Thinking About Mechanizing the Meta-Theory of Session Types - - PowerPoint PPT Presentation

/27

Thinking About Mechanizing the Meta-Theory of Session Types

Francisco Ferreira (joint work with Nobuko Yoshida) 17th Dec ABCD Meeting - Imperial College London

1

/27

Engineering the Meta-Theory of Session Types

17th Dec ABCD Meeting - Imperial College London Francisco Ferreira (joint work with Nobuko Yoshida)

2

/27

–Ludwig Wittgenstein

“The limits of my language mean the limits of my world.”

3

/27

Who Am I?

• I did my PhD at McGill University, advised by Brigitte Pientka.
• I worked with Higher Order Abstract Syntax.
• Also on the meta-theory of programming languages.

4

/27

Who Am I?

• I did my PhD at McGill University, advised by Brigitte Pientka.
• I worked with Higher Order Abstract Syntax.
• Also on the meta-theory of programming languages.
• I worked in the implementation of:

4

/27

Who Am I?

• I did my PhD at McGill University, advised by Brigitte Pientka.
• I worked with Higher Order Abstract Syntax.
• Also on the meta-theory of programming languages.
• I worked in the implementation of:
• Beluga — My supervisor’s project on computational reasoning about LF

definitions.

4

/27

Who Am I?

• I did my PhD at McGill University, advised by Brigitte Pientka.
• I worked with Higher Order Abstract Syntax.
• Also on the meta-theory of programming languages.
• I worked in the implementation of:
• Beluga — My supervisor’s project on computational reasoning about LF

definitions.

• Babybel — Our project on supporting HOAS in functional programming

languages (e.g.: OCaml).

4

/27

Who Am I?

• I did my PhD at McGill University, advised by Brigitte Pientka.
• I worked with Higher Order Abstract Syntax.
• Also on the meta-theory of programming languages.
• I worked in the implementation of:
• Beluga — My supervisor’s project on computational reasoning about LF

definitions.

• Babybel — Our project on supporting HOAS in functional programming

languages (e.g.: OCaml).

• Orca — Our project on combining HOAS and Type Theory.

4

/27

Mechanising the Meta-Theory Session Types

• Names are ubiquitous.
• The binding structure is quite rich.
• Channels are handled linearly.
• Names exist besides binders. Names are a first

class notion.

5

/27

The First Step

• Do a case study:
• Language Primitives and Type Discipline for

Structured Communication-Based Programming Revisited, by Yoshida and Vasconcelos.

6

/27

How Best To Represent Session Types Calculi?

Logical framework LF Constructive FOL
 +
 Induction Contextual types

7

/27

Nominal Equation Logic

How Best To Represent Session Types Calculi?

Constructive FOL
 +
 Induction

7

/27

But, Really? Another Proof Assistant?

8

/27

But, Really? Another Proof Assistant?

• What if we relax the requirement for


α-conversion?

8

/27

But, Really? Another Proof Assistant?

• What if we relax the requirement for


α-conversion?

• Work by Ernesto Copello, Maribel Fernandez, et al.
• Defines a notion of α-compatible relations.
• Defines a notion of α-structural induction.

8

/27

But, Really? Another Proof Assistant?

• What if we relax the requirement for


α-conversion?

• Work by Ernesto Copello, Maribel Fernandez, et al.
• Defines a notion of α-compatible relations.
• Defines a notion of α-structural induction.

It can be readily implemented in Agda and Coq!

8

/27

But, Really? Another Proof Assistant?

• What if we relax the requirement for


α-conversion?

• Work by Ernesto Copello, Maribel Fernandez, et al.
• Defines a notion of α-compatible relations.
• Defines a notion of α-structural induction.

It can be readily implemented in Agda and Coq! Induction on judgments is still an “it should be possible” problem in this approach.

8

/27

Time To Consider Existing Solutions

• Well established work on Locally Nameless:
• Use names for free variables.
• Use indices for bound variables.
• Mediate between them with open & close
• perations.

9

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t t x ≡ {0 → x} t

\xt

≡ {0 ← x} t

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t t x ≡ {0 → x} t

\xt

≡ {0 ← x} t

• k E

(x : T) ∈ E E ⊢ fvar x : T

typing-var

E ⊢ t1 : T1 → T2 E ⊢ t2 : T1 E ⊢ app t1 t2 : T2

typing-app

∀ x ̸∈ L, E, x : T1 ⊢ t x : T2 E ⊢ abs t : T1 → T2

typing-abs

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t t x ≡ {0 → x} t

\xt

≡ {0 ← x} t

• k E

(x : T) ∈ E E ⊢ fvar x : T

typing-var

E ⊢ t1 : T1 → T2 E ⊢ t2 : T1 E ⊢ app t1 t2 : T2

typing-app

∀ x ̸∈ L, E, x : T1 ⊢ t x : T2 E ⊢ abs t : T1 → T2

typing-abs

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t t x ≡ {0 → x} t

\xt

≡ {0 ← x} t

• k E

(x : T) ∈ E E ⊢ fvar x : T

typing-var

E ⊢ t1 : T1 → T2 E ⊢ t2 : T1 E ⊢ app t1 t2 : T2

typing-app

∀ x ̸∈ L, E, x : T1 ⊢ t x : T2 E ⊢ abs t : T1 → T2

typing-abs

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t t x ≡ {0 → x} t

\xt

≡ {0 ← x} t

• k E

(x : T) ∈ E E ⊢ fvar x : T

typing-var

E ⊢ t1 : T1 → T2 E ⊢ t2 : T1 E ⊢ app t1 t2 : T2

typing-app

∀ x ̸∈ L, E, x : T1 ⊢ t x : T2 E ⊢ abs t : T1 → T2

typing-abs

10

/27

STLC

t :=

bvar x

|

fvar p

|

abs x t

|

app t t t x ≡ {0 → x} t

\xt

≡ {0 ← x} t

• k E

(x : T) ∈ E E ⊢ fvar x : T

typing-var

E ⊢ t1 : T1 → T2 E ⊢ t2 : T1 E ⊢ app t1 t2 : T2

typing-app

∀ x ̸∈ L, E, x : T1 ⊢ t x : T2 E ⊢ abs t : T1 → T2

typing-abs

10

Open and close should admit several lemmas:

• Opening locally closed terms does not change the

term

• Opening and substitution commute
• The interaction of opening and substitutions of

variables

/27

The Send Receive System and its Cousins the Relaxed and the Revisited System.

11

/27

The Send Receive System and its Cousins the Relaxed and the Revisited System.

Start developing the infrastructure and eventually move on to MPST

11

/27

A Tale of Three Systems

• We set out to represent the three systems described

in the paper:

• The Honda, Vasconcelos, Kubo system from ESOP’98
• Its naïve but ultimately unsound extension
• Its revised system inspired by Gay and Hole in Acta

Informatica

12

/27

The Send Receive System

P ::= request a(k) in P session request | accept a(k) in P session acceptance | k![˜ e]; P data sending | k?(˜ x) in P data reception | k ✁ l; P label selection | k ✄ {l1 : P1[ ] · · · [ ]ln : Pn} label branching | throw k[k′]; P channel sending | catch k(k′) in P channel reception | if e then P else Q conditional branch | P | Q parallel composition | inact inaction | (νu)P name/channel hiding | def D in P recursion | X[˜ e˜ k] process variables e ::= c constant | e + e′ | e − e′ | e × e | not(e) | . . .

• perators

D ::= X1(˜ x1˜ k1) = P1 and · · · and Xn(˜ xn˜ kn) = Pn declaration for recursion

13

/27

The Send Receive System

P ::= request a(k) in P session request | accept a(k) in P session acceptance | k![˜ e]; P data sending | k?(˜ x) in P data reception | k ✁ l; P label selection | k ✄ {l1 : P1[ ] · · · [ ]ln : Pn} label branching | throw k[k′]; P channel sending | catch k(k′) in P channel reception | if e then P else Q conditional branch | P | Q parallel composition | inact inaction | (νu)P name/channel hiding | def D in P recursion | X[˜ e˜ k] process variables e ::= c constant | e + e′ | e − e′ | e × e | not(e) | . . .

• perators

D ::= X1(˜ x1˜ k1) = P1 and · · · and Xn(˜ xn˜ kn) = Pn declaration for recursion

13

/27

α-Conversion for Free

• The original system depends crucially on names

(throw k[k′]; P1) | (catch k(k′) in P2) → P1 | P2

14

/27

α-Conversion for Free

• The original system depends crucially on names

(throw k[k′]; P1) | (catch k(k′) in P2) → P1 | P2

14

/27

α-Conversion for Free

• The original system depends crucially on names

(throw k[k′]; P1) | (catch k(k′) in P2) → P1 | P2

This is a bound variable.

14

/27

α-Conversion for Free

• The original system depends crucially on names

(throw k[k′]; P1) | (catch k(k′) in P2) → P1 | P2

This is a bound variable.

• If α-conversion is built in, this rule collapses to:

(throw k[k′]; P1) | (catch k(k′′) in P2) → P1 | P2[k′/k′′]

14

/27

α-Conversion for Free

• The original system depends crucially on names

(throw k[k′]; P1) | (catch k(k′) in P2) → P1 | P2

This is a bound variable.

• If α-conversion is built in, this rule collapses to:

(throw k[k′]; P1) | (catch k(k′′) in P2) → P1 | P2[k′/k′′]

14

Locally Nameless makes it impossible to express the

• riginal system’s name

handling!

/27

The Typing Judgement

The rule for parallel composition is where the fun begins:

15

/27

The Typing Judgement

Θ; Γ ⊢ P ◃ ∆ Θ; Γ ⊢ Q ◃ ∆′ Θ; Γ ⊢ P | Q ◃ ∆ ◦ ∆′ (∆ ≍ ∆′) [Conc]

The rule for parallel composition is where the fun begins:

15

/27

The Typing Judgement

Θ; Γ ⊢ P ◃ ∆ Θ; Γ ⊢ Q ◃ ∆′ Θ; Γ ⊢ P | Q ◃ ∆ ◦ ∆′ (∆ ≍ ∆′) [Conc]

The rule for parallel composition is where the fun begins:

15

/27

The Typing Judgement

Θ; Γ ⊢ P ◃ ∆ Θ; Γ ⊢ Q ◃ ∆′ Θ; Γ ⊢ P | Q ◃ ∆ ◦ ∆′ (∆ ≍ ∆′) [Conc]

The rule for parallel composition is where the fun begins:

15

/27

The Typing Judgement

Θ; Γ ⊢ P ◃ ∆ Θ; Γ ⊢ Q ◃ ∆′ Θ; Γ ⊢ P | Q ◃ ∆ ◦ ∆′ (∆ ≍ ∆′) [Conc]

The rule for parallel composition is where the fun begins:

Definition 2.4 (Type algebra) Typings ∆0 and ∆1 are compatible, written ∆0 ≍ ∆1, if ∆0(k) = ∆1(k) for all k ∈ dom(∆0) ∩ dom(∆1). When ∆0 ≍ ∆1, the com- position of ∆0 and ∆1, written ∆0 ◦ ∆1, is given as a typing such that (∆0 ◦ ∆1)(k) is (1) ⊥, if k ∈ dom(∆0) ∩ dom(∆1); (2) ∆i(k), if k ∈ dom(∆i) \ dom(∆i+1 mod 2) for i ∈ {0, 1}; and (3) undefined otherwise.

15

/27

Typing Environments

16

/27

Typing Environments

16

/27

Typing Environments

16

/27

Typing Environments

• Store their assumptions in a unique order 


(easy to compare)

• Only store unique assumptions 


(easy to split)

17

/27

Typing Environments

• Store their assumptions in a unique order 


(easy to compare)

• Only store unique assumptions 


(easy to split)

This together requires implementing our

• wn LN infrastructure.

But it allows for names and linearity.

17

/27

The Revisited System

• Now we distinguish between the endpoints of

channels.

• It can be represented with LN-variables and

names.

18

/27

Two Kinds of Atoms

19

/27

Two Kinds of Atoms

19

/27

Channels and Expressions

20

/27

Channels and Expressions

20

/27

Channels and Expressions

20

/27

Processes

21

Binders are “invisible”

/27

Processes

21

Binders are “invisible”

/27

Processes

21

Binders are “invisible”

/27

Processes

21

Binders are “invisible”

/27

But Mechanical Proofs Are..

• Well, very mechanical. We have to be very precise

with the theorems.

22

The typing judgements:

/27

One of the Substitution Lemmas

Lemma 3.1 (Channel Replacement) If Θ; Γ ⊢ P◃∆·x: α, then Θ; Γ ⊢ P[κp/x]◃ ∆ · κp : α.

• Proof. A straightforward induction on the derivation tree for P.

23

/27

One of the Substitution Lemmas

Lemma 3.1 (Channel Replacement) If Θ; Γ ⊢ P◃∆·x: α, then Θ; Γ ⊢ P[κp/x]◃ ∆ · κp : α.

• Proof. A straightforward induction on the derivation tree for P.

Becomes:

23

/27

One of the Substitution Lemmas

Lemma 3.1 (Channel Replacement) If Θ; Γ ⊢ P◃∆·x: α, then Θ; Γ ⊢ P[κp/x]◃ ∆ · κp : α.

• Proof. A straightforward induction on the derivation tree for P.

Becomes:

23

/27

One of the Substitution Lemmas

Lemma 3.1 (Channel Replacement) If Θ; Γ ⊢ P◃∆·x: α, then Θ; Γ ⊢ P[κp/x]◃ ∆ · κp : α.

• Proof. A straightforward induction on the derivation tree for P.

Becomes:

23

/27

One of the Substitution Lemmas

Lemma 3.1 (Channel Replacement) If Θ; Γ ⊢ P◃∆·x: α, then Θ; Γ ⊢ P[κp/x]◃ ∆ · κp : α.

• Proof. A straightforward induction on the derivation tree for P.

Becomes: Coq also demanded to be convinced about substituting expressions and various weakening lemmas

23

/27

Subject Reduction

Theorem 3.3 (Subject Reduction) If Θ; Γ ⊢ P ◃ ∆ with ∆ balanced and P →∗ Q, then Θ; Γ ⊢ Q ◃ ∆′ and ∆′ balanced.

24

/27

Subject Reduction

Theorem 3.3 (Subject Reduction) If Θ; Γ ⊢ P ◃ ∆ with ∆ balanced and P →∗ Q, then Θ; Γ ⊢ Q ◃ ∆′ and ∆′ balanced.

Is straightforward to represent:

24

/27

And Lots of Fun To Prove

25

/27

And Lots of Fun To Prove

25

/27

And Lots of Fun To Prove

25

/27

And Lots of Fun To Prove

25

/27

And Lots of Fun To Prove

25

/27

And Lots of Fun To Prove

25

/27

And Lots of Fun To Prove

25

/27

Finally:

26

/27

What We Have:

• The definition two systems, the unsound proved with a

counter example, and the revised with a proof by induction.

• There are still some lemmas to prove (≈4.5 KLOC so far).
• All using a locally nameless representation
• Some use ssreflect and overloaded-lemmas to simply proofs.
• More automation using overloaded-lemmas in the future.

27

/27

What We Have:

• The definition two systems, the unsound proved with a

counter example, and the revised with a proof by induction.

• There are still some lemmas to prove (≈4.5 KLOC so far).
• All using a locally nameless representation
• Some use ssreflect and overloaded-lemmas to simply proofs.
• More automation using overloaded-lemmas in the future.

Thanks for your attention. Questions?

27