I use this relation in the algorithmic definition of constraint set implication:
Q ⇒A Q0 if and only if ∀(`1,`2)∈Q.`1vQA`2
The algorithmic relation vQA and the algorithmic constraint set implication are correct with respect to the label order relationvQ, and the original constraint set implication. This is formalized in the following lemma.
Lemma 6.2 The algorithmic label order and the algorithmic constraint set implication are correct with respect to their original definitions, that is,
1. If`1vQA`2then`1vQ`2. 2. If Q ⇒A Q0then Q ⇒Q0.
PROOF For the first implication, it is easy to see that all the rules above can be derived from the original rules, if one takes into account Lemma 6.1. The second implica-tion follows from the first one and the definiimplica-tion of the original and the algorithmic
constraint set implication.
6.2 Algorithmic Version of the High-Level Type System
TA-SKIP
Γ,pc `A {Q} skip {Q}
TA-SEQΓ,pc `A {Q0}S2 {Q} Γ,pc `A {Q00}S1 {Q0} Γ,pc `A {Q00} S1;S2 {Q}
TA-WHILE1Γ`e :` Γ,pct``A {Q0} S {Q} Q ⇒A Q0
Γ,pc `A {Q} whileedoS {Q}
TA-WHILE2
Γ`e :` Γ,pct``A {Q0} S {Q} Q 6⇒A Q0 Γ,pc `A {Q00}whileedoS {Q∪Q0}
Γ,pc `A {Q00} whileedoS {Q}
TA-IF Γ`e :` Γ,pct``A {Q1} S1 {Q} Γ,pct``A {Q2} S2 {Q}
Γ,pc `A {Q1∪Q2} ifethenS1elseS2 {Q}
TA-IFLABELΓ``1v`2 : ` Γ,pct``A {Q1} S1 {Q} Γ,pct` `A {Q2}S2 {Q} Γ,pc `A {(Q1\(`1v`2))∪Q2} if`1v`2thenS1elseS2 {Q}
TA-ASSIGN Γ`e :` x6∈pc x6=xδ
Γ,pc `A {Q[e/x], (`tpcvΓ(x))}x:=e {Q}
TA-PUTFΓ`π :`1 Γ`e :`2 f 6∈pc f 6=fδ f 6∈Q[e/π.f]
Γ,pc `A {Q[e/π.f], (`1t`2tpcvΦπ(f))}π.f:=e {Q}
TA-NEW
Γ`e :`
fields(C)=f Φ∗=Φx[e.1/x.fδ] x6∈pc x6=xδ x6∈Q[e/x.f] Γ,pc `A {Q[e/x.f], (`vΦ∗(f)), (pcvΓ(x))}x:=newC(e) {Q}
TA-CALL
msig(m)=[Γm,pcm,Qm,Qm0 ]
margs(m)=x Γ` π: `r Γ` e : ` Γ∗=Γm[e.1/xδ] Q0={`rvΓ∗(this),`vΓ∗(x),pcvpcm[e/x][π/this]}
Q00=(Q\Qm0 [x/ret])∪(Γ∗(ret)tpcvΓ(x)) x6∈pc,Q00 ∀f.f 6=fδ ⇒ f 6∈pc,Q00 x6=xδ Γ,pc `A {Qm[e/x][π/this]∪Q0∪Q00} x:=π.m(e) {Q}
Figure 6.2: Algorithmic version of the high-level type system
that it is a label flow predicate. There are a number of differences from the original system:
• The weakening rule is built into the system where it is needed. In particular, at control flow branching points, the union of the different preconditions is taken as the overall precondition.
• There are two rules forwhile, TA-WHILE1 and TA-WHILE2 which together com-pute a least fixed point of the preconditions. Depending on whetherQ ⇒A Q0, only one of the two rules fires.
• The side conditions needed for assignments are directly added to the precondi-tion set.
• In the rule TA-IFLABELfor label tests “removes” the label test from the precondi-tion of the first branch. This is defined syntactically as
Q\Q0=Q\ {(`1,`2)∈Q|`01vQA0`02} and will be explained later.
• Likewise, the rule TA-CALL“removes” all information from the postcondition that does not follow from the postcondition of the called method.
Note that the algorithmic type system uses the normal typing rules for expressions to judgements of the formΓ` e : `, because they are already in a syntax-directed form.
Inference algorithm The rules suggest an algorithmAthat computes constraint sets in a backwards fashion, similar to the computation of weakest (liberal) preconditions in predicate transformer semantics [Dij75], which can be seen as an algorithmic refor-mulation of Hoare logic. Given a type environment, a program counter label, a DSD statement, and a postcondition, the algorithm returns the matching precondition:
A(Γ,pc,S,Qpost)=Qpr e such that
Γ,pc `A {Qpr e} S {Qpost}
can be derived. The premises are processed from left to right. Each statement typing relation in a premise corresponds to the application of the algorithm to the respective subgoal. A syntactic side condition likex6∈pcis considered as an assertion in the algorithm; the algorithm fails if the condition cannot be satisfied. An expression typing relationΓ` e : `corresponds to a subalgorithm that computes the label of the expres-sione, exploiting the fact that the expression typing rules are syntax-directed. Finally, the entire algorithm checks that all methods are well-typed — that is, for all methodsm such thatmsig(m)=[Γ,pc,Q,Q0], it checks thatQ ⇒A A(Γ,pc,mbody(m),Q0).
6.2 Algorithmic Version of the High-Level Type System Soundness The algorithmic typing rules are sound with respect to the original typing rules presented in Section 3.4 on page 39, so that wheneverΓ,pc `A {Q} S {Q0} can be derived in the system presented here, thenΓ,pc ` {Q} S {Q0} can also be derived from the original system.
Lemma 6.3 IfΓ,pc `A {Q}S {Q0}, thenΓ,pc ` {Q}S {Q0}.
PROOF The lemma is shown inductively over the structure ofΓ,pc `A {Q} S {Q0}.
Instead of the full proof, I describe the general proof pattern for each form ofS.
As the judgements are syntax-directed, one can determine the algorithmic rule used for S and read off the premises. We getΓ,pc ` {Q} S {Q0} by applying the corresponding rule of the original type system, but first, the premises have to be put into the appropriate form. There are three kinds of premises in the original system:
1. Statement typing judgements: we observe that we already have the correspond-ing algorithmic typcorrespond-ing judgements, thus we can apply the lemma inductively. In most cases, the subsumption rule T-WEAKis then applied to the result to weaken the precondition appropriately.
2. For label order requirements of the form`1vQ0`2, we can directly assumeQ0 to be the set of label order preconditions given in the algorithmic typing rule, which are identical to the required flows.
3. All other premises are already present in the rule for the algorithmic type system.
For the algorithmic constraint set implication in TA-WHILE1, the original form follows from Lemma 6.2 on page 86.
The only (minor) difficulty is caused by the syntactic “removal” of flow information from a constraint set used in TA-IFLABELand TA-CALL. By definition, however, it can be shown thatQ\Q0∪Q0 ⇒A Q.
To get the premise forS1 in T-IFLABELin the correct form, we can thus trans-form its preconditionQ1using T-WEAKwith the factQ1\(`1v`2)∪Q2∪(`1v`2) ⇒A Q1\(`1v`2)∪(`1v`2) ⇒A Q1. Likewise, T-CALLgives usQ00∪Qm[x/ret] as the post-condition of the entire call. With two applications of T-WEAK, this can be transformed toQusing the factQ00∪Qm[x/ret]=(Q\Q0m[x/ret])∪(Γ∗(ret)tpcvΓ(x))∪Qm[x/ret] ⇒
Q\Qm[x/ret]∪Qm[x/ret]⇒A Q.
Remarks on the relation to the weakest precondition calculus By means of the con-straint set preconditions defined in the rules TA-IFand TA-IFLABEL, I will now explain how the algorithmic rules relate to predicate transformer semantics [Dij75], and de-scribe the limits of the expressivity of constraint sets. The weakest precondition of a conditional statement is computed as follows:
w p(ifethenS1elseS2,R) = (e→w p(S1,R))∧(¬e→w p(S2,R))
Constraint sets represent only conjunctive and positive label order predicates. Other types of expressionse, as well as negations and implications cannot be expressed in a constraint set. Therefore, the algorithmic type system infers astrongerprecondition as follows. Let us treatQ as a postcondition in the calculus, and say thatQ1 corre-sponds tow p(S1,Q), andQ2corresponds tow p(S2,Q). The union of two constraint sets corresponds to a logical conjunction of predicates. The precondition of ordinary conditionals implies the one computed by the weakest precondition calculus:
Q1∪Q2 ' w p(S1,Q)∧w p(S2,Q)
⇒ (e→w p(S1,Q))∧(¬e→w p(S2,Q))
= w p(ifethenS1elseS2,Q)
For the label test rule, the algorithmic type system can derive a better (i.e., weaker) precondition. LetQ1={q1,q2, . . .}, such that eachqi is a flow expression`v`0, and letI={1, . . . ,|Q1|}. As a predicate,Q1thus corresponds toV
i∈Iqi. We have previously definedQ1\(`1v`2)=Q1\ {(`,`0)∈Q1|`v{`1v`2}`0}. As a predicate, this corresponds to
Q1\ {(`,`0)∈Q1|`v{`1v`2}`0} ' V
i∈I{qi| ¬((`1v`2)→qi)}
= V
i∈I¬((`1v`2)→qi)→qi
= V
i∈I((`1v`2)∧ ¬qi)→qi
= V
i∈I((`1v`2)→qi)
= (`1v`2)→V
i∈Iqi
= (`1v`2)→w p(S1,Q)
The precondition of label test statements is thus strictly stronger than the one derivable in the weakest precondition calculus:
Q1\(`1v`2)∪Q2 ' (`1v`2→w p(S1,R))∧w p(S2,R)
⇒ (`1v`2→w p(S1,R))∧(¬(`1v`2)→w p(S2,R))
= w p(if`1v`2thenS1elseS2,R)