Meta-reasoning in the concurrent logical framework CLF

Size: px

Start display at page:

Download "Meta-reasoning in the concurrent logical framework CLF"

Dustin Gerald Mills
6 years ago
Views:

1 Meta-reasoning in the concurrent logical framework CLF Jorge Luis Sacchini (joint work with Iliano Cervesato) Carnegie Mellon University Qatar campus Nagoya University, 27 June 2014 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 1 / 48

2 Objectives Concurrency and distribution are essential features in modern systems. PLs are engineered (or retrofitted) to support them. Their formal semantics is not as well understood or studied as in the sequential case. Formal semantics will enable, e.g., development of formal verification, logical frameworks, verifying programs and program transformations. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 2 / 48

3 Logical frameworks Logical frameworks are formalisms used to specify PL and their metatheory. Coq, Agda, Twelf, Beluga, Delphin,... Our goal is to develop logical frameworks for specifying concurrent and distributed PL. Two main approaches. Deep approach: specify a concurrency model in a general purpose LF (Coq, Agda) Shallow approach: provide direct support in a special purpose LF (Twelf, Beluga, Delphin, LLF, HLF, CLF) We follow the shallow approach, using CLF as our LF. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 3 / 48

4 Outline 1 Twelf 2 CLF 3 Substructural operational semantics 4 Safety for SSOS 5 Meta-CLF 6 Conclusions and future work Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 4 / 48

5 Outline 1 Twelf 2 CLF 3 Substructural operational semantics 4 Safety for SSOS 5 Meta-CLF 6 Conclusions and future work Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 5 / 48

6 Twelf Logical framework designed to specify and prove properties about deductive systems (e.g. logics, programming languages). Based on the Edinburgh logical framework (LF). Binders are represented using Higher-Order Abstract Syntax (HOAS). Used in large specifications: SML, TALT, Proof-Carrying Code... Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 6 / 48

7 Twelf Example Natural numbers: Addition: z nat z + n = n n nat s(n) nat m + n = p s(m) + n = s(p) In Twelf: nat : type. z : nat. s : nat -> nat. plus : nat -> nat -> nat -> type. plus/z : plus z N N. plus/s : plus (s M) N (s P) <- plus M N P. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 7 / 48

8 Twelf Addition in Twelf: plus : nat -> nat -> nat -> type. plus/z : plus z N N. plus/s : plus (s M) N (s P) <- plus M N P. Backward chaining proof search: plus (s(s z)) (s(s z)) X X? Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 8 / 48

9 Twelf Addition in Twelf: plus : nat -> nat -> nat -> type. plus/z : plus z N N. plus/s : plus (s M) N (s P) <- plus M N P. Backward chaining proof search: plus (s z) (s(s z)) X 1 plus (s(s z)) (s(s z)) X X = s X 1 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 8 / 48

10 Twelf Addition in Twelf: plus : nat -> nat -> nat -> type. plus/z : plus z N N. plus/s : plus (s M) N (s P) <- plus M N P. Backward chaining proof search: plus z (s(s z)) X 2 plus (s z) (s(s z)) X 1 plus (s(s z)) (s(s z)) X X = s X 1 = s (s X 2 ) Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 8 / 48

11 Twelf Addition in Twelf: plus : nat -> nat -> nat -> type. plus/z : plus z N N. plus/s : plus (s M) N (s P) <- plus M N P. Backward chaining proof search: plus z (s(s z)) X 2 plus (s z) (s(s z)) X 1 plus (s(s z)) (s(s z)) X X = s X 1 = s (s X 2 ) = 4 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 8 / 48

12 Meta-theorems in Twelf Example: m, n, p. m + n = p n + m = p In Twelf: plus/comm: plus M N P -> plus N M P -> type. (Proof proceeds by induction on M). Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 9 / 48

13 Specifying PLs in Twelf Simply-typed λ-calculus: e ::= x λx.e e 1 e 2 τ ::= ρ τ τ (Expressions) (Types) In Twelf: exp : type. lam : (exp -> exp) -> exp. app : exp -> exp -> exp. tp : type. arr : tp -> tp -> tp. HOAS: variables in Twelf represent variables in the object language. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 10 / 48

14 Specifying PLs in Twelf Typing judgment: Γ e : τ x : τ Γ Γ x : τ Γ, x : τ e : τ Γ e 1 : τ τ Γ e 2 : τ Γ λx.r : τ τ Γ e 1 e 2 : τ In Twelf: of : exp -> tp -> type. of/lam : of (lam \x. E x) (arr T T ) <- ({x} of x T -> of (E x) T ). of/app : of (app E1 E2) T <- of E1 (arr T T) <- of E2 T. HOAS: Twelf context represents the object language context. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 11 / 48

15 Meta-theorems in Twelf Type preservation: Γ, e 1, e 2, τ. Γ e 1 : τ e 1 e 2 Γ e 2 : τ In Twelf: type-pres: of E1 T -> red E1 E2 -> of E2 T -> type. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 12 / 48

16 Extensions of Twelf Many PL features are difficult to represent in Twelf: State Concurrency Parallelism Distribution Several extensions have been proposed: Linear LF (state, linear logic) Hybrid LF (hybrid logic, reasoning about LLF) Concurrent LF (concurrency, distribution)... Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 13 / 48

17 Outline 1 Twelf 2 CLF 3 Substructural operational semantics 4 Safety for SSOS 5 Meta-CLF 6 Conclusions and future work Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 14 / 48

18 CLF CLF is an extension of the Edinburgh logical framework (LF) designed to specify distributed and concurrent systems. Large number of examples: semantics of PL, Petri nets, voting protocols, etc. CLF extends LF with linear types and a monad to encapsulate concurrent effects: K ::= type Π!x : A.K (Kinds) A ::= P Πx : A.A A B A B {S} (Async types) S ::= 1!A A S S x : A.S (Sync types) as well as proof terms for these types (more on that later) Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 15 / 48

19 CLF CLF combines: Asynchronous types (Π,, &) Linear Logical Framework Backward chaining operational semantics Synchronous types (, ) Encapsulated in a monad ({S}) Forward chaining operational semantics Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 16 / 48

20 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (N + 1)} Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

21 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N plus N 1 M {count M} Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

22 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (N + 1)} Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

23 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (N + 1)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

24 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (N + 1)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

25 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (N + 1)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 0 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

26 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (N + 1)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 0 t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 1 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

27 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (N + 1)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 0 t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 1 t 5 : tick, c 1 : count 3, c 2 : count 1 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

28 CLF Synchronous fragment Monadic types are used to encapsulate concurrent effects: A B {C} (Multiset) Rewriting interpretation of linear logic. Example: in : tick count N {count (N + 1)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 1, c 2 : count 0 t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 0 t 4 : tick, t 5 : tick, c 1 : count 2, c 2 : count 1 t 5 : tick, c 1 : count 3, c 2 : count 1 c 1 : count 3, c 2 : count 2 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 17 / 48

29 Proof terms Monadic types are introduced by traces A trace is basically a sequence of rule applications: ε ::= { } c S ε 1 ; ε 2 Trace composition (;) is associative and is a neutral element Forward chaining with committed choice after every step. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 18 / 48

30 Traces Example: in : tick count N {count (N + 1)} t 1 : tick, t 2 : tick, t 3 : tick, t 4 : tick, t 5 : tick, c 1 : count 0, c 2 : count 0 {c 11 } in t 1, c 1 {c 12 } in t 2, c 11 {c 21 } in t 3, c 2 {c 13 } in t 4, c 12 {c 22 } in t 5, c 21 : c 13 : count 3, c 22 : count 2 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 19 / 48

31 Traces Equality on traces: α-equivalence modulo permutation of independent subtraces. Allows encoding of concurrent and distributed features. Two traces are independent (ε 1 ε 2 ) if they operate on different sets of variables. Trace interface: ( ) = ({ } c S) = FV(S) (ε 1 ; ε 2 ) = ε 1 ( ε 2 \ ε 1 ) ( ) = ({ } c S) = dom( ) (ε 1 ; ε 2 ) = ε 2 (ε 1 \ ε 2 )!(ε 1 ) ε 1 ε 2 ε 1 ε 2 = ε 1 ε 2 =. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 20 / 48

32 Traces Trace equality: ε; ε ε ε; ε 1 ; (ε 2 ; ε 3 ) (ε 1 ; ε 2 ); ε 3 Example: ε 1 ε 2 ε 1 ε 1 ε 2 ε 2 ε 1 ; ε 2 ε 2 ; ε 1 ε 1 ; ε 2 ε 1; ε 2 ε 1 ; ε 2 ε 1 ; ε 2 {c 11 } in t 1, c 1 {c 12 } in t 2, c 11 {c 21 } in t 3, c 2 {c 13 } in t 4, c 12 {c 22 } in t 5, c 21 {c 11 } in t 1, c 1 {c 21 } in t 3, c 2 {c 12 } in t 2, c 11 {c 13 } in t 4, c 12 {c 22 } in t 5, c 21 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 21 / 48

33 Outline 1 Twelf 2 CLF 3 Substructural operational semantics 4 Safety for SSOS 5 Meta-CLF 6 Conclusions and future work Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 22 / 48

34 Substructural operational semantics Substructural operational semantics combines Structural operational semantics Substructural logics Extensible: we can add features without breaking previous developments Expressive: wide variety of concurrent and distributed mechanisms (Simmons12). Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 23 / 48

35 Higher-order abstract syntax Simply-typed λ-calculus In (C)LF: exp : type. lam : (exp exp) exp. app : exp exp exp. e ::= x λx.e e e Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 24 / 48

36 SSOS Linear-destination passing style (Pfenning04) Based on multiset rewriting; suitable for specifying in linear logic Multiset of facts: eval e d ret e d fapp d 1 d 2 d Evaluate expression e in destination d Value e in destination d Application: expects the function and argument to be evaluated in d 1 and d 2, and the result is evaluated in d Evaluation rules transform multisets of facts Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 25 / 48

37 SSOS Multiset of facts: eval e d, ret e d, fapp d 1 d 2 d In CLF: dest : type. eval : exp dest type. ret : exp dest type. fapp : dest dest dest type. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 26 / 48

38 Evaluation rules Multiset rewriting rules (parallel semantics): eval e d ret e d if e is a value In CLF: step/eval : eval e d value e {ret e d}. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 27 / 48

39 Evaluation rules Multiset rewriting rules (parallel semantics): eval (e 1 e 2 ) d eval e 1 d 1, eval e 2 d 2, fapp d 1 d 2 d In CLF: where d 1, d 2 fresh step/app : eval (app e 1 e 2 ) d {!d 1!d 2 : dest, eval e 1 d 1, eval e 2 d 2, fapp d 1 d 2 d}. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 27 / 48

40 Evaluation rules Multiset rewriting rules (parallel semantics): ret (λx.e 1 ) d 1, ret e 2 d 2, fapp d 1 d 2 d eval (e 1 [e 2 /x]) d In CLF: step/beta : ret (lam e 1 ) d 1 ret e 2 d 2 fapp d 1 d 2 d {eval (e 1 e 2 ) d} Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 27 / 48

41 Example eval ((λx.x)(λy.y)) d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d : (!d : dest)(x 0 : eval (app (lam λx.x) (lam λy.y)) d) Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 28 / 48

42 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; :!d!d 1!d 2 : dest, x : eval (lam λx.x) d 1, y : eval (lam λy.y) d 2, z : fapp d 1 d 2 d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 28 / 48

43 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {x } step/eval x; :!d!d 1!d 2 : dest, x : ret (lam λx.x) d 1, y : eval (lam λy.y) d 2 z : fapp d 1 d 2 d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 28 / 48

44 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, ret (λy.y) d 2, fapp d 1 d 2 d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {x } step/eval x; {y } step/eval y; :!d!d 1!d 2 : dest, x : ret (lam λx.x) d 1, y : ret (lam λy.y) d 2 z : fapp d 1 d 2 d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 28 / 48

45 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, ret (λy.y) d 2, fapp d 1 d 2 d eval (λy.y) d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {x } step/eval x; {y } step/eval y; {w} step/beta x y z; :!d!d 1!d 2 : dest, w : eval (lam λy.y) d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 28 / 48

46 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, ret (λy.y) d 2, fapp d 1 d 2 d eval (λy.y) d ret (λy.y) d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {x } step/eval x; {y } step/eval y; {w} step/beta x y z; {w } step/eval w; :!d!d 1!d 2 : dest, w : ret (lam λy.y) d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 28 / 48

47 Example eval ((λx.x)(λy.y)) d eval (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, eval (λy.y) d 2, fapp d 1 d 2 d ret (λx.x) d 1, ret (λy.y) d 2, fapp d 1 d 2 d eval (λy.y) d ret (λy.y) d In CLF:!d : dest, x 0 : eval (app (lam λx.x) (lam λy.y)) d {!d 1,!d 2, x, y, z} step/app x 0 ; {y } step/eval y; {x } step/eval x; {w} step/beta x y z; {w } step/eval w; :!d!d 1!d 2 : dest, w : ret (lam λy.y) d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 28 / 48

48 π-calculus in CLF Example Process expressions: In CLF: exp : type. chan : type. P, Q ::= 0 (P Q) ν u.p!p u(v).p u v zero : exp. par : exp -> exp -> exp. new : (chan -> exp) -> exp.! : exp -> exp. inp : chan -> (chan -> exp) -> exp. outp : chan -> chan -> exp. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 29 / 48

49 π-calculus in CLF Example Operational semantics: In CLF: proc : exp -> type. msg : chan -> chan -> type. u(v) u w.p [v/w]p proc/zero : proc zero -o {1}. proc/par : proc (par P Q) -o {proc P proc Q}. proc/outp : proc (out U V) -o { msg U V }. proc/inp : proc U (inp \v. P v) -o msg U W -o { proc (P W) }. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 30 / 48

50 SSOS Many PL features can be represented using SSOS: State Threads Futures Concurrency (e.g. π-calculus) Distribution How to reason about CLF specifications? Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 31 / 48

51 Outline 1 Twelf 2 CLF 3 Substructural operational semantics 4 Safety for SSOS 5 Meta-CLF 6 Conclusions and future work Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 32 / 48

52 Safety Recall that the previous semantics is parallel (more complex languages can have concurrent and distributed semantics as well). Safety is the conjunction of the following properties: Preservation: evaluation preserves well-typed multisets. If is a well-typed multiset, and (step), then is a well-typed multiset. Progress: a well-typed multiset is either final (result) or is possible to take a step. If is a well-typed multiset, then either = {ret e d} or there exists such that. We need a notion of well-typed multiset for SSOS specifications. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 33 / 48

53 Well-typed multisets Example: eval e 1 d, eval e 2 d $ (repeated destination) fapp d 1 d 2 d, eval e 1 d 1 $ (no fact for d 2 ) Well-typed multisets form a tree: fapp d 1 d 2 d eval plus d 1 fapp d 21 d 22 d 2 ret 0 d 21 eval 2 d 22 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 34 / 48

54 Well-typed multisets Well-typed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d gen d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 35 / 48

55 Well-typed multisets Well-typed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d fapp d 1 d 2 d gen d 1 gen d 2 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 35 / 48

56 Well-typed multisets Well-typed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d fapp d 1 d 2 d eval plus d 1 gen d 2 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 35 / 48

57 Well-typed multisets Well-typed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d fapp d 1 d 2 d eval plus d 1 fapp d 21 d 22 d 2 gen d 21 gen d 22 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 35 / 48

58 Well-typed multisets Well-typed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d fapp d 1 d 2 d eval plus d 1 fapp d 21 d 22 d 2 ret 0 d 21 gen d 22 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 35 / 48

59 Well-typed multisets Well-typed multisets can be described by rewriting rules. gen t d means generate a term of type t rooted at d fapp d 1 d 2 d eval plus d 1 fapp d 21 d 22 d 2 ret 0 d 21 eval 2 d 22 Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 35 / 48

60 Well-typed multisets Generating well-typed states: gen t d A where A contains no fact of the form gen t 0 d 0. In CLF: gen : tp dest type. gen/eval : gen t d of e t {eval e d}. gen/ret : gen t d of e t {ret e d}. gen/fapp : gen t d {!d 1!d 2 : dest, fapp d 1 d 2 d, gen (arr t 1 t) d 1, gen t 1 d 2 }. We call these type of rules generative invariants (Simmons 12). Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 36 / 48

61 Safety Lemma (Safety) Preservation If {gen t d} gen A and A step A then {gen t d} gen A. Progress if {gen t d} gen A, then either A Is of the form {ret e d} or there exists A such that A step A. Proof. Preservation The proof proceeds by case analysis on the evaluation step. Progress The proof proceeds by induction on the generating trace. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 37 / 48

62 Limitations of CLF In CLF it is not possible to express preservation and progress. CLF lacks support for first-order traces, and quantification over contexts. We propose an extension of LF with trace types: Meta-CLF. Similar approaches are taken in Beluga, Delphin, Abella (in the sense of using a two-level approach). Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 38 / 48

63 Outline 1 Twelf 2 CLF 3 Substructural operational semantics 4 Safety for SSOS 5 Meta-CLF 6 Conclusions and future work Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 39 / 48

64 Meta-CLF Meta-CLF is an extension of LF with trace types and quantification over contexts and names: A ::=... { } Σ { } { } Σ 1 { } Πψ : ctx.a x.a { } Σ { } is the type of all traces ε satisfying ε : that use only rules in the signature Σ. { } Σ 1 { } is the type of all 1-step traces ε satisfying ε : that use only rules in the signature Σ. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 40 / 48

65 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 41 / 48

66 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 41 / 48

67 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 41 / 48

68 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 41 / 48

69 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 41 / 48

70 Meta-CLF In Meta-CLF we can express properties about traces: preservation : Πt : tp. d. g. Πψ 1 : ctx. Πψ 2 : ctx. {!d : dest, g : gen d t} Σ gen {ψ 1 } {ψ 1 } Σ 1 step {ψ 2 } {!d : dest, g : gen d t} Σ gen {ψ 2 } type. If ψ 1 is a well-typed state (generated from a single gen d) and there is a step from ψ 1 to ψ 2, then ψ 2 is a well-typed state Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 41 / 48

71 Meta-CLF The safety proof in Meta-CLF follows closely the paper proof. A, eval e d step A, ret e d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 42 / 48

72 Meta-CLF The safety proof in Meta-CLF follows closely the paper proof. gen t 0 d 0 A, eval e d step A, ret e d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 42 / 48

73 Meta-CLF The safety proof in Meta-CLF follows closely the paper proof. gen t 0 d 0 gen A, gen t d gen A, eval e d step A, ret e d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 42 / 48

74 Meta-CLF The safety proof in Meta-CLF follows closely the paper proof. gen t 0 d 0 gen t 0 d 0 gen A, gen t d gen A, eval e d step A, ret e d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 42 / 48

75 Meta-CLF The safety proof in Meta-CLF follows closely the paper proof. gen t 0 d 0 gen t 0 d 0 gen gen A, gen t d A.gen t d gen gen A, eval e d step A, ret e d Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 42 / 48

76 Meta-CLF The safety proof in Meta-CLF follows closely the paper proof. gen t 0 d 0 gen t 0 d 0 gen gen A, gen t d A.gen t d gen gen A, eval e d step A, ret e d In Meta-CLF: pres/ret : preservation (X 1 ; { x} gen/eval e d 0 g 0 H) ({ y} step/eval e d 0 x H v ) (X 1 ; { y} gen/ret e d 0 g 0 H H v ) Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 42 / 48

77 Meta-CLF Both proofs of preservation and progress in Meta-CLF follow the pen-and-paper proofs. Preservation is performed by case analysis (no induction). Progress relies on induction, but termination is easy (size of the trace). However, we rely on coverage to ensure the proof is total. Coverage checking in the presence of traces is tricky, due to the possibility of permuting steps. (Left for future work.) Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 43 / 48

78 SSOS We can extend this semantics with other features without invalidating the previous rules Example: store, futures, call/cc, communication,... location : type. loc : location exp. get : exp exp. ref : exp exp. set : exp exp exp. cell : location exp type. step/ref : eval (ref e) d {!d 1 : dest,!l : loc, fref d 1 l, eval e d 1, ret (loc l) d}. step/fref : ret e d fref d l {cell l e}. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 44 / 48

79 SSOS We can extend this semantics with other features without invalidating the previous rules Example: store, futures, call/cc, communication,... future : exp exp. promise : dest exp. deliver : exp dest type. step/fut : eval (future e) d {!d 1 : dest, eval e d 1, fdel d 1, ret (promise d 1 ) d}. step/fdel : ret e d fdel d 1 {!deliver e d}. step/promise : ret (promise d 1 ) d delivee e d 1 ret e d. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 44 / 48

80 Outline 1 Twelf 2 CLF 3 Substructural operational semantics 4 Safety for SSOS 5 Meta-CLF 6 Conclusions and future work Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 45 / 48

81 Conclusions Our goal is to develop logical frameworks suitable for specifying concurrent and distributed systems. We introduced Meta-CLF, an extension of LF to reason about CLF specifications. We showed that it is expressive enough to write safety proofs of parallel/concurrent PL. Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 46 / 48

82 Future work Decidability of type checking Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 47 / 48

83 Future work Decidability of type checking Type reconstruction for implicit arguments (very important for usability) pres/ret : preservation (X 1 ; { x} gen/eval e d 0 g 0 H) ({ y} step/eval e d 0 x H v ) (X 1 ; { y} gen/ret e d 0 g 0 H H v ) Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 47 / 48

84 Future work Decidability of type checking Type reconstruction for implicit arguments (very important for usability) pres/ret : x. y. d. g. d 0. g 0.Πψ 1 : ctx.πe : exp. Πt : tp.πt 0 : tp.πh : of e t 0.ΠH v : value e ΠX : {!d : dest, g : gen d t} Σ gen {ψ 1,!d 0 : dest, g 0 : gen d 0 t 0 }. preservation t d g (ψ 1,!d 0 : dest, x : eval e d 0 ) (ψ 1,!d 0 : dest, y : ret e d 0 ) (X 1 ; { x} gen/eval e d 0 g 0 H) ({ y} step/eval e d 0 x H v ) (X 1 ; { y} gen/ret e d 0 g 0 H H v ) Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 47 / 48

85 Future work Decidability of type checking Type reconstruction for implicit arguments (very important for usability) pres/ret : x. y. d. g. d 0. g 0.Πψ 1 : ctx.πe : exp. Πt : tp.πt 0 : tp.πh : of e t 0.ΠH v : value e ΠX : {!d : dest, g : gen d t} Σ gen {ψ 1,!d 0 : dest, g 0 : gen d 0 t 0 }. preservation t d g (ψ 1,!d 0 : dest, x : eval e d 0 ) (ψ 1,!d 0 : dest, y : ret e d 0 ) (X 1 ; { x} gen/eval e d 0 g 0 H) ({ y} step/eval e d 0 x H v ) (X 1 ; { y} gen/ret e d 0 g 0 H H v ) Implementation Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 47 / 48

86 Future work Coverage checking Coverage checking for traces is difficult due to the equality relation. Easier when restricted to generative invariants GI look like a generalization of context-free grammars gen/eval : gen t d of e t {eval e d}. gen/ret : gen t d of e t {ret e d}. gen/fapp : gen t d {!d 1!d 2 : dest, fapp d 1 d 2 d, gen (arr t 1 t) d 1, gen t 1 d 2 }. Non-terminal: gen. Terminals: eval, ret, fapp. Example: X 1 ; ({y} gen/eval x); X 2 X 1 ; X 2 ; ({y} gen/eval x) Termination (trace size) Jorge Luis Sacchini (joint work with Iliano Cervesato) Meta-reasoning in CLF 48 / 48

Meta-Reasoning in a Concurrent Logical Framework

Meta-Reasoning in a Concurrent Logical Framework Iliano Cervesato and Jorge Luis Sacchini Carnegie Mellon University Chalmers University, 16 Oct 2013 Iliano Cervesato and Jorge Luis Sacchini Meta-Reasoning