A Coq-definitional implementation of the Lax Logical Framework LLF_P, for "fast and loose" reasoning
F. Alessi, A. Ciaffaglione, P. Di Gianantonio, F. Honsell, M. Lenisa
name.surname@uniud.it
Department of Mathematics, Computer Science, and Physics, University of Udine - Udine, Italy
Logical Frameworks and Meta-Languages: Theory and Practice (LFMTP-2019), Vancouver, Canada - June 22, 2019
We are grateful to Ivan Scagnetto and anonymous referees for helpful comments and suggestions
F. Alessi et alii, LLF_P for fast and loose reasoning, 1 / 1
Outline
1 Motivation
2 The Logical Frameworks LLF_P and LLF_P^+
3 The monadic nature of Locks in LLF_P and LLF_P^+
4 Applications of Locks
5 Implementation of LLF_P and LLF_P^+ in Coq
6 Call-by-value λ-calculus
7 Branch prediction
8 Optimistic concurrency control
Motivation for LLF_P's
Prudentially and incrementally, extend LF conservatively so as to:
- integrate in a unique Logical Framework different epistemic sources of evidence deriving from special-purpose tools, oracles, and even non-apodictic ones, e.g. explicit computations, deduction up-to, diagrams, physical analogies;
- factor out, postpone, or run in parallel the verification of "morally" proof-irrelevant and time-consuming judgments and side conditions;
- support formal reasoning according to the fast and loose reasoning paradigm, which trades off correctness for efficiency by running computationally demanding checks in parallel, or postponing tedious verifications until worthwhile.
This paradigm is used in everyday mathematics carried out in naïve Set Theory, or when introducing blanket assumptions to be formalized and checked later, e.g. typical ambiguity $U \in U$; in branch prediction in processor architecture, or in optimistic concurrency in distributed systems.
LLF_P's appear in a series of papers by subsets of the authors together with I. Scagnetto, L. Liquori, and P. Maksimović since 2007 [8,9,10,11]. LLF_P's were presented at LFMTP in 2012, 2013, 2015 and 2017.
The LLF_P Logical Framework
Syntax
Signatures: $\Sigma \in \mathcal{S}$, $\Sigma ::= \emptyset \mid \Sigma, a{:}K \mid \Sigma, c{:}\sigma$
Contexts: $\Gamma \in \mathcal{C}$, $\Gamma ::= \emptyset \mid \Gamma, x{:}\sigma$
Kinds: $K \in \mathcal{K}$, $K ::= \mathrm{Type} \mid \Pi x{:}\sigma.\, K$
Families: $\sigma, \tau, \rho \in \mathcal{F}$, $\sigma ::= a \mid \Pi x{:}\sigma.\, \tau \mid \sigma\, N \mid \mathcal{L}^{P}_{N,\sigma}[\rho]$
Objects: $M, N \in \mathcal{O}$, $M ::= c \mid x \mid \lambda x{:}\sigma.\, M \mid M\, N \mid \mathcal{L}^{P}_{N,\sigma}[M] \mid \mathcal{U}^{P}_{N,\sigma}[M]$
Propositions: $P ::= \ldots$
Reduction
$(\lambda x{:}\sigma.\, M)\, N \to_{\beta\mathcal{L}} M[N/x]$
$\mathcal{U}^{P}_{N,\sigma}[\mathcal{L}^{P}_{N,\sigma}[M]] \to_{\beta\mathcal{L}} M$
Typing judgments
$\Sigma\ \mathrm{sig}$: Σ is a valid signature
$\vdash_\Sigma \Gamma$: Γ is a valid context in Σ
$\Gamma \vdash_\Sigma K$: K is a kind in Γ and Σ
$\Gamma \vdash_\Sigma \sigma : K$: σ has kind K in Γ and Σ
$\Gamma \vdash_\Sigma M : \sigma$: M has type σ in Γ and Σ
The extended LLF_P^+ Logical Framework
Syntax
Signatures: $\Sigma \in \mathcal{S}$, $\Sigma ::= \emptyset \mid \Sigma, a{:}K \mid \Sigma, c{:}\sigma$
Contexts: $\Gamma \in \mathcal{C}$, $\Gamma ::= \emptyset \mid \Gamma, x{:}\sigma$
Kinds: $K \in \mathcal{K}$, $K ::= \mathrm{Type} \mid \Pi x{:}\sigma.\, K$
Families: $\sigma, \tau, \rho \in \mathcal{F}$, $\sigma ::= a \mid \Pi x{:}\sigma.\, \tau \mid \sigma\, N \mid \mathcal{L}^{P}_{N,\sigma}[\rho] \mid \mathcal{L}^{P}_{\sigma,K}[\rho]$
Objects: $M, N \in \mathcal{O}$, $M ::= c \mid x \mid \lambda x{:}\sigma.\, M \mid M\, N \mid \mathcal{L}^{P}_{N,\sigma}[M] \mid \mathcal{U}^{P}_{N,\sigma}[M] \mid \mathcal{L}^{P}_{\sigma,K}[M] \mid \mathcal{U}^{P}_{\sigma,K}[M]$
Reduction
$(\lambda x{:}\sigma.\, M)\, N \to_{\beta\mathcal{L}} M[N/x]$
$\mathcal{U}^{P}_{U,V}[\mathcal{L}^{P}_{U,V}[W]] \to_{\beta\mathcal{L}} W$
$\mathcal{L}^{P}_{U,V}[\mathcal{U}^{P}_{U,V}[W]] \to_{\beta\mathcal{L}} W$
Typing judgments
$\Sigma\ \mathrm{sig}$: Σ is a valid signature
$\vdash_\Sigma \Gamma$: Γ is a valid context in Σ
$\Gamma \vdash_\Sigma K$: K is a kind in Γ and Σ
$\Gamma \vdash_\Sigma \sigma : K$: σ has kind K in Γ and Σ
$\Gamma \vdash_\Sigma M : \sigma$: M has type σ in Γ and Σ
LLF_P's typing rules (objects)
The crucial rules are those dealing with lock types:
lock-introduction
$$\frac{\Gamma \vdash_\Sigma M : \rho \qquad \Gamma \vdash_\Sigma N : \sigma}{\Gamma \vdash_\Sigma \mathcal{L}^{P}_{N,\sigma}[M] : \mathcal{L}^{P}_{N,\sigma}[\rho]}\ (O{\cdot}\mathit{Lock})$$
lock-elimination
$$\frac{\Gamma \vdash_\Sigma M : \mathcal{L}^{P}_{N,\sigma}[\rho] \qquad \Gamma \vdash_\Sigma N : \sigma \qquad P(\Gamma \vdash_\Sigma N : \sigma)}{\Gamma \vdash_\Sigma \mathcal{U}^{P}_{N,\sigma}[M] : \rho}\ (O{\cdot}\mathit{Top}{\cdot}\mathit{Unlock})$$
guarded lock-elimination
$$\frac{\Gamma, x{:}\tau \vdash_\Sigma \mathcal{L}^{P}_{S,\sigma}[M] : \mathcal{L}^{P}_{S,\sigma}[\rho] \qquad \Gamma \vdash_\Sigma N : \mathcal{L}^{P}_{S',\sigma'}[\tau] \qquad \sigma =_{\beta\mathcal{L}} \sigma' \qquad S =_{\beta\mathcal{L}} S'}{\Gamma \vdash_\Sigma \mathcal{L}^{P}_{S,\sigma}[M[\mathcal{U}^{P}_{S',\sigma'}[N]/x]] : \mathcal{L}^{P}_{S,\sigma}[\rho[\mathcal{U}^{P}_{S',\sigma'}[N]/x]]}\ (O{\cdot}\mathit{Guarded}{\cdot}\mathit{Unlock})$$
Extended LLF_P^+'s typing rules
Locks can access all sorts of judgments $\Gamma \vdash U : V$:
lock-introduction
$$\frac{\Gamma \vdash_\Sigma M : \rho \qquad \Gamma \vdash_\Sigma U : V}{\Gamma \vdash_\Sigma \mathcal{L}^{P}_{U,V}[M] : \mathcal{L}^{P}_{U,V}[\rho]}\ (O{\cdot}\mathit{Lock})$$
un-guarded lock-elimination
$$\frac{\Gamma \vdash_\Sigma N : \mathcal{L}^{P}_{U,V}[\tau] \qquad \Gamma, x{:}\tau \vdash_\Sigma M : \rho \qquad P(\Gamma \vdash_\Sigma U' : V') \qquad U =_{\beta\mathcal{L}} U' \qquad V =_{\beta\mathcal{L}} V'}{\Gamma \vdash_\Sigma M[\mathcal{U}^{P}_{U',V'}[N]/x] : \rho[\mathcal{U}^{P}_{U',V'}[N]/x]}\ (O{\cdot}\mathit{Top}{\cdot}\mathit{Unlock})$$
guarded lock-elimination
$$\frac{\Gamma, x{:}\tau \vdash_\Sigma M : \mathcal{L}^{P}_{U',V'}[\rho] \qquad \Gamma \vdash_\Sigma N : \mathcal{L}^{P}_{U,V}[\tau] \qquad U =_{\beta\mathcal{L}} U' \qquad V =_{\beta\mathcal{L}} V'}{\Gamma \vdash_\Sigma M[\mathcal{U}^{P}_{U',V'}[N]/x] : \mathcal{L}^{P}_{U',V'}[\rho][\mathcal{U}^{P}_{U',V'}[N]/x]}\ (O{\cdot}\mathit{Guarded}{\cdot}\mathit{Unlock})$$
LLF_P^+'s typing rules (signatures, contexts, kinds, families)
Valid signatures
$$\frac{}{\emptyset\ \mathrm{sig}}\ (S{\cdot}\mathit{Empty}) \qquad \frac{\vdash_\Sigma K \qquad a \notin \mathrm{Dom}(\Sigma)}{\Sigma, a{:}K\ \mathrm{sig}}\ (S{\cdot}\mathit{Kind}) \qquad \frac{\vdash_\Sigma \sigma : \mathrm{Type} \qquad c \notin \mathrm{Dom}(\Sigma)}{\Sigma, c{:}\sigma\ \mathrm{sig}}\ (S{\cdot}\mathit{Type})$$
Context rules
$$\frac{\Sigma\ \mathrm{sig}}{\vdash_\Sigma \emptyset}\ (C{\cdot}\mathit{Empty}) \qquad \frac{\Gamma \vdash_\Sigma \sigma : \mathrm{Type} \qquad x \notin \mathrm{Dom}(\Gamma)}{\vdash_\Sigma \Gamma, x{:}\sigma}\ (C{\cdot}\mathit{Type})$$
Kind rules
$$\frac{\vdash_\Sigma \Gamma}{\Gamma \vdash_\Sigma \mathrm{Type}}\ (K{\cdot}\mathit{Type}) \qquad \frac{\Gamma, x{:}\sigma \vdash_\Sigma K}{\Gamma \vdash_\Sigma \Pi x{:}\sigma.\, K}\ (K{\cdot}\mathit{Pi})$$
Family rules
$$\frac{\vdash_\Sigma \Gamma \qquad a{:}K \in \Sigma}{\Gamma \vdash_\Sigma a : K}\ (F{\cdot}\mathit{Const}) \qquad \frac{\Gamma \vdash_\Sigma \sigma : \Pi x{:}\tau.\, K \qquad \Gamma \vdash_\Sigma N : \tau}{\Gamma \vdash_\Sigma \sigma\, N : K[N/x]}\ (F{\cdot}\mathit{App})$$
$$\frac{\Gamma, x{:}\sigma \vdash_\Sigma \tau : \mathrm{Type}}{\Gamma \vdash_\Sigma \Pi x{:}\sigma.\, \tau : \mathrm{Type}}\ (F{\cdot}\mathit{Pi}) \qquad \frac{\Gamma \vdash_\Sigma \sigma : K \qquad \Gamma \vdash_\Sigma K' \qquad K =_{\beta\mathcal{L}} K'}{\Gamma \vdash_\Sigma \sigma : K'}\ (F{\cdot}\mathit{Conv})$$
$$\frac{\Gamma \vdash_\Sigma \rho : \mathrm{Type} \qquad \Gamma \vdash_\Sigma U : V}{\Gamma \vdash_\Sigma \mathcal{L}^{P}_{U,V}[\rho] : \mathrm{Type}}\ (F{\cdot}\mathit{Lock})$$
$$\frac{\Gamma, x{:}\tau \vdash_\Sigma \mathcal{L}^{P}_{U,V}[\rho] : \mathrm{Type} \qquad \Gamma \vdash_\Sigma N : \mathcal{L}^{P}_{U',V'}[\tau] \qquad U =_{\beta\mathcal{L}} U' \qquad V =_{\beta\mathcal{L}} V'}{\Gamma \vdash_\Sigma \mathcal{L}^{P}_{U,V}[\rho[\mathcal{U}^{P}_{U',V'}[N]/x]] : \mathrm{Type}}\ (F{\cdot}\mathit{Guarded}{\cdot}\mathit{Unlock})$$
LLF_P's formal properties
- strong normalization
- confluence
- subject reduction (for well-behaved predicates)
Definition (Well-behaved predicates)
A finite set of predicates $\{P_i\}_{i \in I}$ is well-behaved if each $P$ in this set satisfies the following conditions:
- Closure under signature, context weakening and permutation. If Σ and Ω are valid signatures with every declaration in Σ also occurring in Ω, and Γ and Δ are valid contexts with every declaration in Γ also occurring in Δ, and $P(\Gamma \vdash_\Sigma \alpha)$ holds, then $P(\Delta \vdash_\Omega \alpha)$ also holds.
- Closure under substitution. If $P(\Gamma, x{:}\sigma', \Gamma' \vdash_\Sigma N : \sigma)$ holds, and $\Gamma \vdash_\Sigma N' : \sigma'$, then $P(\Gamma, \Gamma'[N'/x] \vdash_\Sigma N[N'/x] : \sigma[N'/x])$ also holds.
- Closure under reduction. If $P(\Gamma \vdash_\Sigma N : \sigma)$ holds and $N \to_{\beta\mathcal{L}} N'$ (resp. $\sigma \to_{\beta\mathcal{L}} \sigma'$) holds, then $P(\Gamma \vdash_\Sigma N' : \sigma)$ (resp. $P(\Gamma \vdash_\Sigma N : \sigma')$) also holds.
The monadic nature of LLF_P and LLF_P^+
- for each U, V such that $\Gamma \vdash U : V$ and well-behaved P, the operator $\mathcal{L}^{P}_{U,V}[\ ]$ induces a strong monad, or equivalently a Kleisli triple, once we view the Term Model of LLF_P as a category; the monad $(T_P, \eta, \mu)$ is given by
$$\eta \triangleq \lambda x{:}\rho.\, \mathcal{L}^{P}_{U,V}[x] : \rho \to \mathcal{L}^{P}_{U,V}[\rho]$$
$$\mu \triangleq \lambda x{:}\mathcal{L}^{P}_{U,V}[\mathcal{L}^{P}_{U,V}[\rho]].\, \mathcal{L}^{P}_{U,V}[\mathcal{U}^{P}_{U,V}[\mathcal{U}^{P}_{U,V}[x]]] : \mathcal{L}^{P}_{U,V}[\mathcal{L}^{P}_{U,V}[\rho]] \to \mathcal{L}^{P}_{U,V}[\rho];$$
- the guarded-unlock rules "morally" amount to Kleisli composition, namely, we can define an operator $\mathit{let}_{P,U,V} : (\sigma \to \mathcal{L}^{P}_{U,V}[\tau]) \to \mathcal{L}^{P}_{U,V}[\sigma] \to \mathcal{L}^{P}_{U,V}[\tau]$ as
$$\lambda x{:}\sigma \to \mathcal{L}^{P}_{U,V}[\tau].\, \lambda y{:}\mathcal{L}^{P}_{U,V}[\sigma].\, x\,(\mathcal{U}^{P}_{U,V}[y]) : (\sigma \to \mathcal{L}^{P}_{U,V}[\tau]) \to \mathcal{L}^{P}_{U,V}[\sigma] \to \mathcal{L}^{P}_{U,V}[\tau];$$
- the $\mathit{let}_{P,U,V}$ constructor could be taken as primitive instead of $\mathcal{U}^{P}_{U,V}[\ ]$, but then it should be extended also to types in the $F{\cdot}\mathit{Guarded}{\cdot}\mathit{Unlock}$ rule;
- the monad equalities hold: $\mathcal{L}^{P}_{U,V}[\ ]$ induces a congruence, and the LLF_P^+ reduction rules amount to $T.\beta$ and $T.\eta$;
- associativity of Kleisli composition holds by computation, namely for terms Q, N, M of appropriate types both $\mathit{let}_P\, Q\, (\mathit{let}_P\, N\, M)$ and $\mathit{let}_P\, (\mathit{let}_P\, Q\, N)\, M$ reduce to $\lambda x{:}\tau.\, Q\,(\mathcal{U}^{P}_{U,V}[N\,(\mathcal{U}^{P}_{U,V}[M\,x])])$.
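The monad structure above, as an added illustration that is not the paper's own Coq encoding (which this section does not show): it assumes a shallow model in which the side condition $P(\Gamma \vdash U : V)$ is an abstract proposition P and a locked term of type ρ is a term of ρ available only given evidence for P, so that η, μ, the Kleisli let, the reduction $\mathcal{U}^{P}[\mathcal{L}^{P}[M]] \to M$ and associativity all hold by conversion.

```coq
(* Added illustration, not the paper's encoding: an assumed shallow model of
   L^P_{U,V}[_] in Coq. The side condition P(Γ ⊢ U : V) is abstracted as a
   proposition P; a locked term of type rho is a term of rho that can only be
   used once evidence h : P is supplied. *)
Section LockMonad.
  Variable P : Prop.                       (* the lock's side condition *)

  Definition Lock (rho : Type) : Type := P -> rho.

  (* eta = λx:ρ. L^P[x] *)
  Definition lock {rho : Type} (m : rho) : Lock rho := fun _ => m.

  (* U^P[_]: unlocking needs the evidence h : P, as in (O·Top·Unlock) *)
  Definition unlock {rho : Type} (m : Lock rho) (h : P) : rho := m h.

  (* mu = λx:L[L[ρ]]. L[U[U[x]]] *)
  Definition join {rho : Type} (m : Lock (Lock rho)) : Lock rho :=
    fun h => unlock (unlock m h) h.

  (* let_{P,U,V} : (σ → L[τ]) → L[σ] → L[τ], the guarded unlock *)
  Definition letP {sigma tau : Type} (f : sigma -> Lock tau) (m : Lock sigma)
    : Lock tau := fun h => unlock (f (unlock m h)) h.

  (* T.β: U^P[L^P[M]] reduces to M *)
  Lemma unlock_lock : forall (rho : Type) (m : rho) (h : P),
    unlock (lock m) h = m.
  Proof. reflexivity. Qed.

  (* monad unit laws, stated pointwise so no extensionality is needed *)
  Lemma letP_lock : forall (sigma tau : Type) (f : sigma -> Lock tau)
      (m : sigma) (h : P),
    letP f (lock m) h = f m h.
  Proof. reflexivity. Qed.

  Lemma lock_letP : forall (sigma : Type) (m : Lock sigma) (h : P),
    letP lock m h = m h.
  Proof. reflexivity. Qed.

  (* associativity of Kleisli composition holds by computation *)
  Lemma letP_assoc : forall (sigma tau kappa : Type)
      (q : tau -> Lock kappa) (n : sigma -> Lock tau) (m : Lock sigma),
    letP q (letP n m) = letP (fun x => letP q (n x)) m.
  Proof. reflexivity. Qed.
End LockMonad.
```

Each lemma closes by `reflexivity` because both sides unfold to the same term, which is exactly the "holds by computation" claim of the slide.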
Applications of Locks: side-conditions are MONADS
- modal logics: a proof term is closed;
- substructural logics, e.g. affine elementary linear logic, non-commutative linear logic: variables in proof terms are constrained appropriately;
- Hoare's logic: quantifier-free formulæ, and non-interference predicates;
- Fitch-Prawitz Set Theory: proof terms are normalizable;
- Poincaré's principle: terms are computationally (definitionally) equivalent;
- Deduction Modulo: $\frac{A \supset B \qquad C}{B}\ \ A \equiv C$;
- reasoning on totality;
- reasoning and programming up-to equivalence relations.