Correctness of Program Translations for Observational Semantics

ing from these examples, a calculus in our framework consists of a collection of types, typed programs, typed contexts, a notion of observation and a notion of closedness. In the following we use a slightly more neutral terminology and, instead ACM Transactions on Programming Languages and Systems, Vol. V, No. N, Month 20YY. Correctness of Program Translations for Observational Semantics · 9 of contexts, speak of tests or observers. This makes it easier to fit formalisms without an obvious notion of context into the framework, like abstract machines. Definition 2.8 (OSP calculus). A program calculus with observational semantics (OSP-calculus) is a tuple (T ,P,O,OBS,G, CO) where —T is a set of types, ranged over by τ . —P is a family of sets Pτ for every type τ ∈ T , where Pτ is the set of programs of type τ , ranged over by p. In abuse of notation we write P for ⋃ τ∈T Pτ . —O is a family of sets of functions Oτ1,τ2 for every pair τ1, τ2 ∈ T of types, called observers, with O : Pτ1 → Pτ2 for O ∈ Oτ1,τ2 , such that —the identity function Idτ is included in Oτ,τ for every type τ . —O is closed wrt. function composition, i.e. for all τ1, τ2, τ3 ∈ T and all O1 ∈ Oτ1,τ2 , O2 ∈ Oτ2,τ3 : O2 ◦O1 ∈ Oτ1,τ3 . For notational convenience we write O for ⋃ τ1,τ2∈T Oτ1,τ2 . —OBS = {⇓1,⇓2, . . .} is a set of observations (or convergence predicates) where each ⇓i is a predicate on P written in postfix notation. For an observation ⇓i we write ⇑i for its negation, i.e. p ⇑i iff p⇓i does not hold. —G is a predicate on P, where we write G(p) if G holds for p. Intuitively, we think of G(p) as meaning that p is a closed program. —CO (closing observers) is a family of sets of functions COτ for every type τ ∈ T , such that ∅ 6 = COτ ⊆ Oτ,τ and such that CO is closed w.r.t. function composition, i.e. for all τ1, τ2, τ3 ∈ T and all D1 ∈ COτ1,τ2 , D2 ∈ COτ2,τ3 : D2 ◦D1 ∈ COτ1,τ3 . The following conditions relating CO and G must hold: (OSP-C1) For all types τ and all p ∈ Pτ , there is some D ∈ COτ , such that G(D(p)) holds. (OSP-C2) For all programs p ∈ Pτ , all D ∈ COτ : G(p) =⇒ G(D(p)). (OSP-C3) For all programs p ∈ Pτ , all D ∈ COτ and for all i: G(p) =⇒ (D(p)⇓i ⇐⇒ p⇓i). The above examples match this definition by taking Pτ to be the set of (all or only the closed) expressions of type τ , Oτ1,τ2 the set of τ2-valued contexts with hole of type τ1, and where C(t) is C[t]. In Examples 2.1, 2.2, 2.3 and 2.4, the observations are {⇓1,⇓2, . . .} = {↓}, in Example 2.6 we have {⇓1,⇓2, . . .} = {↓,⇓}, and in Example 2.7 the observations are {⇓1,⇓2, . . .} = {↓n | n ∈ Z}. The motivation for including G and CO (test for closedness and a set of closing observers, respectively) is to provide a common framework for call-by-name and call-by-value calculi and their contextual equivalence relation (see Example 2.3). The closing observers from CO may be used to close expressions before applying the tests. However, CO should be chosen as a particular small subset of the observers that behave similar to substitutions that replace free variables by closed expressions. For example, in lambda calculi, an appropriate choice of CO would be the closed (substitutive) contexts (λx1, . . . xn.[·]) s1 . . . sn and their compositional closure. It is also possible to permit the substitutions {x1 7→ a1, . . . , xn 7→ an} where ai are 2A predicate is understood like a function from programs to Boolean values ACM Transactions on Programming Languages and Systems, Vol. V, No. N, Month 20YY. 10 · Manfred Schmidt-Schauß et al. closed values (or other closed programs), provided the substitutions are observers. On the other hand, if CO would be chosen as all closed contexts, then the last property of Definition 2.8 is in general false, since for example in call-by-value lambda calculi: true↓, and for D := (Ω [·]), we have D[true]↑. The abstract properties of OSP-calculi are sufficient to ensure that observational equivalence is a congruence (proved in Proposition 2.10). In our example calculi (Example 2.1,2.2, 2.3, 2.4, 2.6, and 2.7) so far, the conditions on G and CO hold using the substitutive contexts and their compositions, or the substitutions: Every expression can be closed with some observer from CO and for closed expressions e, the expression D[e] for D ∈ CO has the same convergence behavior as e. In Example 2.1, the lazy lambda calculus, the most appropriate modeling is to use the definition of contextual equivalence via closing contexts. However, it is also possible to choose G to be true for all programs and use the singleton containing the empty context (i.e. the identity observer) as the set CO, which results in the same contextual equivalence. Definition 2.8 allows for untyped calculi by considering a single, ‘universal’ type. Note that in this case the conditions simply state that O is a monoid with unit Id . The definition of contextual equivalence generalizes in the evident way from the above examples. In fact, we will also consider a preorder that allows more flexibility and is an analogue of the domain-theoretic information preorder. Definition 2.9 Observational preorder and observational equivalence. For a fixed OSP calculus, and for each τ ∈ T , we define the following relations on Pτ : —p1 ≤⇓i,τ p2 iff for all τ ′ ∈ T and all O ∈ Oτ,τ ′ , if G(O(p1)) and G(O(p2)), then O(p1)⇓i implies O(p2)⇓i. —p1 ≤τ p2 iff ∀i : p1 ≤⇓i,τ p2. —p1 ∼⇓i,τ p2 iff p1 ≤⇓i,τ p2 and p2 ≤⇓i,τ p1. —p1 ∼τ p2 iff p1 ≤τ p2 and p2 ≤τ p1. The relations ≤⇓i,τ and ≤τ are precongruences, and the relations ∼⇓i,τ and ∼τ are congruences, in the following sense: Proposition 2.10 (Pre-) congruence. (1 ) The relations ≤⇓i,τ and ≤τ are precongruences, i.e. they are preorders, and p1 ≤⇓i,τ p2 implies O(p1) ≤⇓i,τ ′ O(p2) for all O ∈ Oτ,τ ′ (similarly for ≤τ ). (2 ) The relations ∼⇓i,τ and ∼τ are congruences, i.e. they are precongruences and equivalence relations. Proof. It is easy to see that ≤⇓i,τ is reflexive. In order to check that each ≤⇓i,τ is transitive, let p1 ≤⇓i,τ p2 ≤⇓i,τ p3 and O be an observer in Oτ,τ ′ , such that G(O(p1)) and G(O(p3)), and such that O(p1)⇓i. We have to show that O(p3)⇓i. If G(O(p2)), then O(p1)⇓i implies O(p2)⇓i, which in turn implies O(p3)⇓i. In the other case, there is some observer D ∈ COτ ′ , such that G(D(O(p2))). By the conditions on G, D(O(p1))⇓i ⇐⇒ O(p1)⇓i and D(O(p3))⇓i ⇐⇒ O(p3)⇓i, hence D(O(p1))⇓i. Since D ◦ O is also an observer, we obtain D(O(p2))⇓i, and also ACM Transactions on Programming Languages and Systems, Vol. V, No. N, Month 20YY. Correctness of Program Translations for Observational Semantics · 11 D(O(p3))⇓i, since G(D(O(p3))), and thus O(p3)⇓i. It remains to show that ≤⇓i,τ is compatible with observers: Let p1 ≤⇓i,τ p2 and O ∈ Oτ,τ ′ . For any observer O ′ ∈ Oτ ′,τ ′′ with G(O(O(p1))) and G(O(O(p2))) the inequation p1 ≤⇓i,τ p2 obviously implies O(O(p1))⇓i =⇒ O(O(p2))⇓i, since O′ ◦O is also an observer. Part (2) of the proposition follows immediately from the first part and the definition of ∼τ in terms of ≤τ . Lemma 2.11. Let p1, p2 be programs of the same type τ with G(p1),G(p2). If p1⇓i and one of the following holds: p1 ∼τ p2, p1 ∼⇓i,τ p2, p1 ≤τ p2, or p1 ≤⇓i,τ p2, then also p2⇓i. In the following, types are sometimes omitted in the notation, and we implicitly assume that type information follows from the context. 2.3 Further Examples The framework may be instantiated by lambda calculi with a small-step operational semantics, like the lazy lambda calculus, call-by-name and call-by-value PCF as in our previous examples, etc. Also abstract machines fit into the framework where machine environments, stacks, heaps etc. may be modelled as observers. We also do not rely only on small-step semantics, also calculi with big-step operational semantics fit into our framework. We sketch some further examples to illustrate the range of situations that fit the definition of an abstract OSP calculus. In particular, Definition 2.8 captures not only variants of the lambda calculus, but can also be applied to process calculi: Example 2.12 CCS. CCS [Milner 1989] may be viewed as an (untyped) OSP calculus: for a fixed action set Σ, both programs and observers are given by the set of CCS processes P,Q, . . ., and P ◦Q as well as P (Q) are given by the parallel composition P |Q. More precisely, observers are given by the functions fP with fP (Q) = P |Q. By considering observation predicates ↓σ for every σ ∈ Σ such that P↓σ holds if σ is a trace of P , we obtain a trace-based testing equivalence ∼ on processes. Variations are possible, for instance by restricting the observations to finite traces σ ∈ Σ∗ (see [Nain and Vardi 2007]). The term “calculus” in Definition 2.8 is to be understood in a loose sense. For instance, also semantic models fit in: Example 2.13 Cpos. A semantic counterpart to PCF, as described in Example 2.3, is given by ω-complete pointed partial orders (cppos) and continuous maps. More precisely, if DB and DN are the flat cppos with underlying sets {0, 1} and Z respectively, we let Dτ1→τ2 = Dτ1 → (Dτ2)⊥ be the set of strict continuous functions from Dτ1 to Dτ2 extended with a new least element, and order Dτ1→τ2 pointwise. We can then take Pτ to be the underlying set of Dτ . The observers are continuous maps, i.e., Oτ1→τ2 = Dτ1 → Dτ2 , and for a ∈ Pτ the observation a↓ holds if a 6= ⊥. In this example, a ∼τ a′ if and only if a = a′.