Fooling the Parallel Or Tester with Probability $8/27$
Jean Goubault-Larrecq

TL;DR
This paper investigates a probabilistic version of PCF and demonstrates that the maximum success probability of fooling the parallel or tester is exactly 8/27, achieved by a simple probabilistic program.
Contribution
It introduces a probabilistic variant of PCF and establishes a precise success probability bound for fooling the parallel or tester, extending understanding of operational semantics in probabilistic languages.
Findings
Maximum success probability is exactly 8/27.
A simple probabilistic program achieves this bound.
The bound cannot be exceeded.
Abstract
It is well-known that the higher-order language PCF is not fully abstract: there is a program - the so-called parallel or tester, meant to test whether its input behaves as a parallel or - which never terminates on any input, operationally, but is denotationally non-trivial. We explore a probabilistic variant of PCF, and ask whether the parallel or tester exhibits a similar behavior there. The answer is no: operationally, one can feed the parallel or tester an input that will fool it into thinking it is a parallel or. We show that the largest probability of success of such would-be parallel ors is exactly . The bound is reached by a very simple probabilistic program. The difficult part is to show that that bound cannot be exceeded.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Fooling the Parallel Or Tester with Probability
Jean Goubault-Larrecq
LSV, ENS Paris-Saclay, CNRS, Université Paris-Saclay, France
Email: [email protected] This research was partially supported by Labex DigiCosme (project ANR-11-LABEX-0045-DIGICOSME) operated by ANR as part of the program “Investissement d’Avenir” Idex Paris-Saclay (ANR-11-IDEX-0003-02).
Abstract
It is well-known that the higher-order language PCF is not fully abstract: there is a program—the so-called parallel or tester, meant to test whether its input behaves as a parallel or—which never terminates on any input, operationally, but is denotationally non-trivial. We explore a probabilistic variant of PCF, and ask whether the parallel or tester exhibits a similar behavior there. The answer is no: operationally, one can feed the parallel or tester an input that will fool it into thinking it is a parallel or. We show that the largest probability of success of such would-be parallel ors is exactly . The bound is reached by a very simple probabilistic program. The difficult part is to show that that bound cannot be exceeded.
1 Introduction
There is a recurring theme in security: to defeat a strong adversary, you need to rely on random choice. This paper will be a somewhat devious illustration of that principle, in the field of programming language semantics.
The higher-order, functional language PCF [Plo77] forms the core of actual programming languages such as Haskell [Bir98]. Plotkin [Plo77], and independently Sazonov [Saz76], had shown that PCF, while being adequate (i.e., its operational and denotational semantics match, in a precise sense), is not fully abstract: there are programs that are contextually equivalent (a notion arising from the operational semantics), but have different denotational semantics. (One should note that, conversely, two programs with the same denotational semantics are always contextually equivalent.)
The argument is as follows. In the denotational model, there is a function of type called parallel or, which maps the pair to , and both and to [math], for whatever program (including non-terminating programs). One can show that parallel or is undefinable in PCF. More is true. One can define a PCF program, the parallel or tester, which takes an argument , and tests whether is a parallel or, by testing whether , , and , where is a canonical non-terminating program. The parallel or tester is contextually equivalent to the always non-terminating program , meaning that applying it to any PCF program (for ) will never terminate. However, the denotational semantics of the parallel or tester and of differ: applied to any given parallel or map (which exists in the denotational model), one returns and the other one does not.
We introduce a probabilistic variant of PCF which we call PCFP, and we define a suitable parallel or tester . A PCFP program fools the parallel or tester if applied to terminates. In PCF, there is no way of fooling the parallel or tester. Our purpose is to show that one can fool the parallel or tester of PCFP with probability at most , and that this bound is attained. The optimal fooler is easy to define. The hard part is to show that one cannot do better.
A final word before we start. Even though we started by motivating it from matters related to full abstraction, which involves both operational and denotational semantics, the question we are addressing is purely operational in nature: it is only concerned with the behavior of under its operational semantics, under arbitrary PCFP contexts. Nonetheless, denotational semantics will be essential in our proof.
Outline. We define the syntax of in Section 2, its operational semantics in Section 3, and—once we have stated the required basic facts we need from domain theory in Section 4—its denotational semantics in Section 5. We state the adequacy theorem at the end of the latter section. This says that the operational and denotational probabilities that a term of type terminates on any given value are the same. We define the parallel tester, and show that it can be fooled with probability at most, in Section 6. We conclude by citing some recent related work in Section 7.
2 The syntax of PCFP
PCFP is a typed language. The types are given by the grammar:
[TABLE]
Mathematically, will be the type of subprobability valuations of elements of type . Operationally, an element of type is just a random value of type . There is only one basic type, , but one could envision a more expressive algebra of datatypes.
A computation type is a type of the form or where is a computation type. The computation types are the types where one can do computation, in particular whose objets can be defined by recursion.
Our language will have functions, and a function mapping inputs of type to outputs of type will have type . We write for , and this is a type of functions taking inputs, of respective types , , …, and returning outputs of type .
We fix a countably infinite set of variables , , , …, for each type . Each variable has a unique type, which we read off from its subscript. We will occasionally omit the type subscript when it is clear from context, or irrelevant.
The terms , , …, of our language are defined inductively, together with their types, in Figure 1. We agree to write to mean “ is a term, of type ”. We shall write for , and for . We shall also use the abbreviations for and , where , for . Finally, we shall write for , of type (draw at random along distribution , then run ). is meant to execute either or with probability .
The free variables and the bound variables of a term are defined as usual. A term with no free variable is ground. For a substitution (where each has the same type as , and the variables are pairwise distinct), we write for the parallel substitution of each for each , and for . We say that is ground if , …, are all ground.
Example 2.1
The term is of type . As we will see, this draws a natural number at random, with probability .
Example 2.2
Rejection sampling* is a process by which one draws an element of a subset of a space , as follows: we draw an element of at random, and we return it if it lies in , otherwise we start all over again. Here is a simple example of rejection sampling, meant to draw a number uniformly among . The idea is to draw two independent bits at random, representing a number in , and to use rejection sampling on . Formally, we define the PCFP term . Note that this uses recursion to define a distribution, not a function.*
3 Operational semantics
The elementary contexts , with their types , are defined as:
- •
of type , for every , and for every type ;
- •
and , of type ;
- •
, of type , for all ;
- •
, of type , for every .
The initial contexts are (of type for any ) and (of type ). The (evaluation) contexts are the finite sequences , , where is an initial context of type , each () is an elementary context of type . Then we say that has type .
The notation makes sense for every context of type and every , and is defined as , where is defined by removing the square brackets in and replacing the hole by . E.g., if , then .
A configuration (of type ) is a pair , where is a context of type and .
The operational semantics of PCFP—an abstract interpreter that runs PCFP programs—is a probabilistic transition system on configurations, defined by the rules of Figure 2. We write to say that one can go from configuration to configuration in one step, with probability .
A trace is a sequence , where , and where each is an instance of a rule of Figure 2. The trace starts at , ends at , its length is and its weight is the product . In that case, we also write .
The run starting at is the tree of all traces starting at . Its root is itself, and for each vertex in the tree, for each instance of a rule of the form , is a successor of , and the edge from to is labeled .
For every configuration of type , and every , we define as the sum of the weights of all traces that start at and end at . This is the subprobability that eventually computes . We also write for , where .
Example 3.1
The run starting at (see Example 2.1) is shown in Figure 3. We have abbreviated some sequences of steps as . One sees that for every , and is zero for every . Notice the infinite branch on the left, whose weight is [math].
Example 3.2
We let the reader draw the run starting at (see Example 2.2), and check that is equal to if , [math] otherwise. Explicitly, if , show that the traces that start at and end at have respective weights , , …, , …, and that the sum of those weights is .
The following is immediate.
Lemma 3.3
The following hold:
For every rule , and have the same type. 2. 2.
For every rule of the form of type , for every , . 3. 3.
*. *
4 A refresher on domain theory
We will require some elementary domain theory, for which we refer the reader to [GHK*+*03, AJ94, Gou13]. A poset is a set with a partial ordering, which we will always write as . A directed family is a non-empty family such that every pair of points of has an upper bound in . A dcpo is a poset in which every directed family has a supremum \sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}D. If , we also write \sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}x_{i} for \sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}D.
The product of two dcpos is the set of pairs , , , ordered by if and only if and .
For any two dcpos and , a map is Scott-continuous if and only if it is monotonic ( implies ) and preserves directed suprema (for every directed family in , \sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}f(x_{i})=f(\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}x_{i})). There is a category of dcpos and Scott-continuous maps.
We order maps from to by if and only if for every . The poset of all Scott-continuous maps from to is then again a dcpo, and directed suprema are computed pointwise: (\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}f_{i})(x)=\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}(f_{i}(x)). is a Cartesian-closed category—a model of simply-typed -calculus—and that can be said more concretely as follows:
- •
for all dcpos , , there is a Scott-continuous map defined by ;
- •
for all dcpos , , , for every Scott-continuous map , the map defined by is Scott-continuous;
- •
those satisfy certain equations which we will not require.
If the dcpo is pointed, namely if it has a least element , then every Scott-continuous map has a least fixed point \mathop{\mathrm{lfp}}\nolimits_{X}(f)\mathrel{\buildrel\text{def}\over{=}}\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{n\in\mathbb{N}}f^{n}(\bot). This is used to interpret recursion. Additionally, the map is itself Scott-continuous.
The set of extended non-negative real numbers is a dcpo under the usual ordering. We write for . Its elements are called the lower semicontinuous functions in analysis.
A Scott-open subset of a dcpo is an upwards-closed subset ( and imply ) that is inaccessible from below (every directed family such that \sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}D\in U intersects ). The lattice of Scott-open subsets is written , and forms a topology, the Scott topology on . Note that is itself a dcpo under inclusion, and directed suprema are computed as unions.
The Scott-closed sets are the complements of Scott-open sets, i.e., the downwards-closed subsets such that for every directed family , \sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}D\in C.
In order to give a denotational semantics to probabilistic choice, we will follow Jones [JP89, Jon90]. A continuous valuation on is a map that is strict (), monotone ( implies ), modular (), and Scott-continuous (\nu(\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\bigcup}_{i\in I}U_{i})=\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}\nu(U_{i})). A subprobability valuation additionally satisfies . Continuous valuations and measures are very close concepts: see [KL05] for details.
Among subprobability valuations, one finds the Dirac valuation , for each , defined by if , [math] otherwise. One can integrate any Scott-continuous map , and the integral is Scott-continuous and linear (i.e., commutes with sums and scalar products by elements of ) both in and in .
We write for the poset of subprobability valuations on . This is a dcpo under the pointwise ordering ( if and only if for every ), and directed suprema are computed pointwise ((\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}\nu_{i})(U)=\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}(\nu_{i}(U))). Additionally, defines a monad on . Concretely:
- •
there is a unit , which is the continuous map ;
- •
every Scott-continuous map has an extension , defined by ;
- •
those satisfy a certain number of equations, of which we will need the following:
[TABLE]
for all Scott-continuous maps , , and every .
Note that the map is itself Scott-continuous.
5 Denotational semantics
The types are interpreted as dcpos \left\llbracket{\tau}\right\rrbracket, as follows: \left\llbracket{\mathtt{int}}\right\rrbracket\mathrel{\buildrel\text{def}\over{=}}\mathbb{Z}, with equality as ordering; \left\llbracket{D\tau}\right\rrbracket\mathrel{\buildrel\text{def}\over{=}}\mathbf{V}_{\leq 1}\left\llbracket{\tau}\right\rrbracket; and \left\llbracket{\sigma\to\tau}\right\rrbracket\mathrel{\buildrel\text{def}\over{=}}[\left\llbracket{\sigma}\right\rrbracket\to\left\llbracket{\tau}\right\rrbracket]. Note that \left\llbracket{\tau}\right\rrbracket is pointed for every computation type , so \mathop{\mathrm{lfp}}\nolimits_{\left\llbracket{\tau}\right\rrbracket} makes sense in those cases.
An environment is a map sending each variable to an element of \left\llbracket{\tau}\right\rrbracket. The dcpo of environments is the product \prod_{x_{\tau}\text{ variable}}\left\llbracket{\tau}\right\rrbracket, with the usual componentwise ordering. When V\in\left\llbracket{\sigma}\right\rrbracket, we write for the environment that maps to , and all other variables to .
Let us write for the function that maps every to the value . We can now define the value \left\llbracket{M}\right\rrbracket of terms , as Scott-continuous maps \rho\in Env\mapsto\left\llbracket{M}\right\rrbracket\rho, by induction on , see Figure 4.
The operational semantics and the denotational semantics match, namely:
Theorem 5.1** (Adequacy)**
For every ground term , for every , \left\llbracket{M}\right\rrbracket(\{n\})=\mathop{\text{Pr}}[M\mathbin{\downarrow}n].
The proof is relatively standard, and given in the appendices. Appendix A establishes soundness, namely \left\llbracket{M}\right\rrbracket(\{n\})\geq\mathop{\text{Pr}}[M\mathbin{\downarrow}n], and Appendix B shows the converse inequality, using appropriate logical relations.
Example 5.2
We retrieve the result of Example 3.1 using adequacy as follows. \left\llbracket{\lambda r_{\mathtt{int}\to D\mathtt{int}}.\lambda m_{\mathtt{int}}.r({\mathtt{s}}m)\oplus\mathop{\mathtt{ret}}\nolimits_{\mathtt{int}}m}\right\rrbracket is the function that maps every \varphi\in\left\llbracket{\mathtt{int}\to D\mathtt{int}}\right\rrbracket (the value of ) and every m\in\left\llbracket{\mathtt{int}}\right\rrbracket=\mathbb{Z} to . Let , for every . Then maps every to the zero valuation [math], for every , for every , etc. By induction on , . Taking suprema over , we obtain that \mathop{\mathrm{lfp}}\nolimits_{\left\llbracket{\mathtt{int}\to D\mathtt{int}}\right\rrbracket}(F) maps every to . Then \left\llbracket{\mathtt{rand\_nat}}\right\rrbracket=\mathop{\mathrm{lfp}}\nolimits_{\left\llbracket{\mathtt{int}\to D\mathtt{int}}\right\rrbracket}(F)(0)=\sum_{n\in\mathbb{N}}\frac{1}{2^{n+1}}\delta_{n}.
Example 5.3
We retrieve the result of Example 2.2, using adequacy, as follows. The semantics of is the function that maps every \nu\in\left\llbracket{D\mathtt{int}}\right\rrbracket to . For every , where . Since \left\llbracket{\mathtt{int}}\right\rrbracket has equality as ordering, the ordering on \left\llbracket{D\mathtt{int}}\right\rrbracket is given by comparing the coefficients of each , N\in\left\llbracket{\mathtt{int}}\right\rrbracket. In particular, the least fixed point of is obtained as , where a\mathrel{\buildrel\text{def}\over{=}}\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{n\in\mathbb{N}}a_{n}=1/3.
Example 5.4
Here is a lengthier example, which we will leave to the reader. While lengthy, working denotationally is doable. Proving the same argument operational would be next to impossible, even in the special case .
We define a more general form of rejection sampling, as follows. Let be any type. We consider the PCFP term:
[TABLE]
The idea is that we draw according to distribution , then we call as a predicate on . If the result, , is true (zero) then we return , otherwise we start all over. Note that can itself return a random .
For every g\in{\mathcal{L}}{\left\llbracket{\tau}\right\rrbracket}, and every \nu\left\llbracket{D\tau}\right\rrbracket, we let (sometimes written ) be the continuous valuation defined from by using as a density, namely (g\cdot\nu)(U)\mathrel{\buildrel\text{def}\over{=}}\int_{x\in\left\llbracket{\tau}\right\rrbracket}\chi_{U}(x)g(x)d\nu for every open subset of \left\llbracket{\tau}\right\rrbracket, where is the characteristic map of . One can check that , using the equality , and, using (2), that for every h\in{\mathcal{L}}{\left\llbracket{\tau}\right\rrbracket}, .
For every s\in\left\llbracket{\tau\to D\mathtt{int}}\right\rrbracket, for every x\in\left\llbracket{\tau}\right\rrbracket, let , . We let the reader check that, for every environment , \left\llbracket{\mathtt{sample}}\right\rrbracket\rho maps every subprobability valuation on \left\llbracket{\tau}\right\rrbracket and every s\in\left\llbracket{\tau\to D\mathtt{int}}\right\rrbracket to the subprobability valuation \frac{1}{1-(s_{1}\cdot\nu)(\left\llbracket{\tau}\right\rrbracket)}(s_{0}\cdot\nu) if (s_{1}\cdot\nu)(\left\llbracket{\tau}\right\rrbracket)\neq 1, to the zero valuation otherwise.
In particular, if is a predicate, implemented as a function that maps every x\in U\subseteq\left\llbracket{\tau}\right\rrbracket to and every x\in V\subseteq\left\llbracket{\tau}\right\rrbracket (for some disjoint open sets and ) to , so that and , then \left\llbracket{\mathtt{sample}}\right\rrbracket\rho(\nu)(s) is the subprobability valuation if , the zero valuation otherwise. ( denotes the restriction of to , defined by .)
In the special case where is the complement of , it follows that implements conditional probabilities: \left\llbracket{\mathtt{sample}}\right\rrbracket\rho(\nu)(s)(W) is the probability that a -random element lies in , conditioned on the fact that it is in .
6 The parallel or tester
In PCFP, computation happens at type , not , hence let us call parallel or function any f\in\left\llbracket{D\mathtt{int}\to D\mathtt{int}\to\allowbreak D\mathtt{int}}\right\rrbracket such that and for every \nu\in\left\llbracket{D\mathtt{int}}\right\rrbracket. Realizing that every element of \left\llbracket{D\mathtt{int}}\right\rrbracket is of the form , with such that , the function defined by is such a parallel or function.
Note how parallel ors differ from the usual left-to-right sequential or used in most programming languages:
[TABLE]
whose semantics is given by \left\llbracket{\mathtt{lror}}\right\rrbracket(a\delta_{0}+b\delta_{1})(a^{\prime}\delta_{0}+b^{\prime}\delta_{1})=(a+ba^{\prime})\delta_{0}+bb^{\prime}\delta_{1}—so \left\llbracket{\mathtt{lror}}\right\rrbracket maps to , and to , but maps to , not . Symmetrically, there is a right-to-left sequential or:
[TABLE]
We define a parallel or tester as follows:
[TABLE]
where . One can check that \left\llbracket{\mathtt{portest}}\right\rrbracket(por)=\delta_{0}, and that would hold for any other parallel or function instead of . If things worked in PCFP as in PCF, we would be able to show that is contextually equivalent to the constant map that loops on every input .
However, that is not the case. As we will now see, there is a PCFP term, the poor man’s parallel or , such that terminates with non-zero probability. That term takes its two arguments of type , then decides to do one of the following three actions with equal probability : (1) call on the two arguments; (2) call on the two arguments; or (3) return true ([math]), regardless of its arguments.
In order to define , we need to draw an element out of three with equal probability. We do that by rejection sampling, imitating (Examples 2.2, 3.2 and 5.3): we draw one element among four with equal probability, and we repeat until it falls in a specified subset of three. Hence we define:
[TABLE]
One can show that \left\llbracket{\mathtt{pmpor}}\right\rrbracket maps every pair of subprobability distributions , on \left\llbracket{\mathtt{int}}\right\rrbracket to \frac{1}{3}\left\llbracket{\mathtt{rlor}}\right\rrbracket(\mu)(\nu)+\frac{1}{3}\left\llbracket{\mathtt{lror}}\right\rrbracket(\mu)(\nu)+\frac{1}{3}\delta_{0}. Intuitively, will terminate with probability : with , the first test will succeed whether acts as or as (but not as the constant map returning ), which happens with probability ; the second test will succeed whether acts as or as the constant map returning (but not as ), again with probability ; and the final test will symmetrically succeed with probability .
We now show that the probability is optimal. To this end, we need to use a logical relation , namely a family of relations , one for each type , and related by certain constraints to be described below. Each will be an -ary relation on values in \left\llbracket{\tau}\right\rrbracket, for some non-empty set , namely {\triangleright}_{\tau}\subseteq(\left\llbracket{\tau}\right\rrbracket)^{I}. In practice, we will take , but the proofs are easier if we keep arbitrary for now.
Our construction will be parameterized by an -ary relation . We will also define an auxiliary family of relations , as certain subsets of ({\mathcal{L}}{\left\llbracket{\tau}\right\rrbracket})^{I}. We require to contains the all zero tuple , to be closed under directed suprema, and to be convex. (By convex, we mean that for all and , is in as well.)
We define:
- •
if and only if all are equal;
- •
if and only if for all , ;
- •
if and only if for all , {(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)d\nu_{i})}_{i\in I}\in{\triangleright};
- •
if and only if for all , .
We also define by if and only if for every variable , . We prove the following basic lemma of logical relations:
Proposition 6.1
For all , for every , {(\left\llbracket{M}\right\rrbracket\rho_{i})}_{i\in I} is in .
Proof. Step 1. We claim that for every type , is closed under directed suprema taken in {(\left\llbracket{\tau}\right\rrbracket)}^{I}, and contains the least element if is a computation type. This is by induction on . The claim is trivial for , since \left\llbracket{\mathtt{int}}\right\rrbracket^{I} is ordered by equality. For every directed family in , with , we form its supremum pointwise, namely f_{i}\mathrel{\buildrel\text{def}\over{=}}\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{j\in J}f_{ji}. For every , is in for every , so by induction hypothesis is also in . It follows that is in . For every directed family in , with , we form its supremum pointwise, that is \nu_{i}\mathrel{\buildrel\text{def}\over{=}}\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{j\in J}\nu_{ji}. For all , {(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)d\nu_{ji})}_{i\in I}\in{\triangleright} for every , by induction hypothesis. We take suprema over . Since is closed under directed suprema, and integration is Scott-continuous in the valuation, {(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)d\nu_{i})}_{i\in I} is in . Since is arbitrary, .
We also show that for every computation type . For function types, this is immediate. For types of the form , we must check that is in . For all , we indeed have {(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)d0)}_{i\in I}\in{\triangleright}, since .
Step 2. We claim that for all , for all , . We wish to use the definition of , so we consider an arbitrary tuple , and we aim to prove that {(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)df_{i}^{\dagger}(\nu_{i}))}_{i\in I} is in . For that, we use equation (2), to the effect that \int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)df_{i}^{\dagger}(\nu_{i})=\int_{x\in\left\llbracket{\sigma}\right\rrbracket}\left(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)df_{i}(x)\right)d\nu_{i}, for every .
Let us define h^{\prime}_{i}(x)\mathrel{\buildrel\text{def}\over{=}}\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)df_{i}(x). We claim that . Let . Then , and since , is in , by definition of . Since is arbitrary, .
Since and , by definition of we obtain that {(\int_{x_{i}\in\left\llbracket{D\sigma}\right\rrbracket}h^{\prime}_{i}(x_{i})d\nu_{i})}_{i\in I} is in , and this is exactly what we wanted to prove.
We now prove the claim by induction on . If is a variable, this is by assumption. If , this is trivial. If is of the form , then all the values \left\llbracket{N}\right\rrbracket\rho_{i} are equal, hence also all the values \left\llbracket{M}\right\rrbracket\rho_{i}=\left\llbracket{N}\right\rrbracket\rho_{i}+1. Similarly for terms of the form . The case of applications is by definition of . In the case of abstractions with , we must show that, letting be the map V\in\left\llbracket{\sigma}\right\rrbracket\mapsto\left\llbracket{M}\right\rrbracket(\rho_{i}[x_{\sigma}\mapsto V]) (), for all , . This boils down to checking that {(\left\llbracket{M}\right\rrbracket(\rho_{i}[x_{\sigma}\mapsto V_{i}]))}_{i\in I}\in{\triangleright}_{\tau} for all , which follows immediately from the induction hypothesis and the easily checked fact that is in .
The case of terms of the form , where is a computation type, is more interesting. Let be the map \left\llbracket{M}\right\rrbracket\rho_{i}\colon\left\llbracket{\tau}\right\rrbracket\to\left\llbracket{\tau}\right\rrbracket. By induction hypothesis is in , so for all , is in . Iterating this, we have for every . By Step 1, is in . Hence for every . Since is closed under directed suprema by Step 1, {(\mathop{\mathrm{lfp}}\nolimits_{\left\llbracket{\tau}\right\rrbracket}f_{i})}_{i\in I}={(\left\llbracket{\mathop{\mathtt{rec}}\nolimits_{\tau}M}\right\rrbracket\rho_{i})}_{i\in I} is in .
For terms of the form of type , by induction hypothesis {(\left\llbracket{N}\right\rrbracket\rho_{i})}_{i\in I}\in{\triangleright}_{\mathtt{int}}, so all values \left\llbracket{N}\right\rrbracket\rho_{i} are the same integer, say . (And this term exists because is non-empty.) If , then for every , \left\llbracket{M}\right\rrbracket\rho_{i} is then equal to \left\llbracket{P}\right\rrbracket\rho_{i}, so {(\left\llbracket{M}\right\rrbracket\rho_{i})}_{i\in I}={(\left\llbracket{P}\right\rrbracket\rho_{i})}_{i\in I} is in . We reason similarly if .
For terms of the form , of type , we consider an arbitrary tuple . By induction hypothesis {(\left\llbracket{M}\right\rrbracket\rho_{i})}_{i\in I} and {(\left\llbracket{N}\right\rrbracket\rho_{i})}_{i\in I} are in , so {(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)d\left\llbracket{M}\right\rrbracket\rho_{i})}_{i\in I} and {(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)d\left\llbracket{N}\right\rrbracket\rho_{i})}_{i\in I} are in . Since is convex, and integration is linear in the valuation, {(\int_{V\in\left\llbracket{\tau}\right\rrbracket}h_{i}(V)d\left\llbracket{M\oplus N}\right\rrbracket\rho_{i})}_{i\in I} is also in . Since is arbitrary, {(\left\llbracket{M\oplus N}\right\rrbracket\rho_{i})}_{i\in I} is in .
For terms of the form , we again consider an arbitrary tuple in . By induction hypothesis, {(\left\llbracket{M}\right\rrbracket\rho_{i})}_{i\in I} is in , so by definition of , {(h_{i}(\left\llbracket{M}\right\rrbracket\rho_{i}))}_{i\in I} is in . Equivalently, {(\int_{V\in\left\llbracket{\sigma}\right\rrbracket}h_{i}(V)d\delta_{\left\llbracket{M}\right\rrbracket\rho_{i}})}_{i\in I} is in , and that means that {(\left\llbracket{\mathop{\mathtt{ret}}\nolimits_{\sigma}M}\right\rrbracket\rho_{i})}_{i\in I} is in .
Finally, for terms , we have {(\left\llbracket{M}\right\rrbracket\rho_{i})}_{i\in I}\in{\triangleright}_{D\sigma} and {(\left\llbracket{N}\right\rrbracket\rho_{i})}_{i\in I}\in{\triangleright}_{\sigma\to D\sigma} by induction hypothesis, so {(\left\llbracket{\mathop{\mathtt{bind}}\nolimits_{\sigma,\tau}MN}\right\rrbracket\rho_{i})}_{i\in I}\in{\triangleright}_{D\tau}by Step 2.
Proposition 6.2
For every ground PCFP term , \left\llbracket{\mathtt{portest}\;P}\right\rrbracket\leq 8/27\cdot\delta_{0}.
Proof. We specialize the construction of the logical relation
to and to , defined as the downward closure in of the convex hull of the three points , , and . The relation has an alternate description as the set of those points of such that and . This is depicted on the right.
The relations and are ternary to account for the three calls to in the definition of , and is designed so that is as small a relation as possible that contains the triples and . Considering the three tests , and , the triple consists of the first arguments to in those tests, and the triple consists of the second arguments. Hence, with bound to , the triple consisting of the three values of , and respectively will also be contained in , by the basic lemma of logical relations (Proposition 6.1). We will then show that the largest probability that those values are , [math] and [math] respectively is , and this will complete the proof.
First, let us check that and are in . To that end, we simplify the expression of . For all h_{1},h_{2},h_{3}\in{\mathcal{L}}\left\llbracket{\mathtt{int}}\right\rrbracket, if and only if for every n\in\left\llbracket{\mathtt{int}}\right\rrbracket, . Next, is in if and only if for all , . Since is convex and downwards-closed, it suffices to check the latter when the triples and each range over the three points , (nine possibilities). Let us write as . Hence is in if and only if the nine triples () are in , namely consist of non-negative numbers that sum up to a value at most . Verifying that this holds for (, , , , ) and (, , , , ) means verifying that for all , between and , and are in , which is obvious since those are triples of numbers equal to [math] or to .
Using Proposition 6.1, (\left\llbracket{P}\right\rrbracket\allowbreak(\delta_{1})\allowbreak(\delta_{1}),\left\llbracket{P}\right\rrbracket(\delta_{0})(0),\left\llbracket{P}\right\rrbracket(0)(\delta_{0})) is also in . Let us write that triple as . Then \left\llbracket{\mathtt{portest}\;P}\right\rrbracket is equal to , as one can check. We wish to maximize subject to the constraint . That constraint rewrites to the following list of twelve inequalities, not mentioning the constraints that say that each and each is non-negative:
- •
, , and should be at most ,
- •
and the nine values , , , , , , , and should be at most .
That is not manageable. To help us, we have run a Monte-Carlo simulation: draw a large number of values at random for the variables and so as to verify all constraints (using rejection sampling), and find those that lead to the largest value of . That simulation gave us the hint that the maximal value of was indeed , attained for , , , , , . We now have to verify that formally. Knowing which values of and maximize allows us to select which constraints are the important ones, and then one can simplify slightly further.
In order to obtain a formal argument, we therefore choose to maximize with respect to the relaxed constraints that (an inequality implied by all the above constraints), all numbers being non-negative. This will give us an upper bound, which may fail to be optimal (but won’t).
In order to do so, we first maximize under the constraints and . Rewrite as , as , and as , where and . (Namely, let ; if , let and be arbitrary; otherwise, let ; if , then let be arbitrary; otherwise, let .) The maximal value of is obtained by maximizing:
- •
(as ),
- •
when (value obtained at , see Figure 5, left),
- •
and when (value obtained at , see Figure 5, right),
hence is equal to . It follows that for all such that , , by taking for each .
We sum up our results as follows. Note that , for any , if .
Theorem 6.3
For every ground PCFP term , the probability that fools the parallel or tester never exceeds . That bound is attained by taking .
7 Conclusion and Related Work
There is an extensive literature on the semantics of higher-order functional languages, and extensions that include probabilistic choice are now attracting attention more than ever.
Concerning denotational semantics, we should cite the following. Probabilistic coherence spaces provide a fully abstract semantics for a version of PCF with probabilistic choice, as shown by Ehrhard, Tasson, and Pagani [ETP14]. Quasi-Borel spaces and predomains have recently been used to give adequate semantics to typed and untyped probabilistic programming languages, see e.g. [VKS19]. QCB spaces form a convenient category in which various effects, including probabilistic choice, can be modeled [Bat06]. Comparatively, the domain-theoretic semantics we are using in this paper is rather mundane, and I have used similar models for further extensions that also include angelic [Gou15] and demonic [Gou19b] non-deterministic choice. In those papers, I obtain full abstraction at the price of adding some extra primitives, but also of considering a richer semantics that also includes forms of non-deterministic choice. The latter allows us to work in categories with nice properties. That is not available in the context of PCFP, because there is no known Cartesian-closed category of continuous dcpos that is closed under [JT98].
Let me remind the reader that denotational semantics is only a tool here: the result we have presented concerns the operational semantics, and domain-theory is only used, through adequacy, in order to bound . One may wonder whether a direct operational approach would work, but I doubt it strongly. Eventually, any operational approach would have to find suitable invariants, and such invariants will be hard to distinguish from an actual denotational semantics.
One may wonder whether such semantical proofs would be useful in the realm of probabilistic process algebras as well. In non-probabilistic process algebras, syntactic reasoning is usually enough, using bisimulations and up-to techniques. The case of probabilistic processes is necessarily more complex, and may benefit from such semantical arguments.
Appendix A Soundness
There is a unique way of defining a denotational semantics \left\llbracket{C}\right\rrbracket\rho of contexts in such a way that \left\llbracket{C[M]}\right\rrbracket\rho=\left\llbracket{C}\right\rrbracket\rho(\left\llbracket{M}\right\rrbracket\rho) for every of the right type and every . For , \left\llbracket{C}\right\rrbracket\rho is the composition of the maps \left\llbracket{E_{0}}\right\rrbracket\rho, \left\llbracket{E_{1}}\right\rrbracket\rho, …, \left\llbracket{E_{n}}\right\rrbracket\rho, where for each elementary or initial context , \left\llbracket{E}\right\rrbracket\rho is defined by:
- •
for every , \left\llbracket{[\_N]}\right\rrbracket\rho(f)\mathrel{\buildrel\text{def}\over{=}}f(\left\llbracket{N}\right\rrbracket\rho);
- •
\left\llbracket{[{\mathtt{p}}\_]}\right\rrbracket\rho(n)\mathrel{\buildrel\text{def}\over{=}}n-1, \left\llbracket{[{\mathtt{s}}\_]}\right\rrbracket\rho(n)\mathrel{\buildrel\text{def}\over{=}}n+1;
- •
\left\llbracket{[\mathop{\mathtt{if}}\nolimits{\_}=0\;\mathtt{then}\;{N}\;\mathbin{\mathtt{else}}{P}]}\right\rrbracket\rho(n)\mathrel{\buildrel\text{def}\over{=}}\left\llbracket{N}\right\rrbracket\rho if , \left\llbracket{P}\right\rrbracket\rho otherwise;
- •
\left\llbracket{[\mathop{\mathtt{bind}}\nolimits_{\sigma,\tau}\_N]}\right\rrbracket\rho\mathrel{\buildrel\text{def}\over{=}}(\left\llbracket{N}\right\rrbracket\rho)^{\dagger};
- •
\left\llbracket{[\mathop{\mathtt{ret}}\nolimits_{\mathtt{int}}\_]}\right\rrbracket\rho(n)\mathrel{\buildrel\text{def}\over{=}}\eta(n)=\delta_{n};
- •
\left\llbracket{[\_]}\right\rrbracket\rho(\nu)\mathrel{\buildrel\text{def}\over{=}}\nu;
It is standard that \left\llbracket{M}\right\rrbracket\rho only depends on the value of on the free variables of (if for every free variable of , then \left\llbracket{M}\right\rrbracket\rho=\left\llbracket{M}\right\rrbracket\rho^{\prime}), and that for every substitution , \left\llbracket{M\theta}\right\rrbracket\rho=\left\llbracket{M}\right\rrbracket(\left\llbracket{\theta}\right\rrbracket\rho), where \left\llbracket{\theta}\right\rrbracket\rho is the environment that maps every , , to \left\llbracket{N_{i}}\right\rrbracket\rho and all other variables to . In particular, \left\llbracket{M[x_{\sigma}:=N]}\right\rrbracket\rho=\left\llbracket{M}\right\rrbracket(\rho[x_{\sigma}\mapsto\left\llbracket{N}\right\rrbracket\rho]). Finally, \left\llbracket{(\lambda x_{\sigma}.M)N}\right\rrbracket\rho is equal to \left\llbracket{M[x_{\sigma}:=N]}\right\rrbracket\rho. We have:
Lemma A.1
Let be an environment.
For every rule of the form , \left\llbracket{s}\right\rrbracket\rho=\left\llbracket{t}\right\rrbracket\rho. 2. 2.
For every context of type , for all , \left\llbracket{C\cdot M\oplus N}\right\rrbracket\rho=\frac{1}{2}\left\llbracket{C\cdot M}\right\rrbracket\rho+\frac{1}{2}\left\llbracket{C\cdot N}\right\rrbracket\rho.
Proof.
-
All the cases are easily checked, except perhaps for the rule . That reduces to showing the equality \left\llbracket{\mathop{\mathtt{bind}}\nolimits_{\sigma,\tau}(\mathop{\mathtt{ret}}\nolimits_{\sigma}M)N}\right\rrbracket\rho=\left\llbracket{NM}\right\rrbracket\rho. The left-hand side is (\left\llbracket{N}\right\rrbracket\rho)^{\dagger}(\eta(\left\llbracket{M}\right\rrbracket\rho)), which is equal to \left\llbracket{N}\right\rrbracket\rho(\left\llbracket{M}\right\rrbracket\rho), by (1). In turn, that is \left\llbracket{NM}\right\rrbracket\rho.
-
Let . By inspection of types, all the elementary contexts , , must be of the form for some , , and .
We observe that \left\llbracket{E_{i}}\right\rrbracket\rho=(\left\llbracket{N_{i}}\right\rrbracket\rho)^{\dagger} is a linear map. In fact, is linear for every Scott-continuous map , in the following sense: for all with , for all , . Indeed, for every , .
It follows that \left\llbracket{C}\right\rrbracket\rho is also a linear map. Then \left\llbracket{C\cdot M\oplus N}\right\rrbracket\rho=\left\llbracket{C}\right\rrbracket\rho(\frac{1}{2}\left\llbracket{M}\right\rrbracket\rho+\frac{1}{2}\left\llbracket{N}\right\rrbracket\rho)=\frac{1}{2}\left\llbracket{C}\right\rrbracket\rho(\left\llbracket{M}\right\rrbracket\rho)+\frac{1}{2}\left\llbracket{C}\right\rrbracket(\left\llbracket{N}\right\rrbracket\rho)=\frac{1}{2}\left\llbracket{C\cdot M}\right\rrbracket\rho+\frac{1}{2}\left\llbracket{C\cdot N}\right\rrbracket\rho.
Proposition A.2** (Soundness)**
For every configuration of type , for every , for every environment , \left\llbracket{s}\right\rrbracket\rho(\{n\})\geq\mathop{\text{Pr}}[s\mathbin{\downarrow}n].
Proof. It suffices to show that for every such that , r\leq\left\llbracket{s}\right\rrbracket\rho(\{n\}). We write as a possibly infinite sum. Since , there is a finite subset of the summands which sum to at least . In other words, there is a finite set of traces starting at and ending at , whose weights sum up to at least . Let be some upper bound on the lengths of those traces. By induction on , we show that the sum of all weights of traces of length at most , starting at and ending at , is less than or equal to \left\llbracket{s}\right\rrbracket\rho(\{n\}), and this will prove the claim.
If , then \left\llbracket{s}\right\rrbracket\rho(\{n\})=\delta_{\left\llbracket{n}\right\rrbracket\rho}(\{n\})=1. Therefore \mathop{\text{Pr}}_{\leq N}[s\mathbin{\downarrow}n]\leq\left\llbracket{s}\right\rrbracket\rho(\{n\}).
From now on, we assume that is not of the form .
If , then there is no trace of length at most starting at and ending at , so \mathop{\text{Pr}}_{\leq N}[s\mathbin{\downarrow}n]=0\leq\left\llbracket{s}\right\rrbracket\rho(\{n\}).
If , then we explore three cases.
If no rule applies to , namely if for no and no , then \mathop{\text{Pr}}_{\leq N}[s\mathbin{\downarrow}n]=0\leq\left\llbracket{s}\right\rrbracket\rho(\{n\}).
If if of the form then \mathop{\text{Pr}}_{\leq N-1}(C\cdot M\mathbin{\downarrow}n)\leq\left\llbracket{C\cdot M}\right\rrbracket\rho(\{n\}) and \mathop{\text{Pr}}_{\leq N-1}(C\cdot N\mathbin{\downarrow}n)\leq\left\llbracket{C\cdot N}\right\rrbracket\rho(\{n\}), by induction hypothesis. Now , which is less than or equal to \frac{1}{2}\left\llbracket{C\cdot M}\right\rrbracket\rho(\{n\})+\frac{1}{2}\left\llbracket{C\cdot N}\right\rrbracket\rho(\{n\})=\left\llbracket{C\cdot M\oplus N}\right\rrbracket\rho(\{n\}), by Lemma A.1, item 2.
In all other cases, for some unique configuration , so that \mathop{\text{Pr}}_{\leq N}(s\mathbin{\downarrow}n)=\mathop{\text{Pr}}_{\leq N-1}(t\mathbin{\downarrow}n)\leq\left\llbracket{t}\right\rrbracket\rho(\{n\}), by induction hypothesis. By Lemma A.1, item 1, the latter is equal to \left\llbracket{s}\right\rrbracket\rho(\{n\}).
Appendix B Adequacy
The key to proving the converse of soundness is the design of a suitable logical relation , where each is a binary relation between ground terms of type and elements of \left\llbracket{\tau}\right\rrbracket. Since \left\llbracket{M}\right\rrbracket\rho does not depend on when is ground, we simply write \left\llbracket{M}\right\rrbracket in that case. We write \left\llbracket{C}\right\rrbracket similarly for ground contexts .
The definition of is by induction on , using auxiliary relations between ground contexts and Scott-continuous maps h\colon\left\llbracket{D\tau}\right\rrbracket\to\left\llbracket{D\mathtt{int}}\right\rrbracket:
- •
for all ground and , if and only if ;
- •
for all types , , for all ground and f\in\left\llbracket{\sigma\to\tau}\right\rrbracket, if and only if for all , (we say “for all ” instead of “for every ground and for every a\in\left\llbracket{\sigma}\right\rrbracket such that ”);
- •
for every type , for all ground and \nu\in\left\llbracket{D\tau}\right\rrbracket, if and only if for every ground context , for every Scott-continuous map h\colon\left\llbracket{D\tau}\right\rrbracket\to\left\llbracket{D\mathtt{int}}\right\rrbracket such that , for every , ;
- •
for every type , for every ground context , for every Scott-continuous map h\colon\left\llbracket{D\tau}\right\rrbracket\to\left\llbracket{D\mathtt{int}}\right\rrbracket, if and only if for all , for every , .
Lemma B.1
If by any sequence of rules except the rule , then for every context of the expected type, .
Proof. It suffices to show the claim under the assumption that by any other rule than the one we excluded. This is clear, since no rule except the one we excluded requires the context to have any specific shape.
Lemma B.2
For every context , for every term ,
* by using the exploration rules only;* 2. 2.
the run starting at must start with the trace , followed by the run starting at .
Proof. 1 is clear. 2 is because the operational semantics is deterministic, in the sense that and implies .
Lemma B.3
For every context , if is a computation type, then so is .
Proof. By inspection of the elementary contexts.
Lemma B.4
For every configuration of type , every trace satisfies . Moreover, it does not use the rule .
Proof. It is enough to show the claim under the assumption that . Let us write as , where is of type and . By Lemma B.3, cannot be a computation type. It follows that the rule that was used cannot be or , since has a computation type. Similarly, it cannot be , again because has a computation type.
Lemma B.5
For all terms and , for every context , for every V\in\left\llbracket{\tau}\right\rrbracket, if without using the rule , and if , then .
Proof. By induction on . If , means that . By Lemma B.2, item 2, our trace starting at and ending at must factor as . Hence , showing that .
For types of the form , our task is to show that , where is any subprobability valuation in \left\llbracket{D\tau}\right\rrbracket, knowing that . We let be an arbitrary ground context, h\colon\left\llbracket{D\tau}\right\rrbracket\to\left\llbracket{D\mathtt{int}}\right\rrbracket be an arbitrary Scott-continuous map such that , and we wish to show that for every n\in\left\llbracket{\mathtt{int}}\right\rrbracket, . By Lemma B.1, . Since , . By Lemma B.2, item 2, the run starting at must factor as a trace followed by a run starting at , so . Prepending instead the trace (i.e., using Lemma 3.3, item 2), we see that . That is equal to , which is larger than or equal to since and .
For function types , we wish to show that , where f\in\left\llbracket{\sigma\to\tau}\right\rrbracket, knowing that . The latter means that for all , . For every , there is a trace , by Lemma B.1 with context , and this trace does not use the rule . By induction hypothesis (using instead of ), . Since and are arbitrary, .
By taking , we obtain the following.
Corollary B.6
Let , and V\in\left\llbracket{\tau}\right\rrbracket. If by any sequence of rules except , and if then .
Lemma B.7
For every ground term , the set , defined as the set of elements a\in\left\llbracket{\tau}\right\rrbracket such that , is Scott-closed. If is a computation type, then it also contains the least element of \left\llbracket{\tau}\right\rrbracket.
Proof. By induction on . When , this is obvious. Let us consider the case of types of the form . For every ground context , for every Scott-continuous map h\colon\left\llbracket{D\tau}\right\rrbracket\to\left\llbracket{D\mathtt{int}}\right\rrbracket such that , for every n\in\left\llbracket{\mathtt{int}}\right\rrbracket, the set \Gamma_{C,h,n}\mathrel{\buildrel\text{def}\over{=}}\{\nu\in\left\llbracket{D\tau}\right\rrbracket\mid h(\nu)(\{n\})\leq\mathop{\text{Pr}}[C\cdot M\mathbin{\downarrow}n]\} is Scott-closed: it is easily seen to be downwards-closed, and for every directed family in , h(\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}\nu_{i})(\{n\})=\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}h(\nu_{i})(\{n\})\leq\mathop{\text{Pr}}[C\cdot M\mathbin{\downarrow}n], so \sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}\nu_{i}\in\Gamma_{C,h,n}. is the intersection of all the sets , hence is Scott-closed as well. It also contains the least element of \left\llbracket{D\mathtt{int}}\right\rrbracket, the zero valuation, since for all and .
Finally, we consider function types. Let be ground, and let us show that is Scott-closed. That is equal to the intersection over all of the sets , where \Delta_{N,a}\mathrel{\buildrel\text{def}\over{=}}\{f\in\left\llbracket{\sigma\to\tau}\right\rrbracket\mid f(a)\in(MN\mathrel{R}_{\tau})\}. is clearly downwards-closed; for Scott closure, for every directed family in , (\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}f_{i})(a)=\sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{i\in I}f_{i}(a) is in , because the latter is Scott-closed by induction hypothesis. Taking intersections, is Scott-closed as well.
When is a computation type, is one, too, and by induction hypothesis for all . That means that for all , hence that .
Corollary B.8
For every computation type , for all , \mathop{\mathtt{rec}}\nolimits_{\tau}M\mathrel{R}_{\tau}\mathop{\mathrm{lfp}}\nolimits_{\left\llbracket{\tau}\right\rrbracket}f.
Proof. By the second part of Lemma B.7, .
Additionally, for every a\in\left\llbracket{\tau}\right\rrbracket, if then , since . Using Corollary B.6 with the step , it follows that .
Hence for every , is also in . It follows that is in for every . By Lemma B.7, \sideset{}{{}^{\,\makebox[0.0pt]{\scriptstyle\uparrow}\!}}{\sup}_{n\in\mathbb{N}}f^{n}(\bot_{\tau}) must also be in , and that is just \mathop{\mathrm{lfp}}\nolimits_{\left\llbracket{\tau}\right\rrbracket}(f).
Lemma B.9
Let be a type. For all , .
Proof. Relying on the definition of , let be a basic type, be a ground context, h\colon\left\llbracket{D\sigma}\right\rrbracket\to\left\llbracket{D\beta}\right\rrbracket be Scott-continuous, and assume that . By definition of , and since , we obtain , and that is what we wanted to show.
Lemma B.10
Let , be types. For all and , we have .
Proof. We plan to use the definition of , and for that we fix an arbitrary ground context , an arbitrary Scott-continuous map h\colon\left\llbracket{D\tau}\right\rrbracket\to\left\llbracket{D\mathtt{int}}\right\rrbracket such that , and we wish to show: for every , .
For all , by definition of , we have . Since , and using the definition of , we obtain that for every . We note that and we use Lemma 3.3, item 2, so . By (1), , so . Since , and are arbitrary such that , we obtain that , by definition of .
From that and , it follows that, for every , . Since , and using Lemma 3.3, item 2, we obtain . Since , and are arbitrary such that , .
The crucial property of logical relations is the following basic lemma of logical relations. For a ground substitution and an environment , we write to mean that for every , , , where is the type of . The following is the basic lemma of logical relations for the case at hand.
Proposition B.11
For every PCFP term , for every ground substitution such that all the free variables of are in , and for every environment such that , M\theta\mathrel{R}_{\tau}\left\llbracket{M}\right\rrbracket\rho.
Proof. This is by induction on the structure of . If for some , (where ), then this follows from the assumption .
If is a constant , then , because , trivially. If , then by induction hypothesis , where n\mathrel{\buildrel\text{def}\over{=}}\left\llbracket{N}\right\rrbracket\rho. Therefore . By Lemma B.4, that trace does not use the rule . We can therefore apply Lemma B.5 to the effect that . Then [\_]\cdot{\mathtt{s}}M\mathrel{\buildrel 1\over{\to}}[{\mathtt{s}}\_]\cdot N\mathrel{\buildrel 1\over{\to}{}^{*}}[{\mathtt{s}}\_]\cdot n\mathrel{\buildrel 1\over{\to}}[\_]\cdot n+1=\left\llbracket{M}\right\rrbracket\rho. We reason similarly if .
In the case of terms of the form , we must show that \mathop{\mathtt{if}}\nolimits{M\theta}=0\;\mathtt{then}\;{N\theta}\;\mathbin{\mathtt{else}}{P\theta}\mathrel{R}_{\tau}\left\llbracket{\mathop{\mathtt{if}}\nolimits{M}=0\;\mathtt{then}\;{N}\;\mathbin{\mathtt{else}}{P}}\right\rrbracket\rho, knowing that M\theta\mathrel{R}_{\mathtt{int}}\left\llbracket{M}\right\rrbracket\rho, N\theta\mathrel{R}_{\tau}\left\llbracket{N}\right\rrbracket\rho and P\theta\mathrel{R}_{\tau}\left\llbracket{P}\right\rrbracket\rho by induction hypothesis. Let n\mathrel{\buildrel\text{def}\over{=}}\left\llbracket{M}\right\rrbracket\rho. Since , we have a trace , which cannot use the rule by Lemma B.4. Hence , and therefore by using an additional instance of the leftmost exploration rule. If , by doing one more computation step, we obtain , still not using the rule . We now use Lemma B.5, and we obtain that \mathop{\mathtt{if}}\nolimits{M\theta}=0\;\mathtt{then}\;{N\theta}\;\mathbin{\mathtt{else}}{P\theta}\mathrel{R}_{\tau}\left\llbracket{N}\right\rrbracket\rho=\left\llbracket{M}\right\rrbracket\rho. When , we reason similarly and we obtain that \mathop{\mathtt{if}}\nolimits{M\theta}=0\;\mathtt{then}\;{N\theta}\;\mathbin{\mathtt{else}}{P\theta}\mathrel{R}_{\tau}\left\llbracket{P}\right\rrbracket\rho=\left\llbracket{M}\right\rrbracket\rho.
In the case of applications, we must show that (MN)\theta\mathrel{R}_{\tau}\left\llbracket{M}\right\rrbracket\rho(\left\llbracket{N}\right\rrbracket\rho). This follows from the definition of , since by induction hypothesis M\theta\mathrel{R}_{\sigma\to\tau}\left\llbracket{M}\right\rrbracket\rho and N\theta\mathrel{R}_{\sigma}\left\llbracket{N}\right\rrbracket\rho.
In the case of abstractions, we must show that (\lambda x_{\sigma}.M)\theta\mathrel{R}_{\sigma\to\tau}\left\llbracket{\lambda x_{\sigma}.M}\right\rrbracket\rho. We write as , we fix an arbitrary ground term , and a value a\in\left\llbracket{\sigma}\right\rrbracket such that . We rename to a fresh variable if necessary, and we define as , so that and . We must show that (\lambda x_{\sigma}.M\theta)N\mathrel{R}_{\tau}\left\llbracket{M}\right\rrbracket(\rho[x_{\sigma}\mapsto a]). By induction hypothesis, M\theta^{\prime}\mathrel{R}_{\tau}\left\llbracket{M}\right\rrbracket(\rho[x_{\sigma}\mapsto a]). We now apply Corollary B.6, noticing that . This allows us to conclude that (\lambda x_{\sigma}.M\theta)N\mathrel{R}_{\tau}\left\llbracket{M}\right\rrbracket(\rho[x_{\sigma}\mapsto a]), as desired.
Let us deal with terms of the form , of type . We must show that for every ground context , for every Scott-continuous map h\colon\left\llbracket{D\tau}\right\rrbracket\to\left\llbracket{D\mathtt{int}}\right\rrbracket such that , for every , . By induction hypothesis, M\theta\mathrel{R}_{D\tau}\left\llbracket{M}\right\rrbracket\rho, so . Similarly, . By Lemma 3.3, item 3,
[TABLE]
The case of terms of the form , and follow from Corollary B.8, Lemma B.9, and Lemma B.10 respectively.
Lemma B.12
[\_]\mathrel{R}_{D\mathtt{int}}^{\perp}\mathrm{id}_{\left\llbracket{D\mathtt{int}}\right\rrbracket}.
Proof. We must show that for all , for every n\in\left\llbracket{\mathtt{int}}\right\rrbracket, . By definition of , and since , . By Lemma B.4, that trace does not use the rule . We can therefore use Lemma B.1, and we obtain . Together with , we obtain that . That is, is equal to if , [math] otherwise. This is precisely .
Theorem B.13** (Adequacy)**
For every ground term , for every , \left\llbracket{M}\right\rrbracket(\{n\})=\mathop{\text{Pr}}[M\mathbin{\downarrow}n].
Proof. By soundness (Proposition A.2), \left\llbracket{M}\right\rrbracket(\{n\})\geq\mathop{\text{Pr}}[M\mathbin{\downarrow}n]. In the converse direction, we use Proposition B.11 with and we obtain M\mathrel{R}_{D\mathtt{int}}\left\llbracket{M}\right\rrbracket. By Lemma B.12, [\_]\mathrel{R}_{D\mathtt{int}}^{\perp}\mathrm{id}_{\left\llbracket{D\mathtt{int}}\right\rrbracket}. Hence, using the definition of , for every , \mathop{\text{Pr}}[M\mathbin{\downarrow}n]\geq\mathrm{id}_{\left\llbracket{D\mathtt{int}}\right\rrbracket}(\left\llbracket{M}\right\rrbracket)(\{n\})=\left\llbracket{M}\right\rrbracket(\{n\}).
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[AJ 94] Samson Abramsky and Achim Jung. Domain theory. In S. Abramsky, D. M. Gabbay, and T. S. E. Maibaum, editors, Handbook of Logic in Computer Science vol. III , pages 1–168. Oxford University Press, 1994.
- 2[Bat 06] Ingo Battenfeld. Computational effects in topological domain theory. Electronic Notes in Theoretical Computer Science , 158:59–80, 2006.
- 3[Bir 98] B. Bird. Introduction to Functional Programming using Haskell . Prentice-Hall Series in Computer Science, 1998.
- 4[ETP 14] Thomas Ehrhard, Christine Tasson, and Michele Pagani. Probabilistic coherence spaces are fully abstract for probabilistic PCF. In Suresh Jagannathan and Peter Sewell, editors, Proc. 41st Ann. ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’14) , pages 309–320, 2014.
- 5[GHK + 03] Gerhard Gierz, Karl Heinrich Hofmann, Klaus Keimel, Jimmie D. Lawson, Michael Mislove, and Dana Stewart Scott. Continuous Lattices and Domains , volume 93 of Encyclopedia of Mathematics and its Applications . Cambridge University Press, 2003.
- 6[Gou 13] Jean Goubault-Larrecq. Non-Hausdorff Topology and Domain Theory—Selected Topics in Point-Set Topology , volume 22 of New Mathematical Monographs . Cambridge University Press, 2013.
- 7[Gou 15] Jean Goubault-Larrecq. Full abstraction for non-deterministic and probabilistic extensions of PCF I: the angelic cases. Journal of Logic and Algebraic Methods in Programming , 84(1):155–184, January 2015.
- 8[Gou 19a] Jean Goubault-Larrecq. Fooling the parallel or tester with probability 8 / 27 8 27 8/27 . ar Xiv, 2019.
