Meta-Reasoning in a Concurrent Logical Framework

Size: px

Start display at page:

Download "Meta-Reasoning in a Concurrent Logical Framework"

Elinor Rice
5 years ago
Views:

1 Meta-Reasoning in a Concurrent Logical Framework Iliano Cervesato and Jorge Luis Sacchini Carnegie Mellon University Chalmers University, 16 Oct 2013 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 1 / 39

2 Objectives Concurrency and distribution are essential features in modern systems. PLs are engineered (or retrofitted) to support them. Their formal semantics is not as well understood or studied as in the sequential case. Formal semantics will enable, e.g., formal verification, static analyses, verifying program transformations. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 2 / 39

3 Logical frameworks Formalisms used to specify PL and their metatheory. Coq, Agda, Twelf, Beluga, Delphin,... Our goal is to develop logical frameworks for specifying concurrent and distributed PL. Deep approach: specify a concurrency model in a general purpose LF (Coq, Agda) Shallow approach: provide direct support in a special purpose LF (Twelf, Beluga, Delphin, LLF, HLF, CLF) We follow the shallow approach, using CLF as our LF. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 3 / 39

4 Outline 1 CLF 2 Substructural operational semantics 3 Safety for SSOS 4 Meta-CLF 5 Conclusions and future work Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 4 / 39

5 Outline 1 CLF 2 Substructural operational semantics 3 Safety for SSOS 4 Meta-CLF 5 Conclusions and future work Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 5 / 39

6 CLF CLF is an extension of the Edinburgh logical framework (LF) designed to specify distributed and concurrent systems. Large number of examples: semantics of PL, Petri nets, voting protocols, etc. CLF extends LF with linear types and a monad to encapsulate concurrent effects: K ::= type Π!x : A.K (Kinds) A ::= P Πx : A.B A B A B {S} (Async types) S ::= 1!A A S S x : A.S (Sync types) as well as proof terms for these types (more on this later) Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 6 / 39

7 CLF Synchronous types: is associative and commutative, 1 is a neutral element. x : A.!B C 1!x : A,!y 1 : B, y 2 : C Arguments can be uncurrified. Πx : A.B C {D} Π!x : A,!y 1 : B, y 2 : C. {D} We can redefine types in CLF to use contexts: A ::= Π.P Π.{ } (Async types) ::= x : A,!x : A, (Contexts) Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 7 / 39

8 CLF CLF combines: Asynchronous types (Π,, &) Linear Logical Framework Backward chaining operational semantics Synchronous types (, ) Encapsulated in a monad ({S}) Forward chaining operational semantics Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 8 / 39

9 CLF Asynchronous fragment Backward chaining (as in Twelf): plus : nat nat type. plus/z : plus 0 N N. plus/s : plus (s M) N (s P) plus M N P. Example: plus 2 2 X X? Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 9 / 39

10 CLF Asynchronous fragment Backward chaining (as in Twelf): plus : nat nat type. plus/z : plus 0 N N. plus/s : plus (s M) N (s P) plus M N P. Example: plus 1 2 X 1 plus 2 2 X X = s X 1 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 9 / 39

11 CLF Asynchronous fragment Backward chaining (as in Twelf): plus : nat nat type. plus/z : plus 0 N N. plus/s : plus (s M) N (s P) plus M N P. Example: plus 0 2 X 2 plus 1 2 X 1 plus 2 2 X X = s X 1 = s (s X 2 ) Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 9 / 39

12 CLF Asynchronous fragment Backward chaining (as in Twelf): plus : nat nat type. plus/z : plus 0 N N. plus/s : plus (s M) N (s P) plus M N P. Example: plus 0 2 X 2 plus 1 2 X 1 plus 2 2 X X = s X 1 = s (s X 2 ) = s (s 2) Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 9 / 39

13 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (s N)} Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 10 / 39

14 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (s N)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 10 / 39

15 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (s N)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 10 / 39

16 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (s N)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 0 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 10 / 39

17 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (s N)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 0 t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 1 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 10 / 39

18 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (s N)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 0 t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 1 t 5 : tick, c 1 : count 3, c 2 : count 1 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 10 / 39

19 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (s N)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 0 t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 1 t 5 : tick, c 1 : count 3, c 2 : count 1 c 1 : count 3, c 2 : count 2 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 10 / 39

20 Proof terms Monadic types are introduced by traces A trace is basically a sequence of rule applications: ε ::= { } c S ε 1 ; ε 2 Trace composition (;) is associative and is a neutral element Forward chaining with committed choice after every step. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 11 / 39

21 Traces Typing rules for traces: ε : can be read as trace ε transforms (rewrites) into : c : Π 0.{ 1 } Σ 0 { 1 } c 0 : 1 0 ε 1 : 1 1 ε 2 : 2 0 ε 1 ; ε 2 : 2 = 0 1 iff Persistent declarations in appear in both 0 and 1 Linear declarations in appear in exactly one of 0 and 1 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 12 / 39

22 Traces Example: in : tick count N {count (s N)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 {c 11 } in t 1, c 1 {c 12 } in t 2, c 11 {c 21 } in t 3, c 2 {c 13 } in t 4, c 12 {c 22 } in t 5, c 21 : c 13 : count 3, c 22 : count 2 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 13 / 39

23 Traces Equality on traces: α-equivalence modulo permutation of independent subtraces. Allows encoding of concurrent and distributed features. Two traces are independent (ε 1 ε 2 ) if they operate on different sets of variables. Trace interface: ( ) = ({ } c S) = FV(S) (ε 1 ; ε 2 ) = ε 1 ( ε 2 \ ε 1 ) ( ) = ({ } c S) = dom( ) (ε 1 ; ε 2 ) = ε 2 (ε 1 \ ε 2 )!(ε 1 ) ε 1 ε 2 ε 1 ε 2 = ε 1 ε 2 =. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 14 / 39

24 Traces Trace equality: ; ε ε ε; ε ε 1 ; (ε 2 ; ε 3 ) (ε 1 ; ε 2 ); ε 3 Example: ε 1 ε 2 ε 1 ε 1 ε 2 ε 2 ε 1 ; ε 2 ε 2 ; ε 1 ε 1 ; ε 2 ε 1; ε 2 ε 1 ; ε 2 ε 1 ; ε 2 {c 11 } in t 1, c 1 {c 12 } in t 2, c 11 {c 21 } in t 3, c 2 {c 13 } in t 4, c 12 {c 22 } in t 5, c 21 {c 11 } in t 1, c 1 {c 21 } in t 3, c 2 {c 12 } in t 2, c 11 {c 13 } in t 4, c 12 {c 22 } in t 5, c 21 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 15 / 39

25 Outline 1 CLF 2 Substructural operational semantics 3 Safety for SSOS 4 Meta-CLF 5 Conclusions and future work Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 16 / 39

26 Substructural operational semantics Substructural operational semantics combines Structural operational semantics Substructural logics Extensible: we can add features without breaking previous developments Expressive: wide variety of concurrent and distributed mechanisms (Simmons12). Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 17 / 39

27 Example Simply-typed λ-calculus HOAS representation in (C)LF: exp : type. lam : (exp exp) exp. app : exp exp exp. e ::= x λx.e e e Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 18 / 39

28 SSOS Linear-destination passing style (Pfenning04) Based on multiset rewriting; suitable for specifying in linear logic Multiset of facts: eval e d ret e d fapp d 1 d 2 d Evaluate expression e in destination d Return value e to destination d Application: expects the function and argument to be evaluated in d 1 and d 2, and the result is evaluated in d Evaluation rules transform multisets of facts Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 19 / 39

29 SSOS Expressions represented as multiset of facts: eval e d, ret e d, fapp d 1 d 2 d In CLF: dest : type. eval : exp dest type. ret : exp dest type. fapp : dest dest dest type. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 20 / 39

30 Parallel evaluation semantics Transitions as multiset rewriting rules: eval e d ret e d if e is a value In CLF: step/eval : eval e d value e {ret e d}. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 21 / 39

31 Parallel evaluation semantics Transitions as multiset rewriting rules: eval (e 1 e 2 ) d eval e 1 d 1, eval e 2 d 2, fapp d 1 d 2 d In CLF: where d 1, d 2 fresh step/app : eval (app e 1 e 2 ) d {!d 1!d 2 : dest, eval e 1 d 1, eval e 2 d 2, fapp d 1 d 2 d}. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 21 / 39

32 Parallel evaluation semantics Transitions as multiset rewriting rules: ret (λx.e 1 ) d 1, ret e 2 d 2, fapp d 1 d 2 d eval (e 1 [e 2 /x]) d In CLF: step/beta : ret (lam e 1 ) d 1 ret e 2 d 2 fapp d 1 d 2 d {eval (e 1 e 2 ) d} Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 21 / 39

33 Example eval ((λx.x)(λy.y)) d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d :!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 22 / 39

34 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; :!d!d 1!d 2 : dest, x : eval (lam λx.x) d 1, y : eval (lam λy.y) d 2, z : fapp d 1 d 2 d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 22 / 39

35 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {x } step/eval x; :!d!d 1!d 2 : dest, x : ret (lam λx.x) d 1, y : eval (lam λy.y) d 2 z : fapp d 1 d 2 d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 22 / 39

36 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, ret (λy.y) d 2, fapp d 1 d 2 d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {x } step/eval x; {y } step/eval y; :!d!d 1!d 2 : dest, x : ret (lam λx.x) d 1, y : ret (lam λy.y) d 2 z : fapp d 1 d 2 d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 22 / 39

37 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, ret (λy.y) d 2, fapp d 1 d 2 d eval (λy.y) d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {x } step/eval x; {y } step/eval y; {w} step/beta x y z; :!d!d 1!d 2 : dest, w : eval (lam λy.y) d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 22 / 39

38 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, ret (λy.y) d 2, fapp d 1 d 2 d eval (λy.y) d ret (λy.y) d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {x } step/eval x; {y } step/eval y; {w} step/beta x y z; {w } step/eval w; :!d!d 1!d 2 : dest, w : ret (lam λy.y) d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 22 / 39

39 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, ret (λy.y) d 2, fapp d 1 d 2 d eval (λy.y) d ret (λy.y) d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {y } step/eval y; {x } step/eval x; {w} step/beta x y z; {w } step/eval w; :!d!d 1!d 2 : dest, w : ret (lam λy.y) d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 22 / 39

40 Outline 1 CLF 2 Substructural operational semantics 3 Safety for SSOS 4 Meta-CLF 5 Conclusions and future work Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 23 / 39

41 Safety Recall that the previous semantics is parallel (more complex languages can have concurrent and distributed semantics as well). Safety. Preservation: evaluation preserves well-typed multisets. If is a well-typed multiset and (step), then is a well-typed multiset. Progress: a well-typed multiset is either final (result) or is possible to take a step. If is a well-typed multiset, then either = {ret e d} or there exists such that. We need a notion of well-typed multiset for SSOS specifications. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 24 / 39

42 Well-formed multisets Example: eval e 1 d, eval e 2 d $ (repeated destination) fapp d 1 d 2 d, eval e 1 d 1 $ (no fact for d 2 ) Well-formed multisets form a tree: fapp d 1 d 2 d eval d 1 fapp d 21 d 22 d 2 ret 0 d 21 eval 2 d 22 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 25 / 39

43 Well-formed multisets Well-formed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d gen d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 26 / 39

44 Well-formed multisets Well-formed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d gen d gen d 1 gen d 2 fapp d 1 d 2 d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 26 / 39

45 Well-formed multisets Well-formed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d gen d gen d 1 gen d 2 eval plus d 1 fapp d 1 d 2 d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 26 / 39

46 Well-formed multisets Well-formed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d gen d gen d 1 gen d 2 gen d 21 gen d 22 eval plus d 1 fapp d 1 d 2 d fapp d 21 d 22 d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 26 / 39

47 Well-formed multisets Well-formed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d gen d gen d 1 gen d 2 gen d 21 gen d 22 eval plus d 1 fapp d 1 d 2 d ret 0 d 21 fapp d 21 d 22 d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 26 / 39

48 Well-formed multisets Well-formed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d gen d gen d 1 gen d 2 gen d 21 gen d 22 eval plus d 1 fapp d 1 d 2 d ret 0 d 21 fapp d 21 d 22 d eval 2 d 22 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 26 / 39

49 Well-formed multisets Well-formed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d gen d gen d 1 gen d 2 gen d 21 gen d 22 = eval plus d 1, fapp d 1 d 2 d, ret 0 d 21, fapp d 21 d 22 d, eval 2 d 22 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 26 / 39

50 Well-typed multisets Add a type argument: gen t d A where A contains no fact of the form gen t 0 d 0. In CLF: gen : tp dest type. gen/eval : gen t d of e t {eval e d}. gen/ret : gen t d of e t value e {ret e d}. gen/fapp : gen t d {!d 1!d 2 : dest, fapp d 1 d 2 d, gen (arr t 1 t) d 1, gen t 1 d 2 }. We call these type of rules generative invariants (Simmons 12). Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 27 / 39

51 Safety Lemma (Safety) Preservation If {gen t d} gen A and A step A then {gen t d} gen A. Progress if {gen t d} gen A, then either A is of the form {ret e d} or there exists A such that A step A. Proof. Preservation The proof proceeds by case analysis on the evaluation step. Progress The proof proceeds by induction on the generating trace. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 28 / 39

52 Limitations of CLF In CLF it is not possible to express preservation and progress. CLF lacks support for first-order traces, and quantification over contexts. We propose an extension of LF with trace types: Meta-CLF. Similar approaches are taken in Beluga, Delphin, Abella (in the sense of using a two-level approach). Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 29 / 39

53 Outline 1 CLF 2 Substructural operational semantics 3 Safety for SSOS 4 Meta-CLF 5 Conclusions and future work Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 30 / 39

54 Meta-CLF Meta-CLF is an extension of LF with trace types and quantification over contexts and names: A ::=... { } Σ { } { } Σ 1 { } Πψ : ctx.a x.a { } Σ { } is the type of all traces ε satisfying ε : that use only rules in the signature Σ. { } Σ 1 { } is the type of all 1-step traces ε satisfying ε : that use only rules in the signature Σ. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 31 / 39

55 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 32 / 39

56 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 1, then ψ 2 is a well-typed state. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 32 / 39

57 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 32 / 39

58 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 32 / 39

59 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 32 / 39

60 Safety proof in Meta-CLF Case step/eval : eval e d value e {ret e d}. A, eval e d step A, ret e d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 33 / 39

61 Safety proof in Meta-CLF Case step/eval : eval e d value e {ret e d}. gen t 0 d 0 gen The multiset A, eval e d is generated from gen t 0 d 0. A, eval e d step A, ret e d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 33 / 39

62 Safety proof in Meta-CLF Case step/eval : eval e d value e {ret e d}. gen t 0 d 0 gen A, gen t d gen A, eval e d step A, ret e d There must be one step that generates eval e d using gen/eval; this step can be moved to the end, since no other step depends on it. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 33 / 39

63 Safety proof in Meta-CLF Case step/eval : eval e d value e {ret e d}. gen t 0 d 0 gen t 0 d 0 gen A, gen t d gen gen A, eval e d step A, ret e d? We want to show that it is possible to generate the multiset A, ret e d. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 33 / 39

64 Safety proof in Meta-CLF Case step/eval : eval e d value e {ret e d}. gen t 0 d 0 gen t 0 d 0 gen gen A, gen t d A, gen t d We generate the multiset A using the same rules as on the left. gen A, eval e d step A, ret e d Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 33 / 39

65 Safety proof in Meta-CLF Case step/eval : eval e d value e {ret e d}. gen t 0 d 0 gen t 0 d 0 gen gen A, gen t d A, gen t d gen gen A, eval e d step A, ret e d We generate the multiset A using the same rules as on the left. But change the last step to generate ret e d. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 33 / 39

66 Safety proof in Meta-CLF Case step/eval : eval e d value e {ret e d}. gen t 0 d 0 gen t 0 d 0 gen gen A, gen t d A, gen t d gen gen A, eval e d step A, ret e d In Meta-CLF: Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 33 / 39

67 Safety proof in Meta-CLF Case step/eval : eval e d value e {ret e d}. gen t 0 d 0 gen t 0 d 0 gen gen A, gen t d A, gen t d gen gen A, eval e d step A, ret e d In Meta-CLF: pres/ret : preservation (X 1 ; {x} gen/eval g 0 H) ({y} step/eval x H v ) (X 1 ; {y} gen/ret g 0 H H v ) where x : eval e d, g 0 : gen t d, H : of e t, H v : value e. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 33 / 39

68 Meta-CLF Both proofs of preservation and progress in Meta-CLF follow the pen-and-paper proofs. Preservation is performed by case analysis (no induction). Progress relies on induction, but termination is easy (size of the trace). However, we rely on coverage to ensure the proof is total. Coverage checking in the presence of traces is tricky, due to the possibility of permuting steps. (Left for future work.) Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 34 / 39

69 SSOS We can extend this semantics with other features without invalidating the previous rules Example: store, futures, call/cc, communication,... location : type. loc : location exp. get : exp exp. ref : exp exp. set : exp exp exp. cell : location exp type. step/ref : eval (ref e) d {!d 1 : dest,!l : location, fref d 1 l, eval e d 1, ret (loc l) d}. step/fref : ret e d fref d l {cell l e}. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 35 / 39

70 SSOS We can extend this semantics with other features without invalidating the previous rules Example: store, futures, call/cc, communication,... future : exp exp. promise : dest exp. deliver : exp dest type. step/fut : eval (future e) d {!d 1 : dest, eval e d 1, fdel d 1, ret (promise d 1 ) d}. step/fdel : ret e d fdel d 1 {!deliver e d}. step/promise : ret (promise d 1 ) d delivee e d 1 ret e d. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 35 / 39

71 Outline 1 CLF 2 Substructural operational semantics 3 Safety for SSOS 4 Meta-CLF 5 Conclusions and future work Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 36 / 39

72 Conclusions Our goal is to develop logical frameworks suitable for specifying concurrent and distributed systems. We introduced Meta-CLF, an extension of LF to reason about CLF specifications. We showed that it is expressive enough to write safety proofs of parallel/concurrent PL. Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 37 / 39

73 Future work Decidability of type checking Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 38 / 39

74 Future work Decidability of type checking Type reconstruction for implicit arguments (very important for usability) pres/ret : preservation (X 1 ; {x} gen/eval g 0 H) ({y} step/eval x H v ) (X 1 ; {y} gen/ret g 0 H H v ) Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 38 / 39

75 Future work Decidability of type checking Type reconstruction for implicit arguments (very important for usability) pres/ret : x. y. d. g. d 0. g 0.Πψ 1 : ctx.πe : exp. Πt : tp.πt 0 : tp.πh : of e t 0.ΠH v : value e ΠX : {!d : dest, g : gen d t} Σ gen {ψ 1,!d 0 : dest, g 0 : gen d 0 t 0 }. preservation t d g (ψ 1,!d 0 : dest, x : eval e d 0 ) (ψ 1,!d 0 : dest, y : ret e d 0 ) (X 1 ; {x} gen/eval e t d 0 g 0 H) ({y} step/eval e d 0 x H v ) (X 1 ; {y} gen/ret e t d 0 g 0 H H v ) Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 38 / 39

76 Future work Decidability of type checking Type reconstruction for implicit arguments (very important for usability) pres/ret : x. y. d. g. d 0. g 0.Πψ 1 : ctx.πe : exp. Πt : tp.πt 0 : tp.πh : of e t 0.ΠH v : value e ΠX : {!d : dest, g : gen d t} Σ gen {ψ 1,!d 0 : dest, g 0 : gen d 0 t 0 }. preservation t d g (ψ 1,!d 0 : dest, x : eval e d 0 ) (ψ 1,!d 0 : dest, y : ret e d 0 ) (X 1 ; {x} gen/eval e t d 0 g 0 H) ({y} step/eval e d 0 x H v ) (X 1 ; {y} gen/ret e t d 0 g 0 H H v ) Implementation Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 38 / 39

77 Future work Coverage checking Coverage checking for traces is difficult due to the equality relation. Easier when restricted to generative invariants GI look like a generalization of context-free grammars gen/eval : gen t d of e t {eval e d}. gen/ret : gen t d of e t {ret e d}. gen/fapp : gen t d {!d 1!d 2 : dest, fapp d 1 d 2 d, gen (arr t 1 t) d 1, gen t 1 d 2 }. Non-terminal: gen. Terminals: eval, ret, fapp. Example: X 1 ; ({y} gen/eval x); X 2 X 1 ; X 2 ; ({y} gen/eval x) Termination (trace size) Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning in CLF 39 / 39

Meta-reasoning in the concurrent logical framework CLF

Meta-reasoning in the concurrent logical framework CLF Jorge Luis Sacchini (joint work with Iliano Cervesato) Carnegie Mellon University Qatar campus Nagoya University, 27 June 2014 Jorge Luis Sacchini