Recalling a Witness

type ref t = id:N{witnessed (has_a_t id t)} let has (id:N) (H h _) = match h id with Used _ _ (Untyped _)→⊤ | _→⊥ abstract type uref = id:N{witnessed (has id)}type uref = id:N{witnessed (has id)} To enforce these invariants on state-manipulating operations, we define a preorder rel on heap, that constrains the heap evolution. It states that every Used identifier remains Used; every Typed reference has a stable type; and that no Untyped reference may be reused after deallocation. let rel (H h0 _) (H h1 _) = ∀id. match h0 id, h1 id with | Used a _ Typed, Used b _ Typed→ a == b | Used _ _ (Untyped live0), Used _ _ (Untyped live1)→ not live0 =⇒ not live1 | _→⊥ Instantiating MST with state=heap and the preorder above, we can implement the expected operations for allocating, reading, writing typed references. The alloc action below allocates a new, typed reference ref t by generating a fresh identifier id; extending the heap at id with a new typed cell; and witnessing the new state, ensuring that id will contain a t-typed cell for ever. Reading and writing a reference are similar: they both recall the reference exists in the heap at its expected type. let alloc #t (v:t) :MST (ref t) (ensures (λ h0 id h1 → fresh id h0 h1 ∧ modifies {} h0 h1 ∧ h1.[id] == v)) = let H h id = get () in put (H (upd h id (Used t v Typed)) (id + 1)); witness (has_a_t id t); id let (!) #t (r:ref t) :MST t (ensures (λ h0 v h1 → h0 == h1 ∧ has_ref r h1 ∧ h1.[r] == v)) = recall (has_ref r); let h = get () in h.[r] let (:=) #t (r:ref t) (v:t) :MST unit (ensures (λ h0 _ h1 →modifies {r} h0 h1 ∧ has_ref r h1 ∧ h1.[r] == v)) = recall (has_ref r); let H h ctr = get () in put (H (upd h r (Used t v Typed), ctr)) These functions make use of a few straightforward auxiliary definitions for freshness of identifiers (fresh) and for the write-footprint of a computation (modifies). The one subtlety is in the definition of h.[r], a total function to select a reference r from a heap h. Unlike the stateful (!) operator, h.[r] has a precondition requiring that h actually contain r—even though the type of r indicates that it has been witnessed in some prior heap of the program, this does not suffice to recall that it is actually present in an arbitrary heap h. In other words, pure functions may not use recall. On the other hand, the stateful lookup (!) is free to recall the membership of r in the current heap in order to meet the precondition of h.[r].1 let has_ref #t (r:ref t) h = has_a_t r t h let fresh #t (r:ref t) (H h0 _) (H h1 _) = h0 x == Unused ∧ has_ref r h1 let modifies (ids:set N) (H h0 _) (H h1 _) = ∀id. id < ids ∧ Used? (h0 id) =⇒ h0 id == h1 id let `_.[_]` #t h (r:ref t{has_ref r h}) : t = let H h _ = h in match h r with Used _ v _→ v 1In our revision to the libraries of F⋆, we use a more sophisticated representation of ref t which allows us to provide a variant of h.[r] without the has_ref h r precondition. This makes it more convenient to use in specifications, since their well-typedness is easier to establish. However, we leave this out in the paper to ease the presentation. The curious reader may consult the FStar.Heap library for the full story (in the auxiliary material for reviewers). Recalling a Witness 9 The operations of untyped references are essentially simpler counterparts of alloc, (!) and (:=) with weaker types. The free operation is easily defined by replacing an Untyped cell with a version marking it as deallocated. The precondition of free prevents double-frees, and is necessary to show that the preorder is preserved as we mark the cell deallocated. let live (r:addr) (H h _) = match h l with Used _ _ (Untyped live)→ live | _→ false let free (r:addr) :MST unit (requires (live r)) (ensures (λ h0 _ h1 →modifies {r} h0 h1)) = let H h ctr = get () in put (H (upd h r (Used unit () (Untyped false))) ctr) 2.4 Monotonic references Typed references ref t use a fixed global preorder saying that the type of each ref-cell is invariant. However, we would like a more flexible form, allowing the programmer to associate a preorder of their choosing with each typed reference. In this section, we present a library for providing a type ‘mref a ra’, a typed reference to a value of type ‘a’ whose contents is constrained to evolve according to a preorder ‘ra’ on ‘a’. Using mrefs one can for instance encode a form of typestate programming (Strom and Yemini 1986) by attaching a preorder to an mref corresponding to the reachability relation of a state machine. As before, our global, monotonic-state monad MST can be instantiated with a suitable heap type for the global state (defined below) and a preorder on the global state that is intuitively the pointwise composition of the preorders associated with each mref that the state contains. In this setting, the type ref t can be reconstructed as a derived form, i.e., ref t = mref t (λ_ _→⊤) An interface for monotonic references: When allocating a monotonic reference one picks both the initial value and the preorder constraining its evolution. An mref a ra can be dereferenced unconditionally, whereas assigning to an mref a ra requires maintaining the preorder, analogous to the precondition on put for the global state. type mref : a:Type→ ra:preorder a→ Type val (:=) : #a:Type→ #ra:preorder a→ r:mref a ra→ v:a→MST unit (requires (λ h→ h.[r] `ra` v)) (ensures (λ h0 _ h1 →modifies {r} h0 h1 ∧ h1.[r] == v)) The local state analog of witness on the global state allows observing a predicate p on the global heap as long as the predicate is stable with respect to arbitrary heap updates that respect the preorder only on a given reference. Using recall to restore a previously witnessed property remains unchanged. let stable #a #ra (r:mref a ra) (p:(heap→ Type)) = ∀h0 h1. p h0 ∧ h0.[r] `ra` h1.[r] =⇒ p h1 val witness : #a:Type→ #ra:preorder a→ r:mref a ra→ p:(heap→ Type){stable r p}→MST unit (requires (λ h→ p h)) (ensures (λ h0 v h1 → h0==h1 ∧ witnessed p)) Implementing monotonic references: To implement mref we chose the following, revised representation of heap and its global preorder. We enrich the tags from §2.3 to additionally record a preorder with every typed cell. Correspondingly, the global preorder on heaps is, as mentioned earlier, the pointwise composition of preorders on each typed cell (the cell and heap types are unchanged). type tag a = Typed : preorder a→ tag a | Untyped : bool→ tag a type cell = Unused | Used : a:Type→ a→ tag a→ cell type heap = H : h:(N→ cell)→ ctr:N{∀ (n:N{ctr ≤ n}). h n == Unused}→ heap let rel (H h0 _) (H h1 _) = ∀id. match h0 id, h1 id with | Used a0 v0 (Typed ra0), Used a1 v1 (Typed ra1)→ a0 == a1 ∧ ra0 == ra1 ∧ v0 `ra0` v1