Behavioural Equivalence via Modalities for Algebraic Effects
Alex Simpson, Niels Voorneveld

TL;DR
This paper develops a logic with effect-specific modalities to characterize behavioural equivalence in effectful functional programs, ensuring congruence under certain conditions for various algebraic effects.
Contribution
It introduces a general theory of modalities for behavioural equivalence, establishing conditions for their effectiveness and applicability to multiple algebraic effects.
Findings
Modalities satisfy openness and decomposability for several effects
Behavioural equivalence coincides with applicative bisimilarity under these modalities
The approach ensures congruence via a generalized Howe's method
Abstract
The paper investigates behavioural equivalence between programs in a call-by-value functional language extended with a signature of (algebraic) effect-triggering operations. Two programs are considered as being behaviourally equivalent if they enjoy the same behavioural properties. To formulate this, we define a logic whose formulas specify behavioural properties. A crucial ingredient is a collection of modalities expressing effect-specific aspects of behaviour. We give a general theory of such modalities. If two conditions, openness and decomposability, are satisfied by the modalities then the logically specified behavioural equivalence coincides with a modality-defined notion of applicative bisimilarity, which can be proven to be a congruence by a generalisation of Howe's method. We show that the openness and decomposability conditions hold for several examples of algebraic effects:…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Behavioural Equivalence via Modalities for Algebraic Effects
Alex Simpson111Email: [email protected]. Supported by the Slovenian Research Agency, research core funding No. P1–0294. Niels Voorneveld222Email: [email protected]. This material is based upon work supported by the Air Force Office of Scientific Research under award number FA9550-17-1-0326. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 731143.
University of Ljubljana
Ljubljana, Slovenia
Abstract
The paper investigates behavioural equivalence between programs in a call-by-value functional language extended with a signature of (algebraic) effect-triggering operations. Two programs are considered as being behaviourally equivalent if they enjoy the same behavioural properties. To formulate this, we define a logic whose formulas specify behavioural properties. A crucial ingredient is a collection of modalities expressing effect-specific aspects of behaviour. We give a general theory of such modalities. If two conditions, openness and decomposability, are satisfied by the modalities then the logically specified behavioural equivalence coincides with a modality-defined notion of applicative bisimilarity, which can be proven to be a congruence by a generalisation of Howe’s method. We show that the openness and decomposability conditions hold for several examples of algebraic effects: nondeterminism, probabilistic choice, global store and input/output.
1 Introduction
Many tasks in software development and analysis rely on abstracting away from program syntax to an appropriate notion of program behaviour. For example, the goal of specification is to specify (constraints on) the behaviour of a program. Similarly, verification concerns validating that a program indeed exhibits the behaviour specified. Closely associated with the general concept of behaviour is the related concept of behavioural equivalence, under which two programs are deemed equivalent if they exhibit the same behaviour.
Studying the interrelated concepts of behaviour and equivalence is important from both theoretical and practical perspectives. On the theoretical side, these are fundamental notions, whose understanding sheds light not just on any particular programming language under consideration, but more generally on the question of how to mathematically model the process of computation. On the practical side, the engineering tasks of program specification, verification and synthesis all depend on having a precise mathematical model of program behaviour; and notions of program equivalence play a key role in applications, such as compiler optimisation, that involve program transformation.
For applications such as those described above to be possible, it is crucial that the mathematical notion of behaviour is appropriately chosen. For example, in the case of compiler transformations, it is essential that aspects of computational behaviour, such as execution time, that one specifically does not want preserved, are ignored. Whereas, for other applications, for example ones in which resources need to be quantified, it may be important to have a notion of behaviour in which execution time is taken into account. In general, therefore, there is no single all-encompassing approach to defining behaviour and equivalence. Nonetheless, as general desirability criteria, one would like to have definitions that are, on the one hand, mathematically natural and convenient to work with and, on the other, suitable for practical applications.
In the present paper, we explore and relate two complementary methodologies for defining notions of behaviour and equivalence, within a particular programming context: call-by-value functional programming with effects. The methodologies themselves make sense, however, within a more-or-less arbitrary programming context, so we introduce and motivate them at this greater generality.
Behavioural logic
The first methodology is to specify program behaviour via a formal logic, which we call a behavioural logic, whose formulas are constructed using operators that express primitive properties of program behaviour. Mathematically, one defines a satisfaction relation , expressing that program satisfies behavioural property . The idea is that the logic should be designed in such a way that its formulas are capable of expressing all properties of programs that are bona fide properties of program behaviour (as opposed to, for example, properties of program syntax).
Given such a program logic, one derives a corresponding notion of behavioural equivalence. Two programs are said be logically equivalent if, for all formulas , it holds that iff ; that is if they exhibit the same behaviour.
Bisimilarity
It is a remarkably general phenomenon that, in numerous computation contexts, program behaviour can be modelled as an interactive process, leading to a natural coinductive definition of program equivalence as bisimilarity: roughly speaking, the largest (equivalence) relation that relates interaction points only if their local behaviour is indistinguishable modulo the relation.
Having given such a mathematical definition of bisimilarity, one can derive an associated notion of behavioural property. Namely, a property of programs is behavioural if it respects bisimilarity; that is, whenever a program satisfies the property, then so does any bisimilar program .
The above complementary approaches to defining behaviour and equivalence have been particularly prominent in concurrency theory. Indeed, the idea of bisimilarity as a notion of behavioural equivalence between systems was first introduced in that context, in the work of Milner and Park [26, 31]. The logical approach to defining behaviour emerged around the same time, with the characterisation, by Hennessy and Milner, of bisimilarity as the behavioural equivalence induced by an infinitary propositional modal logic, now known as Hennessy-Milner logic [9].
In the case of bisimilarity, Abramsky realised that a similar style of definition generalises to other programming contexts. In particular, he developed the notion of applicative bisimilarity for functional languages [2]. Subsequently, numerous variant notions of bisimilarity have been given across a plethora of computational contexts (for example, [43, 44, 7, 18]). To highlight one recent example, which is important for the present paper, Dal Lago, Gavazzo and Levy have provided a uniform generalisation of applicative bisimilarity to a functional programming language with effects [17].
A major goal of the present paper is to show that the logical approach to defining program behaviour can also be adapted very naturally to the context of functional programming languages with effects. In doing so, we establish that the corresponding behavioural equivalence coincides with effectful applicative bisimilarity in the style of Dal Lago et al. [17].
More precisely, we consider a typed call-by-value functional programming language with algebraic effects in the sense of Plotkin and Power [38]. Broadly speaking, effects are those aspects of computation that involve a program interacting with its ‘environment’; for example: nondeterminism, probabilistic choice (in both cases, the choice is deferred to the environment); input/output; mutable store (the machine state is modified); control operations such as exceptions, jumps and handlers (which interact with the continuation in the evaluation process); etc. Such general effects collectively enjoy common properties identified in the work of Moggi on monads [27]. Among them, algebraic effects play a special role. They can be included in a programming language by adding effect-triggering operations, whose ‘algebraic’ nature means that effects act independently of the continuation. From the aforementioned examples of effects, only jumps and handlers are non-algebraic. Thus the notion of algebraic effect covers a broad range of effectful computational behaviour. Call-by-value functional languages provide a natural context for exploring effectful programming. From a theoretical viewpoint, other programming paradigms are subsumed; for example, imperative programs can be recast as effectful functional ones. From a practical viewpoint, the combination of effects with call-by-value leads to the natural programming style supported by impure functional languages such as OCaml.
In order to focus on the main contributions of the paper (the behavioural logic and its induced behavioural equivalence), we instantiate “call-by-value functional language with algebraic effects” using a very simple language. Our language is a simply-typed -calculus with a base type of natural numbers, general recursion, call-by-value function evaluation, and algebraic effects. That is, it is a call-by-value version of PCF [36], extended with effects. A very similar language is used by Plotkin and Power [38]; although, for technical convenience, we adopt an alternative (but equivalent) formulation using fine-grained call-by-value [22]. The language is defined precisely in Section 2, using an operational semantics that evaluates programs to effect trees [38, 14].
Section 3 introduces the behavioural logic. In our impure functional setting, the evaluation of a program of type results in a computational process that may or may not invoke effects, and which may or may not terminate with a return value of type . The key ingredient in our logic is an effect-specific family of modalities, where each modality converts a property of values of some given type to a property of general programs (called computations) of type . The idea is that such modalities capture all relevant effect-specific behavioural properties of the effects under consideration. For example, in the context of probabilistic computation, we have a modality for every rational , where the formula is satisfied by a computation if the evaluation of the computation has a probability greater than of terminating with a return value satisfying .
A main contribution of the paper is to give a general framework for defining such effect modalities, applicable across a wide range of algebraic effects. The technical setting for this is that we have a signature of effect operations, which determines the programming language, and a collection of modalities, which determines the behavioural logic. In order to specify the semantics of the logic, we require each modality to be assigned a set of unit-type effect trees, which defines the meaning of the modality. For example, the modality is specified by the set of effect trees that have probability greater than of terminating if considered as a Markov chain. Several further examples and a detailed general explanation are given in Section 3.
In Section 4, we consider the relation of behavioural equivalence between programs determined by the logic. This equivalence directly relates to the notion of behaviour that is made explicit by the modalities. A fundamental well-behavedness property that any reasonable program equivalence should enjoy is that it should be a congruence with respect to the syntactic constructs of the programming language. (If an equivalence is not a congruence then there are aspects of program behaviour that are not distinguished by the equivalence but which can be separated within the programming language itself.) The major result of the paper about the logically induced behavioural equivalence is that it is indeed a congruence, as long as two conditions, openness and decomposability, hold of the collection of modalities (Theorem 1). These two conditions do indeed hold for the natural sets of modalities associated with the principal examples of algebraic effects.
As a second indication of the reasonableness of the logically defined behavioural equivalence, we establish that it has an alternative characterisation as an effect-sensitive version of Abramsky’s notion of applicative bisimilarity [2]. This is achieved, in Section 5, by using the modalities in a logic-free context to define a relation of applicative -bisimilarity. The resulting equivalence relation is closely related to the effect-sensitive version of bisimilarity developed by Dal Lago et al. [17] for an untyped language with general algebraic effects. Our use of modalities as a uniform method for generating the bisimilarity relation is, however, novel. Theorem 2 shows that applicative -bisimilarity coincides with the logically defined relation of behavioural equivalence.
In addition to its conceptual value, establishing the coincidence of the logically defined equivalence with applicative -bisimilarity also serves an important technical purpose: this result is used crucially in the proof of Theorem 1. We adapt the well-known proof method of Howe [11, 12] to show that applicative -bisimilarity is a congruence. By the coincidence theorem, this means that the logically defined equivalence is indeed a congruence; establishing Theorem 1. Our adaptation of Howe’s method is presented in Section 6. Although the argument is technically involved, a similar adaptation of Howe’s method to a language with algebraic effects has been previously given by Dal Lago et al. [17]. Accordingly, this proof is not a main contribution of the present paper, and we give only an outline argument in the main body of the paper, with details deferred to Appendix A.
In the discussion thus far we have ignored one nuance within the development of Sections 3–6. In addition to working with the full behavioural logic, we also identify a positive fragment of the logic, which omits negation. Whereas the full logic defines an equivalence relation that coincides with applicative bisimilarity, the positive logic defines a preorder between programs that coincides with the coarser relation of applicative similarity, from which it follows that the equivalence relation determined by the positive logic coincides with mutual applicative similarity. In Section 7 we compare the above equivalence relations and preorders, and we relate them to contextual preorder and equivalence, which can also be naturally defined in terms of the set of modalities. In general, applicative bisimilarity is contained in mutual applicative similarity which is contained in contextual equivalence. For some effects, however, these inclusions are strict. For example, as has been shown by Lassen [19] and Ong [30], there are examples involving nondeterminism that separate the equivalences. For the sake of completeness, we recall such separating examples in Section 7, with the novelty that we use the logical characterisations of bisimilarity and mutual similarity as a tool for proving and disproving the equivalences in question.
In cases in which the equivalences differ, there is a question of which (if any) of the equivalences should be taken as being the most fundamental. In the literature, contextual equivalence is often taken as the equivalence of choice for applicative languages. From this viewpoint, bisimilarity and mutual similarity are considered important for providing sound (but incomplete) proof methods for reasoning about contextual equivalence, which is the relation of ultimate interest. We would like to argue instead that the logical viewpoint makes a strong case for considering bisimilarity as being the primary equivalence. Every formula in the logic in this paper states a meaningful property of program behaviour. It is a truism that, when two programs are not bisimilar, there is some property of behaviour, expressible in the logic, that distinguishes them. If one takes the logic seriously, then the desirable property that and imply holds only in the case that the equivalence relation is bisimilarity, because of its characterisation as the logically induced equivalence.
The above (almost trivial) argument of course relies on accepting arbitrary formulas as expressing behaviourally meaningful properties. Readers can read Section 3 and make up their own minds about this. Alternatively, one might take a more pragmatic viewpoint. Another reason for accepting a logic for expressing properties of programs is if it provides the expressivity needed to formulate proof principles for reasoning about programs. In Section 9, we show that our logic does indeed support such principles. Furthermore, they arise in the form of compositional proof rules that allow properties of a compound program to be proved by establishing appropriate properties of its constituent subprograms. In order to achieve this, we provide, in Section 8, a reformulation of our behavioural logic, which is of interest in its own right. This reformulation enjoys the property that the syntax of the logic is independent of the syntax of the programming language, which is not true of the logic of Section 3. This property is appealing, as one would like to be able to specify behaviour without knowing the syntax in which programs are written. More practically, the reformulation is used to formulate, in Section 9, the compositional proof principles referred to above. There is one significant qualification to add to this perspective. The infinitary propositional logics considered in the present paper are by no means suitable for serving as practical logics for specification and verification. Nevertheless, we view these logics as relevant to the development of more practical non-propositional but finitary logics, as they can potentially act as low-level ‘target’ logics into which high-level practical logics can be ‘compiled’. We elaborate further on this point in Section 9. However, the development of practical logics is left as a topic for future work.
Finally, in Section 10 we discuss other related and further work.
This paper is an extended and revised version of a conference paper [46], presented at the 27th European Symposium on Programming (ESOP). One principal difference from the conference version is that full proofs are included. Other extensions include: normal form results for the logic (Propositions 4.5 and 4.6); a significantly expanded presentation of the crucial decomposability properties in Section 4; explicit descriptions of the -relators determined by our running examples in Section 5; the comparison between bisimilarity, similarity and contextual equivalence in Section 7; and the discussion of compositional reasoning principles in Section 9.
2 A simple programming language
As motivated in the introduction, our chosen base language is a simply-typed call-by-value functional language with general recursion and a ground type of natural numbers, to which we add (algebraic) effect-triggering operations. This means that our language is a call-by-value variant of PCF [36], extended with algebraic effects, resulting in a language similar to the one considered in Plotkin and Power [38]. In order to simplify the technical treatment of the language, we present it in the style of fine-grained call-by-value [22]. This means that we make a syntactic distinction between values and computations, separating the static and dynamic aspects of the language respectively. Furthermore, all sequencing of computations is performed using a single language construct, the let construct. The resulting language is straightforwardly intertranslatable with the more traditional call-by-value formulation. But the encapsulation of all sequencing within a single construct has the benefit of avoiding redundancy in proofs.
Our types are just the simple types obtained by iterating the function type construction over two base types: of natural numbers, and also a unit type .
Types:
Contexts:
As usual, term variables are taken from a countably-infinite stock of such variables, and the context can only be formed if the variable does not already appear in .
As discussed above, program terms are separated into two mutually defined but disjoint categories: values and computations.
Values:
Computations:
Here, is the unique value of the unit type. The values of the type of natural numbers are the numerals represented using zero and successor . The values of function types are the -abstractions. And a variable can be considered a value, because, under the call-by-value evaluation strategy of the language, it can only be instantiated with a value.
The computations are: function application ; the computation that does nothing but return a value ; a let construct for sequencing; a fix construct for recursive definition333By defining to be a computation which reduces to a lambda term, it holds that the only values of function types are lambda terms.; and a case construct that branches according to whether its natural-number argument is zero or positive. The computation ‘’ implements sequencing in the following sense. First the computation is evaluated. Only in the case that the evaluation of terminates, with return value , does the thread of execution continue to . In this case, the computation is evaluated, and its return value (if any) is then returned as the result of the **let ** computation.
To the pure functional language described above, we add effect operations. The collection of effect operations is specified by a set (the signature) of such operations, together with, for each an associated arity which takes one of the four forms below444These four forms of arity suffice for the examples we consider. Similar choices were made in [14, 37]. Going beyond such discrete arities is an interesting direction for future research; see Section 10.
[TABLE]
The notation here is chosen to be suggestive of the way in which such arities are used in the typing rules of Fig. 1, viewing as a type variable. Each of the forms of arity has an associated term constructor, for building additional computation terms, with which we extend the above grammar for computation terms.
Computations:
Motivating examples of effect operations and their computation terms can be found in Examples ‣ 2–5 below.
The typing rules for the language are given in Figure 1. Note that the choice of typing rule for an effect operation depends on its declared arity.
The terms of type are the values and computations generated by the constructors above. Every term has a unique aspect as either a value or computation. We write and respectively for closed values and computations. So the closed terms of are . For a natural number, we write for the numeral . Thus .
We now consider some illustrative signatures of computationally interesting effect operations, which will be used as running examples throughout the paper. (We use the same examples as in Johann et al. [14].)
Example 0** (Pure functional computation).**
This is the trivial case (from an effect point of view) in which the signature of effect operations is empty. The resulting language is a fine-grained call-by-value variant of PCF [36].
Example 1** (Error).**
We take a set of error labels . For each there is an effect operation which, when invoked by the computation , aborts evaluation and outputs ‘’ as an error message.
Example 2** (Nondeterminism).**
There is a binary choice operation which gives two options for continuing the computation. The choice of continuation is under the control of some external agent, which one may wish to model as being cooperative (angelic), antagonistic (demonic), or neutral.
Example 3** (Probabilistic choice).**
Again there is a single binary choice operation which gives two options for continuing the computation. In this case, the choice of continuation is probabilistic, with a probability of either option being chosen. Other weighted probabilistic choices can be programmed in terms of this fair choice operation.
Example 4** (Global store).**
We take a set of locations for storing natural numbers. For each we have and . The computation looks up the number at location and passes it as an argument to the function , and stores at and then continues with the computation .
Example 5** (Input/output).**
Here we have two operations, which reads a number from an input channel and passes it as the argument to a function, and which outputs a number (the first argument) and then continues with the computation given as the second argument.
We next present an operational semantics for our language, under which a computation term evaluates to an effect tree: essentially, a coinductively generated term using operations from , and with values and (nontermination) as the generators. This idea appears in Plotkin and Power [38], and our technical treatment follows the approach of Johann et al. [14], adapted to (fine-grained) call-by-value.
We define a single-step reduction relation between configurations consisting of a stack and a computation . The computation is the term under current evaluation. The stack represents a continuation computation awaiting the termination of . First, we define a stack-independent reduction relation on computation terms that do not involve let at the top level.
[TABLE]
The behaviour of let is implemented using a system of stacks where:
Stacks:
We write for the computation term obtained by ‘applying’ the stack to , defined by:
[TABLE]
We write for the set of stacks such that for any , it holds that is a well-typed expression of type . We define a reduction relation on pairs (denoted ) by:
[TABLE]
We define the notion of effect tree for an arbitrary set , where is thought of as a set of abstract ‘values’.
Definition 2.1**.**
An effect tree (henceforth tree), over a set , determined by a signature of effect operations, is a labelled and possibly infinite tree whose nodes have the possible forms:
A leaf node labelled with (the symbol for nontermination). 2. 2.
A leaf node labelled with where . 3. 3.
A node labelled with children , when has arity . 4. 4.
A node labelled with children , when has arity . 5. 5.
A node labelled where with children , when has arity . 6. 6.
A node labelled where with children , when has arity .
See Examples 2 and 4 later on in this section for examples of effect trees.
We write for the set of trees over . We define a partial ordering on where , if can be obtained by pruning by removing a possibly infinite number of subtrees of and putting leaf nodes labelled in their place. This forms an -complete partial order, meaning that every ascending sequence has a least upper bound . Let , we will define a reduction relation from computations to such trees of values.
Given and a tree , we write or for the tree whose leaves are renamed to . We have a function , which takes a tree of trees and flattens it to a tree , by taking the tree labelling each non- leaf of to be the subtree rooted at the corresponding node in . The function is the multiplication associated with the monad structure of the operation. The unit of the monad is the map which takes an element and returns the leaf labelled qua tree.
The operational mapping from a computation to an effect tree is defined intuitively as follows. Start evaluating the in the empty stack id, until the evaluation process (which is deterministic) terminates. If termination never happens the tree is . If the evaluation process terminates at a configuration of the form then the tree is the leaf . Otherwise the evaluation process can only terminate at a configuration of the form for some effect operation . In this case, create an internal node in the tree of the appropriate kind (depending on ) and continue generating each child tree of this node by repeating the above process by evaluating an appropriate continuation computation, starting from a configuration with the current stack .
The following (somewhat technical) definition formalises the idea outlined above in a mathematically concise way. We define a family of maps indexed over and by:
[TABLE]
It follows that in the given ordering on trees. We write
[TABLE]
for the function defined by . Using this we can give the operational interpretation of computation terms as effect trees by defining by
[TABLE]
We illustrate the above definitions with a couple of examples of effect computations and their corresponding effect trees.
Example 2** (Nondeterminism).**
Nondeterministically generate a natural number:
oror\textstyle{|?N|=}$$\textstyle{\overline{1}}or
Example 4** (Global store).**
Save and load a value, returning its successor:
\textstyle{\textit{update}_{l}(1)}$$\textstyle{|V\overline{1}|=}$$\textstyle{\textit{lookup}_{l}\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$$\textstyle{\overline{1}\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$$\scriptstyle{0}$$\textstyle{\quad\overline{2}\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$$\scriptstyle{1}$$\textstyle{\overline{3}\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$$\scriptstyle{2}$$\textstyle{\dots}$$\textstyle{\overline{n+1}\ignorespaces\ignorespaces\ignorespaces\ignorespaces\ignorespaces}$$\scriptstyle{n}
In the second example above, we see that the resulting tree exhibits redundancies with respect to the expected model of computation with global store. Since the operation sets the value of location to , the ensuing operation will retrieve the value , and so execution will proceed down the branch labelled resulting in the return value . The other infinitely many leaves of the tree are redundant. The issue here is that the operational semantics of the language has been defined independently of any implementation model for the effect operations. An effect tree provides a normal form that records in its nodes all effect operations that may potentially be performed during execution, and the dependencies between them. But nothing is stated about which effect operations will actually be performed in practice, and what effect they have if invoked. It is precisely this lack of specificity that allows the operational semantics to be defined in a uniform way depending only on the signature of effect operations and their arities.
In order to be able to reason about programs with effects (for example, to establish properties of or equivalences between them), it is necessary to supply the missing information about how effect operations behave when executed. As motivated in the introduction, we now proceed to do this by introducing a behavioural logic for expressing behavioural properties of our language.
3 Behavioural logic and modalities
The goal of this section is to motivate and formulate a logic for expressing behavioural properties of programs. In our language, program means (well-typed) term, and we shall be interested both in properties of computations and in properties of values. Accordingly, we define a logic that contains both value formulas and computation formulas. We shall use lower case Greek letters for the former, and upper case Greek letters for the latter. Our logic will thus have two satisfaction relations
[TABLE]
which respectively assert that “value enjoys the value property expressed by ” and “computation enjoys the computation property expressed by ”.
In order to motivate the detailed formulation of the logic, it is useful to identify criteria that will guide the design.
(C1)
The logic should express only ‘behaviourally meaningful’ properties of programs. This guides us to build the logic upon primitive notions that have a direct behavioural interpretation according to a natural understanding of program behaviour.
(C2)
The logic should be as expressive as possible within the constraints imposed by criterion (C1).
For every type , we define a collection of value formulas, and a collection of computation formulas, as motivated above.
Since boolean logical connectives say nothing themselves about computational behaviour, it is a reasonable general principle that ‘behavioural properties’ should be closed under such connectives. Thus, in keeping with criterion (C2), which asks for maximal expressivity, we close each set and , of computation and value formulas, under infinitary propositional logic.
In addition to closure under infinitary propositional logic, each set contains a collection of basic value formulas, from which compound formulas are constructed using (infinitary) propositional connectives.555We call such formulas basic rather than atomic because they include formulas such as , discussed below, which are built from other formulas. The choice of basic formulas depends on the type .
In the case of the natural numbers type, we include a basic value formula , for every . The semantics of this formula are given by:
[TABLE]
By the closure of under infinitary disjunctions, every subset of can be represented by some value formula. Moreover, since a general value formula in is an infinitary boolean combination of basic formulas of the form , every value formula corresponds to a subset of .
For the unit type, we do not require any basic value formulas. The unit type has only one value, . The two subsets of this singleton set of values are defined by the formulas (‘falsum’, given as an empty disjunction), and (the truth constant, given as an empty conjunction).
For a function type , we want each basic formula to express a fundamental behavioural constraint on values (i.e., -abstractions) of type . In keeping with the applicative nature of functional programming, the only way in which a -abstraction can be used to generate behaviour is to apply it to an argument of type , which, because we are in a call-by-value setting, must be a value . The application of to results in a computation of type , whose properties can be probed using computation formulas in . Based on this, for every value and computation formula , we include a basic value formula with the semantics:
[TABLE]
Using this simple construct, based on application to a single argument , other natural mechanisms for expressing properties of -abstractions are definable, using infinitary propositional logic. For example, given and , the definition
[TABLE]
defines a formula whose derived semantics is
[TABLE]
In Section 8, we shall consider the possibility of changing the basic value formulas in to formulas .
It remains to explain how the basic computation formulas in are formed. For this we require a given set of modalities, which depends on the algebraic effects contained in the language. The basic computation formulas in then have the form , where is one of the available modalities, and is a value formula in . Thus a modality lifts properties of values of type to properties of computations of type .
In order to give semantics to computation formulas , we need a general theory of the kind of modality under consideration. This is one of the main contributions of the paper. Before presenting the general theory, we first consider motivating examples, using our running examples of algebraic effects.
Example 0** (Pure functional computation).**
Define . Here the single modality is the termination modality: asserts that a computation terminates with a return value satisfying . This is formalised using effect trees:
[TABLE]
Note that, in the case of pure functional computation, all trees are leaves: either value leaves , or nontermination leaves .
Example 1** (Error).**
Define . The semantics of the termination modality is defined as above. The error modality flags error :
[TABLE]
(Because is an operation of arity [math], a node in a tree has [math] children.) Note that the semantics of makes no reference to . Indeed it would be natural to consider as a basic computation formula in its own right, which could be done by introducing a notion of [math]-argument modality, and considering as such. In this paper, however, we keep the treatment uniform by always considering modalities as unary operations, with natural [math]-argument modalities subsumed as unary modalities with a redundant argument.
Example 2** (Nondeterminism).**
Define with:
[TABLE]
Including both modalities amounts to a neutral view of nondeterminism. In the case of angelic nondeterminism, one would include just the modality; in that of demonic nondeterminism, just the modality. Because of the way the semantic definitions interact with termination, the modalities and are not De Morgan duals. Indeed, each of the three possibilities for leads to a logic with a different expressivity.
Example 3** (Probabilistic choice).**
Define with:
[TABLE]
where the probability on the right is the probability that a run through the tree , starting at the root, and making an independent fair probabilistic choice at each branching node, terminates at a value node with a value in the set . We observe that the restriction to rational thresholds is immaterial, as, for any real with , we can define:
[TABLE]
Similarly, we can define non-strict threshold modalities, for , by:
[TABLE]
Also, we can exploit negation to define modalities expressing strict and non-strict upper bounds on probabilities. Notwithstanding the definability of non-strict and upper-bound thresholds, we shall see later that it is important that we include only strict lower-bound modalities in our set of primitive modalities.
Example 4** (Global store).**
Given the set of locations , we define the set of states by . The modalities are , where informally:
[TABLE]
We make the above definition precise using the effect tree of . Define
[TABLE]
for any set , to be the least partial function satisfying:
[TABLE]
where is the evident modification of state . Intuitively, defines the result of “executing” the tree of commands in effect tree starting in state , whenever this execution terminates. In terms of operational semantics, it can be viewed as defining a ‘big-step’ semantics for effect trees (in the signature of global store). We can now define the semantics of the modality formally:
[TABLE]
In Section 9, we show an example of how to encode Hoare Logic in the above logic.
Example 5** (Input/output).**
Define an i/o-trace to be a word over the alphabet
[TABLE]
The idea is that such a word represents an input/output sequence, where means the number is given in response to an input prompt, and means that the program outputs . Define the set of modalities
[TABLE]
The intuitive semantics of these modalities is as follows.
[TABLE]
In order to define the semantics of formulas precisely, we first define relations and , between and , by induction on words. (Note that we are overloading the symbol.) In the following, we write for the empty word, and we use textual juxtaposition for concatenation of words.
[TABLE]
The formal semantics of modalities is now easily defined by:
[TABLE]
Note that, as in Example 1, the formula argument of the modality is redundant. Also, note that our modalities for input/output could naturally be formed by combining the termination modality , which lifts value formulas to computation formulas, with sequences of atomic modalities and acting directly on computation formulas. In this paper, we do not include such modalities, acting on computation formulas, in our general theory. But this is a natural avenue for future consideration.
We now give a formal treatment of the logic and its semantics, in full generality. We assume a signature of effect operations, as in Section 2. We also assume a given set , whose elements we call modalities.
We call our main behavioural logic , where the letter is chosen as a reference to the fact that the basic formula at function type specifies function behaviour on individual value arguments .
Definition 3.1** (The logic ).**
The classes and of value and computation formulas, for each type , are mutually inductively defined by the rules in Fig. 2.
In this, can be instantiated to any set, allowing for arbitrary conjunctions and disjunctions. When is , we get the special formulas and . The use of arbitrary index sets means that formulas, as defined, form a proper class. However, we shall see below that countable index sets suffice.
In order to specify the semantics of modal formulas, we require a connection between modalities and effect trees, which is given by an interpretation function
[TABLE]
That is, every modality is mapped to a subset of unit-type effect trees. Given a subset (e.g. given by a formula) and a tree we can define a unit-type tree as the tree created by replacing the leaves of that belong to by and the others by . In the case that is the subset specified by a formula , we also write for .
We now define the two satisfaction relations and , mutually inductively, where for the basic formulas we have:
[TABLE]
and for the other formulas we have:
[TABLE]
We remark that all conjunctions and disjunctions are semantically equivalent to countable ones, because value and computation formulas are interpreted over sets of terms, and , which are countable.
The lemma below is standard. It states that every formula in infinitary propositional logic can be written in infinitary disjunctive normal form. (It can also be written in infinitary conjunctive normal form.)
Lemma 3.2**.**
Each formula (value or computation) is equivalent to a formula of the form where for each and the formula is either a basic formula or the negation of a basic formula.
We omit the proof, which is both routine and standard.
We end this section by revisiting our running examples, and observing, in each case, that the example modalities presented above are all specified by suitable interpretation functions .
Example 0** (Pure functional computation).**
We have . Define:
[TABLE]
Example 1** (Error).**
We have . Define:
[TABLE]
Example 2** (Nondeterminism).**
We have . Define:
[TABLE]
Example 3** (Probabilistic choice).**
. Define:
[TABLE]
Example 4** (Global store).**
. Define:
[TABLE]
Example 5** (Input/output).**
\mathcal{O}=\{{\langle w\rangle\!\!\downarrow},\,\langle w\rangle_{\!\dots}\mid\text{w an i/o-trace}\}. Define:
[TABLE]
In this section we have defined our logic expressing behavioural properties. We next proceed to derive the induced notion of behavioural equivalence between programs, as motivated in Section 1.
4 Behavioural equivalence
The goal of this section is to precisely formulate our main theorem: under suitable conditions, the behavioural equivalence determined by the logic of Section 3 is a congruence. In addition, we shall obtain a similar result for a coarser behavioural preorder determined by a natural positive fragment of , which we call . In addition to being natural in its own right, the preorder induced by the positive fragment turns out to be an indispensable technical tool for establishing properties of the behavioural equivalence induced by the full logic .
Definition 4.1** (The logic ).**
The logic is the fragment of consisting of those formulas in and that do not contain negation. It is inductively defined using rules 1-5, 7 and 8 from Fig. 2.
Whenever we have a logic whose value and computation formulas are given as subcollections and , then determines a preorder (and hence also an equivalence relation) between terms of the same type and aspect.
Definition 4.2** (Logical preorder and equivalence).**
Given a fragment of , we define the logical preorder , between well-typed terms of the same type and aspect, by:
[TABLE]
The logical equivalence on terms is the equivalence relation induced by the preorder (the intersection of and its converse).
In the case that formulas in are closed under negation, the preorder is already an equivalence relation, and hence coincides with . Thus we shall only refer specifically to the preorder , for fragments, such as , that are not closed under negation.
The two main relations of interest to us in this paper are the primary relations determined by and : full behavioural equivalence ; and the positive behavioural preorder (which induces positive behavioural equivalence ). Since is a subset of , it is apparent that is finer than , as it considers more behavioural properties which could distinguish terms. For the same reason, it holds that .
Before formulating the required notions to prove congruence of the behavioural equivalences, we shall make some observations about the preorders and discuss a possible simplification of the logic (Proposition 4.5).
Lemma 4.3**.**
For any , we have if and only if:
[TABLE]
Lemma 4.4**.**
For any , we have if and only if:
[TABLE]
Both these lemmas are a consequence of the fact that satisfaction of conjunctions and disjunctions are completely determined by satisfaction of the formulas over which the connectives are taken. As such, the logical preorder is completely determined by satisfaction of basic formulas. Similar characterisations, but replacing ‘implies’ and with ‘if and only if’ and respectively, hold for the behavioural equivalence .
Proposition 4.5**.**
Let be the fragment of inductively defined by rules 1 to 6 from Fig. 2 (so computation formulas are not closed under propositional connectives), then the induced logical equivalence is the same as .
Proof.
We prove that any value formula is equivalent to a value formula from . We do this by induction on types. For value formulas of natural numbers type, note that , so the statement is trivially true by taking .
For value formulas of function type, assume is a basic formula , where by Lemma 3.2 we may assume w.l.o.g. that is a disjunction over conjunctions over formulas of the form or . We can now use the equivalences and to construct a formula equivalent to , using the induction hypothesis to replace each occurrence of with where is equivalent to . In the case that is not a basic formula, we can do an induction on its structure to find the desired , where , , , and basic formulas are handled as above.
So every value formula has an equivalent value formula in , so the logical preorder on value terms remains unchanged. To see that the logical equivalence on computation terms remains unchanged, simply use Lemma 4.4. ∎
Altering the proof slightly, we can derive a similar result for the positive logic.
Proposition 4.6**.**
Let be the fragment of defined by rules 1 to 5 from Fig. 2 (so computation formulas are not closed under propositional connectives), then the induced logical preorder is the same as .
We next formulate the appropriate technical notion of (pre)congruence666A precongruence is a preorder enjoying the properties of a congruence relation apart from symmetry. to apply to the relations and . These two preorders are examples of well-typed relations on closed terms. Any such relation can be extended to a relation on open terms in the following way. Given a well-typed relation on closed terms, we define the open extension where precisely when, for every well-typed vector of closed values , it holds that . The correct notion of precongruence for a well-typed preorder on closed terms, is to ask for its open extension to be compatible in the sense of the definition below; see, e.g., Lassen and Pitts [19, 35] for further explanation.
Definition 4.7** (Compatibility).**
A well-typed open relation is said to be compatible if it is closed under the rules in Fig. 3.
We now state our main congruence result, although we have not yet defined the conditions it depends upon.
Theorem 1**.**
If is a decomposable set of Scott-open modalities then the open extensions of and are both compatible. (It is an immediate consequence that the open extension of is also compatible.)
The Scott-openness condition refers to the Scott topology on , which can be divided into two properties.
Definition 4.8**.**
We say that is upwards closed if is an upwards closed subset of ; i.e., if implies whenever .
Definition 4.9**.**
The modality is Scott-open if is an open set in the Scott topology on ; i.e., is upwards closed and, whenever is an ascending chain in with supremum , we have for some .
We now turn to the decomposability condition in Theorem 1, which will eventually be given in Definition 4.15 below, following the introduction of certain auxiliary relations that are required for the definition. Because the formulation is unavoidably technical, we first give some motivation for where we are heading.
The main purpose of the decomposability property is to enable us to prove that the positive behavioural preorder is preserved by the let term constructor. (This motivation will eventually manifest itself in case 5 in the proof of Lemma 6.4 in Appendix A.) The particular technical challenge presented by let is that it sequences effects. Semantically, the operation of effect sequencing is distilled into the monad multiplication map defined in Section 2. Accordingly, we formulate the required notion of decomposability as a property of . It turns out that we need only consider in the case that is the singleton set . Thus decomposability will involve trees of unit type, that is trees in , as well as double trees, that is trees in . We shall define it as the property that the monad multiplication is order-preserving with respect to preorders and defined on double and single trees respectively.
The relation on is a natural extension of the positive behavioural preorder , at unit type, from a relation on computation terms to a relation on arbitrary effect trees. To accommodate this perspective, we introduce a new notation, allowing us to apply a modality to an arbitrary subset of a set of values: for and we define
[TABLE]
We will often write instead of when is clear from the context. For instance, if then means . One case of particular interest is when , for which we note that . Using the extended interpretation of modalities, we similarly extend the satisfaction relation of type positive computation formulas, from computation terms of type to arbitrary computation trees.777In general, there are uncountably many trees, whereas there are only countably many computation terms. For each , we define its denotation over unit type trees inductively, according to the following rules:888For a set of formulas, we denote and for respectively the disjunction and conjunction over X.
[TABLE]
The above definition can be seen as an extension of the satisfaction relation on unit type computation terms, since for any computation term and formula it holds that .
We can now define the required preorder between arbitrary trees of type .
Definition 4.10**.**
We define the preorder on by: for any two trees ,
[TABLE]
It is immediate that is a conservative extension of the positive behavioural preorder on computation terms of type in the following sense:
Proposition 4.11**.**
For any , it holds that if and only if .
We give some alternative characterisations of .
Proposition 4.12**.**
For any , the following three statements are equivalent:
. 2. 2.
. 3. 3.
.
Proof.
The equivalence (1) (3) follows from a straightforward induction on the structure of positive unit type computation formulas. Using the previous equivalence, the equivalence (1) (2) follows from the fact that . ∎
In the examples given in this paper, the preorder can be characterised in a simpler way, where
[TABLE]
This is a consequence of the fact that each modality given in the examples satisfy one of the two following properties:
- (i)
. The modalities with this property are: and .
- (ii)
. The modalities with this property are and .
There do however exist sets of Scott open modalities for which the characterisation of via (3) does not hold. For example, for and where .
We next define the relation on double trees .
Definition 4.13**.**
We define the preorder on by: for any two double trees ,
[TABLE]
We give some characterisations of . These use the notion of right-set, that is; for any relation and subset , we write for the right-set of under the relation .
Lemma 4.14**.**
If is a set of upwards-closed modalities, then for all , the following are equivalent:
. 2. 2.
. 3. 3.
.
Proof.
(1) (2) Let , then since and is upwards closed, , which means . Let , then as perfectly replicates the condition of membership in . So by (1) it holds that , hence . If , then hence (since and ), so . We can conclude that .
(2) (3) If , then for any it holds that , which is identical to the statement .
(3) (1) If with , then by (3) it holds that . By the definition of it holds that , and since is reflexive . Hence and we conclude that . ∎
We can now finally define the promised notion of decomposability.
Definition 4.15** (Decomposability).**
We say that is decomposable if, for all double trees , implies .
Since decomposability is such a technical notion, we give two lemmas providing alternative characterisations of it. The first gives a reformulation that is immediate in the case of our examples, where the statement can be simplified via (3). The general case, however, requires a rather technical proof.
Lemma 4.16**.**
A set of upwards-closed modalities is decomposable if and only if for all , if , then .
Proof.
We use the equivalences from Proposition 4.12.
() The result follows by observing that implies .
() Assume: (I) .
Take some , and suppose that , hence with Lemma 4.14 it holds that:
(II) .
We need to prove that . By (I) we derive that . To prove we need only prove .
Assume for , then . We prove that . Suppose for some and , it holds that . Let , then . By (II) it holds that .
For , there is a such that . Since , and hence . So , and we can use upwards closure of to derive . Hence by Lemma 4.14, .
We can apply (I) to derive . So since , it holds that and and hence . We conclude that , so we are finished. ∎
The second reformulation of decomposability shows that it is equivalent to being able to ‘decompose’ statements of the form into a collection of modal properties of .
Lemma 4.17**.**
A set of upwards-closed modalities is decomposable if and only if for any and such that , there is a collection of pairs , with each and , satisfying the following two properties:
. 2. 2.
.
Proof.
We use the equivalent statement for decomposability established in Lemma 4.16.
() Assume decomposability, and that for some and , it holds that . For any such that , choose a pair where and such that , if such a pair exists. All these chosen pairs together form our desired collection. Since for any such , , this collection satisfies condition (1). For any , if for any pair in the collection, then for any for which there is a pair such that , it holds that . So . Hence by decomposability, , so in particular , and thus condition (2) holds.
() Assume the statement given in the lemma, we need to prove decomposability. For some , suppose that . Now let such that , then there is a collection of pairs satisfying the properties given above. So by property (1), , and since it holds that . By property (2) we conclude that which is what we needed to prove. ∎
Below, we shall show that all our running examples satisfy the decomposability property. In all cases we can do this by establishing a stronger property that is easier to verify. This strengthened notion of decomposability is obtained by simplifying the property given in Lemma 4.17.
Definition 4.18** (Strong decomposability).**
We say that is strongly decomposable if, for every and for which , there exists a collection of pairs of modalities such that:
; and 2. 2.
for every , if for all , then .
Proposition 4.19**.**
If is strongly decomposable set of upwards closed modalities, then is decomposable.
Proof.
Using Lemma 4.17, this result is a simple consequence of the fact that for any , and . ∎
Not all decomposable sets of Scott open modalities are strongly decomposable. Take for instance for the signature , where and .
We end this section by again looking at our running examples, and showing, in each case, that the identified collection only has Scott-open (hence upwards closed) modalities and is strongly decomposable (hence decomposable). For any of the examples, upwards closure is easily established, so we will not show it here.
Example 0** (Pure functional computation).**
We have and . Scott openness holds since if then for some we must already have . It is strongly decomposable since: , which means returns a tree which is a leaf .
Example 1** (Error).**
We have and . Scott-openness holds for both modalities for the same reason as in the previous example, and strong decomposability holds since: like in the previous example, and:
.
Which means raises an error, or returns a tree that raises an error.
Example 2** (Nondeterminism).**
We have for angelic nondeterminism and for demonic nondeterminism. The Scott-openness of \llbracket{\Diamond}\rrbracket=\{t\mid\text{t leaf}\} holds because if has a leaf, then that leaf must already be contained in for some . Similarly, if then, because \llbracket{\Box}\rrbracket=\{t\mid\text{t}\}, the tree has finitely many leaves and all must be contained in for some . Hence for that . Strong decomposability holds because:
The former states that has as a leaf a tree , which itself has a leaf . The latter states that is finite and all leaves are finite trees that have only leaves. We can conclude that and are both strongly decomposable sets of Scott open modalities. Moreover, it is obvious that their union , for neutral nondeterminism, is a strongly decomposable set of Scott open modalities too.
Example 3** (Probabilistic choice).**
. For the Scott-openness of \llbracket\mathsf{P}_{>q}\rrbracket=\{t\mid\mathbf{P}(\,\text{t leaf}\,)>q\}, note that \mathbf{P}(\,\text{\sqcup_{i}t_{i} leaf}\,) is determined by some countable sum over the leaves of . If this sum is greater than a rational , then some finite approximation of the sum must already be above . The finite sum is over finitely many leaves from , all of which will be present in for some . Hence .
For strong decomposability, suppose . However, \mathbf{P}(\,\text{\mu r* leaf}\,) equals the integral of the (monotone decreasing) function from to . Informally, is the probability that returns a tree in the set . Since , we can find a monotone decreasing rational step function below whose integral is also greater than . This rational step function can be specified by rational numbers and satisfying and . Then the collection of pairs of modalities satisfies the properties required by strong decomposability.
Example 4** (Global store).**
We have . For the Scott-openness of , note that if , there is a single finite branch of that follows the path the recursive function exec took. This branch must already be contained in for some . We also have strong decomposability since:
.
Which just means that for some , it holds that and .
Example 5** (Input/output).**
We have \mathcal{O}=\{{\langle w\rangle\!\!\downarrow},\,\langle w\rangle_{\!\dots}\mid\text{w an i/o-trace}\}. For the Scott-openness of , note that the i/o-trace is given by some finite branch, which if in must be in for some . The Scott-openness of holds for similar reasons. We have strong decomposability because of the implications:
i/o-traces.
Which means follows trace returning , and follows trace returning .
.
Which means either follows trace immediately, or it follows returning a tree that follows .
In Example 2 above, we used the obvious fact that the property of being strongly decomposable is preserved under union. Similarly, if all modalities are upwards-closed, then by Lemma 4.17, the property of being decomposable is preserved under union.
Lemma 4.20**.**
If and are decomposable sets of upwards closed modalities for the same signature , then is decomposable.
In order to prove Theorem 1, we need to relate the behavioural equivalence with a modality-defined notion of applicative bisimilarity. As motivated in the introduction, the connection between these two equivalences is interesting on its own. We will spend the next two sections defining this notion of bisimilarity, establishing the connection with behavioural equivalence and proving that the two relations are compatible. From Section 7 and onwards, we will return to only studying the behavioural equivalence.
5 Applicative -(bi)similarity
In this section, we define this notion of applicative bisimilarity based on a set of modalities , and establish that it is equal to the behavioural equivalence . Central to such a definition lies the concept of a relator [49, 21], which we use to lift a relation on value terms to a relation on computation terms. Later on in this section, we will prove that this relator, if based on a decomposable set of Scott open modalities , satisfies the right properties in order to prove the compatibility of bisimilarity in Section 6.
Let be some set of modalities for an effect signature . We define a relator based on .
Definition 5.1** (-relator).**
The -relator lifts for each two sets and a relation to a relation , such that
[TABLE]
Remember that , and means . By Proposition 4.12 it holds that , and by Lemma 4.14 we know that .
We will use this relator to define an -tailored variant of Abramsky’s applicative similarity [3]. First however, we describe the specific -relators that arise for each of our running examples.
Example 0** (Pure functional computation).**
The statement holds if and only if:
When evaluates to then evaluates to a such that .
Example 1** (Error).**
The statement holds precisely when the following two statements hold:
When evaluates to then evaluates to a such that . 2. -
When raises an error (meaning it is node ), then raises the same error .
Example 2** (Nondeterminism).**
holds precisely when the following statements hold:
If is a leaf of , then has a leaf such that . 2. -
If is finite and has no leaf, then is finite and has no -leaf. 3. -
If is finite, has no leaf, and is a leaf of , then has a leaf such that .
Example 3** (Probabilistic choice).**
It holds that if and only if:
For any , the probability of terminating with an element of is at most the probability of terminating with a related to some element of (meaning there is an such that ).
Example 4** (Global store).**
The statement holds if:
For any , if then there is a such that and .
Example 5** (Input/output).**
holds precisely when the following two statements hold:
If has as initial execution trace, then has as an initial execution trace. 2. -
If has execution trace terminating with , then has trace terminating with some such that .
In each of the examples above, we obtain an -relator that acts in line with expectations, based on the explicit definitions of relators for different effects in the paper by Dal Lago et al. [17]. In our case, these relators have been obtained in a uniform way from the corresponding sets of modalities .
A direct comparison with definitions in the paper [17] is slightly involved, because our relators act on the set of effect trees, given by applying the effect-tree monad , whereas those in the paper [17] are defined using effect-dependent monads . For example, for probabilistic choice the distribution monad is used. Despite this difference, there is still a tight relationship between the two approaches. The tree monad is the free-continuous-algebra monad over the effect signature . There is thus an induced , mapping trees to elements of the effect-specific monad . It then holds, for each effect example, that
[TABLE]
where is the relevant relator from the paper [17] and is the corresponding set of modalities from this paper.
Following the paper [17], we use the relation-lifting operation of Definition 5.1 to define notions of applicative similarity and bisimilarity. We assume that all modalities of are upwards closed.
Definition 5.2** (Similarity).**
An applicative -simulation is a pair of relations and for each type , where and , such that:
. 2. 2.
. 3. 3.
.
Applicative -similarity is the largest applicative -simulation, which is equal to the union of all applicative -simulations.
Definition 5.3** (Bisimilarity).**
An applicative -bisimulation is a symmetric -simulation. The relation of -bisimilarity is the largest applicative -bisimulation.
Applicative -similarity and -bisimilarity may not exist for all sets of modalities . But, if all modalities of are upwards closed (as asserted above), their existence is guaranteed. Though this fact can be proven directly from relational properties established in Lemma 5.6, we can also see it as a consequence of Theorem 2.
Lemma 5.4**.**
Applicative -bisimilarity is identical to the relation of applicative -similarity, where , so .
Proof.
Let be the -bisimilarity, then by symmetry we have . So if we have , and by the simulation rules we derive and , so is an -simulation.
Let be the -similarity. If then so which results in . Verifying the other simulation conditions as well, we can conclude that the symmetric closure is an -simulation. So and hence is a symmetric -simulation. ∎
For brevity, we will leave out the word “applicative” from here on out. The key result now is that the maximal relation, the -similarity is, given our assertion that all modalities are upwards closed, the same object as our logical preorder. We first give a short Lemma.
Lemma 5.5** (Characteristic formulas).**
For any fragment of closed under countable conjunction, it holds that for each value there is a formula such that . Similarly, for every computation , there is a computation formula such that .
Proof.
We prove the statement for values . For each such that , choose a formula such that and . Then if we define it holds that , which is what we want. ∎
As in the proof above, we usually omit the superscript when clear from the context. Note that when is the full logic , it holds that
[TABLE]
and similarly for value formulas.
Theorem 2** (A).**
For any family of upwards closed modalities , we have that the logical preorder is identical to -similarity.
Proof.
We write instead of to make room for other annotations. We first prove that our logical preorder is an -simulation by induction on types.
Values of . If , then since we have that , hence . 2. 2.
Computations of . Assume , we prove that . Take and such that . Taking the following formula (where as in Lemma 5.5), then and . So , hence since is upwards closed, . By we have and hence . We conclude that . 3. 3.
Function values of . This step follows from Lemma 4.3 and the induction hypothesis.
We can conclude that is an -simulation. Now take an arbitrary -simulation . We prove by induction on types that .
Values of . If then , hence by reflexivity we get . 2. 2.
Computations of . Assume , we prove that using the characterisation from Lemma 4.4. Say for and we have . Let , then hence by and the simulation property, we derive . By the induction hypothesis on values of , we know that , hence ‘’ implies . We get that , so by upwards closure of we have meaning . We conclude that . 3. 3.
Function values of . Assume . We prove using the characterisation from Lemma 4.3. Assume where and , so . By we have and by the induction hypothesis we have , so . Hence meaning . We can conclude that . 4. 4.
Values of . If then hence .
In conclusion: any -simulation is a subset of the -simulation . So is -similarity. ∎
Adapting the proof slightly, we can find the connection between full behavioural equivalence and -bisimilarity.
Theorem 2** (B).**
For any family of upwards closed modalities , we have that the logical equivalence is identical to -bisimilarity.
Proof.
Note first that is symmetric. Secondly, note that since we know by Lemma 5.5, that for any , there is a formula such that . Using these observations and the appropriate adjustments to Lemma 4.3 and 4.4, the proof of this result is as in Theorem 2(A), proving is a symmetric -simulation and contains any other symmetric -simulation. ∎
Given Theorem 2(b), it is straightforward to observe an expressive completeness result with respect to the notion of behavioural property induced by -bisimilarity (as adumbrated in Section 1). A subset (respectively ) may be called behavioural if it respects bisimilarity; that is, in the case of computations, if and is bisimilar to then . It follows from Theorem 2(b) that the behavioural subsets coincide with the logically definable subsets. Namely, is behavioural if and only if there exists a formula such that ; and similarly, any is behavioural if and only if there exists a formula such that . The proof is straightforward, given the observation that every behavioural is a union of equivalence classes under bisimilarity. Hence, for example, may be defined as an infinite disjunction
[TABLE]
using the characteristic formulas obtained in (4) above.
5.1 Relator properties
In this subsection, we identify abstract properties of our relation lifting , which will be used in our application of Howe’s method, in Section 6. The necessary properties were identified in the paper [17]. The contribution of this paper is that all the required properties follow from our modality-based definition of .
The first set of properties tell us that is indeed a relator in the sense of Levy [21].
Lemma 5.6**.**
If the modalities from are upwards closed, then is a relator, meaning that:
If is reflexive, then so is . 2. 2.
, where is relation composition. 3. 3.
. 4. 4.
**
where 999In general, given , , and , we write and ..
Proof.
We prove each property separately.
For any set we have by reflexivity of . So for any , if then by upwards closure of we have . We conclude that . 2. 2.
We can see this by observing that , and with it holds that . 3. 3.
With it holds that for any set . Assume and , then . Hence with and by upwards closure of , . 4. 4.
If then for all and , . Assume that for some we have , then so . Considering that and is upwards closed, we derive that and hence . This is for all such and , so we can conclude that .
Now assume and , then since we have so . This is for all such and , hence .
∎
The next property together with the previous lemma establishes that is a monotone relator in the sense of Thijs [49].
Lemma 5.7**.**
If the modalities from are upwards closed, then is monotone, meaning for any , , and :
[TABLE]
Proof.
Let and . Assume: (i) and (ii) .
Take and such that . Take , then . So by (ii), . For , there is an such that , hence by (i) we have . Since means , it holds that , hence . Using upwards closure of , , and hence . Since this is for all and with , we can conclude that . ∎
The relator also interacts well with the monad structure on .
Lemma 5.8**.**
If is a decomposable set of upwards closed modalities, then:
. 2. 2.
.
Proof.
We prove the properties separately.
Note that either means and , or . By upwards closure, if then . If then . Either way, . 2. 2.
Take and where . Take and such that . Let , then . By we get .
In the following paragraph we prove that for , , using characterisation 3 of from Proposition 4.12.
For , there is an such that and . If for some , then , so and hence . If for some , then , so we have . Since , and hence . With the previous two derivations, we see that , hence since . So the following inclusion holds:
[TABLE]
By upwards closure of and we get . So we have derived that for all and . By Lemma 4.14, , hence by decomposability we get . Hence with assumed at the beginning, we get , and we conclude .
∎
Finally, the following properties show that relators behave well with respect to the order on trees.
Lemma 5.9**.**
If only contains Scott open modalities, then for :
If is reflexive, then for any it holds that . 2. 2.
For any two sequences from and from :
**
Proof.
We separate the proofs by property.
If is reflexive then is reflexive by Lemma 5.6. Now for , if then since we have . By reflexivity , so . 2. 2.
Take and such that . Now so by Scott openness, there is an such that . Using the assumption we derive . Note that , hence , so since is Scott open we conclude that .
∎
The lemmas above list the core properties of the relator, which are satisfied when our set is decomposable and contains only Scott open modalities. The results below follow from those above, specifically the next result combines Lemma 5.8 with the fact that and .
Corollary 5.10**.**
If contains only upwards closed modalities, then:
[TABLE]
Lastly, we verify that sequencing and the algebraic effect operations interact in the appropriate way with the relator action.
Corollary 5.11**.**
If is a decomposable set of upwards closed modalities, then lifted relations are preserved by Kleisli lifting and effect operations:
Given , , and , if for all and we have and if then . 2. 2.
**
Proof.
We prove the properties separately.
Using Lemma 5.7 on the assumptions we get . We can then apply property 2 of Lemma 5.8 to get the correct result. 2. 2.
We apply the previous property to the following data; , , for all , and . The conclusion follows directly.
∎
Point 2 of Corollary 5.11 has been stated in such a way that it contains both the infinite arity case and the finite arity case of effect operations . So it states that any lifted relation is preserved under any of the predefined algebraic effects (assuming equality between any possible natural numbers arguments given by the arity). The next section focusses on proving Theorem 1 using a generalisation of Howe’s method.
6 Howe’s method
In this section, we apply Howe’s method [11, 12] to establish the compatibility of applicative -similarity and -bisimilarity, and hence compatibility of the positive behavioural preorder and full behavioural equivalence. Given a relation on terms, one defines its Howe closure , which is compatible and contains the open extension . Our proof makes use of the relator properties from Section 5, closely following the approach of Dal Lago et al. [17]. We will only give an outline of the proof, focussing on the main steps. Detailed proofs can be found in Appendix A.
Recall from Section 4 that, for any closed relation , we can define the open extension as . We define two more closure operations.
Definition 6.1**.**
Taking an open relation , we define the compatible refinement using the derivation rules in Fig. 4. For a closed relation we define the Howe closure as the smallest open relation closed under the rules:
[TABLE]
Note that is compatible if and only if . The Howe closure can also be expressed as the least solution for of the equation , or of the inclusion .
The following result contains the main properties of the Howe closure we are interested in, e.g. from Lassen [19].
Lemma 6.2**.**
If is reflexive, then:
* is compatible, hence reflexive.* 2. 2.
. 3. 3.
If and such that , then
The main step of the Howe’s method proof is establishing the following result.
Proposition 6.3**.**
If is a decomposable set of Scott open modalities, then for any preorder applicative -simulation , the Howe closure limited to closed terms is an applicative -simulation.
This is proven by checking the simulation properties of Definition 5.2 one by one. The most difficulty arises when trying to prove property 2, which is done inductively using the following lemma, and uses most of the relator properties from Subsection 5.1.
Lemma 6.4** (Key Lemma).**
For any , given two closed computation terms and , if then .
Having established the Key Lemma, we can use Lemma 5.9, implying , to derive property 2 of -simulations and finalise the proof of Proposition 6.3. The complete proofs of the previous lemmas and Proposition 6.3 can be found in Appendix A.
Using Proposition 6.3, we can derive the compatibility of applicative -similarity and -bisimilarity.
Theorem 3** (A).**
If is a decomposable set of Scott open modalities, then the open extension of the relation of applicative -similarity is compatible.
Proof.
Before we start the proof, we observe the following general result. If a compatible relation is contained in a closed relation when limited to closed terms, then since:
[TABLE]
We write for the relation of -similarity. Since is an -simulation, we know by Proposition 6.3 that limited to closed terms is one as well, and hence is contained in the largest -simulation . By Lemma 6.2 it holds that is compatible, and by the observation before we know it is contained in the open extension . Again by Lemma 6.2, we also know that is contained in . We can conclude that is equal to the Howe closure , which is compatible. ∎
To prove that -bisimilarity is compatible, we need another result from Lassen [19] (a proof is also given in Appendix A).
Lemma 6.5**.**
If is symmetric and reflexive, then (the transitive closure of ) is symmetric.
Given these facts, we can derive the following.
Theorem 3** (B).**
If is a decomposable set of Scott open modalities, then the open extension of the relation of applicative -bisimilarity is compatible.
Proof.
We write -bisimilarity as . From Proposition 6.3 we know that on closed terms is an -simulation. Using property 2 of Lemma 5.6, we can verify that the transitive closure is an -simulation as well. Since is reflexive and symmetric, we know by the previous lemma that is symmetric. Hence is an -bisimulation, implying by compatibility of (due to Lemma 6.2 and the same reasoning from the previous proof). Again by Lemma 6.2, it holds that , hence . We can conclude that is compatible. ∎
Note that Theorem 1 is an immediate consequence of Theorems 2 and 3. As such, we have finished the proof of compatibility of the full behavioural equivalence and positive behavioural preorder.
7 Comparing equivalences
Our development thus far has focused on two main relations for comparing programs. The first is the behavioural equivalence defined via the full logic with negation and characterised as -bisimilarity. The second is the positive behavioural preorder , defined via the negation-free logic and characterised as -similarity. The latter preorder induces the equivalence relation of mutual -similarity.
As discussed after Definition 4.2, there is an inclusion . That is, -bisimilarity implies mutual -similarity. It is a standard fact in concurrency theory that ordinary mutual similarity is in general a strictly coarser relation than bisimilarity. A similar fact holds in the context of the present paper: it is possible that the inclusion is strict. We illustrate this with an example, adapted from Lassen’s PhD thesis [19, page 92], for which the two relations do not coincide. (Ong gives another example of a similar phenomenon [30].)
Example 7.1** (Separating the full and positive behavioural equivalence, cf. [19]).**
We take and from Example 2. Let be some always diverging computation term. We consider the following two computation terms of type :
[TABLE]
We make use of our logics and to give simple proofs that but .
By definition, if the two terms satisfy the same positive computation formulas of type . Note that and are not satisfied by any terms, is satisfied precisely if is, and is satisfied precisely if is. Moreover, and are equivalent to and respectively. By these observations and Lemma 4.4, we can reduce the set of formulas we need to check to establish equivalence between two computation terms of type to:
[TABLE]
The terms and both satisfy the same formulas from this set, namely and . We conclude that .
The terms and are not however equivalent under full behavioural equivalence, since satisfies the formula , but does not. (This formula says of a computation of type that it may return a lambda term which, when applied to argument , results in a nondeterministic computation that may diverge and may also terminate.) Thus .
It is also instructive to compare and to contextual equivalence, which is often taken to be the default equivalence for applicative programming languages. For the language of this paper, the collection of modalities used to define our logics serves a further purpose: via the preorder on unit-type computation trees from Section 4, it gives rise to a natural definition of contextual preorder between terms of the same type and aspect (value or computation). The idea is that two terms of the same type and aspect are related by the contextual preorder if for any context of unit type, accepting terms of type of the relevant aspect, we have .101010If one expands the use of in this definition as in statement 3 of Proposition 4.12, one obtains a definition of contextual preorder in terms of basic unit-type ‘observations’ of the form and . The same definition can be given more elegantly using compatibility.
Definition 7.2** (Contextual preorder/equivalence).**
The contextual preorder relation is the largest compatible preorder satisfying:
[TABLE]
The relation of contextual equivalence is the equivalence relation determined by (i.e., the intersection of and its converse).
If is a decomposable set of Scott-open modalities then, by Theorem 1 and Proposition 4.11, is a compatible preorder satisfying condition (5) above. Hence, there is an inclusion of relations . We thus have a chain of inclusions between equivalence relations.
[TABLE]
Having already shown the left-hand inclusion to be strict in general, we now show that the right-hand inclusion can also be strict. This is again based on an example from Lassen [19].
Example 7.3** (Separating contextual equivalence and positive behavioural equivalence, c.f. [19]).**
We take and from Example 2, that is we consider angelic nondeterminism.
The example we give differs marginally from Lassen [19, page 90], in that one of the terms involved does not exhibit any effectful behaviour. Let be the value term given by the identity function . We can define approximations of this identity function, using a term such that for any two natural numbers :
[TABLE]
So for any natural number , ‘’ returns the -th approximation of the identity function.
Given the computation term of type from Example 2 at the end of Section 2, which nondeterministically returns any natural number, we define the nondeterministic approximation of the identity function:
[TABLE]
This term nondeterministically returns any approximation of the identity function. It holds that is contextually equivalent to under the angelic interpretation of nondeterminism, since if a context holding the function terminates, it will have in the process of computation only fed the function a finite number of arguments. As such, in any context, there is always a large enough approximation of the identity which cannot be distinguished from the identity function. This outline argument that can be made precise along the lines of Lassen [19, Example 6.4.4].
However, and are distinguished by the positive logic, since cannot return the identity function itself. Specifically, the formula is satisfied by but not by . Thus .
It is an interesting question whether our modal behavioural logic can be used to better understand the relationship between applicative (bi)similarity and contextual equivalence/preorder. For example, in the case of effects for which the relations differ (such as nondeterminism), can the logic be restricted to characterise contextual equivalence/preorder?
8 Pure behavioural logic
In this section, we explore an alternative formulation of our logic. This has both conceptual and practical motivations. Our very approach to behavioural logic, fits into the category of endogenous logics in the sense of Pnueli [42]. Formulas ( and ) express properties of individual programs, through satisfaction relations ( and ). Programs are thus considered as ‘models’ of the logic, with the satisfaction relation being defined via program behaviour.
It is conceptually appealing to push the separation between program and logic to its natural conclusion, and ask for the syntax of the logic to be independent of the syntax of the programming language. Indeed, it seems natural that it should be possible to express properties of program behaviour without knowledge of the syntax of the programming language. Under our formulation of the logic , this desideratum is violated by the value formula at function type, which mentions the programming language value .
This issue can be addressed, by replacing the basic value formula with the alternative , already mentioned in Section 3. Such a change also has a practical motivation. The formula declares a precondition and postcondition for function application, supporting a useful specification style. It also supports the expression of various other properties that are natural from the point of view of program specification. For example, using negation, we can define the dual formula , with the resulting semantics111111Given compatibility of , this formula is equivalent to , where is from Lemma 5.5. As such, it may also be formulated without the use of negation in the positive behavioural logic .:
[TABLE]
Further examples of the usefulness of the pure behavioural logic will be given in Section 9.
Definition 8.1**.**
The pure behavioural logic is defined by replacing rule (2) in Fig. 2 with the alternative:
[TABLE]
The semantics is modified by defining using formula (2) of Section 3.
[TABLE]
With the definition of within , given in (1) of Section 3, we can see as a fragment of (and a fragment of ), resulting in the following fact.
Lemma 8.2**.**
Any formula of and is equivalent to some formula of and respectively.
Moreover, once we have established compatibility, we have the following result.
Proposition 8.3**.**
If the open extension of is compatible then the logics and are equi-expressive. Similarly, if the open extension of is compatible then the logics and are equi-expressive.
Proof.
Lemma 8.2 tells us we can translate any formula from into an equivalent formula from . For the reverse translation, whose correctness proof is more interesting, we give more detail. Every value (respectively computation) formula, (respectively ), of is inductively translated to a corresponding formula (respectively ) of . We do this by induction on the structure of the formula, where we define the following translation:
[TABLE]
where, in the last case, is the formula from Lemma 5.5. Hence: ; and, for any , if then (meaning that implies , for all ).
One now proves, by induction on types, followed by an induction on formulas (or ) of this type, that the -semantics of (resp. ) coincides with the -semantics of (resp. ). This induction is obvious in all cases except for formula of a function type, for which we need to show that: if and only if .
For the interesting right-to-left implication, suppose that , and consider any satisfying . By the induction hypothesis, using the defining property of , we have that . It then follows from the compatibility of that , whence , again by the induction hypothesis. Thus it follows from that , as required.
The proof in the case of the positive logics is similar. ∎
Combining the above proposition with Theorem 1 we obtain the following.
Corollary 8.4**.**
Suppose is a decomposable family of Scott-open modalities. Then coincides with , and coincides with . Hence the open extensions of , , and are compatible.
We do not know any proof of the compatibility of the and relations that does not go via the logic . In particular, it is the presence of general recursion in the programming language (via the fix operator) that has thwarted attempts to give direct proofs of compatibility for the pure-logic-induced preorder and equivalence.
9 Reasoning with the logic
The behavioural logics considered in this paper are designed for the purpose of formalising the notion of ‘behavioural property’, and for defining behavioural equivalence. As infinitary propositional logics, they are not directly suited to practical applications such as specification and verification. Nevertheless, they serve as low-level logics into which more practical finitary logics can be translated. For this, the closure of the logics under infinitary propositional logic is important. For example, there are standard translations of quantifiers and least and greatest fixed points into infinitary propositional logic. Furthermore, practical idioms for expressing effect-related properties can also be translated into logical combinations of modal formulas.
We illustrate this last point, by showing how Hoare triples, the standard formalism for specifying programs with global store, compile into our propositional logic with modalities, for the language with lookup and update operations (Example 4). Take for example the statement , where are two locations, and is an auxiliary variable ranging over the natural numbers, and is a unit-type computation term. This statement asserts that after executing , the location will contain the factorial of whatever number was stored at before starting the computation. In the case of the total-correctness version of Hoare logic, in which is required to terminate, the property stated by the Hoare triple is equivalent to:121212For some property on , we write for . If the predicate is always true, we write . We use a similar notation for .
[TABLE]
where the formula on the right expresses the combined effect of the precondition and postcondition. Similarly, the partial correctness interpretation, under which termination is not guaranteed, is captured by:
[TABLE]
Such compilations of high-level formulas (for example, Hoare triples) into low-level formulas (the infinitary propositional modal logic) are cumbersome. Nevertheless, they serve two purposes. The first is that translatability into the infinitary logic serves as a test for any proposed high-level specification syntax, as the existence of such a translation guarantees that the syntax expresses only behaviourally meaningful properties. The second purpose is that the propositional modal logic can potentially serve as a guideline for the extraction of compositional proof rules for the high-level logic. This is based on an interesting fact: such compositional proof rules are available for the infinitary propositional modal logic itself. Interestingly, this property is intimately related to the notion of strong decomposability defined in Section 4. We now expand on this point.
We consider a format for a style of compositional proof rule for programs whose outermost constructor is a sequential composition: . The proof rule we consider is specified by a modality together with a family of pairs of modalities: . This data determines the let proof rule below, which makes use of the pure behavioural logic from Section 8.
[TABLE]
In this rule, the modalities , and and their index set have been determined by the specifying data. The other components of the rule may be instantiated arbitrarily, thus the rule is parametric with respect to terms and and the formulas , and . The rule is compositional in the sense that its premises require properties to be established of and separately.
Definition 9.1**.**
A let proof rule (6) is said to be sound if, for all types , computation terms and , and value formulas and , the following implication holds:
[TABLE]
The modalities and required to specify a let proof rule are reminiscent of the definition of strong decomposability 4.18. In fact, there is a precise connection. Whenever is a strongly decomposable set of Scott open modalities, the set of sound let proof rules is complete in the sense of the proposition below, which informally states that every true modal property of a let term can be proved from properties of its component terms by means of a suitably chosen sound let proof rule.
Proposition 9.2**.**
Suppose that is a strongly decomposable set of Scott open modalities. Suppose also that holds (where and ). Then there is a sound let proof rule (6) for , with premise modalities , such that
[TABLE]
for some choice of value formulas .
Proof.
Assume that is strongly decomposable and . By the operational semantics, , so
[TABLE]
By strong decomposability, there is a collection of pairs of modalities such that: (1) , and (2) , if then . We prove that this collection specifies the desired let proof rule for .
Soundness: To prove that the proof rule is sound, consider types and , terms and , and value formulas and such that:
[TABLE]
Let . For any and such that , we have . We have by monotonicity and because , that . This holds for all , so by property (2) of strong decomposability (given above), , hence and we conclude that .
Completeness: We now prove that suitable value formulas exist, allowing us to use the rule as a method for proving that . For any , define
[TABLE]
where is the characteristic function for , as given by Lemma 5.5, but translated into the pure logic using Proposition 8.3. So if then , and since and is compatible, . Hence, whenever , we have that , so .
By the definition of and the observation above, it holds that, for any closed value term , if and only if . By property (1) above of strong decomposability, , so , and hence . ∎
We remark that Proposition 9.2 also works if we restrict to the logic of positive pure formulas.
We illustrate Proposition 9.2, by giving examples of complete collections of sound let proof rules in the case of two of our example effects: global store, and probabilistic choice. For global store, such a collection is given by let proof rules of the form:
[TABLE]
For probabilistic choice, such a collection of rules is:
[TABLE]
where each rule in the collection is specified by some and rationals and satisfying . Completeness can be derived from Proposition 9.2, using the fact that such collections arise in the proof of strong decomposability for the probability modalities in Section 4.
The above discussion concerns compositional proof rules for the let construction of the programming language. Compositional proof rules are available for the other program constructors too. For example, it turns out to be a consequence of Proposition 9.2 that compositional proof rules are available for the algebraic effect operations. Indeed such rules can be derived from the let proof rules by recasting the effect operations in terms of their generic effects in the sense of Plotkin and Power [38]; for example for a binary operation:
[TABLE]
Carrying this out in full generality would be excessively technical for this late point in the paper. So instead we illustrate the end result by giving examples of the proof rules one obtains for a selection of the effect operations in our running examples.
In the case of nondeterminism, the only effect operation is nondeterministic choice. For this, one obtains separate rules for the and modalities.
[TABLE]
For a second example, in the case of global store, one obtains the following rules for the and operations.
[TABLE]
In all cases the rules are sound as expected, and also complete in the following sense. Every valid assertion stating that a program whose outermost constructor is an effect operation satisfies a modal property can be derived by one of the compositional proof rules. For example, if it is true that then there exists such that and . (Indeed, let be such that is is the numeral .)
There is much that is preliminary in the above account of compositional reasoning principles. As we have already discussed, for reasoning to be practical one needs an expressive finitary program logic, and one needs the compositional principles in the proof rules to also be expressible using the finitary language. For example, in the case of global store, one would not use low-level modalities of the form where are individual states, but rather of the form where and are formulas in an appropriate logic for expressing general preconditions and postconditions constraining states. Also, one would reformulate the proof rules above to directly deal with such a practical language for preconditions and postconditions. Nonetheless, the general point remains that such more practical constructions can be compiled down into our infinitary propositional logic and its primitive modalities. In the end, in the case of global store, one will end up with a logic looking very much like an extension of Hoare logic to a higher-order language (e.g., there will be some similarities with Hoare Type Theory [29]).
Another issue we have not addressed in the discussion above is that, in general, the verification of interesting programs will involve proving properties of open terms (with free variables) rather than just the closed terms considered above. For this reason, one needs a proof system that deals with sequents of the form
[TABLE]
where we write and as syntactic assertions representing the statements and . The sequents above state that properties and hold of and , conditional on properties of the free variables. For example, with such sequents, there is then a natural proof rule for -abstraction:
[TABLE]
Summarising the above considerations, while the infinitary modal propositional logic of the present paper is not itself a practical vehicle for specification and verification, it may potentially inform the design of expressive finitary logics suitable for practical specification and reasoning with effects. In this regard, the compositional rules for the infinitary logic may provide templates for such rules in the practical logics. Moreover, the propositional logic suggests a general sequent-based format for verification, whose mature realisation should be something like an expressive refinement-type system for algebraic effects, supporting compositional verification. The development of such a system is a goal for future research.
The discussion thus far has concerned reasoning to establish assertions of the form stating that an individual program satisfies a property of programs. Another important side of reasoning is establishing equivalences between programs. Although a main motivation for introducing the behavioural logic was as a means for defining equivalence between programs, we do not primarily view it as a tool for establishing or reasoning about equivalences. Indeed, in regard to equivalences, the logic is most easily used as a means for establishing non-equivalences between programs. In order to show that , one just needs to exhibit a property that is satisfied by one of but not the other. Examples of such arguments were given in Examples 7.1 and 7.3. Using the logic as a means for proving that two terms are equivalent is trickier since it requires showing that the terms satisfy the same set of logical formulas. Again, one example of such an argument has been given in Example 7.1, where two terms were shown to be equivalent with respect to mutual similarity, by showing that they satisfy the same positive formulas. We now give one further example of such an argument, as a means of illustrating a general point.
The general point is that the logical properties of programs, as captured by the modalities and their interaction with the effect operations, suffice to establish the usual equalities between algebraic terms comprising of effect operations, which are central to Plotkin and Power’s approach to algebraic effects [38]. For the present paper, we illustrate this using one of the equations for global store as an example. For any value term , we prove the following equivalence between computation terms of type :
[TABLE]
By Lemma 4.4, we need only check that both sides of the equation satisfy the same formulas of the form . To show this, we argue using the proof principles discussed above for the and operations.
[TABLE]
The above derivation and others like it illustrate an alternative to taking equations between algebraic terms as the basic data defining the behaviour of algebraic effects, which is the mainstream approach in the theory of algebraic effects. Instead one can take the modal behavioural properties of effects and their associated proof principles as primitive, and then derive the equations. Indeed the latter is the natural approach if one views the equations as expressing empirical truths about computational behaviour rather than as a priori axiomatic facts.
10 Discussion and related work
In this paper we have introduced an infinitary propositional logic for expressing properties of programs with algebraic effects, with the principal aim of using the logic to define behavioural equivalence for effectful programs. Although our logics exhibit certain similarities in form with the endogenous logic developed in Abramsky’s domain theory in logical form [3], our motivation and approach are quite different. Whereas Abramsky shows the usefulness of an axiomatic approach to a finitary logic as a way of characterising denotational equality, the present paper shows that there is a similar utility in considering an infinitary logic from a semantic perspective (based on operational semantics) as a method for defining behavioural equivalence.
In the literature, logics for effects have primarily been considered for the purpose of reasoning about programs with effects. We review the main approaches to such logics.
Pitts’ evaluation logic was an early logic for general computational effects [34]. Evaluation logic has built-in and modalities, which can be given natural interpretations for some effects, but whose interpretation in the case of other effects is rather forced. In the light of the general theory of modalities in the present paper, it would be natural to reconsider evaluation logic with the built-in and modalities replaced with effect-specific modalities, as in Section 3. It is left for future work to assess the extent to which this provides a useful basis for a program logic for effects.
The logic for algebraic effects, of Plotkin and Pretnar [40], axiomatises effectful behaviour by means of an equational theory over a signature of effect operations, following the algebraic approach to effects advocated by Plotkin and Power [39]. Although we also have effect operations in the present paper, we do not take equational axioms as primitive. Instead, it is the choice of the set of modalities that determines the equational properties that the effect operations satisfy, as discussed in Section 9. A different kind of modality is also present in the logic of Plotkin and Pretnar [40]. Their operation modalities are generated by the signature , with each modality being associated with a single effect operation. It is our view that the behavioural modalities of the present paper provide a more natural vocabulary for specifying and reasoning about program behaviour, as discussed in Section 9. It is possible that a reformulation of Plotkin and Pretnar’s logic for algebraic effects, using behavioural modalities instead of operation modalities, might provide a more usable framework for specification and verification of programs with algebraic effects.
A different approach to logics for effects has been proposed by Goncharov, Mossakowski and Schröder [28, 6]. They assume a semantic setting in which the programming language is rich enough to contain a pure fragment that itself acts as a program logic. This approach is very powerful for certain effects. For example, Hoare logic can be derived in the case of global store. However, it appears not to be as adaptable across as wide a range of effects as the approach of the present paper.
The project [47] takes a complementary approach to reasoning about effects, under which an effectful programming language is embedded within a powerful general purpose theorem proving environment based on dependent type theory. The framework supports a generalisation of Hoare-logic-style reasoning, based on preconditions and postconditions, which is applicable to those effects that can be given associated Dijkstra monads [48, 47, 4, 25]. Indeed, an underlying philosophy of the project is to identify, for each eligible effect, the relevant form of precondition, postcondition and composition principle related to them. In contrast, in the logic of the present paper, the precondition-postcondition style arises naturally for global store, as it is built into the format of the store modality ; whereas other modalities provide different specification formats that nonetheless support compositional proof methods, as discussed in Section 9. In principle, this latter view is more general, as there is no a priori reason to force specifications into a precondition-postcondition format. In particular, for effects, such as input/output, in which there is observable mid-execution behaviour, it is not clear that such a format is the most useful (although it can be achieved; see, for example Penninckx et al. [32] and Maillard et al. [24]).
Examples in Sections 7 and 9 show how our logic can be used directly for reasoning about program equivalence. Its main practical use in this regard is as a method of establishing non-equivalence: the non-equivalence of and can be shown by exhibiting a single logical property that distinguishes between them. In this regard, there is a useful complementarity underpinning the coincidence of logical equivalence and bisimilarity. For, in contrast, a principal virtue of bisimilarity is that it provides practical reasoning techniques for establishing equivalences between programs that do hold. (Such techniques include exhibiting bisimilarities and ‘up-to’ methods [43, 45].) The relationship with other techniques for reasoning about equivalences between applicative and effectful programs, such as logical relations [33, 35, 5, 14, 15, 10], which are often directed towards contextual equivalence, is a question for future investigation.
In addition to the question of reasoning about equivalences and non-equivalences, the formulation of our logic as a language of formulas expressing behavioural properties, raises the question of its potential usefulness as a vehicle for reasoning about properties of programs. As discussed in Section 9, we view the infinitary propositional logic of this paper as providing a low-level language, into which practical high-level finitary logics for expressing program properties can potentially be compiled. In order to be sufficiently expressive, such a logic may well incorporate full first-order classical logic (including negation), as well as logical constructs such as the definition of relations as least or greatest fixed points, all of which are translatable into the logic of the present paper. For such an expressive logic, bisimilarity is likely to be the only program equivalence that supports the interchangeability property ( and imply ) discussed in Section 1. We view the development of such high-level logics and their compositional reasoning principles, aimed at practical specification and verification, as a particularly promising topic for future research.
We end the paper with a brief discussion of some of the choices made in the present paper, and of their extensions and limitations. The work in this paper has been carried out for fine-grained call-by-value [22], which is equivalent to call-by-value. The definitions can, however, be adapted to work for call-by-name, and even call-by-push-value [20]. Similarly, they can be adapted to other type constructions such as sums, products, recursive types, and polymorphism, all of which will be addressed in the second authors forthcoming PhD thesis. A more challenging direction for development, is to generalise the theory to permit algebraic operations with more general arities than the possibilities allowed in the present paper. Such a generalisation is needed to include effects such as local and/or higher-order store. This is nontrivial at several levels. For example, the notion of effect tree requires nontrivial modification. Also, the relevant notion of bisimilarity (so-called environmental bisimilarity [44, 16]) is much more subtle and probably requires a logic whose formulas express relations rather than properties.
The central notion of modality, in the present paper, was adapted from the notion of observation in Johann et al. [14]. The crucial change is from sets of trees of type (observations) to a set of unit-type trees (modalities). This change allows value formulas to be lifted to computation formulas, analogously to predicate lifting in coalgebra (cf., e.g., Jacobs [13]), which is a key characteristic of our modalities. The properties of Scott-openness and decomposability play a similar role in the present paper to the role they play in Johann et al. [14]. However, the notion of decomposability for modalities (Definition 4.15) is substantially more subtle than the corresponding notion for observations in Johann et al. [14].
There are certain limitations to the theory of modalities in the present paper. For example, for the combination of probability and nondeterminism, one might naturally consider modalities and asserting the possibility and necessity of the termination probability exceeding . However, the decomposability property fails. (A related observation appears in Lopez and Simpson [23].) In recent work, the second author has shown that this situation can be rescued by changing to a quantitative logic, with a corresponding notion of quantitative modality [51].
In Hasuo [8], a general framework for quantitative effect-specific modalities is proposed, where modalities are given by structure maps for algebras for a monad , with being an object of (potentially quantitative) truth values. From a semantic perspective, the Scott-open modalities of the present paper can be equivalently described as continuous functions from , where is the two element Sierpinski-space domain . In general, they are not, however, algebras for the tree monad . We leave a thorough comparison of the approach of the present paper (and its quantitative generalisation) with the proposed framework of Hasuo [8] for future work.
One topic we have not touched upon in the paper is extending the programming language with handlers, which are powerful control operators associated with algebraic effects [41]. If added to the language in unrestricted form, handlers violate the usual equations associated with algebraic effects. Nevertheless, it is interesting to consider if our modalities can be used, on the one hand, to reason about handlers, and, on the other, to help constrain handlers to ‘safe’ usages that respect the expected program equivalences. For example, various operators from concurrency can be defined using handlers [1, 50], and it would be interesting to see if this allows the usual Hennessy-Milner logic to be subsumed in our setting.
Acknowledgements.
We thank Francesco Gavazzo, Aliaume Lopez and the anonymous conference and journal reviewers for helpful discussions and comments.
Appendix A Howe’s method proof
In this appendix, we give the details that were left out from the Howe’s method proof in Section 6. The results in this appendix are indexed according to whether they were previously stated in Section 6 or are only stated here. Remember the definitions of the Howe closure given in Definition 6.1. We first look at some preliminary results, mostly from Lassen [19].
See 6.2
Proof.
This proof is adapted from [19, Lemma 3.8.2]. We prove the properties separately.
Since is reflexive, so is . Hence . 2. 2.
Note that the compatible refinement of a reflexive relation is reflexive (since the compatible refinement rules line up with the typing rules). Hence is reflexive, since is. So . 3. 3.
This requires an induction on the shape of (which may be a value or a computation). If then by HC or HV we have and . So we know . We need to prove, . In each of the cases of , is derived from rule Cn for some number . This rule has as its premise some sequence of relations . By induction hypothesis we have , this is also trivially true in the base cases since then the sequence is empty. Using Cn we can then derive that . Hence by HV or HC we get . One can verify that this argument works for each of the cases of Cn.
∎
We can also say something about composing the Howe closure with the original relation, which by Lemma 5.6 works well with our relator.
Lemma A.1**.**
If is a preorder relation on closed terms, then we have:
If and , then . 2. 2.
For closed terms such that and we have .
Proof.
We proof the properties individually.
We use that is transitive, hence is transitive meaning . Hence with we have . 2. 2.
This follows from applying Lemma 5.6 to the previous statement.
∎
Lastly, we prove the result needed to deal with the -bisimilarity.
See 6.5
Proof.
This proof is taken from [19, Lemma 3.8.2(4)]. Looking at the compatible refinement rules, it is not difficult to see for any relation . From Lemma 6.2 we know that , and is compatible hence . So we get that:
[TABLE]
[TABLE]
Hence is a solution for to the inclusion . Since is the least solution, we have . So if , then for some choice of sequence , so we can derive that meaning . We conclude that , so is symmetric. ∎
Now we specifically take to be a pre-order -simulation . We assume to be a decomposable set of Scott open modalities. The lemmas stated before are satisfied, hence we know that by Lemma 6.2. We prove that is an -simulation, starting with condition 1 of Definition 5.2:
Lemma A.2**.**
If for we have , then .
Proof.
For a value term of type , we have that for some natural number . Assume , then for some we have and . The latter means by property 1 of -simulations, so . If and hence , then must have been derived from C2, so . As an induction step, we assume and . We derive which must be from C3 hence where . So by assumption which means . We can conclude by induction that . ∎
So condition 1 of Definition 5.2 holds. Condition 3 is satisfied by compatibility of (shown in Lemma 6.2), specifically by rule C6 of compatibility. Condition 2 is the most difficult to prove and requires an induction on the reduction relation of terms. In the order of trees, and . So by the properties in Lemma 5.9 we have:
[TABLE]
Now for the important result, following the techniques used in [17].
See 6.4
Proof.
We do an induction on .
Base case, where , which means . So we have . By Lemma 6.2 we know is reflexive, so using Lemma 5.9 we get .
Induction step . We assume as the Induction Hypothesis that for any two terms and , if and we have . We want to prove .
By HC in Definition 6.1, there is a such that and . Since is an -simulation, we have . So we aim to prove that such that by Lemma A.1 we get . To prove this, we do a case distinction on the shape of to derive: .
, we have and . This is only possible from rule C4, meaning and . By Lemma 5.8 we have , hence . That concludes this case. 2. 2.
, hence . We have which can only be concluded from C6. Hence for some value terms and , with and . Now can only be from a combination of rule HV with C5, hence we have and . From , and Lemma 6.2 we get , hence by the induction hypothesis, . Since , we have , hence with it holds that , so by Lemma A.1, . 3. 3.
, we have which can only be concluded from C7, hence and . Take to be the following term:
[TABLE]
This value term has been specifically chosen such that reduces in one step to for any term , so . We have by reflexivity, hence with and Lemma 6.2 we get . Hence by the induction hypothesis. 4. 4.
, then can only be concluded from C8, hence for some terms , , and where , , and . Since we have by Lemma A.2. We do a case distinction on .
- (a)
If , then by the reduction relation. Using the induction hypothesis on we have , so we are finished. 2. (b)
If , then . By we have (Lemma 6.2), hence by the induction hypothesis,
. 5. 5.
. Looking at the -term, one can observe that we have the following upper bound
[TABLE]
The only derivation of is by C9, from which we know that for some terms and , where and . Using the above observation we know that and . Using property 1 of Corollary 5.11, we want to prove that .
Note that for all it holds by and Lemma 6.2 that . Hence by the induction hypothesis: . Define function where and . We also have by the induction hypothesis on that . Take and . So we can use property 1 of Corollary 5.11 on , , , and to conclude that
[TABLE]
Using a combination of property 1 of Lemma 5.9 to prove , and property 2 of Lemma 5.6 we can derive . 6. 6.
where . The statement can only follow from CA, hence where for all , . By the induction hypothesis, , hence by property 2 of Corollary 5.11. 7. 7.
where . The statement follows only from CB, hence where meaning for any we have . By the induction hypothesis, , hence by property 2 of Corollary 5.11. 8. 8.
where either or . Very similar to the previous cases, from either CC or CD we have where and hence by Lemma A.2. The rest follows by repeating the proof in the previous cases depending on what shape is.
∎
We can conclude that for any . Hence with and Lemma 5.9 we can finally conclude . Hence the relation satisfies all conditions of Definition 5.2, resulting in the following proposition.
See 6.3
Proof.
By Lemma A.2, satisfies condition (1) of being an -simulation. By Lemma 6.4 and for any term , it satisfies condition (2). By compatibility it satisfies condition (3). We conclude that is an -simulation. ∎
The Howe’s method proof is finalised in Section 6 with Theorem 3 A and B and their proofs.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Martin Abadi and Gordon Plotkin. A model of cooperative threads. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages , POPL ’09, pages 29–40, New York, NY, USA, 2009. ACM.
- 2[2] Samson Abramsky. The lazy lambda calculus. In David A. Turner, editor, Research Topics in Functional Programming , pages 65–116. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1990.
- 3[3] Samson Abramsky. Domain theory in logical form. Annals of Pure and Applied Logic , 51(1–2):1–77, 1991.
- 4[4] Danel Ahman, Catalin Hritcu, Kenji Maillard, Guido Martínez, Gordon Plotkin, Jonathan Protzenko, Aseem Rastogi, and Nikhil Swamy. Dijkstra monads for free. In 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL) , pages 515–529, New York, NY, USA, January 2017. ACM.
- 5[5] Nick Benton, Martin Hofmann, and Vivek Nigam. Abstract effects and proof-relevant logical relations. In The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’14, San Diego, CA, USA, January 20-21, 2014 , pages 619–632, New York, NY, USA, 2014. ACM.
- 6[6] Sergey Goncharov and Lutz Schröder. A relatively complete generic Hoare logic for order-enriched effects. In Proc. 28th Annual Symposium on Logic in Computer Science (LICS 2013) , pages 273–282, Washington, DC, USA, 2013. IEEE Computer Society.
- 7[7] Andrew D. Gordon and Gareth D. Rees. Bisimilarity for a first-order calculus of objects with subtyping. In Proceedings of the 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages , POPL ’96, pages 386–395, New York, NY, USA, 1996. ACM.
- 8[8] Ichiro Hasuo. Generic weakest precondition semantics from monads enriched with order. Theoretical Computer Science , 604:2–29, 2015.
