Results 1  10
of
23
The impact of higherorder state and control effects on local relational reasoning
, 2010
"... Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML o ..."
Abstract

Cited by 55 (16 self)
 Add to MetaCart
(Show Context)
Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML or Haskell. Much of the recent work in this direction has considered the interesting representation independence principles enabled by the use of local state, but it is also important to understand the principles that powerful features like higherorder state and control effects disable. This latter topic has been broached extensively within the framework of game semantics, resulting in what Abramsky dubbed the “semantic cube”: fully abstract gamesemantic characterizations of various axes in the design space of MLlike languages. But when it comes to reasoning about many actual examples, game semantics does not yet supply a useful technique for proving equivalences. In this paper, we marry the aspirations of the semantic cube to the powerful proof method of stepindexed Kripke logical relations. Building on recent work of Ahmed, Dreyer, and Rossberg, we define the first fully abstract logical relation for an MLlike language with recursive types, abstract types, general references and call/cc. We then show how, under orthogonal restrictions to the expressive power of our language—namely, the restriction to firstorder state and/or the removal of call/cc—we can enhance the proving power of our possibleworlds model in correspondingly orthogonal ways, and we demonstrate this proving power on a range of interesting examples. Central to our story is the use of state transition systems to model the way in which properties of local state evolve over time.
Environmental bisimulations for higherorder languages
 In TwentySecond Annual IEEE Symposium on Logic in Computer Science
, 2007
"... Developing a theory of bisimulation in higherorder languages can be hard. Particularly challenging can be: (1) the proof of congruence, as well as enhancements of the bisimulation proof method with “upto context ” techniques, and (2) obtaining definitions and results that scale to languages with d ..."
Abstract

Cited by 47 (14 self)
 Add to MetaCart
(Show Context)
Developing a theory of bisimulation in higherorder languages can be hard. Particularly challenging can be: (1) the proof of congruence, as well as enhancements of the bisimulation proof method with “upto context ” techniques, and (2) obtaining definitions and results that scale to languages with different features. To meet these challenges, we present environmental bisimulations, a form of bisimulation for higherorder languages, and its basic theory. We consider four representative calculi: pure λcalculi (callbyname and callbyvalue), callbyvalue λcalculus with higherorder store, and then HigherOrder πcalculus. In each case: we present the basic properties of environmental bisimilarity, including congruence; we show that it coincides with contextual equivalence; we develop some upto techniques, including upto context, as examples of possible enhancements of the associated bisimulation method. Unlike previous approaches (such as applicative bisimulations, logical relations, SumiiPierceKoutavasWand), our method does not require induction/indices on evaluation derivation/steps (which may complicate the proofs of congruence, transitivity, and the combination with upto techniques), or sophisticated methods such as Howe’s for proving congruence. It also scales from the pure λcalculi to the richer calculi with simple congruence proofs. 1
Logical StepIndexed Logical Relations
"... We show how to reason about “stepindexed ” logical relations in an abstract way, avoiding the tedious, errorprone, and proofobscuring stepindex arithmetic that seems superficially to be an essential element of the method. Specifically, we define a logic LSLR, which is inspired by Plotkin and Aba ..."
Abstract

Cited by 23 (8 self)
 Add to MetaCart
(Show Context)
We show how to reason about “stepindexed ” logical relations in an abstract way, avoiding the tedious, errorprone, and proofobscuring stepindex arithmetic that seems superficially to be an essential element of the method. Specifically, we define a logic LSLR, which is inspired by Plotkin and Abadi’s logic for parametricity, but also supports recursively defined relations by means of the modal “later ” operator from Appel et al.’s “very modal model” paper. We encode in LSLR a logical relation for reasoning (in)equationally about programs in callbyvalue System F extended with recursive types. Using this logical relation, we derive a useful set of rules with which we can prove contextual (in)equivalences without mentioning step indices. 1
A Relational Modal Logic for HigherOrder Stateful ADTs
"... The method of logical relations is a classic technique for proving the equivalence of higherorder programs that implement the same observable behavior but employ different internal data representations. Although it was originally studied for pure, strongly normalizing languages like System F, it ha ..."
Abstract

Cited by 22 (12 self)
 Add to MetaCart
(Show Context)
The method of logical relations is a classic technique for proving the equivalence of higherorder programs that implement the same observable behavior but employ different internal data representations. Although it was originally studied for pure, strongly normalizing languages like System F, it has been extended over the past two decades to reason about increasingly realistic languages. In particular, Appel and McAllester’s idea of stepindexing has been used recently to develop syntactic Kripke logical relations for MLlike languages that mix functional and imperative forms of data abstraction. However, while stepindexed models are powerful tools, reasoning with them directly is quite painful, as one is forced to engage in tedious stepindex arithmetic to derive even simple results. In this paper, we propose a logic LADR for equational reasoning about higherorder programs in the presence of existential type abstraction, general recursive types, and higherorder mutable state. LADR exhibits a novel synthesis of features from PlotkinAbadi logic, GödelLöb logic, S4 modal logic, and relational separation logic. Our model of LADR is based on Ahmed, Dreyer, and Rossberg’s stateoftheart stepindexed Kripke logical relation, which was designed to facilitate proofs of representation independence for “statedependent ” ADTs. LADR enables one to express such proofs at a much higher level, without counting steps or reasoning about the subtle, stepstratified construction of possible worlds.
Eager normal form bisimulation
 In Proc. 20th Annual IEEE Symposium on Logic in Computer Science
, 2005
"... Abstract. Normal form bisimulation is a powerful theory of program equivalence, originally developed to characterize LévyLongo tree equivalence and Boehm tree equivalence. It has been adapted to a range of untyped, higherorder calculi, but types have presented a difficulty. In this paper, we prese ..."
Abstract

Cited by 20 (8 self)
 Add to MetaCart
(Show Context)
Abstract. Normal form bisimulation is a powerful theory of program equivalence, originally developed to characterize LévyLongo tree equivalence and Boehm tree equivalence. It has been adapted to a range of untyped, higherorder calculi, but types have presented a difficulty. In this paper, we present an account of normal form bisimulation for types, including recursive types. We develop our theory for a continuationpassing style calculus, JumpWithArgument (JWA), where normal form bisimilarity takes a very simple form. We give a novel congruence proof, based on insights from game semantics. A notable feature is the seamless treatment of etaexpansion. We demonstrate the normal form bisimulation proof principle by using it to establish a syntactic minimal invariance result and the uniqueness of the fixed point operator at each type.
Normal form bisimulation for parametric polymorphism
 In LICS
, 2008
"... This paper presents a new bisimulation theory for parametric polymorphism which enables straightforward coinductive proofs of program equivalences involving existential types. The theory is an instance of typed normal form bisimulation and demonstrates the power of this recent framework for modeling ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
(Show Context)
This paper presents a new bisimulation theory for parametric polymorphism which enables straightforward coinductive proofs of program equivalences involving existential types. The theory is an instance of typed normal form bisimulation and demonstrates the power of this recent framework for modeling typed lambda calculi as labelled transition systems. We develop our theory for a continuationpassing style calculus, JumpWithArgument, where normal form bisimulation takes a simple form. We equip the calculus with both existential and recursive types. An “ultimate pattern matching theorem ” enables us to define bisimilarity and we show it to be a congruence. We apply our theory to proving program equivalences, type isomorphisms and genericity. 1
A Complete Characterization of Observational Equivalence in Polymorphic λCalculus with General References
, 2009
"... We give a (sound and complete) characterization of observational equivalence in full polymorphic λcalculus with existential types and firstclass, higherorder references. Our method is syntactic and elementary in the sense that it only employs simple structures such as relations on terms. It is ne ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
We give a (sound and complete) characterization of observational equivalence in full polymorphic λcalculus with existential types and firstclass, higherorder references. Our method is syntactic and elementary in the sense that it only employs simple structures such as relations on terms. It is nevertheless powerful enough to prove many interesting equivalences that can and cannot be proved by previous approaches, including the latest work by Ahmed, Dreyer and Rossberg (to appear in POPL 2009). 1.
The marriage of bisimulations and Kripke logical relations
 In POPL
, 2012
"... There has been great progress in recent years on developing effective techniques for reasoning about program equivalence in MLlike languages—that is, languages that combine features like higherorder functions, recursive types, abstract types, and general mutable references. Two of the most promine ..."
Abstract

Cited by 13 (9 self)
 Add to MetaCart
(Show Context)
There has been great progress in recent years on developing effective techniques for reasoning about program equivalence in MLlike languages—that is, languages that combine features like higherorder functions, recursive types, abstract types, and general mutable references. Two of the most prominent types of techniques to have emerged are bisimulations and Kripke logical relations (KLRs). While both approaches are powerful, their complementary advantages have led us and other researchers to wonder whether there is an essential tradeoff between them. Furthermore, both approaches seem to suffer from fundamental limitations if one is interested in scaling them to interlanguage reasoning. In this paper, we propose relation transition systems (RTSs), which marry together some of the most appealing aspects of KLRs and bisimulations. In particular, RTSs show how bisimulations’ support for reasoning about recursive features via coinduction can be synthesized with KLRs ’ support for reasoning about local state via state transition systems. Moreover, we have designed RTSs to avoid the limitations of KLRs and bisimulations that preclude their generalization to interlanguage reasoning. Notably, unlike KLRs, RTSs are transitively composable.
Relational parametricity for references and recursive types
 In Proceedings Fourth ACM Workshop on Types in Language Design and Implementation, TLDI’09
, 2009
"... We present a possible world semantics for a callbyvalue higherorder programming language with impredicative polymorphism, general references, and recursive types. The model is one of the first relationally parametric models of a programming language with all these features. To model impredicative ..."
Abstract

Cited by 13 (5 self)
 Add to MetaCart
(Show Context)
We present a possible world semantics for a callbyvalue higherorder programming language with impredicative polymorphism, general references, and recursive types. The model is one of the first relationally parametric models of a programming language with all these features. To model impredicative polymorphism we define the semantics of types via parameterized (worldindexed) logical relations over a universal domain. It is wellknown that it is nontrivial to show the existence of logical relations in the presence of recursive types. Here the problems are exacerbated because of general references. We explain what the problems are and present our solution, which makes use of a novel approach to modeling references. We prove that the resulting semantics is adequate with respect to a standard operational semantics and include simple examples of reasoning about contextual equivalence via parametricity.
Local Memory via Layout Randomization
"... Abstract—Randomization is used in computer security as a tool to introduce unpredictability into the software infrastructure. In this paper, we study the use of randomization to achieve the secrecy and integrity guarantees for local memory. We follow the approach set out by Abadi and Plotkin (2010). ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
Abstract—Randomization is used in computer security as a tool to introduce unpredictability into the software infrastructure. In this paper, we study the use of randomization to achieve the secrecy and integrity guarantees for local memory. We follow the approach set out by Abadi and Plotkin (2010). We consider the execution of an idealized language in two environments. In the strict environment, opponents cannot access local variables of the user program. In the lax environment, opponents may attempt to guess allocated memory locations and thus, with small probability, gain access the local memory of the user program. We model these environments using two novel calculi: λµhashref and λµproberef. Our contribution to the AbadiPlotkin program is to enrich the programming language with dynamic memory allocation, first class and higher order references and call/ccstyle control. On the one hand, these enhancements allow us to directly model a larger class of system hardening principles. On the other hand, the class of opponents is also enhanced since our enriched language permits natural and direct encoding of attacks that alter the control flow of programs. Our main technical result is a fully abstract translation (upto probability) of λµhashref into λµproberef. Thus, in the presence of randomized layouts, the opponent gains no new power from being able to guess local references of the user program. Our numerical bounds are similar to those of Abadi and Plotkin; thus, the extra programming language features do not cause a concomitant increase in the resources required for protection via randomization. I.