State-Dependent Representation Independence (Technical Appendix)

Size: px

Start display at page:

Download "State-Dependent Representation Independence (Technical Appendix)"

Pierce Andrews
5 years ago
Views:

1 State-Dependent Representation Independence (Technical Appendix) Amal Ahmed Derek Dreyer Andreas Rossberg TTI-C MPI-SWS MPI-SWS Contents August 4, The Language F µ! Syntax, Dynamic Semantics and Static Semantics Contexts and Contextual Equivalence Step-Indexed Logical Relation for F µ! 9 3 Logical Relation Proofs Basic Properties Properties of Step-Indexed Construction Approximation Yields Valid Semantic Objects World Extension and Store Satisfaction Properties Validity of Type Interpretations Substitution Property Fundamental Property Soundness w.r.t. Contextual Equivalence A Small Catalogue of Examples Redundant State Higher-Order Function Private Location Fixpoint Callback with Lock Cell Object Cell Class Name Generator Dynamic Data Structures Name Generator with References Twin Abstraction Abstract References Symbol Example Proofs Name Generator Name Generator with References Higher-Order Function Callback with Lock

2 1 The Language F µ! 1.1 Syntax, Dynamic Semantics and Static Semantics Types τ ::= α unit int bool τ 1 τ 2 τ 1 + τ 2 τ 1 τ 2 α. τ α. τ µα. τ ref τ Prim Ops o ::= + = <... Expressions e ::= x () l n o(e 1,..., e n) true false if e then e 1 else e 2 e 1, e 2 fst e snd e inl e inr e case e of inl x 1 e 1 inr x 2 e 2 λx : τ. e e 1 e 2 Λα. e e [τ] pack τ 1, e as α. τ unpack e 1 as α, x in e 2 fold e unfold e ref e!e e 1 := e 2 e 1 == e 2 Values v ::= () l n true false v 1, v 2 inl v inr v λx : τ. e Λα. e pack τ 1, v as α. τ fold v Eval. Contexts E ::= [ ] o(v 1,..., v i 1, E, e i+1,..., e n) if E then e 1 else e 2 E, e 2 v 1, E fst E snd E inl E inr E case E of inl x 1 e 1 inr x 2 e 2 E e v E E [τ] pack τ 1, E as α. τ unpack E as α, x in e 2 fold E ref E!E E := e v := E E == e v == E Figure 1: F µ! Syntax 2

3 s, e s, v s, if true then e 1 else e 2 s, e 1 s, if false then e 1 else e 2 s, e 2 s, fst v 1, v 2 s, v 1 s, snd v 1, v 2 s, v 2 s, case (inl v) of inl x 1 e 1 inr x 2 e 2 s, [v/x 1]e 1 s, case (inr v) of inl x 1 e 1 inr x 2 e 2 s, [v/x 2]e 2 s, (λx : τ. e) v s, [v/x]e s, (Λα. e) [τ] s, [τ/α]e s, unpack (pack τ, v as α. τ 1) as α, x in e s, [τ/α][v/x]e s, unfold (fold v) s, v s, l == l s, true s, l == l s, false where l l l / dom(s) s, ref v s[l v], l s(l) = v s,!l s, v s, e s, e s, E[e] s, E[e ] l dom(s) s, l:= v s[l v], () Figure 2: F µ! Dynamic Semantics Notation The notation s, e s, e denotes a single operational step. We write s, e j s, e to denote there there exists a chain of j steps of the form s, e s 1, e 1... s j, e j where s j = s and e j = e. We also use the following abbreviations (where val(e) denotes that e is a value). s, e s, e = k 0. s, e k s, e s, e s, e = s, e s, e val(e ) s, e = s, e. s, e s, e 3

4 Type Context ::=, α Value Context Γ ::= Γ, x : τ Store Typing Σ ::= Σ, l : τ where FTV (τ) = τ α α unit int bool τ 1 τ 2 τ 1 τ 2 τ 1 τ 2 τ 1 + τ 2 τ 1 τ 2, α τ, α τ, α τ τ τ 1 τ 2 α. τ α. τ µα. τ ref τ Γ Γ τ Γ, x : τ Figure 3: F µ! Static Semantics I 4

5 ; Γ; Σ e : τ Γ(x) = τ ; Γ; Σ x : τ ; Γ; Σ () : unit ; Γ; Σ true : bool ; Γ; Σ false : bool Σ(l) = τ ; Γ; Σ l : ref τ ; Γ; Σ n : int ; Γ; Σ e : bool ; Γ; Σ e 1 : τ ; Γ; Σ e 2 : τ ; Γ; Σ if e then e 1 else e 2 : τ ; Γ; Σ e 1 : τ 1 ; Γ; Σ e 2 : τ 2 ; Γ; Σ e 1, e 2 : τ 1 τ 2 ; Γ; Σ e : τ 1 τ 2 ; Γ; Σ fst e : τ 1 ; Γ; Σ e : τ 1 τ 2 ; Γ; Σ snd e : τ 2 ; Γ; Σ e : τ 1 ; Γ; Σ inl e : τ 1 + τ 2 ; Γ; Σ e : τ 2 ; Γ; Σ inr e : τ 1 + τ 2 ; Γ; Σ e : τ 1 + τ 2 ; Γ, x 1 : τ 1; Σ e 1 : τ ; Γ, x 2 : τ 2; Σ e 2 : τ ; Γ; Σ case e of inl x 1 e 1 inr x 2 e 2 : τ ; Γ, x : τ 1; Σ e : τ 2 ; Γ; Σ e 1 : τ 2 τ ; Γ; Σ e 2 : τ 2 ; Γ; Σ λx : τ 1. e : τ 1 τ 2 ; Γ; Σ e 1 e 2 : τ, α; Γ; Σ e : τ ; Γ; Σ Λα. e : α. τ τ 1 ; Γ; Σ e : [τ 1/α]τ ; Γ; Σ pack τ 1, e as α. τ : α. τ ; Γ; Σ e : [µα. τ/α]τ ; Γ; Σ fold e : µα. τ ; Γ; Σ e : α. τ τ 1 ; Γ; Σ e [τ 1] : [τ 1/α]τ ; Γ; Σ e 1 : α. τ 1 τ, α; Γ, x : τ 1; Σ e 2 : τ ; Γ; Σ unpack e 1 as α, x in e 2 : τ ; Γ; Σ e : µα. τ ; Γ; Σ unfold e : [µα. τ/α]τ ; Γ; Σ e : τ ; Γ; Σ ref e : ref τ ; Γ; Σ e : ref τ ; Γ; Σ!e : τ ; Γ; Σ e 1 : ref τ ; Γ; Σ e 2 : τ ; Γ; Σ e 1 := e 2 : unit ; Γ; Σ e 1 : ref τ ; Γ; Σ e 2 : ref τ ; Γ; Σ e 1 == e 2 : bool s : Σ l dom(σ). ; ; Σ s(l) : Σ(l) s : Σ Figure 4: F µ! Static Semantics II 5

6 1.2 Contexts and Contextual Equivalence Contexts C ::= [ ] o(e 1,..., e i 1, C, e i+1,..., e n) if C then e 1 else e 2 if e then C else e 2 if e then e 1 else C C, e 2 e 1, C fst C snd C inl C inr C case C of inl x 1 e 1 inr x 2 e 2 case e of inl x 1 C inr x 2 e 2 case e of inl x 1 e 1 inr x 2 C λx : τ. C C e e C Λα. C C [τ] pack τ 1, C as α. τ unpack C as α, x in e 2 unpack e 1 as α, x in C fold C unfold C ref C!C C := e e := C C == e e == C Figure 5: F µ! Syntax - Contexts 6

7 C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) Γ Γ Σ Σ [ ] : ( ; Γ; Σ τ) ( ; Γ ; Σ τ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ bool) ; Γ ; Σ e 1 : τ ; Γ ; Σ e 2 : τ if C then e 1 else e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) ; Γ ; Σ e : bool C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) ; Γ ; Σ e 2 : τ if e then C else e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) ; Γ ; Σ e : bool ; Γ ; Σ e 1 : τ C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) if e then e 1 else C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1) ; Γ ; Σ e 2 : τ 2 C, e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1 τ 2) ; Γ ; Σ e 1 : τ 1 C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 2) e 1, C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1 τ 2) C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1 τ 2) fst C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1) C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1) inl C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1 + τ 2) C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1 τ 2) snd C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 2) C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 2) inr C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1 + τ 2) C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1 + τ 2) ; Γ, x 1 : τ 1; Σ e 1 : τ ; Γ, x 2 : τ 2; Σ e 2 : τ case C of inl x 1 e 1 inr x 2 e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) ; Γ ; Σ e : τ 1 + τ 2 C : ( ; Γ; Σ τ) ( ; Γ, x 1 : τ 1; Σ τ ) ; Γ, x 2 : τ 2; Σ e 2 : τ case e of inl x 1 C inr x 2 e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) ; Γ ; Σ e : τ 1 + τ 2 ; Γ, x 1 : τ 1; Σ e 1 : τ C : ( ; Γ; Σ τ) ( ; Γ, x 2 : τ 2; Σ τ ) case e of inl x 1 e 1 inr x 2 C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) C : ( ; Γ; Σ τ) ( ; Γ, x : τ 1; Σ τ 2) λx : τ 1. C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 1 τ 2) C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 2 τ ) ; Γ ; Σ e 2 : τ 2 C e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) ; Γ ; Σ e 1 : τ 2 τ C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ 2) e 1 C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) Figure 6: F µ! Static Semantics - Contexts I 7

8 C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) (contd.) C : ( ; Γ; Σ τ) (, α; Γ ; Σ τ ) Λα. C : ( ; Γ; Σ τ) ( ; Γ ; Σ α. τ ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ α. τ ) τ 1 C [τ 1] : ( ; Γ; Σ τ) ( ; Γ ; Σ [τ 1/α]τ ) τ 1 C : ( ; Γ; Σ τ) ( ; Γ ; Σ [τ 1/α]τ ) pack τ 1, C as α. τ : ( ; Γ; Σ τ) ( ; Γ ; Σ α. τ ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ α. τ 1) τ, α; Γ, x : τ 1; Σ e 2 : τ unpack C as α, x in e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) ; Γ ; Σ e 1 : α. τ 1 τ C : ( ; Γ; Σ τ) (, α; Γ, x : τ 1; Σ τ ) unpack e 1 as α, x in C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ [µα. τ /α]τ ) fold C : ( ; Γ; Σ τ) ( ; Γ ; Σ µα. τ ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) ref C : ( ; Γ; Σ τ) ( ; Γ ; Σ ref τ ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ µα. τ ) unfold C : ( ; Γ; Σ τ) ( ; Γ ; Σ [µα. τ /α]τ ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ ref τ )!C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) C : ( ; Γ; Σ τ) ( ; Γ ; Σ ref τ ) ; Γ ; Σ e 2 : τ C := e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ unit) ; Γ ; Σ e 1 : ref τ C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) e 1 := C : ( ; Γ; Σ τ) ( ; Γ ; Σ unit) C : ( ; Γ; Σ τ) ( ; Γ ; Σ ref τ ) ; Γ ; Σ e 2 : ref τ C == e 2 : ( ; Γ; Σ τ) ( ; Γ ; Σ bool) ; Γ ; Σ e 1 : ref τ C : ( ; Γ; Σ τ) ( ; Γ ; Σ ref τ ) e 1 := C : ( ; Γ; Σ τ) ( ; Γ ; Σ bool) Figure 7: F µ! Static Semantics - Contexts II Definition 1.1. (Contextual Approximation & Equivalence) Let ; Γ; Σ e 1 : τ and ; Γ; Σ e 2 : τ. ; Γ; Σ e 1 ctx e 2 : τ ; Γ; Σ e 1 ctx e 2 : τ = C, Σ, τ, s. C : ( ; Γ; Σ τ) ( ; ; Σ τ ) s : Σ s, C[e 1 ] = s, C[e 2 ] = ; Γ; Σ e 1 ctx e 2 : τ ; Γ; Σ e 2 ctx e 1 : τ 8

9 2 Step-Indexed Logical Relation for F µ! Type Interpretation χ ::= {(k, W, e 1, e 2),... } Store Relation ψ ::= {(k, W, s 1, s 2),... } Population V ::= {v 1,... } Knowledge η ::= (ψ, V, Σ 1, Σ 2) Law L ::= {(j, η),...} Island w ::= (η, L) World W ::= w 1,..., w n Figure 8: Notation Preliminaries We write Σ e : τ as shorthand for ; ; Σ e : τ. If W = w 1,..., w n and 1 j n, we write W [j] as shorthand for w j. If w = (η i, L i ) where η i = (ψ i, V i, Σ i1, Σ i2 ), we use the following shorthand to extract various elements out of the island w: w.η η i w.v V i w.l L i w.σ 1 Σ i1 w.ψ ψ i w.σ 2 Σ i2 If W is a world with n islands, we also use the following shorthand: Σ 1(W ) Σ 2(W ) = S 1 j n W [j].σ1 = S 1 j n W [j].σ2 We write Val for the set of all values, Store for the set of all stores (finite maps from locations to values), and StoreTy for the set of store typings (finite maps from locations to closed types). We write Population for the set of all subsets of Val (i.e., Population = P(Val)). We write CTerm for the set of all closed terms, (i.e., terms that may contain locations, but no free type or term variables. We use the metavariable χ to denote sets of the form (k, W, e 1, e 2 ) where k is a natural number (the step index), W is a world, and e 1 and e 2 are closed terms. Given a set χ of this form, we write χ val to denote the subset of χ such that e 1 and e 2 are values. We write S 1 # S 2 to denote that the sets S 1 and S 2 are disjoint. 9

10 CandAtom k CandType k CandStoreAtom k CandStoreRel k CandKnowledge k CandLawAtom k CandLaw k CandIsland k CandWorld k = {(j, W, e 1, e 2) N S j<k CandWorld j CTerm CTerm j < k W CandWorld j} = P(CandAtom val k ) = {(j, W, s 1, s 2) N S j<k CandWorld j Store Store j < k W CandWorld j} = P(CandStoreAtom k ) = CandStoreRel k Population StoreTy StoreTy = {(j, η) N S j k CandKnowledge j j k η CandKnowledge j } = P(CandLawAtom k ) = CandKnowledge k CandLaw k = {W CandIsland n k n 0} CandAtom ω CandType ω CandStoreAtom ω CandStoreRel ω CandKnowledge ω CandLawAtom ω CandLaw ω CandIsland ω CandWorld ω = S k 0 CandAtom k = P(CandAtom val ω ) S k 0 CandType k = S k 0 CandStoreAtom k = P(CandStoreAtom ω) S k 0 CandStoreRel k = CandStoreRel ω Population StoreTy StoreTy S k 0 CandKnowledge k = S k 0 CandLawAtom k = P(CandLawAtom ω) S k 0 CandLaw k = CandKnowledge ω CandLaw ω S k 0 CandIsland k = S k 0 CandWorld k χ k ψ k η k L k w k W k = {(j, W, e 1, e 2) j < k (j, W, e 1, e 2) χ} CandType ω CandType k = {(j, W, s 1, s 2) j < k (j, W, s 1, s 2) ψ} CandStoreRel ω CandStoreRel k = ( ψ k, V, Σ 1, Σ 2) where η = (ψ, V, Σ 1, Σ 2) CandKnowledge ω CandKnowledge k = {(j, η) j k (j, η) L} CandLaw ω CandLaw k = ( η k, L k ) where w = (η, L) = w 1 k,..., w n k where W = w 1,..., w n CandWorld ω CandWorld k Figure 9: Auxiliary Definitions: Candidate Sets and k-approximation 10

11 (ψ, V, Σ 1, Σ 2) (ψ, V, Σ 1, Σ 2) (η, L ) (η, L) w 1,..., w n+m w 1,..., w n (j, W ) (k, W ) = V V Σ 1 Σ 1 Σ 2 Σ 2 = η η L = L = m 0 i {1,..., n}. w i w i = j k W W j W W orld j W W orld k Atom[τ 1, τ 2] k = {(j, W, e 1, e 2) CandAtom k W World j Σ 1(W ) e 1 : τ 1 Σ 2(W ) e 2 : τ 2} Type[τ 1, τ 2] k StoreAtom k StoreRel k Knowledge k LawAtom k Law k Island k World k = {χ P(Atom[τ 1, τ 2] val k ) (j, W, v 1, v 2) χ. (i, W ) (j, W ). (i, W, v 1, v 2) χ} = {(j, W, s 1, s 2) CandStoreAtom k W World j} CandStoreAtom k = {ψ P(StoreAtom k ) (j, W, s 1, s 2) ψ. (i, W ) (j, W ). (i, W, s 1, s 2) ψ} CandStoreRel k = {(ψ, V, Σ 1, Σ 2) CandKnowledge k ψ StoreRel k ( s 1, s 2, s 1, s 2. ( l dom(σ 1). s 1(l) = s 1(l) l dom(σ 2). s 2(l) = s 2(l) ) = j, W. (j, W, s 1, s 2) ψ (j, W, s 1, s 2) ψ )} CandKnowledge k = {(j, η) CandLawAtom k η Knowledge j } CandLawAtom k = {L P(LawAtom k ) (j, η) L. i < j. (i, η i) L} CandLaw k = {(η, L) Knowledge k Law k (k, η) L} CandIsland k = {W Island n k n 0 a, b {1,..., n}. a b = dom(w [a].σ 1) # dom(w [b].σ 1) dom(w [a].σ 2) # dom(w [b].σ 2)} CandWorld k Type[τ 1, τ 2] = {χ CandType ω k 0. χ k Type[τ 1, τ 2] k } S k 0 Type[τ1, τ2] k Figure 10: Auxiliary Definitions: World Extension and Well-Formedness Conditions 11

12 s 1, s 2 : k W = s 1 : Σ 1(W ) s 2 : Σ 2(W ) w W. j < k. (j, W j, s 1, s 2) w.ψ (i, W ) (j, W ) = i < j (i, W ) (j, W ) Figure 11: Auxiliary Definitions: Relational Store Satisfaction and Strict World Extension Notation A type substitution ρ is a finite map from type variables α to triples (χ, τ 1, τ 2 ), where τ 1 and τ 2 are closed types and χ T ype[τ 1, τ 2 ]. If ρ(α) = (χ, τ 1, τ 2 ), then ρ 1 (α) denotes τ 1 and ρ 2 (α) denotes τ 2. Let ρ = {α 1 (χ 1, τ 11, τ 12 ),..., α n (χ n, τ n1, τ n2 )}. Then ρ 1 denotes {α 1 τ 11,..., α n τ n1 } ρ 2 denotes {α 1 τ 12,..., α n τ n2 } ρ 1 (τ) is shorthand for [τ 11 /α 1,..., τ n1 /α n ]τ ρ 2 (τ) is shorthand for [τ 12 /α 1,..., τ n2 /α n ]τ ρ 1 (e) is shorthand for [τ 11 /α 1,..., τ n1 /α n ]e ρ 2 (e) is shorthand for [τ 12 /α 1,..., τ n2 /α n ]e A relational value substitution γ is a finite map from term variables x to pairs (v 1, v 2 ) where v 1 and v 2 are closed values (i.e., values that may have free locations, but no free type or term variables). If γ(x) = (v 1, v 2 ), then γ 1 (x) denotes v 1 and γ 2 (x) denotes v 2. Let γ = {x 1 (v 11, v 12 ),..., x n (v n1, v n2 )}. Then γ 1 denotes {x 1 v 11,..., x n v n1 } γ 2 denotes {x 1 v 12,..., x n v n2 } γ 1 (e) is shorthand for [v 11 /x 1,..., v n1 /x n ]e γ 2 (e) is shorthand for [v 12 /x 1,..., v n2 /x n ]e 12

13 V n τ ρ = V n τ ρ Atom[ρ 1(τ), ρ 2(τ)] val n V n α ρ = χ where ρ(α) = (χ, τ 1, τ 2) V n unit ρ = { (k, W, (), ()) } V n int ρ = { (k, W, n, n) v N } V n bool ρ = { (k, W, v, v) v = true v = false } V n τ τ ρ = { (k, W, v 1, v 1, v 2, v 2 ) (k, W, v 1, v 2) V n τ ρ (k, W, v 1, v 2) V n τ ρ } V n τ + τ ρ = { (k, W, inl v 1, inl v 2) (k, W, v 1, v 2) V n τ ρ } { (k, W, inr v 1, inr v 2) (k, W, v 1, v 2) V n τ ρ } V n τ τ ρ = { (k, W, λx : ρ 1(τ). e 1, λx : ρ 2(τ). e 2) (j, W ) (k, W ). v 1, v 2. (j, W, v 1, v 2) V n τ ρ = (j, W, [v 1/x]e 1, [v 2/x]e 2) E n τ ρ } V n α. τ ρ = { (k, W, Λα. e 1, Λα. e 2) (j, W ) (k, W ). τ 1, τ 2, χ Type[τ 1, τ 2]. (j, W, [τ 1/α]e 1, [τ 2/α]e 2) E n τ ρ[α (χ, τ 1, τ 2)] } V n α. τ ρ = { (k, W, pack τ 1, v 1 as α. ρ 1(τ), pack τ 2, v 2 as α. ρ 2(τ)) χ Type[τ 1, τ 2]. (k, W, v 1, v 2) V n τ ρ[α (χ, τ 1, τ 2)] } V n µα. τ ρ = { (k, W, fold v 1, fold v 2) k < n j < k. (j, W j, v 1, v 2) V k [µα. τ/α]τ ρ } V n ref τ ρ = { (k, W, l 1, l 2) k < n w ref (k, ρ, τ, l 1, l 2) W } w ref (k, ρ, τ, l 1, l 2) = (η, L) where η = (ψ, {}, {l 1 : ρ 1(τ)}, {l 2 : ρ 2(τ)}) ψ = { (j, W, s 1, s 2) (j, W, s 1(l 1), s 2(l 2)) V k τ ρ } L = {(j, η j) j k} E n τ ρ = { (k, W, e 1, e 2) Atom[ρ 1(τ), ρ 2(τ)] n j < k. s 1, s 2, s 1, v 1. s 1, s 2 : k W s 1, e 1 j s 1, v 1 = s 2, v 2, W. s 2, e 2 s 2, v 2 (k j, W ) (k, W ) s 1, s 2 : k j W (k j, W, v 1, v 2) V n τ ρ } Figure 12: Step-Indexed Logical Relations I 13

14 V τ ρ = S n 0 Vn τ ρ E τ ρ = S n 0 En τ ρ D = { } D, α = { ρ[α (χ, τ 1, τ 2)] ρ D χ Type[τ 1, τ 2] } G ρ = { (k, W, ) W World k } G Γ, x : τ ρ = { (k, W, γ[x (v 1, v 2)]) (k, W, γ) G Γ ρ (k, W, v 1, v 2) V τ ρ } S Σ = {(k, W ) (l : τ) Σ. (k, W, l, l) V ref τ } ; Γ; Σ e 1 log e 2 : τ = k 0. ρ, γ, W. ρ D (k, W, γ) G Γ ρ (k, W ) S Σ = (k, W, ρ 1(γ 1(e 1)), ρ 2(γ 2(e 2))) E τ ρ ; Γ; Σ e 1 log e 2 : τ = ; Γ; Σ e 1 log e 2 : τ ; Γ; Σ e 2 log e 1 : τ Figure 13: Step-Indexed Logical Relations II 14

15 3 Logical Relation Proofs 3.1 Basic Properties Properties of Step-Indexed Construction Lemma 3.1. Proof Let τ and ρ D. If j k then V j τ ρ = V k τ ρ j. Proof by induction on the derivation τ. Lemma 3.2. Proof Let τ and ρ D and j, k N. Then V k τ ρ j V k τ ρ. By inition of χ j. Lemma 3.3. Proof Let τ and ρ D. If j < k then V j τ ρ k = V j τ ρ. By inition of V j τ ρ, for any (i, W, v 1, v 2 ) V j τ ρ, it must be that i < j. Furthermore, since we have j < k as a premise, it follows that i < k. Thus, from the inition of χ k, and since i < j and i < k, it follows that (i, W, v 1, v 2 ) V j τ ρ k iff (i, W, v 1, v 2 ) V j τ ρ. Lemma 3.4. Proof Let τ and ρ D. Then V τ ρ k = V k τ ρ. V τ ρ k = n 0 V n τ ρ k since V τ ρ = n 0 V n τ ρ = n 0 V n τ ρ k by distributivity of k over = ( n<k V n τ ρ k ) ( n k V n τ ρ k ) = ( n<k V n τ ρ k ) ( n k V k τ ρ) since for k n, V n τ ρ k = V k τ ρ by Lemma 3.1 = ( n<k V n τ ρ k ) V k τ ρ = ( n<k V n τ ρ) V k τ ρ since for n < k, V n τ ρ k = V n τ ρ by Lemma 3.3 = ( n<k V k τ ρ n ) V k τ ρ since for n < k, V n τ ρ = V k τ ρ n by Lemma 3.1 = V k τ ρ since V k τ ρ n V k τ ρ by Lemma

16 Lemma 3.5. If ψ StoreRel k then ψ = ψ k. Lemma 3.6. If η Knowledge k then η = η k. Lemma 3.7. If L Law k then L = L k. 16

17 3.1.2 Approximation Yields Valid Semantic Objects Lemma 3.8. (Store Relation Approximation Valid) If ψ StoreRel k and j k, then ψ j StoreRel j. Lemma 3.9. (Knowledge Approximation Valid) If η Knowledge k and j k, then η j Knowledge j. Lemma (Law Approximation Valid) If L Law k and j k, then L j Law j. Lemma (Island Approximation Valid) If w Island k and j k, then w j Island j. Lemma (World Approximation Valid) If W World k and j k, then W j World j. 17

18 3.1.3 World Extension and Store Satisfaction Properties Lemma (Reflexivity: Island ) If w Island k then w w. Lemma (Reflexivity: World ) If W World k then W W. Lemma (Reflexivity of World Extension) If W World k then (k, W ) (k, W ). Lemma (World Approximation is Valid Extension) Proof If W World k and j k, then (j, W j ) (k, W ). We are required to show that j k, which is a premise, W World k, which is a premise, W j World j, which follows from Lemma 3.12 applied to W World k and j k, and W j W j, which follows from Lemma 3.14 applied to W j World j. Lemma If (j, W ) (k, W ) and j i, then (j, W ) (i, W i ). Lemma (Transitivity of World Extension) If (i, W ) (j, W ) and (j, W ) (k, W ), then (i, W ) (k, W ). Lemma (Store Satisfaction Downward Closed) Suppose W World k. If s 1, s 2 : k W and j k, then s 1, s 2 : j W j. 18

19 3.1.4 Validity of Type Interpretations Lemma (Closure Under World Extension) Proof Let τ and ρ D. If (k, W, v 1, v 2 ) V n τ ρ and (j, W ) (k, W ), then (j, W, v 1, v 2 ) V n τ ρ. Proof by induction on n and nested induction on the derivation τ. Lemma (Logical Relations Closed Under World Extension) Proof Let τ and ρ D. If (k, W, v 1, v 2 ) V τ ρ and (j, W ) (k, W ), then (j, W, v 1, v 2 ) V τ ρ. Follows from Lemmas 3.4 and Lemma Proof Let Γ and ρ D. If (k, W, γ) G Γ ρ and (j, W ) (k, W ), then (j, W, γ) G Γ ρ. Proof by induction on Γ. Follows from Lemma Lemma Proof If (k, W ) S Σ and (j, W ) (k, W ), then (j, W ) S Σ. Follows from Lemma Lemma (Logical Relations Are Valid Type Interpretations) Proof If τ and ρ D, then V τ ρ Type[ρ 1 (τ), ρ 2 (τ)]. Follows from Lemma

20 3.1.5 Substitution Property Lemma (Semantic Type Substitution) Let τ and ρ D and, α τ. Let χ = V τ ρ. Then V τ ρ[α (χ, ρ 1 (τ ), ρ 2 (τ ))] = V [τ /α]τ ρ. 20

21 3.2 Fundamental Property The Fundamental Property of the logical relation follows from the fact that the latter is a congruence [7]. To establish congruence we have to show that the logical relation satisfies the compatibility and substitutivity properties. Note: Below we give detailed proofs of the compatibility lemmas that involve references see Lemmas 3.29 (locations), 3.47 (allocation), 3.48 (dereferencing), and 3.49 (assignment). Proofs of the compatibility lemmas that do not involve references essentially follow the proofs given in Ahmed s earlier work [1]. Lemma (Compatibility: Var) If Γ(x) = τ then ; Γ; Σ x log x : τ. Lemma (Compatibility: Unit) ; Γ; Σ () log () : unit. Lemma (Compatibility: Int) ; Γ; Σ n log n : int. 21

22 Lemma Proof (Compatibility: Loc) If Σ(l) = τ then ; Γ; Σ l log l : ref τ. Consider arbitrary k, ρ, γ, W such that k 0, ρ D, (k, W, γ) G Γ ρ, and (k, W ) S Σ. We are required to show that (k, W, ρ 1 (γ 1 (l)), ρ 2 (γ 2 (l))) E ref τ ρ (k, W, l, l) E ref τ ρ. Consider arbitrary j, s 1, s 2, s 1, v 1 such that j < k, s 1, s 2 : k W, and s 1, l j s 1, v 1. Since l is a value, we have that j = 0, s 1 = s 1, and v 1 = l. Note that we have the following facts: W World k, which follows from (k, W, γ) G Γ ρ above, and (k, W, l, l) V ref τ, which follows from (k, W ) S Σ since Σ(l) = τ. Take s 2 = s 2, v 2 = l, and W = W. We are required to show that (1) s 2, l s 2, v 2 s 2, l s 2, l, which is immediate, (2) (k 0, W ) (k, W ) (k, W ) (k, W ), which follows from Lemma 3.15 (reflexivity of, page 18) applied to W World k, (3) s 1, s 2 : k 0 W s 1, s 2 : k W, which follows from above, and (4) (k 0, W, v 1, v 2 ) V ref τ ρ (k, W, l, l) V ref τ ρ (k, W, l, l) V ref τ (since we can conclude from the premise that FTV (τ) = ), which follows from above. 22

23 Lemma (Compatibility: True) ; Γ; Σ true log true : bool. Lemma (Compatibility: False) ; Γ; Σ false log false : bool. Lemma (Compatibility: If) If ; Γ; Σ e 10 log e 20 : bool, ; Γ; Σ e 11 log e 21 : τ, and ; Γ; Σ e 12 log e 22 : τ, then ; Γ; Σ if e 10 then e 11 else e 12 log if e 20 then e 21 else e 22 : τ. Lemma (Compatibility: Pair) If ; Γ; Σ e 1 log e 2 : τ and ; Γ; Σ e 1 log e 2 : τ, then ; Γ; Σ e 1, e 1 log e 2, e 2 : τ τ. Lemma (Compatibility: Fst) If ; Γ; Σ e 1 log e 2 : τ τ, then ; Γ; Σ fst e 1 log fst e 2 : τ. Lemma (Compatibility: Snd) If ; Γ; Σ e 1 log e 2 : τ τ, then ; Γ; Σ snd e 1 log snd e 2 : τ. Lemma (Compatibility: Inl) If ; Γ; Σ e 1 log e 2 : τ, then ; Γ; Σ inl e 1 log inl e 2 : τ + τ. Lemma (Compatibility: Inr) If ; Γ; Σ e 1 log e 2 : τ, then ; Γ; Σ inr e 1 log inr e 2 : τ + τ. Lemma (Compatibility: Case) If ; Γ; Σ e 10 log e 20 : τ + τ, ; Γ, x : τ; Σ e 1 log e 2 : τ, and ; Γ, x : τ ; Σ e 1 log e 2 : τ, then ; Γ; Σ case e 10 of inl x e 1 inr x e 1 log case e 20 of inl x e 2 inr x e 2 : τ. 23

24 Lemma (Compatibility: Fun) If ; Γ, x : τ; Σ e 1 log e 2 : τ, then ; Γ; Σ λx : τ. e 1 log λx : τ. e 2 : τ τ. Lemma (Compatibility: App) If ; Γ; Σ e 1 log e 2 : τ τ and ; Γ; Σ e 1 log e 2 : τ, then ; Γ; Σ e 1 e 1 log e 2 e 2 : τ. Lemma (Compatibility: All) If, α; Γ; Σ e 1 log e 2 : τ, then ; Γ; Σ Λα. e 1 log Λα. e 2 : α. τ. Lemma (Compatibility: Type App) If ; Γ; Σ e 1 log e 2 : α. τ and τ, then ; Γ; Σ e 1 [τ ] log e 2 [τ ] : [τ /α]τ. Lemma (Compatibility: Pack) If τ and ; Γ; Σ e 1 log e 2 : [τ /α]τ, then ; Γ; Σ pack τ, e 1 as α. τ log pack τ, e 2 as α. τ : α. τ. Lemma (Compatibility: Unpack) If ; Γ; Σ e 1 log e 2 : α. τ, τ, and, α; Γ, x : τ; Σ e 1 log e 2 : τ then ; Γ; Σ unpack e 1 as α, x in e 1 log unpack e 2 as α, x in e 2 : τ. Lemma (Compatibility: Fold) If ; Γ; Σ e 1 log e 2 : [µα. τ/α]τ, then ; Γ; Σ fold e 1 log fold e 2 : µα. τ. Lemma (Compatibility: Unfold) If ; Γ; Σ e 1 log e 2 : µα. τ, then ; Γ; Σ unfold e 1 log unfold e 2 : [µα. τ/α]τ. 24

25 Lemma (Compatibility: Ref) Proof If ; Γ; Σ e 1 log e 2 : τ, then ; Γ; Σ ref e 1 log ref e 2 : ref τ. Consider arbitrary k, ρ, γ, W such that k 0, ρ D, (k, W, γ) G Γ ρ, and (k, W ) S Σ. We are required to show that (k, W, ρ 1 (γ 1 (ref e 1 )), ρ 2 (γ 2 (ref e 2 ))) E ref τ ρ (k, W, ref (ρ 1 (γ 1 (e 1 ))), ref (ρ 2 (γ 2 (e 2 )))) E ref τ ρ. Consider arbitrary j, s 1, s 2, s 1, v 1 such that j < k, s 1, s 2 : k W, and s 1, ref (ρ 1 (γ 1 (e 1 ))) j s 1, v 1. Hence, by inspection of the operational semantics, it follows that there exist j 1, s 1a, v 1a, and l 1 such that s 1, ρ 1 (γ 1 (e 1 )) j1 s 1a, v 1a, s 1a, ref v 1a 1 s 1a [l 1 v 1a ], l 1, l 1 / dom(s 1a ), j = j 1 + 1, s 1 = s 1a [l 1 v 1a ], and v 1 = l 1. Instantiate the premise ; Γ; Σ e 1 log e 2 : τ with k, ρ, γ, and W. Note that k 0, ρ D, (k, W, γ) G Γ ρ, and (k, W ) S Σ. Hence, (k, W, ρ 1 (γ 1 (e 1 )), ρ 2 (γ 2 (e 2 ))) E τ ρ. Instantiate this with j 1, s 1, s 2, s 1a, v 1a. Note that j 1 < k, which follows from j 1 = j 1 and j < k, s 1, s 2 : k W and 25

26 s 1, ρ 1 (γ 1 (e 1 )) j1 s 1a, v 1a. Hence, there exist s 2a, v 2a, and W a such that s 2, ρ 2 (γ 2 (e 2 )) s 2a, v 2a, (k j 1, W a ) (k, W ), s 1a, s 2a : k j1 W a, and (k j 1, W a, v 1a, v 2a ) V τ ρ. Take s 2 = s 2a [l 2 v 2a ], where l 2 / dom(s 2a ), and v 2 = l 2. If W a = w a1,..., w an, then take W = w a1 k j,..., w an k j, w, where w = (η, L ), η = (ψ,, {l 1 : ρ 1 (τ)}, {l 2 : ρ 2 (τ)}) ψ = {(i, W, s 1, s 2) (i, W, s 1(l 1 ), s 2(l 2 )) V τ ρ k j } L = {(i, η i ) i k j}. Note that we have the following facts: s 1a : Σ 1 (W a ) and s 2a : Σ 2 (W a ), which follow from s 1a, s 2a : k j1 W a, W a World k j1, which follows from (k j 1, W a ) (k, W ) above, w ai k j Island k j for all i such that 1 i n, which follows from Lemma 3.11 (page 17) applied to w ai Island k j1, which follows from w ai W a and the fact that W a World k j1, and k j k j 1. W World k j, which follows from (i) and (ii) below: (i) w a1 k j,..., w an k j, w Island n+1 k j, which follows from w ai k j Island k j for all i such that 1 i n, which follows from above, and w Island k j, which follows from (a), (b), and (c) below: (a) η Knowledge k j, which follows from ψ StoreRel k j, which follows from the closure of ψ under world extension; the latter, given the inition of ψ, follows from the closure of V τ ρ k j under world extension (i.e., from Lemma 3.21 (page 19) applied to τ and ρ D ). 26

27 s 1, s 2, s 1, s 2. ( l 1 dom(η.σ 1 ).s 1 (l 1 ) = s 1(l 1 ) l 2 dom(η.σ 2 ).s 2 (l 2 ) = s 2(l 2 )) = j, W. (j, W, s 1, s 2 ) ψ (j, W, s 1, s 2) ψ ), which is immediate from the inition of η since dom(η.σ 1 ) = {l 1 } and dom(η.σ 2 ) = {l 2 } and since ψ is ined to rely only on the contents of location l 1 in the first store and the contents of l 2 in the second store. More formally, note that from the inition of ψ it follows that (j, W, s 1, s 2 ) ψ (j, W, s 1, s 2) ψ (j, W, s 1 (l 1 ), s 2 (l 2 )) V τ ρ k j (j, W, s 1(l 1 ), s 2(l 2 )) V τ ρ k j The latter is clearly a tautology when s 1 (l 1 ) = s 1(l 1 ) and s 2 (l 2 ) = s 2(l 2 ). (b) L Law k j, which follows from the downward closure of L (i.e., the property that (i, η) L. i < i. (i, η i ) L ), which is immediate from the inition of L. (c) (k j, η ) L (k j, η k j ) L (since η = η k j by Lemma 3.6 (page 16) applied to η Knowledge k j ), which is immediate from the inition of L. (ii) c, d {1,..., n + 1}. c d = dom(w [c].σ 1 ) # dom(w [d].σ 1 ) dom(w [c].σ 2 ) # dom(w [d].σ 2 ), which we conclude as follows: Suppose c, d {1,..., n} and c d. Note that dom(w [c].σ 1 ) # dom(w [d].σ 1 ) dom(w [c].σ 2 ) # dom(w [d].σ 2 ) dom(w a [c].σ 1 ) # dom(w a [d].σ 1 ) dom(w a [c].σ 2 ) # dom(w a [d].σ 2 ) (since W [i].σ 1 = W a [i].σ 1 and W [i].σ 2 = W a [i].σ 2 for i {1,..., n}, by n of W ) dom(w ac.σ 1 ) # dom(w ad.σ 1 ) dom(w ac.σ 2 ) # dom(w ad.σ 2 ) (since W a [i] = w ai for i {1,..., n}) Note that the latter follows from W a World k j1 (which follows from above). Thus, it remains for us to show that the last island in W, namely W [n + 1] w is such that i {1,..., n}. dom(w.σ 1 ) # dom(w [i].σ 1 ) dom(w.σ 2 ) # dom(w [i].σ 2 ) i {1,..., n}. dom(w.σ 1 ) # dom(w a [i].σ 1 ) dom(w.σ 1 ) # dom( 1 i n W a[i].σ 1 ) dom(w.σ 2 ) # dom(w a [i].σ 2 ) dom(w.σ 2 ) # dom( 1 i n W a[i].σ 2 ) dom(w.σ 1 ) # dom(σ 1 (W a )) dom(w.σ 2 ) # dom(σ 2 (W a )) {l 1 } # dom(σ 1 (W a )) {l 2 } # dom(σ 2 (W a )) l 1 / dom(σ 1 (W a )) l 2 / dom(σ 2 (W a )) Note that from s 1a, s 2a : k j1 W a it follows that s 1a : Σ 1 (W a ) and s 2a : Σ 2 (W a ). Hence, it follows that dom(s 1a ) dom(σ 1 (W a )) and dom(s 2a ) dom(σ 2 (W a )). Hence, we can conclude that l 1 / Σ 1 (W a ), which follows from l 1 / dom(s 1a ) (from above) and dom(s 1a ) dom(σ 1 (W a )), and l 2 / Σ 2 (W a ), which follows from l 2 / dom(s 2a ) (from above) and dom(s 2a ) dom(σ 2 (W a )). 27

28 We are required to show that (1) s 2, ref (ρ 2 (γ 2 (e 2 ))) s 2, v 2 s 2, ref (ρ 2 (γ 2 (e 2 ))) s 2a [l 2 v 2a ], l 2, which follows from s 2, ref (ρ 2 (γ 2 (e 2 ))) s 2a, ref v 2a 1 s 2a [l 2 v 2a ], l 2, where l 2 / dom(s 2a ) as required. (2) (k j, W ) (k, W ), which follows from Lemma 3.18 (transitivity of, page 18) applied to (k j, W ) (k j 1, W a ), which follows (by the inition of ) from: and k j k j 1, which follows from k j = k j 1 1 (since j = j 1 + 1), W a World k j1, which follows from above, W World k j, which follows from above, and W W a k j w a1 k j,..., w an k j, w w a1,..., w an k j w a1 k j,..., w an k j, w w a1 k j,..., w an k j, which we conclude as follows: Note that it suffices to show i {1,..., n}. w ai k j w ai k j. Applying Lemma 3.13 (page 18) to w ai k j Island k j (from above), we conclude that w ai k j w ai k j. (k j 1, W a ) (k, W ), which follows from above. (3) s 1, s 2 : k j W s 1a [l 1 v 1a ], s 2a [l 2 v 2a ] : k j W, which follows (by inition of the store satisfaction relation) from s 1a [l 1 v 1a ] : Σ 1 (W ) l dom(σ 1 (W )). ; ; Σ 1 (W ) s 1a [l 1 v 1a ](l) : Σ 1 (W )(l), which, since Σ 1 (W ) Σ 1 (W a ) {l 1 : ρ 1 (τ)}, follows from (I) and (II) below: (I) l dom(σ 1 (W a )). ; ; Σ 1 (W ) s 1a [l 1 v 1a ](l) : (Σ 1 (W ))(l), which follows from: Consider l dom(σ 1 (W a )). Hence, note that l l 1. We are required to show that ; ; Σ 1 (W ) s 1a [l 1 v 1a ](l) : (Σ 1 (W ))(l) ; ; Σ 1 (W ) s 1a (l) : (Σ 1 (W ))(l) (since l l 1 and l 1 / dom(s 1a )) ; ; Σ 1 (W ) s 1a (l) : (Σ 1 (W a ))(l) (since l l 1 and l 1 / dom(σ 1 (W a ))) ; ; Σ 1 (W a ) {l 1 : ρ 1 (τ)} s 1a (l) : (Σ 1 (W a ))(l) which follows from ; ; Σ 1 (W a ) s 1a (l) : (Σ 1 (W a ))(l), which in turn follows from s 1a : Σ 1 (W a ) since l dom(σ 1 (W a )). (II) l dom({l 1 : ρ 1 (τ)}). ; ; Σ 1 (W ) s 1a [l 1 v 1a ](l) : (Σ 1 (W ))(l) ; ; Σ 1 (W ) s 1a [l 1 v 1a ](l 1 ) : (Σ 1 (W ))(l 1 ) ; ; Σ 1 (W ) v 1a : ρ 1 (τ), which follows from ; ; Σ 1 (W a ) v 1a : ρ 1 (τ), which in turn follows from (k j 1, W a, v 1a, v 2a ) V τ ρ. 28

29 s 2a [l 2 v 2a ] : Σ 2 (W ), which follows by reasoning analogous to that used for s 1a [l 1 v 1a ] : Σ 1 (W ) above. w W. i < k j. (i, W i, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) w.ψ, which we conclude as follows: Consider arbitrary w W and i < k j. We are required to show (i, W i, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) w.ψ. Note that by the inition of W, there are two cases to consider: either w = W [i] (where 1 i n), or w = W [n + 1]. Case w = W [i] = w ai k j (where 1 i n) : We are required to show that (i, W i, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) ( w ai k j ).ψ (i, W i, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) w ai.ψ k j (i, W i, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) w ai.ψ (since i < k j) Note that from s 1a, s 2a : k j1 W a it follows that w ai W a. i < k j 1. (i, W i, s 1a, s 2a ) w ai.ψ. Hence, since w ai W a (where 1 i n) and since k j < k j 1 (which follows from j = j 1 + 1), it follows that (k j, W k j, s 1a, s 2a ) w ai.ψ. Let w ai.σ 1 = Σ ai1 and let w ai.σ 2 = Σ ai2. Then it must be that l 1 / dom(σ ai1 ), which follows from l 1 / dom(σ 1 (W a )), which follows from above, and Σ ai1 Σ 1 (W a ), which follows from the inition of Σ 1 (W a ) since w ai W a and w ai.σ 1 = Σ ai1. l 2 / dom(σ ai2 ), which follows from l 2 / dom(σ 2 (W a )), which follows from above, and Σ ai2 Σ 2 (W a ), which follows from the inition of Σ 2 (W a ) since w ai W a and w ai.σ 2 = Σ ai2. Hence, note that l dom(σ ai1 ). s 1a (l) = s 1a [l 1 v 1a ](l), and l dom(σ ai2 ). s 2a (l) = s 2a [l 2 v 2a ](l). Note that w ai.η Knowledge k j1, which follows from W a World k j1 since W a [i] = w ai. Now, from W a.η Knowledge k j1, together with l dom(σ ai1 ). s 1a (l) = s 1a [l 1 v 1a ](l), l dom(σ ai2 ). s 2a (l) = s 2a [l 2 v 2a ](l), and (k j, W a k j, s 1a, s 2a ) w ai.ψ (from above), it follows that (k j, W a k j, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) w ai.ψ. Note that (i, W i ) (k j, W a k j ), which follows from Lemma 3.18 (page 18) applied to 29

30 (i, W i ) (k j, W ), which follows from Lemma 3.16 (page 18) applied to W World k j and i < k j, and (k j, W ) (k j, W a k j ), which follows from Lemma 3.17 (page 18) applied to (k j, W ) (k j 1, W a ), which follows from above, and k j k j. Next, note that w ai.ψ StoreRel k j1, which follows from w ai.η Knowledge k j1. Since w ai.ψ is closed under world extension, and since we have that (k j, W a k j, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) w ai.ψ (from above) and (i, W i ) (k j, W a k j ), it follows that (i, W i, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) w ai.ψ as required. Case w = W [n + 1] = w : We are required to show that (i, W i, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) w.ψ (i, W i, s 1a [l 1 v 1a ], s 2a [l 2 v 2a ]) ψ (since w.ψ = ψ ) (i, W i, s 1a [l 1 v 1a ](l 1 ), s 2a [l 2 v 2a ](l 2 )) V τ ρ k j (by inition of ψ ) (i, W i, v 1a, v 2a ) V τ ρ k j (i, W i, v 1a, v 2a ) V τ ρ (since i < k j) Note that (i, W i ) (k j 1, W a ), which follows from Lemma 3.18 (page 18) applied to (i, W i ) (k j, W ) which follows from Lemma 3.16 (page 18) applied to W World k j and i < k j, and (k j, W ) (k j 1, W a ), which follows from above. Applying Lemma 3.21 (page 19) to (k j 1, W a, v 1a, v 2a ) V τ ρ (from above) and (i, W i ) (k j 1, W a ), we conclude that (i, W i, v 1a, v 2a ) V τ ρ as required. (4) (k j, W, v 1, v 2 ) V ref τ ρ (k j, W, l 1, l 2 ) V ref τ ρ, which follows (by the inition of V ref τ ρ) from w ref (k j, ρ, τ, l 1, l 2 ) W (η, L ) W (since w ref (k j, ρ, τ, l 1, l 2 ) = (η, L ) = w ) w W, which follows from W [n + 1] = w. 30

31 Lemma (Compatibility: Deref) Proof If ; Γ; Σ e 1 log e 2 : ref τ, then ; Γ; Σ!e 1 log!e 2 : τ. Consider arbitrary k, ρ, γ, W such that k 0, ρ D, (k, W, γ) G Γ ρ, and (k, W ) S Σ. We are required to show that (k, W, ρ 1 (γ 1 (!e 1 )), ρ 2 (γ 2 (!e 2 ))) E τ ρ (k, W,!(ρ 1 (γ 1 (e 1 ))),!(ρ 2 (γ 2 (e 2 )))) E τ ρ. Consider arbitrary j, s 1, s 2, s 1, v 1 such that j < k, s 1, s 2 : k W, and s 1,!(ρ 1 (γ 1 (e 1 ))) j s 1, v 1. Hence, by inspection of the operational semantics, it follows that there exist j 1, s 1a, and l 1 such that s 1, ρ 1 (γ 1 (e 1 )) j1 s 1a, l 1, s 1a (l 1 ) = v 1, s 1a,!l 1 1 s 1a, v 1, j = j 1 + 1, and s 1 = s 1a. Instantiate the premise ; Γ; Σ e 1 log e 2 : ref τ with k, ρ, γ, and W. Note that k 0, ρ D, (k, W, γ) G Γ ρ, and (k, W ) S Σ. Hence, (k, W, ρ 1 (γ 1 (e 1 )), ρ 2 (γ 2 (e 2 ))) E ref τ ρ. Instantiate this with j 1, s 1, s 2, s 1a, l 1. Note that j 1 < k, which follows from j 1 = j 1 and j < k, s 1, s 2 : k W and s 1, ρ 1 (γ 1 (e 1 )) j1 s 1a, l 1. 31

32 Hence, there exist s 2a, v 2a, and W a such that s 2, ρ 2 (γ 2 (e 2 )) s 2a, v 2a, (k j 1, W a ) (k, W ), s 1a, s 2a : k j1 W a, and (k j 1, W a, l 1, v 2a ) V ref τ ρ. Hence, v 2a l 2. Note that we have the following facts: k j < k j 1, which follows from j < k and j = j 1 + 1, and W a World k j1, which follows from (k j 1, W a ) (k, W ). Also, note that w ref (k j 1, ρ, τ, l 1, l 2 ) W a (which follows from (k j 1, W a, l 1, v 2a ) V ref τ ρ), where w ref (k j 1, ρ, τ, l 1, l 2 ) = (η, L) η = (ψ,, {l 1 : ρ 1 (τ)}, {l 2 : ρ 2 (τ)}) ψ = {(i, W, s 1, s 2) (i, W, s 1(l 1 ), s 2(l 2 )) V τ ρ k j1 } L = {(i, η i ) i k j 1 } Note that w W a. i < k j 1. (i, W a i, s 1a, s 2a ) w.ψ, which follows from s 1a, s 2a : k j1 W a. Hence, since (η, L) W a, it follows that i < k j 1. (i, W a i, s 1a, s 2a ) (η, L).ψ i < k j 1. (i, W a i, s 1a, s 2a ) ψ (since (η, L).ψ ψ) Hence, since k j < k j 1, it follows that (k j, W a k j, s 1a, s 2a ) ψ Hence, from the inition of ψ, it follows that (k j, W a k j, s 1a (l 1 ), s 2a (l 2 )) V τ ρ k j1. Note that, from the latter, it follows that l 2 dom(s 2a ). Take s 2 = s 2a, v 2 = s 2a (l 2 ), and W = W a k j. We are required to show that (1) s 2,!(ρ 2 (γ 2 (e 2 ))) s 2, v 2 s 2,!(ρ 2 (γ 2 (e 2 ))) s 2a, s 2a (l 2 ), which follows from s 2,!(ρ 2 (γ 2 (e 2 ))) s 2a,!v 2a s 2a,!l 2, where l 2 dom(s 2a ) as required 1 s 2a, s 2a (l 2 ). 32

33 (2) (k j, W ) (k, W ) (k j, W a k j ) (k, W ), which follows from Lemma 3.18 (transitivity of, page 18) applied to (k j, W a k j ) (k j 1, W a ), which follows from Lemma 3.16 (page 18) applied to W a World k j1 and k j < k j 1, and (k j 1, W a ) (k, W ), which follows from above. (3) s 1, s 2 : k j W s 1a, s 2a : k j W a k j, which follows from Lemma 3.19 (page 18) applied to s 1a, s 2a : k j1 W a and k j < k j 1. (4) (k j, W, v 1, v 2 ) V τ ρ (k j, W a k j, s 1a (l 1 ), s 2a (l 2 )) V τ ρ, which follows from (k j, W a k j, s 1a (l 1 ), s 2a (l 2 )) V τ ρ k j1 (since k j < k j 1 ). 33

34 Lemma (Compatibility: Assign) Proof If ; Γ; Σ e 1 log e 2 : ref τ and ; Γ; Σ e 1 log e 2 : τ, then ; Γ; Σ e 1 := e 1 log e 2 := e 2 : unit. Consider arbitrary k, ρ, γ, W such that k 0, ρ D, (k, W, γ) G Γ ρ, and (k, W ) S Σ. We are required to show that (k, W, ρ 1 (γ 1 (e 1 := e 1)), ρ 2 (γ 2 (e 2 := e 2))) E unit ρ (k, W, ρ 1 (γ 1 (e 1 )) := ρ 1 (γ 1 (e 1)), ρ 2 (γ 2 (e 2 )) := ρ 2 (γ 2 (e 2))) E unit ρ. Consider arbitrary j, s 1, s 2, s 1, v 1 such that j < k, s 1, s 2 : k W, and s 1, ρ 1 (γ 1 (e 1 )) := ρ 1 (γ 1 (e 1)) j s 1, v 1. Hence, by inspection of the operational semantics, it follows that there exist j 1, j 2, s 1a, s 1b, l 1, and v 1b such that s 1, ρ 1 (γ 1 (e 1 )) j1 s 1a, l 1, s 1a, ρ 1 (γ 1 (e 1)) j2 s 1b, v 1b, l 1 dom(s 1b ), s 1b, l 1 := v 1b 1 s 1b [l 1 v 1b ], (), j = j 1 + j 2 + 1, s 1 = s 1b [l 1 v 1b ], and v 1 = (). Instantiate the premise ; Γ; Σ e 1 log e 2 : ref τ with k, ρ, γ, and W. Note that k 0, ρ D, (k, W, γ) G Γ ρ, and (k, W ) S Σ. Hence, (k, W, ρ 1 (γ 1 (e 1 )), ρ 2 (γ 2 (e 2 ))) E ref τ ρ. Instantiate this with j 1, s 1, s 2, s 1a, l 1. Note that j 1 < k, which follows from j 1 = j j 2 1 and j < k, 34

35 s 1, s 2 : k W and s 1, ρ 1 (γ 1 (e 1 )) j1 s 1a, l 1. Hence, there exist s 2a, v 2a, and W a such that s 2, ρ 2 (γ 2 (e 2 )) s 2a, v 2a, (k j 1, W a ) (k, W ), s 1a, s 2a : k j1 W a, and (k j 1, W a, l 1, v 2a ) V ref τ ρ. Hence, v 2a l 2. Instantiate the premise ; Γ; Σ e 1 log e 2 : τ with k j 1, ρ, γ, and W a. Note that k j 1 0, which follows from j 1 = j j 2 1 and j < k, ρ D, (k j 1, W a, γ) G Γ ρ, which follows from Lemma 3.22 (page 19) applied to (k, W, γ) G Γ ρ and (k j 1, W a ) (k, W ), and (k j 1, W a ) S Σ, which follows from Lemma 3.23 (page 19) applied to (k, W ) S Σ and (k j 1, W a ) (k, W ). Hence, (k j 1, W a, ρ 1 (γ 1 (e 1)), ρ 2 (γ 2 (e 2))) E τ ρ. Instantiate this with j 2, s 1a, s 2a, s 1b, v 1b. Note that j 2 < k j 1, which follows from j 2 = j j 1 1 and j < k, s 1a, s 2a : k j1 W a, which follows from above, and s 1a, ρ 1 (γ 1 (e 1)) j2 s 1b, v 1b, which follows from above. Hence, there exist s 2b, v 2b, and W b such that s 2a, ρ 2 (γ 2 (e 2)) s 2b, v 2b, (k j 1 j 2, W b ) (k j 1, W a ), s 1b, s 2b : k j1 j 2 W b, and (k j 1 j 2, W b, v 1b, v 2b ) V τ ρ. Note that we have the following facts: s 1b : Σ 1 (W b ) and s 2b : Σ 2 (W b ), which follow from s 1b, s 2b : k j1 j 2 W b, 35

36 k j < k j 1 j 2, which follows from j < k and j = j 1 + j 2 + 1, W b World k j1 j 2, which follows from (k j 1 j 2, W b ) (k j 1, W a ), W b k j World k j, which follows from Lemma 3.12 (page 17) applied to W b World k j1 j 2 and k j k j 1 j 2, Suppose W a = w a1,..., w an. Then m {1,..., n}. W a [m] = w ref (k j 1, ρ, τ, l 1, l 2 ) (or alternatively, w ref (k j 1, ρ, τ, l 1, l 2 ) W a, which follows from (k j 1, W a, l 1, v 2a ) V ref τ ρ), where w ref (k j 1, ρ, τ, l 1, l 2 ) = (η, L) η = (ψ,, {l 1 : ρ 1 (τ)}, {l 2 : ρ 2 (τ)}) ψ = {(i, W, s 1, s 2) (i, W, s 1(l 1 ), s 2(l 2 )) V τ ρ k j1 } L = {(i, η i ) i k j 1 } {l 1 : ρ 1 (τ)} Σ 1 (W a ) and {l 2 : ρ 2 (τ)} Σ 2 (W a ), which follow from the initions of Σ 1 (W a ) and Σ 2 (W a ) and the fact that (η, L) W a (above) where (η, L).Σ 1 = {l 1 : ρ 1 (τ)} and (η, L).Σ 2 = {l 2 : ρ 2 (τ)}. Σ 1 (W b ) Σ 1 (W a ) and Σ 2 (W b ) Σ 2 (W a ), which follow from (k j 1 j 2, W b ) (k j 1, W a ). {l 1 : ρ 1 (τ)} Σ 1 (W b ) and {l 2 : ρ 2 (τ)} Σ 2 (W b ), which follow, respectively, from {l 1 : ρ 1 (τ)} Σ 1 (W a ) since Σ 1 (W b ) Σ 1 (W a ), and from {l 2 : ρ 2 (τ)} Σ 2 (W a ) since Σ 2 (W b ) Σ 2 (W a ). l 2 dom(s 2b ), which follows from the fact that l dom(σ 2 (W b ). ; ; Σ 2 (W b ) s 2b (l) : Σ 2 (W b )(l) (which follows, by inition, from s 2b : Σ 2 (W b )), since l 2 dom(σ 2 (W b )). Take s 2 = s 2b [l 2 v 2b ], v 2 = (), and W = W b k j. We are required to show that (1) s 2, (ρ 2 (γ 2 (e 2 ))) := (ρ 2 (γ 2 (e 2))) s 2, v 2 s 2, (ρ 2 (γ 2 (e 2 ))) := (ρ 2 (γ 2 (e 2))) s 2b [l 2 v 2b ], (), which follows from s 2, (ρ 2 (γ 2 (e 2 ))) := (ρ 2 (γ 2 (e 2))) s 2a, v 2a := (ρ 2 (γ 2 (e 2))) s 2a, l 2 := (ρ 2 (γ 2 (e 2))) s 2b, l 2 := v 2b, where l 2 dom(s 2b ) as required 1 s 2b [l 2 v 2b ], (). (2) (k j, W ) (k, W ) (k j, W b k j ) (k, W ), which follows from Lemma 3.18 (transitivity of, page 18) applied to (k j, W b k j ) (k j 1 j 2, W b ), which follows from Lemma 3.16 (page 18) applied to W b World k j1 j 2 and k j < k j 1 j 2, and 36

37 (k j 1 j 2, W b ) (k, W ), which follows from Lemma 3.18 (transitivity of, page 18) applied to (k j 1 j 2, W b ) (k j 1, W a ), which follows from above, and (k j 1, W a ) (k, W ), which follows from above. (3) s 1, s 2 : k j W s 1b [l 1 v 1b ], s 2b [l 2 v 2b ] : k j W b k j, which follows (by inition of the store satisfaction relation) from s 1b [l 1 v 1b ] : Σ 1 ( W b k j ) s 1b [l 1 v 1b ] : Σ 1 (W b ) l dom(σ 1 (W b )). ; ; Σ 1 (W b ) s 1b [l 1 v 1b ](l) : (Σ 1 (W b ))(l), which, since l 1 dom(σ 1 (W b )), follows from (I) and (II) below: (I) l (dom(σ 1 (W b )) \ {l 1 }). ; ; Σ 1 (W b ) s 1b [l 1 v 1b ](l) : (Σ 1 (W b ))(l), which follows from: Consider l dom(σ 1 (W b )) \ {l 1 }). Hence, note that l l 1. We are required to show that ; ; Σ 1 (W b ) s 1b [l 1 v 1b ](l) : (Σ 1 (W b ))(l) ; ; Σ 1 (W b ) s 1b (l) : (Σ 1 (W b ))(l) (since l l 1 ) which follows from l dom(σ 1 (W b )). ; ; Σ 1 (W b ) s 1b (l) : (Σ 1 (W b ))(l), which in turn follows from s 1b : Σ 1 (W b ) since l dom(σ 1 (W b )). (II) l {l 1 }. ; ; Σ 1 (W b ) s 1b [l 1 v 1b ](l) : (Σ 1 (W b ))(l) ; ; Σ 1 (W b ) s 1b [l 1 v 1b ](l 1 ) : (Σ 1 (W b ))(l 1 ) ; ; Σ 1 (W b ) v 1b : (Σ 1 (W b ))(l 1 ) ; ; Σ 1 (W b ) v 1b : ρ 1 (τ) (since {l 1 : ρ 1 (τ)} Σ 1 (W b )) which follows from (k j 1 j 2, W b, v 1b, v 2b ) V τ ρ. s 2b [l 2 v 2b ] : Σ 2 ( W b k j ), which follows by reasoning analogous to that used for s 1b [l 1 v 1b ] : Σ 1 ( W b k j ) above. w W. i < k j. (i, W i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w.ψ w W b k j. i < k j. (i, W b k j i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w.ψ w W b k j. i < k j. (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w.ψ, which we conclude as follows: Suppose W b = w b1,..., w bn. Note that we have the following facts: m n n, which follows from (k j 1 j 2, W b ) (k j 1, W a ) together with 1 m n (from above) and W a = w a1,..., w an (from above). W b k j = w b1 k j,..., w bn k j, which is immediate from the inition of world approximation. Note that since W a [m] = (η, L) and since (k j, W b k j ) (k j 1, W a ), it follows from the inition of the latter that there exist η, L such that ( W b k j )[m] = (η, L ) (or alternatively (η, L ) W b k j ), (η, L ) (η, L) k j, which follows from ( W b k j )[m] W a k j [m], which in turn follows from W b k j W a k j, which in turn is immediate from the inition of (k j, W b k j ) (k j 1, W a ), 37

38 (η, L ) Island k j, which follows from W b k j World k j since (η, L ) = ( W b k j )[m], {l 1 : ρ 1 (τ)} (η, L ).Σ 1, which follows from the fact that (η, L).Σ 1 = {l 1 : ρ 1 (τ)}, and (η, L ).Σ 1 (η, L).Σ 1 (η, L ).Σ 1 (η, L) k j.σ 1, which follows, by inition, from (η, L ) (η, L) k j, {l 2 : ρ 2 (τ)} (η, L ).Σ 2, which follows from the fact that (η, L).Σ 2 = {l 2 : ρ 2 (τ)}, and (η, L ).Σ 2 (η, L).Σ 2 (η, L ).Σ 2 (η, L) k j.σ 2, which follows, by inition, from (η, L ) (η, L) k j, L = L k j, which follows from (η, L ) (η, L) k j, and η = η k j, which we conclude from: (k j, η ) L (which follows from (η, L ) Island k j ) (k j, η ) L k j (since L = L k j ) (k j, η ) {(i, η i ) i k j 1 } k j (since L = {(i, η i ) i k j 1 }) (k j, η ) {(i, η i ) i k j} (by the n of law approximation) (η, L ).ψ = ψ k j, which follows from η = η k j since η = (ψ,, {l 1 : ρ 1 (τ)}, {l 2 : ρ 2 (τ)}). (Recall from above that ψ = {(i, W, s 1, s 2) (i, W, s 1(l 1 ), s 2(l 2 )) V τ ρ k j1 }.) Consider arbitrary w W b k j and i < k j. We are required to show (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w.ψ. There are two cases to consider: either w = ( W b k j )[i] where 1 i n and i m, or w = ( W b k j )[m]. Case w = ( W b k j )[i] = w bi k j (where 1 i n and i m) : We are required to show that (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) ( w bi k j ).ψ (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w bi.ψ k j (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w bi.ψ (since i < k j) Note that from s 1b, s 2b : k j1 j 2 W b it follows that w W b. i < k j 1 j 2. (i, W b i, s 1b, s 2b ) w.ψ. Hence, since w bi W b (where 1 i n) and since k j < k j 1 j 2 (which follows from j = j 1 + j 2 + 1), it follows that (k j, W b k j, s 1a, s 2a ) w bi.ψ. 38

39 Let w bi.σ 1 = Σ bi1 and let w bi.σ 2 = Σ bi2. Then it must be that l 1 / dom(σ bi1 ) l 1 / dom( W b k j [i].σ 1 ), which follows from l 1 dom( W b k j [m].σ 1 ) l 1 dom((η, L ).Σ 1 ) (since W b k j [m] = (η, L )) which follows from {l 1 : ρ 1 (τ)} (η, L ).Σ 1, and dom( W b k j [m].σ 1 ) # dom( W b k j [i].σ 1 ), which follows from i m and W b k j World k j (since the locations that distinct islands in W b k j care about must be disjoint), l 2 / dom(σ bi2 ) l 2 / dom( W b k j [i].σ 2 ), which follows from l 2 dom( W b k j [m].σ 2 ) l 2 dom((η, L ).Σ 2 ) (since W b k j [m] = (η, L )) which follows from {l 2 : ρ 2 (τ)} (η, L ).Σ 2, and dom( W b k j [m].σ 2 ) # dom( W b k j [i].σ 2 ), which follows from i m and W b k j World k j (since the locations that distinct islands in W b k j care about must be disjoint), Hence, note that l dom(σ bi1 ). s 1b (l) = s 1b [l 1 v 1b ](l), and l dom(σ bi2 ). s 2b (l) = s 2b [l 2 v 2b ](l). Note that w bi.η Knowledge k j1 j 2, which follows from W b World k j1 j 2 since W b [i] = w bi. Now, from W b.η Knowledge k j1 j 2, together with l dom(σ bi1 ). s 1b (l) = s 1b [l 1 v 1b ](l), l dom(σ bi2 ). s 2b (l) = s 2b [l 2 v 2b ](l), and (k j, W b k j, s 1b, s 2b ) w bi.ψ (from above), it follows that (k j, W b k j, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w bi.ψ. Note that (i, W b i ) (k j, W b k j ) (i, W b k j i ) (k j, W b k j ) (since i < k j) which follows from Lemma 3.16 (page 18) applied to W b k j World k j and i < k j. Next, note that w bi.ψ StoreRel k j1 j 2, which follows from w bi.η Knowledge k j1 j 2. Since w bi.ψ is closed under world extension, and since we have that (k j, W b k j, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w bi.ψ (from above) and (i, W b i ) (k j, W b k j ), it follows that (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) w bi.ψ as required. 39

40 Case w = ( W b k j )[m] = (η, L ) : We are required to show that (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) (η, L ).ψ (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) ψ k j (since (η, L ).ψ = ψ k j ) (i, W b i, s 1b [l 1 v 1b ], s 2b [l 2 v 2b ]) ψ (since i < k j) (i, W b i, s 1b [l 1 v 1b ](l 1 ), s 2b [l 2 v 2b ](l 2 )) V τ ρ k j1 (by inition of ψ) (i, W b i, s 1b [l 1 v 1b ](l 1 ), s 2b [l 2 v 2b ](l 2 )) V τ ρ (since i < k j 1 ) (i, W b i, v 1b, v 2b ) V τ ρ Note that (i, W b i ) (k j 1 j 2, W b ), which follows from Lemma 3.18 (page 18) applied to (i, W b i ) (k j, W b k j ) (i, W b k j i ) (k j, W b k j ) (since i < k j) which follows from Lemma 3.16 (page 18) applied to W b k j World k j and i < k j, and (k j, W b k j ) (k j 1 j 2, W b ), which follows from above. Applying Lemma 3.21 (page 19) to (k j 1 j 2, W b, v 1b, v 2b ) V τ ρ (from above) and (i, W b i ) (k j 1 j 2, W b ), we conclude that (i, W b i, v 1b, v 2b ) V τ ρ as required. (4) (k j, W, v 1, v 2 ) V τ ρ (k j, W b k j, (), ()) V unit ρ, which follows from the inition of V unit ρ since W b k j World k j (from above) and since it is immediate from the typing rules that Σ 1 ( W b k j ) () : unit and Σ 2 ( W b k j ) () : unit. 40

41 Lemma (Compatibility: Ref Equality) Proof If ; Γ; Σ e 1 log e 2 : ref τ and ; Γ; Σ e 1 log e 2 : ref τ, then ; Γ; Σ e 1 == e 1 log e 2 == e 2 : bool. To be filled in. 41

42 Theorem (Fundamental Property) Proof If ; Γ; Σ e : τ then ; Γ; Σ e log e : τ. Proof by induction on the derivation ; Γ; Σ e : τ. Each case follows from the corresponding compatibility lemma (i.e., Lemmas 3.26 through 3.50). 42

43 3.3 Soundness w.r.t. Contextual Equivalence Lemma Proof (Logically Related Terms Are Related in Any Context) If C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ) and ; Γ; Σ e 1 log e 2 : τ, then ; Γ ; Σ C[e 1 ] log C[e 2 ] : τ. Proof by induction on the derivation C : ( ; Γ; Σ τ) ( ; Γ ; Σ τ ). The base case (i.e., when C = [ ]) follows easily from the premise ; Γ; Σ e 1 log e 2 : τ. The remaining cases follow from the induction hypothesis and application of the appropriate compatibility lemma (i.e., one of Lemmas 3.32 through 3.50). 43

44 Value Parametricity and Store Parametricity To prove that the logical relation is sound with respect to contextual equivalance, we will need a notion of store parametricity (see Lemma 3.58 on page 46). Informally, this is the property that if s : Σ and W is a world comprised of one w ref island for each location l dom(σ) (see Definition 3.55, page 45), then s is related to itself at world W for any number of steps k. Notice that to prove this lemma, we will need to show that if Σ(l) = τ, then the value stored at location l in store s (where we know that ; ; Σ s(l) : τ) is related to itself at the type τ (i.e., (k, W, s(l), s(l)) V τ ). To show the latter, we ine a notion of value relatedness below and prove that any well typed value is related to itself in the appropriate value relation V τ ρ, not just in the computation relation E τ ρ as established by the Fundamental Property. Definition (Value Relatedness) Let ; Γ; Σ v 1 : τ and ; Γ; Σ v 2 : τ. ; Γ; Σ v 1 log val v 2 : τ = k 0. ρ, γ, W. ρ D (k, W, γ) G Γ ρ (k, W ) S Σ = (k, W, ρ 1 (γ 1 (v 1 )), ρ 2 (γ 2 (v 2 ))) V τ ρ Lemma (Well-typed Values in Value Relation V τ ) Proof If ; Γ; Σ v : τ then ; Γ; Σ v log val v : τ. Proof by induction on the derivation ; Γ; Σ v : τ. The proofs of all cases are similar to the corresponding compatibility lemmas. In all cases where the value v contains only values as subexpressions, the proof follows by application of the induction hypothesis. However, this is not the case when the value v contains a term e as a subexpression as in the case for functions and type abstraction (which we discuss next). Consider the function case. Suppose ; Γ; Σ λx : τ 1. e : τ 1 τ 2. Then we know that ; Γ, x : τ 1 ; Σ e : τ 2. Here we make use of the Fundamental Property (Lemma 3.51, page 42) to conclude that ; Γ, x : τ 1 ; Σ e log e : τ 2. The rest of the proof is similar to the proof of Lemma 3.39 (compatibility lemma for functions). Similarly, in the case of type abstraction, suppose ; Γ; Σ Λα. e : α. τ 1. Then we have that, α; Γ; Σ e : τ 1. Now from the Fundamental Property (Lemma 3.51, page 42) it follows that, α; Γ; Σ e log e : τ 1. The rest of the proof is similar to that of the Lemma 3.41 (compatibility lemma for type abstraction). 44

State-Dependent Representation Independence

State-Dependent Representation Independence Amal Ahmed TTI-C amal@tti-c.org Derek Dreyer MPI-SWS dreyer@mpi-sws.mpg.de Andreas Rossberg MPI-SWS rossberg@mpi-sws.mpg.de Abstract Mitchell s notion of representation