├── .gitignore ├── README.md ├── citations.bib ├── main.pdf ├── main.tex ├── poster └── meeting-of-the-minds.tex ├── secs ├── ack.tex ├── conclusion.tex ├── domains.tex ├── guarded-recursion.tex ├── handedness.tex ├── introduction.tex ├── language.tex └── step-indexing.tex └── slides ├── happy-karl.png └── meeting-of-the-minds.tex /.gitignore: -------------------------------------------------------------------------------- 1 | *.pdf 2 | *.log 3 | *.aux 4 | **/auto 5 | *.agdai 6 | *.nav 7 | *.out 8 | *.snm 9 | *.toc 10 | *.vrb 11 | _region_.tex 12 | *.bbl 13 | *.blg 14 | *.fls 15 | *.fdb_latexmk 16 | *.ps 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## undergrad-thesis 2 | 3 | My undergraduate thesis: "The Next 700 Failed Step-Index-Free Logical 4 | Relations". It describes a variety of ways one should not attempt to 5 | build a logical relation without step-indexing for general 6 | references. 7 | 8 | - The thesis itself may be found in `main.pdf` or built with 9 | `latexmk -pdf main.tex` 10 | - The poster is under `poster/` and may be built with 11 | `latexmk -pdf poster/meeting-of-the-minds.tex` 12 | - The slides for a 20 minute talk given on the subject are under 13 | `slides/` and may be built with `latexmk -pdf slides/meeting-of-the-minds.tex` 14 | -------------------------------------------------------------------------------- /citations.bib: -------------------------------------------------------------------------------- 1 | @inproceedings{Abadi:90, 2 | title = "A Per Model of Polymorphism and Recursive Types", 3 | author = "Abadi, Mart{\'i}n and Plotkin, Gordon D.", 4 | booktitle = "Logic in Computer Science", 5 | year = 1990, 6 | } 7 | 8 | @incollection{Abramsky:94, 9 | author = {Samson Abramsky and Achim Jung}, 10 | booktitle = {Handbook of Logic in Computer Science}, 11 | title = {Domain Theory}, 12 | year = 1994, 13 | } 14 | 15 | @phdthesis{Ahmed:04, 16 | author = {Ahmed, Amal Jamil}, 17 | title = {Semantics of Types for Mutable State}, 18 | year = 2004, 19 | school = "Department of Computer Science, Princeton University", 20 | } 21 | 22 | @inproceedings{Ahmed:06, 23 | author = {Ahmed, Amal}, 24 | title = {Step-Indexed Syntactic Logical Relations for 25 | Recursive and Quantified Types}, 26 | booktitle = {European Symposium on Programming}, 27 | year = 2006, 28 | } 29 | 30 | @inproceedings{Allen:87, 31 | author = "Allen, Stuart", 32 | title = "A Non-Type-Theoretic Definition of {Martin-L\"{o}f}'s Types", 33 | booktitle = "Logic and Computer Science", 34 | year = 1987, 35 | } 36 | 37 | 38 | @inproceedings{America:87, 39 | author = {America, Pierre and Rutten, Jan J. M. M.}, 40 | title = {Solving Reflexive Domain Equations in a Category of 41 | Complete Metric Spaces}, 42 | booktitle = {Workshop on Mathematical Foundations of Programming Language Semantics}, 43 | year = 1988, 44 | } 45 | 46 | @article{Appel:01, 47 | author = {Appel, Andrew W. and McAllester, David}, 48 | title = {An Indexed Model of Recursive Types for Foundational 49 | Proof-carrying Code}, 50 | journal = {ACM Transactions Programming Language Systems}, 51 | year = 2001, 52 | } 53 | 54 | @inproceedings{Appel:07, 55 | author = {Appel, Andrew W. and Melli\`{e}s, Paul-Andr{\'e} and 56 | Richards, Christopher D. 
and Vouillon, 57 | J{\'e}r\^{o}me}, 58 | title = {A Very Modal Model of a Modern, Major, General Type 59 | System}, 60 | booktitle = {Principles of Programming Languages}, 61 | year = 2007, 62 | } 63 | 64 | @InProceedings{Atkey:12, 65 | title = {Relational Parametricity for Higher Kinds}, 66 | author = {Robert Atkey}, 67 | year = {2012}, 68 | booktitle = {Computer Science Logic}, 69 | } 70 | 71 | @inproceedings{Bahr:17, 72 | title = {{The Clocks Are Ticking: No More Delays!}}, 73 | author = {Bahr, Patrick and Grathwohl, Hans Bugge and 74 | M{\o}gelberg, Rasmus Ejlers}, 75 | year = 2017, 76 | booktitle = {Logic in Computer Science}, 77 | } 78 | 79 | @article{Bainbridge:90, 80 | title = "Functorial polymorphism", 81 | journal = "Theoretical Computer Science", 82 | year = 1990, 83 | author = "E.S. Bainbridge and P.J. Freyd and A. Scedrov and 84 | P.J. Scott" 85 | } 86 | 87 | @book{Barendregt:13, 88 | title={The Lambda Calculus: Its Syntax and Semantics}, 89 | author={Barendregt, Henk}, 90 | series={Studies in Logic and the Foundations of Mathematics}, 91 | year={2013}, 92 | publisher={Elsevier Science} 93 | } 94 | 95 | @inproceedings{Birkedal:05, 96 | author = {Lars Birkedal and Rasmus M{\o}gelberg}, 97 | title = {{Categorical models for Abadi and Plotkin’s logic for parametricity}}, 98 | year = 2005, 99 | booktitle = {Mathematical Structures in Computer Science} 100 | } 101 | 102 | 103 | @InProceedings{Birkedal:13, 104 | author = {Lars Birkedal and Rasmus M{\o}gelberg}, 105 | title = {Intensional Type Theory with Guarded Recursive Types qua Fixed Points on Universes}, 106 | booktitle = {Logic in Computer Science}, 107 | year = 2013, 108 | } 109 | 110 | 111 | @InProceedings{Birkedal:16, 112 | author = {Birkedal, Lars and Bizjak, Ale{\v{s}} and Clouston, Ranald and 113 | Gratwohl, Hans Bugge and Spitters, Bas and Vezzosi, Andrea}, 114 | title = {Guarded Cubical Type Theory}, 115 | booktitle = {TYPES}, 116 | year = 2016, 117 | } 118 | 119 | @Article{Birkedal:99, 120 | author = {Birkedal, Lars and Harper, Robert}, 121 | title = {Constructing Interpretations of Recursives Types in 122 | an Operational Setting}, 123 | journal = {Information and Computation}, 124 | year = 1999, 125 | } 126 | 127 | @article{Birkedal:adts:12, 128 | author = {Lars Birkedal and Kristen St{\o}vring and Jacob Thamsborg}, 129 | title = {A Relational Realizability Model for Higher-Order Stateful {ADT}s}, 130 | journal = {Logic and Algebraic Programming}, 131 | year = 2012, 132 | } 133 | 134 | @article{Birkedal:domain:10, 135 | author = {Birkedal, Lars and St{\o}vring, Kristian and Thamsborg, Jacob}, 136 | title = {The Category-theoretic Solution of Recursive Metric-space Equations}, 137 | journal = {Theoretical Computer Science}, 138 | year = {2010}, 139 | } 140 | 141 | @InProceedings{Birkedal:guarded:10, 142 | author = {Lars Birkedal and Jan Schwinghammer and Kristian St{\o}vring}, 143 | title = {A Metric Model of Lambda Calculus with Guarded Recursion}, 144 | year = 2010, 145 | booktitle = {Fixed Points in Computer Science}, 146 | } 147 | 148 | @article{Birkedal:realizability:10, 149 | author = {Birkedal, Lars and St{\o}vring, Kristian and Thamsborg, Jacob}, 150 | title = {Realizability Semantics of Parametric Polymorphism, 151 | General References, and Recursive Types}, 152 | journal = {Mathematical Structures in Computer Science}, 153 | year = 2010, 154 | } 155 | 156 | 157 | @InProceedings{Birkedal:recursive:11, 158 | author = {Birkedal, Lars and Reus, Bernhard and Schwinghammer, Jan and 159 | St{\o}vring, Kristian and 
Thamsborg, Jacob and Yang, Hongseok}, 160 | title = {Step-Indexed Kripke Models over Recursive Worlds}, 161 | booktitle = {Principles of Programming Languages}, 162 | year = 2011, 163 | } 164 | 165 | @inproceedings{Birkedal:steps:11, 166 | title = {First Steps in Synthetic Guarded Domain Theory: 167 | Step-Indexing in the Topos of Trees}, 168 | author = {Birkedal, Lars and M{\o}gelberg, Rasmus Ejlers and 169 | Schwinghammer, Jan and St{\o}vring, Kristian}, 170 | booktitle = {Logic in Computer Science}, 171 | year = 2011 172 | } 173 | 174 | @misc{Birkedal:trans:12, 175 | author = {Lars Birkedal}, 176 | title = {A note on the transitivity of step-indexed logical 177 | relations}, 178 | year = 2012 179 | } 180 | 181 | @InProceedings{Bizjak:16, 182 | author = {Bizjak, Ale{\v{s}} and Grathwohl, Hans Bugge and Clouston, Ranald and 183 | M{\o}gelberg, Rasmus Ejlers and Birkedal, Lars}, 184 | title = {Guarded Dependent Type Theory with Coinductive Types}, 185 | booktitle = {Foundations of Software Science and Computation Structures}, 186 | year = 2016, 187 | } 188 | 189 | @article{Crary:07, 190 | author = {Crary, Karl and Harper, Robert}, 191 | title = {Syntactic Logical Relations for Polymorphic and 192 | Recursive Types}, 193 | journal = {Electronic Notes Theoretical Computer Science}, 194 | year = 2007, 195 | } 196 | 197 | @inproceedings{Crary:17, 198 | author = {Crary, Karl}, 199 | title = {Modules, Abstraction, and Parametric Polymorphism}, 200 | booktitle = {Principles of Programming Languages}, 201 | year = {2017}, 202 | } 203 | 204 | @INPROCEEDINGS{Crary:99, 205 | AUTHOR = {Karl Crary and Stephanie Weirich}, 206 | TITLE = {Flexible Type Analysis}, 207 | BOOKTITLE = {International Conference on Functional Programming}, 208 | YEAR = 1999, 209 | } 210 | 211 | @article{Davies:01, 212 | author = "Rowan Davies and Frank Pfenning", 213 | title = "A Modal Analysis of Staged Computation", 214 | journal = "Journal of the {ACM}", 215 | year = 2001, 216 | } 217 | 218 | @inproceedings{Dreyer:09, 219 | author = {Dreyer, Derek and Ahmed, Amal and Birkedal, Lars}, 220 | title = {Logical Step-Indexed Logical Relations}, 221 | booktitle = {Logic In Computer Science}, 222 | year = 2009, 223 | } 224 | 225 | @inproceedings{Dreyer:10, 226 | author = {Dreyer, Derek and Neis, Georg and Birkedal, Lars}, 227 | title = {The Impact of Higher-order State and Control Effects 228 | on Local Relational Reasoning}, 229 | booktitle = {International Conference on Functional Programming}, 230 | year = 2010, 231 | } 232 | 233 | @inproceedings{Dunphy:04, 234 | title = {Parametric Limits}, 235 | author = {Brian Dunphy and Uday Reddy}, 236 | year = {2004}, 237 | booktitle = {Logic in Computer Science} 238 | } 239 | 240 | @inproceedings{Escardo:98, 241 | author = {Mart{\'i}n Escard{\'o}}, 242 | title = {A metric model of PCF}, 243 | booktitle = {Workshop on Realizability Semantics and Applications}, 244 | year = 1998 245 | } 246 | 247 | @inproceedings{Freyd:70, 248 | author = {Freyd, Peter}, 249 | year = 1970, 250 | booktitle = {Category Theory}, 251 | title = {Algebraically complete categories} 252 | } 253 | 254 | @inproceedings{Girard:71, 255 | author = "Jean-Yves Girard", 256 | title = "Une extension de l'interpr\'{e}tation de {G\"{o}del} \`{a} l'analyse, et son application \`{a} l'\'{e}limination de coupures dans l'analyse et la th\'{e}orie des types", 257 | booktitle = "Proceedings of the Second Scandinavian Logic Symposium", 258 | year = 1971, 259 | } 260 | 261 | @phdthesis{Girard:72, 262 | author = "Jean-Yves Girard", 263 
| title = "Interpr\'{e}tation fonctionelle et \'{e}limination des coupures de l'arithm\'{e}tique d'ordre sup\'{e}rieur", 264 | school = "Universit\'{e} Paris VII", 265 | year = 1972, 266 | } 267 | 268 | @article{Girard:93, 269 | author = "Jean-Yves Girard", 270 | title = "On the unity of logic", 271 | journal = "Annals of Pure and Applied Logic", 272 | year = 1993, 273 | volume = 59, 274 | number = 3, 275 | } 276 | 277 | @book{Girez:03, 278 | title = {Continuous Lattices and Domains}, 279 | author = {Gierz, G. and Hofmann, K. H. and Keimel, K. and 280 | Lawson, J. D. and Mislove, M. and Scott, D. S. and 281 | Rota, G.-C.}, 282 | year = 2003 283 | } 284 | 285 | @book{Harper:16, 286 | title={Practical Foundations for Programming Languages}, 287 | author={Harper, Robert}, 288 | year={2016}, 289 | publisher={Cambridge University Press} 290 | } 291 | 292 | @article{Harper:92, 293 | author = "Harper, Robert", 294 | title = "Constructing Type Systems over an Operational Semantics", 295 | journal = "Journal of Symbolic Computation", 296 | year = 1992, 297 | } 298 | 299 | @article{Hasegawa:94, 300 | author = {Hasegawa, Ryu}, 301 | year = 1994, 302 | title = {Categorical Data Types in Parametric Polymorphism.}, 303 | booktitle = {Mathematical Structures in Computer Science} 304 | } 305 | 306 | @article{Hermida:14, 307 | author = {Hermida, Claudio and Reddy, Uday and Robinson, 308 | Edmund}, 309 | year = 2014, 310 | title = {Logical Relations and Parametricity – A Reynolds 311 | Programme for Category Theory and Programming 312 | Languages}, 313 | booktitle = {Electronic Notes in Theoretical Computer Science} 314 | } 315 | 316 | @misc{Hofmann:90s, 317 | author = {Martin Hofmann and Thomas Steicher}, 318 | title = {Lifting Grothendieck Universes}, 319 | year = {199?}, 320 | note = {Unpublished note, available online at 321 | \url{http://www.mathematik.tu−darmstadt.de/~streicher/NOTES/lift.dvi.gz}} 322 | } 323 | 324 | @INPROCEEDINGS{Howe:98, 325 | author = {Douglas J. 
Howe}, 326 | title = {Equality In Lazy Computation Systems}, 327 | booktitle = {Logic in Computer Science}, 328 | year = 1989, 329 | } 330 | 331 | @inproceedings{Hur:bisim:12, 332 | author = "Hur, Chung-Kil and Dreyer, Derek and Neis, Georg and Vafeiadis, Viktor", 333 | title = "The Marriage of Bisimulations and {Kripke} Logical Relations", 334 | booktitle = "Principles of Programming Languages", 335 | year = 2012, 336 | } 337 | 338 | @techreport{Hur:rts:12, 339 | title = "The Transitive Composability of Relation Transition Systems", 340 | author = "Hur, Chung-Kil and Neis, Georg and Dreyer, Derek and Vafeiadis, Viktor", 341 | year = 2012, 342 | institution = "Max Planck Institute for Sofware Systems", 343 | number = "MPI-SWS-2012-002", 344 | } 345 | 346 | @article{Jung:15, 347 | author = {Jung, Ralf and Swasey, David and Sieczkowski, Filip 348 | and Svendsen, Kasper and Turon, Aaron and Birkedal, 349 | Lars and Dreyer, Derek}, 350 | title = {Iris: Monoids and Invariants As an Orthogonal Basis 351 | for Concurrent Reasoning}, 352 | journal = {Principles of Programming Languages}, 353 | year = 2015, 354 | } 355 | 356 | @inproceedings{Jung:16, 357 | author = {Jung, Ralf and Krebbers, Robbert and Birkedal, Lars 358 | and Dreyer, Derek}, 359 | title = {Higher-order Ghost State}, 360 | booktitle = {International Conference on Functional Programming}, 361 | year = 2016, 362 | } 363 | 364 | @Article{Jung:17, 365 | author = {Jung, Ralf and Krebbers, Robert and Jourdan, Jacques-Henri and 366 | Bizjak, Ale{\v{s}} and Birkedal, Lars and Dreyer, Derek}, 367 | title = {Iris from the Ground Up: A Modular Foundation for 368 | Higher-Order Concurrent Separation Logic}, 369 | journal = {Submitted for publication}, 370 | year = 2017, 371 | } 372 | 373 | @inproceedings{Krebbers:17, 374 | author = "Krebbers, Robbert and Jung, Ralf and Bizjak, 375 | Ale{\v{s}} and Jourdan, Jacques-Henri and Dreyer, 376 | Derek and Birkedal, Lars", 377 | title = "The Essence of Higher-Order Concurrent Separation Logic", 378 | bookTitle = "European Joint Conferences on Theory and Practice of Software", 379 | year = 2017, 380 | } 381 | 382 | @article{Krivine:94, 383 | title = "Classical logic, storage operators and second-order 384 | lambda-calculus", 385 | journal = "Annals of Pure and Applied Logic", 386 | year = 1994, 387 | author = "Jean-Louis Krivine", 388 | } 389 | 390 | @InProceedings{Krogh-Jespersen:17, 391 | author = {M. Krogh-Jespersen and K. Svendsen and L. Birkedal}, 392 | title = {A Relational Model of Types-and-Effects in 393 | Higher-Order Concurrent Separation Logic}, 394 | booktitle = {Principles of Programming Languages}, 395 | year = 2017, 396 | } 397 | 398 | @inproceedings{Ma:91, 399 | author = {Ma, QingMing and C. Reynolds, John}, 400 | year = 1991, 401 | booktitle = {Mathematical Foundations of Programming Semantics}, 402 | title = {Types, Abstractions, and Parametric Polymorphism, 403 | Part 2.} 404 | } 405 | 406 | @article{Mitchell:91, 407 | title = "Kripke-style models for typed lambda calculus", 408 | journal = "Annals of Pure and Applied Logic", 409 | year = 1991, 410 | author = "John C. 
Mitchell and Eugenio Moggi" 411 | } 412 | 413 | @book{Munkres:00, 414 | title={Topology}, 415 | author={Munkres, James R.}, 416 | year={2000}, 417 | publisher="Pearson", 418 | } 419 | 420 | @inproceedings{Nakano:00, 421 | author = {Nakano, Hiroshi}, 422 | title = {A Modality for Recursion}, 423 | booktitle = {Logic in Computer Science}, 424 | year = 2000, 425 | } 426 | 427 | @inproceedings{Nakano:01, 428 | author = "Hiroshi Nakano", 429 | title = "Fixed-point logic with the approximation modality and its Kripke completeness", 430 | booktitle = "Theoretical Aspects of Computer Software", 431 | year = 2001, 432 | } 433 | 434 | @InProceedings{Paviotti:15, 435 | author = {M. Paviotti and R.E. M{\o}gelberg and L. Birkedal}, 436 | title = {A Model of {PCF} in Guarded Type Theory}, 437 | booktitle = {Mathematical Foundations of Programming Semantics}, 438 | year = 2015, 439 | } 440 | 441 | @article{Pfenning:01, 442 | author = {Pfenning, Frank and Davies, Rowan}, 443 | title = {A Judgmental Reconstruction of Modal Logic}, 444 | journal = {Mathematical Structures in Computer Science}, 445 | year = 2001, 446 | } 447 | 448 | @InCollection{Pitts:11, 449 | author = {Pitts, Andrew M.}, 450 | title = {Howe's Method for Higher-Order Languages}, 451 | booktitle = {Advanced Topics in Bisimulation and Coinduction}, 452 | year = 2011, 453 | } 454 | 455 | @book{Pitts:13, 456 | title={Nominal Sets: Names and Symmetry in Computer Science}, 457 | author={Pitts, Andrew M.}, 458 | year={2013}, 459 | publisher={Cambridge University Press} 460 | } 461 | 462 | @article{Pitts:96, 463 | author = {Pitts, Andrew M.}, 464 | title = {Relational Properties of Domains}, 465 | journal = {Information and Computation}, 466 | year = 1996, 467 | } 468 | 469 | @incollection{Pitts:97, 470 | author = "Pitts, Andrew M.", 471 | title = "Operationally-Based Theories of Program Equivalence", 472 | booktitle = "Semantics and Logics of Computation", 473 | year = 1997, 474 | publisher = "Cambridge University Press", 475 | } 476 | 477 | @incollection{Pitts:98, 478 | author = {Pitts, Andrew M. and Stark, Ian D. 
B.}, 479 | title = {Operational Reasoning for Functions with Local 480 | State}, 481 | booktitle = {Higher Order Operational Techniques in Semantics}, 482 | year = 1998, 483 | } 484 | 485 | @article{Plotkin:80, 486 | title={Lambda-definability in the full type hierarchy}, 487 | author={Plotkin, Gordon}, 488 | journal={To HB Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism}, 489 | year={1980} 490 | } 491 | 492 | @inproceedings{Pottier:11, 493 | author = {Pottier, Fran\c{c}ois}, 494 | title = {A typed store-passing translation for general 495 | references}, 496 | booktitle = {Principles of Programming Languages}, 497 | year = 2011, 498 | } 499 | 500 | @inproceedings{Reynolds:83, 501 | author = {Reynolds, John C.}, 502 | title = {Types, Abstraction, and Parametric Polymorphism}, 503 | booktitle = {Information Processing}, 504 | year = {1983}, 505 | } 506 | 507 | @inproceedings{Robinson:94, 508 | author = {Robinson, Edmund and Rosolini, Giuseppe}, 509 | year = 1994, 510 | title = {Reflexive graphs and parametric polymorphism}, 511 | booktitle = {Logic in Computer Science} 512 | } 513 | 514 | @article{Scott:76, 515 | author = {Scott, Dana}, 516 | year = 1976, 517 | title = {Data Types as Lattices}, 518 | journal = {SIAM Journal on Computing} 519 | } 520 | 521 | @inproceedings{Smyth:77, 522 | author = {Smyth, Michael and Plotkin, Gordon}, 523 | year = 1977, 524 | title = {The Category-Theoretic Solution of Recursive Domain 525 | Equations}, 526 | booktitle = {SIAM Journal on Computing} 527 | } 528 | 529 | @misc{Streicher:04, 530 | author = {Thomas Streicher}, 531 | title = {Universes in Toposes}, 532 | year = 2004, 533 | note = {Unpublished note, available online at 534 | \url{http://www.mathematik.tu-darmstadt.de/~streicher/NOTES/UniTop.pdf}} 535 | } 536 | 537 | @inproceedings{Svendsen:16, 538 | author = "Svendsen, Kasper and Sieczkowski, Filip and 539 | Birkedal, Lars", 540 | title = "Transfinite Step-Indexing: Decoupling Concrete and 541 | Logical Steps", 542 | bookTitle = "European Symposium on Programming", 543 | year = 2016, 544 | } 545 | 546 | @article{Tait:67, 547 | author = "Tait, William W.", 548 | journal = "Journal of Symbolic Logic", 549 | title = {{Intensional Interpretations of Functionals of Finite 550 | Type I}}, 551 | year = 1967 552 | } 553 | 554 | @inproceedings{Turon:13, 555 | author = {Turon, Aaron J. 
and Thamsborg, Jacob and Ahmed, Amal 556 | and Birkedal, Lars and Dreyer, Derek}, 557 | title = {Logical Relations for Fine-grained Concurrency}, 558 | booktitle = {Principles of Programming Languages}, 559 | year = 2013, 560 | } 561 | 562 | @inproceedings{Vytiniotis:10, 563 | author = {Vytiniotis, Dimitrios and Weirich, Stephanie}, 564 | title = {Parametricity, type equality, and higher-order 565 | polymorphism}, 566 | booktitle = {Journal of Functional Programming}, 567 | year = 2010, 568 | } 569 | 570 | @Manual{coq, 571 | title = {The Coq proof assistant reference manual}, 572 | author = {\mbox{The Coq development team}}, 573 | organization = {LogiCal Project}, 574 | year = 2004, 575 | url = "http://coq.inria.fr" 576 | } 577 | -------------------------------------------------------------------------------- /main.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jozefg/undergraduate-thesis/8bf8c11b7ad7d81efa5c51cabbde083a36155302/main.pdf -------------------------------------------------------------------------------- /main.tex: -------------------------------------------------------------------------------- 1 | \documentclass{article} 2 | \usepackage[hyperfootnotes=false]{hyperref} 3 | \usepackage[sort&compress,square,comma,numbers]{natbib} 4 | \usepackage{amsthm} 5 | \usepackage{amsmath} 6 | \usepackage{amssymb} 7 | \usepackage{mathpartir} 8 | \usepackage{stmaryrd} 9 | \usepackage{xifthen} 10 | \usepackage{tikz-cd} 11 | \usepackage{xcolor} 12 | 13 | % Formatting tools 14 | \newcommand{\declareJudgement}[1]{\framebox{$\displaystyle{}{#1}$}} 15 | \newcommand{\different}[1]{{\color{red} #1}} 16 | % Theorems 17 | \newtheorem{thm}{Theorem}[section] 18 | \newtheorem{cor}[thm]{Corollary} 19 | \newtheorem{lem}[thm]{Lemma} 20 | \newtheorem{remark}[thm]{Remark} 21 | \newtheorem{example}[thm]{Example} 22 | \newtheorem{defn}[thm]{Definition} 23 | 24 | % Categories stuff 25 | \newcommand{\Ccat}{\ensuremath{\mathbb{C}}} 26 | \newcommand{\Dcat}{\ensuremath{\mathbb{D}}} 27 | \newcommand{\op}[1]{\ensuremath{#1^{\mathsf{op}}}} 28 | \newcommand{\SET}{\ensuremath{\mathbf{Set}}} 29 | \newcommand{\DCPO}{\ensuremath{\mathbf{Dcpo}}} 30 | \newcommand{\presheaves}[1]{\ensuremath{\widehat{#1}}} 31 | \newcommand{\transpose}[1]{\ensuremath{\widehat{#1}}} 32 | \newcommand{\pair}[2]{\ensuremath{\left\langle #1, #2 \right\rangle}} 33 | \newcommand{\univ}{\ensuremath{\mathcal{U}}} 34 | \newcommand{\mono}{\ensuremath{\rightarrowtail}} 35 | \newcommand{\yoneda}{\ensuremath{\mathsf{y}}} 36 | 37 | % Math stuffs 38 | \newcommand{\upred}[1]{\ensuremath{\mathsf{UPred}(#1)}} 39 | \newcommand{\reach}{\ensuremath{\mathrel{\sqsubseteq}}} 40 | \newcommand{\breach}{\ensuremath{\mathrel{\sqsupseteq}}} 41 | \newcommand{\mto}{\ensuremath{\xrightarrow{\mathsf{mon}}}} 42 | \newcommand{\pto}{\ensuremath{\rightharpoonup}} 43 | \newcommand{\pow}[1]{\ensuremath{\mathcal{P}(#1)}} 44 | \newcommand{\powfin}[1]{\ensuremath{\mathcal{P_{\mathrm{fin}}}(#1)}} 45 | \newcommand{\card}[1]{\ensuremath{\left\vert #1 \right\vert}} 46 | \newcommand{\real}{\ensuremath{\mathbb{R}}} 47 | \newcommand{\nat}{\ensuremath{\mathbb{N}}} 48 | \newcommand{\cbult}{\ensuremath{\mathrm{CBUlt}}} 49 | \newcommand{\cle}{\ensuremath{\lesssim}} 50 | \newcommand{\ceq}{\ensuremath{\cong}} 51 | \newcommand{\relR}{\ensuremath{\mathrel{\mathcal{R}}}} 52 | \newcommand{\relS}{\ensuremath{\mathrel{\mathcal{S}}}} 53 | \newcommand{\AND}{\ensuremath{\mathrel{\wedge}}} 54 | 
\newcommand{\OR}{\ensuremath{\mathrel{\vee}}} 55 | \newcommand{\den}[1]{\ensuremath{\llbracket #1 \rrbracket}} 56 | \newcommand{\definitely}[1]{\ensuremath{\lceil #1 \rceil}} 57 | \newcommand{\possibly}[1]{\ensuremath{\lfloor #1 \rfloor}} 58 | \newcommand{\defs}{\ensuremath{\mathrel{\triangleq}}} 59 | \newcommand{\bifix}{\ensuremath{\mathsf{bifix}}} 60 | \newcommand{\disjoint}{\ensuremath{\mathop{\#}}} 61 | \newcommand{\hole}{\ensuremath{\square}} 62 | \newcommand{\sincl}[1]{\ensuremath{\mathsf{succ}(#1)}} 63 | \newcommand{\join}{\ensuremath{\bigvee}} 64 | \newcommand{\cless}{\ensuremath{\lessapprox}} 65 | \newcommand{\aless}{\ensuremath{\lesssim}} 66 | 67 | \DeclareMathOperator{\dom}{Dom} 68 | 69 | % Sets 70 | \newcommand{\states}{\ensuremath{\mathrm{State}}} 71 | \newcommand{\worlds}{\ensuremath{\mathrm{World}}} 72 | \newcommand{\assignables}{\ensuremath{\mathrm{Assignable}}} 73 | \newcommand{\nrel}[1]{\ensuremath{\mathbb{R}_{#1}}} 74 | \newcommand{\semtypes}{\ensuremath{\mathbb{T}}} 75 | \newcommand{\types}{\ensuremath{\mathrm{Type}}} 76 | \newcommand{\typesEnv}{\ensuremath{\mathrm{TypeEnv}}} 77 | \newcommand{\term}{\ensuremath{\mathrm{Term}}} 78 | \newcommand{\urel}{\ensuremath{\mathrm{URel}}} 79 | 80 | % judgments 81 | \newcommand{\guardJ}[2]{\ensuremath{\text{$#1.\,#2$\ \textsf{guarded}}}} 82 | \newcommand{\hasE}[2]{\ensuremath{#1 \mathrel{:} #2}} 83 | \newcommand{\hasM}[2]{\ensuremath{#1 \mathrel{\div} #2}} 84 | \newcommand{\hasKJ}[2]{\ensuremath{#1 \vdash \hasE{#2}{\mathrm{\kind}}}} 85 | \newcommand{\hasTJ}[4]{\ifthenelse{\isempty{#1}}% 86 | {\ensuremath{#2 \vdash \hasE{#3}{#4}}}% 87 | {\ensuremath{#1;#2 \vdash \hasE{#3}{#4}}}} 88 | \newcommand{\hasEJ}[5]{\ifthenelse{\isempty{#1}}% 89 | {\ensuremath{#2; #3 \vdash \hasE{#4}{#5}}}% 90 | {\ensuremath{#1; #2; #3 \vdash \hasE{#4}{#5}}}} 91 | \newcommand{\hasESigJ}[5]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4}{#5}}} 92 | \newcommand{\hasMJ}[5]{\ensuremath{#1; #2 \vdash_{#3} \hasM{#4}{#5}}} 93 | \newcommand{\hasCEJ}[9]{\ensuremath{#5 : (#1; #2 \vdash_{#3} #4) \rightsquigarrow (#6; #7 \vdash_{#8} #9)}} 94 | 95 | \newcommand{\subKJ}[3]{\ifthenelse{\isempty{#1}}% 96 | {\ensuremath{{#2} \leq {#3}}}% 97 | {\ensuremath{{#1} \vdash {#2} \leq {#3}}}} 98 | 99 | \newcommand{\equivESigJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4 \cong #5}{#6}}} 100 | \newcommand{\approxESigJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4 \aless #5}{#6}}} 101 | \newcommand{\equivMJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasM{#4 \cong #5}{#6}}} 102 | 103 | \newcommand{\step}[2]{\ensuremath{#1 \mapsto #2}} 104 | \newcommand{\steps}[2]{\ensuremath{#1 \mapsto^* #2}} 105 | \newcommand{\stepM}[4]{\ensuremath{(#1, #2) \mapsto (#3, #4)}} 106 | \newcommand{\stepsM}[5][*]{\ensuremath{(#2, #3) \mapsto^{#1} (#4, #5)}} 107 | 108 | \newcommand{\dec}[4][i]{\ensuremath{#2 \rhd^{#1} #3 : #4}} 109 | \newcommand{\valueJ}[1]{\ensuremath{#1\ \mathsf{value}}} 110 | \newcommand{\finalJ}[2]{\ensuremath{(#1, #2)\ \mathsf{final}}} 111 | 112 | % language 113 | \newcommand{\kind}{\ensuremath{\mathsf{kind}}} 114 | \newcommand{\later}{\ensuremath{{\blacktriangleright}}} 115 | \newcommand{\ilater}{\ensuremath{{\triangleright}}} 116 | \newcommand{\rec}[2]{\ensuremath{\mu #1.\, #2}} 117 | \newcommand{\fn}[2]{\ensuremath{#1 \to #2}} 118 | \newcommand{\tp}{\ensuremath{\mathsf{T}}} 119 | \newcommand{\unit}{\ensuremath{\mathsf{unit}}} 120 | \newcommand{\cmd}[1]{\ensuremath{\mathsf{cmd}(#1)}} 121 | 122 | \newcommand{\ap}[2]{\ensuremath{#1\ #2}} 123 | \newcommand{\lam}[3]{\ensuremath{\lambda #1 {:} #2.\, #3}} 
124 | \newcommand{\into}[1]{\ifthenelse{\isempty{#1}}% 125 | {\ensuremath{\mathsf{in}}}% 126 | {\ensuremath{\mathsf{in}\,#1}}} 127 | \newcommand{\out}[1]{\ifthenelse{\isempty{#1}}% 128 | {\ensuremath{\mathsf{out}}}% 129 | {\ensuremath{\mathsf{out}\,#1}}} 130 | \newcommand{\delay}{\mathsf{next}} 131 | \newcommand{\fix}{\mathsf{fix}} 132 | \newcommand{\letdelay}[3]{\ensuremath{\mathsf{let\ next\ } #1 = #2 \mathsf{\ in\ } #3}} 133 | \newcommand{\all}[3]{\ensuremath{\forall #1 {:} #2.\, #3}} 134 | \newcommand{\allNoKind}[2]{\ensuremath{\forall #1.\, #2}} 135 | 136 | \newcommand{\Ap}[2]{\ensuremath{#1[#2]}} 137 | \newcommand{\Lam}[3]{\ensuremath{\Lambda #1 {:} #2.\, #3}} 138 | 139 | \newcommand{\LamNoKind}[2]{\ensuremath{\Lambda #1.\, #2}} 140 | \newcommand{\ret}[1]{\ensuremath{\mathsf{ret}(#1)}} 141 | \newcommand{\get}[1]{\ensuremath{\mathsf{get}[#1]}} 142 | \newcommand{\set}[2]{\ensuremath{\mathsf{set}[#1](#2)}} 143 | \newcommand{\dcl}[3]{\ensuremath{\mathsf{dcl}\ #1 := #2\ \mathsf{in}\ #3}} 144 | \newcommand{\bnd}[3]{\ensuremath{\mathsf{bnd}\ #1 \gets #2;\ #3}} 145 | 146 | \newcommand{\trunc}{\ensuremath{\mathsf{trunc}}} 147 | 148 | \newcommand{\littrue}{\ensuremath{\mathsf{true}}} 149 | \newcommand{\litfalse}{\ensuremath{\mathsf{false}}} 150 | 151 | \newcommand{\zap}{\ensuremath{\circledast}} 152 | 153 | 154 | \title{The Next 700 Failed Step-Index-Free Logical Relations} 155 | \author{Daniel Gratzer} 156 | \date{\today} 157 | 158 | \begin{document} 159 | \begin{titlepage} 160 | \makeatletter 161 | \centering 162 | {\scshape\Large Senior Thesis\par} 163 | \vspace{1.5cm} 164 | {\huge\bfseries \@title\par} 165 | \vspace{2cm} 166 | {\Large\itshape \@author\par} 167 | \vfill 168 | supervised by\par 169 | Professor Karl \textsc{Crary} 170 | 171 | \vfill 172 | 173 | % Bottom of the page 174 | {\large \@date\par} 175 | \makeatother 176 | \end{titlepage} 177 | 178 | \begin{abstract} 179 | An important topic in programming languages is the study of 180 | program equivalence. This is done typically with the construction of 181 | a relational denotational model or a syntactic analogue, called a 182 | logical relation. Logical relations have proven to be an effective 183 | tool for analyzing programs and lending formal weight to ideas like 184 | data abstraction and information hiding. 185 | 186 | A central difficulty with logical relations is their fragility; it 187 | has proven to be a challenge to scale logical relations to more 188 | realistic languages. A common technique for accomplishing this is 189 | \emph{step-indexing}. Step-indexing may be an effective tool for 190 | defining logical relations but it results in often frustrating 191 | technical details and limitations. Replacing it with more 192 | traditional logical relations is desirable but so far has only been 193 | achieved for recursive types. In this work we consider extending 194 | traditional logical relations to higher-order references, a common 195 | feature in modern languages. 196 | 197 | The central challenge with constructing a logical relation for 198 | higher-order references is that it must be a Kripke logical 199 | relation. The construction of the Kripke worlds has been a 200 | persistent challenge because they do not exist as mere sets. The 201 | semantic types must be indexed by a Kripke world and the Kripke 202 | world must mention those semantic types, a recursive equation 203 | which has no solutions naively. 
This can be solved by using 204 | step-indexing to navigate the recursive equation but other 205 | techniques may be possible. 206 | 207 | Three methods are explored in this thesis: a domain theoretic 208 | approach, a naive application syntactic minimal invariance, and an 209 | application of syntactic minimal invariance to step-indexing. None 210 | are sufficient to solve the problem. This demonstrates the 211 | difficulty of expressing the recursive structure of higher-order 212 | references. 213 | \end{abstract} 214 | 215 | \newpage 216 | 217 | \input{secs/introduction} 218 | \input{secs/language} 219 | \input{secs/step-indexing} 220 | \input{secs/domains} 221 | \input{secs/handedness} 222 | \input{secs/guarded-recursion} 223 | \input{secs/conclusion} 224 | \input{secs/ack} 225 | 226 | \bibliographystyle{plainnat} 227 | \bibliography{citations} 228 | \end{document} 229 | -------------------------------------------------------------------------------- /poster/meeting-of-the-minds.tex: -------------------------------------------------------------------------------- 1 | \documentclass[a0,landscape]{a0poster} 2 | 3 | \usepackage{multicol} 4 | \columnsep=100pt 5 | \columnseprule=3pt 6 | 7 | \usepackage[svgnames]{xcolor} 8 | 9 | \usepackage[hyperfootnotes=false]{hyperref} 10 | \usepackage[sort&compress,square,comma,numbers]{natbib} 11 | \usepackage{amsthm} 12 | \usepackage{amsmath} 13 | \usepackage{amssymb} 14 | \usepackage{amsfonts} 15 | \usepackage{mathpartir} 16 | \usepackage{stmaryrd} 17 | \usepackage{xifthen} 18 | \usepackage{tikz-cd} 19 | 20 | \usepackage{palatino} 21 | \usepackage{graphicx} 22 | \usepackage{booktabs} 23 | \usepackage[font=small,labelfont=bf]{caption} 24 | \usepackage{wrapfig} 25 | 26 | 27 | % Formatting tools 28 | \newcommand{\declareJudgement}[1]{\framebox{$\displaystyle{}{#1}$}} 29 | \newcommand{\different}[1]{{\color{red} #1}} 30 | % Theorems 31 | \newtheorem{thm}{Theorem} 32 | \newtheorem{cor}[thm]{Corollary} 33 | \newtheorem{lem}[thm]{Lemma} 34 | \newtheorem{remark}[thm]{Remark} 35 | \newtheorem{example}[thm]{Example} 36 | \newtheorem{defn}[thm]{Definition} 37 | 38 | % Categories stuff 39 | \newcommand{\Ccat}{\ensuremath{\mathbb{C}}} 40 | \newcommand{\Dcat}{\ensuremath{\mathbb{D}}} 41 | \newcommand{\op}[1]{\ensuremath{#1^{\mathsf{op}}}} 42 | \newcommand{\SET}{\ensuremath{\mathbf{Set}}} 43 | \newcommand{\DCPO}{\ensuremath{\mathbf{Dcpo}}} 44 | \newcommand{\presheaves}[1]{\ensuremath{\widehat{#1}}} 45 | \newcommand{\transpose}[1]{\ensuremath{\widehat{#1}}} 46 | \newcommand{\pair}[2]{\ensuremath{\left\langle #1, #2 \right\rangle}} 47 | \newcommand{\univ}{\ensuremath{\mathcal{U}}} 48 | \newcommand{\mono}{\ensuremath{\rightarrowtail}} 49 | \newcommand{\yoneda}{\ensuremath{\mathsf{y}}} 50 | 51 | % Math stuffs 52 | \newcommand{\upred}[1]{\ensuremath{\mathsf{UPred}(#1)}} 53 | \newcommand{\reach}{\ensuremath{\mathrel{\sqsubseteq}}} 54 | \newcommand{\breach}{\ensuremath{\mathrel{\sqsupseteq}}} 55 | \newcommand{\mto}{\ensuremath{\xrightarrow{\mathsf{mon}}}} 56 | \newcommand{\pto}{\ensuremath{\rightharpoonup}} 57 | \newcommand{\ptofin}{\ensuremath{\overset{\mathsf{mon}}{\rightharpoonup}}} 58 | \newcommand{\pow}[1]{\ensuremath{\mathcal{P}(#1)}} 59 | \newcommand{\powfin}[1]{\ensuremath{\mathcal{P_{\mathrm{fin}}}(#1)}} 60 | \newcommand{\card}[1]{\ensuremath{\left\vert #1 \right\vert}} 61 | \newcommand{\real}{\ensuremath{\mathbb{R}}} 62 | \newcommand{\nat}{\ensuremath{\mathbb{N}}} 63 | \newcommand{\cbult}{\ensuremath{\mathrm{CBUlt}}} 64 | \newcommand{\cle}{\ensuremath{\lesssim}} 
65 | \newcommand{\ceq}{\ensuremath{\cong}} 66 | \newcommand{\relR}{\ensuremath{\mathrel{\mathcal{R}}}} 67 | \newcommand{\relS}{\ensuremath{\mathrel{\mathcal{S}}}} 68 | \newcommand{\AND}{\ensuremath{\mathrel{\wedge}}} 69 | \newcommand{\OR}{\ensuremath{\mathrel{\vee}}} 70 | \newcommand{\den}[1]{\ensuremath{\llbracket #1 \rrbracket}} 71 | \newcommand{\definitely}[1]{\ensuremath{\lceil #1 \rceil}} 72 | \newcommand{\possibly}[1]{\ensuremath{\lfloor #1 \rfloor}} 73 | \newcommand{\defs}{\ensuremath{\mathrel{\triangleq}}} 74 | \newcommand{\bifix}{\ensuremath{\mathsf{bifix}}} 75 | \newcommand{\disjoint}{\ensuremath{\mathop{\#}}} 76 | \newcommand{\hole}{\ensuremath{\square}} 77 | \newcommand{\sincl}[1]{\ensuremath{\mathsf{succ}(#1)}} 78 | \newcommand{\join}{\ensuremath{\bigvee}} 79 | \newcommand{\cless}{\ensuremath{\lessapprox}} 80 | \newcommand{\aless}{\ensuremath{\lesssim}} 81 | 82 | \DeclareMathOperator{\dom}{Dom} 83 | 84 | % Sets 85 | \newcommand{\states}{\ensuremath{\mathrm{State}}} 86 | \newcommand{\worlds}{\ensuremath{\mathrm{World}}} 87 | \newcommand{\assignables}{\ensuremath{\mathrm{Assignable}}} 88 | \newcommand{\nrel}[1]{\ensuremath{\mathbb{R}_{#1}}} 89 | \newcommand{\semtypes}{\ensuremath{\mathbb{T}}} 90 | \newcommand{\types}{\ensuremath{\mathrm{Type}}} 91 | \newcommand{\typesEnv}{\ensuremath{\mathrm{TypeEnv}}} 92 | \newcommand{\term}{\ensuremath{\mathrm{Term}}} 93 | \newcommand{\urel}{\ensuremath{\mathrm{URel}}} 94 | 95 | % judgments 96 | \newcommand{\guardJ}[2]{\ensuremath{\text{$#1.\,#2$\ \textsf{guarded}}}} 97 | \newcommand{\hasE}[2]{\ensuremath{#1 \mathrel{:} #2}} 98 | \newcommand{\hasM}[2]{\ensuremath{#1 \mathrel{\div} #2}} 99 | \newcommand{\hasKJ}[2]{\ensuremath{#1 \vdash \hasE{#2}{\mathrm{\kind}}}} 100 | \newcommand{\hasTJ}[4]{\ifthenelse{\isempty{#1}}% 101 | {\ensuremath{#2 \vdash \hasE{#3}{#4}}}% 102 | {\ensuremath{#1;#2 \vdash \hasE{#3}{#4}}}} 103 | \newcommand{\hasEJ}[5]{\ifthenelse{\isempty{#1}}% 104 | {\ensuremath{#2; #3 \vdash \hasE{#4}{#5}}}% 105 | {\ensuremath{#1; #2; #3 \vdash \hasE{#4}{#5}}}} 106 | \newcommand{\hasESigJ}[5]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4}{#5}}} 107 | \newcommand{\hasMJ}[5]{\ensuremath{#1; #2 \vdash_{#3} \hasM{#4}{#5}}} 108 | \newcommand{\hasCEJ}[9]{\ensuremath{#5 : (#1; #2 \vdash_{#3} #4) \rightsquigarrow (#6; #7 \vdash_{#8} #9)}} 109 | 110 | \newcommand{\subKJ}[3]{\ifthenelse{\isempty{#1}}% 111 | {\ensuremath{{#2} \leq {#3}}}% 112 | {\ensuremath{{#1} \vdash {#2} \leq {#3}}}} 113 | 114 | \newcommand{\equivESigJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4 \cong #5}{#6}}} 115 | \newcommand{\approxESigJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4 \aless #5}{#6}}} 116 | \newcommand{\equivMJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasM{#4 \cong #5}{#6}}} 117 | 118 | \newcommand{\step}[2]{\ensuremath{#1 \mapsto #2}} 119 | \newcommand{\steps}[2]{\ensuremath{#1 \mapsto^* #2}} 120 | \newcommand{\stepM}[4]{\ensuremath{(#1, #2) \mapsto (#3, #4)}} 121 | \newcommand{\stepsM}[5][*]{\ensuremath{(#2, #3) \mapsto^{#1} (#4, #5)}} 122 | 123 | \newcommand{\dec}[4][i]{\ensuremath{#2 \rhd^{#1} #3 : #4}} 124 | \newcommand{\valueJ}[1]{\ensuremath{#1\ \mathsf{value}}} 125 | \newcommand{\finalJ}[2]{\ensuremath{(#1, #2)\ \mathsf{final}}} 126 | 127 | % language 128 | \newcommand{\kind}{\ensuremath{\mathsf{kind}}} 129 | \newcommand{\later}{\ensuremath{{\blacktriangleright}}} 130 | \newcommand{\ilater}{\ensuremath{{\triangleright}}} 131 | \newcommand{\rec}[2]{\ensuremath{\mu #1.\, #2}} 132 | \newcommand{\fn}[2]{\ensuremath{#1 \to #2}} 133 | 
\newcommand{\tp}{\ensuremath{\mathsf{T}}} 134 | \newcommand{\unit}{\ensuremath{\mathsf{unit}}} 135 | \newcommand{\cmd}[1]{\ensuremath{\mathsf{cmd}(#1)}} 136 | 137 | \newcommand{\ap}[2]{\ensuremath{#1\ #2}} 138 | \newcommand{\lam}[3]{\ensuremath{\lambda #1 {:} #2.\, #3}} 139 | \newcommand{\into}[1]{\ifthenelse{\isempty{#1}}% 140 | {\ensuremath{\mathsf{in}}}% 141 | {\ensuremath{\mathsf{in}\,#1}}} 142 | \newcommand{\out}[1]{\ifthenelse{\isempty{#1}}% 143 | {\ensuremath{\mathsf{out}}}% 144 | {\ensuremath{\mathsf{out}\,#1}}} 145 | \newcommand{\delay}{\mathsf{next}} 146 | \newcommand{\fix}{\mathsf{fix}} 147 | \newcommand{\letdelay}[3]{\ensuremath{\mathsf{let\ next\ } #1 = #2 \mathsf{\ in\ } #3}} 148 | \newcommand{\all}[3]{\ensuremath{\forall #1 {:} #2.\, #3}} 149 | \newcommand{\allNoKind}[2]{\ensuremath{\forall #1.\, #2}} 150 | 151 | \newcommand{\Ap}[2]{\ensuremath{#1[#2]}} 152 | \newcommand{\Lam}[3]{\ensuremath{\Lambda #1 {:} #2.\, #3}} 153 | 154 | \newcommand{\LamNoKind}[2]{\ensuremath{\Lambda #1.\, #2}} 155 | \newcommand{\ret}[1]{\ensuremath{\mathsf{ret}(#1)}} 156 | \newcommand{\get}[1]{\ensuremath{\mathsf{get}[#1]}} 157 | \newcommand{\set}[2]{\ensuremath{\mathsf{set}[#1](#2)}} 158 | \newcommand{\dcl}[3]{\ensuremath{\mathsf{dcl}\ #1 := #2\ \mathsf{in}\ #3}} 159 | \newcommand{\bnd}[3]{\ensuremath{\mathsf{bnd}\ #1 \gets #2;\ #3}} 160 | 161 | \newcommand{\trunc}{\ensuremath{\mathsf{trunc}}} 162 | 163 | \newcommand{\littrue}{\ensuremath{\mathsf{true}}} 164 | \newcommand{\litfalse}{\ensuremath{\mathsf{false}}} 165 | 166 | \newcommand{\zap}{\ensuremath{\circledast}} 167 | 168 | \begin{document} 169 | 170 | \begin{minipage}[b]{0.75\linewidth} 171 | \veryHuge \color{NavyBlue} \textbf{The Next 700 Failed Step-Index-Free Logical Relations}\\ \color{Black} 172 | \Huge\textit{Approaches to Designing Logical Relations for General References}\\[1cm] 173 | \huge \textbf{Daniel Gratzer \& Karl Crary}\\ 174 | \huge Carnegie Mellon University\\ 175 | \end{minipage} 176 | \begin{minipage}[b]{0.15\linewidth} 177 | \color{DarkSlateGray}\Large \textbf{Contact Information:}\\ 178 | GitHub: \texttt{https://www.github.com/jozefg}\\ 179 | Email: \texttt{danny.gratzer@gmail.com}\\ 180 | \end{minipage} 181 | 182 | \vspace{1cm} 183 | 184 | \begin{multicols}{4} 185 | \begin{abstract} 186 | \color{Navy} 187 | 188 | An important topic in programming languages is the study of 189 | program equivalence. This is done typically with the construction of 190 | a relational denotational model or a syntactic analogue, called a 191 | logical relation. Logical relations have proven to be an effective 192 | tool for analyzing programs and lending formal weight to ideas like 193 | data abstraction and information hiding. 194 | 195 | A central difficulty with logical relations is their fragility; it 196 | has proven to be a challenge to scale logical relations to more 197 | realistic languages. A common technique for accomplishing this is 198 | \emph{step-indexing}. Step-indexing may be an effective tool for 199 | defining logical relations but it results in often frustrating 200 | technical details and limitations~\citep{Svendsen:16}. Replacing 201 | it with more traditional logical relations is desirable but so far 202 | has only been achieved for recursive types. In this work we 203 | consider extending traditional logical relations to higher-order 204 | references, a common feature in modern languages. 
205 |
206 | The central challenge with constructing a logical relation for
207 | higher-order references is that it must be a Kripke logical
208 | relation. The construction of the Kripke worlds has been a
209 | persistent challenge because they do not exist as mere sets. The
210 | semantic types must be indexed by a Kripke world and the Kripke
211 | world must mention those semantic types, a recursive equation
212 | which has no solutions naively. This can be solved by using
213 | step-indexing to navigate the recursive equation but other
214 | techniques may be possible.
215 |
216 | Three methods are explored in this thesis: a domain-theoretic
217 | approach, a naive application of syntactic minimal invariance, and an
218 | application of syntactic minimal invariance to step-indexing. None
219 | are sufficient to solve the problem. This demonstrates the
220 | difficulty of expressing the recursive structure of higher-order
221 | references.
222 | \end{abstract}
223 |
224 | \color{SaddleBrown}
225 | \section*{Introduction}
226 |
227 | Logical relations originated with~\citet{Tait:67}. They generalize
228 | many different ideas but are fundamentally a
229 | lifting of \emph{structure preserving functions} or
230 | \emph{homomorphisms} to \emph{structure preserving relations}. The
231 | earliest results in programming languages which used logical
232 | relations include normalization and termination results for System
233 | T~\citep{Tait:67} and System F~\citep{Girard:72} as well as a theory
234 | of abstraction~\citep{Reynolds:83}.
235 |
236 | This last result has been of particular importance. The theory of
237 | abstraction, called \emph{parametricity}, has given formal weight
238 | to proofs about data abstraction. Attempts have been made to
239 | reconstruct it in more general denotational
240 | settings~\citep{Bainbridge:90,Abadi:90,Ma:91,Birkedal:05,Dunphy:04}
241 | but this program is still incomplete.
242 |
243 | In the 50 years since their introduction,
244 | logical relations have become a tool of choice for capturing
245 | properties of programs, especially program equivalence. This work is
246 | concerned with extending orthodox logical relations to \emph{general
247 | references}: the ability to store arbitrary data (numbers,
248 | strings, functions, objects, etc.) in mutable cells.
249 |
250 | \subsection*{Program Equivalence is Vital for Program Verification}
251 | \begin{enumerate}
252 | \item Simplify an existing, efficient program to an equivalent
253 | simpler program.
254 | \item Verify that this simpler program matches the desired
255 | specification for the program.
256 | \item Use the aforementioned equivalence to conclude that the
257 | original program satisfies the desired specification.
258 | \end{enumerate}
259 | As software verification becomes more and more critical it
260 | becomes increasingly important to have a well-understood theory of
261 | program equivalence. This theory has proven elusive for more
262 | realistic languages. Logical relations are one technique for describing
263 | it, but scaling them to these languages currently requires
264 | \emph{step-indexing}. While useful, step-indexing introduces
265 | complications and bureaucracy into the use and construction of
266 | logical relations.
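The workflow above rests on a transfer principle, stated here only as
an informal reminder (the notation is ad hoc: $e_{\mathrm{opt}}$ and
$e_{\mathrm{spec}}$ name the optimized and simplified programs, and
$\models$ stands for whatever satisfaction relation the chosen
specification logic provides):
\[
  e_{\mathrm{opt}} \cong e_{\mathrm{spec}}
  \quad\text{and}\quad
  e_{\mathrm{spec}} \models \varphi
  \quad\Longrightarrow\quad
  e_{\mathrm{opt}} \models \varphi,
\]
provided the specification $\varphi$ cannot distinguish equivalent
programs. Logical relations are the tool used to establish the
premise $e_{\mathrm{opt}} \cong e_{\mathrm{spec}}$.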
267 |
268 | \subsection*{Our Approaches}
269 | Our research attempts to extend syntactic logical relations in the
270 | style of Tait and Reynolds~\citep{Tait:67, Reynolds:83} to a more
271 | modern language with general references. Our approaches are as follows:
272 | \begin{itemize}
273 | \item Use domains to solve the recursive equation for Kripke worlds.
274 | \item Construct a logical relation for a more standard type theory
275 | which is powerful enough to encode state~\citep{Pottier:11} using
276 | syntactic minimal invariance.
277 | \item Construct a logical relation for guarded recursive kinds
278 | in $\presheaves{\omega}$.
279 | \end{itemize}
280 | The failure of these approaches demonstrates the difficulties in
281 | constructing a logical relation for general references.
282 |
283 | \color{DarkSlateGray}
284 | \section*{A Language with General References}
285 |
286 | To clarify the language that we will be working with, we
287 | start by defining its rules. The language is
288 | divided into three sorts: types, commands, and expressions. This
289 | division is inspired by Harper's Modernized
290 | Algol~\citep{Harper:16}. The judgment ensuring types are well-formed
291 | is standard from System F.
292 | \begin{mathpar}
293 | \declareJudgement{\hasTJ{}{\Delta}{\tau}{\tp}}\\
294 | \inferrule{
295 | \alpha \in \Delta
296 | }{\hasTJ{}{\Delta}{\alpha}{\tp}}\and
297 | \inferrule{
298 | \hasTJ{}{\Delta}{\tau_1}{\tp}\\
299 | \hasTJ{}{\Delta}{\tau_2}{\tp}
300 | }{\hasTJ{}{\Delta}{\fn{\tau_1}{\tau_2}}{\tp}}\and
301 | \inferrule{
302 | \hasTJ{}{\Delta, \alpha}{\tau}{\tp}
303 | }{\hasTJ{}{\Delta}{\allNoKind{\alpha}{\tau}}{\tp}}\and
304 | \inferrule{
305 | \hasTJ{}{\Delta}{\tau}{\tp}
306 | }{\hasTJ{}{\Delta}{\cmd{\tau}}{\tp}}
307 | \end{mathpar}
308 | In order to explain the statics of expressions and commands, two
309 | judgments are necessary and they must depend on each other. This
310 | dependence stems from $\cmd{-}$ which internalizes the command
311 | judgment. First the expression judgment is given; it is completely
312 | standard except that it must also be fibered over a specification of
313 | the available assignables. This extra context is necessary in order to
314 | make sense of the binding done in $\mathsf{dcl}$.
315 | \begin{mathpar}
316 | \declareJudgement{\hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau}}\\
317 | \inferrule{
318 | x : \tau \in \Gamma
319 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{x}{\tau}}\and
320 | \inferrule{
321 | \hasESigJ{\Delta}{\Gamma, x : \tau_1}{\Sigma}{e}{\tau_2}
322 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\lam{x}{\tau_1}{e}}{\fn{\tau_1}{\tau_2}}}\and
323 | \inferrule{
324 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e_1}{\fn{\tau_1}{\tau_2}}\\
325 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e_2}{\tau_1}
326 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\ap{e_1}{e_2}}{\tau_2}}\and
327 | \inferrule{
328 | \hasESigJ{\Delta, \alpha}{\Gamma}{\Sigma}{e}{\tau}
329 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\LamNoKind{\alpha}{e}}{\allNoKind{\alpha}{\tau}}}\and
330 | \inferrule{
331 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\allNoKind{\alpha}{\tau_1}}\\
332 | \hasTJ{}{\Delta}{\tau_2}{\tp}
333 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\Ap{e}{\tau_2}}{[\tau_2/\alpha]\tau_1}}\and
334 | \inferrule{
335 | \hasMJ{\Delta}{\Gamma}{\Sigma}{m}{\tau}
336 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\cmd{m}}{\cmd{\tau}}}
337 | \end{mathpar}
338 | \begin{mathpar}
339 | \declareJudgement{\hasMJ{\Delta}{\Gamma}{\Sigma}{m}{\tau}}\\
340 | \inferrule{
341 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau}
342 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\ret{e}}{\tau}}\and
343 | \inferrule{
344 | \alpha \div \tau \in \Sigma
345 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\get{\alpha}}{\tau}}\and
346 | \inferrule{
347 | \alpha \div \tau \in \Sigma\\
348 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau}
349 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\set{\alpha}{e}}{\tau}}\and
350 | \inferrule{
351 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau_2}\\
352 | \hasMJ{\Delta}{\Gamma}{\Sigma, \alpha : \tau_2}{m}{\tau_1}
353 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\dcl{\alpha}{e}{m}}{\tau_1}}\and
354 | \inferrule{
355 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\cmd{\tau_1}}\\
356 | \hasMJ{\Delta}{\Gamma, x : \tau_1}{\Sigma}{m}{\tau_2}
357 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\bnd{x}{e}{m}}{\tau_2}}
358 | \end{mathpar}
359 |
360 |
361 | \vfill\null \columnbreak
362 |
363 | \section*{The Mathematical Tools}
364 |
365 | The main approach to constructing a logical relation for this
366 | language is to interpret types as objects in presheaves over
367 | $\omega$. To explain the idea we present a step-indexed
368 | version which illustrates the problems involved.
369 |
370 | A presheaf over $\omega$ is an indexed family of sets
371 | $(X_n)_{n \in \nat}$ with a family of maps $X_{n + 1} \to X_n$. A
372 | map between two indexed families $X$ and $Y$ is a family of maps
373 | $(f_n : X_n \to Y_n)_{n \in \nat}$ making the following diagram commute.
374 | \[
375 | \begin{tikzcd}
376 | X_n \ar[d] \ar[r, "f_n"] & Y_n \ar[d]\\
377 | X_{n - 1} \ar[d] \ar[r, "f_{n - 1}"] & Y_{n - 1} \ar[d]\\
378 | X_{n - 2} \ar[d] \ar[r, "f_{n - 2}"] & Y_{n - 2} \ar[d]\\
379 | \vdots \ar[d] & \vdots \ar[d]\\
380 | X_0 \ar[r, "f_0"] & Y_0
381 | \end{tikzcd}
382 | \]
383 | \begin{thm}
384 | Presheaves over $\omega$, written $\presheaves{\omega}$, have all
385 | small (co)limits as well as exponentials.
386 | \end{thm}
387 | What distinguishes $\presheaves{\omega}$ as a useful category beyond
388 | the category of sets is its support for guarded
389 | recursion~\citep{Birkedal:steps:11}.
390 | \begin{thm}\label{thm:fix}
391 | There exists a product-preserving functor $\later$ and a natural
392 | transformation $\delay{} : 1 \to \later$.
393 |
394 | Furthermore, any functor
395 | $F : \op{\presheaves{\omega}} \times \presheaves{\omega} \to \presheaves{\omega}$
396 | with a strength respecting composition and identity which factors
397 | through $\delay$ has a unique invariant object. That is, there is
398 | an $I$ so that $F(I, I) \cong I$.
399 | \end{thm}
400 | Using this, we can construct an object of Kripke worlds in
401 | $\presheaves{\omega}$. It is built up from a few presheaves,
402 | all easily definable in the internal logic. First, finite maps and
403 | an ordering on them.
404 | \begin{align*}
405 | X \ptofin Y &\defs \{f \in \Omega^{X \times Y} \mid\\
406 | &\qquad (\forall x \in X.\ \forall y_1, y_2 \in Y.\ f(x, y_1) \land f(x, y_2) \implies y_1 = y_2) \land {}\\
407 | &\qquad (\exists n \in \nat.\ \{x \in X \mid \exists y \in Y. f(x, y)\} \cong [n])\}\\
408 | f_1 \le f_2 &\defs \forall x \in X, y \in Y.\ f_1(x, y) \implies f_2(x, y)
409 | \end{align*}
410 | Then monotone functions.
411 | \[
412 | P_1 \mto P_2 \defs \{f \in P_2^{P_1} \mid
413 | \forall x_1, x_2 \in P_1.\ x_1 \le x_2 \implies f(x_1) \le f(x_2)\}
414 | \]
415 | Finally, and this is the part specific to step-indexing, we provide
416 | a uniform construction of predicates on a set.
417 | \begin{align*}
418 | \urel(S) &\defs \Omega^{\Delta(S)}
419 | \end{align*}
420 | Then, worlds are defined by constructing a solution to the following
421 | equation with Theorem~\ref{thm:fix}:
422 | \[
423 | \worlds \cong \nat \ptofin (\worlds \mto \urel(\term \times \term))
424 | \]
425 | We say that two heaps are related at $w$ when the following formula
426 | holds.
427 | \[
428 | h_1 \sim_w h_2 \defs \forall \alpha \in \dom(w).
429 | \ \sincl{\iota(w) \zap \delay(w) \zap (h_1, h_2)}
430 | \]
431 | In this, $\sincl$ and $\ilater$ are the internalization of the
432 | action of $\delay$ and $\later$ on $\Omega$ and $\zap$ is the
433 | monoidal action of $\ilater$.
434 |
435 | \vfill\null
436 |
437 | \section*{The Logical Relation}
438 | Once the presheaf of worlds is fixed and correct, it is relatively
439 | easy to define the logical relation. In its definition we again make
440 | judicious use of the internal logic. The parameter $\eta$ is a type
441 | environment sending type variables to candidates: elements of
442 | $\worlds \mto \urel(\term \times \term)$.
443 | \begin{align*}
444 | \den{-}_{-} &: \types \to \typesEnv \to \worlds \mto \urel(\term \times \term)\\
445 | \den{\alpha}_\eta(w) &= \eta(\alpha)(w)\\
446 | \den{\fn{\tau_1}{\tau_2}}_\eta(w_1) &=
447 | \{(e_1, e_2) \mid \forall w_2 \ge w_1.\ \forall (a_1, a_2) \in \den{\tau_1}_\eta(w_2).\\
448 | &\qquad (\ap{e_1}{a_1}, \ap{e_2}{a_2}) \in \den{\tau_2}_\eta(w_2)\}\\
449 | \den{\allNoKind{\alpha}{\tau}}_\eta(w_1) &=
450 | \{(e_1, e_2) \mid \forall w_2 \ge w_1.\ \forall c_1, c_2,\ S.\\
451 | &\qquad (\Ap{e_1}{c_1}, \Ap{e_2}{c_2}) \in \den{\tau}_{\eta[\alpha \mapsto S]}(w_2)\}\\
452 | \den{\cmd{\tau}}_\eta(w_1) &= \{(e_1, e_2) \mid \forall w_2 \ge w_1.\ \exists m_1, m_2.\\
453 | & \qquad \steps{e_i}{\cmd{m_i}} \land{} \\
454 | & \qquad \forall h_1 \sim_{w_2} h_2 \implies (m_1, h_1) \simeq (m_2, h_2) \land {}\\
455 | & \qquad \forall k_1, k_2, v_1', v_2', h_1', h_2'.\ \stepsM[k_i]{m_i}{h_i}{\ret{v_i}}{h_i'} \implies\\
456 | & \qquad\qquad \exists w_3 \ge w_2.\ \ilater^{k_1} (h_1' \sim_{w_3} h_2' \land (v_1', v_2') \in \den{\tau}_\eta(w_3))
457 | \end{align*}
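To get a feel for the definition it may help to unfold it at a
concrete type; the following unfolding is purely illustrative and
plays no role in the development. At the polymorphic identity type
the clauses for $\forall$ and $\to$ compose to give
\begin{align*}
(e_1, e_2) \in \den{\allNoKind{\alpha}{\fn{\alpha}{\alpha}}}_\eta(w_1) \iff{}
& \forall w_2 \ge w_1.\ \forall c_1, c_2,\ S.\ \forall w_3 \ge w_2.\\
& \qquad \forall (a_1, a_2) \in S(w_3).\ (\ap{\Ap{e_1}{c_1}}{a_1}, \ap{\Ap{e_2}{c_2}}{a_2}) \in S(w_3)
\end{align*}
so two expressions are related exactly when, for every candidate $S$
and every future world, they send $S$-related arguments to
$S$-related results.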
458 | The real challenge is adapting this logical relation to use an
459 | alternative presheaf of semantic types. Ideally, it would
460 | allow us to avoid entangling the definition of the
461 | logical relation with the concrete number of steps a program
462 | takes. In particular, this would mean avoiding $\ilater^k$.
463 |
464 | This work consisted of various attempts to explore alternative
465 | semantic universes to do this. None proved sufficient.
466 |
467 | \color{SaddleBrown}
468 | \section*{Conclusions}
469 |
470 | \begin{itemize}
471 | \item Step-indexed logical relations are here to stay without the
472 | invention of a fundamentally new technique.
473 | \item Syntactic minimal invariance does not appear to scale to any
474 | system richer than System F with recursive types.
475 | \item By exploring richer semantic universes many of the pain-points
476 | and issues with step-indexing can be
477 | alleviated~\citep{Svendsen:16}.
478 | \end{itemize}
479 |
480 | \color{DarkSlateGray}
481 | \tiny
482 | \bibliographystyle{plainnat}
483 | \bibliography{../citations}{}
484 | \end{multicols}
485 | \end{document}
486 |
-------------------------------------------------------------------------------- /secs/ack.tex: --------------------------------------------------------------------------------
1 | \section*{Acknowledgments}
2 |
3 | I would like to thank the huge number of people who have been
4 | instrumental in writing this thesis and in the research of the last four
5 | years that went into it. I am greatly indebted to the POP group at CMU
6 | for a unique environment in which to study. A special thanks to Carlo Angiuli,
7 | Evan Cavallo, Adrien Guatto, Anders M{\"o}rtberg, Jonathan Sterling,
8 | and Joseph Tassarotti for countless hours of discussions on
9 | programming languages. In particular, I must thank Jonathan Sterling and
10 | Carlo Angiuli for valuable feedback on a draft of this thesis. Thanks
11 | to Lars Birkedal and Robert Harper for feedback and advice on this
12 | work. Finally, I must thank Karl Crary for advice, encouragement, and
13 | much wisdom about how to do research in type theory.
14 |
15 | %%% Local Variables:
16 | %%% mode: latex
17 | %%% TeX-master: "../main"
18 | %%% End:
19 |
-------------------------------------------------------------------------------- /secs/conclusion.tex: --------------------------------------------------------------------------------
1 | \section{Conclusions}
2 |
3 | This thesis has illustrated the difficulty of constructing a logical
4 | relation for a language with higher-order state. The techniques
5 | which do work are complex, and despite this they provide only
6 | sound but incomplete reasoning principles. Even so, logical
7 | relations are among the best known techniques for handling
8 | effects. They strike a balance between using simpler mathematics
9 | and providing useful reasoning principles.
10 |
11 | The difficulty and complexity of the attempts to remove step-indexing
12 | from the logical relation raises a question: is it worth it? The
13 | motivations for step-index-free logical relations were basically the
14 | following:
15 | \begin{itemize}
16 | \item Step-indexed logical relations are complicated and
17 | painful to construct and use correctly.
18 | \item Step-indexing is ad hoc and difficult to justify.
19 | \item Step-indexing is ill-suited for capturing properties beyond
20 | safety.
21 | \end{itemize}
22 | The first two issues are addressed in the same way: a generalization
23 | of the way we view logical relations.
If logical relations are just 24 | structure-preserving relations, there's no reason to limit ourselves 25 | to traditional set-theoretic relations. Already with Kripke logical 26 | relations there is the same indexing structure. Rather than viewing 27 | relations as holding or not holding it is quite natural to replace 28 | them with a more intensional, local notion of truth as is done in 29 | both step-indexing and Kripke logical relations. Mathematically, this 30 | is just a switch from relations in sets to relations in an appropriate 31 | presheaf category. If we make use of more sophisticated tools for 32 | working with these relations, either by working internally to a type 33 | theory, a higher-order logic, or a topos, many of the day-to-day issues 34 | of step-indexing can be resolved. 35 | 36 | The last issue is a real problem. The nature of step-indexing is 37 | inherently limiting because it is only suited for properties that 38 | are sound with respect to finite prefixes. Consider, for instance, the 39 | set of programs producing a stream of natural numbers, and in particular 40 | the program outputting $1$, $2$, $3$, and so on. At any finite step this program 41 | has produced a maximal number so far, but it is not the case that it ever 42 | outputs a maximum globally. This is a classic issue in mathematics: 43 | global truth is not truth in every localization and step-indexing only 44 | allows us to discuss local truth. 45 | 46 | In order to fix this, one can either remove the indexing structure and 47 | never work with local truth or add enough locales so that local truth 48 | is strong enough. For instance, if we work with $\omega^2$ in the 49 | example above the problematic program is ruled out: it does not 50 | satisfy the property at $(\omega, 0)$. A fuller theory of logical 51 | relations in this setting is given by \citet{Svendsen:16}. 52 | 53 | Further investigation is needed in both directions. There are many 54 | unstudied generalizations of relations beyond merely a set-theoretic 55 | subset of a product. On the other hand, there is an undeniable appeal to 56 | just being able to work with sets and to find some new clever 57 | technique to avoid the indexing altogether. At the moment though, 58 | there seems to be far more unexplored and accessible space in the 59 | first direction than the second; constructing a step-index-free 60 | logical relation appears to require some new approach beyond 61 | applications of classic tools as was done in this thesis. 62 | 63 | %%% Local Variables: 64 | %%% mode: latex 65 | %%% TeX-master: "../main" 66 | %%% End: 67 | -------------------------------------------------------------------------------- /secs/domains.tex: -------------------------------------------------------------------------------- 1 | \section{Tying the Knot Using Domains}\label{sec:domains} 2 | 3 | This section describes the first and most obvious approach to building 4 | a step-index-free logical relation for state. It would seem that the 5 | real crux of the issue was this Kripke world. Nothing past the 6 | construction of the Kripke world in Section~\ref{sec:steps} 7 | was particularly challenging, especially when a logical approach is 8 | taken. So a natural approach is to find a different setting in which 9 | to solve the following equation: 10 | \[ 11 | \worlds \cong \assignables \pto (\worlds \mto \pow{\term \times \term}) 12 | \] 13 | Traditionally, domains have been used for exactly this purpose.
The 14 | impetus of domain theory as an investigation separate from order 15 | theory in general was the observation by Dana Scott that domains 16 | possessed solutions to equations that sets did not. For instance, a 17 | model of the lambda calculus may be constructed by solving the 18 | equation 19 | \[ 20 | D \cong D \to D 21 | \] 22 | This equation is not possible to solve in sets without trivializing 23 | $D$. In fact, Theorem~\ref{thm:steps:fixed-points} uses a construction 24 | derived originally from domain theory itself. 25 | 26 | \subsection{Domain Theory, Briefly} 27 | 28 | A domain is a particular sort of partial order which comes equipped 29 | with enough structure to accurately describe a notion of continuous 30 | functions upon it. 31 | \begin{defn}\label{def:domains:directed-set} 32 | In a partial order $P$, a directed set $D \subseteq P$ is a set so 33 | that $D \neq \emptyset$ and if $a, b \in D$ then there is a $c \in 34 | D$ so that $a, b \le c$. 35 | \end{defn} 36 | \begin{defn}\label{def:domains:domain} 37 | A domain\footnote{In this text domains are directed complete partial 38 | orders as opposed to any of the myriad varieties of domains one 39 | might have chosen.} is a partial order possessing joins (least upper 40 | bounds) of all directed subsets. Given a directed subset $D$ we 41 | write this join as $\join D$. 42 | \end{defn} 43 | Intuitively, elements of a domain represent a (partial) piece of 44 | knowledge. Moving to a larger element represents moving to a piece of 45 | knowledge that extends what was already known. The ability to 46 | construct joins of directed sets fits into this intuition as the 47 | ability to take a great many fragments of compatible knowledge and 48 | glue them together. 49 | 50 | This intuition primarily comes from the example domain of partial 51 | functions. A partial function is not everywhere defined so it is not a 52 | complete piece of knowledge, but given a collection of partial 53 | functions which agree on the intersection of their domains, they can be glued 54 | together. More precisely, fix the underlying set $S \pto D$ to be the set of 55 | partial functions from some set $S$ to a domain $D$. The ordering on 56 | these functions is given by the following: 57 | \[ 58 | f_1 \reach f_2 \defs \forall s \in S.\ f_1(s) \Downarrow \implies f_1(s) = f_2(s) 59 | \] 60 | Then, joins are constructed on directed sets as follows: 61 | \[ 62 | (\join_i f_i)(s) = \join \{d \mid \exists i.\ f_i(s) = d\} 63 | \] 64 | Showing that this is a partial function relies crucially on the 65 | directedness of $(f_i)_i$. 66 | 67 | The extra structure on domains gives rise to a new class of maps that 68 | preserve this structure. These maps are called (Scott) continuous in 69 | that they preserve joins. 70 | \begin{defn}[Scott continuity] 71 | A map between domains is (Scott) continuous if it preserves the 72 | joins of directed sets. That is, if $f : D \to E$ and 73 | $I \subseteq D$ is directed, then 74 | $f(\join I) = \join \{f(i) \mid i \in I\}$. 75 | \end{defn} 76 | Calling this definition continuity can be justified by considering the 77 | Scott topology on domains, in which the topologically continuous functions are precisely 78 | those which preserve directed joins. For a complete account of the 79 | theory of domains, see for instance \citet{Girez:03,Abramsky:94}. 80 | \begin{thm} 81 | Domains form a category, $\DCPO$, where morphisms are continuous 82 | functions. This category is bicartesian closed; in particular, the 83 | set of continuous maps between two domains is a domain.
84 | \end{thm} 85 | The interesting portion of domain theory for these purposes is the 86 | ability to solve domain equations. Specifically, locally continuous 87 | functors of domains again have solutions. 88 | \begin{defn} 89 | A functor, $F : \DCPO \to \DCPO$ is locally continuous if its action 90 | on morphisms is a continuous function. That is, there is a 91 | continuous map of domains $B^A \to F(B)^{F(A)}$. This definition 92 | generalizes readily to a mixed variance n-ary functor. 93 | \end{defn} 94 | \begin{thm}\label{thm:domains:fixed-points} 95 | Any mixed variance locally continuous functor 96 | $F : \op{\DCPO} \times \DCPO \to \DCPO$ has an invariant object $I$ 97 | so that $F(I, I) \cong I$. 98 | \end{thm} 99 | 100 | \subsection{Domains for State} 101 | 102 | The domains involved in expression the desired equation are quite 103 | straightforward. Power sets are always a complete lattice and 104 | therefore a domain. Scott continuous functions are always monotone so 105 | instead of considering monotone functions it's more natural to pick 106 | Scott continuous functions to get a domain. Finally, partial maps form 107 | a domain as shown above with the small complication that they cannot 108 | be limited to finite partial maps. 109 | 110 | This gives us a proper functor $F : \op{\DCPO} \to \DCPO$ defined by 111 | \begin{align*} 112 | D \mapsto& \assignables \pto (D \mto \pow{\term \times \term})\\ 113 | f \mapsto& \lambda x.\ \lambda \alpha.\ \lambda d.\ x(\alpha)(f(d)) 114 | \end{align*} 115 | There is only one exceptional feature of all of this, the ordering on 116 | the partial map aspect of this domain is nonstandard. A Kripke world 117 | is supposed to map an assignable to a semantic type. The ordering on 118 | these worlds should let us add new mappings, but old mappings should 119 | stay the same. They must in fact, if a location is allocated so that 120 | it can be either $\littrue$ or $\litfalse$, it would be a real 121 | problem if suddenly it could also be a natural number. This ordering, 122 | explicitly, is then defined by the following formula. 123 | \[ 124 | w_1 \reach w_2 \iff \forall \alpha \in \dom(w_1).\ w_1(\alpha) \simeq w_2(\alpha) 125 | \] 126 | This ordering, however natural, means that $F$ is not locally 127 | continuous and therefore there is no way to construct a solution to 128 | it. 129 | 130 | Supposing for a moment that a solution to $F$ did exist. There would 131 | still seemingly be a problem because one of these worlds could have 132 | full support, making modeling allocation impossible. This can be 133 | avoided by defining the logical relation on compact 134 | elements~\citep{Girez:03} of the world domain, precisely those worlds 135 | enjoying only finite support. 136 | 137 | By defining the logical relation on these worlds, it is trivial to 138 | extend it to an arbitrary world by taking $\den{\tau}(w)$ on such a 139 | world to be the join of the results of $\den{\tau}$ on all the compact 140 | elements below $w$. This is automatically continuous and recovers 141 | exactly $\den{\tau}$ on compact elements which are, after all, the 142 | worlds of interest. 
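Written out, the extension just described is (in the notation of this section)
\[
  \den{\tau}(w) \defs \join \{\den{\tau}(w_0) \mid w_0 \reach w,\ w_0\ \text{compact}\}
\]
and the join on the right-hand side always exists because $\pow{\term \times \term}$ is a complete lattice.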
143 | 144 | %%% Local Variables: 145 | %%% mode: latex 146 | %%% TeX-master: "../main" 147 | %%% End: 148 | -------------------------------------------------------------------------------- /secs/guarded-recursion.tex: -------------------------------------------------------------------------------- 1 | \section{A Logical Relation in $\presheaves{\omega}$ with Syntactic Minimal Invariance}\label{sec:guarded} 2 | 3 | The final proposed approach to handling logical relations for state is 4 | to instead study a language which allows us to merely encode 5 | state. This is not sufficient to solve many of the original goals of 6 | this work but it is a simpler problem and a natural stop along the way 7 | to a proper logical relation. The natural candidate for a logical 8 | relation is to consider (guarded) recursive kinds as described by 9 | \citet{Pottier:11}. The motivation for doing this is that a language 10 | with guarded recursive kinds is quite complex but in a very different 11 | way from a language with state. In particular, it does not require Kripke 12 | worlds; the recursion is instead present in the kind structure. By 13 | being present in the structure of types itself, it is easier to handle 14 | with type-based methods. 15 | 16 | Recursive kinds require us to switch to a richer language where the 17 | types themselves support computation. For our purposes, the language 18 | is given by the following grammar. 19 | \[ 20 | \begin{array}{lcl} 21 | e & ::= & x \mid \lam{x}{\tau}{e} \mid \ap{e}{e} \mid \Lam{\alpha}{\kappa}{e} \mid \Ap{e}{c}\\ 22 | c, \tau & ::= & \alpha \mid \fn{\tau}{\tau} \mid \all{\alpha}{\kappa}{\tau} \\ 23 | & \mid & \lam{\alpha}{\kappa}{c} \mid \ap{c}{c} \mid \into{c} 24 | \mid \out{c}\\ 25 | \kappa & ::= & j \mid \tp \mid \fn{\kappa}{\kappa} \mid \rec{j}{\kappa} 26 | \end{array} 27 | \] 28 | This language features a simple term language but a much richer type 29 | language, here called \emph{constructors}. Constructors allow for 30 | computation which produces types. This is formally captured by two 31 | judgments: $\hasTJ{\Omega}{\Delta}{c}{\kappa}$ and 32 | $\hasTJ{\Omega}{\Delta}{c_1 \equiv c_2}{\kappa}$. The first judgment 33 | specifies that a constructor $c$ has a kind $\kappa$ in a context of 34 | kind variables $\Omega$ and constructor variables $\Delta$. The second 35 | specifies when two constructors are equal. This latter judgment is 36 | related to the actual expressions of the language by the following 37 | rule. 38 | \[ 39 | \inferrule{ 40 | \hasEJ{\Omega}{\Delta}{\Gamma}{e}{\tau_1}\\ 41 | \hasTJ{\Omega}{\Delta}{\tau_1 \equiv \tau_2}{\tp} 42 | }{\hasEJ{\Omega}{\Delta}{\Gamma}{e}{\tau_2}} 43 | \] 44 | The constructor language typing judgments are standard for F$\omega$ 45 | (see \citet{Barendregt:13} for an explanation) except for the 46 | following rules. 47 | \begin{mathparpagebreakable} 48 | \inferrule{ 49 | \hasKJ{\Omega, j}{\kappa} 50 | }{\hasKJ{\Omega}{\rec{j}{\kappa}}}\and 51 | \inferrule{ 52 | \hasTJ{\Omega}{\Delta}{c}{\rec{j}{\kappa}} 53 | }{\hasTJ{\Omega}{\Delta}{\out{c}}{[\rec{j}{\kappa}/j]\kappa}}\and 54 | \inferrule{ 55 | \hasTJ{\Omega}{\Delta}{c}{[\rec{j}{\kappa}/j]\kappa} 56 | }{\hasTJ{\Omega}{\Delta}{\into{c}}{\rec{j}{\kappa}}} 57 | \end{mathparpagebreakable} 58 | The calculus described so far is a version of F$\omega$ with recursive 59 | kinds. This language is quite expressive because recursive kinds allow 60 | for recursive constructor definitions of arbitrary kind through 61 | encoding the Y-combinator at the constructor level.
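As a sketch of this encoding (the names $Y_\kappa$ and $\omega_f$ are ours, introduced only for illustration), self-application becomes kindable at $\rec{j}{\fn{j}{\kappa}}$:
\[
  Y_\kappa \defs \lam{f}{\fn{\kappa}{\kappa}}{\ap{\omega_f}{(\into{\omega_f})}}
  \qquad\text{where}\qquad
  \omega_f \defs \lam{\alpha}{\rec{j}{\fn{j}{\kappa}}}{\ap{f}{(\ap{(\out{\alpha})}{\alpha})}}
\]
with $f$ the variable bound by $Y_\kappa$. Here $\out{\alpha}$ has kind $\fn{(\rec{j}{\fn{j}{\kappa}})}{\kappa}$, so $Y_\kappa$ has kind $\fn{(\fn{\kappa}{\kappa})}{\kappa}$ and, assuming the constructor equality judgment identifies $\out{(\into{c})}$ with $c$, it satisfies $\ap{Y_\kappa}{c} \equiv \ap{c}{(\ap{Y_\kappa}{c})}$.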
It is 62 | exceptionally poorly behaved because recursive kinds allow 63 | for constructors which do not have a weak head normal form. This 64 | forces choices in the language that seem to have no good answers. For 65 | instance, what terms belong to a constructor of kind $\tp$ that has no 66 | weak head normal form? 67 | 68 | There is a technique for potentially approaching a logical relation 69 | for even this language with general recursive types. It draws on two 70 | key ideas, one from Section~\ref{sec:domains} and one from 71 | Section~\ref{sec:smi}. We define a pair of logical relations 72 | $\definitely{-}$ and $\possibly{-}$ as in Section~\ref{sec:smi}. This 73 | logical relation is defined on the \emph{normal forms} of 74 | constructors, however. In order to handle the cases where a term has an 75 | infinite normal form or simply diverges, we actually work with finite 76 | fragments of the B\"ohm tree of a term~\citep{Barendregt:13}. Two terms 77 | are related at a type with an infinite normal form if and only if they 78 | are in all finite approximations of that type. In this case, there is 79 | actually a meaningful difference between $\definitely{-}$ and 80 | $\possibly{-}$: if we reach a node in the B\"ohm tree which indicates 81 | that more information exists but we are not allowed access to it in 82 | this approximation, say ?, $\definitely{?} = \{(\bot, \bot)\}$ while 83 | $\possibly{?} = \term \times \term$. 84 | 85 | This approach for logical relations works in that the logical relation 86 | is well-defined, and if both sides of the birelation $\eta$ are 87 | well-defined, then $\definitely{\tau}_\eta = 88 | \possibly{\tau}_\eta$. The issue is that this fact does not scale to 89 | the general case of $c : \kappa$. In particular, it is not the case that, 90 | for an $\eta = \op{\eta}$, 91 | $\definitely{\lam{\alpha}{\kappa}{c}}_\eta = \possibly{\lam{\alpha}{\kappa}{c}}_\eta$. 92 | The issue is that these must be equal as functions on pairs of 93 | relations $(R_1, R_2)$ and not merely on a single relation $R$. If 94 | $R_1 = R_2$ they are equal but this information is not sufficient to 95 | get the case for $\forall$ to go through in the fundamental 96 | theorem. This failure will be instructive for the coming issue: 97 | $\forall$ is the only case where the higher-kinded constructors factor 98 | into the expression language. This interaction is crucial for 99 | \citet{Pottier:11} so it cannot be ignored, but it will be at the 100 | heart of the failure of the next attempt. 101 | 102 | Instead of considering full recursive kinds, we restrict our attention 103 | to a particular class of them: the class of guarded recursive 104 | kinds. Guarded recursion in general originates with 105 | \citet{Nakano:00}. The idea is to isolate which recursive definitions 106 | are \emph{productive}: productivity is informally the idea that after 107 | a finite number of steps something must be produced. The program need 108 | not compute to a normal form but it should produce some observable 109 | output. The classic example of productivity is a stream: an infinite 110 | stream should never evaluate to a normal form but we would like to be 111 | able to calculate the $n$th element of the stream in finite 112 | time. Productive programming is an extremely natural paradigm for many 113 | programs which are never expected to terminate but still expected to 114 | produce work as they go. 115 | 116 | The question is how to ensure that a definition is productive.
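As a standard illustration (in informal stream notation, not part of the calculus above), compare
\[
  \mathit{ones} \defs \mathsf{cons}(1, \mathit{ones})
  \qquad\text{with}\qquad
  \mathit{bad} \defs \mathsf{tl}(\mathit{bad}).
\]
The first never reaches a normal form but yields its $n$th element after finitely many unfoldings; the second never produces any observable output at all.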
One 117 | line of work is to consider a syntactic condition on programs. This is 118 | used by some proof assistants~\citep{coq} and is simple and 119 | sound. The idea is to check that no recursive calls occur without 120 | being underneath a constructor. In the stream example, for instance, 121 | this means that an element of the stream has to be produced before the 122 | function is entitled to recurse. The issue is that a syntactic check 123 | is too brittle. It does not, for instance, work if a productive 124 | definition has been factored into two different parts since one of 125 | these parts may not be syntactically guarded. It is also ill-suited 126 | for handling higher-order functions where the productivity may rely on 127 | the supplied function being productive. 128 | 129 | A more robust solution is to follow the approach of 130 | \citet{Nakano:00} and equip the type theory with a modality 131 | indicating that something is only available to use ``at a later point 132 | in time''. Then, for instance, in a language with streams the 133 | constructor for a stream would have the type 134 | $\fn{\tau}{\fn{\later \mathrm{Stream}_\tau}{\mathrm{Stream}_\tau}}$ 135 | indicating that it is sufficient to provide the tail of the stream so that 136 | it is only available later. In order to make this modality useful, 137 | $\later$ comes equipped with a number of operations. Two of the basic 138 | ones ensure that $\later$ is an applicative functor: 139 | \begin{align} 140 | \delay{-} &: \fn{\tau}{\later \tau}\label{eqn:guarded:delay}\\ 141 | - \zap - &: \later (\fn{\tau_1}{\tau_2}) \to \fn{\later \tau_1}{\later \tau_2}\label{eqn:guarded:ap} 142 | \end{align} 143 | Finally, $\later$ can be used to construct fixed points. 144 | \begin{align} 145 | \fix{} : \fn{(\fn{\later \tau}{\tau})}{\tau} \label{eqn:guarded:fix} 146 | \end{align} 147 | All of this is extremely similar to the operations available in 148 | $\presheaves{\omega}$. The operations~\ref{eqn:guarded:delay} 149 | and~\ref{eqn:guarded:ap} were facts about the functor $\later$ and 150 | \ref{eqn:guarded:fix} is L\"ob induction. Nakano's work on guarded 151 | recursion provides a syntactic account of this modality. In the 152 | original presentation the operations written above were presented as 153 | subtyping relations in the calculus, rendering them all silent. In more 154 | recent 155 | presentations~\citep{Birkedal:steps:11,Bizjak:16,Birkedal:16,Bahr:17} 156 | these operations are all made explicit again as they are mediated by 157 | nontrivial isomorphisms. For our purposes, we will continue the 158 | subtyping presentation for consistency with \citet{Pottier:11}, which 159 | describes the encoding motivating this construction. 160 | 161 | Guarded recursive kinds are slightly different from guarded recursion 162 | in general because the term language contains divergent and 163 | nonproductive terms. The guarantees provided by guardedness apply only 164 | at the level of constructors where it is the case that all 165 | constructors are productive (have a weak head normal form). In this 166 | sense, the language of guarded recursive kinds can be seen as a 167 | particular simply-typed calculus with guarded recursion and a 168 | distinguished base type $\tp$. The term-formers of this type are the 169 | type-formers of our expression language: $\fn{-}{-}$ and 170 | $\all{\alpha}{\kappa}{-}$. A further distinction between this calculus 171 | and other type theories is that our type formers are all 172 | contractive.
This means that they take arguments available only later 173 | and produce a result available now. In type theories with a universe, 174 | for instance, the operations on the universe are all nonexpansive: 175 | they preserve $\later$s by taking arguments available later and producing 176 | a result later (the inverse of the $- \zap -$ operation would do this 177 | for instance). This extra strength provided by contractiveness is 178 | exactly what allows for the construction of divergent terms in our 179 | language. This would present a soundness issue for a type theory but 180 | from our perspective it is a natural convenience of a programming 181 | language unconcerned with serving as a logic. 182 | 183 | To make this discussion precise, the (selected) rules of our language are the 184 | following. 185 | \begin{mathparpagebreakable} 186 | \declareJudgement{\hasKJ{\Omega}{\kappa}}\\ 187 | \inferrule{ 188 | j \in \Omega 189 | }{\hasKJ{\Omega}{j}} \and 190 | \inferrule{ 191 | \hasKJ{\Omega}{\kappa} \\ 192 | \hasKJ{\Omega}{\kappa'} 193 | }{\hasKJ{\Omega}{\fn{\kappa}{\kappa'}}}\and 194 | \inferrule{ 195 | \hasKJ{\Omega}{\kappa} 196 | }{\hasKJ{\Omega}{\later \kappa}} \and 197 | \inferrule{ } 198 | {\hasKJ{\Omega}{\tp}} \and 199 | \inferrule{ 200 | \hasKJ{\Omega, j : \kind}{\kappa}\\ 201 | \guardJ{j}{\kappa} 202 | }{\hasKJ{\Omega}{\rec{j}{\kappa}}} 203 | \end{mathparpagebreakable} 204 | \begin{mathparpagebreakable} 205 | \declareJudgement{\guardJ{j}{\kappa}}\\ 206 | \inferrule{ 207 | \mbox{$j$ not free in $\kappa$} 208 | }{\guardJ{j}{\kappa}}\and 209 | \inferrule{ 210 | \guardJ{j}{\kappa_1}\\ 211 | \guardJ{j}{\kappa_2} 212 | }{\guardJ{j}{\fn{\kappa_1}{\kappa_2}}} \and 213 | \inferrule{ }{\guardJ{j}{\later \kappa}} \and 214 | \inferrule{ 215 | \guardJ{j}{\kappa} 216 | }{\guardJ{j}{(\rec{j'}{\kappa})}} 217 | \end{mathparpagebreakable} 218 | \begin{mathparpagebreakable} 219 | \declareJudgement{\subKJ{}{\kappa}{\kappa'}}\\ 220 | \inferrule{ 221 | \subKJ{}{\kappa_1'}{\kappa_1} \\ 222 | \subKJ{}{\kappa_2}{\kappa_2'} 223 | }{\subKJ{}{\fn{\kappa_1}{\kappa_2}}{\fn{\kappa_1'}{\kappa_2'}}} \and 224 | \inferrule{ 225 | \subKJ{}{\kappa}{\kappa'} 226 | }{\subKJ{}{\later \kappa}{\later \kappa'}} \and 227 | \inferrule{ 228 | }{\subKJ{}{\kappa}{\later \kappa}} \and 229 | \inferrule{ 230 | }{\subKJ{}{\later (\fn{\kappa}{\kappa'})}{\fn{\later \kappa}{\later \kappa'}}} \and 231 | \inferrule{ 232 | }{\subKJ{}{\fn{\later \kappa}{\later \kappa'}}{\later (\fn{\kappa}{\kappa'})}} 233 | \end{mathparpagebreakable} 234 | \begin{mathparpagebreakable} 235 | \declareJudgement{\hasTJ{}{\Delta}{c}{\kappa} \qquad \hasEJ{}{\Delta}{\Gamma}{e}{\tau}}\\ 236 | \inferrule{ 237 | \hasTJ{}{\Delta}{\tau_1}{\later \tp}\\ 238 | \hasTJ{}{\Delta}{\tau_2}{\later \tp} 239 | }{\hasTJ{}{\Delta}{\fn{\tau_1}{\tau_2}}{\tp}}\and 240 | \inferrule{ 241 | \hasTJ{}{\Delta, \alpha : \kappa}{\tau}{\later \tp} 242 | }{\hasTJ{}{\Delta}{\all{\alpha}{\kappa}{\tau}}{\tp}} 243 | \and 244 | \inferrule{ 245 | \hasTJ{}{\Delta}{\tau}{\later^n\,\tp} \\ 246 | \hasEJ{}{\Delta}{\Gamma, x : \tau}{e}{\tau'} 247 | }{\hasEJ{}{\Delta}{\Gamma}{\lam{x}{\tau}{e}}{\fn{\tau}{\tau'}}} 248 | \and 249 | \inferrule{ 250 | \hasEJ{}{\Delta}{\Gamma}{e}{\forall \alpha : \kappa . 
\tau}\\ 251 | \hasTJ{}{\Delta}{c}{\later^n \kappa} 252 | }{\hasEJ{}{\Delta}{\Gamma}{\Ap{e}{c}}{[c / \alpha] \tau}} 253 | \end{mathparpagebreakable} 254 | Turning now to the question of how to construct a logical relation for 255 | this language, there are two questions to be answered: 256 | \begin{enumerate} 257 | \item We want to interpret kinds as objects of a category. Which 258 | category should be used? 259 | \item Pairs of related terms should then be points of this object. 260 | What does it mean to be a point of $\den{\tp}$? 261 | \end{enumerate} 262 | This two-layer approach is typical of a logical relation for languages 263 | with a rich kind structure. We need to interpret kinds as some sort of 264 | semantic object so that $\den{\tp}$ is the collection of semantic 265 | types needed for the logical relation. Traditionally, the literature 266 | around logical relations for higher-kinded languages has been 267 | concerned with notions of parametricity at higher 268 | kind~\citep{Hasegawa:94,Robinson:94,Dunphy:04,Vytiniotis:10,Atkey:12}, 269 | which extends the object-relational interpretation of 270 | Reynolds~\citep{Reynolds:83} to include natural 271 | notions of candidates at higher kind. These candidates include more 272 | complex conditions that also necessitate the use of semantic tools to 273 | handle, but that is not the goal of our work. In particular, 274 | parametricity arguments will only be interesting for type variables of 275 | kind $\tp$. At all other kinds the candidates are not relations 276 | between semantic types but rather just semantic types. For instance, 277 | the interpretation of a constructor function of kind $\fn{\tp}{\tp}$ 278 | is a map between relations, not a relation between maps of semantic 279 | types. 280 | 281 | This is an undesirable simplification for a general purpose logical 282 | relation but the only motivation for constructing this logical 283 | relation is to study the semantics of guarded recursive kinds and 284 | their impact on the definition. The technical complications introduced 285 | by studying reflexive graphs would be wasted when we plan to move to a 286 | setting with only $\tp$ and Kripke worlds. It is not clear what it 287 | would mean to consider a model where Kripke worlds were subject to a 288 | relational interpretation as well. Such work is latent in work like 289 | \citet{Dreyer:10} where the Kripke world is more relational to allow 290 | for relations between heaps that are not merely point-wise. 291 | 292 | Now the answer to these questions is given by the earlier remark that 293 | our language is the guarded simply-typed lambda calculus with guarded 294 | recursive types and a strange base type. Models of this language are 295 | readily available in $\presheaves{\omega}$~\citep{Birkedal:guarded:10,Birkedal:steps:11} and we 296 | make use of these. 297 | 298 | Specifically, we interpret kinds as a functor from 299 | environments to presheaves, as follows. These environments are mixed-variance. 300 | They send a kind variable to two distinct presheaves, one 301 | used covariantly and one contravariantly. Let us signify these 302 | environments by $\theta$ (to distinguish them from the 303 | environment used by the interpretation of constructors) and write 304 | $\op{\theta}$ for the operation exchanging all the components of 305 | $\theta$. Finally, by convention let $\theta(j)$ project out the 306 | presheaf being used covariantly.
307 | \begin{align*} 308 | \den{j}_\theta &= \theta(j)\\ 309 | \den{\later \kappa}_\theta &= \later \den{\kappa}_\theta\\ 310 | \den{\fn{\kappa_1}{\kappa_2}}_\theta &= \den{\kappa_2}_\theta^{\den{\kappa_1}_{\op{\theta}}}\\ 311 | \den{\rec{j}{\kappa}}_\theta &= \fix((P_1, P_2) \mapsto \den{\kappa}_{\theta[j \mapsto (P_1, P_2)]})\\ 312 | \den{\tp}_\theta &= \semtypes\\ 313 | \end{align*} 314 | It is straightforward to show that this defines a functor. The 315 | only exceptional fact is that it is necessary to show that taking a 316 | fixed point of some arguments of a mixed-variance functor results in a 317 | functor in the remaining arguments. This is proven in Section 7 of 318 | \citet{Birkedal:steps:11} for instance. 319 | 320 | The interesting part of this definition is the interpretation of 321 | $\tp$ as $\semtypes$. The other clauses are simply induced by the 322 | logical meaning of the connectives. Interpreting $\to$ as the 323 | exponential, for instance, induces a canonical interpretation of 324 | $\lam{\alpha}{\kappa}{c}$ and $\ap{c_1}{c_2}$. 325 | 326 | The space of semantic types is where we make crucial use of syntactic 327 | minimal invariance. First, we need to define a class of relations 328 | appropriate for semantic types. 329 | \begin{defn}\label{def:guarded:urel} 330 | A uniform relation is a subset 331 | $R \subseteq \term_{\tau_1} \times \term_{\tau_2}$ for some $\tau_1$ 332 | and $\tau_2$ so that the following hold. 333 | \begin{itemize} 334 | \item $R$ is closed on both sides under contextual equivalence. 335 | \item $R$ is admissible and in particular contains limits of all 336 | $\pi$-chains. 337 | \item If $(e_1, e_2) \in R$ then for all $n$, 338 | $(\ap{\pi_{\tau_1}^n}{e_1}, \ap{\pi_{\tau_2}^n}{e_2}) \in R$. 339 | \end{itemize} 340 | The set of uniform relations is denoted $\urel$. 341 | \end{defn} 342 | Uniform relations are a natural setting for our logical relation since 343 | the assumptions imposed on them are quite natural for anything to be 344 | called a semantic type. Items 1 and 3 require that we respect 345 | observation, and item 2 is a technically necessary and quite 346 | reasonable assumption. The definition of projection in this language 347 | is identical to what it was for the System F-like language considered 348 | previously, with the slight proviso that instead of 349 | $\pi_{\alpha}^{n + 1} = \lam{x}{\alpha}{x}$ we must generalize it to 350 | $\pi_{K[\alpha]}^{n + 1} = \lam{x}{K[\alpha]}{x}$ so that any 351 | \emph{neutral type} is impossible to truncate. This definition is 352 | forced; there are no other reasonable moves to make at higher kind 353 | since without knowing anything about $\alpha$ no information can be 354 | deduced about $K[\alpha]$. 355 | 356 | The presheaf structure on uniform relations is an instance of a more 357 | general and well-known embedding of complete 1-bounded ultrametric 358 | spaces into $\presheaves{\omega}$ described for instance in \citet{Birkedal:steps:11}: 359 | \[ 360 | \semtypes(n) = \urel / {\equiv_n} 361 | \] 362 | The equivalence relation at $n$ is defined to equate uniform relations 363 | which agree on $n$ truncations. Formally, this is expressed as 364 | follows.
365 | \begin{align*} 366 | R \equiv_n &S =\\ 367 | &(\forall (e_1, e_2) \in R.\ (\ap{\pi^n_{\tau_1}}{e_1}, \ap{\pi^n_{\tau_2}}{e_2}) \in S) \land {}\\ 368 | &(\forall (e_1, e_2) \in S.\ (\ap{\pi^n_{\tau_1}}{e_1}, \ap{\pi^n_{\tau_2}}{e_2}) \in R) 369 | \end{align*} 370 | Restriction maps simply send equivalence classes of uniform relations 371 | to even coarser equivalence classes of uniform relations. 372 | 373 | This definition implies that a global point, $h : 1 \to \semtypes$, 374 | is in precise correspondence with a particular uniform relation. It picks 375 | out a family of equivalence classes so that each is increasingly fine: 376 | $h(0)(\star) \supseteq h(1)(\star) \supseteq ... \supseteq h(n)(\star)$. 377 | Syntactic minimal invariance and closure of uniform relations under $\pi$-chains 378 | tell us that if two uniform relations are equated by $\equiv_n$ for 379 | all $n$ then they are equal on the nose. This means that there can be 380 | at most one uniform relation in all the equivalence classes selected 381 | by $h$ and $h$ is uniquely induced by the uniform relation. This 382 | result is in fact a corollary of the fact that the aforementioned 383 | embedding preserves finite limits. 384 | 385 | Now the logical relation (the constructor interpretation) is really a 386 | standard interpretation of the simply-typed lambda calculus with a 387 | base type of relations. It is defined as follows. 388 | {\allowdisplaybreaks 389 | \begin{align*} 390 | \den{\alpha}_\eta(n) &= \eta(\alpha)(n)\\ 391 | \den{\lam{\alpha}{\kappa}{c}}_\eta(n) &= (\star, S) \mapsto \den{c}_{\eta[\alpha \mapsto S]}(n)\\ 392 | \den{\ap{c_1}{c_2}}_\eta(n) &= \den{c_1}_\eta(n)(\star)(\den{c_2}_\eta(n))\\ 393 | \den{\out{c}}_\eta(n) &= \mathsf{out}_n(\den{c}_\eta(n))\\ 394 | \den{\into{c}}_\eta(n) &= \mathsf{in}_n(\den{c}_\eta(n))\\ 395 | \den{\fn{\tau_1}{\tau_2}}_\eta(n) &=\\ 396 | \{(e_1, e_2) \mid&\ e_1 \Downarrow \iff {e_2 \Downarrow} \AND \\ 397 | & \forall (a_1, a_2) \in \den{\tau_1}_\eta(n). \ (\ap{e_1}{a_1}, \ap{e_2}{a_2}) \in \den{\tau_2}_\eta\}\\ 398 | \den{\all{\alpha}{\kappa}{\tau}}_\eta(n) &=\\ 399 | \{(e_1, e_2) \mid&\ e_1 \Downarrow \iff {e_2 \Downarrow} \AND\\ 400 | &\forall c_1, c_2 : \kappa,\ S \in \den{\kappa}. 401 | \ (\Ap{e_1}{c_1}, \Ap{e_2}{c_2}) \in \den{\tau}_{\eta[\alpha \mapsto S]}\} 402 | \end{align*} 403 | } 404 | In this definition we are using $\mathsf{out}$ and $\mathsf{in}$ as 405 | the isomorphisms mediating a recursive type and its unfolding. There 406 | is a technical issue with this presentation: it properly should be 407 | done on \emph{derivations} of terms and a coherence theorem must be 408 | proven. This is because while it is the case that if 409 | $\kappa_1 \le \kappa_2$ then there is a canonical 410 | $i : \den{\kappa_1} \mono \den{\kappa_2}$, it is not the case that $i$ 411 | is an identity. This means that when the subtyping rule is applied in 412 | a derivation the resulting semantic object must be adjusted 413 | explicitly. This issue is obviated when working in ultrametric 414 | spaces because the subtyping coercions are simply identities 415 | there. This technical detail is not relevant to the issue with this 416 | approach and thus we have suppressed it. 417 | 418 | The extra applications of $n$ and $\star$ are a result of the fact that 419 | the interpretation is a natural transformation from $\den{\Delta}$, 420 | here written $\eta$, to $\den{\kappa}$. This is defined by an indexed 421 | family of functions, which is what has been done here.
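Spelled out (a routine unfolding of the naturality requirement in this notation), for all $n \le m$ and every $\eta \in \den{\Delta}(m)$ we need
\[
  \den{\kappa}(n \le m)\big(\den{c}_\eta(m)\big) = \den{c}_{\den{\Delta}(n \le m)(\eta)}(n)
\]
where $\den{\kappa}(n \le m)$ and $\den{\Delta}(n \le m)$ denote the restriction maps of the respective presheaves.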
Additionally, 422 | since constructor functions are exponentials in the category at stage 423 | $n$ they are natural transformations 424 | $\yoneda(n) \times \den{\kappa_1}_\eta \to \den{\kappa_2}_\eta$ so we 425 | must apply them to an element of $\yoneda(n)(n) = \{\star\}$ in 426 | addition to the actual argument. 427 | 428 | The issue arises from the fact that this must be made well-typed and 429 | natural. These two requirements are inexorably tied together by the 430 | interpretation of $\lambda$ which is only a valid natural 431 | transformation if $\den{c}$ is natural in $\eta$. It is unfortunately 432 | the case that these properties fail to hold for the definition of 433 | $\den{\all{\alpha}{\kappa}{\tau}}$. In this case, being well-typed 434 | implies that at each $n$, for every pair $\eta$, $\eta'$ which are 435 | equal at stage $n$, it must be that 436 | $\den{\all{\alpha}{\kappa}{\tau}}_\eta \equiv_n \den{\all{\alpha}{\kappa}{\tau}}_{\eta'}$. 437 | Importantly, equality at stage $n$ is \emph{not} necessarily just 438 | pointwise equality because two semantic types are equal at stage $n$ 439 | if they are related by $\equiv_n$. This essentially is a statement 440 | that $\den{\all{\alpha}{\kappa}{\tau}}$ is functional with respect to 441 | $\equiv_n$ and this is simply false. 442 | 443 | As a counterexample, consider the following instance of $\tau$. 444 | \[ 445 | \tau = \fn{\ap{\alpha}{\beta}}{\ap{\alpha}{\gamma}} 446 | \] 447 | For convenience, let us denote 448 | $\all{\alpha}{\fn{\tp}{\tp}}{\fn{\ap{\alpha}{\beta}}{\ap{\alpha}{\gamma}}}$ 449 | as $\tau'$. In this case we must show that 450 | $\den{\tau'}_\eta \equiv_n \den{\tau'}_{\eta'}$ provided that 451 | $\eta(\beta) \equiv_n \eta'(\beta)$ and 452 | $\eta(\gamma) \equiv_n \eta'(\gamma)$. Let us suppose that 453 | $\eta(\beta)$ is a uniform relation $R \subseteq \tau_a \times \tau_a$ 454 | and $\eta'(\beta)$ is $S \subseteq \tau_a \times \tau_a$ and both 455 | $\eta(\gamma)$ and $\eta'(\gamma)$ are $R$. Assume that $R \neq S$ while still $R \equiv_n S$. If 456 | such $R$ and $S$ cannot be constructed then $\urel$ is trivial and 457 | our logical relation is degenerate. 458 | 459 | We are required to show that $\pi^n$ transports from 460 | $\den{\tau'}_\eta(n)$ to $\den{\tau'}_{\eta'}(n)$ and back again. Proving 461 | the first part of this means showing that if 462 | $(e_1, e_2) \in \den{\tau'}_\eta(n)$ then the following holds. 463 | \[ 464 | (\ap{\pi^n_{[\tau_a/\beta]\tau'}}{e_1}, \ap{\pi^n_{[\tau_a/\beta]\tau'}}{e_2}) 465 | \in \den{\tau'}_{\eta'}(n) 466 | \] 467 | However, if $n > 2$ and $e_1$ and $e_2$ do not diverge, then this is 468 | equivalent to showing the following. 469 | \[ 470 | (\Lam{\alpha}{\fn{\tp}{\tp}}{\Ap{e_1}{\alpha}}, \Lam{\alpha}{\fn{\tp}{\tp}}{\Ap{e_2}{\alpha}}) 471 | \in \den{\tau'}_{\eta'}(n) 472 | \] 473 | Since $\den{\tau'}_{\eta'}(n)$ is a uniform 474 | relation, this can be simplified further to just the following. 475 | \[ 476 | (e_1, e_2) \in \den{\tau'}_{\eta'}(n) 477 | \] 478 | Which is to say, if $\eta$ and $\eta'$ 479 | are only related by $\equiv_n$, we are required to show that 480 | $\den{\tau'}_{\eta}$ and $\den{\tau'}_{\eta'}$ coincide. However, it is not 481 | hard to show that the following two facts are true.
482 | \[ 483 | (\Lam{\alpha}{\fn{\tp}{\tp}}{\lam{x}{\ap{\alpha}{\tau_a}}{x}}, 484 | \Lam{\alpha}{\fn{\tp}{\tp}}{\lam{x}{\ap{\alpha}{\tau_a}}{x}}) 485 | \in \den{\tau'}_\eta 486 | \] 487 | \[ 488 | (\Lam{\alpha}{\fn{\tp}{\tp}}{\lam{x}{\ap{\alpha}{\tau_a}}{x}}, 489 | \Lam{\alpha}{\fn{\tp}{\tp}}{\lam{x}{\ap{\alpha}{\tau_a}}{x}}) 490 | \not\in \den{\tau'}_{\eta'} 491 | \] 492 | This means that $\den{-}$ is not type-correct and not a well-formed 493 | definition. At the root of the issue is the fact that syntactic 494 | minimal invariance does not seem to scale to higher kinds without some 495 | fundamentally new idea. Without something akin to a type-casing 496 | operation it does not seem possible to define a correct version of 497 | $\pi$ at neutral types. It really seems that it must proceed by 498 | induction on the variable the neutral constructor is stuck on. This 499 | issue does not arise in domain theory because in this setting 500 | projections are untyped and case on the structure of the element of 501 | the domain, not the ``type'' that this element may later be shown to 502 | inhabit. 503 | 504 | Any cure for this issue seems worse than the illness. Adding type-case, 505 | for instance, allows us to define a correct projection but 506 | it destroys the parametricity of the system. One could consider a 507 | system like LX~\citep{Crary:99} and define projection with respect to 508 | the reification of a type. This solves the issue for all the 509 | types that we have reifications of, but there is a diagonalization 510 | issue here: codes are needed for every single constructor but the 511 | codes themselves are constructors. 512 | 513 | Finally, as mentioned previously, $\urel$ is inadequate for 514 | representation independence results. Since we have required that 515 | uniform relations are closed under truncations, any uniform relation 516 | between different types will relate divergent terms on one side to 517 | nondivergent terms on the other. This complicates using this 518 | technique to construct a logical relation for state. Essentially, we 519 | have removed the explicit need for $\trunc_i$ but all proofs must 520 | act as though $\trunc_i$ is still in the language. Altogether, this 521 | means that even fixing this particular logical relation is likely 522 | inadequate for our purposes. 523 | 524 | %%% Local Variables: 525 | %%% mode: latex 526 | %%% TeX-master: "../main" 527 | %%% End: 528 | -------------------------------------------------------------------------------- /secs/handedness.tex: -------------------------------------------------------------------------------- 1 | \section{Understanding State through (Syntactic) Minimal Invariance}\label{sec:smi} 2 | 3 | Now that domains are seen to be unhelpful, there is some question 4 | about where to turn next. There are not many well-studied 5 | algebraically complete categories~\citep{Freyd:70} which support 6 | interesting denotational semantics. The semantic structures for 7 | step-indexing that support solving recursive domain equations require 8 | more than continuity or approximation. They require a notion of 9 | closeness for two semantic types. In $\presheaves{\omega}$ for 10 | instance, there was a natural notion of when two points 11 | $p, q : 1 \to P$ were close by checking at what stage they became 12 | equal, e.g., when $p_n = q_n : \{\star\} \to P$. 13 | 14 | Crucially, in order for this to make sense for semantic types every 15 | equality was judged relative to a step.
Two semantic types are equal 16 | at $n$ if they agree on equalities that hold at stage $n$ or earlier, 17 | e.g., equalities which hold if the two sides are only allowed to run for 18 | $n$ steps. Without step-indexing, what could this be replaced by? 19 | 20 | The answer is suggested by an idea in domain theory to resolve a 21 | seemingly unrelated problem. The observant reader may have noticed 22 | that there is a crucial strengthening that 23 | Theorem~\ref{thm:steps:fixed-points} provides over 24 | Theorem~\ref{thm:domains:fixed-points}: the former provides unique 25 | solutions. In fact, there may be many nonisomorphic domains satisfying 26 | a given equation. This state of affairs can prove troublesome for 27 | semantics in domains because it means that not all the properties of 28 | the domain are determined by the equation. There may be ``exotic'' 29 | elements which are not required to satisfy the domain equation but are 30 | nevertheless present, which impedes reasoning about recursive domain 31 | equations by induction or similar. \citet{Pitts:96} proposes a 32 | solution to this by imposing an additional requirement on the solution 33 | to a domain equation: minimal invariance. 34 | 35 | Minimal invariance is the statement that given a $D$ so 36 | that $D \cong F(D, D)$, the following equation holds. 37 | \[ 38 | \join_i \pi_i = 1 39 | \] 40 | The family of functions $\pi_i$ is determined by induction on $i$. 41 | \begin{align*} 42 | \pi_i &: D \to D\\ 43 | \pi_0 &\defs \bot\\ 44 | \pi_{i + 1} &\defs F(\pi_i, \pi_i) 45 | \end{align*} 46 | The intuition behind this definition is that if $(\pi_i)_i$ converges to 47 | $1$ then every element in $D$ must have arisen as the limit of 48 | elements computed by the inclusion $F^n(\bot, \bot) \to D$ which can 49 | be viewed as a semantic requirement that elements of $D$ are 50 | finite\footnote{Or rather, determined as the limits of ``finite'' 51 | elements. This is not to be confused here with \emph{compact} elements and 52 | algebraic domains which share a similar intuition but require 53 | technically different properties since there is no reason to assume 54 | that $F$ preserves algebraicness.}. It is not difficult to prove that 55 | if $D \cong F(D, D)$ and $E \cong F(E, E)$ with $D$ and $E$ both being 56 | minimally invariant then $E \cong D$ and the standard $D_\infty$ 57 | construction produces a minimally invariant domain. Therefore, domain 58 | equations have a unique minimally invariant solution and these satisfy 59 | a form of induction. 60 | 61 | An interesting observation made originally by 62 | \citet{Birkedal:99} and extended by 63 | \citet{Crary:07} is that for the class of domains arising 64 | naturally in semantics (so-called ``universal domains'') the 65 | projection functions, $\pi_i$, are computable 66 | syntactically. Additionally, since contextual equivalence can be 67 | generalized to contextual approximation in a natural way, minimal 68 | invariance can be stated as a syntactic property of the programming 69 | language itself. In this setting, projections are naturally 70 | type-indexed and this is denoted $\pi_\tau^i : \fn{\tau}{\tau}$. The 71 | definition of $\pi_\tau^i$ behaves almost as an $\eta$-expansion where 72 | after $i$ $\eta$-expansions the function diverges.
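For instance, unfolding the clauses given later in this section at a function type (a small worked example, not a new definition) gives
\begin{align*}
  \ap{\pi_{\fn{\tau_1}{\tau_2}}^{1}}{f} &\cong \lam{x}{\tau_1}{\ap{\pi_{\tau_2}^0}{(\ap{f}{(\ap{\pi_{\tau_1}^0}{x})})}} \cong \lam{x}{\tau_1}{\bot}\\
  \ap{\pi_{\fn{\tau_1}{\tau_2}}^{2}}{f} &\cong \lam{x}{\tau_1}{\ap{\pi_{\tau_2}^1}{(\ap{f}{(\ap{\pi_{\tau_1}^1}{x})})}}
\end{align*}
so the first level already diverges on every argument, while the second genuinely $\eta$-expands $f$ once before truncating its argument and result.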
73 | 74 | \begin{defn}\label{def:smi:contextual-approximation} 75 | Two terms $\hasESigJ{\Delta}{\Gamma}{\Sigma}{e_1, e_2}{\tau}$ are 76 | said to be contextually approximate at type $\tau$, written 77 | $\approxESigJ{\Delta}{\Gamma}{\Sigma}{e_1}{e_2}{\tau}$, if for all 78 | contexts 79 | $\hasCEJ{\Delta}{\Gamma}{\Sigma}{\tau}{C}{\cdot}{\cdot}{\Sigma'}{\cmd{\tau'}}$, 80 | $\steps{C[e_1]}{\cmd{m_1}}$ and $\steps{C[e_2]}{\cmd{m_2}}$, and 81 | for any heap $h : \Sigma$ we have 82 | $(m_1, h) \Downarrow \implies (m_2, h) \Downarrow$. 83 | \end{defn} 84 | We will adopt the traditional abuse of abandoning the context 85 | annotations and just writing $e_1 \cless e_2$ when the contexts and 86 | $\tau$ are obvious. 87 | \begin{defn}\label{def:smi:contextual-limits} 88 | A family of terms $(e_i)_{i \in I}$ is said to have a limit $e$ if 89 | $e_i \cless e$ for all $i \in I$ and $e$ is the smallest element 90 | with this property. 91 | \end{defn} 92 | Since limits are only unique up to contextual equivalence, it is not 93 | necessarily well defined to write $\join_i e_i$ as if it were a term 94 | rather than an equivalence class of terms. We will instead often make 95 | use of the notation $\join_i e_i = e$ to signify that $e$ belongs to 96 | this equivalence class. The syntactic version of minimal 97 | invariance can now be precisely stated. 98 | \begin{thm}\label{thm:smi:smi} 99 | For all $\hasTJ{}{\Gamma}{\tau}{\tp}$ and $e : \tau$, 100 | $\join_i \ap{\pi_\tau^i}{e} = e$. 101 | \end{thm} 102 | The idea behind using syntactic minimal invariance is that instead of 103 | defining a single logical relation $\den{-}_{-}$, a pair of logical 104 | relations is defined: $\definitely{-}_{-}$ and 105 | $\possibly{-}_{-}$ (pronounced ``definitely'' and ``possibly''). The 106 | definitions of these two logical relations are mutually recursive and 107 | provide a decomposition of the logical relation into two monotone 108 | halves. The idea is that one should think of 109 | $\definitely{\tau}_{\eta}$ as containing equalities that are certainly 110 | true, though it does not contain all of them. On the other hand, 111 | $\possibly{\tau}_\eta$ contains all equalities that are true as well 112 | as a few that might not be. This suggests a natural relationship 113 | between these two sets where 114 | $\definitely{\tau}_\eta \subseteq \possibly{\tau}_\eta$. The crucial 115 | move that syntactic minimal invariance provides is to show the 116 | following. 117 | \[ 118 | \forall i.\ (e_1, e_2) \in \definitely{\tau}_\eta \implies 119 | (\ap{\pi_\tau^i}{e_1}, \ap{\pi_\tau^i}{e_2}) \in \possibly{\tau}_\eta 120 | \] 121 | Then, by showing the comparatively easy lemma that 122 | $\possibly{\tau}_\eta$ is always closed under limits when $\eta$ is, it 123 | immediately follows that 124 | $\definitely{\tau}_\eta = \possibly{\tau}_\eta$. This maneuver is 125 | useful because these two definitions are naturally monotone. 126 | It is then easy to express a natural definition of recursive types, as is 127 | done in \citet{Crary:07} for instance. The only complication 128 | is that environments must generalize from relations to birelations, a 129 | map to a pair of relations rather than a map to a single 130 | relation. Define $\op{\eta}$ to be the environment mapping $\alpha$ to 131 | the relations $\eta(\alpha)$ with the components swapped.
The crucial 132 | insight is that when the variance in the definition of the logical 133 | relation swaps, we switch from $\definitely{-}$ to $\possibly{-}$ and 134 | vice-versa, for instance: 135 | \begin{align*} 136 | \definitely{\fn{\tau_1}{\tau_2}}_\eta &= 137 | \{(e_1, e_2) \mid \forall (a_1, a_2) \in \possibly{\tau_1}_\eta. 138 | \ (\ap{e_1}{a_1}, \ap{e_2}{a_2}) \in \definitely{\tau_2}_\eta\} 139 | \end{align*} 140 | This approach seems to naturally fit recursive types and one might 141 | wonder then if it can be scaled to support state just as step-indexing 142 | does. 143 | 144 | The key insight is that while the distinction of 145 | $\definitely{-}$/$\possibly{-}$ is not useful here, projection functions 146 | give us a notion akin to step-indexing. We can say that two semantic 147 | types are equal at stage $i$ if they are equal upon truncating all the 148 | programs in the equalities by $\pi^i$. In order to define $\pi_\tau^i$ 149 | we need a divergent term at the level of expressions; this can be easily 150 | accomplished by adding fixed points or just adding a formal term 151 | $\bot$ so that $\step{\bot}{\bot}$. 152 | \begin{align*} 153 | \pi_\tau^0 &= \lam{x}{\tau}{\bot}\\ 154 | \pi_{\fn{\tau_1}{\tau_2}}^{i + 1} &= 155 | \lam{f}{\fn{\tau_1}{\tau_2}}{\lam{x}{\tau_1}{\ap{\pi_{\tau_2}^i}{(\ap{f}{(\ap{\pi_{\tau_1}^i}{x})})}}}\\ 156 | \pi_{\allNoKind{\alpha}{\tau}}^{i + 1} &= 157 | \lam{f}{\allNoKind{\alpha}{\tau}}{\LamNoKind{\alpha}{\ap{\pi_\tau^i}{(\Ap{f}{\alpha})}}}\\ 158 | \pi_{\cmd{\tau}}^{i + 1} &= 159 | \lam{x}{\cmd{\tau}}{\cmd{\bnd{x'}{x}{\ret{\ap{\pi_\tau^i}{x'}}}}} 160 | \end{align*} 161 | This approach, while effective for recursive types, is not quite what 162 | is needed to handle state. After all, the issue in 163 | Section~\ref{sec:steps} was not the definition of 164 | $\den{\cmd{\tau}}_\eta(w)$. The issue was the construction of the 165 | set in which $w$ lives. On the other hand, the projections themselves 166 | are interesting: they provide a way to construct an indexing of 167 | semantic types without actually counting steps. This approach was 168 | explored in \citet{Birkedal:domain:10} and successfully used to 169 | construct a logical relation for a similar language. This work, 170 | however, made use of the normal domain theoretic projections rather 171 | than their syntactic counterparts. The question of producing a logical 172 | relation for our language is then reduced to the question of producing 173 | a syntactic account of \citet{Birkedal:domain:10}. 174 | 175 | In this account, monadic computations are represented by 176 | store-passing. 177 | \begin{align*} 178 | \states &= \assignables \pto D\\ 179 | D &\cong (D \to D) \oplus (D \times D) \oplus ... \oplus \states \to (\states \times D) 180 | \end{align*} 181 | Projections, $\pi^i$, work by casing on which branch of the domain 182 | equation the argument is in and proceeding accordingly. This is 183 | analogous to how with syntactic minimal invariance the projection 184 | function is split according to the type of the argument. Most of the 185 | clauses are standard, with the interesting one being the last one for 186 | commands. Denote the injection of $\states \to (\states \times D)$ 187 | into $D$ by $\cmd{-}$. Then $\pi^{i + 1}$ on this satisfies the 188 | following formula. 189 | \begin{align*} 190 | \pi^{i + 1}(\cmd{f}) &= 191 | \cmd{\lambda s.
(\trunc^i(\pi_1 f(s)), \pi^i(\pi_2 f(s)))}\\ 192 | \trunc^i(s) &= \pi^i \circ s 193 | \end{align*} 194 | In words: truncation on a command runs the command, point-wise 195 | truncates the resulting heap, and then truncates the return value as 196 | well. 197 | 198 | In order to implement this syntactically, there's an issue. How can this 199 | be replicated in a setting where accessing the whole heap 200 | is forbidden? In fact, this cannot be implemented as is. This presents 201 | a serious issue in scaling up syntactic minimal invariance and there 202 | is no clear solution. 203 | 204 | If, for instance, a new command $\trunc_i \div \mathrm{unit}$ is 205 | added to the language, it is possible to express the projections. With 206 | the other definitions left unchanged, the new case, 207 | $\pi_{\cmd{\tau}}^{i + 1}$, is as follows. 208 | \begin{align*} 209 | \lam{c}{\cmd{\tau}} 210 | {\cmd{& \bnd{\_}{\cmd{\trunc_i}}{\\ 211 | & \bnd{x}{c}{\\ 212 | & \bnd{\_}{\cmd{\trunc_i}}{\\ 213 | & \ret{\ap{\pi_\tau^i}{x}}}}}}} 214 | \end{align*} 215 | If this is added then Theorem~\ref{thm:smi:smi} holds when we add the 216 | following rule for evaluating $\trunc^i$. 217 | \begin{mathpar} 218 | \inferrule{ 219 | }{\stepsM{\trunc^0}{h}{\trunc^0}{h}}\and 220 | \inferrule{ 221 | \forall \alpha \in \dom(h).\ h'(\alpha) = \ap{\pi_\tau^i}{(h(\alpha))} 222 | }{\stepsM{\trunc^{i + 1}}{h}{\ret{()}}{h'}} 223 | \end{mathpar} 224 | It is worth noting the strangeness of the last rule which morally 225 | ``truncates the full heap''. This strangeness is twofold. It bakes 226 | the $\pi_\tau$ functions into the very operational semantics despite 227 | them just being chunks of user-defined code. It also requires that the 228 | heap be in some way typed so that when projecting at some particular 229 | cell it is possible to determine the type to truncate at. 230 | 231 | Beyond the strangeness of the rule, however, it works. A logical 232 | relation can be defined using Kripke worlds which index semantic types 233 | by truncation. This is problematic, however, because it changes the 234 | notion of contextual equivalence. By adding new constructs to the 235 | language new contexts are added and this impacts contextual 236 | equivalence. In this extended language, programs that ought to be 237 | equal are no longer. For instance, the following program should be 238 | equivalent to $\cmd{\ret{\cmd{\ret{\lam{x}{\tau}{x}}}}}$ but is not. 239 | \begin{align*} 240 | \cmd{& \dcl{\alpha}{\lam{x}{\tau}{x}}{\\ 241 | & \ret{\cmd{\get{\alpha}}}}} 242 | \end{align*} 243 | The issue is that another part of the program could truncate the heap, 244 | replacing $\lam{x}{\tau}{x}$ with a truncation of itself. This 245 | truncation would diverge strictly more than the original and thus the 246 | second piece of code only contextually approximates the first. This 247 | weakening is discussed more in work subsequent to 248 | \citet{Birkedal:domain:10}, for instance in 249 | \citet{Birkedal:adts:12}. In our case, however, this restriction is 250 | damaging. It makes it impossible to prove any information-hiding 251 | results using our logical relation and this makes it difficult to 252 | prove that certain effects are benign. 253 | 254 | This puts a stop to naively extending syntactic minimal invariance to 255 | our language with state. Instead, a better approach seems to be to 256 | isolate a more type-theoretic characterization of the difficulty of a 257 | logical relation for state.
258 | 259 | %%% Local Variables: 260 | %%% mode: latex 261 | %%% TeX-master: "../main" 262 | %%% End: 263 | -------------------------------------------------------------------------------- /secs/introduction.tex: -------------------------------------------------------------------------------- 1 | \section{Introduction}\label{sec:introduction} 2 | 3 | In the study of programming languages a great number of important 4 | questions hinge on the equality of programs. 5 | \begin{itemize} 6 | \item The verification of a compiler pass is nothing but a 7 | question of equality of the naive program and its optimized 8 | version. 9 | \item An optimized data structure may be shown to be correct relative to a 10 | much simpler reference solution. 11 | \item Much of the research in dependent type theory centers around 12 | what terms should be judged equal. 13 | \end{itemize} 14 | Given the role that equality plays in programming languages it is 15 | unsurprising that a great variety of mathematical tools have been 16 | developed to study it. 17 | 18 | Before anything can be said about tools for analyzing equality, 19 | however, a precise characterization of equality must be given. There 20 | are many reasonable notions of equality between programs and all of 21 | them are suitable for different circumstances. For instance, one can 22 | compare programs up to renaming of variables, $\alpha$-equivalence, in 23 | compilers and other applications where it is important that no 24 | information is lost. In type-checkers for dependently typed languages, 25 | it is natural to be more flexible and regard programs as the same if 26 | they share a normal form, some sort of $\beta$-equivalence at 27 | least. Here we are interested in studying program behavior 28 | and verifying properties about it so an even more relaxed notion of 29 | equality is called for: \emph{contextual equivalence}. 30 | 31 | Contextual equivalence is formally defined later (see 32 | Definition~\ref{def:language:cxt}) but informally contextual 33 | equivalence of two programs, $e_1 \cong e_2$, expresses that $e_1$ and 34 | $e_2$ are internally indistinguishable. This means that there is no 35 | program of base type containing $e_1$ so that if $e_1$ is replaced 36 | with $e_2$ then the program returns a different result. This notion of 37 | equivalence is appealing because there is no aspect of a program at 38 | base type we care about other than what it computes to. Contextual 39 | equivalence allows us to ignore unimportant differences in the precise 40 | way that the answer of a program is computed and focus instead on the 41 | answer itself. This means that two implementations of a data 42 | structure, for instance, are contextually equivalent even if they 43 | differ greatly in complexity or efficiency. 44 | 45 | For all the appeal of contextual equivalence, it is very difficult to 46 | establish any instances of it. In order to show that 47 | $e_1 \cong e_2$ it is necessary to quantify over all possible programs 48 | using $e_1$ and $e_2$ and reason about their behavior. This includes 49 | programs which do not really make use of $e_1$ or $e_2$ such as 50 | $\ap{(\lam{x}{\fn{\unit}{\tau}}{1})}{(\lam{x}{\unit}{e_1})}$. This lack 51 | of constraints on how $e_1$ or $e_2$ is used is precisely what makes 52 | contextual equivalence so useful but it makes even the most basic 53 | proofs involved affairs. 
In order to compensate for this, a variety of
54 | tools have been specialized to simplify the process of establishing when
55 | $e_1 \cong e_2$.
56 |
57 | Broadly speaking, there are two classes of these tools. One may
58 | consider denotational approaches, wherein the equality of programs is
59 | reduced to the question of the equality of normal mathematical
60 | objects. This line of study begins with Dana Scott's investigations of
61 | the lambda calculus~\citep{Scott:76}. Such tools have been
62 | immensely effective when they may be applied but they are difficult to
63 | use. Complex programming languages often make use of extremely
64 | sophisticated mathematical objects and using the model requires
65 | understanding them. This has meant that denotational semantics is
66 | traditionally out of reach for the verification of programs by an
67 | average programmer or anyone besides a domain expert.
68 |
69 | On the other hand, there are syntactic approaches to equality. Some of
70 | these date back to the original study of the lambda calculus and its
71 | reduction properties. Syntactic tools tend to be simpler to use,
72 | relying only on elementary mathematics and an understanding of the
73 | syntax itself. For equality, the tool of choice when working
74 | syntactically is a logical
75 | relation~\citep{Tait:67,Girard:72,Pitts:98,Appel:01,Ahmed:04,Ahmed:06,Appel:07,Dreyer:09,Dreyer:10}.
76 | Dating back to~\citet{Tait:67}, logical relations generalize
77 | homomorphisms and can be thought of as \emph{structure preserving
78 | relations}\footnote{This viewpoint is more liberating than the
79 | traditional explanation that they are a type-indexed inductively
80 | defined family of relations. Logical relations arise for general
81 | mathematical structure. A programming language is merely one example
82 | of such structure.}. Logical relations are used for a wide variety
83 | of tasks but the most important one for us is as a method for
84 | demonstrating contextual equivalences. The study of logical relations
85 | has given rise to a powerful generalization of the theory of data
86 | abstraction called parametricity~\citep{Reynolds:83}. Parametric
87 | reasoning has been so important that there have even been attempts to
88 | reconstruct it in a denotational
89 | sense~\citep{Bainbridge:90,Abadi:90,Ma:91,Birkedal:05,Dunphy:04}. This
90 | work is important for crystallizing the connections between naturality
91 | and parametricity as well as cementing parametricity in the broader
92 | tradition of logical relations. At the present time, however, this program is
93 | still incomplete. \citet{Hermida:14} is a good summary of the
94 | state of the art and the fundamental challenges in 2014.
95 |
96 | To be precise, a logical relation for us is a family of binary
97 | relations indexed by the types of the language,
98 | $(R_\tau)_{\tau \in \types}$. It is constructed by induction over the
99 | types indexing it so that $R_{\fn{\tau_1}{\tau_2}}$ is defined in
100 | terms of $R_{\tau_1}$ and $R_{\tau_2}$. For each $\tau$, the following
101 | property is expected to hold:
102 | \[
103 | (e_1, e_2) \in R_\tau \implies
104 | \hasE{e_1, e_2}{\tau} \land e_1 \cong e_2
105 | \]
106 | This property expresses the soundness of the logical relation with
107 | respect to contextual equivalence. The reverse property, completeness,
108 | is desirable but often unachievable\footnote{Instead, a variety of
109 | techniques for \emph{forcing} completeness to hold are
110 | employed.
These amount to adding all the missing identifications to 111 | the logical relation. While theoretically desirable, this is useless 112 | for the problem of actually establishing an 113 | equivalence.}. Completeness is usually unnecessary for establishing 114 | certain concrete equivalences so in this context it is less 115 | important. 116 | 117 | Finally, an important property of logical relations which is difficult 118 | to capture formally is that it is much easier to prove that 119 | $(e_1, e_2) \in R_\tau$ than to directly show that $e_1 \cong e_2$. 120 | Typically, $R_\tau$ is meant to capture the logical action of $\tau$; 121 | it expresses the precise set of observations possible to make of 122 | expressions of type $\tau$ without all the duplication of contextual 123 | equivalence. For instance, in order to show that 124 | $(e_1, e_2) \in R_{\fn{\tau_1}{\tau_2}}$ it suffices to show the 125 | following. 126 | \[ 127 | \forall (a_1, a_2) \in R_{\tau_1}. 128 | \ (\ap{e_1}{a_1}, \ap{e_2}{a_2}) \in R_{\tau_2} 129 | \] 130 | This is significantly easier than showing that any program using two 131 | functions must behave the same. This definition expresses the fact 132 | that the only real way to use a function is to apply it. 133 | 134 | Given the obvious appeal of having a logical relation defined for a 135 | language, it would seem that the construction of a logical relation 136 | characterizing equality is a natural first step in the study of a new 137 | programming language. The central stumbling block to this goal is that 138 | logical relations are difficult to extend to new programming languages 139 | and especially to new types and computational effects. 140 | 141 | To see where trouble might arise, consider a language with polymorphic 142 | types: $\allNoKind{\alpha}{\tau}$. What should the definition of 143 | $R_{\allNoKind{\alpha}{\tau}}$ be? Phrased differently, when are two 144 | polymorphic functions indistinguishable? One might expect a definition 145 | like the following: 146 | \[ 147 | (e_1, e_2) \in R_{\allNoKind{\alpha}{\tau}} \defs 148 | \forall \tau'.\ (\Ap{e_1}{\tau'}, \Ap{e_2}{\tau'}) \in R_{[\tau'/\alpha]\tau} 149 | \] 150 | This does correctly characterize contextual equivalence but it is 151 | ill-suited as a definition in a logical relation because it is not 152 | well-founded. A logical relation is constructed by induction on the 153 | types and with impredicative polymorphism there is absolutely no 154 | reason why $\tau'$ should be prior than $\allNoKind{\alpha}{\tau}$ in 155 | the ordering used for induction. This is not a minor issue, defining a 156 | correct logical relation for a language with impredicative 157 | polymorphism requires the method of 158 | candidates~\citep{Girard:71,Girard:72}. This situation has been a 159 | recurring issue: features in programming languages tend to have some 160 | recursive structure which prevents them from easily fitting into the 161 | inductive definition of a logical relation. For many features, clever 162 | constructions have been found which circumvent well-foundedness 163 | issues: for instance, for parametric 164 | polymorphism~\citep{Girard:71,Girard:72}, first-order 165 | state~\citep{Pitts:98}, simple exceptions, and recursive 166 | types~\citep{Birkedal:99,Crary:07}. Despite this work, logical 167 | relations are still a long way away from being able to cope with many 168 | full programming languages. 
The state of the art for dealing with 169 | features like higher-order references, nontrivial control passing, or 170 | concurrency is to use step-indexing. 171 | 172 | Step-indexing is a technique first proposed by \citet{Appel:01}. It is 173 | based on a simple but ingenious idea: if your logical relation is not 174 | well-defined by induction on the type just add a number which 175 | decreases and induct on that. This idea means that a logical relation 176 | is no longer a type-indexed relation but a relation indexed by a 177 | number (called a \emph{step}) and a type, $(R_\tau^i)_{i, \tau}$. 178 | 179 | The meaning of two programs related at step $i$ and type $\tau$ is 180 | that they are indistinguishable at type $\tau$ for $i$ steps. Two 181 | programs are related for $i$ steps intuitively if it will take at 182 | least $i$ steps in order to make an observation which distinguishes 183 | them. For instance, if a program $e_1$ runs to $\mathsf{true}$ in 10 184 | steps while $e_2$ runs to $\mathsf{false}$ in 20, it takes 20 steps to 185 | distinguish them. Semantically, this idea is crystallized in models of 186 | programming languages in metric spaces~\citep{Escardo:98}. 187 | 188 | This idea of steps has proven to be incredibly robust and easily 189 | extend to many different 190 | settings~\citep{Appel:01,Ahmed:04,Ahmed:06,Appel:07,Dreyer:09,Dreyer:10,Birkedal:steps:11,Turon:13,Svendsen:16}. 191 | There is a price to be paid for this extra flexibility. Firstly, steps 192 | now pervade the definition of the logical relation and any proof now 193 | must contain pointless bookkeeping activity to keep track of 194 | them. Secondly, the evaluation behavior of the programs under 195 | consideration has begun to matter again. The goal of contextual 196 | equivalence was to erase it from consideration. Now there are 197 | instances where in order to use a logical relation a program must be 198 | modified with spurious NO-OP statements in order to make it take extra 199 | steps, a clear violation of this principle. These issues are even 200 | present when just using the logical relation to validate contextual 201 | equivalences~\citep{Svendsen:16}. In practice, this has meant that 202 | while step-indexing is incredibly widely used it is almost universally 203 | disliked.\footnote{Citation: I walked around at POPL and the five 204 | people I asked seemed like REALLY bummed about it.} 205 | 206 | The structure of this thesis is as follows. In 207 | Section~\ref{sec:language} we describe the ML-like language that will 208 | serve as target for our logical relations. In Section~\ref{sec:steps} 209 | we construct a step-indexed logical relation for this language, paying 210 | attention to its shortcomings. In Section~\ref{sec:domains} we 211 | describe the first failed step-index-free logical relation: the most 212 | na\"ive approach centered around using domain theory. In 213 | Sections~\ref{sec:smi} and~\ref{sec:guarded} we explore a variety of 214 | approaches at step-index-free logical relations for languages powerful 215 | enough to encode general references, largely built around (guarded) 216 | recursive kinds. 
217 |
218 | %%% Local Variables:
219 | %%% mode: latex
220 | %%% TeX-master: "../main"
221 | %%% End:
222 | --------------------------------------------------------------------------------
/secs/language.tex:
--------------------------------------------------------------------------------
1 | \section{An ML-like Language with General References}\label{sec:language}
2 |
3 | In order to make the discussion of logical relations more concrete, a
4 | particular language is necessary. In this section we develop a core
5 | calculus suitable for studying the effects of general references on
6 | reasoning.
7 |
8 | The language under consideration here is heavily influenced by the
9 | Modernized Algol discussed by Harper~\citep{Harper:16}. It features a
10 | syntactic separation between commands and expressions. Expressions are
11 | unable to depend in any way on the heap. Commands may modify the
12 | heap using assignables, a mutable ``variable'' that clarifies the
13 | binding structure (nominal rather than substitutive). A crucial
14 | component of the system is a modality for internalizing and suspending
15 | commands to treat them as expressions. Arguably this language is
16 | heavier-weight than the ML-like languages usually discussed; normally
17 | the languages considered allow imperative computation anywhere in the
18 | program. A language with isolated commands has the advantage that
19 | handling state is now isolated in the logical action of the command
20 | modality. In traditional presentations this complexity is instead
21 | littered throughout the full logical relation. Indeed, the definitions
22 | of the logical relation at $\to$ or $\forall$ are almost completely
23 | unchanged from System F for our logical relation.
24 |
25 | The syntax of our language has three sorts: commands, expressions, and
26 | types defined by the following grammar.
27 | \[
28 | \begin{array}{lcl}
29 | \tau & ::= & \alpha \mid \fn{\tau}{\tau} \mid \allNoKind{\alpha}{\tau}
30 | \mid \cmd{\tau}\\
31 | c & ::= & \ret{e} \mid \get{\alpha} \mid \set{\alpha}{e} \\
32 | & \mid & \dcl{\alpha}{e}{c} \mid \bnd{x}{e}{c}\\
33 | e & ::= & x \mid \ap{e}{e} \mid \lam{x}{\tau}{e} \mid
34 | \LamNoKind{\alpha}{e} \mid \cmd{c}
35 | \end{array}
36 | \]
37 | Only one point of this syntax must be clarified, which is the
38 | unfortunate coincidence of $\alpha$s. In an attempt to maintain
39 | consistency with the standard literature on System F and Harper's
40 | Modernized Algol, $\alpha$ here refers either to an assignable (a
41 | symbol) or a type variable.
42 |
43 | A crucial point of this language is that assignables are \emph{not}
44 | variables. Assignables are bound by the operators of our language and
45 | they do $\alpha$-vary as a variable might but you cannot substitute
46 | for an assignable. This justifies comparing bound symbols for
47 | equality; they are less placeholders and more pointers to binders. It
48 | is nonsensical to talk about a rule like the following.
49 | \[
50 | \inferrule{ }{\step{\dcl{\alpha}{v}{c}}{[v/\alpha]c}}
51 | \]
52 | This is similar to the confusion that many programmers have when
53 | discussing languages with ``variables'': C-like languages do not
54 | permit substitution because they do not possess variables but rather
55 | assignables. In C a rule like the above is clearly false and leads to
56 | statements such as \verb+1 = 2+.
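The dynamics given later in this section reflect this distinction directly: $\bnd{x}{\cmd{\ret{v}}}{m}$ steps to $[v/x]m$, substituting a value for the variable $x$, whereas $\dcl{\alpha}{v}{m}$ steps to $m$ with the heap extended by $[\alpha \mapsto v]$; nothing is ever substituted for $\alpha$.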
One can understand the difference
57 | between $\bnd{x}{e}{c}$ and $\dcl{\alpha}{e}{c}$ as the difference between
58 | \emph{variables}, defined through substitution, and \emph{assignables}
59 | which are defined by the site in which they are bound. The former is
60 | like a let-binding while the latter is closer to a declaration in
61 | C. In our language this separation exists which is why the operators
62 | for reading and writing a mutable cell are indexed by symbol rather
63 | than taking an arbitrary term. There is much to be said on the subject
64 | of symbols and, more generally, nominal binding but it is sadly
65 | out-of-scope for this discussion. The interested reader is referred
66 | to~\citep{Pitts:13}.
67 |
68 | The static semantics of the language are divided into three judgments,
69 | the first of which is the judgment ensuring a type is
70 | well-formed. Informally, a type is well formed in a context $\Delta$
71 | if $\Delta$ contains all the free variables of the type.
72 | \begin{mathpar}
73 | \declareJudgement{\hasTJ{}{\Delta}{\tau}{\tp}}\\
74 | \inferrule{
75 | \alpha \in \Delta
76 | }{\hasTJ{}{\Delta}{\alpha}{\tp}}\and
77 | \inferrule{
78 | \hasTJ{}{\Delta}{\tau_1}{\tp}\\
79 | \hasTJ{}{\Delta}{\tau_2}{\tp}
80 | }{\hasTJ{}{\Delta}{\fn{\tau_1}{\tau_2}}{\tp}}\and
81 | \inferrule{
82 | \hasTJ{}{\Delta, \alpha}{\tau}{\tp}
83 | }{\hasTJ{}{\Delta}{\allNoKind{\alpha}{\tau}}{\tp}}\and
84 | \inferrule{
85 | \hasTJ{}{\Delta}{\tau}{\tp}
86 | }{\hasTJ{}{\Delta}{\cmd{\tau}}{\tp}}
87 | \end{mathpar}
88 | In order to explain the statics of expressions and commands, two
89 | judgments are necessary and they must depend on each other. This
90 | dependence stems from $\cmd{-}$ which internalizes the command
91 | judgment. First the expression judgment is given; it is completely
92 | standard except that it must also be fibered over a specification of
93 | the available assignables. This extra context is necessary in order to
94 | make sense of the binding done in $\mathsf{dcl}$.
95 | \begin{mathpar}
96 | \declareJudgement{\hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau}}\\
97 | \inferrule{
98 | x : \tau \in \Gamma
99 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{x}{\tau}}\and
100 | \inferrule{
101 | \hasESigJ{\Delta}{\Gamma, x : \tau_1}{\Sigma}{e}{\tau_2}
102 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\lam{x}{\tau_1}{e}}{\fn{\tau_1}{\tau_2}}}\and
103 | \inferrule{
104 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e_1}{\fn{\tau_1}{\tau_2}}\\
105 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e_2}{\tau_1}\\
106 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\ap{e_1}{e_2}}{\tau_2}}\and
107 | \inferrule{
108 | \hasESigJ{\Delta, \alpha}{\Gamma}{\Sigma}{e}{\tau}
109 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\LamNoKind{\alpha}{e}}{\allNoKind{\alpha}{\tau}}}\and
110 | \inferrule{
111 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\allNoKind{\alpha}{\tau_1}}\\
112 | \hasTJ{}{\Delta}{\tau_2}{\tp}
113 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\Ap{e}{\tau_2}}{[\tau_2/\alpha]\tau_1}}\and
114 | \inferrule{
115 | \hasMJ{\Delta}{\Gamma}{\Sigma}{m}{\tau}
116 | }{\hasESigJ{\Delta}{\Gamma}{\Sigma}{\cmd{m}}{\cmd{\tau}}}
117 | \end{mathpar}
118 | These are the rules of System F with the exception of the final
119 | one. This makes use of the judgment for commands, where
120 | $\hasM{m}{\tau}$ signifies that $m$ is a command which (when executed
121 | on the appropriate heap) will run to a $\ret{v}$ for some
122 | $\hasE{v}{\tau}$. It is worth noting that $\Sigma$ plays no role in
123 | this judgment except in this final rule.
It is only necessary to track 124 | the available assignables because without this information it is not 125 | possible to determine if a command is well-typed. The rules for 126 | commands are as follows. 127 | \begin{mathpar} 128 | \inferrule{ 129 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau} 130 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\ret{e}}{\tau}}\and 131 | \inferrule{ 132 | \alpha \div \tau \in \Sigma 133 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\get{\alpha}}{\tau}}\and 134 | \inferrule{ 135 | \alpha \div \tau \in \Sigma\\ 136 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau} 137 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\set{\alpha}{e}}{\tau}}\and 138 | \inferrule{ 139 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau_2}\\ 140 | \hasMJ{\Delta}{\Gamma}{\Sigma, \alpha : \tau_2}{m}{\tau_1} 141 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\dcl{\alpha}{e}{m}}{\tau_1}}\and 142 | \inferrule{ 143 | \hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\cmd{\tau_1}}\\ 144 | \hasMJ{\Delta}{\Gamma, x : \tau_1}{\Sigma}{m}{\tau_2} 145 | }{\hasMJ{\Delta}{\Gamma}{\Sigma}{\bnd{x}{e}{m}}{\tau_2}}\and 146 | \end{mathpar} 147 | The operational semantics of this language can be presented in two 148 | distinct ways differing in the way that the allocation of a fresh heap 149 | cell is done. In classical literature, an expression is evaluated 150 | using traditional small step semantics. Commands in this framework are 151 | evaluated by a small step semantics as well but the relation is 152 | between configurations, not just commands. A configuration is a pair 153 | $(m, h)$, a command and the heap it is running on. In 154 | \citet{Harper:16} the binding structure of symbols is preserved in the 155 | operational semantics so that a running command is represented as a 156 | configuration $\nu \Sigma.\ (m, h)$ where $\Sigma$ is a collection of 157 | symbols bound in both $m$ and $h$. 158 | 159 | The advantage of this presentation is that it eliminates the choice of 160 | how to pick a fresh symbol during allocation. Allocated assignables 161 | are bound and so they automatically $\alpha$-vary to avoid collisions 162 | with other assignables. In the more traditional set up the stepping 163 | relation is nondeterministic, allowing for any fresh location to be 164 | chosen. This nondeterminism complicates many metatheoretic properties 165 | and obscures what is really happening since the language is 166 | fundamentally deterministic! The formal presentation has just obscured 167 | the precise meaning of a construct and approximated it with 168 | nondeterminism. For the problems discussed in this thesis, however, 169 | this advantage is not significant and it proves to be (while not 170 | impossible) onerous to convert from semantic objects to $\Sigma$ when 171 | running programs. For concision and expository purposes the 172 | traditional operational semantics are chosen. 
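To see this nondeterminism concretely before giving the rules: since the bound assignable may be renamed prior to allocation, the command $\dcl{\alpha}{v}{\get{\alpha}}$ run on the empty heap may step to $(\get{\beta}, [\beta \mapsto v])$ for \emph{any} symbol $\beta$, all of these outcomes differing only in the choice of name.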
173 | \begin{mathparpagebreakable} 174 | \declareJudgement{\valueJ{v}}\\ 175 | \inferrule{ }{\valueJ{\lam{x}{\tau}{e}}}\and 176 | \inferrule{ }{\valueJ{\LamNoKind{\alpha}{e}}}\and 177 | \inferrule{ }{\valueJ{\cmd{m}}}\\ 178 | \declareJudgement{\step{e}{e'}}\\ 179 | \inferrule{ 180 | \step{e_1}{e_1'} 181 | }{\step{\ap{e_1}{e_2}}{\ap{e_1'}{e_2}}}\and 182 | \inferrule{ 183 | \valueJ{v}\\ 184 | \step{e_2}{e_2'} 185 | }{\step{\ap{v}{e_2}}{\ap{v}{e_2'}}}\and 186 | \inferrule{ 187 | \valueJ{v} 188 | }{\step{\ap{(\lam{x}{\tau}{e})}{v}}{[v/x]e}}\and 189 | \inferrule{ 190 | \steps{e}{e'} 191 | }{\steps{\Ap{e}{c}}{\Ap{e'}{c}}}\and 192 | \inferrule{ }{\step{\ap{(\LamNoKind{\alpha}{e})}{c}}{[c/\alpha]e}}\\ 193 | \declareJudgement{\finalJ{m}{h}}\\ 194 | \inferrule{ 195 | \valueJ{v} 196 | }{\finalJ{\ret{v}}{h}}\\ 197 | \declareJudgement{\stepsM{m}{h}{m'}{h'}}\\ 198 | \inferrule{ 199 | \step{e}{e'} 200 | }{\stepM{\ret{e}}{h}{\ret{e'}}{h}}\and 201 | \inferrule{ 202 | \step{e}{e'} 203 | }{\stepM{\bnd{x}{e}{m}}{h}{\bnd{x}{e'}{m}}{h}}\and 204 | \inferrule{ 205 | \stepM{m_1}{h}{m_1'}{h'} 206 | }{\stepM{\bnd{x}{\cmd{m_1}}{m_2}}{h}{\bnd{x}{\cmd{m_1'}}{m_2}}{h'}}\and 207 | \inferrule{ 208 | \valueJ{v} 209 | }{\stepM{\bnd{x}{\cmd{\ret{v}}}{m}}{h}{[v/x]m}{h}}\and 210 | \inferrule{ 211 | \step{e}{e'} 212 | }{\stepM{\dcl{\alpha}{e}{m}}{h}{\dcl{\alpha}{e'}{m}}{h}}\and 213 | \inferrule{ 214 | \valueJ{v}\\ 215 | \alpha \disjoint h 216 | }{\stepM{\dcl{\alpha}{v}{m}}{h}{m}{h[\alpha \mapsto v]}}\and 217 | \inferrule{ }{\stepsM{\get{\alpha}}{h}{\ret{h(\alpha)}}{h}}\and 218 | \inferrule{ 219 | \step{e}{e'} 220 | }{\stepsM{\set{\alpha}{e}}{h}{\set{\alpha}{e'}}{h}}\and 221 | \inferrule{ 222 | \valueJ{v} 223 | }{\stepsM{\set{\alpha}{v}}{h}{\ret{v}}{h[\alpha \mapsto v]}}\and 224 | \end{mathparpagebreakable} 225 | This gives a precise account of the language under consideration. 226 | Still undefined, however, is the right notion of equivalence. It was 227 | informally sketched in the introduction as the ability to replace one 228 | program with the other in an arbitrary context. It is now possible to 229 | make this definition formal. First, a context is a term with a 230 | distinguished hole in it, written $\hole$. They are generated from the 231 | following grammar: 232 | \[ 233 | \begin{array}{lcl} 234 | C &::=& \hole \mid \ap{C}{e} \mid \ap{e}{C} \mid \lam{x}{\tau}{C} \mid 235 | \LamNoKind{\alpha}{C} \mid \Ap{C}{c} \mid \cmd{C_m}\\ 236 | C_m &::=& \ret{C} \mid \bnd{x}{C}{m} \mid \bnd{x}{e}{C_m}\\ 237 | & \mid & \dcl{\alpha}{C}{m} \mid \dcl{\alpha}{e}{C_m} \mid \set{\alpha}{C}\\ 238 | C^m &::=& \ap{C^m}{e} \mid \ap{e}{C^m} \mid \lam{x}{\tau}{C^m} \mid 239 | \LamNoKind{\alpha}{C^m} \mid \Ap{C^m}{c} \mid \cmd{C_m^m}\\ 240 | C_m^m &::=& \hole \mid \ret{C^m} \mid \bnd{x}{C^m}{m} \mid \bnd{x}{e}{C_m^m}\\ 241 | & \mid & \dcl{\alpha}{C^m}{m} \mid \dcl{\alpha}{e}{C_m^m} \mid \set{\alpha}{C^m}\\ 242 | \end{array} 243 | \] 244 | There are four varieties of contexts, representing that an 245 | \{expression, command\} may be put into another \{expression, 246 | command\}. $C$ is the class of contexts inserting expressions into 247 | expressions while $C_m$ allows for inserting expressions into 248 | commands. $C^m$ and $C_m^m$ allow for inserting commands into 249 | expressions and commands into commands respectively. 250 | 251 | All of these come equipped with a natural operation replacing $\hole$ 252 | with an expression or command, denoted $C[e]$ or $C[m]$. 
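For example, taking $C = \lam{x}{\tau}{\hole}$ and filling the hole with the bare variable $x$ yields $C[x] = \lam{x}{\tau}{x}$.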
Notice that
253 | crucially this operation allows variable capture; $e$ is allowed to make use of
254 | the variables bound in $C$. This is important for allowing contextual
255 | equivalence to work on open terms.
256 |
257 | A small point of interest is that having two sorts which may mention
258 | each other leads to four different varieties of contexts. This
259 | quadratic growth continues, which makes contextual equivalence
260 | difficult to define for complex languages. This has been addressed by
261 | Crary~\citep{Crary:17} by defining contextual equivalence as the
262 | unique relation satisfying Theorem~\ref{thm:language:cxt}. Finally,
263 | contexts can be equipped with a notion of typing. This typing relation
264 | for a context representing an expression with an expression hole, $C$,
265 | expresses that when filled with a program
266 | $\hasESigJ{\Delta}{\Gamma}{\Sigma}{e}{\tau}$ then
267 | $\hasESigJ{\Delta'}{\Gamma'}{\Sigma'}{C[e]}{\tau'}$. This typing
268 | relation is unsurprising and therefore omitted. This judgment is
269 | written as
270 | $\hasCEJ{\Delta}{\Gamma}{\Sigma}{\tau}{C}{\Delta'}{\Gamma'}{\Sigma'}{\tau'}$
271 | if $C$ sends an object of type $\tau$ in context
272 | $\Delta; \Gamma; \Sigma$ to an object of type $\tau'$ in context
273 | $\Delta'; \Gamma'; \Sigma'$.
274 |
275 | In order to define contextual equivalence, two supplementary
276 | definitions are required.
277 | \begin{defn}\label{def:language:heapmatch}
278 | A heap $h$ matches $\Sigma$, written $h : \Sigma$, if for all
279 | $\alpha \div \tau \in \Sigma$,
280 | $\hasESigJ{\cdot}{\cdot}{\Sigma}{h(\alpha)}{\tau}$.
281 | \end{defn}
282 | \begin{defn}\label{def:language:kleene}
283 | Two programs are said to be Kleene equal at $\Sigma$, written
284 | $e_1 \simeq_\Sigma e_2$, if for all $h : \Sigma$ and $m_1, m_2$ so
285 | that $\steps{e_i}{\cmd{m_i}}$, either $(m_1, h) \Downarrow$ and
286 | $(m_2, h) \Downarrow$ or $(m_1, h) \Uparrow$ and
287 | $(m_2, h) \Uparrow$.
288 | \end{defn}
289 | This definition of Kleene equality is slightly non-standard in two
290 | ways: it is defined for expressions which compute to commands and it
291 | only checks if the resulting commands coterminate, not that they
292 | result in the same value. These deviations are natural in this
293 | language because without them Kleene equivalence is unhelpful. There
294 | is no base observable type in this language and so there is no
295 | observation to be made besides termination. Furthermore, it is not
296 | hard to prove that expressions always terminate (they behave as System
297 | F with a new base type) so \emph{no} interesting observations may be
298 | made of just expressions.
299 |
300 | We will also make use of the notation $(m_1, h_1) \simeq (m_2, h_2)$
301 | to signify just the final part of this definition. Finally, we can
302 | lift Kleene equality to a definition of contextual equivalence.
303 | \begin{defn}\label{def:language:cxt}
304 | Two programs are contextually equivalent,
305 | $\equivESigJ{\Delta}{\Gamma}{\Sigma}{e_1}{e_2}{\tau}$, if for all
306 | contexts
307 | $\hasCEJ{\Delta}{\Gamma}{\Sigma}{\tau}{C}{\cdot}{\cdot}{\Sigma'}{\cmd{\tau'}}$,
308 | $C[e_1] \simeq_{\Sigma'} C[e_2]$.
309 |
310 | Similarly, two commands are said to be contextually equivalent if for all contexts
311 | $\hasCEJ{\Delta}{\Gamma}{\Sigma}{\tau}{C^m}{\cdot}{\cdot}{\Sigma'}{\cmd{\tau'}}$,
312 | $C^m[m_1] \simeq_{\Sigma'} C^m[m_2]$.
313 | \end{defn} 314 | This definition formalizes our earlier intuitions and it makes obvious 315 | the issues that were mentioned with contextual equivalence previously. 316 | In order to establish contextual equivalence we must write a proof 317 | which handles an arbitrary choice of $C$. This means that proving two 318 | functions are equal requires us to consider the case in which a 319 | context passes them about, applies them to a few hundred arguments, 320 | and then ignores all those results and returns $\mathsf{true}$. This 321 | roundabout usage of expressions we are interested in requires more 322 | sophisticated proofs. 323 | 324 | Most proofs of contextual equivalence make use of a coinductive 325 | characterization of it. Contextual equivalence is the coarsest 326 | consistent congruence relation on terms. A consistent relation is one 327 | where if two terms are related by the relation than they 328 | coterminate. A congruence relation is an equivalence relation 329 | (reflexive, symmetric, transitive) which respects the structure of the 330 | terms. 331 | 332 | To make this precise, a pair of relations $(\relR, \relS)$ (the first 333 | on expressions, the second on commands) is said to respect the 334 | structure of terms if the following inferences are valid. 335 | \begin{mathparpagebreakable} 336 | \inferrule{ 337 | e_1 \relR e_2 338 | }{\lam{x}{\tau}{e_1} \relR \lam{x}{\tau}{e_2}}\and 339 | \inferrule{ 340 | e_1 \relR e_1'\\ 341 | e_2 \relR e_2' 342 | }{\ap{e_1}{e_2} \relR \ap{e_1'}{e_2'}}\and 343 | \inferrule{ 344 | e_1 \relR e_2 345 | }{\LamNoKind{\alpha}{e_1} \relR \LamNoKind{\alpha}{e_2}}\and 346 | \inferrule{ 347 | e_1 \relR e_2 348 | }{\Ap{e_1}{c} \relR \Ap{e_2}{c}}\and 349 | \inferrule{ 350 | m_1 \relS m_2 351 | }{\cmd{m_1} \relR \cmd{m_2}}\and 352 | \inferrule{ 353 | e_1 \relR e_2 354 | }{\ret{e_1} \relS \ret{e_2}}\and 355 | \inferrule{ 356 | e_1 \relR e_2\\ 357 | m_1 \relS m_2 358 | }{\bnd{x}{e_1}{m_1} \relS \bnd{x}{e_2}{m_2}}\and 359 | \inferrule{ 360 | e_1 \relR e_2\\ 361 | m_1 \relS m_2 362 | }{\dcl{\alpha}{e_1}{m_1} \relS \dcl{\alpha}{e_2}{m_2}}\and 363 | \inferrule{ 364 | e_1 \relR e_2\\ 365 | }{\set{\alpha}{e_1} \relS \set{\alpha}{e_2}}\and 366 | \inferrule{ 367 | }{\get{\alpha} \relS \get{\alpha}} 368 | \end{mathparpagebreakable} 369 | The standard result is then captured by the following theorem. 370 | \begin{thm}\label{thm:language:cxt} 371 | Contextual equivalence on expressions and commands is the coarsest 372 | consistent congruence. 373 | \end{thm} 374 | We now turn to discussing logical relations for this language. 375 | 376 | %%% Local Variables: 377 | %%% mode: latex 378 | %%% TeX-master: "../main" 379 | %%% End: 380 | -------------------------------------------------------------------------------- /secs/step-indexing.tex: -------------------------------------------------------------------------------- 1 | \section{A Step-Indexed Logical Relation}\label{sec:steps} 2 | 3 | Before diving into the various approaches for constructing a logical 4 | relation without step-indexing, it is well worth the time to see how a 5 | logical relation can be done with it. The purpose of this section is 6 | to sketch the complications intrinsic to any logical relation for 7 | state and show how step-indexing obliterates them, though at a high 8 | cost. 9 | 10 | Our first step is to begin with a mapping from types to semantic types 11 | (merely sets of terms). In order to handle impredicative polymorphism 12 | we use Girard's method~\citep{Girard:71,Girard:72}. 
See
13 | \citet{Harper:16} for an introduction to the technique. This means
14 | that our logical relation is of the form
15 | \[
16 | \den{-}_{-} : \types \to \typesEnv \to \pow{\term \times \term}
17 | \]
18 | The central challenge is the meaning of $\den{\cmd{\tau}}$: the action
19 | of the logical relation at commands. At an intuitive level, commands
20 | are rather like (partial) functions: they map heaps to heaps
21 | and a return value. Drawing inspiration from how logical relations for
22 | functions are defined, we might write the following for the definition
23 | of the logical relation at $\cmd{\tau}$:
24 | \begin{align*}
25 | \den{\cmd{\tau}}_\eta \triangleq \{(e_1, e_2) \mid {}
26 | &\exists m_1, m_2.\ \steps{e_i}{\cmd{m_i}} \land{}\\
27 | &\forall h_1 \sim h_2.
28 | \ (m_1, h_1) \simeq (m_2, h_2) \land{}\\
29 | &\quad \forall v_1, h_1', v_2, h_2'.
30 | \ (\stepsM{m_i}{h_i}{\ret{v_i}}{h_i'}\\
31 | &\qquad \implies (h_1' \sim h_2' \land (v_1, v_2) \in \den{\tau}_\eta))\}
32 | \end{align*}
33 | This definition states that two programs are equal as commands if they
34 | satisfy the following constraints:
35 | \begin{enumerate}
36 | \item They both run to commands.
37 | \item When those commands are run on related heaps they terminate.
38 | \item The resulting heaps and return values from this execution are
39 | related.
40 | \end{enumerate}
41 | Here left undefined is the definition of when two heaps are related,
42 | $\sim$. This is in fact a major issue because there appears to be no
43 | good way to identify when two heaps ought to be equal. The first issue
44 | here is that semantic equality of terms (be it contextual or logical)
45 | is type-indexed. This means that comparing heaps pointwise
46 | for equality (a reasonable first approach) requires that we at least
47 | know the types of the entries. Furthermore, we should not compare
48 | these heaps for equality at all locations necessarily. Two heaps
49 | should only need to agree on the cells that the programs are going to
50 | use.
51 |
52 | These two caveats are important if we want to prove the equivalence of
53 | programs which do not use the heap identically. For instance,
54 | consider the two programs:
55 | \[
56 | \dcl{\alpha}{1}{\ret{\cmd{\get{\alpha}}}} \qquad\qquad
57 | \ret{\cmd{\ret{1}}}
58 | \]
59 | These are contextually equivalent (because the assignable of the first
60 | program is hidden from external manipulation) and yet they allocate in
61 | different ways. So $\sim$ must not be \emph{merely} pointwise equality
62 | of all cells in the most general case. It is also easy to see that
63 | proving that the programs above are equal requires showing that
64 | $h_1 \sim h_2$ if and only if $h_1(\alpha) = 1$. That is, this program
65 | doesn't merely require that heap cells contain values of some
66 | syntactic type, but they may need to belong to an arbitrary semantic
67 | type.
68 |
69 | In order to reconcile these constraints, one thing is clear: the
70 | logical relation must somehow vary depending on the state that the
71 | heap is supposed to be in. It is simply not the case that programs
72 | are equivalent in a heap where no cells are required to exist if
73 | and only if they're equivalent in a heap where one cell is required to
74 | exist.
75 |
76 | The solution to this is called a Kripke logical relation. Kripke
77 | logical relations, and more generally sheaf models, are a recurring
78 | phenomenon in computer
79 | science~\citep{Plotkin:80,Mitchell:91,Appel:01,Ahmed:04}.
The
80 | underlying idea of Kripke logical relations, or sheaf models, is to
81 | abandon the notion of a single global truth and judge truth relative
82 | to a current state of the world. The notion of ``state of the world''
83 | varies from application to application but is always described as a
84 | partially ordered set, $\worlds$. Elements of $\worlds$ represent the
85 | different states of knowledge we may have about the
86 | world. The partial order, $w_1 \reach w_2$, describes when
87 | $w_2$ is a consistent expansion of the knowledge of $w_1$.
88 |
89 | For a Kripke logical relation, rather than considering
90 | $\den{\tau}_\eta$, we work relative to a world $w$:
91 | $(e_1, e_2) \in \den{\tau}_\eta(w)$. Importantly, Kripke logical relations
92 | should be monotone in relation to $\reach$:
93 | \[
94 | \forall w_1, w_2.
95 | \ w_1 \reach w_2 \land (e_1, e_2) \in \den{\tau}_\eta(w_1)
96 | \implies (e_1, e_2) \in \den{\tau}_\eta(w_2)
97 | \]
98 | Intuitively, if we know that some fact holds at a world, $w_1$, and we
99 | add more knowledge to $w_1$ to reach $w_2 \breach w_1$, it should not
100 | reduce what we know to be true. Put in a more philosophical way: the
101 | absence of knowledge does not imply its negation.
102 |
103 | In this case, the choice of Kripke world is meant to express the
104 | current state of the heap that programs are being compared at, or at
105 | least, what is known about it. What is this world concretely however?
106 | As a first cut, one could consider a simple collection of symbols and
107 | types. That is,
108 | $\worlds \triangleq \powfin{\assignables \times \types}$ equipped with
109 | $\subseteq$. We can change our clause for the logical relation to take
110 | these worlds into account.
111 | \begin{align*}
112 | \den{\cmd{\tau}}_\eta\different{(w_1)} \triangleq \{(e_1, e_2) \mid
113 | &\exists m_1, m_2.\ \steps{e_i}{\cmd{m_i}} \land{}\\
114 | &\forall \different{w_2 \breach w_1}.\ \forall h_1 \different{\sim_{w_2}} h_2.
115 | \ (m_1, h_1) \simeq (m_2, h_2) \land{}\\
116 | &\quad \forall v_1, h_1', v_2, h_2'.
117 | \ (\stepsM{m_i}{h_i}{\ret{v_i}}{h_i'}\\
118 | &\qquad \implies (\different{\exists w_3 \breach w_2}.
119 | \ h_1' \different{\sim_{w_3}} h_2' \land (v_1, v_2) \in \den{\tau}_\eta\different{(w_3)}))\}
120 | \end{align*}
121 | These changes are largely forced. We must quantify over all possible
122 | $w_2$ extending $w_1$ at the beginning: if this were elided then
123 | $\den{\cmd{\tau}}_\eta$ would not be monotone. The extension at the
124 | end, $w_3 \breach w_2$, is so that the world may be updated to reflect
125 | the changes that were caused by allocating new cells or updating
126 | existing ones. Still unexplained is $h_1 \sim_w h_2$. At this point it
127 | can be defined in a slightly more refined way since $w$ at least
128 | specifies what cells we ought to compare for equality. However, the
129 | notion of equality that we want is problematic. The problem appears in
130 | the \emph{fundamental theorem}, the proof that the logical relation is
131 | reflexive.
132 | \begin{itemize}
133 | \item If some stronger notion of equality than logical equivalence,
134 | such as $\alpha$-equivalence, is used, the fundamental theorem will
135 | fail in the clause for $\set{\alpha}{e}$.
136 | \item If a weaker equality than logical equivalence is used then the
137 | fundamental theorem will fail in the clause for $\get{\alpha}$.
138 | \item If logical equivalence itself is used, the definition will
139 | become ill-founded.
This is because the heap may contain cells with
140 | a type larger than $\cmd{\tau}$.
141 | \end{itemize}
142 | What is needed is a maneuver in the vein of Girard's method. Instead
143 | of attempting to decide what the equality for a particular heap
144 | location should be in the definition of $\sim_w$, it should be told to
145 | us already by $w$. This idea, originating with the very early work on
146 | denotational models of state, means that our Kripke worlds should
147 | instead satisfy the relation:
148 | \[
149 | \worlds = \assignables \pto \pow{\term \times \term}
150 | \]
151 | Now the world extension relation is defined by the following.
152 | \[
153 | w_1 \reach w_2 \triangleq
154 | \dom(w_1) \subseteq \dom(w_2) \land
155 | \forall \alpha \in \dom(w_1).\ w_1(\alpha) = w_2(\alpha)
156 | \]
157 | This version is much more plausible. With the clause
158 | of the logical relation described previously, together with the
159 | following definition of $\sim_w$, the logical relation is well-defined.
160 | \[
161 | h_1 \sim_w h_2 \triangleq \forall \alpha \in \dom(w).
162 | \ (h_1(\alpha), h_2(\alpha)) \in w(\alpha)
163 | \]
164 | The issue with this version is more subtle and causes the fundamental
165 | theorem to fail in the rule for allocation: what relation should we pick when a
166 | fresh cell is allocated? It seems that the only choice when allocating
167 | a cell of type $\tau$ at world $w$ is to extend our world with
168 | $\alpha \mapsto \den{\tau}_\eta(w)$. The complication arises when we
169 | allocate more cells later and move to a fresh world. The relation at
170 | $\alpha$ is now stale. It refers to an outdated world and doesn't
171 | allow for equivalences that are true at this new world but were
172 | previously false. To concretely see this, consider the program:
173 | \begin{align*}
174 | \cmd{
175 | &\dcl{\alpha}{\lam{x}{\nat}{\cmd{\ret{1}}}}{\\
176 | &\quad \ret{\cmd{\set{\alpha}{\lam{x}{\nat}{
177 | \bnd{x}{\cmd{\get{\alpha}}}{\\ & \qquad\qquad\qquad\qquad\ret{x + 1}}
178 | }}}}
179 | }
180 | }
181 | \end{align*}
182 | This style of program is used to encode recursion in this language.
183 | In this case, however, the central point of interest is that
184 | $\alpha$ is updated to contain a command which mentions $\alpha$. In
185 | the logical relation, $\alpha$ could only ever contain terms in
186 | $\den{\fn{\nat}{\cmd{\nat}}}(\emptyset)$. In particular, this never
187 | includes a command which mentions $\alpha$. This prevents this
188 | perfectly type-safe program from being included in the logical
189 | relation and so the fundamental theorem must fail.
190 |
191 | What is to be done here? The root of the issue is that when we
192 | allocate a cell it is impossible to determine precisely what programs
193 | will occupy it because programs in the cell may mention cells that are
194 | yet to be allocated at the time of the construction. What is needed is
195 | for the semantic type stored in a heap cell to vary according to the
196 | world. This fixes an asymmetry between the Kripke world and the
197 | logical relation: the Kripke world supposedly maps locations to
198 | semantic types but the semantic types (as determined by the logical
199 | relation) vary in the Kripke worlds. This leads us to the final form
200 | of the definition of Kripke worlds.
201 | \[ 202 | \worlds = \assignables \pto (\worlds \to \pow{\term \times \term}) 203 | \] 204 | Herein lies the rub: this definition of the set of worlds is precisely 205 | what is required for this logical relation but it is not a set. A 206 | simple cardinality argument shows that there can be no such set since 207 | it would have to be larger than its own power set. This is not an 208 | easily avoided problem. It is unknown how to simply avoid this using 209 | ingenuity in the choice of the Kripke world. 210 | 211 | This is where step-indexing enters the picture: to break these 212 | circularities and solve the recursive equation up to an approximation. 213 | 214 | With step-indexing, the space of semantic types becomes indexed by 215 | natural numbers and we will likewise index the world by these same 216 | natural numbers. The idea is that a world at stage $n$ maps to 217 | assignables to semantic types which only vary at the previous $n - 1$ 218 | stages, past $n - 1$ they are simply constant. The issue is that this 219 | approach requires a number of complex definitions which obscure the 220 | underlying intent: to solve this recursive equation. 221 | 222 | Instead of slogging through the classical step-indexed definitions, we 223 | will make use of a more modern categorical approach. Instead of 224 | working with sets, from the beginning we will work with sets varying 225 | over natural numbers: presheaves over $\omega$ (the preorder category 226 | given by $\nat$ and $\le$). 227 | \begin{defn} 228 | A presheaf over a category $\Ccat$ is a functor from $\op{\Ccat}$ to 229 | $\SET$. Presheaves form a category with morphisms being natural 230 | transformations. This category is written $\presheaves{\Ccat}$. 231 | \end{defn} 232 | \begin{example} 233 | A presheaf over $\omega$ is a family of sets $(X_i)_{i \in \nat}$ 234 | with a map $r_n : X_{n + 1} \to X_n$ for all $n$ called restriction 235 | maps. A map between presheaves is then a family of maps 236 | $f_n : X_n \to Y_n$ so that the following commutes for all $n$. 237 | \[ 238 | \begin{tikzcd} 239 | X_{n + 1} \ar[r, "f_{n + 1}"] \ar[d, swap, "r_n"] & Y_{n + 1} \ar[d, "r_n"]\\ 240 | X_n \ar[r, swap, "f_n"] & Y_n 241 | \end{tikzcd} 242 | \] 243 | \end{example} 244 | Rather than working directly with sets, we can instead work with 245 | presheaves synthetically. For instance, we can define the exponential 246 | of two presheaves rather than mucking about to create an implication 247 | which interacts properly with the step. 248 | \begin{lem} 249 | For all small diagrams of presheaves the (co)limit exists and is 250 | determined pointwise. 251 | \end{lem} 252 | The above theorem tells us, for instance, that if we want to form the 253 | product of two presheaves, $X$ and $Y$, over $\omega$, at time $n$ it's just the 254 | product of the $X(n)$ and $Y(n)$. More generally, this lemma gives a 255 | wide-variety of ways to construct complex presheaves from simple ones 256 | without ever having to deal with the step manually. The main missing 257 | element is the ability to form exponentials, the categorical analog of 258 | function types. For presheaves these are slightly more complicated since 259 | functions between presheaves must respect the indexing structure. 260 | \begin{lem} 261 | Given two presheaves $X, Y : \presheaves{\Ccat}$, the exponential 262 | between them is 263 | \[ 264 | (Y^X)(c) \triangleq \hom(\yoneda(c) \times X, Y) 265 | \] 266 | where $\yoneda$ is the Yoneda embedding, defined by the following. 
267 | \[ 268 | \yoneda(c) = hom_\Ccat(-, c) 269 | \] 270 | \end{lem} 271 | This definition may seem abstract but it is, importantly, monotone and 272 | so determines a valid presheaf. The real power of this approach is 273 | that \emph{it does not matter} that this definition is complex. The 274 | point is that this definition determines a function of presheaves in 275 | that it contains exactly and only elements we can apply. Beyond these 276 | two facts its construction is entirely irrelevant. % TASTE IT. 277 | 278 | The constructions so far have given us a wide variety of constructible 279 | presheaves but nothing thus far has increased our expressive power of 280 | what we had in $\SET$. For that we need the ability to solve certain 281 | recursive equations. In fact, it will turn out that we can solve 282 | \emph{guarded} domain equations in $\presheaves{\omega}$. In order to 283 | see this, first let us define a functor on $\presheaves{\omega}$. 284 | \begin{defn} 285 | The later functor, 286 | $\later : \presheaves{\omega} \to \presheaves{\omega}$, is defined 287 | on objects as follows. 288 | \begin{align*} 289 | (\later X)(n + 1) &= X(n)\\ 290 | (\later X)(0) &= \{\star\} 291 | \end{align*} 292 | This family of sets is a presheaf in the obvious way: 293 | $r_0 = \lambda x.\ \star$ in $\later X$ and $r_{n + 1}$ of 294 | $\later X$ is the $r_n$ of $X$. The action on morphisms is as 295 | follows. 296 | \begin{align*} 297 | (\later f)(n + 1) &= f_n\\ 298 | (\later f)(0) &= \lambda x.\ \star 299 | \end{align*} 300 | 301 | The later functor comes equipped with a natural transformation 302 | $\delay : 1 \to \later$. Explicitly, this means $\delay$ is a family 303 | of maps $\delay_X : X \to \later X$ so that 304 | $\delay_Y \circ f = f \circ \delay_X$ for any $f : X \to Y$. 305 | \end{defn} 306 | The later modality is the logical essence of step-indexing. 307 | The key insight of step-indexing is actually two-fold: 308 | \begin{enumerate} 309 | \item In order to show that two programs are indistinguishable, it 310 | suffices to show that they're indistinguishable for $n$ steps for 311 | any $n$. 312 | \item When showing that two programs are indistinguishable from other 313 | programs at $n$ steps it suffices to show that subcomponents are 314 | only indistinguishable for $n - 1$ steps. 315 | \end{enumerate} 316 | If this second point was not the case, then it would never be possible 317 | to decrement the step-index and the exercise would have been largely 318 | moot. The later modality internalizes the idea of ``$n - 1$ steps'' 319 | without ever mentioning $n$. Using $\later X$ we can talk about 320 | (uniformly) constructing an element at stage $n$ from an element at 321 | stage $n - 1$. The $\delay$ operation even crystallizes the 322 | monotonicity of the logical relation: if we have an element at stage 323 | $n$ we can always construct one at stage $n - 1$. 324 | 325 | A crucial point about using natural numbers for step-indexing is that 326 | natural numbers are well-founded; there's no way to pick a natural 327 | number that we can decrement forever. This justifies reasoning by 328 | induction on the natural numbers and, in particular 329 | constructing an object at any stage provided we can take a 330 | construction of it at stage $n - 1$ and construct it at stage 331 | $n$. 
This principle may be expressed with the later modality: it's
332 | precisely the existence of a family of morphisms:
333 | \[
334 | \fix_A : A^{\later A} \to A
335 | \]
336 | These functions express L\"ob induction: in order to construct $A$, it
337 | suffices to construct $A$ under the assumption $\later A$.
338 |
339 | These morphisms allow us to take fixed points of maps
340 | $\later A \to A$ or, equivalently, of \emph{contractive} endomorphisms:
341 | morphisms $X \to Y$ are called contractive when they can be
342 | factored as $X \to \later X \to Y$. In particular, suppose we have
343 | some $f : B \times \later A \to A$. Then the following equality holds:
344 | \[
345 | \fix_A \circ \transpose{f} = f \circ \pair{1}{\delay_A \circ \fix_A \circ \transpose{f}}
346 | \]
347 | Written out using more type-theoretic notation this is easier to
348 | process.
349 | \[
350 | \forall b.\ \fix_A(f(b, -)) = f(b, \delay_A(\fix_A(f(b, -))))
351 | \]
352 | This fixed-point construction allows us to build many interesting
353 | structures inside this category. Through the inclusion of
354 | universes~\citep{Hofmann:90s}, one can even construct solutions to
355 | certain (small) domain equations entirely internally to the
356 | category~\citep{Birkedal:13}. The basic idea is that
357 | $\presheaves{\omega}$ can be easily made to support an object,
358 | $\mathcal{U}$, for which global sections (maps $1 \to \mathcal{U}$)
359 | classify other smaller objects. This is the categorical analog of a
360 | Grothendieck universe~\citep{Streicher:04} and proves to be an
361 | important concept in the semantics of dependent type theory. Then, by
362 | using $\fix_\univ$ it is possible to construct the recursively defined
363 | presheaves necessary to build logical relations. This approach, while
364 | not always explicit, is latent in the work done in constructing
365 | logical relations in guarded type theory and guarded
366 | logics~\citep{Dreyer:09,Paviotti:15,Krogh-Jespersen:17}.
367 |
368 | We will consider the more traditional approach of using proper domain
369 | equations rather than just small ones. With this methodology, we model
370 | equations as functors and solutions as fixed points of these functors. This
371 | approach in domain theory originates from \citet{Smyth:77} and
372 | subsumes prior work by \citet{Scott:76} constructing recursive domain
373 | equations by hand.
374 |
375 | One potential issue is that we would like to solve domain equations
376 | which are not strictly speaking functorial. In particular, we want to
377 | handle the case where the equation contains both positive and negative
378 | occurrences. We handle these by viewing them as functors
379 | $F : \op{\presheaves{\omega}} \times \presheaves{\omega} \to
380 | \presheaves{\omega}$
381 | in the style of \citet{Pitts:96} for instance. The question then
382 | becomes: for what functors can we construct an object, $I$, so that
383 | $F(I, I) \cong I$, an invariant object? This construction is a
384 | generalization of the theorem of America and
385 | Rutten~\citep{America:87}. The fully general statement of the theorem can
386 | be found in \citet{Birkedal:domain:10,Birkedal:steps:11}. For our
387 | purposes, though, a much less general theorem suffices.
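Before stating it, a standard example (not needed for anything that follows) may help to fix ideas: the equation for guarded streams of natural numbers,
\[
S \cong \nat \times \later S
\]
Its solution in $\presheaves{\omega}$ has $S(n) \cong \nat^{n + 1}$, the length-$(n + 1)$ prefixes of streams. The functor $X \mapsto \nat \times \later X$ (constant in its contravariant argument) is locally contractive in the sense defined next, and the $\later$ is doing real work: the identity functor, by contrast, is merely locally nonexpansive and has many non-isomorphic fixed points.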
388 | \begin{defn} 389 | A functor, $F$, is said to be locally contractive if there is a 390 | family of contractive morphisms 391 | \[ 392 | f_{X_1, X_2, Y_1, Y_2} : 393 | X_1^{X_2} \times Y_2^{Y_1} \to F(X_2, Y_2)^{F(X_1, Y_1)} 394 | \] 395 | So that this family respects composition and identity and 396 | so that for each $\pair{g}{h} : 1 \to X_1^{X_2} \times Y_2^{Y_1}$ 397 | then the following equation holds. 398 | \[ 399 | f_{X_1, X_2, Y_1, Y_2} \circ \pair{g}{h} = 400 | \transpose{F(\transpose{g}, \transpose{h})} 401 | \] 402 | If just the latter condition holds (no respect for identity or 403 | composition) $F$ is said to have a strength $f$ and if the family of 404 | morphisms is not contractive we shall call the functor locally 405 | nonexpansive. 406 | \end{defn} 407 | This definition is subtly different than some presentations of this 408 | theorem, which require only that $F$ have a strength comprised of 409 | contractive morphisms. This version essentially states that $F$ must 410 | be an enriched functor for the category $\presheaves{\omega}$ enriched 411 | over itself. The central theorem, Theorem~\ref{thm:steps:fixed-points} 412 | is true even in this weakened version but I am unable to find a proof 413 | of this fact. The relative strengthening that this generality provides 414 | seems barren as well; none of the examples of the fixed point theorem 415 | used either in this section or Section~\ref{sec:guarded} require it. 416 | \begin{example} 417 | The functors $\times$, $\to$, and $+$ are all locally 418 | nonexpansive. The functor $\later$ is locally 419 | contractive. Additionally, any locally contractive functor is locally 420 | nonexpansive. 421 | \end{example} 422 | \begin{lem} 423 | The composition of locally nonexpansive functors is locally 424 | nonexpansive. The composition of a locally contractive functor with 425 | a locally nonexpansive functor is locally contractive. 426 | \end{lem} 427 | We may now state the theorem which makes working a 428 | $\presheaves{\omega}$ so appealing. 429 | \begin{thm}\label{thm:steps:fixed-points} 430 | For any locally contractive functor $F$ there exists an object $I$, 431 | unique up to isomorphism, so that $F(I, I) \cong I$. 432 | \end{thm} 433 | This theorem allows us to solve a wide variety of domain equations, 434 | including a small modification of the crucial one for Kripke 435 | worlds. First, let us define $\upred{S}$ as a ``time-varying 436 | predicate'' on a set $S$. This will be the analog of the sets of terms 437 | used in step-indexed models. 438 | \[ 439 | \upred{X}(n) \triangleq \{(m, x) \mid x \in X \land m < n\} 440 | \] 441 | There is an evident restriction mapping sending a uniform predicate at 442 | stage $n + 1$ to the uniform predicate containing the entries indexed 443 | by numbers smaller than $n$. Next, the presheaf of partial maps from 444 | assignables to presheaves can be defined as follows: 445 | \[ 446 | (\assignables \pto X)(n) \triangleq 447 | \{f \in X(n)^{F} \mid F \subseteq \assignables \land F\ \mathsf{finite}\} 448 | \] 449 | Importantly, it is not hard to see that $\assignables \pto -$ defines 450 | a functor which is locally nonexpansive. The final piece necessary is 451 | a subobject of the exponential $Y^{\assignables \pto X}$ which 452 | isolates those functions which are monotone. In order to define this, 453 | we must assume that $Y$ comes equipped with a partial order. 
Viewed 454 | from the external perspective this is a family of relations indexed by 455 | natural numbers which respects reindexing. If one views the partial 456 | order internally, however, it is just a normal partial order presented 457 | categorically. The subobject desired can be defined internally in a 458 | way which is obviously correct using the internal logic of 459 | $\presheaves{\omega}$ as follows. 460 | \begin{align*} 461 | (\assignables \pto X) \mto Y &\triangleq \\ 462 | \{f : Y^{\assignables \pto X} \mid{}& 463 | \forall w_1 w_2 : \assignables \pto X.\ w_1 \reach w_2 \implies f(w_1) \le f(w_2)\} 464 | \end{align*} 465 | Constructed externally this presheaf is somewhat more difficult to 466 | construct, but still quite possible. It's 467 | \begin{align*} 468 | ((\assignables \pto X) \mto Y)(n) &= \\ 469 | \{f : (Y^{\assignables \pto X})(n) \mid{}& 470 | \forall m \le n.\ \forall w_1, w_2 : (\assignables \pto X)(n).\\ 471 | &\qquad w_1 \reach_n w_2 \implies f(m)(\star, w_1) \le_n f(m)(\star, w_2)\} 472 | \end{align*} 473 | This external definition is neither more precise nor more intuitive, 474 | so it is more helpful to read the internal version and understand that 475 | all the quantifiers in the predicate implicitly handle the steps 476 | correctly. A more technical discussion of the internal language of 477 | $\presheaves{\omega}$ is postponed until the end of this section. 478 | 479 | We may define the following contractive functor. 480 | \[ 481 | X \mapsto \later ((\assignables \pto X) \mto \upred{\term \times \term}) 482 | \] 483 | Solving this for a fixed point gives the desired presheaf of Kripke 484 | worlds. Defining the rest of the logical relation proves to be quite 485 | straightforward now that the right definition of Kripke worlds is in 486 | place. The type of our logical relation is slightly different now; 487 | it's defined as a monotone map: 488 | \[ 489 | \den{-}_{-} : \types \to \typesEnv \to \worlds \mto \upred{\term \times \term} 490 | \] 491 | Here $\mto$ is an subobject of the exponential in the presheaf 492 | category so it is indexed by natural numbers and subject to a 493 | naturality condition. Then the crucial clause of our logical relation 494 | can be defined as follows. 495 | \begin{align*} 496 | \den{\cmd{\tau}}_\eta(n)(w_1)& \triangleq \{(k, e_1, e_2) \mid 497 | k_1 \le n \land \exists m_1, m_2.\ \steps{e_i}{\cmd{m_i}} \land{}\\ 498 | &\forall w_2 \breach_{k_1} \different{r_{k_1}^n(w_1)}.\ \forall h_1 \different{\sim_{w_2}^{k_1}} h_2. 499 | \ (m_1, h_1) \simeq (m_2, h_2) \land{}\\ 500 | &\quad \different{\forall d.}\ \forall v_1, h_1', v_2, h_2'. 501 | \ (\stepsM[\different{d}]{m_1}{h_1}{\ret{v_1}}{h_1'} \land \stepsM{m_2}{h_2}{\ret{v_2}}{h_2'})\\ 502 | &\qquad \implies (\different{\exists w_3 \breach r^{k_2 - d}w_2}. 503 | \ h_1' \different{\sim_{w_3}} h_2' \land (v_1, v_2) \in \den{\tau}_\eta(k_2 - d)\different{(w_3)}) 504 | \end{align*} 505 | We can now also define $\sim$ making use of the following isomorphism. 506 | \[ 507 | \iota : \worlds \cong 508 | \later (\assignables \pto \worlds \mto \upred{\term \times \term}) 509 | \] 510 | The following definition is then quite naturally expressed 511 | internally. The external version merely involves a preponderance of 512 | indices. 
Let us suppose that $w$ is a world at stage $n$; then: 513 | \begin{align*} 514 |   h_1 &{}\sim_w h_2 \defs\\ 515 |   &\begin{cases} 516 |     \forall \alpha \in \dom(\iota(w)).\ (n - 1, h_1(\alpha), h_2(\alpha)) \in \iota(w)(\alpha)(r^{n - 1}(w)) 517 |     & n > 1\\ 518 |     \text{true} & \text{otherwise} 519 |   \end{cases} 520 | \end{align*} 521 | The essence of the definition is the self-application. A heap is 522 | related to another heap at a world if their contents at each assignable in the world's domain are related 523 | relative to (a restriction of) that same world. It was this circularity and 524 | self-application which drove us to step-indexing in the first place. 525 | 526 | The rest of the logical relation is entirely standard step-indexing, 527 | and the curious reader is referred to \citet{Ahmed:04}. 528 | 529 | A final consideration here is that the version of step-indexing 530 | presented in this paper is ``half-baked''. We have eschewed explicit 531 | indexing in the entire construction of the semantic domains and made 532 | use of $\later$ and presheaves, but then chosen to define the logical 533 | relation with explicit indexing. All the same issues that applied to 534 | the construction of the domain of discourse for the logical relation 535 | apply to the actual definition of the logical relation itself. Since our 536 | definition of the logical relation just constructs a subpresheaf 537 | pointwise using standard logical formulas and passes the index around, 538 | can we isolate the handling of the index and abstract it away? 539 | 540 | A powerful approach to handling this comes from topos theory. Topos 541 | theory is a subfield of category theory concerned with studying 542 | categories which are similar to $\SET$. It is a standard result in 543 | topos theory that all presheaf categories are toposes and so all the 544 | tools of topos theory are applicable to $\presheaves{\omega}$. For 545 | instance, the explicit definition of $\upred{A}$ can be replaced with 546 | the topos-theoretic definition of power sets. Of particular interest 547 | is the ``internal logic''\footnote{In fact, the internal logic of a 548 | topos can be generalized to a full dependent type theory with a 549 | distinguished impredicative universe. This type theory provides even 550 | more flexibility than the logic. In it, we could have defined the 551 | entirety of our construction of Kripke worlds in a setting analogous to 552 | programming in type theory.} of the topos. It turns out that 553 | $\presheaves{\omega}$ supports a version of intuitionistic 554 | higher-order logic whose interpretation is precisely the standard 555 | set-theoretic interpretation with a little extra work to pass around 556 | the index. One can take a presheaf, $A$, and a predicate, $\phi$, on 557 | it and form a subpresheaf $\{ a \in A \mid \phi(a) \}$ so that every 558 | element of this comprehension satisfies $\phi$, as one would hope. 559 | 560 | The internal logic of $\presheaves{\omega}$ includes everything we 561 | need to define our logical relation, including even a version of L\"ob induction and 562 | a logical version of later, $\ilater$. Working this way sweeps the 563 | step-index entirely under the rug and eliminates the need to 564 | perform explicit index math anywhere. Instead, the frustrating 565 | mismatch of having a fact at $n - 1$ and needing it at $n$ manifests 566 | as having $\ilater \phi$ and needing $\phi$. Proper index 567 | discipline is replaced by the proper handling of the later 568 | modality.
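For example, L\"ob induction is available in the form
\[
(\ilater \phi \implies \phi) \implies \phi
\]
which internalizes, once and for all, the induction on the step-index that step-indexed proofs must otherwise perform by hand.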
For instance, here is the definition of world satisfaction 569 | working in the internal logic. 570 | \[ 571 | h_1 \sim_w h_2 \triangleq 572 | \forall \alpha \in \dom(w). 573 | \ \sincl{\iota(w) \zap \delay(w) \zap (h_1, h_2)} 574 | \] 575 | No explicit steps are present only a handful of logical operations to 576 | handle the new type-constructor later. This approach to step-indexing, 577 | whether explicitly topos-theoretic or not is the subject of a long 578 | line of work. Importantly, this logical approach to step-indexing 579 | enables abstraction from the natural numbers themselves and suggests 580 | more general notions of step-indexing~\citep{Svendsen:16}. The most 581 | approachable introduction to this approach is \citet{Dreyer:09} and 582 | \citet{Birkedal:steps:11} provides a thorough topos-theoretic 583 | grounding explicitly using Kripke-Joyal semantics. 584 | 585 | %%% Local Variables: 586 | %%% mode: latex 587 | %%% TeX-master: "../main" 588 | %%% End: 589 | -------------------------------------------------------------------------------- /slides/happy-karl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jozefg/undergraduate-thesis/8bf8c11b7ad7d81efa5c51cabbde083a36155302/slides/happy-karl.png -------------------------------------------------------------------------------- /slides/meeting-of-the-minds.tex: -------------------------------------------------------------------------------- 1 | \documentclass{beamer} 2 | \usepackage{mathtools} 3 | \usepackage{mathpartir} 4 | \usepackage{stmaryrd} 5 | \usepackage{wasysym} 6 | \usepackage[normalem]{ulem} 7 | \usepackage{listings} 8 | \usepackage{multicol} 9 | \usepackage{microtype} 10 | \usepackage{color} 11 | \usepackage{listings} 12 | 13 | \usefonttheme[onlymath]{serif} 14 | \definecolor{JadeGreen}{RGB}{0,168,107} 15 | \definecolor{MunsellPurple}{RGB}{159,0,197} 16 | 17 | \definecolor{CobaltBlue}{RGB}{0,71,171} 18 | \definecolor{FireBrick}{RGB}{228,34,23} 19 | \definecolor{Alabaster}{RGB}{250,250,250} 20 | 21 | \definecolor{PaleGray}{gray}{0.93} 22 | 23 | \setbeamertemplate{navigation symbols}{} 24 | \setbeamertemplate{headline}{} 25 | \setbeamercolor{example text}{fg=CobaltBlue} 26 | \setbeamertemplate{itemize items}{$\bullet$} 27 | \setbeamercolor{alert text}{fg=FireBrick} 28 | 29 | \lstset{language=ML, 30 | columns=fullflexible, 31 | keepspaces=true, 32 | basicstyle=\ttfamily, 33 | tabsize=4, 34 | keywordstyle={\color{CobaltBlue}}, 35 | morekeywords={,dcl,set,get,cmd,return,} 36 | escapeinside={"*}{*"}, 37 | moredelim=*[is][\color{FireBrick}]{`}{'}, 38 | literate={->}{{$\shortrightarrow$}}1 39 | {->}{{$\gets$}}1 40 | {\\}{{$\lambda$}}1 41 | {times}{{$\times$}}1 42 | {alpha}{{$\alpha$}}1 43 | {beta}{{$\beta$}}1 44 | {gamma}{{$\gamma$}}1 45 | {vdots}{{\vdots}}1} 46 | 47 | % Formatting tools 48 | \newcommand{\declareJudgement}[1]{\framebox{$\displaystyle{}{#1}$}} 49 | \newcommand{\different}[1]{{\color{red} #1}} 50 | 51 | % Categories stuff 52 | \newcommand{\Ccat}{\ensuremath{\mathbb{C}}} 53 | \newcommand{\Dcat}{\ensuremath{\mathbb{D}}} 54 | \newcommand{\op}[1]{\ensuremath{#1^{\mathsf{op}}}} 55 | \newcommand{\SET}{\ensuremath{\mathbf{Set}}} 56 | \newcommand{\DCPO}{\ensuremath{\mathbf{Dcpo}}} 57 | \newcommand{\presheaves}[1]{\ensuremath{\widehat{#1}}} 58 | \newcommand{\transpose}[1]{\ensuremath{\widehat{#1}}} 59 | \newcommand{\pair}[2]{\ensuremath{\left\langle #1, #2 \right\rangle}} 60 | \newcommand{\univ}{\ensuremath{\mathcal{U}}} 61 | 
\newcommand{\mono}{\ensuremath{\rightarrowtail}} 62 | \newcommand{\yoneda}{\ensuremath{\mathsf{y}}} 63 | 64 | % Math stuffs 65 | \newcommand{\upred}[1]{\ensuremath{\mathsf{UPred}(#1)}} 66 | \newcommand{\reach}{\ensuremath{\mathrel{\sqsubseteq}}} 67 | \newcommand{\breach}{\ensuremath{\mathrel{\sqsupseteq}}} 68 | \newcommand{\mto}{\ensuremath{\xrightarrow{\mathsf{mon}}}} 69 | \newcommand{\pto}{\ensuremath{\xrightharpoonup{\mathsf{fin}}}} 70 | \newcommand{\pow}[1]{\ensuremath{\mathcal{P}(#1)}} 71 | \newcommand{\powfin}[1]{\ensuremath{\mathcal{P_{\mathrm{fin}}}(#1)}} 72 | \newcommand{\card}[1]{\ensuremath{\left\vert #1 \right\vert}} 73 | \newcommand{\real}{\ensuremath{\mathbb{R}}} 74 | \newcommand{\nat}{\ensuremath{\mathbb{N}}} 75 | \newcommand{\cbult}{\ensuremath{\mathrm{CBUlt}}} 76 | \newcommand{\cle}{\ensuremath{\lesssim}} 77 | \newcommand{\ceq}{\ensuremath{\cong}} 78 | \newcommand{\relR}{\ensuremath{\mathrel{\mathcal{R}}}} 79 | \newcommand{\relS}{\ensuremath{\mathrel{\mathcal{S}}}} 80 | \newcommand{\AND}{\ensuremath{\mathrel{\wedge}}} 81 | \newcommand{\OR}{\ensuremath{\mathrel{\vee}}} 82 | \newcommand{\den}[1]{\ensuremath{\llbracket #1 \rrbracket}} 83 | \newcommand{\definitely}[1]{\ensuremath{\lceil #1 \rceil}} 84 | \newcommand{\possibly}[1]{\ensuremath{\lfloor #1 \rfloor}} 85 | \newcommand{\defs}{\ensuremath{\mathrel{\triangleq}}} 86 | \newcommand{\bifix}{\ensuremath{\mathsf{bifix}}} 87 | \newcommand{\disjoint}{\ensuremath{\mathop{\#}}} 88 | \newcommand{\hole}{\ensuremath{\square}} 89 | \newcommand{\sincl}[1]{\ensuremath{\mathsf{succ}(#1)}} 90 | \newcommand{\join}{\ensuremath{\bigvee}} 91 | \newcommand{\cless}{\ensuremath{\lessapprox}} 92 | \newcommand{\aless}{\ensuremath{\lesssim}} 93 | 94 | \DeclareMathOperator{\dom}{dom} 95 | \DeclareMathOperator{\cod}{cod} 96 | 97 | % Sets 98 | \newcommand{\states}{\ensuremath{\mathrm{State}}} 99 | \newcommand{\worlds}{\ensuremath{\mathbb{W}}} 100 | \newcommand{\assignables}{\ensuremath{\mathrm{Assignable}}} 101 | \newcommand{\nrel}[1]{\ensuremath{\mathbb{R}_{#1}}} 102 | \newcommand{\semtypes}{\ensuremath{\mathbb{T}}} 103 | \newcommand{\types}{\ensuremath{\mathrm{Type}}} 104 | \newcommand{\typesEnv}{\ensuremath{\mathrm{TypeEnv}}} 105 | \newcommand{\term}{\ensuremath{\mathrm{Term}}} 106 | \newcommand{\urel}{\ensuremath{\mathrm{URel}}} 107 | 108 | % judgments 109 | \newcommand{\guardJ}[2]{\ensuremath{\text{$#1.\,#2$\ \textsf{guarded}}}} 110 | \newcommand{\hasE}[2]{\ensuremath{#1 \mathrel{:} #2}} 111 | \newcommand{\hasM}[2]{\ensuremath{#1 \mathrel{\div} #2}} 112 | \newcommand{\hasKJ}[2]{\ensuremath{#1 \vdash \hasE{#2}{\mathrm{\kind}}}} 113 | \newcommand{\hasTJ}[4]{\ifthenelse{\isempty{#1}}% 114 | {\ensuremath{#2 \vdash \hasE{#3}{#4}}}% 115 | {\ensuremath{#1;#2 \vdash \hasE{#3}{#4}}}} 116 | \newcommand{\hasEJ}[5]{\ifthenelse{\isempty{#1}}% 117 | {\ensuremath{#2; #3 \vdash \hasE{#4}{#5}}}% 118 | {\ensuremath{#1; #2; #3 \vdash \hasE{#4}{#5}}}} 119 | \newcommand{\hasESigJ}[5]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4}{#5}}} 120 | \newcommand{\hasMJ}[5]{\ensuremath{#1; #2 \vdash_{#3} \hasM{#4}{#5}}} 121 | \newcommand{\hasCEJ}[9]{\ensuremath{#5 : (#1; #2 \vdash_{#3} #4) \rightsquigarrow (#6; #7 \vdash_{#8} #9)}} 122 | 123 | \newcommand{\subKJ}[3]{\ifthenelse{\isempty{#1}}% 124 | {\ensuremath{{#2} \leq {#3}}}% 125 | {\ensuremath{{#1} \vdash {#2} \leq {#3}}}} 126 | 127 | \newcommand{\equivESigJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4 \cong #5}{#6}}} 128 | \newcommand{\approxESigJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasE{#4 \aless #5}{#6}}} 129 | 
\newcommand{\equivMJ}[6]{\ensuremath{#1; #2 \vdash_{#3} \hasM{#4 \cong #5}{#6}}} 130 | 131 | \newcommand{\step}[2]{\ensuremath{#1 \mapsto #2}} 132 | \newcommand{\steps}[2]{\ensuremath{#1 \mapsto^* #2}} 133 | \newcommand{\stepM}[4]{\ensuremath{(#1, #2) \mapsto (#3, #4)}} 134 | \newcommand{\stepsM}[5][*]{\ensuremath{(#2, #3) \mapsto^{#1} (#4, #5)}} 135 | 136 | \newcommand{\dec}[4][i]{\ensuremath{#2 \rhd^{#1} #3 : #4}} 137 | \newcommand{\valueJ}[1]{\ensuremath{#1\ \mathsf{value}}} 138 | \newcommand{\finalJ}[2]{\ensuremath{(#1, #2)\ \mathsf{final}}} 139 | 140 | % language 141 | \newcommand{\kind}{\ensuremath{\mathsf{kind}}} 142 | \newcommand{\later}{\ensuremath{{\blacktriangleright}}} 143 | \newcommand{\ilater}{\ensuremath{{\triangleright}}} 144 | \newcommand{\rec}[2]{\ensuremath{\mu #1.\, #2}} 145 | \newcommand{\fn}[2]{\ensuremath{#1 \to #2}} 146 | \newcommand{\tp}{\ensuremath{\mathsf{T}}} 147 | \newcommand{\unit}{\ensuremath{\mathsf{unit}}} 148 | \newcommand{\cmd}[1]{\ensuremath{\mathsf{cmd}(#1)}} 149 | 150 | \newcommand{\ap}[2]{\ensuremath{#1\ #2}} 151 | \newcommand{\lam}[3]{\ensuremath{\lambda #1 {:} #2.\, #3}} 152 | \newcommand{\into}[1]{\ifthenelse{\isempty{#1}}% 153 | {\ensuremath{\mathsf{in}}}% 154 | {\ensuremath{\mathsf{in}\,#1}}} 155 | \newcommand{\out}[1]{\ifthenelse{\isempty{#1}}% 156 | {\ensuremath{\mathsf{out}}}% 157 | {\ensuremath{\mathsf{out}\,#1}}} 158 | \newcommand{\delay}{\mathsf{next}} 159 | \newcommand{\fix}{\mathsf{fix}} 160 | \newcommand{\letdelay}[3]{\ensuremath{\mathsf{let\ next\ } #1 = #2 \mathsf{\ in\ } #3}} 161 | \newcommand{\all}[3]{\ensuremath{\forall #1 {:} #2.\, #3}} 162 | \newcommand{\allNoKind}[2]{\ensuremath{\forall #1.\, #2}} 163 | 164 | \newcommand{\Ap}[2]{\ensuremath{#1[#2]}} 165 | \newcommand{\Lam}[3]{\ensuremath{\Lambda #1 {:} #2.\, #3}} 166 | 167 | \newcommand{\LamNoKind}[2]{\ensuremath{\Lambda #1.\, #2}} 168 | \newcommand{\ret}[1]{\ensuremath{\mathsf{ret}(#1)}} 169 | \newcommand{\get}[1]{\ensuremath{\mathsf{get}[#1]}} 170 | \newcommand{\set}[2]{\ensuremath{\mathsf{set}[#1](#2)}} 171 | \newcommand{\dcl}[3]{\ensuremath{\mathsf{dcl}\ #1 := #2\ \mathsf{in}\ #3}} 172 | \newcommand{\bnd}[3]{\ensuremath{\mathsf{bnd}\ #1 \gets #2;\ #3}} 173 | 174 | \newcommand{\trunc}{\ensuremath{\mathsf{trunc}}} 175 | 176 | \newcommand{\littrue}{\ensuremath{\mathsf{true}}} 177 | \newcommand{\litfalse}{\ensuremath{\mathsf{false}}} 178 | 179 | \newcommand{\zap}{\ensuremath{\circledast}} 180 | 181 | \title{The Next 700 Failed \\Step-Index-Free Logical Relations} 182 | \author{Daniel Gratzer} 183 | \date{\today} 184 | 185 | \begin{document} 186 | \begin{frame} 187 | \titlepage 188 | \end{frame} 189 | 190 | \begin{frame} 191 | \centering 192 | Goals for today's talk: 193 | \begin{itemize} 194 | \item Sketch what logical relations are. 195 | \item Sketch what step-indexing is. 196 | \end{itemize} 197 | \end{frame} 198 | 199 | \begin{frame} 200 | \begin{center} 201 | \bf When are two programs equal? 202 | \end{center} 203 | \begin{enumerate} 204 | \item<2-> Compiler optimizations 205 | \item<3-> Data abstraction 206 | \item<4-> Compositional verification proofs 207 | \end{enumerate} 208 | \end{frame} 209 | 210 | \begin{frame} 211 | \begin{center} 212 | Two programs are equal \textbf{if} you can replace one with 213 | another in a bigger program without causing a change in termination 214 | behavior. 215 | \end{center} 216 | \end{frame} 217 | 218 | \begin{frame} 219 | \centering 220 | To prove that two programs, $e_1$ and $e_2$ are equal... 
221 | \begin{enumerate} 222 | \item Pick a program with a hole in it, $C$ 223 | \item Test whether $C[e_1]$ terminates 224 | \item Test whether $C[e_2]$ terminates 225 | \item If the results disagree, they're not equal 226 | \item Repeat for every possible $C$ 227 | \end{enumerate} 228 | \end{frame} 229 | 230 | \begin{frame} 231 | \centering 232 | \begin{quote} 233 | \centering\it Repeat for every possible $C$ 234 | \end{quote} 235 | There are a lot of $C$s. 236 | \end{frame} 237 | 238 | \begin{frame} 239 | \centering 240 | Key idea: use {\color<2>{PaleGray} the structure of the} types 241 | {\color<2>{PaleGray} to classify what contexts are worth considering.} 242 | \pause 243 | \bigskip 244 | 245 | \begin{figure} 246 | \includegraphics[height=5cm,keepaspectratio]{happy-karl} 247 | \end{figure} 248 | \end{frame} 249 | 250 | \begin{frame} 251 | \centering 252 | This works well for ``logical'' connectives: $\to$, $\times$, $+$, 253 | $\exists$, $\forall$... 254 | \[ 255 | f_1 \sim f_2 : \fn{\tau_1}{\tau_2} \triangleq 256 | \forall a_1 \sim a_2 : \tau_1.\ \ap{f_1}{a_1} \sim \ap{f_2}{a_2} : \tau_2 257 | \] 258 | \pause 259 | \bigskip 260 | 261 | What about types that are not so obviously logical? 262 | \end{frame} 263 | 264 | \begin{frame} 265 | \centering 266 | What about state? 267 | 268 | \bigskip 269 | 270 | We consider a language with a type classifying imperative 271 | computation: $\cmd{\tau}$. 272 | \end{frame} 273 | 274 | % \begin{frame}[fragile] 275 | % \centering 276 | % \begin{minipage}{0.5\textwidth} 277 | % \centering 278 | % \begin{lstlisting} 279 | % cmd( 280 | % dcl alpha := 1 in 281 | % return cmd(get alpha) 282 | % ) 283 | % \end{lstlisting} 284 | % \end{minipage}% 285 | % \begin{minipage}{0.5\textwidth} 286 | % \centering 287 | % \begin{lstlisting} 288 | % cmd(cmd(return 1)) 289 | % \end{lstlisting} 290 | % \end{minipage} 291 | % \end{frame} 292 | 293 | \begin{frame} 294 | \centering 295 | How do we define $\cmd{m_1}$ is equal to $\cmd{m_2}$? 296 | \pause 297 | \bigskip 298 | \begin{itemize} 299 | \item Commands are functions: heap to heap and a result 300 | \item How do we compare heaps for equality? 301 | \item Which heaps do we need to consider? 302 | \end{itemize} 303 | \end{frame} 304 | 305 | \begin{frame} 306 | \centering 307 | \textbf{Kripke Logical Relations} 308 | 309 | \begin{itemize} 310 | \item Equip the logical relations by $\worlds$ to describe the 311 | possible heaps 312 | \item Evolve the world to represent new allocations and other 313 | changes 314 | \end{itemize} 315 | \end{frame} 316 | 317 | \begin{frame} 318 | \centering What should $\worlds$ be? 319 | \begin{align*} 320 | \semtypes &= \worlds \mto \pow{\term \times \term}\\ 321 | \worlds &= \assignables \pto \semtypes 322 | \end{align*} 323 | \pause 324 | \bigskip 325 | No solutions in sets. 326 | \end{frame} 327 | 328 | \begin{frame} 329 | Step-indexing: solve these equations up to $n$ unfoldings. 330 | 331 | \begin{itemize} 332 | \item $\sim$ can now means that two programs are equal for at least 333 | $n$ steps 334 | \item Can't get rid of these steps 335 | \item Lose ability to talk about any ``global truth'' 336 | \end{itemize} 337 | \end{frame} 338 | 339 | \begin{frame} 340 | \centering 341 | Idea of this thesis: can we solve these equations in a different 342 | way? 343 | 344 | \pause 345 | \bigskip 346 | No 347 | 348 | \pause 349 | \bigskip 350 | We couldn't figure out how. 
351 | \end{frame} 352 | 353 | \begin{frame} 354 | Many theories for solving recursive equations outside of $\SET$ 355 | \begin{itemize} 356 | \item All about finding restrictions on $\to$ to avoid cardinality 357 | issues 358 | \item None of them are sufficient 359 | \end{itemize} 360 | \end{frame} 361 | 362 | \begin{frame} 363 | \centering 364 | Going forward 365 | \begin{itemize} 366 | \item Adopt more modern approaches to step-indexing (internal 367 | logics, etc) 368 | \item Explore richer settings for indexing structures 369 | \item Develop a more complete theory of logical relations to explain 370 | why this issue is so persistent 371 | \end{itemize} 372 | \pause 373 | \bigskip 374 | Thank you. 375 | \end{frame} 376 | \end{document} 377 | --------------------------------------------------------------------------------