Decorated proofs for computational effects: States (PowerPoint presentation)

SLIDE 1

Decorated proofs for computational effects: States

Jean-Guillaume Dumas, Dominique Duval, Laurent Fousse, Jean-Claude Reynaud

LJK, University of Grenoble

April 1, 2012 – ACCAT 2012 – Tallinn

SLIDE 2

Outline

SLIDE 3

From computer algebra to effects

About the history of the authors:

◮ Computer algebra: exact computations on large integers, matrices, polynomials, field extensions, ...
◮ Sophisticated programming in several kinds of languages: C, C++, Axiom, ...
◮ Questions about the languages: semantics of computational effects? (e.g., states, exceptions, ...)

SLIDES 4-8

Effects and monads

Breaking a taboo: effect = monad

[Moggi'91]: When there is an effect:
  1. a term f : X → Y should not always be interpreted as a function [[f]] : [[X]] → [[Y]]
  2. it should often be interpreted as a function [[f]] : [[X]] → T[[Y]] for some monad T

[Plotkin & Power 2002]: The operations and equations associated with the effect are described by a Lawvere theory.

Example. In an imperative language: T[[Y]] = (S × [[Y]])^S

We agree with (1), not always with (2). And we get operations and equations in a different way.

SLIDES 9-11

What is an effect?

Informally: An effect is an apparent lack of soundness.

A lack of soundness between syntax and semantics, which can be "repaired" (diagram on the slide: syntax, semantics).

Formally: [Domínguez & Duval, MSCS'10]

SLIDE 12

Outline

SLIDES 13-14

A property of imperative languages

The annihilation lookup-update (ALU) property: X := X does not modify the state.

Proof. Let n be the value of X in the current state.
◮ First, "X" (on the right) is evaluated as n.
◮ Then "X :=" (on the left) sets the value of X to n, without modifying the value of other locations.
Hence the state is not modified.

SLIDES 15-16

Towards a formalization: a specification for states

Locations (or identifiers, or variables) X, Y, ...
The unit (or void, or singleton) type ✶, with ⟨ ⟩_A : A → ✶ for each A.
For each X, a type V_X for values and two operations:
  ℓ_X : ✶ → V_X (lookup)
  u_X : V_X → ✶ (update)
and equations:
  ℓ_X ∘ u_X ≡ id
  ℓ_Y ∘ u_X ≡ ℓ_Y ∘ ⟨ ⟩_{V_X} when Y ≠ X
formalizing the intended semantics:
◮ ℓ_X returns the value of X in the current state
◮ u_X(n) modifies the current state: the value of X becomes n, and the value of Y is not modified, for every Y ≠ X

SLIDES 17-20

A property of imperative languages: proof # 1

Let Σ be the specification made of ℓ_X : ✶ → V_X and u_X : V_X → ✶ such that ℓ_X ∘ u_X ≡ id and ℓ_Y ∘ u_X ≡ ℓ_Y ∘ ⟨ ⟩_{V_X} when Y ≠ X. Then Σ satisfies the annihilation lookup-update (ALU) property: u_X ∘ ℓ_X ≡ id

Proof. By observation: prove that ℓ_Y ∘ u_X ∘ ℓ_X ≡ ℓ_Y for each Y.

When Y = X:
  ℓ_X ∘ u_X ≡ id
  (subst) ℓ_X ∘ u_X ∘ ℓ_X ≡ ℓ_X

When Y ≠ X:
  ℓ_Y ∘ u_X ≡ ℓ_Y ∘ ⟨ ⟩_{V_X}
  (subst) ℓ_Y ∘ u_X ∘ ℓ_X ≡ ℓ_Y ∘ ⟨ ⟩_{V_X} ∘ ℓ_X
  (unit) ⟨ ⟩_{V_X} ∘ ℓ_X ≡ id
  (repl) ℓ_Y ∘ ⟨ ⟩_{V_X} ∘ ℓ_X ≡ ℓ_Y
  (trans) ℓ_Y ∘ u_X ∘ ℓ_X ≡ ℓ_Y

Hence the state is not modified.

SLIDES 21-23

A property of imperative languages, proof # 2

The annihilation lookup-update (ALU) property: u_X ∘ ℓ_X ≡ id

Another proof. The (unit) rule states that id is the unique f : ✶ → ✶.
  u_X ∘ ℓ_X : ✶ → ✶
  (unit) u_X ∘ ℓ_X ≡ id

BUT in the same way, we could prove for all Y:
  u_X ∘ ℓ_Y : ✶ → ✶
  (unit) u_X ∘ ℓ_Y ≡ id
which obviously is FALSE!

SLIDES 24-26

Questions

Two proofs of (ALU). Proof #1 is right, proof #2 is wrong. WHY?

The (unit) rule should state that id is the unique f : ✶ → ✶ under the assumption that f cannot modify the state, and it should be impossible to apply this rule to u_X ∘ ℓ_Y. How can we formalize this fact?

By decorating terms and equations.

SLIDES 27-28

Decorations: terms and equations

Terms are classified:
◮ f^(0): f is pure if it can neither use nor modify the state.
◮ f^(1): f is an accessor if it can use the state but not modify it.
◮ f^(2): f is a modifier if it can use and modify the state.
Hierarchy rules: from f^(0) infer f^(1); from f^(1) infer f^(2).

Equations are classified:
◮ f ≡ g: strong equation: f and g return the same value and they have the same effect on the state.
◮ f ∼ g: weak equation: f and g return the same value but they may have different effects on the state.
Hierarchy rule: from f ≡ g infer f ∼ g.

SLIDES 29-31

Decorated rules

The rules of the logic are also decorated, for instance (premises ⟹ conclusion):
  (unit)  f : ✶ → ✶  ⟹  f ∼ id
There are new rules (which become trivial without decorations):
  (1-∼-to-≡)  f^(1), g^(1), f ∼ g  ⟹  f ≡ g
Hence there are new derived rules, like:
  (1-unit)  f^(1) : ✶ → ✶  ⟹  f ≡ id

SLIDES 32-33

Proof #2 is wrong: it cannot be properly decorated

Proof #2 of (ALU) can be decorated as follows:
  u_X ∘ ℓ_X : ✶ → ✶
  (unit) u_X ∘ ℓ_X ∼ id
which does not entail u_X ∘ ℓ_X ≡ id.

In fact for each Y there is a proof:
  u_X ∘ ℓ_Y : ✶ → ✶
  (unit) u_X ∘ ℓ_Y ∼ id
which is right but without any interest.

SLIDES 34-35

Decorated rules for substitution and replacement

Strong equations form a congruence:
  (≡-subs)  g1 ≡ g2  ⟹  g1 ∘ f ≡ g2 ∘ f
  (≡-repl)  f1 ≡ f2  ⟹  g ∘ f1 ≡ g ∘ f2
Weak equations do not form a congruence:
  (∼-subs)  g1 ∼ g2  ⟹  g1 ∘ f ∼ g2 ∘ f
  (0-∼-repl)  f1 ∼ f2, g^(0)  ⟹  g ∘ f1 ∼ g ∘ f2 : X → Z
Indeed, f1 and f2 may modify the state in different ways, so that g ∘ f1 and g ∘ f2 may return different values if g is not pure.

SLIDE 36

A decorated specification for states

For each X, a type V_X for values and two operations:
  ℓ_X^(1) : ✶ → V_X (lookup): an accessor
  u_X^(2) : V_X → ✶ (update): a modifier
and weak equations:
  ℓ_X ∘ u_X ∼ id
  ℓ_Y ∘ u_X ∼ ℓ_Y ∘ ⟨ ⟩_{V_X} when Y ≠ X

SLIDES 37-38

Proof #1 is right: it can be properly decorated

The annihilation lookup-update (ALU) property: u_X ∘ ℓ_X ≡ id

Proof. By observation: prove that ℓ_Y ∘ u_X ∘ ℓ_X ∼ ℓ_Y for each Y.

When Y = X:
  ℓ_X ∘ u_X ∼ id
  (∼-subs) ℓ_X ∘ u_X ∘ ℓ_X ∼ ℓ_X

When Y ≠ X:
  ℓ_Y ∘ u_X ∼ ℓ_Y ∘ ⟨ ⟩_{V_X}
  (∼-subs) ℓ_Y ∘ u_X ∘ ℓ_X ∼ ℓ_Y ∘ ⟨ ⟩_{V_X} ∘ ℓ_X
  ℓ_X^(1), hence (1-unit) ⟨ ⟩_{V_X} ∘ ℓ_X ≡ id
  (≡-repl) ℓ_Y ∘ ⟨ ⟩_{V_X} ∘ ℓ_X ≡ ℓ_Y
  (≡-to-∼) ℓ_Y ∘ ⟨ ⟩_{V_X} ∘ ℓ_X ∼ ℓ_Y
  (∼-trans) ℓ_Y ∘ u_X ∘ ℓ_X ∼ ℓ_Y

SLIDES 39-41

Other properties of imperative languages

The 7 properties in [Plotkin & Power 02] can be proved similarly. For instance the commutation update-update (CUU) property is proved in the paper.

When X ≠ Y: the order of storing values in X and Y does not matter, which is formalized as:
  u_Y ∘ (u_X × id) ≡ u_X ∘ (id × u_Y) : V_X × V_Y → ✶
where × is the semi-pure product from [Dumas & Duval & Reynaud] Cartesian effect categories are Freyd-categories, JSC 2011; ACCAT'09.

(Commutative diagram on the slide: the two paths from V_X × V_Y to ✶, with decorations such as (u_X × id)^(2), u_X^(2) and id^(0) marked.)

SLIDE 42

Outline

SLIDES 43-46

Explicit proofs

Another way to prove results about states:
  1. introduce explicitly a type of states S
  2. expand (translate) the decorations:
       f^(0) : X → Y   ↦   f : X → Y
       f^(1) : X → Y   ↦   f : X × S → Y
       f^(2) : X → Y   ↦   f : X × S → Y × S
       f ≡ g : X → Y   ↦   f ≡ g : X × S → Y × S
       f ∼ g : X → Y   ↦   π ∘ f ≡ π ∘ g : X × S → Y
  3. prove in the "usual" (not decorated) logic

But the notion of effect is lost.
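As an added example (not code from the slides or from the authors), the Python below carries out the expansion step above on a concrete model and checks the equations of the states specification, the (ALU) property, and the slide 35 point that weak equations survive post-composition only with a pure g. It assumes the state S is a dict from location names to integers and writes every term in the expanded X × S → Y × S form; the sample states are constructed.

```python
from itertools import product
# Expansion of the decorated terms (slides 44-46) run on concrete data.
# Every term is kept in modifier form X x S -> Y x S so that composition
# and comparison are uniform; accessors simply return the state unchanged.
# Assumption: the state S is a dict from location names to integers.
LOCS = ("X", "Y")
UNIT = ()                   # the single inhabitant of the unit type

def lookup(loc):            # l_X^(1) : 1 -> V_X   (accessor)
    return lambda _x, s: (s[loc], s)

def update(loc):            # u_X^(2) : V_X -> 1   (modifier)
    return lambda v, s: (UNIT, {**s, loc: v})

def ident(x, s):            # id^(0)               (pure)
    return (x, s)
def terminal(_x, s):        # < >_A : A -> 1       (pure)
    return (UNIT, s)

def compose(g, f):          # g o f, threading the state through f then g
    def h(x, s):
        y, s1 = f(x, s)
        return g(y, s1)
    return h

# Constructed sample states: every assignment of {0, 1, 2} to X and Y.
STATES = [dict(zip(LOCS, vals)) for vals in product(range(3), repeat=2)]

def strong_eq(f, g, inputs=(UNIT,)):
    """f == g: same value AND same final state on every sample input."""
    return all(f(x, s) == g(x, s) for x in inputs for s in STATES)

def weak_eq(f, g, inputs=(UNIT,)):
    """f ~ g: pi o f == pi o g, same value, final states may differ."""
    return all(f(x, s)[0] == g(x, s)[0] for x in inputs for s in STATES)

def alu_holds(loc):
    """(ALU) u_X o l_X == id, strongly: 'X := X' leaves the state as it was."""
    return strong_eq(compose(update(loc), lookup(loc)), ident)

def cross_store(src, dst):
    """u_dst o l_src, src != dst: (weakly id?, strongly id?) -> (True, False)."""
    t = compose(update(dst), lookup(src))
    return weak_eq(t, ident), strong_eq(t, ident)

def repl_with_accessor_holds(src, dst):
    """Slide 35: u_dst o l_src ~ id, but is l_dst o u_dst o l_src ~ l_dst o id?"""
    t = compose(update(dst), lookup(src))
    return weak_eq(compose(lookup(dst), t), compose(lookup(dst), ident))
```

Replacing the accessor `lookup(dst)` by the pure `terminal` makes the weak equation hold again, which is exactly the g^(0) side condition of (0-∼-repl).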

SLIDE 47

A span of "logics"

A span with decorations in the middle: syntax ← decorations → semantics
◮ decorations → syntax: forget the decorations
◮ decorations → semantics: expansion, with an explicit S for states

SLIDES 48-49

From proofs to models

The expansion:
◮ maps decorated proofs to "usual" explicit proofs
◮ and provides a notion of decorated model, because it can be seen as a functor F : decorations → semantics with a right adjoint G:
  Mod_deco(Σ, GΘ) ≅ Mod_expl(FΣ, Θ)
For instance: Σ is the decorated specification for states, Θ is Set with the distinguished set S = ∏_X V_X

SLIDES 50-52

From states to exceptions

◮ We can prove properties of imperative languages in a logic which respects the syntax of the language.
◮ THUS, we can prove properties of exceptions in a logic which respects the syntax of exceptions.
  [Dumas & Duval & Fousse & Reynaud] Decorated proofs for computational effects: exceptions. Submitted for publication.
◮ This is due to the duality between states and the core part of exceptions.
  [Dumas & Duval & Fousse & Reynaud] A duality between exceptions and states. To appear in MSCS. ACCAT'11.
SLIDES 53-54

Conclusion and future work

We have designed a framework for effects which provides a denotational semantics and a proof system. Our projects include:
◮ Using a proof assistant for proving decorated properties.
◮ Extending our framework for combining effects by composing spans.

SLIDE 55

Thank you!