Logical Step-Indexed Logical Relations
Derek Dreyer, Max Planck Institute for Software Systems, Saarbrücken, Germany
LICS 2009, UCLA, August 12, 2009
Joint work with Amal Ahmed and Lars Birkedal
Logical Relations
$V\llbracket \mathsf{nat} \rrbracket\rho = \{ (n, n) \mid n \in \mathbb{N} \}$
$V\llbracket \tau' \to \tau'' \rrbracket\rho = \{ (\lambda x.\,e_1, \lambda x.\,e_2) \mid \forall v_1, v_2.\ (v_1, v_2) \in V\llbracket \tau' \rrbracket\rho \Rightarrow (e_1[v_1/x], e_2[v_2/x]) \in E\llbracket \tau'' \rrbracket\rho \}$
$V\llbracket \exists\alpha.\,\tau \rrbracket\rho = \{ (\mathsf{pack}\ \tau_1, v_1\ \mathsf{as}\ \cdots,\ \mathsf{pack}\ \tau_2, v_2\ \mathsf{as}\ \cdots) \mid \exists \chi \in \mathrm{Rel}(\tau_1, \tau_2).\ (v_1, v_2) \in V\llbracket \tau \rrbracket\rho, \alpha \mapsto (\tau_1, \tau_2, \chi) \}$
$V\llbracket \alpha \rrbracket\rho = \chi$ where $\rho(\alpha) = (\tau_1, \tau_2, \chi)$
Logical Relations for Recursive Types?
$V\llbracket \mu\alpha.\,\tau \rrbracket\rho = \{ (\mathsf{fold}\ v_1, \mathsf{fold}\ v_2) \mid (v_1, v_2) \in V\llbracket \tau[\mu\alpha.\,\tau/\alpha] \rrbracket\rho \}$
Problem: The definition is no longer well-founded! The right-hand side refers to the unfolded type $\tau[\mu\alpha.\,\tau/\alpha]$, which is in general no smaller than $\mu\alpha.\,\tau$, so the definition does not recurse on a smaller type.
Step-Indexed Logical Relations (Appel–McAllester '01)
Idea: Index logical relations by $n \in \mathbb{N}$, representing "the number of steps left until the clock runs out."
• Two terms are related "infinitely" iff they are $n$-related for all $n$.
$V\llbracket \mu\alpha.\,\tau \rrbracket\rho = \{ (n, \mathsf{fold}\ v_1, \mathsf{fold}\ v_2) \mid (n-1, v_1, v_2) \in V\llbracket \tau[\mu\alpha.\,\tau/\alpha] \rrbracket\rho \}$
Intuitively, this makes sense because it takes a step of computation to extract $v_i$ from $\mathsf{fold}\ v_i$.
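Added worked argument, not part of the slides: why the step index restores well-foundedness, written with the slides' own symbols. It takes the lexicographic measure $(n, |\tau|)$ as the induction principle and reads the clause at $n = 0$ as imposing no constraint; both are assumptions about the intended reading, since the slides display only the $\mu$ clause.

```latex
% Added example (not from the slides). Assumption: the relation is defined by
% well-founded recursion on the pair (n, |tau|), ordered lexicographically,
% where |tau| is the size of the type; at n = 0 the fold clause is vacuous.
\text{Goal: define } (n, v_1, v_2) \in V\llbracket \tau \rrbracket\rho \text{ for all } n \in \mathbb{N} \text{ and all types } \tau.
\[
\begin{array}{lcl}
(n, \mathsf{fold}\ v_1, \mathsf{fold}\ v_2) \in V\llbracket \mu\alpha.\,\tau \rrbracket\rho
 & \iff & n = 0 \ \vee\ (n-1, v_1, v_2) \in V\llbracket \tau[\mu\alpha.\,\tau/\alpha] \rrbracket\rho \\[6pt]
\multicolumn{3}{l}{\text{Measure of the recursive call: } (n-1,\ |\tau[\mu\alpha.\,\tau/\alpha]|) \;<_{\mathrm{lex}}\; (n,\ |\mu\alpha.\,\tau|) \ \text{ because } n-1 < n,}\\
\multicolumn{3}{l}{\text{even though } |\tau[\mu\alpha.\,\tau/\alpha]| \geq |\mu\alpha.\,\tau| \text{ in general: the type grows, but the index shrinks first.}}
\end{array}
\]
\text{Every other clause of the definition recurses on a proper subtype of } \tau
\text{ (e.g. } \tau' \text{ and } \tau'' \text{ for } \tau' \to \tau''\text{); whether or not it also lowers } n,
\text{ its measure is } (n', |\tau'|) <_{\mathrm{lex}} (n, |\tau' \to \tau''|) \text{ with } n' \le n.
\text{Hence the measure strictly decreases in every clause, and the indexed family is well defined.}
\[
(v_1, v_2) \in V^{\infty}\llbracket \tau \rrbracket\rho \;\stackrel{\mathrm{def}}{\iff}\; \forall n \in \mathbb{N}.\ (n, v_1, v_2) \in V\llbracket \tau \rrbracket\rho
\qquad \text{(``infinitely related'', as on the slide)}
\]
\text{Consequence: } (\mathsf{fold}^{k}\, v_1, \mathsf{fold}^{k}\, v_2) \text{ at index } n \text{ constrains } (v_1, v_2) \text{ only at index } n-k \text{ when } k \le n,
\text{ and not at all when } k > n: \text{ with } n \text{ steps on the clock, at most } n \text{ unfoldings are ever inspected.}
```

The point of the measure is that the index, not the type, is what decreases through a fold; the type may grow without bound under repeated unfolding, and that is exactly why the unindexed definition of the previous slide fails.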
Advantages of Step-Indexed Logical Relations
Easy to develop using only elementary mathematical constructions.
Applicable to "difficult" languages, e.g., with higher-order state:
• Imperative self-adjusting computation (Acar et al., POPL'08)
• Representation independence for "generative" ADTs (POPL'09)
• Parametricity in the presence of dynamic typing (ICFP'09)
• Compiler correctness (Benton et al., e.g., TLDI'09, ICFP'09)
• ...
Comparison With Other Approaches
With more mathematically sophisticated approaches (e.g., minimal invariance, FM-cpos, ultra-metric spaces):
✘ Hard to construct, not as (obviously) widely applicable
✔ Easy to develop high-level equational proof principles
With step-indexed logical relations:
✔ Easy to construct, widely applicable
✘ Hard to develop high-level equational proof principles
You get what you pay for!
Problem #1: Step-Index Arithmetic Pervades Proofs
Steps make constructing the model easy, but the user of the model shouldn't have to deal with them.
• Important to develop clean, abstract, step-free proof principles
E.g., Appel–McAllester claim this extensionality property:
• $f_1$ and $f_2$ are infinitely related (i.e., related for any number of steps) iff for all $v_1$ and $v_2$ that are infinitely related, $f_1\, v_1$ and $f_2\, v_2$ are, too.
Unfortunately, it is false!
• In fact, $f_1$ and $f_2$ are infinitely related iff, for any step level $n$, for all $v_1$ and $v_2$ that are $n$-related, $f_1\, v_1$ and $f_2\, v_2$ are $n$-related, too.
Problem #2: Lack of Equational Proof Principles
Step-indexed logical relations are fundamentally asymmetric, i.e., they model approximation ($\le$), not equivalence ($\equiv$).
• We can define $e_1 \equiv e_2$ to mean $e_1 \le e_2 \wedge e_2 \le e_1$.
We would like a symmetric extensionality principle, e.g.,
• $f_1 \equiv f_2$ iff $\forall v_1, v_2.$ $v_1 \equiv v_2$ implies $f_1\, v_1 \equiv f_2\, v_2$.
But even ignoring Problem #1, this is false:
• To show $f_1 \equiv f_2$, we must show that $v_1 \le v_2$ implies $f_1\, v_1 \le f_2\, v_2$, and that $v_2 \le v_1$ implies $f_2\, v_2 \le f_1\, v_1$.
Our Contributions
• Define a relational modal logic, LSLR, for expressing step-indexed logical relations without mentioning steps.
• Define a step-free logical relation in LSLR for reasoning about program (in-)equivalence in System F + recursive types.
• Show the logical relation is sound w.r.t. contextual equivalence by defining a suitable "step-indexed" model of LSLR.
• Develop a set of useful derivable rules concerning the logical relation.
• Demonstrate the effectiveness of our approach by proving several representative examples of contextual equivalences from the literature.
Outline
1. The Language $F^\mu$
2. The Logic LSLR
3. Encoding a Logical Relation for $F^\mu$ in LSLR
4. Derivable Rules
The Language $F^\mu$
Types $\tau ::= \alpha \mid \mathsf{unit} \mid \mathsf{int} \mid \mathsf{bool} \mid \tau_1 \times \tau_2 \mid \tau_1 + \tau_2 \mid \tau_1 \to \tau_2 \mid \forall\alpha.\,\tau \mid \exists\alpha.\,\tau \mid \mu\alpha.\,\tau$
Prim Ops $o ::= + \mid - \mid = \mid < \mid \le \mid \ldots$
Terms $e ::= x \mid () \mid \pm n \mid o(e_1, \ldots, e_n) \mid \mathsf{true} \mid \mathsf{false} \mid \mathsf{if}\ e\ \mathsf{then}\ e_1\ \mathsf{else}\ e_2 \mid \langle e_1, e_2 \rangle \mid \mathsf{fst}\ e \mid \mathsf{snd}\ e \mid \mathsf{inl}_\tau\ e \mid \mathsf{inr}_\tau\ e \mid \mathsf{case}\ e\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow e_1 \mid \mathsf{inr}\ x_2 \Rightarrow e_2 \mid \lambda x{:}\tau.\,e \mid e_1\ e_2 \mid \Lambda\alpha.\,e \mid e[\tau] \mid \mathsf{pack}\ \tau, e\ \mathsf{as}\ \exists\alpha.\,\tau' \mid \mathsf{unpack}\ e_1\ \mathsf{as}\ \alpha, x\ \mathsf{in}\ e_2 \mid \mathsf{fold}_\tau\ e \mid \mathsf{unfold}\ e$
Values $v ::= x \mid () \mid \pm n \mid \mathsf{true} \mid \mathsf{false} \mid \langle v_1, v_2 \rangle \mid \mathsf{inl}_\tau\ v \mid \mathsf{inr}_\tau\ v \mid \lambda x{:}\tau.\,e \mid \Lambda\alpha.\,e \mid \mathsf{pack}\ \tau_1, v\ \mathsf{as}\ \exists\alpha.\,\tau \mid \mathsf{fold}_\tau\ v$
The Logic LSLR (Basic Idea)
Start with Plotkin and Abadi's "logic for parametric polymorphism" (TLCA'93)
• Adapt it to reason operationally about CBV small-step semantics
Extend it with recursively defined relations
• Enables a straightforward logical relation for recursive types
• To make sense of circularity, introduce the "later" operator $\rhd A$ from Appel, Melliès, Richards, and Vouillon's "very modal model" paper (POPL'07), which in turn was adapted from the Gödel–Löb logic of provability
The Logic LSLR (Syntax)
Rel. Var's $r, s \in \mathrm{RelVar}$
$F^\mu$ Ctxt's $\Gamma ::= \cdot \mid \Gamma, \alpha \mid \Gamma, x{:}\tau \mid \Gamma, t{:}\tau$
Rel. Ctxt's $\Delta ::= \cdot \mid \Delta, r : \mathrm{VRel}(\tau_1, \tau_2) \mid \Delta, r : \mathrm{TRel}(\tau_1, \tau_2)$
Log. Ctxt's $\Theta ::= \cdot \mid \Theta, A$
Atomic Prop's $P ::= e_1 = e_2 \mid e_1 \mapsto^{0} e_2 \mid e_1 \mapsto^{1} e_2 \mid e_1 \mapsto^{*} e_2$
Propositions $A, B ::= P \mid \top \mid \bot \mid A \wedge B \mid A \vee B \mid A \supset B \mid \forall\Gamma.\,A \mid \exists\Gamma.\,A \mid \forall\Delta.\,A \mid \exists\Delta.\,A \mid (e_1, e_2) \in R \mid \rhd A$
Relations $R, S ::= r \mid (x_1{:}\tau_1, x_2{:}\tau_2).\,A \mid (t_1{:}\tau_1, t_2{:}\tau_2).\,A \mid \mu r.\,R$
LSLR Main Judgment: $\Gamma; \Delta; \Theta \vdash A$
Relational Axioms
$(v_1, v_2) \in (x_1{:}\tau_1, x_2{:}\tau_2).\,A \equiv A[v_1/x_1, v_2/x_2]$
$(e_1, e_2) \in (t_1{:}\tau_1, t_2{:}\tau_2).\,A \equiv A[e_1/t_1, e_2/t_2]$
$(e_1, e_2) \in \mu r.\,R \equiv (e_1, e_2) \in R[\mu r.\,R / r]$
Monotonicity: $A \supset \rhd A$
Löb Rule: $(\rhd A \supset A) \supset A$
Distributivity Laws
$\rhd(A \wedge B) \equiv \rhd A \wedge \rhd B$
$\rhd(A \vee B) \equiv \rhd A \vee \rhd B$
$\rhd(A \supset B) \equiv \rhd A \supset \rhd B$
$\rhd\forall\Gamma.\,A \equiv \forall\Gamma.\,\rhd A$
$\rhd\forall\Delta.\,A \equiv \forall\Delta.\,\rhd A$
$\rhd\exists\Gamma.\,A \equiv \exists\Gamma.\,\rhd A$
$\rhd\exists\Delta.\,A \equiv \exists\Delta.\,\rhd A$
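Added derivation, not from the slides: two rules obtained from the Monotonicity, Löb and Distributivity axioms displayed above, showing how $\rhd$ supports induction over a recursively defined relation without any step counting. It assumes the usual $\supset$-introduction and $\supset$-elimination rules for the judgment $\Gamma;\Delta;\Theta \vdash A$ (discharging a hypothesis from $\Theta$), and, in the final sketch, that the encoding of Section 3 places each recursive occurrence of $r$ under $\rhd$; the slides state the latter only as the motivation for introducing $\rhd$.

```latex
% Added example (not from the slides). Uses only the axioms shown on the slides:
%   Monotonicity   C ⊃ ▷C
%   Löb            (▷C ⊃ C) ⊃ C
%   Distributivity ▷(A ⊃ B) ≡ ▷A ⊃ ▷B,   ▷∀Γ'.A ≡ ∀Γ'.▷A
% plus ⊃-introduction / ⊃-elimination for Γ;Δ;Θ ⊢ A (assumed).

\text{(1) } \rhd \text{ preserves implication (derived rule).}
\[
\frac{\Gamma;\Delta;\Theta \vdash A \supset B}{\Gamma;\Delta;\Theta \vdash \rhd A \supset \rhd B}
\qquad
\begin{array}{lll}
1. & \Gamma;\Delta;\Theta \vdash A \supset B & \text{premise}\\
2. & \Gamma;\Delta;\Theta \vdash (A \supset B) \supset \rhd(A \supset B) & \text{Monotonicity with } C := A \supset B\\
3. & \Gamma;\Delta;\Theta \vdash \rhd(A \supset B) & \supset\text{-elim on 1, 2}\\
4. & \Gamma;\Delta;\Theta \vdash \rhd(A \supset B) \equiv \rhd A \supset \rhd B & \text{Distributivity}\\
5. & \Gamma;\Delta;\Theta \vdash \rhd A \supset \rhd B & \text{from 3, 4}
\end{array}
\]

\text{(2) Löb induction for a quantified goal (derived rule).}
\[
\frac{\Gamma;\Delta;\Theta,\ \forall\Gamma'.\,\rhd A \vdash \forall\Gamma'.\,A}{\Gamma;\Delta;\Theta \vdash \forall\Gamma'.\,A}
\qquad
\begin{array}{lll}
1. & \Gamma;\Delta;\Theta,\ \forall\Gamma'.\,\rhd A \vdash \forall\Gamma'.\,A & \text{premise}\\
2. & \Gamma;\Delta;\Theta \vdash (\forall\Gamma'.\,\rhd A) \supset \forall\Gamma'.\,A & \supset\text{-intro on 1 (assumed rule)}\\
3. & \Gamma;\Delta;\Theta \vdash \rhd(\forall\Gamma'.\,A) \equiv \forall\Gamma'.\,\rhd A & \text{Distributivity}\\
4. & \Gamma;\Delta;\Theta \vdash \rhd(\forall\Gamma'.\,A) \supset \forall\Gamma'.\,A & \text{from 2, 3}\\
5. & \Gamma;\Delta;\Theta \vdash (\rhd(\forall\Gamma'.\,A) \supset \forall\Gamma'.\,A) \supset \forall\Gamma'.\,A & \text{Löb with } C := \forall\Gamma'.\,A\\
6. & \Gamma;\Delta;\Theta \vdash \forall\Gamma'.\,A & \supset\text{-elim on 4, 5}
\end{array}
\]

\text{(3) Shape of a proof about } \mu r.\,R \text{ (sketch, under the guardedness assumption).}
\[
\text{Goal: } \Gamma;\Delta;\Theta \vdash \forall t_1{:}\tau_1, t_2{:}\tau_2.\ (t_1, t_2) \in \mu r.\,R \supset B
\]
\[
\text{By (2) it suffices to prove the goal under the hypothesis } H := \forall t_1, t_2.\ \rhd\big((t_1, t_2) \in \mu r.\,R \supset B\big).
\]
\[
\text{Unfold once with the relational axiom: } (t_1, t_2) \in \mu r.\,R \equiv (t_1, t_2) \in R[\mu r.\,R / r].
\]
\[
\text{Each recursive occurrence } (t_1', t_2') \in \mu r.\,R \text{ inside } R[\mu r.\,R / r] \text{ is guarded, i.e. appears as } \rhd\big((t_1', t_2') \in \mu r.\,R\big)\ \text{(assumption)},
\]
\[
\text{so instantiating } H \text{ at } t_1', t_2' \text{ and applying } \rhd(P \supset B') \equiv \rhd P \supset \rhd B' \text{ yields } \rhd B' \text{ for that occurrence.}
\]
\text{No step index appears anywhere: the ``one step later'' bookkeeping is carried entirely by } \rhd.
```

Rule (2) is the step-free counterpart of "induction on the step index": the hypothesis $\forall\Gamma'.\,\rhd A$ plays the role of "the property holds at all smaller indices", and Löb's rule discharges it. Rule (1) is what lets that hypothesis be used inside the unfolded relation, where the recursive occurrences sit under $\rhd$.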