Lecture notes 20190604

More Semantics 5 Separation 1

Require Import Coq.Relations.Relation_Operators.
Require Import Coq.Relations.Relation_Definitions.
Require Export Coq.ZArith.ZArith.
Require Export Coq.Strings.String.
Require Export Coq.Logic.Classical.

Arguments clos_refl_trans {A} _ _ _.
Arguments clos_refl_trans_1n {A} _ _ _.
Arguments clos_refl_trans_n₁ {A} _ _ _.

Open Scope Z.

Review

Definition var: Type := nat.

Definition var2addr (X: var): Z := Z.of_nat X + 1.

Definition state: Type := Z → option Z.

Inductive aevalR : aexp → state → Z → Prop :=
  | E_ANum n st:
      aevalR (ANum n) st n
  | E_AId X st n:
      st (var2addr X) = Some n →
      aevalR (AId X) st n
  | E_APlus (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂) :
      aevalR (APlus e₁ e₂) st (n₁ + n₂)
  | E_AMinus (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂) :
      aevalR (AMinus e₁ e₂) st (n₁ - n₂)
  | E_AMult (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂) :
      aevalR (AMult e₁ e₂) st (n₁ * n₂)
  | E_ADeref (e₁: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : st n₁ = Some n₂) :
      aevalR (ADeref e₁) st n₂
  | E_AAddre (e₁: aexp) (n₁: Z) st
      (H₁ : aevalL e₁ st n₁):
      aevalR (AAddr e₁) st n₁
with aevalL : aexp → state → Z → Prop :=
  | EL_AId X st:
      aevalL (AId X) st (var2addr X)
  | EL_ADeref (e₁: aexp) (n₁: Z) st
      (H₁ : aevalR e₁ st n₁) :
      aevalL (ADeref e₁) st n₁.

Inductive beval : bexp → state → bool → Prop :=
  | E_BTrue st:
      beval BTrue st true
  | E_BFalse st:
      beval BFalse st false
  | E_BEqTrue (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂)
      (H₃ : n₁ = n₂) :
      beval (BEq e₁ e₂) st true
  | E_BEqFalse (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂)
      (H₃ : n₁ ≠ n₂) :
      beval (BEq e₁ e₂) st false
  | E_BLeTrue (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂)
      (H₃ : n₁ < n₂) :
      beval (BLe e₁ e₂) st true
  | E_BLeFalse (e₁ e₂: aexp) (n₁ n₂: Z) st
      (H₁ : aevalR e₁ st n₁)
      (H₂ : aevalR e₂ st n₂)
      (H₃ : n₁ ≥ n₂) :
      beval (BLe e₁ e₂) st false
  | E_BNot (e: bexp) (b: bool) st
      (H₁ : beval e st b):
      beval (BNot e) st (negb b)
  | E_BAnd (e₁ e₂: bexp) (b₁ b₂: bool) st
      (H₁ : beval e₁ st b₁)
      (H₂ : beval e₂ st b₂):
      beval (BAnd e₁ e₂) st (andb b₁ b₂).

Module Example.

The following statements are all straightforward if you know a little bit about C programming. The point here is not to persuad yourself that they are correct. It is rather important to see that we can formally prove them under our definitions above. We suppose that X and Y are variable 0 and 1.

Definition X := 0%nat.
Definition Y := 1%nat.

Suppose st is a program state such that the values stored on X and Y are 100 and 99. Also, we assume that the value stored on address 99 and 100 are both 0, and 0 is a null address.

Parameter st: state.
Hypothesis stX: st (var2addr X) = Some 100.
Hypothesis stY: st (var2addr Y) = Some 99.
Hypothesis st₉₉: st 99 = Some 0.
Hypothesis st100: st 100 = Some 0.
Hypothesis st₀: st 0 = None.

Here are two basic statements.

Fact ex₁: aevalR (AId X) st 100.
Proof. apply E_AId. apply stX. Qed.

Fact ex₂: aevalR (AId Y) st 99.
Proof. apply E_AId. apply stY. Qed.

The following statements talk about X and Y's address.

Fact ex₃: aevalL (AId X) st 1.
Proof. apply EL_AId. Qed.

Fact ex₄: aevalL (AId Y) st 2.
Proof. apply EL_AId. Qed.

Fact ex₅: aevalR (AAddr (AId X)) st 1.
Proof. apply E_AAddre. apply EL_AId. Qed.

Fact ex₆: aevalR (AAddr (AId Y)) st 2.
Proof. apply E_AAddre. apply EL_AId. Qed.

We can also use the values stored in X and Y as addresses.

Fact ex₇: aevalR (ADeref (AId X)) st 0. (* The value of expreesion * X. *)
Proof. eapply E_ADeref. apply E_AId. apply stX. apply st100. Qed.

Fact ex₈: aevalR (ADeref (AId Y)) st 0. (* The value of expreesion * Y. *)
Proof. eapply E_ADeref. apply E_AId. apply stY. apply st₉₉. Qed.

It is not too weird to talk about dereference of dereference.

Fact ex₉: ∀v, ¬aevalR (ADeref (ADeref (AId X))) st v.
(* The value of expreesion * * X. *)
Proof.
  unfold not.
  intros.
  inversion H; subst.
  inversion H₀; subst.
  inversion H₃; subst.
  rewrite stX in H₅.
  injection H₅ as ?.
  subst n₀.
  rewrite st100 in H₄.
  injection H₄ as ?.
  subst n₁.
  rewrite st₀ in H₂.
  discriminate H₂.
Qed.

End Example.

Programs' Denotations

The interesting cases below are about assignment commands. Specifically, an assignment command may fail in 3 different way: l-value evaluation fails; rvalue evaluation fails; the address to write is not available.

Inductive ceval : com → state → option state → Prop :=
  | E_Skip st:
      ceval CSkip st (Some st)
  | E_AssSucc st₁ st₂ E E' n n' (* <-- new *)
      (H₁: aevalL E st₁ n)
      (H₂: aevalR E' st₁ n')
      (H₃: st₁ n ≠ None)
      (H₄: st₂ n = Some n')
      (H₅: ∀n'', n ≠ n'' → st₁ n'' = st₂ n''):
      ceval (CAss E E') st₁ (Some st₂)
  | E_AssFail1 st₁ E E' (* <-- new *)
      (H₁: ∀n, ¬aevalL E st₁ n):
      ceval (CAss E E') st₁ None
  | E_AssFail2 st₁ E E' (* <-- new *)
      (H₁: ∀n', ¬aevalR E' st₁ n'):
      ceval (CAss E E') st₁ None
  | E_AssFail3 st₁ E E' n (* <-- new *)
      (H₁: aevalL E st₁ n)
      (H₂: st₁ n = None):
      ceval (CAss E E') st₁ None
  | E_SeqSafe c₁ c₂ st st' o
      (H₁: ceval c₁ st (Some st'))
      (H₂: ceval c₂ st' o):
      ceval (CSeq c₁ c₂) st o
  | E_SeqCrush c₁ c₂ st
      (H₁: ceval c₁ st None):
      ceval (CSeq c₁ c₂) st None
  | E_IfTrue st o b c₁ c₂
      (H₁: beval b st true)
      (H₂: ceval c₁ st o):
      ceval (CIf b c₁ c₂) st o
  | E_IfFalse st o b c₁ c₂
      (H₁: beval b st false)
      (H₂: ceval c₂ st o):
      ceval (CIf b c₁ c₂) st o
  | E_IfFail st b c₁ c₂
      (H₁: ¬beval b st true)
      (H₂: ¬beval b st false):
      ceval (CIf b c₁ c₂) st None
  | E_WhileFalse b st c
      (H₁: beval b st false):
      ceval (CWhile b c) st (Some st)
  | E_WhileTrue st o b c
      (H₁: beval b st true)
      (H₂: ceval (CSeq c (CWhile b c)) st o):
      ceval (CWhile b c) st o
  | E_WhileFail st b c
      (H₁: ¬beval b st true)
      (H₂: ¬beval b st false):
      ceval (CWhile b c) st None.

Small Step Semantics for Expression Evaluation

Inductive aexp_halt: aexp → Prop :=
| AH_num : ∀n, aexp_halt (ANum n).

Inductive astepR : state → aexp → aexp → Prop :=
  | ASR_Id : ∀st X n,
      st (var2addr X) = Some n →
      astepR st
        (AId X) (ANum n)

  | ASR_Plus1 : ∀st a₁ a₁' a₂,
      astepR st
        a₁ a₁' →
      astepR st
        (APlus a₁ a₂) (APlus a₁' a₂)
  | ASR_Plus2 : ∀st a₁ a₂ a₂',
      aexp_halt a₁ →
      astepR st
        a₂ a₂' →
      astepR st
        (APlus a₁ a₂) (APlus a₁ a₂')
  | ASR_Plus : ∀st n₁ n₂,
      astepR st
        (APlus (ANum n₁) (ANum n₂)) (ANum (n₁ + n₂))

  | ASR_Minus1 : ∀st a₁ a₁' a₂,
      astepR st
        a₁ a₁' →
      astepR st
        (AMinus a₁ a₂) (AMinus a₁' a₂)
  | ASR_Minus2 : ∀st a₁ a₂ a₂',
      aexp_halt a₁ →
      astepR st
        a₂ a₂' →
      astepR st
        (AMinus a₁ a₂) (AMinus a₁ a₂')
  | ASR_Minus : ∀st n₁ n₂,
      astepR st
        (AMinus (ANum n₁) (ANum n₂)) (ANum (n₁ - n₂))

  | ASR_Mult1 : ∀st a₁ a₁' a₂,
      astepR st
        a₁ a₁' →
      astepR st
        (AMult a₁ a₂) (AMult a₁' a₂)
  | ASR_Mult2 : ∀st a₁ a₂ a₂',
      aexp_halt a₁ →
      astepR st
        a₂ a₂' →
      astepR st
        (AMult a₁ a₂) (AMult a₁ a₂')
  | ASR_Mult : ∀st n₁ n₂,
      astepR st
        (AMult (ANum n₁) (ANum n₂)) (ANum (n₁ * n₂))

  | ASR_DerefStep : ∀st a₁ a₁',
      astepR st
        a₁ a₁' →
      astepR st
        (ADeref a₁) (ADeref a₁')
  | ASR_Deref : ∀st n n',
      st n = Some n' →
      astepR st
        (ADeref (ANum n)) (ANum n')

  | ASR_AddrStep : ∀st a₁ a₁',
      astepL st
        a₁ a₁' →
      astepR st
        (AAddr a₁) (AAddr a₁')
  | ASR_Addr : ∀st n,
      astepR st
        (AAddr (ADeref (ANum n))) (ANum n)
with astepL : state → aexp → aexp → Prop :=
  | ASL_Id: ∀st X,
      astepL st
        (AId X) (ADeref (ANum (var2addr X)))

  | ASL_DerefStep: ∀st a₁ a₁',
      astepR st
        a₁ a₁' →
      astepL st
        (ADeref a₁) (ADeref a₁')
.

Inductive bstep : state → bexp → bexp → Prop :=

  | BS_Eq₁ : ∀st a₁ a₁' a₂,
      astepR st
        a₁ a₁' →
      bstep st
        (BEq a₁ a₂) (BEq a₁' a₂)
  | BS_Eq₂ : ∀st a₁ a₂ a₂',
      aexp_halt a₁ →
      astepR st
        a₂ a₂' →
      bstep st
        (BEq a₁ a₂) (BEq a₁ a₂')
  | BS_Eq_True : ∀st n₁ n₂,
      n₁ = n₂ →
      bstep st
        (BEq (ANum n₁) (ANum n₂)) BTrue
  | BS_Eq_False : ∀st n₁ n₂,
      n₁ ≠ n₂ →
      bstep st
        (BEq (ANum n₁) (ANum n₂)) BFalse

  | BS_Le₁ : ∀st a₁ a₁' a₂,
      astepR st
        a₁ a₁' →
      bstep st
        (BLe a₁ a₂) (BLe a₁' a₂)
  | BS_Le₂ : ∀st a₁ a₂ a₂',
      aexp_halt a₁ →
      astepR st
        a₂ a₂' →
      bstep st
        (BLe a₁ a₂) (BLe a₁ a₂')
  | BS_Le_True : ∀st n₁ n₂,
      n₁ ≤ n₂ →
      bstep st
        (BLe (ANum n₁) (ANum n₂)) BTrue
  | BS_Le_False : ∀st n₁ n₂,
      n₁ > n₂ →
      bstep st
        (BLe (ANum n₁) (ANum n₂)) BFalse

  | BS_NotStep : ∀st b₁ b₁',
      bstep st
        b₁ b₁' →
      bstep st
        (BNot b₁) (BNot b₁')
  | BS_NotTrue : ∀st,
      bstep st
        (BNot BTrue) BFalse
  | BS_NotFalse : ∀st,
      bstep st
        (BNot BFalse) BTrue

  | BS_AndStep : ∀st b₁ b₁' b₂,
      bstep st
        b₁ b₁' →
      bstep st
       (BAnd b₁ b₂) (BAnd b₁' b₂)
  | BS_AndTrue : ∀st b,
      bstep st
       (BAnd BTrue b) b
  | BS_AndFalse : ∀st b,
      bstep st
       (BAnd BFalse b) BFalse.

Small Step Semantics for Program Execution

Inductive cstep : (com * state) → (com * state) → Prop :=
  | CS_AssStep1 st E₁ E₁' E₂ (* <-- new *)
      (H₁: astepL st E₁ E₁'):
      cstep (CAss E₁ E₂, st) (CAss E₁' E₂, st)
  | CS_AssStep2 st n E₂ E₂' (* <-- new *)
      (H₁: astepR st E₂ E₂'):
      cstep (CAss (ADeref (ANum n)) E₂, st) (CAss (ADeref (ANum n)) E₂', st)
  | CS_Ass st₁ st₂ n₁ n₂ (* <-- new *)
      (H₁: st₁ n₁ ≠ None)
      (H₂: st₂ n₁ = Some n₂)
      (H₃: ∀n, n₁ ≠ n → st₁ n = st₂ n):
      cstep (CAss (ADeref (ANum n₁)) (ANum n₂), st₁) (CSkip, st₂)
  | CS_SeqStep st c₁ c₁' st' c₂
      (H₁: cstep (c₁, st) (c₁', st')):
      cstep (CSeq c₁ c₂ , st) (CSeq c₁' c₂, st')
  | CS_Seq st c₂:
      cstep (CSeq CSkip c₂, st) (c₂, st)
  | CS_IfStep st b b' c₁ c₂
      (H₁: bstep st b b'):
      cstep (CIf b c₁ c₂, st) (CIf b' c₁ c₂, st)
  | CS_IfTrue st c₁ c₂:
      cstep (CIf BTrue c₁ c₂, st) (c₁, st)
  | CS_IfFalse st c₁ c₂:
      cstep (CIf BFalse c₁ c₂, st) (c₂, st)
  | CS_While st b c:
      cstep
        (CWhile b c, st)
        (CIf b (CSeq c (CWhile b c)) CSkip, st).

Advanced: Separation Logic

Now, we start to set up the assertion language for defining a Hoare logic.

Module Separation_logic.

Definition logical_var: Type := nat.

Coercion ANum' : term >-> aexp'.
Coercion AId' : var >-> aexp'.
Bind Scope vimp_scope with aexp'.
Bind Scope vimp_scope with bexp'.
Delimit Scope vimp_scope with vimp.

Notation "x + y" := (APlus' x y) (at level 50, left associativity) : vimp_scope.
Notation "x - y" := (AMinus' x y) (at level 50, left associativity) : vimp_scope.
Notation "x * y" := (AMult' x y) (at level 40, left associativity) : vimp_scope.
Notation "x ≤ y" := (BLe' x y) (at level 70, no associativity) : vimp_scope.
Notation "x == y" := (BEq' x y) (at level 70, no associativity) : vimp_scope.
Notation "x && y" := (BAnd' x y) (at level 40, left associativity) : vimp_scope.
Notation "'!' b" := (BNot' b) (at level 39, right associativity) : vimp_scope.

Coercion TNum : Z >-> term.
Coercion TId: logical_var >-> term.
Bind Scope term_scope with term.
Delimit Scope term_scope with term.

Notation "x + y" := (TPlus x y) (at level 50, left associativity) : term_scope.
Notation "x - y" := (TMinus x y) (at level 50, left associativity) : term_scope.
Notation "x * y" := (TMult x y) (at level 40, left associativity) : term_scope.
Notation "[[ a ]]" := (TDenote ((a)%vimp)) (at level 30, no associativity) : term_scope.

We choose not to create notations for ADeref' and AAddr'. Such that we do not need to parse two differnt * and &.

Coercion ainj: aexp >-> aexp'.
Coercion binj: bexp >-> bexp'.

Bind Scope assert_scope with Assertion.
Delimit Scope assert_scope with assert.

Notation "x ≤ y" := (AssnLe ((x)%term) ((y)%term)) (at level 70, no associativity) : assert_scope.
Notation "x '<' y" := (AssnLt ((x)%term) ((y)%term)) (at level 70, no associativity) : assert_scope.
Notation "x == y" := (AssnEq ((x)%term) ((y)%term)) (at level 70, no associativity) : assert_scope.
Notation "[[ b ]]" := (AssnDenote ((b)%vimp)) (at level 30, no associativity) : assert_scope.
Notation "P₁ 'SEP' P₂" := (AssnSep P₁ P₂) (at level 72, left associativity) : assert_scope.
Notation "P₁ 'OR' P₂" := (AssnOr P₁ P₂) (at level 76, left associativity) : assert_scope.
Notation "P₁ 'AND' P₂" := (AssnAnd P₁ P₂) (at level 74, left associativity) : assert_scope.
Notation "P₁ 'IMPLY' P₂" := (AssnImpl P₁ P₂) (at level 74, left associativity) : assert_scope.
Notation "'NOT' P" := (AssnNot P) (at level 73, right associativity) : assert_scope.
Notation "'EXISTS' x ',' P " := (AssnExists x ((P)%assert)) (at level 77, right associativity) : assert_scope.
Notation "'FORALL' x ',' P " := (AssnForall x ((P)%assert)) (at level 77, right associativity) : assert_scope.

Now, what we need is a new assignment rule:

    {{  SafeA(AAddr E₁) AND SafeA(E₂) AND [[AAddr E₁]] == V₁ AND [[E₂]] == V₂ AND
        Mapsto(V₁, V) SEP P }}
    E₁ ::= E₂
    {{  Mapsto(V₁, V₂) SEP P }}

Adding all other Hoare logic proof rules together, it is enough to verify all programs. However, the following proof rule is more important in separation logic:

          {{ P }} c {{ Q }}
    -----------------------------
    {{ P SEP F }} c {{ Q SEP F }}

It is called frame rule.

End Separation_logic.

(* Mon Jun 10 15:13:09 UTC 2019 *)