\documentclass[11pt]{article}
% \documentclass[11pt,twoside]{article}

\usepackage{lecnotes}
\usepackage{graphicx}
\usepackage{textcomp}
\usepackage{comment}
\input{fp-macros}

\newcommand{\lecdate}{February 6, 2012} % e.g. January 12, 2010
\newcommand{\lecnum}{6}           % e.g. 1
\newcommand{\lectitle}{Quantification}         % e.g. Judgments and Propositions
\newcommand{\lecturer}{Frank Pfenning}         % e.g. Frank Pfenning

\begin{document}

\maketitle

\noindent
We introduce quantification into linear logic.  The domains of the
quantifiers are external to linear logic, which requires that we have
a new external typing judgment.  We analyze the quantifiers within the
Curry-Howard interpretation of linear propositions as session types.
The universal quantifier represents data input, while the existential
quantifier represents data output.  More details can be found in a
recent paper~\cite{Caires12tldi}.

\section{Universal Quantification}

We write $\forall n{:}\tau. A$, universally quantifying over objects
of type $\tau$.  We will also refer to objects as \emph{terms} (taking
a syntactic point of view) or \emph{values} (to contrast them with
channels).  We will specify little about the types $\tau$, essentially
giving a presentation that does not depend on how the new types and
their inhabiting objects are chosen.  However, we will make some
requirements of this language so that the quantifiers indeed make
sense.

We start with the left rule: how do we use a resource $\forall
n{:}\tau. A$?  Since it means that $A$ is true for all objects of type
$\tau$, we can instantiate the quantifier with any particular object
$M$.  This suggests:
\[
\infer[{\forall}L]
  {\Gamma \semi \Delta, \forall n{:}\tau. A \seq C}
  {M : \tau & \Gamma \semi \Delta, A\{M/n\} \seq C}
\]
We will need to slightly generalize this presently.

The right rule answers the question of how we can prove that $\forall
n{:}\tau. A$ is true.  We proceed by showing $A\{m/n\}$ for a new
parameter $m$ of type $\tau$.  But where do we record the type of $m$?
To be explicit about the type, and also the parameters currently
available in a proof, we introduce a new context $\Psi$ which
contains typings for term variables.  We write:
\[
\underbrace{m_1{:}\tau_1, \ldots, m_k{:}\tau_k}_{\displaystyle \Psi} \semi
\underbrace{u_1{:}B_1, \ldots, u_j{:}B_j}_{\displaystyle \Gamma} \semi
\underbrace{x_1{:}A_1, \ldots, x_i{:}A_i}_{\displaystyle \Delta} \seq
P :: z : C
\]
where all variables are distinct, $m$ are term variables, $u$ are
shared channels, and $x$ are linear channels.  Term variables stand
for data that are \emph{not} considered resources.  They can be used
arbitrarily often, including zero times.  With this notation, the
right rule becomes
\[
\infer[{\forall}R]
  {\Psi \semi \Gamma \semi \Delta \seq \forall n{:}\tau. A}
  {\Psi, m{:}\tau \semi \Gamma \semi \Delta \seq A\{m/n\}}
\]
The freshness condition is implicit, because we assume the rule can
only be applied if $m$ is not already declared in $\Psi$.  We can
always choose a fresh name.  Note also that we currently do not have
any way for $n$ to actually appear in $A$, unless we allow some atomic
propositions to depend on term variables.  We will see an example of
this in \autoref{sec:atm}.

With this notation we can now generalize the left rule.
\[
\infer[{\forall}L]
  {\Psi \semi \Gamma \semi \Delta, \forall n{:}\tau. A \seq C}
  {\Psi \vdash M : \tau & \Psi \semi \Gamma \semi \Delta, A\{M/n\} \seq C}
\]
Here, the typing of $M$ does not depend on $\Gamma$ or $\Delta$, because
we stipulate that terms cannot depend on channels of processes.

\section{Harmony for Universal Quantification}

We are, of course, obligated to check that the left and right rules
are in harmony.  This will impose some constraints on the judgment
$\Psi \vdash M : \tau$.  First, cut reduction.  The situation we must
consider for reduction is
\[
\infer[\cut_{\forall n{:}\tau. A}]
  {\Psi \semi \Gamma \semi \Delta, \Delta' \seq C}
  {\infer[{\forall}R]
    {\Psi \semi \Gamma \semi \Delta \seq \forall n{:}\tau. A}
    {\Psi, m{:}\tau \semi \Gamma \semi \Delta \seq A\{m/n\}} &
   \infer[{\forall}L]
    {\Psi \semi \Gamma \semi \Delta', \forall n{:}\tau. A \seq C}
    {\Psi \vdash M : \tau &
      \Psi \semi \Gamma \semi \Delta', A\{M/n\} \seq C}}
\]
We would like to reduce this to a cut of the two premises, but the
formulas do not match: it is $A\{m/n\}$ in the first premise, and
$A\{M/n\}$ in the second premise.  How do we get one from the other?
The solution is to \emph{substitute} $M$ for $m$ throughout the
sequent $\Psi, m{:}\tau \semi \Gamma \semi \Delta \seq A\{m/n\}$.
Since $m$ was chosen fresh (so it does not occur in $\Gamma$, $\Delta$
or $A$), we obtain $\Psi \semi \Gamma \semi \Delta \seq A\{M/n\}$.
We therefore need to postulate:
\begin{quote}
  \textbf{Substitution Principle.}
  If $\Psi \vdash M : \tau$ and $\Psi, m{:}\tau \semi \Gamma
  \semi \Delta \seq A$ then $\Psi \semi \Gamma \semi \Delta \seq
  A\{M/m\}$, provided $\Gamma$ and $\Delta$ do not depend on $m$.
\end{quote}
We will need to generalize this in order to verify it for our sequent
calculus.  For example, if $A$ is a linear implication, after the
${\lolli}R$ rule the type of some channels may now depend on $m$ even
if the proviso is satisfied in the conclusion.  We return to this when
discussing functional interpretations.

As a notational device, we use a dashed line to indicate that we are
applying some principle or theorem about proofs, rather than a rule of
inference.  For example, the dashed line in
\[
\infer-[\m{subst}]
  {\Psi \semi \Gamma\{M/m\} \semi \Delta\{M/m\} \seq A\{M/m\}}
  {\Psi \vdash M : \tau &
    \Psi, m{:}\tau \semi \Gamma \semi \Delta \seq A}
\]
indicates the application of the substitution principle, which is an
assumption about how our typing judgment $\Psi \vdash M : \tau$
interacts with sequents.  This is also called an \emph{admissible
  rule} in the sense that whenever we have proofs of the premises then
we can construct a proof of the conclusion.  Using this notation, the
evidence for cut reduction is:
\[
\begin{array}{c}
\infer[\cut_{\forall n{:}\tau. A}]
  {\Psi \semi \Gamma \semi \Delta, \Delta' \seq C}
  {\infer[{\forall}R]
    {\Psi \semi \Gamma \semi \Delta \seq \forall n{:}\tau. A}
    {\Psi, m{:}\tau \semi \Gamma \semi \Delta \seq A\{m/n\}} &
   \infer[{\forall}L]
    {\Psi \semi \Gamma \semi \Delta', \forall n{:}\tau. A \seq C}
    {\Psi \vdash M : \tau &
      \Psi \semi \Gamma \semi \Delta', A\{M/n\} \seq C}}
\\[1em]
\longrightarrow_R
\\[1em]
\infer[\cut_{A\{M/n\}}]
  {\Psi \semi \Gamma \semi \Delta, \Delta' \seq C}
  {\infer-[\m{subst}]
    {\Psi \semi \Gamma \semi \Delta \seq A\{M/n\}}
    {\Psi \vdash M : \tau &
      \Psi, m{:}\tau \semi \Gamma \semi \Delta \seq A\{m/n\}} &
    \Psi \semi \Gamma \semi \Delta', A\{M/n\} \seq C}
\end{array}
\]
Here $\Gamma\{M/m\} = \Gamma$, $\Delta\{M/m\} = \Delta$, and
$A\{m/n\}\{M/m\} = A\{M/n\}$ by the freshness of $m$ in the
${\forall}R$ rule.

For the identity expansion, we have
\[
\infer[\id_{\forall n{:}\tau.A}]
  {\cdot \semi \cdot \semi \forall n{:}\tau.A \seq \forall n{:}\tau.A}
  {\mathstrut}
\longrightarrow_E \hspace*{-2em}
\infer[{\forall}R]
  {\cdot \semi \cdot \semi \forall n{:}\tau.A \seq \forall n{:}\tau.A}
  {\infer[{\forall}L]
    {m{:}\tau \semi \cdot \semi \forall n{:}\tau. A \seq A\{m/n\}}
    {\infer-[\m{hyp}]{m{:}\tau \vdash m : \tau}{\mathstrut} &
      \infer[\id_{A\{m/n\}}]
        {m{:}\tau \semi \cdot \semi A\{m/n\} \seq A\{m/n\}}
        {\mathstrut}}}
\]
We see that we need to assume a hypothesis rule or principle for the
typing judgments of terms.  Usually, this is simply a rule, but we do
not want to fix this, since it is external to the sequent calculus.
\begin{quote}
  \textbf{Hypothesis.}  $m{:}\tau \vdash m : \tau$ for any variable
  $m$ and type $\tau$.
\end{quote}
We also need to allow hypotheses in $\Psi$ to appear in applications
of the identity rule in sequent calculus.  In general, we can
\emph{weaken} any judgment with new typing assumptions $m{:}\tau$,
because they do not need to be used.  We apply this principle
silently.
\begin{quote}
  \textbf{Weakening.}  If $\Psi \semi \Gamma \semi \Delta \seq C$ then
  $\Psi, m{:}\tau \semi \Gamma \semi \Delta \seq C$.
\end{quote}
Here we suppose that $m$ is not already declared in $\Psi$ so that our
presupposition about the judgments (no variable is declared more than
once) remains satisfied.  Analogous substitution and weakening
principles also have to apply internally to the term typing judgment
itself.

\section{Existential Quantification}
\label{sec:exists}

Existential quantification is dual, in a sense.  In order to prove it,
we have to supply some term of the correct type.  In order to use it,
we have to assume some new parameter.
\[
\infer[{\exists}R]
  {\Psi \semi \Gamma \semi \Delta \seq \exists n{:}\tau. A}
  {\Psi \vdash M : \tau &
    \Psi \semi \Gamma \semi \Delta \seq A\{M/n\}}
\qquad
\infer[{\exists}L]
  {\Psi \semi \Gamma \semi \Delta, \exists n{:}\tau. A \seq C}
  {\Psi, m{:}\tau \semi \Gamma \semi \Delta, A\{m/n\} \seq C}
\]
Here, $m$ must not already be declared in $\Psi$ (and therefore not
used in $\Gamma$, $\Delta$, $A$, or $C$).  We leave it to
Exercise~\ref{exc:harmony-exists} to check the cut reduction and
identity expansion properties.

\section{Term Passing}

So far, we have stayed very close to the $\pi$-calculus, establishing
an interpretation of linear propositions as session types, sequent
proofs as processes, and cut reduction as process reduction.
Structural congruence arises from structural equivalences between
sequent proofs.  Next we incorporate the passing of data, or terms,
rather than channels, by giving a process assignment for universal
and existential quantification.  The result is somewhat reminiscent of
the applied $\pi$-calculus~\cite{Abadi01popl}.

We now generalize all the sequent judgments so far by adding new
hypotheses $\Psi$, assigning types to term variables, written
as
\[
\Psi \semi \Gamma \semi \Delta \seq P :: x : A
\]
Like the shared names in $\Gamma$, the typing assumptions in $\Psi$
are propagated to all premises in all rules we have presented so far.
For example, the identity and cut rules are now
\[\begin{array}{c}
\infer[\id_A]
      {\Psi \semi \Gamma \semi x{:}A \seq [x \fwd z] :: z : A}
      {\mathstrut}
\\[1em]
\infer[\cut_A]
      {\Psi \semi \Gamma \semi \Delta, \Delta' \seq (\nu x)(P \mid Q)
        :: z : C}
      {\Psi \semi \Gamma \semi \Delta \seq P :: x : A &
        \Psi \semi \Gamma \semi \Delta', x{:}A \seq Q :: z : C}
\end{array}\]

\section{Term Input}

Input of terms is modeled simply by universal quantification.
\[
\infer[{\forall}R]
      {\Psi \semi \Gamma \semi \Delta \seq \recv{x}{n}.P :: x : \forall n{:}\tau. A}
      {\Psi, m{:}\tau \semi \Gamma \semi \Delta \seq P\{m/n\} :: x : A\{m/n\}}
\]
As before, the type of channel $x$ evolves through interaction.
In order for cut reduction to work correctly, the ${\forall}L$
rule must provide a matching output.
\[
\infer[{\forall}L]
      {\Psi \semi \Gamma \semi \Delta', x{:}\forall n{:}\tau.A \seq \send{x}{M}.Q :: z : C}
      {\Psi \vdash M : \tau &
       \Psi \semi \Gamma \semi \Delta', x{:}A\{M/n\} \seq Q :: z : C}
\]
Again, as before, we reuse the name $x$ in the premise without
conflict since $x$ is linear.  Note that $m$ must be chosen fresh so
that the new context $\Psi, m{:}\tau$ is well-formed in the ${\forall}R$
rule.

Applying cut to the right and left rules as formulated above yields
the conclusion
\[ \Psi \semi \Gamma \semi \Delta, \Delta' \seq (\nu x)(\recv{x}{n}.P
\mid \send{x}{M}.Q) :: z : C
\]
To apply the usual reduction step from the sequent calculus, we must
substitute $M$ for the fresh parameter $m$ in the premise of the
${\forall}R$ rule, which turns $P\{m/n\}$ into $P\{M/n\}$ and
$A\{m/n\}$ into $A\{M/n\}$.  We see that we need the substitution
property for hypotheses in $\Psi$ to justify reduction.  After that we
obtain the following cut:
\[
\infer[\cut]
      {\Psi \semi \Gamma \semi \Delta, \Delta' \seq (\nu x)(P\{M/n\} \mid Q) :: z : C}
      {\begin{array}[b]{l}
       \Psi \semi \Gamma \semi \Delta \seq P\{M/n\} :: x : A\{M/n\} \\
       \Psi \semi \Gamma \semi \Delta', x{:}A\{M/n\} \seq Q :: z : C
       \end{array}}
\]
from which we read off the reduction
\[
 (\nu x)(\recv{x}{n}.P \mid \send{x}{M}.Q)
\longrightarrow
 (\nu x)(P\{M/n\} \mid Q)
\]
In other words, we just use term passing instead of name passing
in the $\pi$-calculus.

\section{Term Output}

A channel $x : \exists y{:}\tau. A$ offers to output a term $M$ of
type $\tau$ along $x$ and then offers $A\{M/y\}$.  This is symmetric to
term input as described for $\forall y{:}\tau. A$.  So even though our
logic is intuitionistic, we obtain a strong duality between universal
and existential quantification.
\[\begin{array}{c}
\infer[{\exists}R]
      {\Psi \semi \Gamma \semi \Delta \seq \send{x}{M}.P :: x : \exists n{:}\tau. A}
      {\Psi \vdash M : \tau &
       \Psi \semi \Gamma \semi \Delta \seq P :: x : A\{M/n\}}
\\[1em]
\infer[{\exists}L]
      {\Psi \semi \Gamma \semi \Delta', x{:}\exists n{:}\tau. A \seq \recv{x}{n}. Q :: z : C}
      {\Psi, m{:}\tau \semi \Gamma \semi \Delta', x{:}A\{m/n\} \seq Q\{m/n\}:: z : C}
\end{array}\]
Applying cut to these two rules yields the conclusion
\[
\Psi \semi \Gamma \semi \Delta, \Delta' \seq
(\nu x)(\send{x}{M}.P \mid \recv{x}{n}.Q) :: z : C
\]
which is reduced with the same term-passing communication as
for the ${\forall}R$/${\forall}L$ pair:
\[
(\nu x)(\send{x}{M}.P \mid \recv{x}{n}.Q)
\longrightarrow
(\nu x)(P \mid Q\{M/n\})
\]
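The two term-passing reductions derived above, for the ${\forall}R$/${\forall}L$
pair and for the ${\exists}R$/${\exists}L$ pair, can be executed directly.
The following Python reducer is an added example and is not part of these
notes; it assumes processes encoded as nested tuples, that a sent term is
evaluated to a closed value before substitution (the notes leave the term
language external), and a constructed balance table for an $\m{Atm}_1$
session in which the client forwards the received balance along $z$ so the
outcome is visible.

```python
# Added example (not from the lecture notes): a reducer for the term-passing
# fragment.  Processes: ('send',x,M,P) x<M>.P  ('recv',x,n,P) x(n).P  ('close',x)
# x<>.0  ('wait',x,P) x().P  ('par',P,Q)  ('nu',x,P).  Terms: literals, ('var',n)
# or ('app',f,[args]); FUNS is a constructed bank table standing in for the
# external term language (an assumption of this example).
FUNS = {'balance': lambda k: {'fp': 1500}[k]}

def subst_term(T, M, n):                   # T{M/n} on terms
    if isinstance(T, tuple) and T[0] == 'var':
        return M if T[1] == n else T
    if isinstance(T, tuple) and T[0] == 'app':
        return ('app', T[1], [subst_term(a, M, n) for a in T[2]])
    return T

def subst(P, M, n):                        # P{M/n}: free occurrences of n in P
    tag = P[0]
    if tag == 'send':
        return ('send', P[1], subst_term(P[2], M, n), subst(P[3], M, n))
    if tag == 'recv':                      # x(m).P' binds m, which shadows n
        return P if P[2] == n else ('recv', P[1], P[2], subst(P[3], M, n))
    if tag == 'wait':
        return ('wait', P[1], subst(P[2], M, n))
    if tag == 'par':
        return ('par', subst(P[1], M, n), subst(P[2], M, n))
    if tag == 'nu':
        return ('nu', P[1], subst(P[2], M, n))
    return P                               # 'zero' and 'close' contain no terms

def eval_term(T):                          # closed term -> value, before sending
    if isinstance(T, tuple) and T[0] == 'app':
        return FUNS[T[1]](*[eval_term(a) for a in T[2]])
    if isinstance(T, tuple) and T[0] == 'var':
        raise ValueError('unbound term variable ' + T[1])
    return T

def step(P):
    """One reduction of (nu x)(L | R); None if the sides cannot communicate."""
    if P[0] == 'nu' and P[2][0] == 'par':
        x, sides = P[1], [P[2][1], P[2][2]]
        for i, j in ((0, 1), (1, 0)):      # either side may be the sender
            S, T = sides[i], sides[j]
            if S[0] == 'send' and T[0] == 'recv' and S[1] == T[1] == x:
                new = [None, None]         # (nu x)(x<M>.S' | x(n).T') --> (nu x)(S' | T'{M/n})
                new[i], new[j] = S[3], subst(T[3], eval_term(S[2]), T[2])
                return ('nu', x, ('par', new[0], new[1]))
            if S[0] == 'close' and T[0] == 'wait' and S[1] == T[1] == x:
                return T[2]                # (nu x)(x<>.0 | x().T') --> T'
    return None

def run(P):                                # reduce until stuck; return the trace
    trace = [P]
    while (Q := step(P)) is not None:
        trace.append(P := Q)
    return trace

# Atm_1 session: server a(k).a<balance(k)>.a<>.0 against the notes' client,
# which here forwards the received balance n along z instead of just closing z.
SERVER = ('recv', 'a', 'k', ('send', 'a', ('app', 'balance', [('var', 'k')]), ('close', 'a')))
CLIENT = ('send', 'a', 'fp', ('recv', 'a', 'n', ('wait', 'a', ('send', 'z', ('var', 'n'), ('close', 'z')))))
SESSION = ('nu', 'a', ('par', SERVER, CLIENT))
```

Running \texttt{run(SESSION)} performs the ${\forall}L$/${\forall}R$ exchange of
\texttt{'fp'}, the ${\exists}R$/${\exists}L$ exchange of the balance, and the
close/wait step, leaving the client ready to output the balance along $z$.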

\section{Example: An ATM}
\label{sec:atm}

We now exercise our interpretation by building a model of a very
simple ATM\@.  Just being able to do a balance inquiry could be
\[
\m{Atm}_1 \defeq \forall k{:}\m{userid}.\, \exists n{:}\m{val}.\, \one
\]
Assuming we have a shared channel $u{:}\m{Atm}_1$, we can build a simple
client that punches in a user id $\m{'fp'}$ and obtains the balance.
\[
u{:}\m{Atm}_1 \semi \cdot \seq (\nu a)\send{u}{a}.\,
\send{a}{\m{'fp'}}.\, \recv{a}{n}. \recv{a}{}.\, \send{z}{}.\, \zero
:: z : \one
\]

A slightly more complicated example would be to also offer a
withdrawal of $n$ dollars and then either indicate failure (due, for
example, to insufficient funds) or return the cash.  Since cash is a
resource in a way that data (like account balances) are not, we represent
it as an ephemeral proposition $\m{cash}(n)$ to indicate $n$ dollars.
This is an example where a quantified variable can actually appear in a
proposition.
\[
\m{Atm}_2 \defeq \forall k{:}\m{userid}.\, ((\exists n{:}\m{val}.\, \one)
\with \forall n{:}\m{val}.\, \one \oplus (\m{cash}(n) \tensor \one))
\]
A client that withdraws \$100 in cash and puts it into a wallet $w$ might
look like this:
\[
\begin{array}{l}
u{:}\m{Atm}_2 \semi \cdot \seq
(\nu a)\send{u}{a}.\, \send{a}{\m{'fp'}}.\, a.\inr; \send{a}{\$100}.\\
\hspace{7em}
a.\case(\mbox{??}, \recv{a}{c}. \recv{a}{}. [c \fwd w]) :: w : \m{cash}(\$100)
\end{array}
\]
However, we notice one problem: in case there are insufficient funds,
we will actually not be able to fulfill the goal of putting \$100 into
our wallet.  So we need to hedge our bets and say we are either
putting \$100 into our wallet or nothing, where ``nothing'' is represented
by the logical constant $\one$.
\[
\begin{array}{lcl}
u{:}\m{Atm}_2 \semi \cdot & \seq &
(\nu a)\send{u}{a}.\, \send{a}{\m{'fp'}}.\, a.\inr; \send{a}{\$100}.\\
& & \hspace{3em} a.\case(w.\inr;\recv{a}{}.\send{w}{}.\zero,\\
& & \hspace{6em} w.\inl;\recv{a}{c}. \recv{a}{}. [c \fwd w])\\
& & \hspace{2em} \null :: w : \m{cash}(\$100) \oplus \one
\end{array}
\]
The type of the channel $c$, input in the second to last line along
channel $a$, will be $\m{cash}(\$100)$.  This is because we
instantiated the universal quantifier on $n$ with $\$100$.  We leave
the implementation of the ATM itself to Exercise~\ref{exc:atm}.

The client's goal is not very expressive, in this and many
other examples.  Just consider the following typing:
\[
u{:}\m{Atm}_2 \semi \cdot \seq w.\, \inr; \send{w}{}.\, \zero :: w : \m{cash}(\$100) \oplus \one
\]
which represents a client that blithely decides to ignore the ATM and
walk past it without carrying out any transaction at all.  Of course,
in that case there will also be no cash in the client's pocket.

This illustrates that the information in the process is critical.  The
type, while important, clearly does not fully specify the behavior.
In particular, it does not prescribe the client's internal choices,
which include the trivial inaction in this case.

\clearpage
\phantomsection
\addcontentsline{toc}{section}{Exercises}
\section*{Exercises}

\begin{exercise}\rm
  Clearly, a service $x{:}\exists n{:}\tau.A$ should not be sufficient
  to satisfy goal $z{:}\forall m{:}\tau. A$.  Illustrate how this
  fails because parameters must be chosen to be fresh.
\end{exercise}

\begin{exercise}\rm
  Under which conditions (if any) can a service $x : (\forall
  k{:}\tau.\exists n{:}\sigma. \one)$ be used to provide service $y :
  (\exists n{:}\sigma. \forall k{:}\tau. \one)$?  How about the other
  direction?  All services should be assumed to be linear.
\end{exercise}

\begin{exercise}\rm
  \label{exc:harmony-exists}
  We explore here the existential quantifier from \autoref{sec:exists}.
  \begin{enumerate}
  \item[(i)] Write out the cut reduction.
  \item[(ii)] Write out the identity expansion.
  \item[(iii)] Check that the cut reduction is appropriately
    modeled by a term-passing communication.
  \end{enumerate}
\end{exercise}

\begin{exercise}\rm
  \label{exc:atm}
  In this exercise we explore the ATM example from \autoref{sec:atm}.
  You may assume the following persistent services offered by the
  bank:
  \[
  \begin{array}{lcl}
    \m{Balance} & \defeq & \forall k{:}\m{userid}.\, \exists n{:}\m{val}.\, \one \\
    \m{Withdraw} & \defeq & \forall k{:}\m{userid}.\, \forall n{:}\m{val}.\,
    \one \oplus \one \\
    \m{Deposit} & \defeq & \forall k{:}\m{userid}.\, \forall n{:}\m{val}.\, \one
  \end{array}
  \]
  In the type of $\m{Withdraw}$, the left alternative of $\oplus$
  means there were insufficient funds and the transaction failed,
  while the right alternative of $\oplus$ means that the transaction
  succeeded.  In that case, the ATM should only close the channel once
  the transaction with the client has completed.

  Provide an implementation of a process $P$ such that it offers the
  service $\m{Atm}$ along channel $x$, using persistent services
  $\mathit{bal}:\m{Balance}$, $\mathit{wd}:\m{Withdraw}$, and
  $\mathit{dep}:\m{Deposit}$ from the bank.  In other words,
  \[
  \mathit{bal}{:}\m{Balance}, \mathit{wd}{:}\m{Withdraw}, \mathit{dep}{:}\m{Deposit}
  \semi \cdot \seq P :: x : \m{Atm}_2
  \]
  The process $P$ should withdraw an additional $\$2$ service charge
  from the user account and deposit it under the userid $\m{'atm'}$ at
  the bank.
\end{exercise}

\begin{exercise}\rm
  This is a continuation of Exercise~\ref{exc:atm}.  Use $\cutbang$ to
  compose your implementation of $\m{Atm}_2$ with the client from
  \autoref{sec:atm} and an unspecified implementation of the bank's
  services, and show the evolution of the composition until no further
  communication is possible.  Assume that the bank processes $Q$, $Q'$
  and $Q''$ communicate correctly, and that there are sufficient funds
  to withdraw $\$102$ ($\$100$ for the client, and $\$2$ for the ATM's
  service charge).
\end{exercise}

\clearpage
\phantomsection
\addcontentsline{toc}{section}{References}
\bibliographystyle{alpha}
\bibliography{fp,lfs}

% \cleardoublepage
\end{document}
