Denotational semantics

Size: px

Start display at page:

Download "Denotational semantics"

Randolf Phillips
5 years ago
Views:

1 Denotational semantics Semantics and Application to Program Verification Antoine Miné École normale supérieure, Paris year Course 4 4 March 2016 Course 4 Denotational semantics Antoine Miné p. 1 / 58

2 Introduction Operational semantics (state and trace) (last two weeks) Defined as small execution steps, (transition relation) over low-level internal configurations. (states) Transitions are chained to ine maximal traces. Denotational semantics (today) Direct functions from programs to mathematical objects, ined by induction on the program syntax, ignoring intermediate steps and execution details. (denotations) (compositional) (no state) = Higher-level, more abstract, more modular. Tries to decouple a program meaning from its execution. Focus on the mathematical structures that represent programs. (founded by Strachey and Scott in the 70s: [Scott-Strachey71]) Assembly semantics vs. Functional programming semantics. often: semantics for practical verification vs. semantics for computer theorists Course 4 Denotational semantics Antoine Miné p. 2 / 58

3 Two very different programs Bubble sort in C int swapped; do { swapped = 0; for (int i=1; i<n; i++) { if (a[i-1] > a[i]) { swap(&a[i-1], &a[i]); swapped = 1; } } } while (swapped); Quick sort in OCaml let rec sort = function [] -> [] a::rest -> let lo, hi = List.partition (fun y -> y < x) rest in (sort (sort hi) different languages (C / OCaml) different algorithms (bubble sort / quick sort) different programming principles (loop / recursion) different data-types (array / list) Can we give them the same semantics? Course 4 Denotational semantics Antoine Miné p. 3 / 58

4 Denotation worlds imperative programs effect of a program: mutate a memory state natural denotation: input/output function domain D memory memory challenge: build a whole program denotation from denotations of atomic language constructs (modularity) functional programs effect of a program: return a value (without any side-effect) model a program of type a -> b as a function in D a D b challenge: choose D to allow polymorphic or untyped languages other paradigms: parallel, probabilistic, etc. = very rich theory of mathematical structures Scott domains, cartesian closed categories, coherent spaces, event structures, game semantics, etc. We will not present them in this overview! Course 4 Denotational semantics Antoine Miné p. 4 / 58

5 Course overview Imperative programs IMP: deterministic programs NIMP: handling non-determinism linking denotational and operational semantics Higher-order programs PCF : monomorphic typed programs linking denotational and operational semantics: full abstraction untyped λ calculus: recursive domain equations Practical session (room INFO 4) program the denotational semantics of a simple imperative (non-)deterministic language (IMP, NIMP) Course 4 Denotational semantics Antoine Miné p. 5 / 58

6 Deterministic imperative programs Deterministic imperative programs Course 4 Denotational semantics Antoine Miné p. 6 / 58

7 Deterministic imperative programs A simple imperative language: IMP IMP expressions expr ::= X (variable) c (constant) expr (unary operation) expr expr (binary operation) variables in a fixed set X V constants I = B Z: booleans B = { true, false } integers Z operations : integer operations: +,,, /, <, boolean operations:,, polymorphic operations: =, Course 4 Denotational semantics Antoine Miné p. 7 / 58

8 Deterministic imperative programs A simple imperative language: IMP Statements stat ::= skip (do nothing) X expr (assignment) stat; stat (sequence) if expr then stat else stat (conditional) while expr do stat (loop) (inspired from the presentation in [Benton96]) Course 4 Denotational semantics Antoine Miné p. 8 / 58

9 Deterministic imperative programs Expression semantics E expr : E I environments E = V I map variables in V to values in I E expr returns a value in I denotes partial functions (as opposed to ) necessary because some operations are unined 1 + true, 1 2 (type mismatch) 3/0 (invalid value) ined by structural induction on abstract syntax trees (next slide) when we use the notation X y, y is a syntactic object; X serves to distinguish between different semantic functions with different signatures, often varying with the kind of syntactic object y (expression, statement, etc.); X y z is the application of the function X y to the object z Course 4 Denotational semantics Antoine Miné p. 9 / 58

10 Deterministic imperative programs Expression semantics E expr : E I E c ρ E V ρ E e ρ E e ρ E e 1 + e 2 ρ E e 1 e 2 ρ E e 1 e 2 ρ E e 1 /e 2 ρ E e 1 e 2 ρ E e 1 e 2 ρ E e 1 < e 2 ρ E e 1 e 2 ρ E e 1 = e 2 ρ E e 1 e 2 ρ unined otherwise = c I = ρ(v ) I = v Z if v = E e ρ Z = v B if v = E e ρ B = v 1 + v 2 Z if v 1 = E e 1 ρ Z, v 2 = E e 2 ρ Z = v 1 v 2 Z if v 1 = E e 1 ρ Z, v 2 = E e 2 ρ Z = v 1 v 2 Z if v 1 = E e 1 ρ Z, v 2 = E e 2 ρ Z = v 1 /v 2 Z if v 1 = E e 1 ρ Z, v 2 = E e 2 ρ Z \ {0} = v 1 v 2 B if v 1 = E e 1 ρ B, v 2 = E e 2 ρ B = v 1 v 2 B if v 1 = E e 1 ρ B, v 2 = E e 2 ρ B = v 1 < v 2 B if v 1 = E e 1 ρ Z, v 2 = E e 2 ρ Z = v 1 v 2 B if v 1 = E e 1 ρ Z, v 2 = E e 2 ρ Z = v 1 = v 2 B if v 1 = E e 1 ρ I, v 2 = E e 2 ρ I = v 1 v 2 B if v 1 = E e 1 ρ I, v 2 = E e 2 ρ I Course 4 Denotational semantics Antoine Miné p. 10 / 58

11 Deterministic imperative programs Statement semantics S stat : E E maps an environment before the statement to an environment after the statement partial function due to errors in expressions non-termination also ined by structural induction Course 4 Denotational semantics Antoine Miné p. 11 / 58

12 Deterministic imperative programs Statement semantics S stat : E E skip: do nothing S skip ρ = ρ assignment: evaluate expression and mutate environment S X e ρ = ρ[x v] if E e ρ = v sequence: function composition S s 1 ; s 2 = S s 2 S s 1 conditional S if e then s 1 else s 2 ρ = S s 1 ρ S s 2 ρ unined if E e ρ = true if E e ρ = false otherwise f [x y] denotes the function that maps x to y, and any z x to f (z) Course 4 Denotational semantics Antoine Miné p. 12 / 58

13 Deterministic imperative programs Statement semantics: loops How do we handle loops? The semantics of loops must satisfy: S while e do s ρ = ρ S while e do s (S s ρ) unined if E e ρ = false if E e ρ = true otherwise This is a recursive inition; we must prove that: the equation has solution(s); in case there are several solutions, there is a single right one; = we use fixpoints of operators over partially ordered sets. Course 4 Denotational semantics Antoine Miné p. 13 / 58

14 Deterministic imperative programs Flat orders and partial functions Flat ordering (I, ) on I: I = I { } (pointed set) a b a = a = b (partial order) every chain is finite, and so has a lub = it is a pointed complete partial order (cpo) denotes the value unined ( is an information order) Similarly for E = E { }. Note that (E E) (E E ) = we will now use total functions only. Course 4 Denotational semantics Antoine Miné p. 14 / 58

15 Deterministic imperative programs Poset of continuous partial functions c Partial order structure on partial functions (E E, ) E E extends E E domain = co-domain = allows composition f E E extended with f ( ) = (strictness) = if S s x is unined, so is (S s S s )x such functions are monotonic and continuous (a b = f (a) f (b) and f ( X ) = { f (x) x X }) c = we restrict E E to continuous functions: E E point-wise order on functions f g x: f (x) g(x) E c E has a least element: = λx. by point-wise lub of chains, it is also complete = a cpo F = λx. { f (x) f F } Course 4 Denotational semantics Antoine Miné p. 15 / 58

16 Deterministic imperative programs Fixpoint semantics of loops To solve the semantic equation, we use a fixpoint of a functional. We use actually the least fixpoint. S while e do s = lfp F (most precise for the information order) where : F : (E E ) (E E ) ρ if E e ρ = false F (f )(ρ) = f (S s ρ) if E e ρ = true otherwise Theorem lfp F is well-ined remember our equation on S while e do s? it can be rewritten exactly as: S while e do s = F (S while e do s ) Course 4 Denotational semantics Antoine Miné p. 16 / 58

17 Deterministic imperative programs Fixpoint semantics of loops (proof sketch) Recall Kleene s theorem: Kleene s theorem A continuous function on a cpo has a least fixpoint To use the theorem we prove that S stat is continuous (and is well-ined) by induction on the syntax of stat: base cases: S skip and S X e are continuous S if e then s 1 else s 2 : by induction hypothesis, as S s 1 and S s 2 are continuous S s 1 ; s 2 : by induction hypotheses and because respects continuity c F is continuous in (E E ) c c (E E ) by induction hypotheses = lfp F exists by Kleene s theorem moreover, lfp F is continuous (simple consequence of Kleene s proof) = S while e do s is continuous Course 4 Denotational semantics Antoine Miné p. 17 / 58

18 Deterministic imperative programs Join semantics of loops Recall another fact about Kleene s fixpoints: lfp F = n N F n ( ) F 0 ( ) = is completely unined (no information) { ρ if E e ρ = false F 1 ( )(ρ) = otherwise environment if the loop is never entered (partial information) ρ if E e ρ = false F 2 ( )(ρ) = S s ρ else if E e (S s ρ) = false otherwise environment if the loop is iterated at most once F n ( )(ρ) environment if the loop is iterated at most n 1 times n N F n ( ) environment when exiting the loop whatever the number of iterations (total information) Course 4 Denotational semantics Antoine Miné p. 18 / 58

19 Deterministic imperative programs Error vs. non-termination In our semantics S stat ρ = can mean: either stat starting on input ρ loops for ever or it stops prematurely with an error Note : we could distinguish between the two cases by : adding an error value Ω, distinct from propagating it in the semantics, bypassing computations (no further computation after an error) Course 4 Denotational semantics Antoine Miné p. 19 / 58

20 Summary Deterministic imperative programs Rewriting the semantics using total functions on cpos with : c E expr : E I returns for an error or if its argument is c S stat : E E S skip ρ = ρ S e 1 ; e 2 = S e 2 S e 1 { S X e ρ if E e ρ = = ρ[x E e ρ] otherwise S s 1 ρ if E e ρ = true S if e then s 1 else s 2 ρ = S s 2 ρ if E e ρ = false otherwise S while e do s = lfp F ρ where F (f )(ρ) = f (S s ρ) if E e ρ = false if E e ρ = true otherwise Course 4 Denotational semantics Antoine Miné p. 20 / 58

21 Non-determinism Non-determinism Course 4 Denotational semantics Antoine Miné p. 21 / 58

22 Non-determinism Why non-determinism? It is useful to consider non-deterministic programs, to: model partially unknown environments abstract away unknown program parts abstract away too complex parts handle a set of programs as a single one Kinds of non-determinism data non-determinism: expr ::= random() control non-determinism: stat ::= either s 1 or s 2 (user input) (libraries) (rounding errors in floats) (parametric programs) but we can write either s 1 or s 2 as if random() = 0 then s 1 else s 2 Consequence on semantics and verification we want to verify all the possible executions = the semantics should express all the possible executions Course 4 Denotational semantics Antoine Miné p. 22 / 58

23 Non-determinism Modified language We extend IMP to NIMP, an imperative language with non-determinism. NIMP language expr ::= X (variable) c (constant) [c 1, c 2 ] (constant interval) expr (unary operation) expr expr (binary operation) NIMP has the same statements as IMP c 1 Z { }, c 2 Z {+ } [c 1, c 2 ] means: return a fresh random value between c 1 and c 2 each time the expression is evaluated Question: is [0, 1] = [0, 1] true or false? Course 4 Denotational semantics Antoine Miné p. 23 / 58

24 Non-determinism Expression semantics E expr : E P(I) E V ρ E c ρ E [c 1, c 2 ] ρ E e ρ E e ρ E e 1 + e 2 ρ E e 1 /e 2 ρ E e 1 < e 2 ρ... = {ρ(v )} = {c} = { c Z c 1 c c 2 } = { v v E e ρ Z } = { v v E e ρ B } = { v 1 + v 2 v 1 E e 1 ρ Z, v 2 E e 2 ρ Z } = { v 1 /v 2 v 1 E e 1 ρ Z, v 2 E e 2 ρ Z \ {0} } = { true v 1 E e 1 ρ, v 2 E e 2 ρ: v 1 Z, v 2 Z, v 1 < v 2 } { false v 1 E e 1 ρ, v 2 E e 2 ρ: v 1 Z, v 2 Z, v 1 v 2 } we output a set of values, to account for non-determinism we can have E e ρ = due to errors (no need for a special Ω nor element) Course 4 Denotational semantics Antoine Miné p. 24 / 58

25 Non-determinism Statement semantic domain Semantic domain: a statement can output a set of environments = use E P(E) to allow composition, extend it to P(E) P(E) non-termination and errors can be modeled by (no need for a special Ω nor element) Course 4 Denotational semantics Antoine Miné p. 25 / 58

26 Non-determinism Statement semantics S stat : P(E) P(E) S skip R = R S s 1 ; s 2 = S s 2 S s 1 S X e R = { ρ[x v] ρ R, v E e ρ } pick an environment ρ pick an expression value v in E e ρ generate an updated environment ρ[x v] S if e then s 1 else s 2 R = S s 1 { ρ R true E e ρ } S s 2 { ρ R false E e ρ } filter environments according to the value of e execute both branch independently join them with Course 4 Denotational semantics Antoine Miné p. 26 / 58

27 Non-determinism Statement semantics S while e do s R = { ρ lfp F false E e ρ } where F (X ) = R S s { ρ X true E e ρ } Justification: lfp F exists (P(E),,,,, E) forms a complete lattice all semantic functions and F are monotonic and continuous in fact, they are strict complete join morphisms S s ( i X i ) = i S s X i and S s = which we write as S s P(E) P(E) it is really the image function of a function in E P(E) S s X = { S s {x} x X } we can apply both Kleene s and Tarksi s fixpoint theorems Course 4 Denotational semantics Antoine Miné p. 27 / 58

28 Non-determinism Join semantics of loops S while e do s R = { ρ lfp F false E e ρ } where F (X ) = R S s { ρ X true E e ρ } (F applies a loop iteration to X and adds back the environments R before the loop) Recall that lfp F = n N F n ( ) F 0 ( ) = F 1 ( ) = R environments before entering the loop F 2 ( ) = R S s { ρ R true E e ρ } environments after zero or one loop iteration F n ( ) : environments after at most n 1 loop iterations (just before testing the condition to determine if we should iterate a n th time) n N F n ( ): loop invariant Course 4 Denotational semantics Antoine Miné p. 28 / 58

29 Non-determinism Angelic non-determinism and termination If stat is deterministic (no [c 1, c 2 ] in expressions) c the semantics is equivalent to our semantics on E E Justification: ({ E E E 1 },,, ) is isomorphic to (E,,, ) In general, we can have several outputs for S stat {ρ} E {Ω}: : the program never terminates at all {Ω}: the program never terminates correctly R E \ {Ω}: when the program terminates, it terminates correctly, in an environment in R = we cannot express that a program always terminates! This is called the Angelic semantics, useful for partial correctness. Course 4 Denotational semantics Antoine Miné p. 29 / 58

30 Non-determinism Note on non-determinism and termination Other (more complex) ways to mix non-termination and non-determinism exist Based on distinguishing and, and on different order relations {0, 1} {0, 1} {0, 1} {0} {0, 1, } {1} {0} {0, 1, } {1} {0} {1} {0, } {1, } {0, } {1, } { } { } powerset order mixed order Egli-Milner order angelic semantics natural semantics natural semantics (this is a complex subject, we will say no more) Course 4 Denotational semantics Antoine Miné p. 30 / 58

31 Link between operational and denotational semantics Link between operational and denotational semantics Course 4 Denotational semantics Antoine Miné p. 31 / 58

32 Link between operational and denotational semantics Motivation Are the operational and denotational semantics consistent with each other? Note that: systems are actually described operationally (previous courses) the denotational semantics is a more abstract representation (more suitable for some reasoning on the system) = the denotational semantics must be proven faithful (in some sense) to the operational model to be of any use Course 4 Denotational semantics Antoine Miné p. 32 / 58

33 Link between operational and denotational semantics Transition systems for our non-deterministic language Labelled syntax l stat l ::= l skip l l X expr l l if expr then l stat else l stat l l while l expr do l stat l l stat; l stat l l L: control labels statements are decorated with unique control labels l L program configurations in Σ = L E (lower-level than E: we must track program locations) transition relation τ Σ Σ models atomic execution steps Course 4 Denotational semantics Antoine Miné p. 33 / 58

34 Link between operational and denotational semantics Transition systems for our language τ is ined by induction on the syntax of statements (σ, σ ) τ is denoted as σ σ τ[ l1 skip l2 ] = { (l1, ρ) (l2, ρ) ρ E } τ[ l1 X e l2 ] = { (l1, ρ) (l2, ρ[x v]) ρ E, v E e ρ } τ[ l1 if e then l2 s 1 else l3 s 2 l4 ] = { (l1, ρ) (l2, ρ) ρ E, true E e ρ } { (l1, ρ) (l3, ρ) ρ E, false E e ρ } τ[ l2 s 1 l4 ] τ[ l3 s 2 l4 ] τ[ l1 while l2 e do l3 s l4 ] = { (l1, ρ) (l2, ρ) ρ E } { (l2, ρ) (l3, ρ) ρ E, true E e ρ } { (l2, ρ) (l4, ρ) ρ E, false E e ρ } τ[ l3 s l2 ] τ[ l1 s 1 ; l2 s 2 l3 ] = τ[ l1 s 1 l2 ] τ[ l2 s 2 l3 ] Defines the small-step semantics of a statement (the semantics of expressions is still in denotational form) Course 4 Denotational semantics Antoine Miné p. 34 / 58

35 Link between operational and denotational semantics Special states Given a labelled statement le s lx we ine: and its transition system, initial states: I note that σ σ = { (l e, ρ) ρ E } = σ / I blocking states: B = { σ Σ σ : Σ, σ σ } correct termination: OK = { (l x, ρ) ρ E } note that OK B error: ERR = B { (l, ρ) l l x, ρ E } B = ERR OK ERR OK = Course 4 Denotational semantics Antoine Miné p. 35 / 58

36 Link between operational and denotational semantics Reminder: maximal trace semantics Trace: in Σ starting in an initial state I following transitions can only end in a blocking state B (finite or infinite sequence of states) (traces are maximal) i.e.: t s = t s t s ω where finite traces: t s = { (σ 0,..., σ n ) n 0, σ 0 I, σ n B, i < n: σ i σ i+1 } infinite traces: t s ω = { (σ 0,...) σ 0 I, i N: σ i σ i+1 } Course 4 Denotational semantics Antoine Miné p. 36 / 58

37 Link between operational and denotational semantics From traces to big-step semantics Big-step semantics: abstraction of traces only remembers the input-output relations many variants exist: angelic semantics, in P(Σ Σ): A s = { (σ, σ ) (σ 0,..., σ n ) t s : σ = σ 0, σ = σ n } (only give information on the terminating behaviors; can only prove partial correctness) natural semantics, in P(Σ Σ ): N s = A s { (σ, ) (σ 0,...) t s ω : σ = σ 0 } (models the terminating and non-terminating behaviors; can prove total correctness) Exercise: compute the semantics of while X > 0 do X X [0, 1] Course 4 Denotational semantics Antoine Miné p. 37 / 58

38 Link between operational and denotational semantics From big-step to denotational semantics The angelic denotational and big-step semantics are isomorphic (isomorphism between relations and strict complete join morphisms) S s = α(a s ) where α(x ) = λr.{ ρ ρ R, ((l e, ρ), (l x, ρ )) X } (image of a relation) α 1 (Y ) = { ((l e, ρ), (l x, ρ )) ρ E, ρ Y ({ρ}) } Proof idea: by induction on the syntax of s = our operational and denotational semantics match Also, the denotational semantics is an abstraction of the natural semantics (it forgets about infinite computations) Thesis All semantics can be compared for equivalence or abstraction this can be made formal in the abstract interpretation theory (see [Cousot02]) Course 4 Denotational semantics Antoine Miné p. 38 / 58

39 Link between operational and denotational semantics Semantic diagram denotational world operational world S s denotational α big step A s natural N s traces t s transition system (small step) τ[s] statement Course 4 Denotational semantics Antoine Miné p. 39 / 58

40 Link between operational and denotational semantics Fixpoint formulation Recall that traces can be expressed as fixpoints: t s = (lfp F ) (I Σ ) ( (I Σ ) restricts to traces starting in I ) where F (X ) = B { (σ, σ 0,..., σ n) σ σ 0 (σ 0,..., σ n) X } t s ω = (gfp F ) (I Σ ) where F (X ) = { (σ, σ 0,...) σ σ 0 (σ 0,...) X } This also holds for the angelic denotational semantics: S s = α(lfp F ) (α converts relations to functions) where F (X ) = (B B) { (σ, σ ) σ : σ σ (σ, σ ) X } and many others: natural, denotational, big-step, denotational,... (again [Cousot02]) Thesis All semantics can be expressed through fixpoints Course 4 Denotational semantics Antoine Miné p. 40 / 58

41 Higher-order programs Higher-order programs Course 4 Denotational semantics Antoine Miné p. 41 / 58

42 Higher-order programs Monomorphic typed higher order language PCF language (introduced by Scott in 1969) type ::= int (integers) bool (booleans) type type (functions) term ::= X (variable X V) c (constant) λx type.term (abstraction) term term (application) Y type term (recursion) Ω type (failure) PCF (programming computable functions) is a λ calculus with: a monomorphic type system explicit type annotations X type, Y type, Ω type an explicit recursion combiner Y constants, including Z, B and a few built-in functions (arithmetic and comparisons in Z, if-then-else, etc.) (unlike ML) (unlike ML) (unlike untyped λ calculus) Course 4 Denotational semantics Antoine Miné p. 42 / 58

43 Higher-order programs Semantic domains What should be the domain of T term? Difficulty: term contains heterogeneous objects: constants, functions, second order functions, etc. Solution: use the type information each term m can be given a type typ(m) use one semantic domain D t per type t then T m : E D typ(m) where E = V ( t type D t ) Domain inition by induction on the syntax of types D int = Z D bool = B D t1 t 2 c = (D t1 D t2 ) Course 4 Denotational semantics Antoine Miné p. 43 / 58

44 Higher-order programs Order on semantic domains Order: all domains are cpos D int = Z, D bool = B use a flat ordering D t1 t 2 c = (D t1 D t2 ) with order f g f = (f, g x: f (x) g(x)) D t1 c D t2 is ordered point-wise each domain has its fresh minimal element (to distinguish Ω int int from λx int.ω int ) we restrict to continuous functions (to be able to take fixpoints) (see [Scott93]) Course 4 Denotational semantics Antoine Miné p. 44 / 58

45 Higher-order programs Denotational semantics Environments: Semantics: E = V ( t type D t ) T m : E D typ(m) T X ρ T c ρ T λx t.m ρ T m 1 m 2 ρ T Y t m ρ T Ω t ρ = ρ(x ) = c = λx.t m (ρ[x x]) = (T m 1 ρ)(t m 2 ρ) = lfp (T m ρ) = t program functions λ are mapped to mathematical functions λ program recursion Y is mapped to fixpoints lfp errors and non-termination are mapped to (typed) we should prove that T m is indeed continuous (by induction) so that lfp exists, and also that T m 1 is indeed a function (by soundness of typing) Course 4 Denotational semantics Antoine Miné p. 45 / 58

46 Higher-order programs Operational semantics Operational semantics: states are terms: Σ = term based on the λ calculus transitions correspond to reductions: (λx t.m 1 ) m 2 m 1 [X m 2 ] Ω t Ω t Y t m m (Y t m) plus c 1 c 2 (c 1 + c 2 ) if true m 1 m 2 m 1 if false m 1 m 2 m 2 m 1 m 1 m 1 m 2 m 1 m 2... (λ reduction) (failure) (iteration) (arithmetic) (if-then-else) (if-then-else) (context rule) big-step semantics m : maximal reductions m = m (PCF is deterministic) m m m : m m Course 4 Denotational semantics Antoine Miné p. 46 / 58

47 Higher-order programs Links between operational and denotational semantics How do we check that operational and denotational semantics match? check that they have the same view of semantically equal programs denotational way: we can use T m 1 = T m 2 we need an operational way to compare functions comparing the syntax is too fine grained, Example: (λx int.0) (λx int.minus 1 1), but they have the same denotation Observational equivalence: contexts c: terms with holes observe terms in all contexts c[m] term obtained by substituting m in hole ground is the set of terms of type int or bool term equivalence : m 1 m 2 ( c: c[m 1 ] = c[m 2 ] when c[m 1 ] ground) (don t look at a function s syntax, force its full evaluation and look at the value result) Course 4 Denotational semantics Antoine Miné p. 47 / 58

48 Higher-order programs Full abstraction Full abstraction: m 1, m 2 : m 1 m 2 T m 1 = T m 2 Unexpected result: for PCF, holds (adequacy), but not! (full abstraction concept introduced by Milner in 1975, proof by Plotkin 1977) Compare with: IMP, NIMP are fully abstract s 1, s 2 stat: S s 1 = S s 2 Intuitive explanation: c: A c[s 1 ] = A c[s 2 ] Domains such as D t1 t 2 contain many functions, most of them do not correspond to any program (this is expected: many functions are not computable). The problem is that, if m 1, m 2 have the form λx t 1 t 2.m, T m 1 = T m 2 imposes T m 1 f = T m 2 f for all f D t1 t 2, including many f that are not computable. It is actually possible to construct m 1, m 2 where T m 1 f T m 2 f only for some non-program functions f, so that m 1 m 2 actually holds Two solutions come to mind: enrich the language to express more functions in D t1 t 2 restrict D t1 t 2 to contain less non-program objects (next slide) Fruitful but complex research topic... Course 4 Denotational semantics Antoine Miné p. 48 / 58

49 Higher-order programs Full abstraction Example: the parallel or function por por(a)(b) = true false if a = true b = true if a = false b = false otherwise por can observe a and b concurrently, and return as soon as one returns true compare with sequential or, where b: or( )(b) = We have the following non-obvious result: por cannot be ined in PCF (por is a parallel construct, PCF is a sequential language) PCF+por is fully abstract (see [Ong95], [Winskel97] for references on the subject) Course 4 Denotational semantics Antoine Miné p. 49 / 58

50 Recursive domain equations Recursive domain equations Course 4 Denotational semantics Antoine Miné p. 50 / 58

51 Recursive domain equations Untyped higher order language λ calculus (with arithmetic) term ::= X (variable X V) c (constants) λx.term (abstraction) term term (application) Ω (failure) we can write truly polymorphic functions: e.g., λx.x (in PCF we would have to choose a type: int int or bool bool or (int int) (int int) or...) no need for a recursion combinator Y (we can ine Y = λf.(λx.f (X X ))(λx.f (X X )), not typable in PCF) operational semantics based on reduction, similarly to PCF denotational semantics also similar to PCF, but... Course 4 Denotational semantics Antoine Miné p. 51 / 58

52 Recursive domain equations Domain equations How to choose the domain of denotations T m? we need a unique domain D for all terms (no type information to help us) λx.x is a function = it should have denotation in (X Y) for some X, Y D λx.x is polymorphic; it accepts any term as argument = D X, Y We have a domain equation to solve: D (Z B (D D)) Problem: no solution in set theory (D D has a strictly larger cardinal than D) Course 4 Denotational semantics Antoine Miné p. 52 / 58

53 Recursive domain equations Inverse limits Given a fixpoint domain equation D = F (D) we construct an infinite sequence of domains: D 0 = { } D i+1 = F (D i ) We require the existence of continuous retractions: γ i : D i D i+1 c α i : D i+1 D i c (embedding) (projection) α i γ i = λx.x (D i a subset of D i+1 ) γ i α i λx.x (D i+1 can be approximated by D i ) α This is denoted: D 0 0 α D 1 1 Inverse limit: γ 0 γ 1 D = { (a 0, a 1,...) i: a i D i a i = α(a i+1 ) } (infinite sequences of elements; able to represent an element of any D i ) Course 4 Denotational semantics Antoine Miné p. 53 / 58

54 Recursive domain equations Inverse limits Inverse limits: Theorem D = { (a 0, a 1,...) i: a i D i a i = α(a i+1 ) } D is a cpo and F (D ) is isomorphic to D Application to λ calculus If we restrict ourself to continuous functions retractions can be computed for F (D) = (Z B (D c D)) (γ i (f ) = λx.f α i (x) = x if x Z B { } and α i (f ) = f ( ) if f D i c D i ) = we found our semantic domain! (pioneered by [Scott-Strachey71], see [Abramsky-Jung94] for a reference) Course 4 Denotational semantics Antoine Miné p. 54 / 58

55 Recursive domain equations Restrictions of function spaces The restriction to continuous functions seems merely technical but there are some valid justifications: all the denotations in IMP, NIMP, PCF were continuous (this appeared naturally, not as an a priori restriction) intuitively, computable functions should at least be monotonic recall that is an information order a function cannot give a more precise result with less information e.g.: if f (a) = for some a, then f ( ) = continuity is also reasonable given a problem on an infinite data set S computers can only process finite parts S i of S continuity ensures that the solution of S is contained in that of all S i e.g.: if 0 1 ω and i < ω: f (i) = 0, then f (ω) should also be 0 Course 4 Denotational semantics Antoine Miné p. 55 / 58

56 Recursive domain equations Domain equations for data-types Solution domains of recursive equations can also give the semantics of a variety of inductive or polymorphic data-types Examples: integer lists: D = ({empty} (Z D)) pairs: D = (Z (D D)) (allows arbitrary nested pairs, and also contains trees and lists) records: D = (Z (N D)) (fields are named by integer position) sum types: D = (Z ({1} D) ({2} D)) (we tag each case of the sum with an integer) Course 4 Denotational semantics Antoine Miné p. 56 / 58

57 Bibliography Recursive domain equations Courses and references on denotational semantics: [Benton96] P. N. Benton. Semantics of programming languages In University of Cambridge, [Winskel97] G. Winskel. Lecture notes on denotational semantics. In University of Cambridge, [Schmidt86] D. Schmidt. Denotational semantics. A methodology for language development. In Allyn and Bacon, [Abramsky-Jung94] S. Abramsky and A. Jung. Domain theory. In Handbook of Logic in Computer Science, Clarendon Press, Oxford, Course 4 Denotational semantics Antoine Miné p. 57 / 58

58 Bibliography Recursive domain equations Research articles and surveys: [Scott-Strachey71] D. Scott and C. Strachey. Toward a mathematical semantics for computer languages. In Oxford Programming Research Group Technical Monograph. PRG [Scott93] D. Scott. A type-theoretical alternative to ISWIM, CUCH, OWHY. In TCS, 121(1 2): , [Cousot02] P. Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. In TCS, 277(1 2):47 103, [Ong95] C.-H. L. Ong. Correspondence between operational and denotational semantics: the full abstraction problem for PCF In Oxford University, Course 4 Denotational semantics Antoine Miné p. 58 / 58

Operational Semantics

Operational Semantics Semantics and applications to verification Xavier Rival École Normale Supérieure Xavier Rival Operational Semantics 1 / 50 Program of this first lecture Operational semantics Mathematical