Full Abstraction for Idealized Algol with Passive Expressions

model of Idealized Algol raises signi cant problems over and above those associated with the full abstraction problem for PCF [20, 29]. In a previous paper [5, 6], we gave the rst fully abstract model of Idealized Algol with active, i.e. possibly side-e ecting, expressions. It is signi cantly harder to capture the \pure" version of Idealized Algol originally proposed by Reynolds, in which a sharp distinction is drawn between \active" types such as commands, which are allowed to have side-e ects, and \passive" types such as expressions, which are not. In the present paper we will give a fully abstract model for the pure language. This will be done by re ecting the distinction between active and passive types in our model, which is based on game semantics [1, 11, 16, 17, 4, 3, 9, 22]. It is further evidence of the exibility and tractability of game semantics that it is possible to capture such a subtle behavioural condition in a compositional fashion, preserving the good properties of categories of games. 2 Idealized Algol Idealized Algol is an applied simply-typed -calculus, with a suitable stock of constants to express basic imperative features. For notational simplicity, we shall consider the version of Idealized Algol with a single basic data type N of natural numbers. The base types of Idealized Algol are then B ::= exp[N] j var[N] j com i.e. natural-number-valued expressions, assignable program variables in which natural numbers can be stored, and commands. We shall generally write simply exp and var rather than exp[N] and var[N]. The types of Idealized Algol are given by T ::= B j T ) T: The constants of the language are as follows: Recursion combinators YT : (T ) T )) T for each type T ; conditionals if0B : exp ) B ) B ) B for each base type B. We shall also make use of a family of conditional operators casem : exp) B ) ) B | {z } m ) B for each natural numberm and base type B. The term casemM N1 : : :Nm rst evaluates M to some number n, and then evaluates the term Nn provided 1 n m. Note that the constants casem can be de ned up to observation equivalence in terms of the ordinary conditional. The reason for adding them to the language explicitly is to ease the proof of our full abstraction result; 2 arithmetic operations n : exp (for n 2 N) succ; pred : exp) exp command sequencing seq : com) com) com skip : com variable dereferencing and assignment deref : var) exp assign : var) exp) com variable constructormkvar : exp) (exp) com)) var block structure new : (var) com)) com: With these constants, we can encode the usual imperative constructs. Examples 1. x := x+ 1 is represented by x : var ` assign x (succ (deref x)) : com: 2. while :(x = 0) do x := x 1 is represented by x : var ` Ycom( c : com: if0com (deref x) skip (seq (assign x (pred(deref x))) c)) : com: 3. The code new x in (x := 0; p(x := x+ 1); if x = 0 then else skip ) translates into p : com) com ` new( x : var: seq (assign x 0) (seq (p(assign x (succ(deref x)))) (if0com (deref x)) skip))) : com: 3 It is worth noting how the translation into Idealized Algol forces us to be precise about the types of the variables, and whether they occur free or bound. Idealized Algol is surprisingly expressive. For example, scoped arrays with dynamically computed bounds can be introduced by de nitional extension [37], as can classes, objects and methods [31]. It can thus serve as a prototypical language combining state and block structure with higher-order functional features in the same way that PCF has been studied as a prototypical functional language. A remark about mkvar It is well-known that Algol-like languages may contain so-called bad variables, that is, entities of type var which do not have the behvaiour of storage cells. For example, consider the behaviour of x : var; y : var ` if0var (deref x) x y over several uses. Reynolds [32] analyses such variables in an object-oriented fashion, treating them as objects with a \read method" of type exp and a \write method" of type exp) com. The mkvar construct allows such an object to be constructed from its methods. For example, x : var ` mkvar (deref x) ( n : exp: assign x (succ (deref x))) gives a variable object whose write method always increments x by one, regardless of the value passed in to be written. 3 Active vs Passive Types The simplicity of the syntactic presentation of Idealized Algol is misleading: the operational intentions behind the imperative features impose non-trivial constraints on a model if they are to be captured accurately. In particular, notice that the set of constants has been carefully chosen so that expression evaluation cannot have side-e ects. This means, for example, that in any Idealized Algol term-in-context ; x : var `M : exp the term M cannot perform any assignments to x. On the other hand, if exp is replaced by com, this clearly no longer holds, e.g. ; x : var ` x := 1 : com: (In contrast, the language considered in [5, 6] has explicit constants to allow expressions to have side-e ects. We shall refer to this extended language as Idealized Algol with active expressions or IAa for short; the pure language will be known as IA.) Say that a type T is passive if no term `M : T can have side-e ects on the variables in ; otherwise T is active . The basic example of a passive type is 4 exp; and the passive types form an exponential ideal, i.e. if P is passive then so is T ) P for any type T (since for example the activity of ` x:M : T ) P would contradict the assumed passivity of ; x : T `M : P ). The basic example of an active type is com. What about var? Following Reynolds [32], we can identify var with the product of its two \access methods"; reading (deref) and writing (assign): var = exp (exp) com): Under this identi cation, deref and assign are simply rst and second projection respectively. Dually, the constant mkvar is essentially the pairing operation for this type. (The reader should be warned that this is not quite the interpretation we shall give to var in our model.) Then we see that var combines both aspects, since reading is passive, while writing is active. 4 Models of Idealized Algol What should a model of Idealized Algol look like? Since the language is an applied simply-typed -calculus, we should expect to model it in a cartesian closed category C [14]. To accommodate the recursion in the language, we can ask for C to be cpo-enriched [13], or more minimally to be rational [1]. To capture the distinction between active and passive types, we assume that C has a full subcategory P of \passive objects", which forms an exponential ideal. For modelling exp, we require a passive object N such that there is an order-isomorphism C(1;N) = N? between the \points" of N and the usual at domain of natural numbers. We will use this to interpret the numerals n as morphisms [[n]] : 1! N (for n 2 N). We also assume there are morphisms s; p : N ! N which track the action of succ and pred on N? . The conditionals are to be interpreted similarly. All of this can be stated more succinctly by saying that C has standard datatypes : see [2]. We further assume an active object com of C, and morphisms [[skip]] : 1! com, [[seq]] : 1 ! (com ) com ) com). One should understand com as a unit type, i.e. a one-element data-type, with the proviso that it is an active unit type. Thus we expect the points of com to be in order-isomorphism with the Sierpinski poset 1?. We think of the single non-bottom element of com (the point [[skip]]) as signaling successful termination; [[seq]] forces each of its arguments to be evaluated in turn, thus having exactly the intended e ect of sequential composition. (We can also think of [[seq]] as a \unary conditional".) Finally, as already indicated, we think of var as a product var = exp comN where comN is the product of countably many copies of com. We use comN rather than exp ) com since assignment is intended to be a strict operation, 5 and assume a retraction c : comN exp) com : r so that we can de ne [[deref]] = fst [[assign]] = c snd [[mkvar]]ef = he; r fi: 5 The Functional/Imperative Boundary At this point, the reader should be experiencing a sense of vertigo, or at least puzzlement. We have provided a notion of model for Idealized Algol which is only the mildest extension of the usual notion of model for PCF, and yet which appears to account for all the imperative features of the language, without introducing states or any other device for explicitly modelling assignable variables! What is going on? The answer is indeed a very interesting consequence of Reynolds' analysis of imperative languages, although it is one which, as far as we are aware, he has not himself explicitly drawn. Firstly, note that a more precise statement is that the notion of model we have developed to this point accounts for everything in Idealized Algol except the new constants, i.e. block structure. We refer to the sub-language obtained by omitting the new constants as IA fnewg. We can now formulate the following thesis: IA fnewg is a pure functional language. At rst sight, this seems nonsensical, since the usual \basic imperative language" [38], which does not include block structure, can be represented in IA fnewg, as shown in Section 2. However, recall that the process of translating an imperative language into IA forced us to be more explicit about free and bound variables. The \basic imperative language" of the textbooks actually relies on an implicit convention by which the program variables, which are all global, are bound (and possibly initialized) at the top level. We claim that it is only when identi ers of type var are bound to actual \storage cell objects"|which is exactly what the new constants do|that real imperative behaviour arises. Of course, to substantiate this claim, we must show, not only that our simple speci cation of a \functional model" for IA fnewg su ces to interpret the syntax, but that actual models so arising do faithfully re ect the concepts in the language, and capture the operational behaviour of programs. We can in fact do this in a very strong sense. As we shall see in Section 8, a small modi cation of the categories of games used to give the rst syntax-independent constructions of fully abstract models for PCF [1, 11, 22], when used to give models for IA fnewg in the way we have described, again yield fully abstract models. Indeed, for IAa, exactly the same categories can be used; the re nement 6 we introduce here is necessary to capture the distinction between active and passive types. Moreover, the proof of full abstraction is a very easy extension of that for PCF, and can be given at the axiomatic level introduced in [2]. This latter point means that any model of the axioms in [2] yields a fully abstract model of IAa fnewg; re ned axioms can be given which describe fully abstract models of pure IA fnewg. Firstly, however, we shall turn to the question of modelling the new constants. 6 The semantics of new Our previous discussion has located the functional/imperative boundary, the point at which genuinely \stateful" behaviour arises, in the semantics of the new constant. What are the key features of this construct? Locality The \object" created by a local declaration new x in C must be \private" to C. This causes problems for traditional models based on representing the state in a global, monolithic fashion by a mapping from \locations" to values. The functor-category approaches [27, 37] address this problem by replacing the global state by a functor varying over \stages". Irreversibility When a variable is updated, the previous value is lost. Again, models based on representing states as functions nd it hard to account for this feature. For good discussions of this point see [23, 30]. Sharing Multiple occurrences of a variable in a functional program refer, conceptually at least, to di erent \copies" of the same, unchanging value (\referential transparency"); this implies that the temporal order in which these occurrences are dereferenced makes no di erence to the outcome. By contrast, multiple references to an assignable variable refer to di erent time-slots in the life of a single underlying object with state which changes over time; this is sharing rather than copying. How can we capture these features? The point of view we wish to adopt is one we have already hinted at, and indeed appears in a signi cant line of previous work [19, 21, 30]. We want to understand new x in C as binding the free identi er x of type var to an \object" or \process" which gives the behaviour of a storage cell. The behaviour of new x in C then arises from the interaction between C and this cell, which is \internalized", i.e. hidden from the environment. Such an account immediately addresses two of the key features of new noted above: Locality is addressed, since the interaction between C and the storage cell process is hidden from the environment. Irreversibility is addressed, since the state of the storage cell will change as C interacts with it. 7 How can we formalize this idea in our current framework? A rst attempt is to consider introducing a constantcell : 1 ! var such that, if f : var ! com, new(f) is given by the composition new(f) = 1 cell var fcom: The idea is that cell gives the \behaviour" of our storage cell process. However, recalling that var = exp comN this is clearly hopeless, since a constant of this type, which in particular will supply a constant value every time we read from the variable, is clearly just what we don't want!|We need to take account of the changing state of the variable. At this point we produce our deus ex machina: Linear Logic! Up to this point, we have been working exclusively with intuitionistic types; since everything except new was essentially functional, this was all we needed, at least to get a model. But now we need a loop-hole to get some access to the dynamics, and Linear Logic provides such a loop-hole. Suppose then that our cartesian closed category C arises as C = K!(L), the co-Kleisli category of a Linear category L with respect to the ! comonad [7, 33]. The intuitionistic function types we have been using get their standard decompositions into the Linear types: A) B = !A( B: In particular, we see that the type of new is: new : !( !var( com)( com: Now suppose that we have a morphism cell : I ! !var: 8 Then we can de ne new as the composition !( !var( com) !var( com der ? ( !var( com) I = ? ( !var( com) !var id cell ? com: Ap ? (Here der is the dereliction map (the counit of !), and Ap is the linear application.) Note that Linear types really are necessary here. If we had a constant cell : var in the language, and tried to de ne newf = f cell; then this would be interpreted in K!(L) by I celly0!var fcom where celly0 is the \promotion" of a morphism cell0 : I ! var: But the promotion will behave \uniformly" in each copy of var, whereas we clearly need behaviour which is history-sensitive, and depends on the previous history of accesses to other \copies" (which are really the previous time slots of the single shared underlying object with state). Thus the cell morphism we require will not be of the form celly0 for any cell0 : I ! var. Provided that we can de ne a suitable morphism cell : I ! !var 9 which does capture the behaviour of a storage cell object, then we have completed our semantics of Idealized Algol. In Section 9 we shall see that this can indeed be done for a suitable category of games, and by this means we will obtain the rst fully abstract model of Idealized Algol. The point to be emphasized here is how small an increment from the modelling of PCF is required to capture Idealized Algol, provided a su cient handle on the dynamics is present in our semantics in order to de ne the cell morphism. The key feature of game semantics is that the dynamics is already there. How is sharing represented in this approach? Firstly, the multiple references to a variable are interpreted using the cocommutative comonoid structure of !var, i.e. the contraction rule, so that the interpretation of a block new x in C looks like: !var I cell!var ... [[C]]com !var The contraction merges the accesses to the variable x arising from the various occurrences of it in C into a single \event stream". The task of the cell morphism is to impose the appropriate causality on this event stream, so that in particular a read will return the last value written. 7 A re ned games model We describe a cartesian closed category of games, Ca=p, built over a linear category Ga=p, which re nes those presented in [17, 16, 5, 6]; in fact, both the category of innocent strategies used to model functional languages and the category of history-sensitive strategies, which captures IAa, are contained as full subcategories of Ca=p. This hybrid nature allows us to model precisely the combination of functional and imperative behaviour present in pure IA. The re nement is quite simple: moves of our games are classi ed as either active or passive. The idea is that active moves make a change to the state, having a persistent e ect, while passive moves do not. Strategies are constrained to play innocently (i.e. functionally) with respect to passive moves but may exhibit arbitrary history-sensitive behaviour with respect to active moves. In our model of IA, the only active moves are those pertaining to the assignment operation. Assignments change the state for good; all other actions merely make passive use of the store. 10 7.1 Games As indicated above, the games to be introduced below are a reasonably straightforward re nement of those previously used in [17, 16, 5, 6]. In the development which follows, we will place special emphasis on the new features introduced by the active/passive distinction, and will only give those proofs which depend on the new features. For a full account of the simpler underlying setup, see [17]. De nition An a/p-arena A is speci ed by a structure hMA; A;`Ai where MA is a set of moves ; A : MA ! fO;Pg fQ;Ag fact; passg is a labelling function which indicates whether a move is by Opponent (O) or Player (P), whether it is a question (Q) or an answer (A), and whether it is active (act) or passive (pass). We refer to the three components of A as OP A , QA A and a=p A and write A for the function A with the O/P part reversed, so that A(m) = (O;Q; pass) () A(m) = (P;Q; pass) and so on. If OP(m) = O, we callm an O-move; otherwise,m is a P-move; `A is a relation between MA+ f?g (where ? is just a dummy symbol) and MA, called enabling , which satis es (e1) ? `A m) OP A (m) = O ^ QA A (m) = Q ^ [n `A m () n = ?]; (e2) m `A n ^ QA A (n) = A) QA A (m) = Q; (e3) m `A n ^m 6= ?) OP A (m) 6= OP A (n). (e4) m `A n ^ n active) m active or m = ?. The idea of the enabling relation is that when a game is played, a move can only be made if a move has already been made to enable it. The ? enabler is special|it says which moves are enabled at the outset. A move m such that ? `A m is called initial . Conditions (e2) and (e3) say that answers are enabled by questions, and that the protagonists always enable each other's moves, never their own. Condition (e4) was not present in previous de nitions of games. It ensures that active moves can only be enabled by other active moves, thus constraining when active play can begin. Given an arena, we are interested in sequences of moves of a certain kind. Before de ning these, let us x our notation for operations on sequences. If s and t are sequences, we write st for their concatenation. We also write sa for the sequence s with element a appended. Sometimes we use the notation s t or s a when it aids legibility. The empty sequence is written as ". We use v for the pre x ordering on sequences. If n is an element of a sequence s, then s n denotes the pre x of s up to and including n, while s<n is the same but excludes n. 11 De nition A justi ed sequence in an arena A is a sequence s of moves of A, together with an associated sequence of pointers: for each non-initial move m in s, there is a pointer to a move n earlier in s such that n `A m. We say that the move n justi es m. Note that the rst move in any justi ed sequence must be initial, since it cannot possibly have a pointer to an earlier move attached to it; so by (e1), justi ed sequences always start with an opponent question. Given a justi ed sequence s, de ne the player view psq and opponent view xsy of s by induction on jsj, as follows. p"q = ": psmq = psqm; if m is a P-move. psmq = m; if ? ` m. psmtnq = psqmn; if m justi es n and n is an O-move. x"y = ": xsmy = xsym; if m is an O-move. xsmtny = xsymn; if m justi es n and n is a P-move. The view of a sequence is intended to represent the \currently relevant" subsequence of moves. However, notice that the view of a justi ed sequence need not itself be justi ed: the appearance of a move m in the view does not guarantee the appearance of its justi er. This will be recti ed when we impose the visibility condition, to follow. A justi ed sequence s is well-formed if it satis es (w1) Players alternate: if s = s1mns2 then OP(m) 6= OP(n). (w2) The bracketing condition . We say that a question q in s is answered by a later answer a in s if q justi es a. The bracketing condition is satis ed by s if for each pre x tqua of s with q answered by a, the last unanswered question in tqu is q; in other words, when an answer is given, it is always to the most recent question which has not been answered|the pending question . A useful intuition is to think of questions as left parentheses, (, and answers as right parentheses, ). In order to satisfy the bracketing condition, the string of brackets must be a pre x of a well-formed string of brackets, and furthermore each ) must be justi ed by the corresponding (. Of course this is where the name \bracketing condition" comes from. (w3) The activity condition . Say that a position s is active if there is no pending question at s, or if the pending question is labelled as active. A position is passive otherwise. The activity condition is satis ed by s if for every pre x ta of s with a active, the position t is active. 12 Conditions (w1) and (w2) above are familiar in game semantics. Condition (w3) is new; it further constrains when active moves can be played. In particular, if there is a passive question pending, the whole discussion is deemed passive, so only passive moves can be played until the question is answered. In our model of IA, this is the key condition which prevents expressions, which are passive, from having active side-e ects. A well-formed sequence s is legal , or is a legal position , if it also satis es the following visibility condition : if tm v s where m is a P-move, then the justi er of m occurs in ptq. if tm v s where m is a non-initial O-move, then the justi er of m occurs in xty. We write LA for the set of legal positions of A. The following lemma is useful in analysing legal positions of a/p-arenas. Lemma 1 Let s m be an active position, and let the justi er of m in s be n. Then s<n is active. Proof The sequence s has the form s<n n : : :m: If m is an answer, it answers n so the pending question of s m is the same as that of s<n. Hence s<n is active since s m is. Otherwise, m is a question so is itself active (lest s m be a passive position). Therefore its justi er n is active, so by the activity condition, s<n is active. Corollary 2 Let s m be an active position, with m an O-move. For every O-move n in ps mq, s n is active. De nition Let s be a legal position of an arena A and let m be a move in s. We say that m is hereditarily justi ed by an occurrence of a move n in s if the chain of justi cation pointers leading back from m ends at n, i.e. m is justi ed by some move m1, which is in turn justi ed by m2 and so on until some mk is justi ed by an initial move n. We write s n for the subsequence of s containing all moves hereditarily justi ed by n. This notation is slightly ambiguous, because it confuses the move n with a particular occurrence of n; however, no di culty will arise in practice. We similarly de ne s I for a set I of (occurrences of) initial moves in s to be the subsequence of s consisting of all moves hereditarily justi ed by a move of I . A a/p-game A is speci ed by a structure hMA; A;`A; PAi where hMA; A;`Ai is an a/p-arena. PA is a non-empty, pre x-closed subset of LA, called the valid positions , and satisfying if s 2 PA and I is a set of initial moves of s then s I 2 PA: 13 7.1.1 A/P-views Given a valid position s 2 PA, the P-view psq is a subsequence of s in which each pair of moves m n in s, with m an O-move, is either included or excluded in its entirety. Corresponding to the intuition that active moves are \persistent", we introduce the notion of a/p-view which takes activity into account. De nition The a/p-view e s of a legal position s is the subsequence of s consisting of those pairs m n as above such that either m n appears in psq or s m is an active position. Lemma 3 For a legal position s, e s is a justi ed sequence. Proof Let m be a move in e s. We must show that the justi er of m also appears in e s. Ifm is in e s because it appears in psq, this follows easily. Otherwise, if m is an O-move, then s m is an active position. Let the justi er of m in s be n. By Lemma 1, s<n is an active position, so both n and its predecessor appear in e s. If m is a P-move then s<m is an active position and the justi er of m appears in ps<mq, by the visibility condition. But by Corollary 2, this move must occur at an active position, and hence must appear in e s. Remark Later, we will need to consider an extended notion of a/p-view for sequences of moves which are not necessarily legal positions. First note that the de nition of P-view makes sense for any sequence of moves, some with justi cation pointers, some without: if an O-move without a pointer is encountered, it is treated as an initial move; other O-moves are treated as usual. The notion of pending question also makes sense for arbitrary sequences. Say that a sequence s ending in an O-move is active if the pending question of psq is active. We can now extend the de nition of a/p-view above to arbitrary sequences of moves and justi cation pointers, provided the players alternate. Note also that this extended de nition coincides with the original one for legal positions, because the pending question of psq is the same as that of s for sequences satisfying the bracketing condition. 7.1.2 Multiplicatives Given games A and B, de ne new games A B and A( B as follows. MA B = MA +MB : A B = [ A; B ]: ? `A B n () ? `A n _ ? `B n: m `A B n () m `A n _m `B n: PA B = fs 2 LA B j s A 2 PA ^ s B 2 PBg: 14 MA(B = MA +MB: A(B = [ A; B ]: ? `A(B m () ? `B m m `A(B n () m `A n _m `B n _ [? `B m ^ ? `A n ^ (n active) m active)]; for m 6= ?. PA(B = fs 2 LA(B j s A 2 PA ^ s B 2 PBg: In the above, s A denotes the subsequence of s consisting of all moves from MA; s B is analogous. The con ict with the previously introduced notation s I should not cause any confusion. Note the additional constraint on the de nition of A ( B: where a new enabling is introduced between an initial move of B and one of A, it must be ensured that an active move is only enabled by another active move. The tensor unit is de ned by I = h;; ;; ;; f"gi. 7.1.3 Strategies De nition A strategy for a game A is a non-empty set of even-length positions from PA, satisfying (s1) sab 2 ) s 2 . (s2) sab; sac 2 ) b = c, and the justi er of b is the same as that of c. In other words, the justi ed sequences sab and sac are identical. The identity strategy for a game A is a strategy for A( A de ned by idA = fs 2 PA1(A2 j 8t veven s:(t A1 = t A2)g: We use subscripts to distinguish the two occurrences of A, and write t veven s to mean that t is an even-length pre x of s. All that idA does is to copy the move made by Opponent in one copy of A to the other copy of A. The justi er for Player's move is the copy of the justi er of Opponent's move. It is easy to check that this does indeed de ne a strategy. 7.1.4 Composition The categories we will work in have games as objects and strategies as morphisms. Therefore, given strategies : A ( B and : B ( C, we would like to compose them to form a strategy ; : A ( C. First, some auxiliary de nitions are necessary. De nition Let u be a sequence of moves from games A, B and C together with justi cation pointers from all moves except those initial in C. De ne u B;C to be the subsequence of u consisting of all moves from B and C; if a pointer from one of these points to a move of A, delete that pointer. Similarly de ne u A;B. 15 We say that u is an interaction sequence of A, B and C if u A;B 2 PA(B and u B;C 2 PB(C . The set of all such sequences is written as int(A;B;C). Suppose u 2 int(A;B;C). A pointer from a C-move must be to another C-move, and a pointer from an A-move a must be either to another A-move, or to an initial B-move, b, which in turn must have a pointer to an initial C-move, c. De ne u A;C to be the subsequence of u consisting of all moves from A and C, except that in the case outlined above, the pointer from a is changed to point to c. A B Cc b