In [17] the authors also define a binary logical relations model for Fµ,ref,conc and prove that logical relatedness implies contextual refinement.
Many of the ideas from the unary case carry over to the binary case,e.g.,the binary value in-terpretation is a straightforward modification of the unary value inin-terpretation. The expression interpretation, however, is quiet different: in the unary case, it sufficed to use a simple weakest precondition definition, but now, in the binary case, the challenge is to find a way to relate two (different) expressions. In this section, we sketch the key ideas of how one can define a rela-tional model. We do not include the full definition of the binary logical relation, but instead refer the reader to [17].
In the relational model, the goal is to define a logical relation, such that if e is logically related toe0thenecontextually refinese0. We often refer to the expression “on the left”,e, as the implementation side expression and the expression “on the right”,e0, as the specification side expression. To define the relational models, we need a way to refer to (the heap and different threads of) the program on the specification side “that is about to be executed”. The intuitive definition of two expressions being related is as follows:
An expressionse(the implementation side) is related to an expressione0(the specification side) if we have:
∀j, E.“threadjis about to executeE[e0]” −∗
wpe{∃v0.“threadjis about to executeE[v0]”}
This relation betweene ande0 reads as follows: if threadj is about to executee0 under some evaluation contextE on the specification side andereduces to a value, then there is a valuev0 such that the specification side is about to executeE[v0]. In other words, wheneverereduces
to a value we know thate0 has also been reduced tov0. The reason for explicit quantification over the threadj under which the specification side is being executed is to enable thread-local reasoning. We quantify over the evaluation contextEunder which the expression is about to be executed to enable modular reasoning with respect to evaluation contexts.
The goal is now to be able to formalize that ”threadjis about to executeE[e0]”. For this, we first define the monoids:
Heap,Auth(Loc−fin−*(Ex(Val))) Tpool,Auth(N−fin−*(Ex(Exp)))
Lettingγh0,γtp0 be instances ofHeap23respectivelyTpoolwe now define the following proposi-tions:
SpecConf(σ ,#»e),•res(σ)γ
0
h∗ •fpfnOf(#»e)γ
0 tp
`7→sv,◦[`7→v]γ
0 h
jZ⇒se,◦[j7→e]γ
0 tp
where
fpfnOf(e1, . . . , en),{(i, ei)|1≤i≤n}
Here,ρis a configuration,i.e.,a pair of a heap and a thread pool, (σ ,#»e). The intuition is that SpecConf(ρ) is the (unique) configuration that the specification side is in. The propositionsjZ⇒ eand`7→sv simply specify the exclusive ownership of the execution of a thread or a memory location on the specification side. Naturally, this requires the propositions to be exclusive.
Furthermore we use the following invariant to express that the specification side is in a configuration reachable from some starting configuration:
SpecCtx(ρ),∃ρ0.SpecConf(ρ0)∧ρ→∗
tpρ0 N.sc With these tools, it is possible to define the expression relation as:
JΞ`τKE∆(e, e0),∀ρ, j, E.SpecCtx(ρ)∗jZ⇒E[e0]−∗
wpe{v.∃v0. jZ⇒E[v0]∗
JΞ`τK∆(v, v0)}
The expression relation above states thate ande0 are related if the following holds: for any threadj which is about to executee0 under some evaluation contextE, it is safe to evaluatee and wheneverereduces to a valuev, we know thate0 has also been evaluated to some valuev0 in threadjunder the evaluation contextE. Furthermore, we know thatv andv0will be related as values of the type relatingeande0. Thus, essentially, two expressionseande0are related at typeτ if, wheneverereduces to a value, so doese0 (no matter under which circumstances it is being evaluated), and the resulting values will be related at typeτ.
23Notice that is the same resource algebra, that is used to define the standard7→predicate. Hence we now have two instances of it, oneγhfor tracking the heap on the implementation side and oneγh0 for tracking the heap on the specification side.
One can now define the binary logical relations forFµ,ref,conc, writtenΞ|Γ e≤loge0 :τ, as follows:
Ξ|Γ e≤loge0:τ,∀#»v ,#»
v0,∆.JΞ`ΓK
G
∆(#»v ,#»
v0)`
JΞ`τKE∆(e[#»v /#»x], e0[#»
v0/#»x]) where#»x is the domain ofΓ.
See [17] for the definition of the value relation and also for applications of the logical relation for proving challenging contextual refinements.
References
[1] Pedro da Rocha Pinto, Thomas Dinsdale-Young, and Philippa Gardner. TaDA: A logic for time and data abstraction. InECOOP, volume 8586 ofLNCS, pages 207–231, 2014.113 [2] B.A. Davey and H. Priestly.Introduction to Lattices and Order. Cambridge Univ. Press, 2nd
edition, 2002. 140
[3] Thomas Dinsdale-Young, Pedro da Rocha Pinto, and Philippa Gardner. A perspective on specifying and verifying concurrent modules. Journal of Logical and Algebraic Methods in Programming, 98:1 – 25, 2018.113
[4] Robert Harper. Practical Foundations for Programming Languages. Cambridge University Press, 2 edition, 2016. 144,145
[5] J.M.E. Hyland. The effective topos. In A.S. Troelstra and D. van Dalen, editors,The L.E.J.
Brouwer Centenary Symposium, volume 110 ofStudies in Logic and The Foundations of Math-ematics, pages 165–216, Amsterdam, 1982. North-Holland. 1
[6] Bart Jacobs and Frank Piessens. Expressive modular fine-grained concurrency specifica-tion. InPOPL, pages 271–282, 2011.113
[7] Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. Higher-order ghost state.
InICFP, pages 256–269, 2016.1
[8] Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Aleˇs Bizjak, and Derek Dreyer Lars Birkedal. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming, 2018. 1,50,137,139,150
[9] Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. Iris: Monoids and invariants as an orthogonal basis for concurrent reasoning. InPOPL, pages 637–650, 2015.1,121
[10] Robbert Krebbers, Ralf Jung, Aleˇs Bizjak, Jacques-Henri Jourdan, Derek Dreyer, and Lars Birkedal. The essence of higher-order concurrent separation logic. InESOP, LNCS, pages 696–723, 2017. 1
[11] Robbert Krebbers, Amin Timany, and Lars Birkedal. Interactive proofs in higher-order concurrent separation logic. InProceedings of the 44th ACM SIGPLAN Symposium on Prin-ciples of Programming Languages, POPL 2017, pages 205–217, New York, NY, USA, 2017.
ACM. 137
[12] Robin Milner. A theory of type polymorphism in programming languages. Journal of Computer and System Science, 17(3):348–375, 1978.143
[13] Benjamin C. Pierce. Types and Programming Languages. The MIT Press, 1st edition, 2002.
144,145
[14] John C. Reynolds. Types, abstraction, and parametric polymorphism.Information Process-ing, 1983.143
[15] K. Svendsen, L. Birkedal, and M. Parkinson. Modular reasoning about separation of con-current data structures. InProceedings of ESOP, 2013. 113,121
[16] Kasper Svendsen and Lars Birkedal. Impredicative concurrent abstract predicates. In Eu-ropean Symposium on Programming Languages and Systems, pages 149–168. Springer, 2014.
140
[17] A. Timany and L. Birkedal. Type soundness and contextual refinement via logical relations in higher-order concurrent separation logic. 2018. Manuscript. 143,144,151,153 [18] Aaron Joseph Turon, Jacob Thamsborg, Amal Ahmed, Lars Birkedal, and Derek Dreyer.
Logical relations for fine-grained concurrency. InThe 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’13, Rome, Italy - January 23 - 25, 2013, pages 343–356, 2013.4