if $\cm \in \GotoMode \uplus \SwitchMode$
10935: and $\cm_0 \notin \GotoMode \uplus \SwitchMode$;
10936: \begin{gather*}
10937: \prooftree
10938: \rho \vdash_\beta \bigl\langle s_0, (\cm, \sigma) \bigr\rangle
10939: \rightarrow
10940: \langle \cm_0, \sigma_0 \rangle
10941: \quad
10942: \rho \vdash_\beta \bigl\langle s_1, (\cm_0, \sigma_0) \bigr\rangle
10943: \rightarrow
10944: \eta
10945: \justifies
10946: \rho \vdash_\beta
10947: \bigl\langle \kw{if} e \kw{then} s_0 \kw{else} s_1, (\cm, \sigma)
10948: \bigr\rangle
10949: \rightarrow
10950: \eta
10951: \endprooftree
10952: \end{gather*}
10953: if $\cm \in \GotoMode \uplus \SwitchMode$
10954: and $\cm_0 \in \GotoMode \uplus \SwitchMode$;
10955: \begin{gather*}
10956: \prooftree
10957: \nohyp
10958: \justifies
10959: \rho \vdash_\beta
10960: \bigl\langle
10961: \kw{if} e \kw{then} s_0 \kw{else} s_1, (\cm, \sigma)
10962: \bigr\rangle
10963: \rightarrow
10964: \langle \cm, \sigma \rangle
10965: \endprooftree
10966: \end{gather*}
10967: if $\cm \notin \GotoMode \uplus \SwitchMode \uplus \{ \cmexec \}$.
10968:
10969: Likewise, the semantics of the $\kw{switch}$ statement can be captured by:
10970: \begin{gather}
10971: \notag
10972: \prooftree
10973: \rho \vdash_\beta \bigl\langle e, (\cmexec, \sigma) \bigr\rangle
10974: \rightarrow
10975: \langle \cm_0, \sigma_0 \rangle
10976: \justifies
10977: \rho \vdash_\beta
10978: \bigl\langle
10979: \kw{switch} e \kw{in} s, (\cmexec, \sigma)
10980: \bigr\rangle
10981: \rightarrow
10982: \langle \cm_0, \sigma_0 \rangle
10983: \using\quad\text{if $\cm_0 \in \ExceptMode$}
10984: \endprooftree \\[1ex]
10985: %%
10986: \notag
10987: \prooftree
10988: \begin{aligned}
10989: &\rho \vdash_\beta \bigl\langle e, (\cmexec, \sigma) \bigr\rangle
10990: \rightarrow
10991: \bigl\langle \cmvalue(\sval_0), \sigma_0 \bigr\rangle \\
10992: &\qquad
10993: \rho \vdash_\beta \bigl\langle s, (\cmswitch(\sval_0), \sigma_0) \bigr\rangle
10994: \rightarrow
10995: \langle \cm_1, \sigma_1 \rangle
10996: \end{aligned}
10997: \justifies
10998: \rho \vdash_\beta
10999: \bigl\langle
11000: \kw{switch} e \kw{in} s, (\cmexec, \sigma)
11001: \bigr\rangle
11002: \rightarrow
11003: \langle \cm_2, \sigma_1 \rangle
11004: \endprooftree
11005: \end{gather}
11006: if
11007: \(
11008: \cm_2 =
11009: \begin{cases}
11010: \cmexec,
11011: &\text{if $\cm_1 \in \SwitchMode \uplus \{ \cmbreak \}$,} \\
11012: \cm_1,
11013: &\text{otherwise;}
11014: \end{cases}
11015: \)
11016: \begin{gather}
11017: %%
11018: \notag
11019: \prooftree
11020: \rho \vdash_\beta \bigl\langle s, (\cmgoto(\id), \sigma) \bigr\rangle
11021: \rightarrow
11022: \langle \cm_0, \sigma_0 \rangle
11023: \justifies
11024: \rho \vdash_\beta
11025: \bigl\langle
11026: \kw{switch} e \kw{in} s, (\cmgoto(\id), \sigma)
11027: \bigr\rangle
11028: \rightarrow
11029: \langle \cm_1, \sigma_0 \rangle
11030: \endprooftree
11031: \end{gather}
11032: if
11033: \(
11034: \cm_1 =
11035: \begin{cases}
11036: \cmexec,
11037: &\text{if $\cm_0 = \cmbreak$,} \\
11038: \cm_0,
11039: &\text{otherwise;}
11040: \end{cases}
11041: \)
11042: %%
11043: \begin{gather}
11044: \notag
11045: \prooftree
11046: \nohyp
11047: \justifies
11048: \rho \vdash_\beta
11049: \bigl\langle
11050: \kw{switch} e \kw{in} s, (\cm, \sigma)
11051: \bigr\rangle
11052: \rightarrow
11053: \langle \cm, \sigma \rangle
11054: \using\quad\text{if $\cm \notin \GotoMode \uplus \{ \cmexec \}$.}
11055: \endprooftree
11056: \end{gather}
11057:
11058: While such a semantic treatment captures all forward jumps,
11059: for backward jumps something more is required.
11060: One simple possibility (which is not the only one) is to explicitly
11061: introduce a looping construct that is (only) available in the abstract
11062: syntax. That is, we extend $\Stmt$ once again as
11063: \[
11064: \Stmt \ni
11065: s ::= \ldots
11066: \vbar \kw{loop} s
11067: \]
11068: and assume that a set of such loops has been inserted so that all backward
11069: jumps are enclosed in at least one loop (notice that at most one such
11070: loop per function body suffices, but more can be used as a matter of
11071: optimization).
11072: For $s \in \Stmt$, let $\SL(s)$ denote the set of statement labels in $s$.
11073: The concrete semantics of this looping construct is now given by
11074: \begin{gather*}
11075: \prooftree
11076: \rho \vdash_\beta \langle s, \cs \rangle
11077: \rightarrow
11078: \langle \cm, \sigma \rangle
11079: \justifies
11080: \rho \vdash_\beta \langle \kw{loop} s, \cs \rangle
11081: \rightarrow
11082: \langle \cm, \sigma \rangle
11083: \using\quad\text{if $\cm \neq \cmgoto(\id)$ for each $\id \in \SL(s)$}
11084: \endprooftree \\[1ex]
11085: \prooftree
11086: \rho \vdash_\beta \langle s, \cs \rangle
11087: \rightarrow
11088: \bigl\langle \cmgoto(\id), \sigma \bigr\rangle
11089: \quad
11090: \rho \vdash_\beta
11091: \bigl\langle \kw{loop} s, \bigl(\cmgoto(\id), \sigma\bigr) \bigr\rangle
11092: \rightarrow
11093: \eta
11094: \justifies
11095: \rho \vdash_\beta \langle \kw{loop} s, \cs \rangle
11096: \rightarrow
11097: \eta
11098: \using\quad\text{if $\id \in \SL(s)$}
11099: \endprooftree
11100: \end{gather*}
11101: Observe that the systematic use of the looping construct can make
11102: rule schema~\eqref{rule:conc_conditional_then_jumps_into_else}
11103: redundant.
11104:
11105: Other rules are omitted for space reasons. However, there are
11106: no additional difficulties besides the ones just addressed:
11107: the rules for $\kw{break}$ and $\kw{continue}$ are straightforward;
11108: $\kw{return} e$ can be modeled as the assignment to the reserved
11109: identifier $\ridx_0$
11110: (see concrete rule~\eqref{rule:conc_function_body_2}),
11111: followed by the setting of the control mode;
11112: the rules for the $\kw{while}$ loop are a bit involved as they must
11113: support the `$\cmbreak$' and `$\cmcontinue$' control modes in addition
11114: to `$\cmgoto$' and `$\cmswitch$'.
11115:
11116: The proposed approach handles non-structured control flow mechanisms
11117: essentially by adding a sort of control register to the rule-based
11118: interpreter of the language.
11119: As far as the abstract semantics is concerned, a first choice to be made
11120: concerns the approximation of the values that the control register can take.
11121: As usual, there is a complexity/precision trade-off to be faced:
11122: the simple solution is to approximate $\wp(\CtrlMode)$ by some (simple)
11123: abstract domain $\CtrlMode^\sharp$ and then approximate
11124: $\CtrlState = \CtrlMode \times \Mem$
11125: by $\CtrlMode^\sharp \stimes \Mem^\sharp$;
11126: a more precise solution is to approximate $\wp(\CtrlState)$
11127: by an abstract domain $\CtrlState^\sharp$ that captures
11128: relational information connecting the control modes to the
11129: memory structures they can be coupled with.
11130: The abstract rules schemata must of course be modified to match the
11131: concrete world.
11132: For instance, the abstract rule for the conditional statement becomes:
11133: \begin{equation*}
11134: \label{rule:abstr_conditional_extended}
11135: \prooftree
11136: \rho \vdash_\beta \langle e, \cs^\sharp_\mathrm{cond} \rangle
11137: \rightarrow
11138: \cs^\sharp_0
11139: \quad
11140: \rho \vdash_\beta \langle s_0, \cs^\sharp_\mathrm{then} \rangle
11141: \rightarrow
11142: \cs^\sharp_1
11143: \quad
11144: \rho \vdash_\beta \langle s_1, \cs^\sharp_\mathrm{else} \rangle
11145: \rightarrow
11146: \cs^\sharp_2
11147: \justifies
11148: \rho
11149: \vdash_\beta
11150: \langle \kw{if} e \kw{then} s_0 \kw{else} s_1, \cs^\sharp \rangle
11151: \rightsquigarrow
11152: \cs^\sharp_3
11153: \endprooftree
11154: \end{equation*}
11155: where
11156: \begin{align*}
11157: \cs^\sharp_\mathrm{cond}
11158: &=
11159: \Phi_\mathrm{e}(\rho, \cs^\sharp, \ttv), \\
11160: \cs^\sharp_\mathrm{then}
11161: &=
11162: \Phi_\mathrm{e}(\rho, \cs^\sharp, e)
11163: \sqcup
11164: \Phi_\mathrm{m}(\cs^\sharp, \GotoMode \uplus \SwitchMode), \\
11165: \cs^\sharp_\mathrm{else}
11166: &=
11167: \Phi_\mathrm{e}(\rho, \cs^\sharp, \kw{not} e)
11168: \sqcup
11169: \Phi_\mathrm{m}(\cs^\sharp_1, \GotoMode)
11170: \sqcup \cs^\sharp_\mathrm{jump}, \\
11171: \cs^\sharp_\mathrm{jump}
11172: &=
11173: \begin{cases}
11174: \bot,
11175: &\text{if
11176: $\Phi_\mathrm{m}(\cs^\sharp, \GotoMode \uplus \SwitchMode) = \bot$,} \\
11177: \Phi_\mathrm{m}(\cs^\sharp_1, C_\mathrm{jump}),
11178: &\text{otherwise,}
11179: \end{cases} \\
11180: C_\mathrm{jump}
11181: &=
11182: \GotoMode \union \bigl\{\,
11183: \cm \in \CtrlMode
11184: \bigm|
11185: \exists \sigma \in \Mem
11186: \st \gamma(\cs^\sharp) = (\cm, \sigma)
11187: \,\bigl\}, \\
11188: \cs^\sharp_3
11189: &=
11190: \Phi_\mathrm{m}
11191: \Bigl(
11192: \cs^\sharp,
11193: \CtrlMode
11194: \setminus
11195: \bigl(\{\cmexec\} \uplus \GotoMode \uplus \SwitchMode\bigr)
11196: \Bigr) \\
11197: &\qquad
11198: \sqcup
11199: \Phi_\mathrm{m}
11200: \Bigl(
11201: \cs^\sharp_0,
11202: \CtrlMode
11203: \setminus
11204: \ValMode
11205: \Bigr)
11206: \sqcup
11207: \cs^\sharp_1
11208: \sqcup
11209: \cs^\sharp_2,
11210: \end{align*}
11211: and the two computable filter functions
11212: \(
11213: \fund{\Phi_\mathrm{e}}%
11214: {(\Env \times \CtrlState^\sharp \times \Exp)}%
11215: {\CtrlState^\sharp}
11216: \)
11217: and
11218: \(
11219: \fund{\Phi_\mathrm{m}}%
11220: {\bigl(\CtrlState^\sharp \times \wp(\CtrlMode)\bigr)}%
11221: {\CtrlState^\sharp}
11222: \)
11223: are defined as follows,
11224: for each $\rho \in \Env$, $\cs^\sharp \in \CtrlState^\sharp$,
11225: $e \in \Exp$ and $C \sseq \CtrlMode$ such that,
11226: for some $\beta \in \TEnv$, $\beta : I$ with $\FI(e) \sseq I$
11227: and $\beta \vdash_I e : \tboolean$:
11228: \begin{align*}
11229: \gamma\bigl(\Phi_\mathrm{e}(\rho, \cs^\sharp, e)\bigr)
11230: &\supseteq
11231: \sset{%
11232: \cs \in \gamma(\cs^\sharp)
11233: }{%
11234: \exists \sigma \in \Mem \st \cs = (\cmexec, \sigma), \\
11235: \exists \sigma' \in \Mem \\
11236: \qquad
11237: \st
11238: \bigl(
11239: \rho
11240: \vdash_\beta
11241: \langle e, \cs \rangle
11242: \rightarrow
11243: \bigl\langle
11244: \cmvalue(\ttv), \sigma'
11245: \bigr\rangle
11246: \bigr)
11247: }, \\
11248: \gamma\bigl(\Phi_\mathrm{m}(\cs^\sharp, C)\bigr)
11249: &\supseteq
11250: \bigl\{\,
11251: \cs \in \gamma(\cs^\sharp)
11252: \bigm|
11253: \exists \sigma \in \Mem \st \cs = (\cm, \sigma),
11254: \cm \in C
11255: \,\bigr\}.
11256: \end{align*}
11257:
11258:
11259: \section{Conclusion}
11260: \label{sec:conclusion}
11261:
11262: In this paper, we have confronted the problem of defining an analysis
11263: framework for the specification and realization of precise static
11264: analyzers for mainstream imperative programming languages, tools in
11265: very short supply that, however, ought to become part of the current
11266: programming practice.
11267: A proposal put forward by Schmidt twelve years ago \cite{Schmidt95}
11268: held, in our eyes, considerable promise, despite the fact it had not
11269: been fully developed and applied in realistic contexts.
11270: It was therefore natural to question whether the promise
11271: could be fulfilled.
11272: To investigate Schmidt's approach, which is based on structured
11273: operational semantics and abstract interpretation, we have defined an
11274: imperative language, CPM, that embodies all the ``problematic features'' of
11275: single-threaded imperative languages now in widespread use.
11276: We have presented a concrete semantics of CPM that is suitable for
11277: abstraction while retaining all the nice features of SOS descriptions.
11278: For a subset of the language we have formally defined an abstract semantics
11279: that can fully exploit the precision offered by relational abstract
11280: domains, and proved its soundness with respect to the concrete one.
11281: We have also shown how approximations of the abstract semantics
11282: can be effectively computed.
11283: In order to provide an experimental evaluation of the ideas presented
11284: in this paper, both the concrete and the abstract semantics
11285: ---instantiated over sophisticated numeric domains and together with
11286: a suitable fixpoint computation engine--- have been incorporated
11287: into the ECLAIR system. This work allows us to conclude that
11288: the proposal of Schmidt can play a crucial role in the development
11289: of reliable and precise analyzers.
11290: The key features of this approach are:
11291: \begin{itemize}
11292: \item
11293: a fairly concise concrete semantics that experts can easily read
11294: (and modify as needed) and that everyone can execute on non-trivial
11295: examples in order to check its agreement with the applicable language
11296: standards;
11297: \item
11298: a fairly concise abstract semantics that is fully parametric with
11299: respect to the abstract domain, that is not difficult to prove correct
11300: with respect to the concrete one (to the point that automatizing the
11301: proof seems to be a reasonable goal), and that directly leads to
11302: the implementation of static analyzers.
11303: \end{itemize}
11304: Of course, the story does not end here. For instance, our analysis
11305: framework is parametric on abstract memory structures. While the
11306: literature seems to provide all that is necessary to realize very
11307: sophisticated ones, it is not difficult to predict that, among all the
11308: code out there waiting to be analyzed, some will greatly exacerbate
11309: the complexity/precision trade-off. However, these are research
11310: problems for the future --- now that we have, as given here, a formal
11311: design on which analyzers can be built, our next goal is to complete
11312: the build and make the technology described here truly available and
11313: deployable.
11314:
11315: \ifthenelse{\boolean{TOPLAS}}{
11316: \begin{acks}
11317: }{
11318: \bigskip
11319: \noindent
11320: {\bfseries Acknowledgments.}
11321: }
11322: Anna Dolma Alonso, Irene Bacchi, Danilo Bonardi, Andrea Cimino,
11323: Enrico Franchi, Davide Masi and Alessandro Vincenzi
11324: (all students of the course on ``Analysis and Verification of Software''
11325: taught by Roberto Bagnara at the University of Parma)
11326: and Vajirapan Panumong (University of Leeds) collaborated on previous,
11327: much more restricted versions of this work.
11328: We are also grateful to David Merchat (formerly at the University of Parma)
11329: and Katy Dobson (University of Leeds)
11330: for the discussions we have had on the subject of this paper.
11331: \ifthenelse{\boolean{TOPLAS}}{
11332: \end{acks}
11333: }{
11334: }
11335:
11336: \ifthenelse{\boolean{TOPLAS}}{
11337: %\bibliographystyle{acmtrans}
11338: \bibliographystyle{amsalpha}
11339: %\bibliographystyle{amsplain}
11340: }{
11341: \bibliographystyle{plain}
11342: }
11343: %\bibliography{ppl,ppl_citations,mybib}
11344: \newcommand{\etalchar}[1]{$^{#1}$}
11345: \newcommand{\noopsort}[1]{}\hyphenation{ Ba-gna-ra Bie-li-ko-va Bruy-noo-ghe
11346: Common-Loops DeMich-iel Dober-kat Di-par-ti-men-to Er-vier Fa-la-schi
11347: Fell-eisen Gam-ma Gem-Stone Glan-ville Gold-in Goos-sens Graph-Trace
11348: Grim-shaw Her-men-e-gil-do Hoeks-ma Hor-o-witz Kam-i-ko Kenn-e-dy Kess-ler
11349: Lisp-edit Lu-ba-chev-sky Ma-te-ma-ti-ca Nich-o-las Obern-dorf Ohsen-doth
11350: Par-log Para-sight Pega-Sys Pren-tice Pu-ru-sho-tha-man Ra-guid-eau Rich-ard
11351: Roe-ver Ros-en-krantz Ru-dolph SIG-OA SIG-PLAN SIG-SOFT SMALL-TALK Schee-vel
11352: Schlotz-hauer Schwartz-bach Sieg-fried Small-talk Spring-er Stroh-meier
11353: Thing-Lab Zhong-xiu Zac-ca-gni-ni Zaf-fa-nel-la Zo-lo }
11354: \providecommand{\bysame}{\leavevmode\hbox to3em{\hrulefill}\thinspace}
11355: \providecommand{\MR}{\relax\ifhmode\unskip\space\fi MR }
11356: % \MRhref is called by the amsart/book/proc definition of \MR.
11357: \providecommand{\MRhref}[2]{%
11358: \href{http://www.ams.org/mathscinet-getitem?mr=#1}{#2}
11359: }
11360: \providecommand{\href}[2]{#2}
11361: \begin{thebibliography}{NMRW02}
11362:
11363: \bibitem[BCC{\etalchar{+}}02]{BlanchetCCFMMMR02}
11364: B.~Blanchet, P.~Cousot, R.~Cousot, J.~Feret, L.~Mauborgne, A.~Min\'e,
11365: D.~Monniaux, and X.~Rival, \emph{Design and implementation of a
11366: special-purpose static program analyzer for safety-critical real-time
11367: embedded software}, The Essence of Computation, Complexity, Analysis,
11368: Transformation. Essays Dedicated to Neil D. Jones [on occasion of his 60th
11369: birthday] (T.~{\AE}. Mogensen, D.~A. Schmidt, and I.~Hal Sudborough, eds.),
11370: Lecture Notes in Computer Science, vol. 2566, Springer-Verlag, Berlin, 2002,
11371: pp.~85--108.
11372:
11373: \bibitem[BCC{\etalchar{+}}03]{BlanchetCCFMMMR03}
11374: \bysame, \emph{A static analyzer for large safety-critical software},
11375: Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design
11376: and Implementation (PLDI'03) (San Diego, California, USA), ACM Press, 2003,
11377: pp.~196--207.
11378:
11379: \bibitem[BHRZ05]{BagnaraHRZ05SCP}
11380: R.~Bagnara, P.~M. Hill, E.~Ricci, and E.~Zaffanella, \emph{Precise widening
11381: operators for convex polyhedra}, Science of Computer Programming \textbf{58}
11382: (2005), no.~1--2, 28--56.
11383:
11384: \bibitem[BHZ05]{BagnaraHZ05FAC}
11385: R.~Bagnara, P.~M. Hill, and E.~Zaffanella, \emph{Not necessarily closed convex
11386: polyhedra and the double description method}, Formal Aspects of Computing
11387: \textbf{17} (2005), no.~2, 222--257.
11388:
11389: \bibitem[BHZ06]{BagnaraHZ06TR}
11390: \bysame, \emph{The {Parma Polyhedra Library}: Toward a complete set of
11391: numerical abstractions for the analysis and verification of hardware and
11392: software systems}, Quaderno 457, Dipartimento di Matematica, Universit\`a di
11393: Parma, Italy, 2006, Available at \url{http://www.cs.unipr.it/Publications/}.
11394: Also published as {\tt arXiv:cs.MS/0612085}, available from
11395: \url{http://arxiv.org/}.
11396:
11397: \bibitem[Bru91]{Bruynooghe91}
11398: M.~Bruynooghe, \emph{A practical framework for the abstract interpretations of
11399: logic programs}, Journal of Logic Programming \textbf{10} (1991), 91--124.
11400:
11401: \bibitem[CC76]{CousotC76}
11402: P.~Cousot and R.~Cousot, \emph{Static determination of dynamic properties of
11403: programs}, Proceedings of the Second International Symposium on Programming
11404: (Paris, France) (B.~Robinet, ed.), Dunod, Paris, France, 1976, pp.~106--130.
11405:
11406: \bibitem[CC77a]{CousotC77}
11407: \bysame, \emph{Abstract interpretation: A unified lattice model for static
11408: analysis of programs by construction or approximation of fixpoints},
11409: Proceedings of the Fourth Annual ACM Symposium on Principles of Programming
11410: Languages (New York), ACM Press, 1977, pp.~238--252.
11411:
11412: \bibitem[CC77b]{CousotC77b}
11413: \bysame, \emph{Static determination of dynamic properties of recursive
11414: procedures}, IFIP Conference on Formal Description of Programming Concepts
11415: (E.~J. Neuhold, ed.), North-Holland, 1977, pp.~237--277.
11416:
11417: \bibitem[CC79]{CousotC79}
11418: \bysame, \emph{Systematic design of program analysis frameworks}, Proceedings
11419: of the Sixth Annual ACM Symposium on Principles of Programming Languages (New
11420: York), ACM Press, 1979, pp.~269--282.
11421:
11422: \bibitem[CC92a]{CousotC92fr}
11423: \bysame, \emph{Abstract interpretation frameworks}, Journal of Logic and
11424: Computation \textbf{2} (1992), no.~4, 511--547.
11425:
11426: \bibitem[CC92b]{CousotC92plilp}
11427: \bysame, \emph{Comparing the {Galois} connection and widening/narrowing
11428: approaches to abstract interpretation}, Proceedings of the 4th International
11429: Symposium on Programming Language Implementation and Logic Programming
11430: (Leuven, Belgium) (M.~Bruynooghe and M.~Wirsing, eds.), Lecture Notes in
11431: Computer Science, vol. 631, Springer-Verlag, Berlin, 1992, pp.~269--295.
11432:
11433: \bibitem[CC92c]{CousotC92}
11434: \bysame, \emph{Inductive definitions, semantics and abstract interpretation},
11435: Proceedings of the Nineteenth Annual ACM Symposium on Principles of
11436: Programming Languages (Albuquerque, New Mexico, USA), ACM Press, 1992,
11437: pp.~83--94.
11438:
11439: \bibitem[CC94]{CousotC94}
11440: \bysame, \emph{Higher-order abstract interpretation (and application to
11441: comportment analysis generalizing strictness, termination, projection and
11442: {PER} analysis of functional languages)}, Proceedings of the IEEE Computer
11443: Society 1994 International Conference on Computer Languages (Toulouse,
11444: France) (H.~E. Bal, ed.), IEEE Computer Society Press, 1994, Invited paper,
11445: pp.~95--112.
11446:
11447: \bibitem[CH78]{CousotH78}
11448: P.~Cousot and N.~Halbwachs, \emph{Automatic discovery of linear restraints
11449: among variables of a program}, Conference Record of the Fifth Annual ACM
11450: Symposium on Principles of Programming Languages (Tucson, Arizona), ACM
11451: Press, 1978, pp.~84--96.
11452:
11453: \bibitem[Cou81]{Cousot81}
11454: P.~Cousot, \emph{Semantic foundations of program analysis}, Program Flow
11455: Analysis: Theory and Applications (S.~S. Muchnick and N.~D. Jones, eds.),
11456: Prentice Hall, Englewood Cliffs, NJ, USA, 1981, pp.~303--342.
11457:
11458: \bibitem[Cou99]{Cousot98mark}
11459: \bysame, \emph{The calculational design of a generic abstract interpreter},
11460: Calculational System Design (M.~Broy and R.~Steinbr{\"u}ggen, eds.), NATO ASI
11461: Series F. IOS Press, Amsterdam, NL, 1999.
11462:
11463: \bibitem[Cou05]{Cousot05b}
11464: \bysame, \emph{The verification grand challenge and abstract interpretation},
11465: Verified Software: Theories, Tools, Experiments (VSTTE) (ETH {Z\"urich},
11466: Switzerland), 2005, Position paper.
11467:
11468: \bibitem[DRS01]{DorRS01}
11469: N.~Dor, M.~Rodeh, and S.~Sagiv, \emph{Cleanness checking of string
11470: manipulations in {C} programs via integer analysis}, Static Analysis: 8th
11471: International Symposium, SAS 2001 (Paris, France) (P.~Cousot, ed.), Lecture
11472: Notes in Computer Science, vol. 2126, Springer-Verlag, Berlin, 2001,
11473: pp.~194--212.
11474:
11475: \bibitem[EGH94]{EmamiGH94}
11476: M.~Emami, R.~Ghiya, and L.~J. Hendren, \emph{Context-sensitive interprocedural
11477: points-to analysis in the presence of function pointers}, Proceedings of the
11478: ACM SIGPLAN'94 Conference on Programming Language Design and Implementation
11479: (Orlando, Florida), vol.~29, ACM SIGPLAN Notices, no.~6, Association for
11480: Computing Machinery, 1994, pp.~242--256.
11481:
11482: \bibitem[Ema93]{Emami93th}
11483: M.~Emami, \emph{A practical inter-procedural alias analysis for an
11484: optimizing/paralleling {C} compiler}, Master's thesis, School of Computer
11485: Science, McGill University, Montreal, Canada, August 1993.
11486:
11487: \bibitem[GDD{\etalchar{+}}04]{GopanDMDRS04}
11488: D.~Gopan, F.~DiMaio, N.~Dor, T.~Reps, and M.~Sagiv, \emph{Numeric domains with
11489: summarized dimensions}, Tools and Algorithms for the Construction and
11490: Analysis of Systems, 10th International Conference, TACAS 2004 (Barcelona,
11491: Spain) (K.~Jensen and A.~Podelski, eds.), Lecture Notes in Computer Science,
11492: vol. 2988, Springer-Verlag, Berlin, 2004, pp.~512--529.
11493:
11494: \bibitem[GDL92]{GiacobazziDL92}
11495: R.~Giacobazzi, S.~K. Debray, and G.~Levi, \emph{A generalized semantics for
11496: constraint logic programs}, Proceedings of the International Conference on
11497: Fifth Generation Computer Systems (FGCS'92) (Tokyo, Japan), ICOT, 1992,
11498: pp.~581--591.
11499:
11500: \bibitem[GRS05]{GopanRS05}
11501: D.~Gopan, T.~W. Reps, and M.~Sagiv, \emph{A framework for numeric analysis of
11502: array operations}, Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on
11503: Principles of Programming Languages (Long Beach, California, USA), 2005,
11504: pp.~338--350.
11505:
11506: \bibitem[Hal93]{Halbwachs93}
11507: N.~Halbwachs, \emph{Delay analysis in synchronous programs}, Computer Aided
11508: Verification: Proceedings of the 5th International Conference (Elounda,
11509: Greece) (C.~Courcoubetis, ed.), Lecture Notes in Computer Science, vol. 697,
11510: Springer-Verlag, Berlin, 1993, pp.~333--346.
11511:
11512: \bibitem[Hoa03]{Hoare03}
11513: C.~A.~R. Hoare, \emph{The verifying compiler: A grand challenge for computing
11514: research}, Journal of the ACM \textbf{50} (2003), no.~1, 63--69.
11515:
11516: \bibitem[HPR97]{HalbwachsPR97}
11517: N.~Halbwachs, Y.-E. Proy, and P.~Roumanoff, \emph{Verification of real-time
11518: systems using linear relation analysis}, Formal Methods in System Design
11519: \textbf{11} (1997), no.~2, 157--185.
11520:
11521: \bibitem[JS03]{JeannetS03TR}
11522: B.~Jeannet and W.~Serwe, \emph{Abstracting call-stacks for interprocedural
11523: verification of imperative programs}, Publication interne 1543, IRISA, Campus
11524: de Beaulieu, Rennes, France, 2003.
11525:
11526: \bibitem[JS04]{JeannetS04}
11527: \bysame, \emph{Abstracting call-stacks for interprocedural verification of
11528: imperative programs}, Proceedings of the 10th International Conference on
11529: Algebraic Methodology and Software Technology (Stirling, Scotland, UK)
11530: (C.~Rattray, S.~Maharaj, and C.~Shankland, eds.), Lecture Notes in Computer
11531: Science, vol. 3116, Springer-Verlag, Berlin, 2004, pp.~258--273.
11532:
11533: \bibitem[Kah87]{Kahn87}
11534: G.~Kahn, \emph{Natural semantics}, Proceedings of the 4th Annual Symposium on
11535: Theoretical Aspects of Computer Science (Passau, Germany) (F.-J. Brandenburg,
11536: G.~Vidal-Naquet, and M.~Wirsing, eds.), Lecture Notes in Computer Science,
11537: vol. 247, Springer-Verlag, Berlin, 1987, pp.~22--39.
11538:
11539: \bibitem[Ler06]{Leroy06}
11540: X.~Leroy, \emph{Coinductive big-step operational semantics}, Programming
11541: Languages and Systems, Proceedings of the 14th European Symposium on
11542: Programming (Vienna, Austria) (P.~Sestoft, ed.), Lecture Notes in Computer
11543: Science, vol. 3924, Springer-Verlag, Berlin, 2006, pp.~54--68.
11544:
11545: \bibitem[Min06]{Mine06a}
11546: A.~Min{\'e}, \emph{Field-sensitive value analysis of embedded {C} programs with
11547: union types and pointer arithmetics}, Proceedings of the 2006 ACM
11548: SIGPLAN/SIGBED Conference on Languages, Compilers, and Tools for Embedded
11549: Systems (Ottawa, Ontario, Canada) (M.~J. Irwin and K.~{De Bosschere}, eds.),
11550: ACM Press, 2006, pp.~54--63.
11551:
11552: \bibitem[NMRW02]{NeculaMRW02}
11553: G.~C. Necula, S.~McPeak, S.~P. Rahul, and W.~Weimer, \emph{{CIL}: Intermediate
11554: language and tools for analysis and transformation of {C} programs}, Compiler
11555: Construction: Proceedings of the 11th International Conference (CC 2002)
11556: (Grenoble, France) (R.~N. Horspool, ed.), Lecture Notes in Computer Science,
11557: vol. 2304, Springer-Verlag, Berlin, 2002, pp.~213--228.
11558:
11559: \bibitem[Plo04]{Plotkin04b}
11560: G.~D. Plotkin, \emph{A structural approach to operational semantics}, Journal
11561: of Logic and Algebraic Programming \textbf{60--61} (2004), 17--139.
11562:
11563: \bibitem[Sch95]{Schmidt95}
11564: D.~A. Schmidt, \emph{Natural-semantics-based abstract interpretation
11565: (preliminary version)}, Static Analysis: Proceedings of the 2nd International
11566: Symposium (Glasgow, UK) (A.~Mycroft, ed.), Lecture Notes in Computer Science,
11567: vol. 983, Springer-Verlag, Berlin, 1995, pp.~1--18.
11568:
11569: \bibitem[Sch97]{Schmidt97}
11570: \bysame, \emph{Abstract interpretation of small-step semantics}, Analysis and
11571: Verification of Multiple-Agent Languages (M.~Dam, ed.), Lecture Notes in
11572: Computer Science, vol. 1192, Springer-Verlag, Berlin, 1997, 5th LOMAPS
11573: Workshop Stockholm, Sweden, June 24--26, 1996, Selected Papers, pp.~76--99.
11574:
11575: \bibitem[Sch98]{Schmidt98}
11576: \bysame, \emph{Trace-based abstract interpretation of operational semantics},
11577: {LISP} and Symbolic Computation \textbf{10} (1998), no.~3, 237--271.
11578:
11579: \bibitem[SKS00]{ShahamKS00}
11580: R.~Shaham, E.~K. Kolodner, and S.~Sagiv, \emph{Automatic removal of array
11581: memory leaks in {J}ava}, Proceedings of the 9th International Conference on
11582: Compiler Construction (CC 2000) (Berlin, Germany) (D.~A. Watt, ed.), Lecture
11583: Notes in Computer Science, vol. 1781, Springer-Verlag, Berlin, 2000,
11584: pp.~50--66.
11585:
11586: \bibitem[SP81]{SharirP81}
11587: M.~Sharir and A.~Pnueli, \emph{Two approaches to interprocedural data flow
11588: analysis}, Program Flow Analysis: Theory and Applications (S.~S. Muchnick and
11589: N.~D. Jones, eds.), Prentice Hall, Englewood Cliffs, NJ, USA, 1981,
11590: pp.~189--233.
11591:
11592: \bibitem[SRW02]{SagivRW02}
11593: S.~Sagiv, T.~W. Reps, and R.~Wilhelm, \emph{Parametric shape analysis via
11594: 3-valued logic}, ACM Transactions on Programming Languages and Systems
11595: \textbf{24} (2002), no.~3, 217--298.
11596:
11597: \end{thebibliography}
11598:
11599: \received
11600: \endreceived
11601:
11602: \end{document}
11603: