The Strata Core Language Definition

1. Introduction🔗

Strata aims to provide a foundation for representing the semantics of programs, specifications, protocols, architectures, and other aspects of large-scale distributed systems and their components. It achieves this through languages of two types. The first type, consisting of the single Strata Core language, provides a central hub that can serve as a connection point between multiple types of input artifact and multiple types of analysis, reducing the cost of implementing N analyses for M languages from N*M to N+M.

The second type consists of numerous Strata dialects. The Dialect Definition Mechanism, described here, provides a way to define the syntax and a simple type system for a dialect. At the moment, dialects do not directly have semantics (though we may add a mechanism for defining their semantics in the future) but instead are defined by translation to or from Strata Core. Said another way, each of these dialects is a different concrete way to write Strata programs, but all of these dialects are ultimately represented internally using the same Core language.

Dialects are used to describe both the initial artifacts being analyzed by Strata and more low-level representations of those artifacts used to communicate with external reasoning tools such as model checkers or SMT solvers. In both situations, Strata uses dialects as a mechanism for communicating with external tools (either language front ends or generic automated reasoning tools like SMT solvers).

The following "hourglass" diagram illustrates how various existing (blue) or potential (gray) input dialects could be translated into Strata Core and then into the input language for various back end tools. Solid lines indicate translation paths that exist (though experimentally in the connection between Strata Core and CBMC), and dotted lines indicate translations that illustrate the sorts of use cases we expect Strata to support but that haven't yet been implemented.

Strata hourglass diagram

The Strata Core language is constructed using a few building blocks that can be combined in different ways. This allows concrete dialects to systematically use different combinations that still share the majority of their implementation. In Lean (and in principle in most other source languages that could be used to process Strata programs), the type system can enforce various structural constraints, ensuring that only expected language constructs show up. The Strata Core language itself consists of an imperative statement type parameterized by an expression type, with various more fine-grained adjustments of other parameters.

The two fundamental building blocks of Strata Core are a representation of functional programs (Lambda), and a representation of imperative programs (Imperative). The Lambda language is parameterized by a type system and a set of built-in types and functions. The Imperative language is then parameterized by the type of expressions it allows in conditions, assignments, and so on. Currently, those expressions will almost always be some instantiation of Lambda. Both Core building blocks are parameterized by a metadata type, which by default is instantiated with a map from keys to structured values that can contain expressions (typically from Lambda).

The remainder of this document describes the current abstract syntax and semantics of Lambda and Imperative in detail, with direct reference to the Lean source code that defines these languages. We do not consider the Core language set in stone. It may evolve over time, particularly to add new fundamental constructs, and this document will be updated as it does. We intend for Strata Core to be close to a superset of B3, but it may at times make different choices to support its goal of being useful for a wide range of analyses, rather than being optimized for deductive verification. In particular, Strata aims to make it possible to encode most input artifacts without the need for axioms.

2. Lambda🔗

The Lambda language is a standard but generic implementation of the lambda calculus. It is parameterized by a type for metadata and the type of types (which may be Unit, to describe the untyped lambda calculus). It includes the standard constructs for constants, free and bound variables, abstractions, and applications. In addition, it includes a special type of constant, an operator, to represent built-in functions. It extends the standard lambda calculus by allowing quantifiers (since a key use of the language is to write logical predicates) and includes a constructor for if-then-else to allow it to have lazy semantics.

Although Lambda can be parameterized by an arbitrary type system, the Strata code base includes a formalization of a polymorphic Hindley-Milner type system and an implementation of an inference algorithm over the type LTy (described below). This allows universal quantification over types and the use of arbitrary named type constructors (as well as special support for bit vector types, to allow them to be parameterized by size).

2.1. Syntax🔗

The syntax of lambda expressions is provided by the LExpr type.

inductive type

Lambda.LExpr (T : LExprParamsT) : Type
Lambda.LExpr (T : LExprParamsT) : Type

Lambda expressions with quantifiers.

Like Lean's own expressions, we use the locally nameless representation for this abstract syntax. See this paper for details.

We leave placeholders for type annotations only for constants (.const), operations (.op), binders (.abs, .quant), and free variables (.fvar).

LExpr is parameterized by LExprParamsT, which includes arbitrary metadata, user-allowed type annotations (optional), and special metadata to attach to Identifiers. Type inference adds any missing type annotations.

Constructors

const {T : LExprParamsT} (m : T.base.Metadata)
  (c : LConst) : LExpr T

A constant (in the sense of literals).

op {T : LExprParamsT} (m : T.base.Metadata)
  (o : Identifier T.base.IDMeta) (ty : Option T.TypeType) :
  LExpr T

A built-in operation, referred to by name.

bvar {T : LExprParamsT} (m : T.base.Metadata)
  (deBruijnIndex : Nat) : LExpr T

A bound variable, in de Bruijn form.

fvar {T : LExprParamsT} (m : T.base.Metadata)
  (name : Identifier T.base.IDMeta)
  (ty : Option T.TypeType) : LExpr T

A free variable, with an optional type annotation.

abs {T : LExprParamsT} (m : T.base.Metadata)
  (prettyName : String) (ty : Option T.TypeType)
  (e : LExpr T) : LExpr T

An abstraction, where prettyName is a display name (empty string if none provided) and ty is the (optional) type of bound variable.

quant {T : LExprParamsT} (m : T.base.Metadata)
  (k : QuantifierKind) (prettyName : String)
  (ty : Option T.TypeType) (trigger e : LExpr T) : LExpr T

A quantified expression, where k indicates whether it is universally or existentially quantified, prettyName is a display name (empty string if none provided) and ty is the type of bound variable; trigger is a trigger pattern (primarily for use with SMT).

app {T : LExprParamsT} (m : T.base.Metadata)
  (fn e : LExpr T) : LExpr T

A function application.

ite {T : LExprParamsT} (m : T.base.Metadata)
  (c t e : LExpr T) : LExpr T

A conditional expression. This is a constructor rather than a built-in operation because it occurs so frequently.

eq {T : LExprParamsT} (m : T.base.Metadata)
  (e1 e2 : LExpr T) : LExpr T

An equality expression. This is a constructor rather than a built-in operation because it occurs so frequently.

Identifiers in lambda expressions, using the Identifier type, can be annotated with metadata.

structure

Lambda.Identifier (IDMeta : Type) : Type
Lambda.Identifier (IDMeta : Type) : Type

Identifiers with a name and additional metadata

Constructor

Lambda.Identifier.mk

Fields

name : String

A unique name.

metadata : IDMeta

Any additional metadata that it would be useful to attach to an identifier.

Specific constructors exist for constants of various scalar types, including booleans, bit vectors, integers, reals, and strings.

inductive type

Lambda.LConst : Type
Lambda.LConst : Type

Lambda constants.

Constants are integers, strings, reals, bitvectors of a fixed length, or booleans.

Constructors

intConst (i : Int) : LConst

An unbounded integer constant.

strConst (s : String) : LConst

A string constant, using Lean's String type for a sequence of Unicode code points encoded with UTF-8.

realConst (r : Rat) : LConst

A real constant, represented as a rational number.

bitvecConst (n : Nat) (b : BitVec n) : LConst

A bit vector constant, represented using Lean's BitVec type.

boolConst (b : Bool) : LConst

A Boolean constant.

The LExpr type can be parameterized by the type used to represent normal metadata and the type used to represent identifier metadata, as well as the type of types.

structure

Lambda.LExprParams : Type 1
Lambda.LExprParams : Type 1

Expected interface for pure expressions that can be used to specialize the Imperative dialect.

Constructor

Lambda.LExprParams.mk

Fields

Metadata : Type

The type of metadata allowed on expressions.

IDMeta : Type

The type of metadata allowed on identifiers.

structure

Lambda.LExprParamsT : Type 1
Lambda.LExprParamsT : Type 1

Extended LExprParams that includes TypeType parameter.

Constructor

Lambda.LExprParamsT.mk

Fields

base : LExprParams

The base parameters, with the types for expression and identifier metadata.

TypeType : Type

The type of types used to annotate expressions.

2.2. Type System🔗

Although LExpr can be parameterized by an arbitrary type system, Strata currently implements one, based on the types LMonoTy and LTy.

The first, LMonoTy, represents monomorphic types. It's a separate type because some contexts allow only monomorphic types.

inductive type

Lambda.LMonoTy : Type
Lambda.LMonoTy : Type

Monomorphic types in Lambda. Note that all free type variables (.ftvar) are implicitly universally quantified.

Constructors

ftvar (name : TyIdentifier) : LMonoTy

A type variable.

tcons (name : String) (args : List LMonoTy) : LMonoTy

A type constructor.

bitvec (size : Nat) : LMonoTy

A bit vector type. This is a special case so that it can be parameterized by a size.

Type variables in LMonoTy use the TyIdentifier type.

def

Lambda.TyIdentifier : Type
Lambda.TyIdentifier : Type

Type identifiers. For now, these are just strings.

The LTy type allows monomorphic types to be wrapped in universal type quantifiers that bind these type variables, creating polymorphic types.

inductive type

Lambda.LTy : Type
Lambda.LTy : Type

Polymorphic type schemes in Lambda.

Constructors

forAll (vars : List TyIdentifier) (ty : LMonoTy) : LTy

A type containing universally quantified type variables.

An expression LExpr parameterized by LTy is well-typed according to the HasType relation. This relation depends on two types of context.

The first of these, LContext, contains information that is typically constant during expression type checking, but may be extended during statement type checking (e.g., when local function declarations add new functions to the factory). This includes information about built-in functions, using the Factory type, and built-in types, using the TypeFactory type. Built-in functions optionally include concrete evaluation functions, which can be used in the operational semantics described below.

structure

Lambda.LContext (T : LExprParams) : Type
Lambda.LContext (T : LExprParams) : Type

Context data for type checking: a factory of user-specified functions and data structures for ensuring unique names of types and functions.

This context is typically constant during expression type checking, but may be extended during statement type checking when local function declarations (funcDecl) add new functions to the factory.

Invariant: all functions defined in TypeFactory.genFactory for datatypes should be in functions.

Constructor

Lambda.LContext.mk

Fields

functions : Lambda.Factory T

Descriptions of all built-in functions.

datatypes : TypeFactory

Descriptions of all built-in datatypes.

knownTypes : Lambda.KnownTypes

A list of known built-in types.

idents : Identifiers T.IDMeta

The set of identifiers that have been seen or generated so far.

The second context includes two pieces of data that change throughout the type checking process: a map from free variables in expressions to types, and a list of type aliases including the name and definition of each alias.

structure

Lambda.TContext (IDMeta : Type) : Type
Lambda.TContext (IDMeta : Type) : Type

A type context describing the types of free variables and the mappings of type aliases.

Constructor

Lambda.TContext.mk

Fields

types : Maps (Identifier IDMeta) LTy

A map from free variables in expressions (i.e., LExpr.fvars) to their type schemes. This is essentially a stack to account for variable scopes.

aliases : List TypeAlias

A map from type synonym names to their corresponding type definitions. We expect these type definitions to not be aliases themselves, to avoid any cycles in the map (see TEnv.addTypeAlias).

Given these two pieces of context, the HasType relation describes the valid type of each expression form.

inductive predicate

Lambda.LExpr.HasType {T : LExprParams} [DecidableEq T.IDMeta]
  (C : LContext T) : TContext T.IDMeta → LExpr T.mono → LTy → Prop
Lambda.LExpr.HasType {T : LExprParams}
  [DecidableEq T.IDMeta]
  (C : LContext T) :
  TContext T.IDMeta →
    LExpr T.mono → LTy → Prop

Typing relation for LExprs with respect to LTy.

The typing relation is parameterized by two contexts. An LContext contains known types and functions while a TContext associates free variables with their types.

Constructors

tbool_const {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (b : Bool) :
  C.knownTypes.containsName "bool" = true →
    LExpr.HasType C Γ (LExpr.boolConst m b)
      (LTy.forAll [] LMonoTy.bool)

A boolean constant has type .bool if bool is a known type in this context.

tint_const {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (n : Int) :
  C.knownTypes.containsName "int" = true →
    LExpr.HasType C Γ (LExpr.intConst m n)
      (LTy.forAll [] LMonoTy.int)

An integer constant has type .int if int is a known type in this context.

treal_const {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (r : Rat) :
  C.knownTypes.containsName "real" = true →
    LExpr.HasType C Γ (LExpr.realConst m r)
      (LTy.forAll [] LMonoTy.real)

A real constant has type .real if real is a known type in this context.

tstr_const {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (s : String) :
  C.knownTypes.containsName "string" = true →
    LExpr.HasType C Γ (LExpr.strConst m s)
      (LTy.forAll [] LMonoTy.string)

A string constant has type .string if string is a known type in this context.

tbitvec_const {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (n : Nat) (b : BitVec n) :
  C.knownTypes.containsName "bitvec" = true →
    LExpr.HasType C Γ (LExpr.bitvecConst m n b)
      (LTy.forAll [] (LMonoTy.bitvec n))

A bit vector constant of size n has type .bitvec n if bitvec is a known type in this context.

tvar {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata)
  (x : Identifier T.mono.base.IDMeta) (ty : LTy) :
  Γ.types.find? x = some ty →
    LExpr.HasType C Γ (LExpr.fvar m x none) ty

An un-annotated variable has the type recorded for it in Γ, if any.

tvar_annotated {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata)
  (x : Identifier T.mono.base.IDMeta) (ty_o : LTy)
  (ty_s : LMonoTy) (tys : List LMonoTy) (ann : LMonoTy) :
  Γ.types.find? x = some ty_o →
    tys.length = ty_o.boundVars.length →
      ty_o.openFull tys = ty_s →
        LExpr.AnnotCompat Γ.aliases ann ty_s →
          LExpr.HasType C Γ (LExpr.fvar m x (some ann))
            (LTy.forAll [] ty_s)

An annotated free variable has its claimed type ty_s if ty_s is an instantiation of the type ty_o recorded for it in Γ, and the annotation ann is compatible with ty_s (via substitution + alias equivalence).

tabs {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (name : String)
  (x : IdentT LMonoTy T.IDMeta) (x_ty : LTy)
  (e : LExpr { base := T, TypeType := LMonoTy })
  (e_ty : LTy) (o : Option LMonoTy) :
  LExpr.fresh x e →
    ∀ (hx : x_ty.isMonoType = true)
      (he : e_ty.isMonoType = true),
      LExpr.HasType C
          { types := Γ.types.insert x.fst x_ty,
            aliases := Γ.aliases }
          (LExpr.varOpen 0 x e) e_ty →
        (o = none ∨
            ∃ t,
              o = some t ∧
                LExpr.AnnotCompat Γ.aliases t
                  (x_ty.toMonoType hx)) →
          LExpr.HasType C Γ (LExpr.abs m name o e)
            (LTy.forAll []
              (LMonoTy.tcons "arrow"
                [x_ty.toMonoType hx, e_ty.toMonoType he]))

An abstraction λ x.e has type x_ty → e_ty if the claimed type of x is x_ty or None and if e has type e_ty when Γ is extended with the binding (x → x_ty).

tapp {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (e1 e2 : LExpr T.mono)
  (t1 t2 : LTy) (h1 : t1.isMonoType = true)
  (h2 : t2.isMonoType = true) :
  LExpr.HasType C Γ e1
      (LTy.forAll []
        (LMonoTy.tcons "arrow"
          [t2.toMonoType h2, t1.toMonoType h1])) →
    LExpr.HasType C Γ e2 t2 →
      LExpr.HasType C Γ (LExpr.app m e1 e2) t1

An application e₁e₂ has type t1 if e₁ has type t2 → t1 and e₂ has type t2.

tinst {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (e : LExpr T.mono) (ty e_ty : LTy) (x : TyIdentifier)
  (x_ty : LMonoTy) :
  LExpr.HasType C Γ e ty →
    e_ty = LTy.open x x_ty ty → LExpr.HasType C Γ e e_ty

If expression e has type ty and ty is more general than e_ty, then e has type e_ty (i.e. we can instantiate ty with e_ty).

tgen {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (e : LExpr T.mono) (a : TyIdentifier) (ty : LTy) :
  LExpr.HasType C Γ e ty →
    TContext.isFresh a Γ →
      LExpr.HasType C Γ e (LTy.close a ty)

If e has type ty, it also has type ∀ a. ty as long as a is fresh. For instance, (·ftvar "a") → (.ftvar "a") (or a → a) can be generalized to (.btvar 0) → (.btvar 0) (or ∀a. a → a), assuming a is not in the context.

tif {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (c e1 e2 : LExpr T.mono)
  (ty : LTy) :
  LExpr.HasType C Γ c (LTy.forAll [] LMonoTy.bool) →
    LExpr.HasType C Γ e1 ty →
      LExpr.HasType C Γ e2 ty →
        LExpr.HasType C Γ (LExpr.ite m c e1 e2) ty

If e1 and e2 have the same type ty, and c has type .bool, then .ite c e1 e2 has type ty.

teq {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (e1 e2 : LExpr T.mono)
  (ty : LTy) :
  LExpr.HasType C Γ e1 ty →
    LExpr.HasType C Γ e2 ty →
      LExpr.HasType C Γ (LExpr.eq m e1 e2)
        (LTy.forAll [] LMonoTy.bool)

If e1 and e2 have the same type ty, then .eq e1 e2 has type .bool.

tquant {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (k : QuantifierKind)
  (name : String)
  (tr : LExpr { base := T, TypeType := LMonoTy })
  (tr_ty : LTy) (x : IdentT LMonoTy T.IDMeta) (x_ty : LTy)
  (e : LExpr { base := T, TypeType := LMonoTy })
  (o : Option LMonoTy) :
  LExpr.fresh x e →
    ∀ (hx : x_ty.isMonoType = true),
      LExpr.HasType C
          { types := Γ.types.insert x.fst x_ty,
            aliases := Γ.aliases }
          (LExpr.varOpen 0 x e)
          (LTy.forAll [] LMonoTy.bool) →
        LExpr.HasType C
            { types := Γ.types.insert x.fst x_ty,
              aliases := Γ.aliases }
            (LExpr.varOpen 0 x tr) tr_ty →
          (o = none ∨
              ∃ t,
                o = some t ∧
                  LExpr.AnnotCompat Γ.aliases t
                    (x_ty.toMonoType hx)) →
            LExpr.HasType C Γ (LExpr.quant m k name o tr e)
              (LTy.forAll [] LMonoTy.bool)

A quantifier ∀/∃ {x: tr}.e has type bool if the claimed type of x is x_ty or None, and if, when Γ is extended with the binding (x → x_ty), e has type bool and tr is well-typed.

top {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (f : LFunc T)
  (op : T.Identifier) (ty : LTy) :
  Array.find? (fun fn => fn.name == op) C.functions =
      some f →
    f.type = Except.ok ty →
      LExpr.HasType C Γ (LExpr.op m op none) ty

An un-annotated operator has the type recorded for it in C.functions, if any.

top_annotated {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (m : T.mono.base.Metadata) (f : LFunc T)
  (op : T.Identifier) (ty_o : LTy) (ty_s : LMonoTy)
  (tys : List LMonoTy) (ann : LMonoTy) :
  Array.find? (fun fn => fn.name == op) C.functions =
      some f →
    f.type = Except.ok ty_o →
      tys.length = ty_o.boundVars.length →
        ty_o.openFull tys = ty_s →
          LExpr.AnnotCompat Γ.aliases ann ty_s →
            LExpr.HasType C Γ (LExpr.op m op (some ann))
              (LTy.forAll [] ty_s)

Similarly to free variables, an annotated operator has its claimed type ty_s if ty_s is an instantiation of the type ty_o recorded for it in C.functions, and the annotation ann is compatible with ty_s.

talias {T : LExprParams} [DecidableEq T.IDMeta]
  {C : LContext T} (Γ : TContext T.IDMeta)
  (e : LExpr T.mono) (mty mty' : LMonoTy) :
  AliasEquiv Γ.aliases mty mty' →
    LExpr.HasType C Γ e (LTy.forAll [] mty) →
      LExpr.HasType C Γ e (LTy.forAll [] mty')

Alias equivalence preserves typing: if e has type mty and mty is alias-equivalent to mty' (under the aliases in Γ), then e also has type mty'. This covers single-step expansion, subtree resolution, and their transitive composition.

2.3. Operational Semantics🔗

The semantics of the LExpr type are specified in a standard way using the small-step inductive relation Lambda.Step. This relation is parameterized by a Factory, which describes built-in functions via an optional body and/or evaluation function.

inductive predicate

Lambda.Step {Tbase : LExprParams} [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta] (F : Lambda.Factory Tbase)
  (rf : Lambda.Env Tbase) : LExpr Tbase.mono → LExpr Tbase.mono → Prop
Lambda.Step {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta]
  (F : Lambda.Factory Tbase)
  (rf : Lambda.Env Tbase) :
  LExpr Tbase.mono →
    LExpr Tbase.mono → Prop

A small-step semantics for LExpr.

Currently only defined for expressions paremeterized by LMonoTy, but it will be expanded to an arbitrary type in the future.

The order of constructors matter because the constructor tactic will rely on it.

This small-step definitions faithfully follows the behavior of LExpr.eval, except that:

This inductive definition may get stuck early when there is no assignment to a free variable available.
This semantics does not describe how metadata must change, because metadata must not affect evaluation semantics. Different concrete evaluators like LExpr.eval can have different strategy for updating metadata.

Constructors

expand_fvar {Tbase : LExprParams} [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta] {F : Lambda.Factory Tbase}
  {rf : Lambda.Env Tbase} {m : Tbase.mono.base.Metadata}
  {ty : Option Tbase.mono.TypeType} (x : Tbase.Identifier)
  (e : LExpr Tbase.mono) :
  rf x = some e → Step F rf (LExpr.fvar m x ty) e

A free variable. Stuck if fvar does not exist in FreeVarMap.

beta {Tbase : LExprParams} [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta] {F : Lambda.Factory Tbase}
  {rf : Lambda.Env Tbase} {m1 m2 : Tbase.mono.base.Metadata}
  {name : String} {ty : Option Tbase.mono.TypeType}
  (e1 v2 eres : LExpr Tbase.mono) :
  LExpr.isCanonicalValue F v2 = true →
    eres = LExpr.subst (fun x => v2) e1 →
      Step F rf (LExpr.app m1 (LExpr.abs m2 name ty e1) v2)
        eres

Call-by-value semantics: beta reduction.

reduce_2 {Tbase : LExprParams} [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta] {F : Lambda.Factory Tbase}
  {rf : Lambda.Env Tbase} {m m' : Tbase.mono.base.Metadata}
  (v1 e2 e2' : LExpr Tbase.mono) :
  Step F rf e2 e2' →
    Step F rf (LExpr.app m v1 e2) (LExpr.app m' v1 e2')

Call-by-value semantics: argument evaluation.

reduce_1 {Tbase : LExprParams} [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta] {F : Lambda.Factory Tbase}
  {rf : Lambda.Env Tbase} {m m' : Tbase.mono.base.Metadata}
  (e1 e1' e2 : LExpr Tbase.mono) :
  Step F rf e1 e1' →
    Step F rf (LExpr.app m e1 e2) (LExpr.app m' e1' e2)

Call-by-value semantics: function evaluation.

ite_reduce_then {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m mc : Tbase.mono.base.Metadata}
  (ethen eelse : LExpr Tbase.mono) :
  Step F rf
    (LExpr.ite m (LExpr.const mc (LConst.boolConst true))
      ethen eelse)
    ethen

Evaluation of ite: condition is true, select "then" branch.

ite_reduce_else {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m mc : Tbase.mono.base.Metadata}
  (ethen eelse : LExpr Tbase.mono) :
  Step F rf
    (LExpr.ite m (LExpr.const mc (LConst.boolConst false))
      ethen eelse)
    eelse

Evaluation of ite: condition is false, select "else" branch.

ite_reduce_cond {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m m' : Tbase.mono.base.Metadata}
  (econd econd' ethen eelse : LExpr Tbase.mono) :
  Step F rf econd econd' →
    Step F rf (LExpr.ite m econd ethen eelse)
      (LExpr.ite m' econd' ethen eelse)

Evaluation of ite condition.

ite_reduce_then_branch {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m m' : Tbase.mono.base.Metadata}
  (econd ethen ethen' eelse : LExpr Tbase.mono) :
  Step F rf ethen ethen' →
    Step F rf (LExpr.ite m econd ethen eelse)
      (LExpr.ite m' econd ethen' eelse)

Evaluation of ite "then" branch (when condition is not yet resolved).

ite_reduce_else_branch {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m m' : Tbase.mono.base.Metadata}
  (econd ethen eelse eelse' : LExpr Tbase.mono) :
  Step F rf eelse eelse' →
    Step F rf (LExpr.ite m econd ethen eelse)
      (LExpr.ite m' econd ethen eelse')

Evaluation of ite "else" branch (when condition is not yet resolved).

eq_reduce_true {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m mc : Tbase.mono.base.Metadata}
  (e1 e2 : LExpr Tbase.mono) :
  LExpr.eql F e1 e2 = some true →
    Step F rf (LExpr.eq m e1 e2)
      (LExpr.const mc (LConst.boolConst true))

Evaluation of equality to true. Always allowed.

eq_reduce_false {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m mc : Tbase.mono.base.Metadata}
  (e1 e2 : LExpr Tbase.mono) :
  LExpr.eql F e1 e2 = some false →
    Step F rf (LExpr.eq m e1 e2)
      (LExpr.const mc (LConst.boolConst false))

Evaluation of equality to false. Only when neither side contains a binder, because syntactic inequality under binders does not imply semantic inequality (e.g., λx. x+1 vs λx. 1+x).

eq_reduce_lhs {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m m' : Tbase.mono.base.Metadata}
  (e1 e1' e2 : LExpr Tbase.mono) :
  Step F rf e1 e1' →
    Step F rf (LExpr.eq m e1 e2) (LExpr.eq m' e1' e2)

Evaluation of the left-hand side of an equality.

eq_reduce_rhs {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta] [Inhabited Tbase.IDMeta]
  {F : Lambda.Factory Tbase} {rf : Lambda.Env Tbase}
  {m m' : Tbase.mono.base.Metadata}
  (v1 e2 e2' : LExpr Tbase.mono) :
  Step F rf e2 e2' →
    Step F rf (LExpr.eq m v1 e2) (LExpr.eq m' v1 e2')

Evaluation of the right-hand side of an equality.

expand_fn {Tbase : LExprParams} [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta] {F : Lambda.Factory Tbase}
  {rf : Lambda.Env Tbase}
  (e callee fnbody new_body : LExpr Tbase.mono)
  (args :
    List (LExpr { base := Tbase, TypeType := LMonoTy }))
  (fn : LFunc Tbase) :
  F.callOfLFunc e = some (callee, args, fn) →
    fn.body = some fnbody →
      new_body =
          fnbody.substFvarsLifting
            (fn.inputs.keys.zip args) →
        Step F rf e new_body

Evaluate a built-in function when a body expression is available in the Factory argument F. This is consistent with what LExpr.eval does (modulo the inline flag). Note that it might also be possible to evaluate with eval_fn. A key correctness property is that doing so will yield the same result. Note that this rule does not enforce an evaluation order.

eval_fn {Tbase : LExprParams} [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta] {F : Lambda.Factory Tbase}
  {rf : Lambda.Env Tbase} {m : Tbase.Metadata}
  (e callee e' : LExpr Tbase.mono)
  (args :
    List (LExpr { base := Tbase, TypeType := LMonoTy }))
  (fn : LFunc Tbase)
  (denotefn :
    Tbase.Metadata →
      List (LExpr Tbase.mono) → Option (LExpr Tbase.mono)) :
  F.callOfLFunc e = some (callee, args, fn) →
    fn.concreteEval = some denotefn →
      some e' = denotefn m args → Step F rf e e'

Evaluate a built-in function when a concrete evaluation function is available in the Factory argument F. Note that it might also be possible to evaluate with expand_fn. A key correctness property is that doing so will yield the same result. Note that this rule does not enforce an evaluation order.

Typically we will want to talk about arbitrarily long sequences of steps, such as from an initial expression to a value. The Lambda.StepStar relation describes the reflexive, transitive closure of the Lambda.Step relation.

def

Lambda.StepStar {Tbase : LExprParams} [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta] (F : Lambda.Factory Tbase)
  (rf : Lambda.Env Tbase) : LExpr Tbase.mono → LExpr Tbase.mono → Prop
Lambda.StepStar {Tbase : LExprParams}
  [DecidableEq Tbase.IDMeta]
  [Inhabited Tbase.IDMeta]
  (F : Lambda.Factory Tbase)
  (rf : Lambda.Env Tbase) :
  LExpr Tbase.mono →
    LExpr Tbase.mono → Prop

Multi-step execution: reflexive transitive closure of single steps.

3. Imperative🔗

The Imperative language is a standard core imperative calculus, parameterized by a type of expressions and divided into two pieces: commands and statements. Commands represent atomic operations that do not induce control flow (except possibly in the form of procedure calls that follow a stack discipline, though the current core set of commands does not include calls). Statements are parameterized by a command type and describe the control flow surrounding those commands. Currently, Imperative has structured, deterministic statements, each of which can be: a command, a sequence of statements in a block, a deterministic conditional, a deterministic loop with a condition, or an exit statement that exits the nearest enclosing block with a matching label.

We plan to add non-deterministic statements, as in Kleene Algebra with Tests, and support a translation from structured deterministic statements into structured non-deterministic statements.

We also expect to add unstructured control-flow graphs where each basic block consists of a sequence of commands followed by a terminator command. A terminator command can be: a conditional jump to one of two blocks, termination of execution, or a non-deterministic jump to any one of an arbitrary number of successor blocks.

3.1. Command Syntax🔗

The core built-in set of commands includes variable initializations, deterministic assignments, non-deterministic assignments ("havoc"), assertions, and assumptions.

inductive type

Imperative.Cmd (P : PureExpr) : Type
Imperative.Cmd (P : PureExpr) : Type

A an atomic command in the Imperative dialect.

Commands don't create local control flow, and are typically used as a parameter to Imperative.Stmt or other similar types.

Constructors

init {P : PureExpr} (name : P.Ident) (ty : P.Ty)
  (e : ExprOrNondet P) (md : MetaData P) : Cmd P

Define a variable called name with type ty and value e. When e is .nondet, the variable is initialized with an arbitrary value.

set {P : PureExpr} (name : P.Ident) (e : ExprOrNondet P)
  (md : MetaData P) : Cmd P

Assign e to a pre-existing variable name. When e is .nondet, assigns an arbitrary value (havoc semantics).

assert {P : PureExpr} (label : String) (b : P.Expr)
  (md : MetaData P) : Cmd P

Checks if condition b is true on all paths on which this command is encountered. Reports an error if b does not hold on any of these paths.

assume {P : PureExpr} (label : String) (b : P.Expr)
  (md : MetaData P) : Cmd P

Ignore any execution state in which b is not true.

cover {P : PureExpr} (label : String) (b : P.Expr)
  (md : MetaData P) : Cmd P

Checks if there exists a path that reaches this command and condition b is true. Reports an error otherwise. This is the dual of assert, and can be used for coverage analysis.

3.2. Command Operational Semantics🔗

The semantics of commands are specified in terms of how they interact with a program state, written σ. A state can be applied to a variable to obtain its current value. And an expression e can be evaluated using the evaluation function in a given state: δ σ e gives the result of evaluating e in state σ. This generic description allows the details of the program state representation to vary, as long as it supports these operations.

Given a state σ, the InitState relation describes how a variable obtains its initial value.

inductive predicate

Imperative.InitState (P : PureExpr) :
  SemanticStore P → P.Ident → P.Expr → SemanticStore P → Prop
Imperative.InitState (P : PureExpr) :
  SemanticStore P →
    P.Ident →
      P.Expr → SemanticStore P → Prop

Abtract variable initialization.

This does not specify how σ is represented, only what it maps each variable to.

Constructors

init {P : PureExpr} {σ σ' : SemanticStore P} {x : P.Ident}
  {v : P.Expr} :
  σ x = none →
    σ' x = some v →
      (∀ (y : P.Ident), x ≠ y → σ' y = σ y) →
        InitState P σ x v σ'

The state σ' is be equivalent to σ except at x, where it maps to v. Requires that x mapped to nothing beforehand.

The UpdateState relation then describes how a variable's value can change.

inductive predicate

Imperative.UpdateState (P : PureExpr) :
  SemanticStore P → P.Ident → P.Expr → SemanticStore P → Prop
Imperative.UpdateState (P : PureExpr) :
  SemanticStore P →
    P.Ident →
      P.Expr → SemanticStore P → Prop

Abstract variable update.

This does not specify how σ is represented, only what it maps each variable to.

Constructors

update {P : PureExpr} {σ σ' : SemanticStore P} {x : P.Ident}
  {v v' : P.Expr} :
  σ x = some v' →
    σ' x = some v →
      (∀ (y : P.Ident), x ≠ y → σ' y = σ y) →
        UpdateState P σ x v σ'

The state σ' is be equivalent to σ except at x, where it maps to v. Requires that x mapped to something beforehand.

Given these two state relations, the semantics of each command is specified in a standard way.

inductive predicate

Imperative.EvalCmd (P : PureExpr) [HasFvar P] [HasBool P] [HasNot P] :
  SemanticEval P →
    SemanticStore P → Cmd P → SemanticStore P → Bool → Prop
Imperative.EvalCmd (P : PureExpr)
  [HasFvar P] [HasBool P] [HasNot P] :
  SemanticEval P →
    SemanticStore P →
      Cmd P →
        SemanticStore P → Bool → Prop

An inductively-defined operational semantics for Cmd that depends on variable lookup (σ) and expression evaluation (δ) functions. Commands do not modify the evaluator - only funcDecl statements do.

The Bool output parameter is a failure flag: true when the command signals an assertion failure, false otherwise. Only eval_assert_fail sets it to true; all other constructors report false.

The failure flag is accumulated in Env.hasFailure by the statement semantics (EvalStmt).

Constructors

eval_init {P : PureExpr} [HasFvar P] [HasBool P] [HasNot P]
  {x✝ : P.Ty} {x✝¹ : MetaData P} {δ : SemanticEval P}
  {σ : SemanticStore P} {x : P.Ident} {v : P.Expr}
  {σ' : SemanticStore P} {e : P.Expr} :
  δ σ e = some v →
    InitState P σ x v σ' →
      WellFormedSemanticEvalVar δ →
        EvalCmd P δ σ
          (Cmd.init x x✝ (ExprOrNondet.det e) x✝¹) σ' false

If e evaluates to a value v, initialize x according to InitState.

eval_init_unconstrained {P : PureExpr} [HasFvar P]
  [HasBool P] [HasNot P] {x✝ : P.Ty} {x✝¹ : MetaData P}
  {σ : SemanticStore P} {x : P.Ident} {v : P.Expr}
  {σ' : SemanticStore P} {δ : SemanticEval P} :
  InitState P σ x v σ' →
    WellFormedSemanticEvalVar δ →
      EvalCmd P δ σ (Cmd.init x x✝ ExprOrNondet.nondet x✝¹)
        σ' false

Initialize x with an unconstrained value (havoc semantics).

eval_set {P : PureExpr} [HasFvar P] [HasBool P] [HasNot P]
  {x✝ : MetaData P} {δ : SemanticEval P}
  {σ : SemanticStore P} {x : P.Ident} {v : P.Expr}
  {σ' : SemanticStore P} {e : P.Expr} :
  δ σ e = some v →
    UpdateState P σ x v σ' →
      WellFormedSemanticEvalVar δ →
        EvalCmd P δ σ (Cmd.set x (ExprOrNondet.det e) x✝) σ'
          false

If e evaluates to a value v, assign x according to UpdateState.

eval_set_nondet {P : PureExpr} [HasFvar P] [HasBool P]
  [HasNot P] {x✝ : MetaData P} {σ : SemanticStore P}
  {x : P.Ident} {v : P.Expr} {σ' : SemanticStore P}
  {δ : SemanticEval P} :
  UpdateState P σ x v σ' →
    WellFormedSemanticEvalVar δ →
      EvalCmd P δ σ (Cmd.set x ExprOrNondet.nondet x✝) σ'
        false

Assign x an arbitrary value v according to UpdateState.

eval_assert_pass {P : PureExpr} [HasFvar P] [HasBool P]
  [HasNot P] {x✝ : String} {x✝¹ : MetaData P}
  {δ : SemanticEval P} {σ : SemanticStore P} {e : P.Expr} :
  δ σ e = some HasBool.tt →
    WellFormedSemanticEvalBool δ →
      EvalCmd P δ σ (Cmd.assert x✝ e x✝¹) σ false

Assert passes: e evaluates to true, no failure. The store is unchanged.

eval_assert_fail {P : PureExpr} [HasFvar P] [HasBool P]
  [HasNot P] {x✝ : String} {x✝¹ : MetaData P}
  {δ : SemanticEval P} {σ : SemanticStore P} {e : P.Expr} :
  δ σ e = some HasBool.ff →
    WellFormedSemanticEvalBool δ →
      EvalCmd P δ σ (Cmd.assert x✝ e x✝¹) σ true

Assert fails: e does not evaluate to true, failure flag is set. The store is unchanged — the command is an unconditional skip on the store, but the failure flag records the violation.

eval_assume {P : PureExpr} [HasFvar P] [HasBool P]
  [HasNot P] {x✝ : String} {x✝¹ : MetaData P}
  {δ : SemanticEval P} {σ : SemanticStore P} {e : P.Expr} :
  δ σ e = some HasBool.tt →
    WellFormedSemanticEvalBool δ →
      EvalCmd P δ σ (Cmd.assume x✝ e x✝¹) σ false

If e evaluates to true in σ, evaluate to the same σ.

eval_cover {P : PureExpr} [HasFvar P] [HasBool P] [HasNot P]
  {x✝ : String} {x✝¹ : MetaData P} {δ : SemanticEval P}
  {σ : SemanticStore P} {e : P.Expr} :
  WellFormedSemanticEvalBool δ →
    EvalCmd P δ σ (Cmd.cover x✝ e x✝¹) σ false

A cover, when encountered, is essentially a skip.

3.3. Structured Deterministic Statement Syntax🔗

Statements allow commands to be organized into standard control flow arrangements, including sequencing, alternation, and iteration. Sequencing statements occurs by grouping them into blocks. Loops can be annotated with optional invariants and decreasing measures, which can be used for deductive verification.

inductive type

Imperative.Stmt (P : PureExpr) (Cmd : Type) : Type
Imperative.Stmt (P : PureExpr)
  (Cmd : Type) : Type

Imperative statements focused on control flow.

The P parameter specifies the type of expressions that appear in conditional and loop guards. The Cmd parameter specifies the type of atomic command contained within the .cmd constructor.

Constructors

cmd {P : PureExpr} {Cmd : Type} (cmd : Cmd) : Stmt P Cmd

An atomic command.

block {P : PureExpr} {Cmd : Type} (label : String)
  (b : List (Stmt P Cmd)) (md : MetaData P) : Stmt P Cmd

An block containing a List of Stmt.

ite {P : PureExpr} {Cmd : Type} (cond : ExprOrNondet P)
  (thenb elseb : List (Stmt P Cmd)) (md : MetaData P) :
  Stmt P Cmd

A conditional execution statement. When cond is .nondet, the branch is chosen non-deterministically.

loop {P : PureExpr} {Cmd : Type} (guard : ExprOrNondet P)
  (measure : Option P.Expr) (invariants : List P.Expr)
  (body : List (Stmt P Cmd)) (md : MetaData P) : Stmt P Cmd

An iterated execution statement. Includes an optional measure (for termination) and invariants. When guard is .nondet, the loop iterates a non-deterministic number of times.

exit {P : PureExpr} {Cmd : Type} (label : Option String)
  (md : MetaData P) : Stmt P Cmd

An exit statement that transfers control out of the nearest enclosing block with the given label. If no label is provided, exits the nearest enclosing block.

funcDecl {P : PureExpr} {Cmd : Type} (decl : PureFunc P)
  (md : MetaData P) : Stmt P Cmd

A function declaration within a statement block.

typeDecl {P : PureExpr} {Cmd : Type} (tc : TypeConstructor)
  (md : MetaData P) : Stmt P Cmd

A type declaration within a statement block.

def

Imperative.Block (P : PureExpr) (Cmd : Type) : Type
Imperative.Block (P : PureExpr)
  (Cmd : Type) : Type

A block is simply an abbreviation for a list of commands.

3.4. Structured Deterministic Statement Operational Semantics🔗

The semantics of the Stmt type is defined in terms of configurations, represented by the Config type. A configuration pairs the statement(s) remaining to be executed with a state, and each step of execution goes from an initial configuration to a final configuration.

inductive type

Imperative.Config (P : PureExpr) (CmdT : Type) : Type
Imperative.Config (P : PureExpr)
  (CmdT : Type) : Type

Configuration for small-step semantics, representing the current execution state. A configuration consists of:

The current statement (or list of statements) being executed
An execution environment (Env) bundling store, evaluator, and failure flag

Constructors

stmt {P : PureExpr} {CmdT : Type} :
  Stmt P CmdT → Imperative.Env P → Imperative.Config P CmdT

A single statement to execute next.

stmts {P : PureExpr} {CmdT : Type} :
  List (Stmt P CmdT) →
    Imperative.Env P → Imperative.Config P CmdT

A list of statements to execute next, in order.

terminal {P : PureExpr} {CmdT : Type} :
  Imperative.Env P → Imperative.Config P CmdT

A terminal configuration, indicating that execution has finished.

exiting {P : PureExpr} {CmdT : Type} :
  Option String →
    Imperative.Env P → Imperative.Config P CmdT

An exiting configuration, indicating that an exit statement was encountered. The optional label identifies which block to exit to.

block {P : PureExpr} {CmdT : Type} :
  String →
    Imperative.Config P CmdT → Imperative.Config P CmdT

A block context: execute the inner config, then consume matching exits. The string is the block label.

seq {P : PureExpr} {CmdT : Type} :
  Imperative.Config P CmdT →
    List (Stmt P CmdT) → Imperative.Config P CmdT

A sequence context: execute the first statement (as a sub-config), then continue with the remaining statements.

The StepStmt type describes how each type of statement transforms configurations. Like with the other components of Strata, the rules follow standard conventions.

inductive predicate

Imperative.StepStmt {CmdT : Type} (P : PureExpr) [HasBool P] [HasNot P]
  (EvalCmd : EvalCmdParam P CmdT) (extendEval : ExtendEval P) :
  Imperative.Config P CmdT → Imperative.Config P CmdT → Prop
Imperative.StepStmt {CmdT : Type}
  (P : PureExpr) [HasBool P] [HasNot P]
  (EvalCmd : EvalCmdParam P CmdT)
  (extendEval : ExtendEval P) :
  Imperative.Config P CmdT →
    Imperative.Config P CmdT → Prop

StepStmt defines a single execution step from one configuration to another. The expression evaluator is part of the Env and can be extended by funcDecl statements. The cumulative failure flag in Env.hasFailure is OR-ed with the per-command failure flag at each step_cmd.

Constructors

step_cmd {CmdT : Type} {P : PureExpr} [HasBool P] [HasNot P]
  {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {c : CmdT}
  {σ' : SemanticStore P} {hasAssertFailure : Bool}
  {ρ : Imperative.Env P} :
  EvalCmd ρ.eval ρ.store c σ' hasAssertFailure →
    StepStmt P EvalCmd extendEval
      (Config.stmt (Stmt.cmd c) ρ)
      (Config.terminal
        { store := σ', eval := ρ.eval,
          hasFailure := ρ.hasFailure || hasAssertFailure })

A command steps to terminal configuration if it evaluates successfully. Commands preserve the evaluator (ρ'.eval = ρ.eval). The per-command failure flag hasAssertFailure is OR-ed into ρ.hasFailure to produce the new environment's flag.

step_block {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {x✝ : MetaData P}
  {label : String} {ss : List (Stmt P CmdT)}
  {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.stmt (Stmt.block label ss x✝) ρ)
    (Config.block label (Config.stmts ss ρ))

A labeled block steps to a block context that wraps its body as .stmts.

step_ite_true {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {x✝ : MetaData P} {c : P.Expr}
  {tss ess : List (Stmt P CmdT)} {ρ : Imperative.Env P} :
  ρ.eval ρ.store c = some HasBool.tt →
    WellFormedSemanticEvalBool ρ.eval →
      StepStmt P EvalCmd extendEval
        (Config.stmt
          (Stmt.ite (ExprOrNondet.det c) tss ess x✝) ρ)
        (Config.stmts tss ρ)

If the condition of an ite statement evaluates to true, step to the then branch.

step_ite_false {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {x✝ : MetaData P} {c : P.Expr}
  {tss ess : List (Stmt P CmdT)} {ρ : Imperative.Env P} :
  ρ.eval ρ.store c = some HasBool.ff →
    WellFormedSemanticEvalBool ρ.eval →
      StepStmt P EvalCmd extendEval
        (Config.stmt
          (Stmt.ite (ExprOrNondet.det c) tss ess x✝) ρ)
        (Config.stmts ess ρ)

If the condition of an ite statement evaluates to false, step to the else branch.

step_ite_nondet_true {CmdT : Type} {P : PureExpr}
  [HasBool P] [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {x✝ : MetaData P}
  {tss ess : List (Stmt P CmdT)} {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.stmt (Stmt.ite ExprOrNondet.nondet tss ess x✝)
      ρ)
    (Config.stmts tss ρ)

Non-deterministic ite: step to the then branch.

step_ite_nondet_false {CmdT : Type} {P : PureExpr}
  [HasBool P] [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {x✝ : MetaData P}
  {tss ess : List (Stmt P CmdT)} {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.stmt (Stmt.ite ExprOrNondet.nondet tss ess x✝)
      ρ)
    (Config.stmts ess ρ)

Non-deterministic ite: step to the else branch.

step_loop_enter {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {g : P.Expr}
  {m : Option P.Expr} {inv : List P.Expr}
  {body : List (Stmt P CmdT)} {md : MetaData P}
  {ρ : Imperative.Env P} :
  ρ.eval ρ.store g = some HasBool.tt →
    WellFormedSemanticEvalBool ρ.eval →
      StepStmt P EvalCmd extendEval
        (Config.stmt
          (Stmt.loop (ExprOrNondet.det g) m inv body md) ρ)
        (Config.stmts
          (body ++
            [Stmt.loop (ExprOrNondet.det g) m inv body md])
          ρ)

If a loop guard is true, execute the body (followed by the loop again).

step_loop_exit {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {x✝ : MetaData P} {g : P.Expr}
  {m : Option P.Expr} {inv : List P.Expr}
  {body : List (Stmt P CmdT)} {ρ : Imperative.Env P} :
  ρ.eval ρ.store g = some HasBool.ff →
    WellFormedSemanticEvalBool ρ.eval →
      StepStmt P EvalCmd extendEval
        (Config.stmt
          (Stmt.loop (ExprOrNondet.det g) m inv body x✝) ρ)
        (Config.terminal ρ)

If a loop guard is false, terminate the loop.

step_loop_nondet_enter {CmdT : Type} {P : PureExpr}
  [HasBool P] [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {m : Option P.Expr}
  {inv : List P.Expr} {body : List (Stmt P CmdT)}
  {md : MetaData P} {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.stmt
      (Stmt.loop ExprOrNondet.nondet m inv body md) ρ)
    (Config.stmts
      (body ++
        [Stmt.loop ExprOrNondet.nondet m inv body md])
      ρ)

Non-deterministic loop: enter the body.

step_loop_nondet_exit {CmdT : Type} {P : PureExpr}
  [HasBool P] [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {x✝ : MetaData P}
  {m : Option P.Expr} {inv : List P.Expr}
  {body : List (Stmt P CmdT)} {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.stmt
      (Stmt.loop ExprOrNondet.nondet m inv body x✝) ρ)
    (Config.terminal ρ)

Non-deterministic loop: exit the loop.

step_exit {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {x✝ : MetaData P}
  {label : Option String} {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.stmt (Stmt.exit label x✝) ρ)
    (Config.exiting label ρ)

An exit statement produces an exiting configuration.

step_funcDecl {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {decl : PureFunc P}
  {md : MetaData P} {ρ : Imperative.Env P} [HasSubstFvar P]
  [HasVarsPure P P.Expr] :
  StepStmt P EvalCmd extendEval
    (Config.stmt (Stmt.funcDecl decl md) ρ)
    (Config.terminal
      { store := ρ.store,
        eval := extendEval ρ.eval ρ.store decl,
        hasFailure := ρ.hasFailure })

A function declaration extends the evaluator with the new function.

step_typeDecl {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {_tc : TypeConstructor}
  {_md : MetaData P} {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.stmt (Stmt.typeDecl _tc _md) ρ)
    (Config.terminal ρ)

A type declaration is a no-op at runtime.

step_stmts_nil {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval (Config.stmts [] ρ)
    (Config.terminal ρ)

An empty list of statements steps to .terminal with no state changes.

step_stmts_cons {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {s : Stmt P CmdT}
  {ss : List (Stmt P CmdT)} {ρ : Imperative.Env P} :
  StepStmt P EvalCmd extendEval (Config.stmts (s :: ss) ρ)
    ((Config.stmt s ρ).seq ss)

To evaluate a non-empty sequence, enter a seq context that processes the first statement while remembering the remaining statements.

step_seq_inner {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P}
  {inner inner' : Imperative.Config P CmdT}
  {ss : List (Stmt P CmdT)} :
  StepStmt P EvalCmd extendEval inner inner' →
    StepStmt P EvalCmd extendEval (inner.seq ss)
      (inner'.seq ss)

A seq context steps its inner config forward.

step_seq_done {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {ρ' : Imperative.Env P}
  {ss : List (Stmt P CmdT)} :
  StepStmt P EvalCmd extendEval
    ((Config.terminal ρ').seq ss) (Config.stmts ss ρ')

When the inner config of a seq reaches terminal, continue with the remaining statements.

step_seq_exit {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {label : Option String}
  {ρ' : Imperative.Env P} {ss : List (Stmt P CmdT)} :
  StepStmt P EvalCmd extendEval
    ((Config.exiting label ρ').seq ss)
    (Config.exiting label ρ')

When the inner config of a seq exits, propagate the exit (skip remaining statements).

step_block_body {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P}
  {inner inner' : Imperative.Config P CmdT}
  {label : String} :
  StepStmt P EvalCmd extendEval inner inner' →
    StepStmt P EvalCmd extendEval (Config.block label inner)
      (Config.block label inner')

A block context steps its inner body one step forward. The inner body can be any config (stmts, seq, etc.).

step_block_done {CmdT : Type} {P : PureExpr} [HasBool P]
  [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {label : String}
  {ρ' : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.block label (Config.terminal ρ'))
    (Config.terminal ρ')

When a block's inner body reaches terminal, the block terminates.

step_block_exit_none {CmdT : Type} {P : PureExpr}
  [HasBool P] [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {label : String}
  {ρ' : Imperative.Env P} :
  StepStmt P EvalCmd extendEval
    (Config.block label (Config.exiting none ρ'))
    (Config.terminal ρ')

When a block's inner body exits with no label, the block consumes the exit.

step_block_exit_match {CmdT : Type} {P : PureExpr}
  [HasBool P] [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {l label : String}
  {ρ' : Imperative.Env P} :
  l = label →
    StepStmt P EvalCmd extendEval
      (Config.block label (Config.exiting (some l) ρ'))
      (Config.terminal ρ')

When a block's inner body exits with a matching label, the block consumes it.

step_block_exit_mismatch {CmdT : Type} {P : PureExpr}
  [HasBool P] [HasNot P] {EvalCmd : EvalCmdParam P CmdT}
  {extendEval : ExtendEval P} {l label : String}
  {ρ' : Imperative.Env P} :
  l ≠ label →
    StepStmt P EvalCmd extendEval
      (Config.block label (Config.exiting (some l) ρ'))
      (Config.exiting (some l) ρ')

When a block's inner body exits with a non-matching label, the exit propagates.

Like with Lambda, we typically want to talk about arbitrarily long sequences of steps. The Imperative.StepStmtStar relation describes the reflexive, transitive closure of the Imperative.StepStmt relation.

def

Imperative.StepStmtStar {CmdT : Type} (P : PureExpr) [HasBool P]
  [HasNot P] (EvalCmd : EvalCmdParam P CmdT)
  (extendEval : ExtendEval P) :
  Imperative.Config P CmdT → Imperative.Config P CmdT → Prop
Imperative.StepStmtStar {CmdT : Type}
  (P : PureExpr) [HasBool P] [HasNot P]
  (EvalCmd : EvalCmdParam P CmdT)
  (extendEval : ExtendEval P) :
  Imperative.Config P CmdT →
    Imperative.Config P CmdT → Prop

A multi-step execution of Imperative.

4. Metadata🔗

Metadata allows additional information to be attached to nodes in the Strata AST. This may include information such as the provenance of specific AST nodes (e.g., the locations in source code that gave rise to them), facts inferred by specific analyses, or indications of the goal of a specific analysis, among many other possibilities.

Each metadata element maps a field to a value. A field can be named with a variable or an arbitrary string.

inductive type

Imperative.MetaDataElem.Field (P : PureExpr) : Type
Imperative.MetaDataElem.Field
  (P : PureExpr) : Type

A metadata field, which can be either a variable or an arbitrary string label.

For now, we only track the variables modified by a construct, but we will expand this in the future.

Constructors

var {P : PureExpr} (v : P.Ident) : MetaDataElem.Field P

Metadata indexed by a Strata variable.

label {P : PureExpr} (l : String) : MetaDataElem.Field P

Metadata indexed by an arbitrary label.

A value can take the form of an expression or an arbitrary string.

inductive type

Imperative.MetaDataElem.Value (P : PureExpr) : Type
Imperative.MetaDataElem.Value
  (P : PureExpr) : Type

A metadata value, which can be either an expression, a message, or a fileRange

Constructors

expr {P : PureExpr} (e : P.Expr) : MetaDataElem.Value P

Metadata value in the form of a structured expression.

msg {P : PureExpr} (s : String) : MetaDataElem.Value P

Metadata value in the form of an arbitrary string.

fileRange {P : PureExpr} (r : Strata.FileRange) :
  MetaDataElem.Value P

Metadata value in the form of a fileRange.

switch {P : PureExpr} (b : Bool) : MetaDataElem.Value P

Metadata value in the form of a boolean switch.

A metadata element pairs a field with a value.

structure

Imperative.MetaDataElem (P : PureExpr) : Type
Imperative.MetaDataElem (P : PureExpr) :
  Type

A metadata element

Constructor

Imperative.MetaDataElem.mk

Fields

fld : MetaDataElem.Field P

The field or key used to identify the metadata.

value : MetaDataElem.Value P

The value of the metadata.

And, finally, the metadata attached to an AST node consists of an array of metadata elements.

def

Imperative.MetaData (P : PureExpr) : Type
Imperative.MetaData (P : PureExpr) : Type

Metadata is an array of tagged elements.

5. Strata Core Procedures🔗

A procedure is the main verification unit in Strata Core. It is a named signature with typed input and output parameters, a specification (contract), and an optional implementation body.

The concrete syntax of a procedure declaration is:

procedure Name<TypeArgs>(x₁ : T₁, ..., xₙ : Tₙ) returns (y₁ : U₁, ..., yₘ : Uₘ)
spec {
  modifies g₁, g₂, ...;
  [free] requires [label]: P;
  [free] ensures  [label]: Q;
}
{ body };

The Procedure.Header structure captures the procedure's name, type parameters, and input/output signatures.

structure

Core.Procedure.Header : Type
Core.Procedure.Header : Type

The header of a procedure: its name, type parameters, and input/output signatures.

Constructor

Core.Procedure.Header.mk

Fields

name : CoreIdent

The procedure's name.

typeArgs : List TyIdentifier

Type parameters for polymorphic procedures.

inputs : LMonoTySignature

Input parameters: passed by value from caller to callee (immutable in body).

outputs : LMonoTySignature

Output parameters: passed by value from callee to caller (mutable in body).

noFilter : Bool

If true, FilterProcedures will never remove this procedure.

5.1. Parameters🔗

Each procedure has two groups of parameters: input parameters, which are passed by value from the caller to the callee and are immutable within the body, and output parameters, which are mutable within the body and whose final values are returned to the caller. Input and output parameter names must be disjoint from each other and from the modifies clause.

5.2. Specification🔗

A procedure's specification (Procedure.Spec) consists of three parts: a modifies clause listing global variables the procedure may modify (any global not listed is guaranteed unchanged by the frame condition), preconditions (requires) that must hold before invocation, and postconditions (ensures) that must hold on return. Postconditions may reference old(expr) for pre-state values.

structure

Core.Procedure.Spec : Type
Core.Procedure.Spec : Type

The specification (contract) of a procedure.

modifies: Global variables the procedure may modify. Any global not listed is guaranteed unchanged (the frame condition).
preconditions: Labeled boolean expressions that must hold before the procedure executes. Checked (asserted) at call sites unless marked Free.
postconditions: Labeled boolean expressions that must hold when the procedure returns. May reference old(expr) for pre-state values. Assumed at call sites unless the implementation is being verified.

Constructor

Core.Procedure.Spec.mk

Fields

modifies : List Expression.Ident

Global variables the procedure is allowed to modify.

preconditions : ListMap CoreLabel Procedure.Check

Labeled preconditions (requires clauses).

postconditions : ListMap CoreLabel Procedure.Check

Labeled postconditions (ensures clauses).

Each specification clause is represented by Procedure.Check, pairing a boolean expression with an optional Free attribute and metadata.

structure

Core.Procedure.Check : Type
Core.Procedure.Check : Type

A single specification clause: a boolean expression with an optional Free attribute and optional metadata.

Constructor

Core.Procedure.Check.mk

Fields

expr : Expression.Expr

The boolean expression of this specification clause.

attr : Procedure.CheckAttr

Whether this clause is checked (Default) or free (Free).

md : MetaData Expression

Optional metadata (e.g., source location).

The Procedure.CheckAttr type controls whether a clause is checked or free. A free precondition is assumed by the implementation but not asserted at call sites; a free postcondition is assumed upon return from calls but not checked on exit from implementations.

inductive type

Core.Procedure.CheckAttr : Type
Core.Procedure.CheckAttr : Type

Attribute controlling whether a specification clause is checked or free.

Default: The clause is checked (asserted at call sites for preconditions, checked on exit for postconditions).
Free: The clause is assumed but not checked. A free precondition is assumed by the implementation but not asserted at call sites. A free postcondition is assumed upon return from calls but not checked on exit from implementations.

See Section 8.1 of "This is Boogie 2" for motivation.

Constructors

Free : Procedure.CheckAttr

The clause is free: assumed but not checked.

Default : Procedure.CheckAttr

The clause is checked (default behavior).

5.2.1. The `old` expression🔗

Postconditions and procedure bodies are two-state contexts: they can refer to both the pre-state (on entry) and the post-state (on exit) of a procedure invocation. The pre-state value of an expression is denoted by old(expr). Only global variables are affected by old; it distributes to the leaves of expressions and is idempotent. old is not allowed in preconditions.

5.3. Procedure calls🔗

A procedure is invoked via the call statement:

call y₁, ..., yₘ := ProcName(e₁, ..., eₙ);

The semantics of a call are: (1) evaluate argument expressions, (2) assert each non-free precondition with actuals substituted for formals, (3) havoc the output and modifies variables, (4) assume each postcondition with actuals substituted for formals and old(g) bound to the pre-call value of g, and (5) update the caller's state. This enables modular verification: each procedure is verified against its contract independently, and callers reason only about the contract.

5.4. Body and verification🔗

If a procedure has a body, the preconditions are assumed, the body is symbolically executed, and the postconditions are asserted at the end. If the body is absent, the procedure is abstract and can only be reasoned about via its contract.

5.5. The Procedure type🔗

structure

Core.Procedure : Type
Core.Procedure : Type

A Strata Core procedure: the main verification unit.

A procedure consists of a header (name, type parameters, input/output signatures), a specification (contract), and an optional body (list of statements). If the body is empty, the procedure is abstract and can only be reasoned about via its contract. If the body is present, it is verified against the specification.

Constructor

Core.Procedure.mk

Fields

header : Procedure.Header

The procedure header: name, type parameters, and parameter signatures.

spec : Procedure.Spec

The procedure's contract: modifies clause, preconditions, and postconditions.

body : List Statement

The procedure body. Empty for abstract (bodyless) procedures.

The Strata Core Language Definition

Table of Contents

1. Introduction🔗

2. Lambda🔗

2.1. Syntax🔗

Constructors

Constructor

Fields

Constructors

Constructor

Fields

Constructor

Fields

2.2. Type System🔗

Constructors

Constructors

Constructor

Fields

Constructor

Fields

Constructors

2.3. Operational Semantics🔗

Constructors

3. Imperative🔗

3.1. Command Syntax🔗

Constructors

3.2. Command Operational Semantics🔗

Constructors

Constructors

Constructors

3.3. Structured Deterministic Statement Syntax🔗

Constructors

3.4. Structured Deterministic Statement Operational Semantics🔗

Constructors

Constructors

4. Metadata🔗

Constructors

Constructors

Constructor

Fields

5. Strata Core Procedures🔗

Constructor

Fields

5.1. Parameters🔗

5.2. Specification🔗

Constructor

Fields

Constructor

Fields

Constructors

5.2.1. The old expression🔗

5.3. Procedure calls🔗

5.4. Body and verification🔗

5.5. The Procedure type🔗

Constructor

Fields

5.2.1. The `old` expression🔗