10 lectures for Part II CST 2012/13. Marcelo Fiore. Course web page: http://www.cl.cam.ac.uk/teaching/1213/DenotSem/
Lecture 1
Introduction
General area. Formal methods: mathematical techniques for the specification, development, and verification of software and hardware systems.
Specific area. Formal semantics: mathematical theories for ascribing meanings to computer languages.
Why do we care?
Rigour: specification of programming languages; justification of program transformations.
Insight: generalisations of notions of computability; higher-order functions; data structures.
Reasoning principles: Scott induction; logical relations; co-induction.
Styles of formal semantics
Operational. Meanings for program phrases defined in terms of the steps of computation they can take during program execution.
Axiomatic. Meanings for program phrases defined indirectly via the axioms and rules of some logic of program properties.
Denotational. Concerned with giving mathematical models of programming languages. Meanings for program phrases defined abstractly as elements of some suitable mathematical structure.
Denotational semantics: the semantics sends a program phrase $P$ to its denotation $[[P]]$.
Each phrase (= part of a program), $P$, is given a denotation, $[[P]]$: a mathematical object representing the contribution of $P$ to the meaning of any complete program in which it occurs. The denotation of a phrase is determined just by the denotations of its subphrases (one says that the semantics is compositional).
Concerns: compositionality (Lectures 5 and 6).
Basic example of denotational semantics
Arithmetic expressions $A \in \mathit{Aexp} ::= n \mid L \mid A + A \mid \ldots$ where $n$ ranges over integers and $L$ over a specified set of locations $\mathbb{L}$.
Boolean expressions $B \in \mathit{Bexp} ::= \mathit{true} \mid \mathit{false} \mid A = A \mid \ldots$
Semantic function $\mathcal{A}[[-]] : \mathit{Aexp} \to (\mathit{State} \to \mathbb{Z})$, where $\mathbb{Z} = \{\ldots, -1, 0, 1, \ldots\}$ and $\mathit{State} = (\mathbb{L} \to \mathbb{Z})$:
$$\mathcal{A}[[n]] = \lambda s \in \mathit{State}.\ n \qquad \mathcal{A}[[L]] = \lambda s \in \mathit{State}.\ s(L) \qquad \mathcal{A}[[A_1 + A_2]] = \lambda s \in \mathit{State}.\ \mathcal{A}[[A_1]](s) + \mathcal{A}[[A_2]](s)$$
Semantic function $\mathcal{B}[[-]] : \mathit{Bexp} \to (\mathit{State} \to \{\mathit{true}, \mathit{false}\})$:
$$\mathcal{B}[[\mathit{true}]] = \lambda s \in \mathit{State}.\ \mathit{true} \qquad \mathcal{B}[[\mathit{false}]] = \lambda s \in \mathit{State}.\ \mathit{false} \qquad \mathcal{B}[[A_1 = A_2]] = \lambda s \in \mathit{State}.\ \mathit{eq}\big(\mathcal{A}[[A_1]](s), \mathcal{A}[[A_2]](s)\big)$$
where $\mathit{eq}(a, a') = \mathit{true}$ if $a = a'$ and $\mathit{eq}(a, a') = \mathit{false}$ if $a \neq a'$.
Commands $C \in \mathit{Com} ::= \mathit{skip} \mid L := A \mid C; C \mid \mathit{if}\ B\ \mathit{then}\ C\ \mathit{else}\ C \mid \mathit{while}\ B\ \mathit{do}\ C$
Semantic function $\mathcal{C}[[-]] : \mathit{Com} \to (\mathit{State} \rightharpoonup \mathit{State})$; the denotation of a command is a partial function on states because a command may fail to terminate.
$$\mathcal{C}[[\mathit{skip}]] = \lambda s \in \mathit{State}.\ s$$
$$\mathcal{C}[[L := A]] = \lambda s \in \mathit{State}.\ \lambda \ell \in \mathbb{L}.\ \mathit{if}\big(\ell = L,\ \mathcal{A}[[A]](s),\ s(\ell)\big)$$
i.e. the state $s$ updated so that $L$ holds the value of $A$ in $s$.
Given $\mathcal{C}[[C]], \mathcal{C}[[C']] : \mathit{State} \rightharpoonup \mathit{State}$ and $\mathcal{B}[[B]] : \mathit{State} \to \{\mathit{true}, \mathit{false}\}$, we can define
$$\mathcal{C}[[\mathit{if}\ B\ \mathit{then}\ C\ \mathit{else}\ C']] = \lambda s \in \mathit{State}.\ \mathit{if}\big(\mathcal{B}[[B]](s),\ \mathcal{C}[[C]](s),\ \mathcal{C}[[C']](s)\big)$$
where $\mathit{if}(b, x, x') = x$ if $b = \mathit{true}$ and $\mathit{if}(b, x, x') = x'$ if $b = \mathit{false}$.
Sequencing. Operationally, sequencing is given by the rule
$$\frac{\langle C, s \rangle \Downarrow s' \qquad \langle C', s' \rangle \Downarrow s''}{\langle C; C', s \rangle \Downarrow s''}$$
and denotationally it is function composition: $\mathcal{C}[[C; C']] = \mathcal{C}[[C']] \circ \mathcal{C}[[C]]$.
While loops. Unfolding the loop once shows that $[[\mathit{while}\ B\ \mathit{do}\ C]]$ must satisfy the fixed point equation $w = f_{[[B]],[[C]]}(w)$, where for $b : \mathit{State} \to \{\mathit{true}, \mathit{false}\}$ and $c : \mathit{State} \rightharpoonup \mathit{State}$ the function $f_{b,c} : (\mathit{State} \rightharpoonup \mathit{State}) \to (\mathit{State} \rightharpoonup \mathit{State})$ is defined as
$$f_{b,c} = \lambda w \in (\mathit{State} \rightharpoonup \mathit{State}).\ \lambda s \in \mathit{State}.\ \mathit{if}\big(b(s),\ w(c(s)),\ s\big).$$
Why does $w = f_{[[B]],[[C]]}(w)$ have a solution? What if it has several solutions: which one do we take to be $[[\mathit{while}\ B\ \mathit{do}\ C]]$?
Approximating $[[\mathit{while}\ B\ \mathit{do}\ C]]$. Starting from the totally undefined partial function $\bot$, the $n$-th iterate of $f_{[[B]],[[C]]}$ is
$$f_{[[B]],[[C]]}^{\,n}(\bot) = \lambda s \in \mathit{State}.\ \begin{cases} [[C]]^k(s) & \text{if } 0 \le k < n,\ [[B]]([[C]]^k(s)) = \mathit{false} \text{ and } \forall 0 \le i < k.\ [[B]]([[C]]^i(s)) = \mathit{true} \\ \text{undefined} & \text{if } \forall 0 \le i < n.\ [[B]]([[C]]^i(s)) = \mathit{true} \end{cases}$$
Partial order on $\mathit{State} \rightharpoonup \mathit{State}$: $w \sqsubseteq w'$ iff for all $s \in \mathit{State}$, if $w$ is defined at $s$ then so is $w'$ and moreover $w(s) = w'(s)$; equivalently, the graph of $w$ is included in the graph of $w'$.
The iterates form an increasing chain $\bot \sqsubseteq f(\bot) \sqsubseteq f^2(\bot) \sqsubseteq \ldots$ in this order, and $[[\mathit{while}\ B\ \mathit{do}\ C]]$ is taken to be its least upper bound, which satisfies the fixed point equation (Lecture 2).
Lecture 2
Least Fixed Points
Thesis. All domains of computation are partial orders with a least element.
Partially ordered sets
A binary relation $\sqsubseteq$ on a set $D$ is a partial order iff it is
reflexive: $\forall d \in D.\ d \sqsubseteq d$
transitive: $\forall d, d', d'' \in D.\ d \sqsubseteq d' \sqsubseteq d'' \Rightarrow d \sqsubseteq d''$
antisymmetric: $\forall d, d' \in D.\ d \sqsubseteq d' \sqsubseteq d \Rightarrow d = d'$.
Such a pair $(D, \sqsubseteq)$ is called a partially ordered set, or poset.
Derived rules: from $x \sqsubseteq y$ and $y \sqsubseteq z$ conclude $x \sqsubseteq z$; from $x \sqsubseteq y$ and $y \sqsubseteq x$ conclude $x = y$.
Monotonicity
A function $f : D \to E$ between posets is monotone iff $\forall x, y \in D.\ x \sqsubseteq y \Rightarrow f(x) \sqsubseteq f(y)$:
$$\frac{x \sqsubseteq y}{f(x) \sqsubseteq f(y)}\ (f \text{ monotone})$$
Least elements and least pre-fixed points
Let $D$ be a poset and let $f : D \to D$ be a function. An element $d \in D$ is a pre-fixed point of $f$ if it satisfies $f(d) \sqsubseteq d$. The least pre-fixed point of $f$, if it exists, is written $\mathit{fix}(f)$. It is thus (uniquely) specified by the two properties:
$$f(\mathit{fix}(f)) \sqsubseteq \mathit{fix}(f) \quad (\mathrm{lfp1}) \qquad\qquad \forall d \in D.\ f(d) \sqsubseteq d \Rightarrow \mathit{fix}(f) \sqsubseteq d \quad (\mathrm{lfp2})$$
Proof principle
1. $f(\mathit{fix}(f)) \sqsubseteq \mathit{fix}(f)$.
2. Let $D$ be a poset and let $f : D \to D$ be a function with a least pre-fixed point $\mathit{fix}(f) \in D$. For all $x \in D$, to prove that $\mathit{fix}(f) \sqsubseteq x$ it is enough to establish that $f(x) \sqsubseteq x$:
$$\frac{f(x) \sqsubseteq x}{\mathit{fix}(f) \sqsubseteq x}$$
Least pre-fixed points are fixed points
If it exists, the least pre-fixed point of a monotone function on a partial order is necessarily a fixed point.
Thesis. All domains of computation are complete partial orders with a least element.
Cpos and domains
A chain complete poset, or cpo for short, is a poset $(D, \sqsubseteq)$ in which all countable increasing chains $d_0 \sqsubseteq d_1 \sqsubseteq d_2 \sqsubseteq \ldots$ have least upper bounds, $\bigsqcup_{n \ge 0} d_n$:
$$\forall m \ge 0.\ d_m \sqsubseteq \bigsqcup_{n \ge 0} d_n \quad (\mathrm{lub1}) \qquad\qquad \forall d \in D.\ \Big(\forall m \ge 0.\ d_m \sqsubseteq d\Big) \Rightarrow \bigsqcup_{n \ge 0} d_n \sqsubseteq d \quad (\mathrm{lub2})$$
A domain is a cpo with a least element $\bot$: $\forall d \in D.\ \bot \sqsubseteq d$.
Derived rules for lubs of chains:
$$\frac{}{x_i \sqsubseteq \bigsqcup_{n \ge 0} x_n}\ (i \ge 0 \text{ and } \langle x_n \rangle \text{ a chain}) \qquad\qquad \frac{\forall n \ge 0.\ x_n \sqsubseteq x}{\bigsqcup_{n \ge 0} x_n \sqsubseteq x}\ (\langle x_n \rangle \text{ a chain})$$
Domain of partial functions, $X \rightharpoonup Y$
Underlying set: all partial functions, $f$, with domain of definition $\mathit{dom}(f) \subseteq X$ and taking values in $Y$.
Partial order: $f \sqsubseteq g$ iff $\mathit{dom}(f) \subseteq \mathit{dom}(g)$ and $\forall x \in \mathit{dom}(f).\ f(x) = g(x)$, iff $\mathit{graph}(f) \subseteq \mathit{graph}(g)$.
Lub of chain $f_0 \sqsubseteq f_1 \sqsubseteq f_2 \sqsubseteq \ldots$ is the partial function $f$ with $\mathit{dom}(f) = \bigcup_{n \ge 0} \mathit{dom}(f_n)$ and
$$f(x) = \begin{cases} f_n(x) & \text{if } x \in \mathit{dom}(f_n), \text{ some } n \ge 0 \\ \text{undefined} & \text{otherwise} \end{cases}$$
Least element $\bot$: the totally undefined partial function.
Some properties of lubs of chains
Let $D$ be a cpo.
1. For $d \in D$, $\bigsqcup_n d = d$.
2. For every chain $d_0 \sqsubseteq d_1 \sqsubseteq \ldots \sqsubseteq d_n \sqsubseteq \ldots$ in $D$, $\bigsqcup_n d_n = \bigsqcup_n d_{N+n}$ for all $N \in \mathbb{N}$.
3. For every pair of chains $d_0 \sqsubseteq d_1 \sqsubseteq \ldots \sqsubseteq d_n \sqsubseteq \ldots$ and $e_0 \sqsubseteq e_1 \sqsubseteq \ldots \sqsubseteq e_n \sqsubseteq \ldots$ in $D$, if $d_n \sqsubseteq e_n$ for all $n \ge 0$ then $\bigsqcup_n d_n \sqsubseteq \bigsqcup_n e_n$.
Derived rule:
$$\frac{\forall n \ge 0.\ x_n \sqsubseteq y_n}{\bigsqcup_n x_n \sqsubseteq \bigsqcup_n y_n}\ (\langle x_n \rangle \text{ and } \langle y_n \rangle \text{ chains})$$
Diagonalising a double chain
Lemma. Let $D$ be a cpo. Suppose that the doubly-indexed family of elements $d_{m,n} \in D$ ($m, n \ge 0$) satisfies
$$m \le m' \ \&\ n \le n' \Rightarrow d_{m,n} \sqsubseteq d_{m',n'}. \qquad (\dagger)$$
Then
$$\bigsqcup_{n \ge 0} d_{0,n} \sqsubseteq \bigsqcup_{n \ge 0} d_{1,n} \sqsubseteq \bigsqcup_{n \ge 0} d_{2,n} \sqsubseteq \ldots \qquad \text{and} \qquad \bigsqcup_{m \ge 0} d_{m,0} \sqsubseteq \bigsqcup_{m \ge 0} d_{m,1} \sqsubseteq \bigsqcup_{m \ge 0} d_{m,2} \sqsubseteq \ldots$$
Moreover
$$\bigsqcup_{m \ge 0} \bigsqcup_{n \ge 0} d_{m,n} = \bigsqcup_{k \ge 0} d_{k,k} = \bigsqcup_{n \ge 0} \bigsqcup_{m \ge 0} d_{m,n}.$$
Continuous functions
A function $f : D \to E$ between cpos is continuous iff it is monotone and preserves lubs of chains: for all chains $d_0 \sqsubseteq d_1 \sqsubseteq \ldots \sqsubseteq d_n \sqsubseteq \ldots$ in $D$,
$$f\Big(\bigsqcup_{n \ge 0} d_n\Big) = \bigsqcup_{n \ge 0} f(d_n) \text{ in } E.$$
Tarski's Fixed Point Theorem
Let $f : D \to D$ be a continuous function on a domain $D$. Then $f$ possesses a least pre-fixed point, given by
$$\mathit{fix}(f) = \bigsqcup_{n \ge 0} f^n(\bot).$$
Moreover, $\mathit{fix}(f)$ is a fixed point of $f$, i.e. satisfies $f(\mathit{fix}(f)) = \mathit{fix}(f)$, and hence is the least fixed point of $f$.
Back to the while loop: $[[\mathit{while}\ B\ \mathit{do}\ C]] = \mathit{fix}(f_{[[B]],[[C]]})$, which is
$$\lambda s \in \mathit{State}.\ \begin{cases} [[C]]^k(s) & \text{if } k \ge 0 \text{ is such that } [[B]]([[C]]^k(s)) = \mathit{false} \text{ and } [[B]]([[C]]^i(s)) = \mathit{true} \text{ for all } 0 \le i < k \\ \text{undefined} & \text{if } [[B]]([[C]]^i(s)) = \mathit{true} \text{ for all } i \ge 0 \end{cases}$$
Lecture 3
Constructions on Domains
Discrete cpos and flat domains
For any set $X$, the relation of equality $x \sqsubseteq x' \Leftrightarrow_{\mathrm{def}} x = x'$ ($x, x' \in X$) makes $(X, \sqsubseteq)$ into a cpo, called the discrete cpo with underlying set $X$.
Let $X_\bot \stackrel{\mathrm{def}}{=} X \cup \{\bot\}$, where $\bot$ is some element not in $X$. Then $d \sqsubseteq d' \Leftrightarrow_{\mathrm{def}} (d = d') \vee (d = \bot)$ ($d, d' \in X_\bot$) makes $(X_\bot, \sqsubseteq)$ into a domain (with least element $\bot$), called the flat domain determined by $X$.
Binary product of cpos and domains
The product of two cpos $(D_1, \sqsubseteq_1)$ and $(D_2, \sqsubseteq_2)$ has underlying set
$$D_1 \times D_2 = \{(d_1, d_2) \mid d_1 \in D_1 \ \&\ d_2 \in D_2\}$$
and partial order $\sqsubseteq$ defined by
$$(d_1, d_2) \sqsubseteq (d_1', d_2') \Leftrightarrow_{\mathrm{def}} d_1 \sqsubseteq_1 d_1' \ \&\ d_2 \sqsubseteq_2 d_2'.$$
Derived rule:
$$\frac{x_1 \sqsubseteq_1 y_1 \qquad x_2 \sqsubseteq_2 y_2}{(x_1, x_2) \sqsubseteq (y_1, y_2)}$$
Lubs of chains are calculated componentwise:
$$\bigsqcup_{n \ge 0} (d_{1,n}, d_{2,n}) = \Big(\bigsqcup_{i \ge 0} d_{1,i},\ \bigsqcup_{j \ge 0} d_{2,j}\Big).$$
If $(D_1, \sqsubseteq_1)$ and $(D_2, \sqsubseteq_2)$ are domains then so is $(D_1 \times D_2, \sqsubseteq)$, with least element $(\bot, \bot)$.
Continuous functions of two arguments
Proposition. Let $D$, $E$, $F$ be cpos. A function $f : (D \times E) \to F$ is monotone if and only if it is monotone in each argument separately:
$$\forall d, d' \in D,\ e \in E.\ d \sqsubseteq d' \Rightarrow f(d, e) \sqsubseteq f(d', e) \qquad\qquad \forall d \in D,\ e, e' \in E.\ e \sqsubseteq e' \Rightarrow f(d, e) \sqsubseteq f(d, e').$$
Moreover, it is continuous if and only if it preserves lubs of chains in each argument separately:
$$f\Big(\bigsqcup_{m \ge 0} d_m,\ e\Big) = \bigsqcup_{m \ge 0} f(d_m, e) \qquad\qquad f\Big(d,\ \bigsqcup_{n \ge 0} e_n\Big) = \bigsqcup_{n \ge 0} f(d, e_n).$$
Derived rules:
$$\frac{x \sqsubseteq x' \qquad y \sqsubseteq y'}{f(x, y) \sqsubseteq f(x', y')} \qquad\qquad f\Big(\bigsqcup_m x_m,\ \bigsqcup_n y_n\Big) = \bigsqcup_k f(x_k, y_k).$$
Function cpos and domains
Given cpos $(D, \sqsubseteq_D)$ and $(E, \sqsubseteq_E)$, the function cpo $(D \to E, \sqsubseteq)$ has underlying set the continuous functions from $D$ to $E$, ordered pointwise:
$$f \sqsubseteq f' \Leftrightarrow_{\mathrm{def}} \forall d \in D.\ f(d) \sqsubseteq_E f'(d).$$
A derived rule:
$$\frac{f \sqsubseteq g \in (D \to E) \qquad x \sqsubseteq y \in D}{f(x) \sqsubseteq g(y)}$$
Lubs of chains of functions are calculated pointwise:
$$\bigsqcup_{n \ge 0} f_n = \lambda d \in D.\ \bigsqcup_{n \ge 0} f_n(d).$$
A derived rule: $\Big(\bigsqcup_n f_n\Big)\Big(\bigsqcup_m x_m\Big) = \bigsqcup_k f_k(x_k)$.
If $E$ is a domain, then so is $D \to E$, with least element $\bot = \lambda d \in D.\ \bot$.
Continuity of composition
For cpos $D$, $E$, $F$, the composition function $\circ : (E \to F) \times (D \to E) \to (D \to F)$ defined by setting, for all $f \in (D \to E)$ and $g \in (E \to F)$,
$$g \circ f = \lambda d \in D.\ g(f(d))$$
is continuous.
Continuity of the fixpoint operator
Let $D$ be a domain. By Tarski's Fixed Point Theorem we know that each continuous function $f \in (D \to D)$ possesses a least fixed point $\mathit{fix}(f) \in D$.
Proposition. The function $\mathit{fix} : (D \to D) \to D$ is continuous.
Lecture 4
Scott Induction
Scott's fixed point induction principle
Let $f : D \to D$ be a continuous function on a domain $D$. For any admissible subset $S \subseteq D$, to prove that the least fixed point of $f$ is in $S$, i.e. that $\mathit{fix}(f) \in S$, it suffices to prove $\forall d \in D\ (d \in S \Rightarrow f(d) \in S)$.
Chain-closed and admissible subsets
Let $D$ be a cpo. A subset $S \subseteq D$ is called chain-closed iff for all chains $d_0 \sqsubseteq d_1 \sqsubseteq d_2 \sqsubseteq \ldots$ in $D$,
$$(\forall n \ge 0.\ d_n \in S) \Rightarrow \Big(\bigsqcup_{n \ge 0} d_n\Big) \in S.$$
If $D$ is a domain, $S \subseteq D$ is called admissible iff it is a chain-closed subset of $D$ and $\bot \in S$. A property $\Phi(d)$ of elements $d \in D$ is called chain-closed (resp. admissible) iff $\{d \in D \mid \Phi(d)\}$ is a chain-closed (resp. admissible) subset of $D$.
Examples of chain-closed subsets
For any cpo $D$ and $d \in D$, the subsets $\{x \in D \mid x \sqsubseteq d\}$ and $\{x \in D \mid d \sqsubseteq x\}$ of $D$, and the subsets $\{(x, y) \in D \times D \mid x \sqsubseteq y\}$ and $\{(x, y) \in D \times D \mid x = y\}$ of $D \times D$, are chain-closed.
Example (I): Least pre-fixed point property
Let $D$ be a domain and let $f : D \to D$ be a continuous function. Then $\forall d \in D.\ f(d) \sqsubseteq d \Rightarrow \mathit{fix}(f) \sqsubseteq d$.
Proof by Scott induction. Let $d \in D$ be such that $f(d) \sqsubseteq d$, and consider the admissible property $\Phi(x) \Leftrightarrow x \sqsubseteq d$ (chain-closed by the example above, and $\bot \sqsubseteq d$). If $x \sqsubseteq d$ then, by monotonicity, $f(x) \sqsubseteq f(d) \sqsubseteq d$; so $\Phi(x) \Rightarrow \Phi(f(x))$. Hence, $\Phi(\mathit{fix}(f))$, that is, $\mathit{fix}(f) \sqsubseteq d$.
Inverse images
If $f : D \to E$ is a continuous function between cpos and $S \subseteq E$ is chain-closed, then $f^{-1} S = \{x \in D \mid f(x) \in S\}$ is a chain-closed subset of $D$.
Example (II)
Let $D$ be a domain and let $f, g : D \to D$ be continuous functions such that $f \circ g \sqsubseteq g \circ f$. Then, $f(\bot) \sqsubseteq g(\bot) \Rightarrow \mathit{fix}(f) \sqsubseteq \mathit{fix}(g)$.
Proof by Scott induction on the property $\Phi(x) \Leftrightarrow f(x) \sqsubseteq g(x) \ \&\ x \sqsubseteq \mathit{fix}(g)$, which is admissible: the first conjunct is the inverse image of $\{(x, y) \mid x \sqsubseteq y\}$ under the continuous $x \mapsto (f(x), g(x))$, the second is a chain-closed subset of the kind above, and $\Phi(\bot)$ holds by the assumption $f(\bot) \sqsubseteq g(\bot)$. If $\Phi(x)$ then
$$f(f(x)) \sqsubseteq f(g(x)) \sqsubseteq g(f(x)) \qquad \text{and} \qquad f(x) \sqsubseteq g(x) \sqsubseteq g(\mathit{fix}(g)) = \mathit{fix}(g),$$
by monotonicity and $f \circ g \sqsubseteq g \circ f$; so $\Phi(f(x))$. Hence $\Phi(\mathit{fix}(f))$, and in particular $\mathit{fix}(f) \sqsubseteq \mathit{fix}(g)$.
Building chain-closed subsets
If $S, T \subseteq D$ are chain-closed subsets of $D$ then $S \cap T$ and $S \cup T$ are chain-closed subsets of $D$. If $\{S_i\}_{i \in I}$ is a family of chain-closed subsets of $D$ indexed by a set $I$, then $\bigcap_{i \in I} S_i$ is a chain-closed subset of $D$. If a property $P(x, y)$ determines a chain-closed subset of $D \times E$, then the property $\forall x \in D.\ P(x, y)$ determines a chain-closed subset of $E$.
Example (III)
Let $F \stackrel{\mathrm{def}}{=} [[\mathit{while}\ X > 0\ \mathit{do}\ (Y := X \cdot Y;\ X := X - 1)]] : \mathit{State} \rightharpoonup \mathit{State}$. Then for all $x, y \ge 0$,
$$F[X \mapsto x, Y \mapsto y] = [X \mapsto 0, Y \mapsto x! \cdot y].$$
Recall that $F = \mathit{fix}(f)$ where $f : (\mathit{State} \rightharpoonup \mathit{State}) \to (\mathit{State} \rightharpoonup \mathit{State})$ is given by
$$f(w) = \lambda s \in \mathit{State}.\ \mathit{if}\big([[X > 0]](s),\ w([[Y := X \cdot Y;\ X := X - 1]](s)),\ s\big).$$
Proof by Scott induction on the admissible subset $S \subseteq (\mathit{State} \rightharpoonup \mathit{State})$ given by
$$S = \{\, w \mid \forall x, y \ge 0.\ w[X \mapsto x, Y \mapsto y] \text{ defined} \Rightarrow w[X \mapsto x, Y \mapsto y] = [X \mapsto 0, Y \mapsto x! \cdot y] \,\}.$$
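The while-language semantics of Lectures 1 and 2 and Example (III) above, as an added example (not code from the lecture notes): a small Python interpreter that builds $\mathcal{A}[[-]]$, $\mathcal{B}[[-]]$ and $\mathcal{C}[[-]]$ as Python functions, models a partial function $\mathit{State} \rightharpoonup \mathit{State}$ by returning None where it is undefined, and computes a while loop as the lub of the chain $f^n(\bot)$ by searching for the first approximant defined at the given state. The operators `sub`, `mul` and `gt` are assumptions needed to write the factorial program (the notes list only $n$, $L$, $A + A$, ...), and the finite set of sample states over which the approximants are tabulated is constructed here; on those states the code checks that the approximants form a chain, that each lies in the admissible set $S$ of Example (III), and that every approximant of `while true do skip` is $\bot$.

```python
# Added example: denotational semantics of the while language (Lectures 1, 2 and 4).
# A partial function State -> State is a Python callable returning None where undefined;
# BOTTOM is the totally undefined one.  sub, mul and gt are assumed here (the notes list
# only n, L, A + A, ...) so that the factorial program of Example (III) can be written.
from math import factorial
from typing import Callable, Dict, List, Optional
State = Dict[str, int]
Partial = Callable[[State], Optional[State]]

def A(a) -> Callable[[State], int]:
    """A[[a]] : State -> Z.  a = ('num', n) | ('loc', L) | ('add'|'sub'|'mul', a1, a2)."""
    tag = a[0]
    if tag == 'num':
        return lambda s: a[1]
    if tag == 'loc':
        return lambda s: s[a[1]]
    op = {'add': lambda x, y: x + y, 'sub': lambda x, y: x - y, 'mul': lambda x, y: x * y}[tag]
    a1, a2 = A(a[1]), A(a[2])
    return lambda s: op(a1(s), a2(s))

def B(b) -> Callable[[State], bool]:
    """B[[b]] : State -> {true, false}.  b = ('true',) | ('false',) | ('eq'|'gt', a1, a2)."""
    if b[0] in ('true', 'false'):
        return lambda s: b[0] == 'true'
    a1, a2 = A(b[1]), A(b[2])
    return (lambda s: a1(s) == a2(s)) if b[0] == 'eq' else (lambda s: a1(s) > a2(s))

BOTTOM: Partial = lambda s: None   # least element of the domain State -> State (partial)

def loop_functional(b, c) -> Callable[[Partial], Partial]:
    """f_{b,c}(w) = lambda s. if(b(s), w(c(s)), s); undefined wherever c(s) or w(c(s)) is."""
    def f(w: Partial) -> Partial:
        def body(s: State) -> Optional[State]:
            if not b(s):
                return s
            s1 = c(s)
            return None if s1 is None else w(s1)
        return body
    return f

def approximant(f, n: int) -> Partial:
    """f^n(BOTTOM), the n-th element of the chain BOTTOM <= f(BOTTOM) <= f^2(BOTTOM) <= ..."""
    w = BOTTOM
    for _ in range(n):
        w = f(w)
    return w

def C(c) -> Partial:
    """C[[c]] : State -> State (partial).  c = ('skip',) | ('assign', L, a) | ('seq', c1, c2) | ('if', b, c1, c2) | ('while', b, c1)."""
    tag = c[0]
    if tag == 'skip':
        return lambda s: s
    if tag == 'assign':
        loc, a = c[1], A(c[2])
        return lambda s: {**s, loc: a(s)}                                     # s[L |-> A[[a]](s)]
    if tag == 'seq':
        c1, c2 = C(c[1]), C(c[2])
        return lambda s: (lambda s1: None if s1 is None else c2(s1))(c1(s))   # C[[c2]] o C[[c1]]
    if tag == 'if':
        b, c1, c2 = B(c[1]), C(c[2]), C(c[3])
        return lambda s: c1(s) if b(s) else c2(s)
    if tag == 'while':
        f = loop_functional(B(c[1]), C(c[2]))
        # fix(f) = lub_n f^n(BOTTOM): its graph is the union of the approximants' graphs, so
        # fix(f)(s) is the value of the first approximant defined at s.  Where no approximant
        # is defined the search does not terminate, which is the loop diverging at s.
        def fix_f(s: State) -> Optional[State]:
            n = 0
            while approximant(f, n)(s) is None:
                n += 1
            return approximant(f, n)(s)
        return fix_f
    raise ValueError(f'unknown command {tag}')

# Example (III): F = C[[while X > 0 do (Y := X * Y; X := X - 1)]] = fix(F_FUNCTIONAL).
FACT = ('while', ('gt', ('loc', 'X'), ('num', 0)),
        ('seq', ('assign', 'Y', ('mul', ('loc', 'X'), ('loc', 'Y'))),
                ('assign', 'X', ('sub', ('loc', 'X'), ('num', 1)))))
F = C(FACT)
F_FUNCTIONAL = loop_functional(B(FACT[1]), C(FACT[2]))
STATES = [{'X': x, 'Y': y} for x in range(6) for y in range(3)]   # constructed sample states

def graph(w: Partial, states: List[State] = STATES) -> Dict[tuple, tuple]:
    """Graph of w restricted to the sample states (states frozen as sorted item tuples)."""
    return {tuple(sorted(s.items())): tuple(sorted(w(s).items())) for s in states if w(s) is not None}

def below(w1: Partial, w2: Partial) -> bool:
    """w1 <= w2 in State -> State (partial): graph inclusion, checked on the sample states."""
    g1, g2 = graph(w1), graph(w2)
    return all(k in g2 and g2[k] == v for k, v in g1.items())

def in_S(w: Partial) -> bool:
    """The admissible S of Example (III): where w[X->x, Y->y] is defined it is [X->0, Y->x!*y]."""
    return all(w(s) is None or w(s) == {'X': 0, 'Y': factorial(s['X']) * s['Y']} for s in STATES)

def scott_induction_checks(n_max: int) -> bool:
    """Each approximant is below the next (a chain) and lies in S; n = 0 is BOTTOM in S."""
    return all(below(approximant(F_FUNCTIONAL, n), approximant(F_FUNCTIONAL, n + 1))
               and in_S(approximant(F_FUNCTIONAL, n)) for n in range(n_max + 1))

def divergent_loop_is_bottom(n_max: int) -> bool:
    """while true do skip: every approximant is BOTTOM, so the loop denotes the undefined function."""
    f = loop_functional(B(('true',)), C(('skip',)))
    return all(graph(approximant(f, n)) == {} for n in range(n_max + 1))
```

The search in `fix_f` is the least fixed point made operational: because the graphs of the approximants are nested, the first approximant defined at $s$ already gives $\mathit{fix}(f)(s)$, and on a state where the loop diverges no approximant is ever defined, so the search itself diverges there. The checking functions only ever evaluate approximants, which always terminate; the number of sample states on which $f^n(\bot)$ is defined grows as $3n$ up to the 18 sample states (stage $n$ covers exactly the states with $X < n$).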
Lecture 5
PCF
PCF syntax
Types $\tau ::= \mathit{nat} \mid \mathit{bool} \mid \tau \to \tau$
Expressions $M ::= 0 \mid \mathit{succ}(M) \mid \mathit{pred}(M) \mid \mathit{zero}(M) \mid \mathit{true} \mid \mathit{false} \mid \mathit{if}\ M\ \mathit{then}\ M\ \mathit{else}\ M \mid x \mid \mathit{fn}\ x : \tau.\ M \mid M\ M \mid \mathit{fix}(M)$
where $x \in \mathbb{V}$, an infinite set of variables.
Technicality: We identify expressions up to $\alpha$-conversion of bound variables (created by the fn expression-former): by definition a PCF term is an $\alpha$-equivalence class of expressions.
PCF typing
$\Gamma \vdash M : \tau$ is the typing relation: $\Gamma$ is a type environment (a finite partial function from variables to types), $M$ is a term, $\tau$ is a type, and the judgement $\Gamma \vdash M : \tau$ holds when it is derivable by the typing rules.
Typing rules (selected):
$$\frac{\Gamma[x \mapsto \tau] \vdash M : \tau'}{\Gamma \vdash \mathit{fn}\ x : \tau.\ M : \tau \to \tau'}\ (\mathrm{:fn})\ \text{ if } x \notin \mathit{dom}(\Gamma) \qquad \frac{\Gamma \vdash M_1 : \tau \to \tau' \qquad \Gamma \vdash M_2 : \tau}{\Gamma \vdash M_1\ M_2 : \tau'}\ (\mathrm{:app}) \qquad \frac{\Gamma \vdash M : \tau \to \tau}{\Gamma \vdash \mathit{fix}(M) : \tau}\ (\mathrm{:fix})$$
Primitive recursion and minimisation
Primitive recursion: $h(x, 0) = f(x)$ and $h(x, y + 1) = g(x, y, h(x, y))$. Minimisation: $m(x) = $ the least $y \ge 0$ such that $k(x, y) = 0$.
PCF evaluation
$M \Downarrow_\tau V$ where $\tau$ is a PCF type, $M, V \in \mathrm{PCF}_\tau$ are closed PCF terms of type $\tau$, and $V$ is a value,
$$V ::= 0 \mid \mathit{succ}(V) \mid \mathit{true} \mid \mathit{false} \mid \mathit{fn}\ x : \tau.\ M.$$
Evaluation rules (selected):
$$\frac{}{V \Downarrow_\tau V}\ (\Downarrow_{\mathrm{val}})\ (V \text{ a value of type } \tau) \qquad \frac{M_1 \Downarrow_{\tau \to \tau'} \mathit{fn}\ x : \tau.\ M_1' \qquad M_1'[M_2/x] \Downarrow_{\tau'} V}{M_1\ M_2 \Downarrow_{\tau'} V}\ (\Downarrow_{\mathrm{cbn}}) \qquad \frac{M\ \mathit{fix}(M) \Downarrow_\tau V}{\mathit{fix}(M) \Downarrow_\tau V}\ (\Downarrow_{\mathrm{fix}})$$
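The evaluation relation above, as an added example (not code from the notes): a call-by-name big-step evaluator for closed PCF terms in Python. The rules for succ, pred, zero and if are the standard PCF ones and are assumed here (the slide shows only (val), (cbn) and (fix)); pred(0) has no value, matching the denotation $\bot$ it is given in Lecture 6. A step budget turns divergence (e.g. $\Omega = \mathit{fix}(\mathit{fn}\ x : \mathit{nat}.\ x)$) into a "no value" result instead of an infinite loop, and the sample terms for addition, multiplication and factorial are hypothetical encodings constructed for this example.

```python
# Added example: call-by-name big-step evaluation M ⇓ V for closed PCF terms.
# Terms are nested tuples: ('0',) ('succ', M) ('pred', M) ('zero', M) ('true',) ('false',)
# ('if', M1, M2, M3) ('var', x) ('fn', x, tau, M) ('app', M1, M2) ('fix', M).
# Types are kept only as annotations (no type checker).  The rules for succ, pred, zero and
# if are the usual PCF ones, assumed here; the slide lists only (val), (cbn) and (fix).
import sys
from typing import Optional, Tuple

Term = Tuple
sys.setrecursionlimit(10_000)   # big-step derivations nest one Python frame per rule

class NoValue(Exception):
    """No derivation M ⇓ V was found: the step budget ran out, or M is stuck (e.g. pred(0))."""

def is_value(m: Term) -> bool:
    """V ::= 0 | succ(V) | true | false | fn x:tau. M"""
    return m[0] in ('0', 'true', 'false', 'fn') or (m[0] == 'succ' and is_value(m[1]))

def subst(m: Term, x: str, n: Term) -> Term:
    """m[n/x].  Only closed n are substituted while evaluating closed terms, so no renaming is needed."""
    tag = m[0]
    if tag == 'var':
        return n if m[1] == x else m
    if tag == 'fn':
        return m if m[1] == x else ('fn', m[1], m[2], subst(m[3], x, n))
    return (tag,) + tuple(subst(sub, x, n) for sub in m[1:])

def evaluate(m: Term, budget: list) -> Term:
    """Return V with m ⇓ V, spending one unit of budget per rule instance."""
    if budget[0] <= 0:
        raise NoValue('step budget exhausted')
    budget[0] -= 1
    tag = m[0]
    if is_value(m):                                     # (val)  V ⇓ V
        return m
    if tag == 'succ':                                   # M ⇓ V  /  succ(M) ⇓ succ(V)
        return ('succ', evaluate(m[1], budget))
    if tag == 'pred':                                   # M ⇓ succ(V)  /  pred(M) ⇓ V   (no rule for 0)
        v = evaluate(m[1], budget)
        if v[0] != 'succ':
            raise NoValue('pred(0) has no value')
        return v[1]
    if tag == 'zero':                                   # M ⇓ 0 / zero(M) ⇓ true;  M ⇓ succ(V) / zero(M) ⇓ false
        return ('true',) if evaluate(m[1], budget)[0] == '0' else ('false',)
    if tag == 'if':                                     # M1 ⇓ true, M2 ⇓ V / if ⇓ V;  M1 ⇓ false, M3 ⇓ V / if ⇓ V
        branch = m[2] if evaluate(m[1], budget)[0] == 'true' else m[3]
        return evaluate(branch, budget)
    if tag == 'app':                                    # (cbn)  M1 ⇓ fn x:tau. M1', M1'[M2/x] ⇓ V  /  M1 M2 ⇓ V
        _, x, _, body = evaluate(m[1], budget)
        return evaluate(subst(body, x, m[2]), budget)   # the argument m[2] is passed unevaluated
    if tag == 'fix':                                    # (fix)  M fix(M) ⇓ V  /  fix(M) ⇓ V
        return evaluate(('app', m[1], m), budget)
    raise ValueError(f'not a closed PCF term: {m}')

def value_of(m: Term, steps: int = 200_000) -> Optional[Term]:
    """The value of closed m, or None when no derivation exists within the budget."""
    try:
        return evaluate(m, [steps])
    except NoValue:
        return None

def numeral(n: int) -> Term:
    return ('0',) if n == 0 else ('succ', numeral(n - 1))

def to_int(v: Optional[Term]) -> Optional[int]:
    """succ^n(0) -> n; None for anything else."""
    k = 0
    while v is not None and v[0] == 'succ':
        v, k = v[1], k + 1
    return k if v is not None and v[0] == '0' else None

# Constructed sample terms (hypothetical encodings, not taken from the notes).
NAT, N2N = 'nat', ('->', 'nat', 'nat')
def var(x): return ('var', x)
def fn(x, t, body): return ('fn', x, t, body)
def app(f, *args):
    for a in args:
        f = ('app', f, a)
    return f

OMEGA = ('fix', fn('x', NAT, var('x')))                                          # diverges
PLUS = ('fix', fn('p', ('->', NAT, N2N), fn('m', NAT, fn('n', NAT,                # plus m n
        ('if', ('zero', var('m')), var('n'), ('succ', app(var('p'), ('pred', var('m')), var('n'))))))))
TIMES = ('fix', fn('t', ('->', NAT, N2N), fn('m', NAT, fn('n', NAT,               # times m n
        ('if', ('zero', var('m')), ('0',), app(PLUS, var('n'), app(var('t'), ('pred', var('m')), var('n'))))))))
FACT = ('fix', fn('f', N2N, fn('n', NAT,                                          # fact n
        ('if', ('zero', var('n')), numeral(1), app(TIMES, var('n'), app(var('f'), ('pred', var('n'))))))))

def fact(n: int) -> Optional[int]:
    return to_int(value_of(app(FACT, numeral(n))))

def ignores_divergent_argument() -> Optional[int]:
    """Call-by-name: (fn x:nat. 0) Ω ⇓ 0, the unused argument Ω is never evaluated."""
    return to_int(value_of(app(fn('x', NAT, ('0',)), OMEGA)))

if __name__ == '__main__':
    print([fact(n) for n in range(4)], ignores_divergent_argument())
    print(value_of(OMEGA, steps=500), value_of(('pred', ('0',))))
```

Because (cbn) substitutes the argument unevaluated, a lazily passed argument that is used several times is re-evaluated each time, so the factorial example is kept to small inputs; the same rule is what lets `(fn x:nat. 0) Ω` evaluate to 0 without ever touching $\Omega$. The value `fn x:nat. (fn y:nat. y) x` is returned unchanged by (val), which is the reason adequacy in Lecture 7 is only claimed at the ground types.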
Contextual equivalence
Two phrases of a programming language are contextually equivalent if any occurrences of the first phrase in a complete program can be replaced by the second phrase without affecting the observable results of executing the program.
Contextual equivalence of PCF terms
Given PCF terms $M_1, M_2$, PCF type $\tau$, and a type environment $\Gamma$, the relation $\Gamma \vdash M_1 =_{\mathrm{ctx}} M_2 : \tau$ is defined to hold iff both $\Gamma \vdash M_1 : \tau$ and $\Gamma \vdash M_2 : \tau$ hold, and for all PCF contexts $\mathcal{C}$ for which $\mathcal{C}[M_1]$ and $\mathcal{C}[M_2]$ are closed terms of type $\gamma$, where $\gamma = \mathit{nat}$ or $\gamma = \mathit{bool}$, and for all values $V : \gamma$,
$$\mathcal{C}[M_1] \Downarrow_\gamma V \iff \mathcal{C}[M_2] \Downarrow_\gamma V.$$
Denotational semantics of PCF (overview)
PCF types $\tau$ are sent to domains $[[\tau]]$. Closed PCF terms $M : \tau$ are sent to elements $[[M]] \in [[\tau]]$. Denotations of open terms will be continuous functions.
Theorem. For all types $\tau$ and closed terms $M_1, M_2 \in \mathrm{PCF}_\tau$, if $[[M_1]]$ and $[[M_2]]$ are equal elements of the domain $[[\tau]]$, then $M_1 =_{\mathrm{ctx}} M_2 : \tau$.
Proof. $\mathcal{C}[M_1] \Downarrow_{\mathit{nat}} V \Rightarrow [[\mathcal{C}[M_1]]] = [[V]]$ (soundness) $\Rightarrow [[\mathcal{C}[M_2]]] = [[V]]$ (compositionality on $[[M_1]] = [[M_2]]$) $\Rightarrow \mathcal{C}[M_2] \Downarrow_{\mathit{nat}} V$ (adequacy), and symmetrically.
Proof principle: to prove $M_1 =_{\mathrm{ctx}} M_2 : \tau$ it suffices to establish $[[M_1]] = [[M_2]]$ in $[[\tau]]$.
The proof principle is sound, but is it complete? That is, is equality in the denotational model also a necessary condition for contextual equivalence?
Lecture 6
Denotational Semantics of PCF
Denotational semantics of PCF
To every typing judgement $\Gamma \vdash M : \tau$ we associate a continuous function $[[\Gamma \vdash M]] : [[\Gamma]] \to [[\tau]]$ between domains.
Denotational semantics of PCF types
$$[[\mathit{nat}]] \stackrel{\mathrm{def}}{=} \mathbb{N}_\bot \ (\text{flat domain}) \qquad [[\mathit{bool}]] \stackrel{\mathrm{def}}{=} \mathbb{B}_\bot \ (\text{flat domain}) \qquad [[\tau \to \tau']] \stackrel{\mathrm{def}}{=} [[\tau]] \to [[\tau']] \ (\text{function domain})$$
where $\mathbb{N} = \{0, 1, 2, \ldots\}$ and $\mathbb{B} = \{\mathit{true}, \mathit{false}\}$.
Denotational semantics of type environments
$$[[\Gamma]] \stackrel{\mathrm{def}}{=} \prod_{x \in \mathit{dom}(\Gamma)} [[\Gamma(x)]] \quad (\Gamma\text{-environments})$$
the domain of partial functions $\rho$ from variables to domains such that $\mathit{dom}(\rho) = \mathit{dom}(\Gamma)$ and $\rho(x) \in [[\Gamma(x)]]$ for all $x \in \mathit{dom}(\Gamma)$.
1. $[[\emptyset]] = \{\bot\}$, where $\bot$ denotes the unique partial function with $\mathit{dom}(\bot) = \emptyset$.
2. $[[x \mapsto \tau]] = \{x\} \to [[\tau]] \cong [[\tau]]$.
3. $[[\Gamma[x \mapsto \tau]]] \cong [[\Gamma]] \times [[\tau]]$.
Denotational semantics of PCF terms
$$[[\Gamma \vdash 0]](\rho) \stackrel{\mathrm{def}}{=} 0 \in [[\mathit{nat}]] \qquad [[\Gamma \vdash \mathit{true}]](\rho) \stackrel{\mathrm{def}}{=} \mathit{true} \in [[\mathit{bool}]] \qquad [[\Gamma \vdash \mathit{false}]](\rho) \stackrel{\mathrm{def}}{=} \mathit{false} \in [[\mathit{bool}]]$$
$$[[\Gamma \vdash x]](\rho) \stackrel{\mathrm{def}}{=} \rho(x) \quad (x \in \mathit{dom}(\Gamma))$$
$$[[\Gamma \vdash \mathit{succ}(M)]](\rho) \stackrel{\mathrm{def}}{=} \begin{cases} [[\Gamma \vdash M]](\rho) + 1 & \text{if } [[\Gamma \vdash M]](\rho) \neq \bot \\ \bot & \text{if } [[\Gamma \vdash M]](\rho) = \bot \end{cases}$$
$$[[\Gamma \vdash \mathit{pred}(M)]](\rho) \stackrel{\mathrm{def}}{=} \begin{cases} [[\Gamma \vdash M]](\rho) - 1 & \text{if } [[\Gamma \vdash M]](\rho) > 0 \\ \bot & \text{if } [[\Gamma \vdash M]](\rho) = 0 \text{ or } [[\Gamma \vdash M]](\rho) = \bot \end{cases}$$
$$[[\Gamma \vdash \mathit{zero}(M)]](\rho) \stackrel{\mathrm{def}}{=} \begin{cases} \mathit{true} & \text{if } [[\Gamma \vdash M]](\rho) = 0 \\ \mathit{false} & \text{if } [[\Gamma \vdash M]](\rho) > 0 \\ \bot & \text{if } [[\Gamma \vdash M]](\rho) = \bot \end{cases}$$
$$[[\Gamma \vdash \mathit{if}\ M_1\ \mathit{then}\ M_2\ \mathit{else}\ M_3]](\rho) \stackrel{\mathrm{def}}{=} \begin{cases} [[\Gamma \vdash M_2]](\rho) & \text{if } [[\Gamma \vdash M_1]](\rho) = \mathit{true} \\ [[\Gamma \vdash M_3]](\rho) & \text{if } [[\Gamma \vdash M_1]](\rho) = \mathit{false} \\ \bot & \text{if } [[\Gamma \vdash M_1]](\rho) = \bot \end{cases}$$
$$[[\Gamma \vdash M_1\ M_2]](\rho) \stackrel{\mathrm{def}}{=} [[\Gamma \vdash M_1]](\rho)\big([[\Gamma \vdash M_2]](\rho)\big)$$
$$[[\Gamma \vdash \mathit{fn}\ x : \tau.\ M]](\rho) \stackrel{\mathrm{def}}{=} \lambda d \in [[\tau]].\ [[\Gamma[x \mapsto \tau] \vdash M]](\rho[x \mapsto d]) \quad (x \notin \mathit{dom}(\Gamma))$$
$$[[\Gamma \vdash \mathit{fix}(M)]](\rho) \stackrel{\mathrm{def}}{=} \mathit{fix}\big([[\Gamma \vdash M]](\rho)\big)$$
Recall that $\mathit{fix}$ is the function assigning least fixed points to continuous functions.
Denotational semantics of PCF
Proposition. For all typing judgements $\Gamma \vdash M : \tau$, the denotation $[[\Gamma \vdash M]] : [[\Gamma]] \to [[\tau]]$ is a well-defined continuous function.
For closed terms, since $[[\emptyset]] = \{\bot\}$, we have $[[\emptyset \vdash M]](\bot) \in [[\tau]]$ ($M \in \mathrm{PCF}_\tau$), and we define $[[M]] \stackrel{\mathrm{def}}{=} [[\emptyset \vdash M]](\bot)$.
Compositionality
Proposition. Let $\Gamma \vdash M : \tau$ and $\Gamma \vdash M' : \tau$ be typing judgements and let $\mathcal{C}$ be a PCF context with $\Gamma' \vdash \mathcal{C}[M] : \tau'$ and $\Gamma' \vdash \mathcal{C}[M'] : \tau'$. If $[[\Gamma \vdash M]] = [[\Gamma \vdash M']] : [[\Gamma]] \to [[\tau]]$ then $[[\Gamma' \vdash \mathcal{C}[M]]] = [[\Gamma' \vdash \mathcal{C}[M']]] : [[\Gamma']] \to [[\tau']]$.
Substitution property
Proposition. Suppose $\Gamma \vdash M : \tau$ and $\Gamma[x \mapsto \tau] \vdash M' : \tau'$ are valid PCF typings, where $x \notin \mathit{dom}(\Gamma)$. Then,
$$[[\Gamma \vdash M'[M/x]]](\rho) = [[\Gamma[x \mapsto \tau] \vdash M']]\big(\rho[x \mapsto [[\Gamma \vdash M]](\rho)]\big)$$
for all $\rho \in [[\Gamma]]$. In particular, when $\Gamma = \emptyset$, $[[M'[M/x]]] = [[x \mapsto \tau \vdash M']]([[M]])$.
Lecture 7
Relating Denotational and Operational Semantics
Soundness and adequacy
Soundness: for all closed terms $M, V \in \mathrm{PCF}_\tau$, $M \Downarrow_\tau V \Rightarrow [[M]] = [[V]]$. Adequacy: for $\gamma \in \{\mathit{nat}, \mathit{bool}\}$ and values $V \in \mathrm{PCF}_\gamma$, $[[M]] = [[V]] \Rightarrow M \Downarrow_\gamma V$.
Adequacy does not extend to function types. For example $[[\mathit{fn}\ x : \tau.\ (\mathit{fn}\ y : \tau.\ y)\ x]] = [[\mathit{fn}\ x : \tau.\ x]]$ in $[[\tau \to \tau]]$, but the first term is a value and so evaluates only to itself, not to $\mathit{fn}\ x : \tau.\ x$.
Adequacy proof idea
1. We cannot proceed to prove the adequacy statement by a straightforward induction on the structure of terms. Consider $M$ to be $M_1\ M_2$ or $\mathit{fix}(M')$.
2. So we proceed to prove a stronger statement that applies to terms of arbitrary types and implies adequacy. This statement roughly takes the form: for a family of formal approximation relations $\lhd_\tau \subseteq [[\tau]] \times \mathrm{PCF}_\tau$,
$$[[M]] \lhd_\tau M \quad \text{for all closed } M \in \mathrm{PCF}_\tau,$$
where at the ground types $\gamma \in \{\mathit{nat}, \mathit{bool}\}$ the relation is chosen so that $[[M]] \lhd_\gamma M$ implies adequacy.
Definition of $\lhd_{\mathit{nat}}$ and $\lhd_{\mathit{bool}}$
$$n \lhd_{\mathit{nat}} M \Leftrightarrow_{\mathrm{def}} \big(n \in \mathbb{N} \Rightarrow M \Downarrow_{\mathit{nat}} \mathit{succ}^n(0)\big)$$
$$b \lhd_{\mathit{bool}} M \Leftrightarrow_{\mathrm{def}} \big(b = \mathit{true} \Rightarrow M \Downarrow_{\mathit{bool}} \mathit{true}\big) \ \&\ \big(b = \mathit{false} \Rightarrow M \Downarrow_{\mathit{bool}} \mathit{false}\big)$$
$[[M]] \lhd_\gamma M$ implies adequacy
Case $\gamma = \mathit{nat}$. Suppose $[[M]] = [[V]]$ for a value $V$. Then $V = \mathit{succ}^n(0)$ and $[[M]] = n$ for some $n \in \mathbb{N}$, so by definition of $\lhd_{\mathit{nat}}$, $[[M]] \lhd_{\mathit{nat}} M$ gives $M \Downarrow_{\mathit{nat}} \mathit{succ}^n(0) = V$. Case $\gamma = \mathit{bool}$ is similar.
Requirements on the formal approximation relations, II
We want to be able to proceed by induction. Consider the case $M = M_1\ M_2$: this calls for a logical definition of $\lhd_{\tau \to \tau'}$.
Definition of $\lhd_{\tau \to \tau'}$
$$f \lhd_{\tau \to \tau'} M \Leftrightarrow_{\mathrm{def}} \forall x \in [[\tau]],\ N \in \mathrm{PCF}_\tau\ \big(x \lhd_\tau N \Rightarrow f(x) \lhd_{\tau'} M\ N\big)$$
Requirements on the formal approximation relations, III
We want to be able to proceed by induction. Consider the case $M = \mathit{fix}(M')$: this calls for an admissibility property.
Admissibility property: for all $M \in \mathrm{PCF}_\tau$, $\{d \in [[\tau]] \mid d \lhd_\tau M\}$ is an admissible subset of $[[\tau]]$.
Further properties. For all $M, N, V \in \mathrm{PCF}_\tau$ and $d, d' \in [[\tau]]$:
1. If $d' \sqsubseteq d$ and $d \lhd_\tau M$ then $d' \lhd_\tau M$.
2. If $d \lhd_\tau M$ and $\forall V\ (M \Downarrow_\tau V \Rightarrow N \Downarrow_\tau V)$ then $d \lhd_\tau N$.
Requirements on the formal approximation relations, IV
We want to be able to proceed by induction. Consider the case $M = \mathit{fn}\ x : \tau.\ M'$: this calls for a statement about open terms. For $x_1 : \tau_1, \ldots, x_n : \tau_n \vdash M : \tau$, if $d_1 \lhd_{\tau_1} M_1, \ldots, d_n \lhd_{\tau_n} M_n$ then
$$[[M]][x_1 \mapsto d_1, \ldots, x_n \mapsto d_n] \lhd_\tau M[M_1/x_1, \ldots, M_n/x_n].$$
For $n = 0$ this reduces to $[[M]] \lhd_\tau M$ for all $M \in \mathrm{PCF}_\tau$.
Fundamental property of the relations $\lhd_\tau$
Theorem. If $\Gamma \vdash M : \tau$ is a valid PCF typing, then for all $\Gamma$-environments $\rho$ and all $\Gamma$-substitutions $\sigma$ such that $\rho(x) \lhd_{\Gamma(x)} \sigma(x)$ for all $x \in \mathit{dom}(\Gamma)$,
$$[[\Gamma \vdash M]](\rho) \lhd_\tau M[\sigma]$$
where $M[\sigma]$ is the PCF term resulting from the simultaneous substitution of $\sigma(x)$ for $x$ in $M$, each $x \in \mathit{dom}(\Gamma)$.
Contextual preorder between PCF terms
Given PCF terms $M_1, M_2$, PCF type $\tau$, and a type environment $\Gamma$, the relation $\Gamma \vdash M_1 \le_{\mathrm{ctx}} M_2 : \tau$ is defined to hold iff both $\Gamma \vdash M_1 : \tau$ and $\Gamma \vdash M_2 : \tau$ hold, and for all PCF contexts $\mathcal{C}$ for which $\mathcal{C}[M_1]$ and $\mathcal{C}[M_2]$ are closed terms of type $\gamma$, where $\gamma = \mathit{nat}$ or $\gamma = \mathit{bool}$, and for all values $V \in \mathrm{PCF}_\gamma$,
$$\mathcal{C}[M_1] \Downarrow_\gamma V \Rightarrow \mathcal{C}[M_2] \Downarrow_\gamma V.$$
At a ground type $\gamma \in \{\mathit{bool}, \mathit{nat}\}$: $M_1 \le_{\mathrm{ctx}} M_2 : \gamma$
Lecture 8
Full Abstraction
Proof principle (recalled)
For all types $\tau$ and closed terms $M_1, M_2 \in \mathrm{PCF}_\tau$, $[[M_1]] = [[M_2]]$ in $[[\tau]]$ implies $M_1 =_{\mathrm{ctx}} M_2 : \tau$. Hence, to prove $M_1 =_{\mathrm{ctx}} M_2 : \tau$ it suffices to establish $[[M_1]] = [[M_2]]$ in $[[\tau]]$.
Full abstraction
A denotational model is said to be fully abstract whenever denotational equality characterises contextual equivalence. The domain model of PCF is not fully abstract. In other words, there are contextually equivalent PCF terms with different denotations.
Failure of full abstraction
Proposition. There are closed terms $T_1, T_2 \in \mathrm{PCF}_{(\mathit{bool} \to (\mathit{bool} \to \mathit{bool})) \to \mathit{bool}}$ with
$$T_1 =_{\mathrm{ctx}} T_2 \qquad \text{and} \qquad [[T_1]] \neq [[T_2]].$$
We achieve $[[T_1]] \neq [[T_2]]$ by making sure that $[[T_1]](\mathit{por}) \neq [[T_2]](\mathit{por})$ for a particular $\mathit{por} \in (\mathbb{B}_\bot \to (\mathbb{B}_\bot \to \mathbb{B}_\bot))$.
Parallel-or function
$\mathit{por} : \mathbb{B}_\bot \to (\mathbb{B}_\bot \to \mathbb{B}_\bot)$ is the continuous function such that
$$\mathit{por}\ \mathit{true}\ \bot = \mathit{true} \qquad \mathit{por}\ \bot\ \mathit{true} = \mathit{true} \qquad \mathit{por}\ \mathit{false}\ \mathit{false} = \mathit{false},$$
in which case it necessarily follows by monotonicity that
$$\mathit{por}\ \mathit{true}\ \mathit{true} = \mathit{true} \qquad \mathit{por}\ \mathit{true}\ \mathit{false} = \mathit{true} \qquad \mathit{por}\ \mathit{false}\ \mathit{true} = \mathit{true}$$
(and $\mathit{por}$ is $\bot$ on the remaining three pairs of arguments).
Proposition (Plotkin). There is no closed PCF term $P : \mathit{bool} \to (\mathit{bool} \to \mathit{bool})$ satisfying $[[P]] = \mathit{por} : \mathbb{B}_\bot \to (\mathbb{B}_\bot \to \mathbb{B}_\bot)$.
PCF terms $T_1$ and $T_2$
For $i = 1, 2$ define
$$T_i \stackrel{\mathrm{def}}{=} \mathit{fn}\ f : \mathit{bool} \to (\mathit{bool} \to \mathit{bool}).\ \mathit{if}\ (f\ \mathit{true}\ \Omega)\ \mathit{then}\ \big(\mathit{if}\ (f\ \Omega\ \mathit{true})\ \mathit{then}\ (\mathit{if}\ (f\ \mathit{false}\ \mathit{false})\ \mathit{then}\ \Omega\ \mathit{else}\ B_i)\ \mathit{else}\ \Omega\big)\ \mathit{else}\ \Omega$$
where $B_1 \stackrel{\mathrm{def}}{=} \mathit{true}$, $B_2 \stackrel{\mathrm{def}}{=} \mathit{false}$, and $\Omega \stackrel{\mathrm{def}}{=} \mathit{fix}(\mathit{fn}\ x : \mathit{bool}.\ x)$ is a divergent term with $[[\Omega]] = \bot$.
Proposition. $T_1 =_{\mathrm{ctx}} T_2$, whereas $[[T_1]](\mathit{por}) = \mathit{true} \neq \mathit{false} = [[T_2]](\mathit{por})$.
PCF+por
Expressions $M ::= \ldots \mid \mathit{por}(M, M)$. Typing rule:
$$\frac{\Gamma \vdash M_1 : \mathit{bool} \qquad \Gamma \vdash M_2 : \mathit{bool}}{\Gamma \vdash \mathit{por}(M_1, M_2) : \mathit{bool}}$$
Evaluation rules:
$$\frac{M_1 \Downarrow_{\mathit{bool}} \mathit{true}}{\mathit{por}(M_1, M_2) \Downarrow_{\mathit{bool}} \mathit{true}} \qquad \frac{M_2 \Downarrow_{\mathit{bool}} \mathit{true}}{\mathit{por}(M_1, M_2) \Downarrow_{\mathit{bool}} \mathit{true}} \qquad \frac{M_1 \Downarrow_{\mathit{bool}} \mathit{false} \qquad M_2 \Downarrow_{\mathit{bool}} \mathit{false}}{\mathit{por}(M_1, M_2) \Downarrow_{\mathit{bool}} \mathit{false}}$$
Denotational semantics of PCF+por
The denotational semantics of PCF+por is given by extending that of PCF with the clause
$$[[\Gamma \vdash \mathit{por}(M_1, M_2)]](\rho) \stackrel{\mathrm{def}}{=} \mathit{por}\big([[\Gamma \vdash M_1]](\rho)\big)\big([[\Gamma \vdash M_2]](\rho)\big)$$
This denotational semantics is fully abstract for contextual equivalence of PCF+por terms:
$$\Gamma \vdash M_1 =_{\mathrm{ctx}} M_2 : \tau \iff [[\Gamma \vdash M_1]] = [[\Gamma \vdash M_2]].$$
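The parallel-or argument above, as an added example (not code from the notes): since $\mathbb{B}_\bot \times \mathbb{B}_\bot$ is finite, every continuous (here: monotone) function from it into $\mathbb{B}_\bot$ can be enumerated in Python. The code computes $\mathit{por}$ as the least monotone function satisfying the three defining equations (recovering the three values forced by monotonicity), evaluates $[[T_1]]$ and $[[T_2]]$ at any such function by following the nested conditionals, and then finds every element of $[[\mathit{bool} \to (\mathit{bool} \to \mathit{bool})]]$ at which the two denotations differ: only $\mathit{por}$ itself. Python's None stands for $\bot$, and representing the curried domain by tables $\mathbb{B}_\bot \times \mathbb{B}_\bot \to \mathbb{B}_\bot$ is a presentational choice made here.

```python
# Added example: por in the flat domain B_⊥, and the denotations of T_1 and T_2.
# None plays ⊥.  [[bool -> (bool -> bool)]] is presented, uncurried, as tables
# B_⊥ × B_⊥ -> B_⊥; on this finite domain continuous = monotone.
from itertools import product
from typing import Dict, List, Optional, Tuple

Bot = Optional[bool]
BOT: Bot = None
B_FLAT: Tuple[Bot, ...] = (BOT, True, False)
INPUTS = list(product(B_FLAT, repeat=2))           # the 9 elements of B_⊥ × B_⊥
Fn = Dict[Tuple[Bot, Bot], Bot]                    # a function B_⊥ × B_⊥ -> B_⊥ as a table

def leq(a: Bot, b: Bot) -> bool:
    """a ⊑ b in the flat domain: ⊥ is below everything, other elements only below themselves."""
    return a is BOT or a is b

def pair_leq(p, q) -> bool:
    return leq(p[0], q[0]) and leq(p[1], q[1])

COMPARABLE = [(p, q) for p in INPUTS for q in INPUTS if pair_leq(p, q)]   # pairs with p ⊑ q

def is_monotone(f: Fn) -> bool:
    return all(leq(f[p], f[q]) for p, q in COMPARABLE)

def monotone_functions() -> List[Fn]:
    """All monotone (= continuous) functions B_⊥ × B_⊥ -> B_⊥, i.e. all of [[bool -> bool -> bool]]."""
    return [f for f in (dict(zip(INPUTS, vs)) for vs in product(B_FLAT, repeat=len(INPUTS)))
            if is_monotone(f)]

def least_monotone_extension(spec: Fn) -> Fn:
    """Least monotone f agreeing with a partial table spec: f(q) = lub of spec(p) over p ⊑ q."""
    f: Fn = {}
    for q in INPUTS:
        lub: Bot = BOT
        for p, v in spec.items():
            if pair_leq(p, q) and v is not BOT:
                if lub is not BOT and lub is not v:
                    raise ValueError(f'spec has no monotone extension at {q}')
                lub = v
        f[q] = lub
    return f

# por is fixed by three values; monotonicity forces three more and leaves the rest ⊥.
POR: Fn = least_monotone_extension({(True, BOT): True, (BOT, True): True, (False, False): False})

def T(i: int, f: Fn) -> Bot:
    """[[T_i]](f), following the three nested ifs: a test that is ⊥ makes the whole
    conditional ⊥, and every Ω branch is ⊥; only the innermost else yields B_i."""
    if f[(True, BOT)] is not True:          # if (f true Ω) then ... else Ω
        return BOT
    if f[(BOT, True)] is not True:          # if (f Ω true) then ... else Ω
        return BOT
    if f[(False, False)] is not False:      # if (f false false) then Ω else B_i
        return BOT
    return True if i == 1 else False        # B_1 = true, B_2 = false

def separating_functions() -> List[Fn]:
    """The elements f of [[bool -> bool -> bool]] at which [[T_1]](f) and [[T_2]](f) differ."""
    return [f for f in monotone_functions() if T(1, f) is not T(2, f)]

if __name__ == '__main__':
    print(T(1, POR), T(2, POR))                      # True False
    print(separating_functions() == [POR])           # True: por is the only separating argument
```

That the only separating argument is $\mathit{por}$ is exactly why $T_1 =_{\mathrm{ctx}} T_2$ rests on $\mathit{por}$ being undefinable: a PCF context can only apply $T_i$ to denotations of PCF terms, and by the proposition above none of those is $\mathit{por}$. The enumeration also makes the monotonicity consequences concrete: any monotone table that agrees with the three defining equations must agree with $\mathit{por}$ everywhere.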