An Interview with Robin Milner

Karen Frenkel:

Please describe, in the simplest terms possible, the essence of Logical for Com- putable Functions (LCF). RObin MIIner:

I came quite late to research. I taught for five years in City University in London, and before that I'd worked for three years for Ferranti Com- puters, where I did some programming. While I was teaching at City University, I became interested in artificial intelligence, but also in what programming means. I also got interested in mathematical logic, but all of these were separate threads. KF: That would have been in the late 1960s? An interview with

RM: Yes, from 1960 to 1963, I was at Ferranti, and from 1963 to 1968, I was at City University. Then I got a chance to do a full-time research post with David Cooper who was head of the computer science department at Swansea College in the University of Wales. Under the stimulus of David, I worked on understanding programming and program verification. I wrote myself a small theorem- proving program. At that time, there was a tremendous research effort in mathematical theorem proving, trying to do automatically what mathematicians have done with deep thought over the centuries. Another thread was stimulated by the work of Michael Paterson, who had written a wonderful thesis on program schematology--part of his joint work with David Luckham and David Park. That thread was the study of the shapes of different programs as opposed to their content, or put another way, studying the general shape of their evaluation structure as opposed to the actual numbers that they were processing. The work of Paterson and Cooper made me want to understand how you could verify computer programs. Pioneering work had recently been done by Bob Floyd at Stanford and by Tony Hoare in Britain.

~0 January 1993/Vol.36, No.l /COMMUNICATION| OP TNiACM n ilner

COImlmUlUC~T|ONSOFTHIEAClm/~anuary19931Vol.36, No.l ~J My first attempt was to take a sim- tions of computer science, or mean- ple program--many people were ings of programming languages, doing similar work at that time--and along with the artificial intelligence. extract from it what you would need But we all need, in order to satisfy to prove that it was working prop- our funding agencies, something erly. Those were called verification that actually runs and buzzes and conditions. They were fed into an whistles, something that actually con- automatic theorem-proving program vinces them that not only are we try- that would then prove that the origi- ing to understand computers but nal program was working properly. [that] we're also using them; you This ran into the sand because it is have to make your work concrete in far too difficult for a computer to do. order to get credibility. I remember a Human intelligence must accompany meeting in McCarthy's AI lab where we use the business of verifying that pro- we were all wondering what imple- the term grams, which are human construc- mentation should be done next to get tions, actually work. So, I wasn't sure machines to help in understanding "'metalanguage'" how human assistance could be our own software activities. I was the for a brought to bear on this in a rigorous new boy, and I actually wanted to do way. the next implementation because I language Then I learned of Dana Scott, realized that Scott's work was just that talks who, with Christopher Strachey, waiting to go into a computer pro- went into the foundations of program that would then help us to rea- about Other gramming languages. I not only had son about other computer programs. languages. some discussion with Strachey about So I said, "I'll implement Scott's programming languages, I also lis- logic." That was exciting because That's why ML tened to Scott's lectures while he was Scott had created something more came into visiting Oxford University and read general than most people realized. his writings. It was a very exciting We worked on proving that a com- existence. time, because together they began to piler was correct. If you write a pro- work out the mathematical meaning gram in a high-level programming of programming languages. language, it's then converted by the I hoped to start from the very rock compiler into a low-level program. bottom with the mathematical mean- That shouldn't change the meaning. ing of languages, and use that as a If it does, that's a disaster. So one of firm foundation for reasoning about the first things you must do is show computer programs that anyone that the translation is correct. Mc- might have written. I wondered how Carthy and his students had done one might do this. And Scott actually some initial case studies on this. And gave the hint by building, so to speak, we proved with LCF the correctness some of his mathematical models of a more complex compiler, which into a formal logical system that worked with a richer language. I could be used as a basis for computer hadn't realized that was going to be assistance. When you want to get a possible. To me, it was part of the computer to assist with something, it general activity of eventually reach- has to be formal; it has to be exact. ing something that ordinary pro- The way it's going to help must be grammers could use to check out absolutely formal. Scott didn't actu- their own programs. ally call it the Logic for Computable Functions. I called it that. But he Designing ML embedded some of his mathematical KF: Did you try your proof techniques on understanding in this formal, logical certain languages already in existence system. when you were ~zt Stanford? I was very excited about this. I RM: Yes, and I'd also tried that at went to Stanford University in 1971, Swansea, but I rapidly began trying and got the chance to work with John to prove properties of whole lan- McCarthy in his artificial intelligence guages, so I wasn't focused on a par- lab. When I arrived, it was quite ticular language. McCarthy, (Allan) amusing because they wanted to do Newell, and (Herb) Simon's lan- this kind of work, but they were also guage, LISP, was a wonderful tool very keen to do some practical work. with which to write all the software There was a lot of work on founda- that would eventually do this verifi-

92 January 1993/Vol.36, No.l /COMHUNICATIONSOPTHBACiR cation. So McCarthy's laboratory and languages avoid talking certain kinds he'd finished it. Nobody ever found McCarthy himself were a wonderful of nonsense. But it also had to be any mistakes in it. It was the first liaison for me because LISP process- very flexible because it was actually implementation of ML. And Newey ing was a wonderful vehicle for what going to be used, and I didn't want to and I worked on other parts of the you might call nonnumerical pro- design a language that would slow implementation as well. gramming--programming which me down. It had to have certain fea- When Wadsworth and Gordon realizes different forms of thinking tures that were at the frontier of pro- came, we developed the language than numerical mathematics. That gramming language design, such as more carefully so that it could serve was a vehicle for doing all my work. higher-order functions of the great- as a basis for really big reasoning In fact, LISP led to the design of est possible power, and also side ef- projects. At that point, the project Metalanguage (ML). fects and exceptions. An exception is divided; the reasoning work went on I left Stanford after two years, just a way of getting out of something along one line, and language devel- having had reasonable success with that you shouldn't be doing because opment of ML itself went along an- this reasoning tool. But it was very it's not working. Since strategies other. ML went from being a special rigid. That is, the way I could inter- don't work every so often, you use an language for this particular task to a act with this machine in helping me exception to say, "Wrap this up. I'm general language. And that hap- to reason, was that I could ask it to do going to try something else." In a pened in a beautiful, but unplanned certain formal transformations, and programming language, an excep- way. One now-famous contributor it would do them correctly. By the tion is absolutely vital. And it was was an Italian graduate student, way, the real pioneer of machine- vital for this particular application. Luca Cardelli, who wanted a lan- assisted reasoning was deBruijn in All of this directed the design of guage for his Ph.D. work, so he im- Holland who invented his Automath ML, which occurred in Edinburgh plemented an extension of ML. system before this; I didn't know with other colleagues from 1974 Then somebody else discovered this about it at the time. onward. was a good language to teach to stu- But the way that I wanted LCF to Xlm: That was a 12-year project? dents. It then began a life as a gen- help in the reasoning business was Ha: Yes, ML began just as a vehicle eral-purpose language because we this: If you've got a machine helping for communicating proof strategies started teaching it to second-year you, you want to not only get it to within the LCF work. Malcolm undergraduate students. It turned check what you're doing, but to be Newey and Lockwood Morris, both out to be a way of learning to pro- able to communicate to it certain of whom I had met at Stanford, and gram. general strategies for reasoning. I later Christopher Wadsworth and KI~: Was that one of the surprises? needed a medium by which I could Mike Gordon came to work with me, Hi: Yes, one of the reasons it communicate to the machine certain and we created this language and turned out to be general-purpose general procedures for reasoning some mathematical understanding was because the demands of the ap- that it would later invoke, at my be- for it. plication-the LCF work--were so hest, on particular problems. I would The LCF system at Edinburgh strong that if a language could do all not have to lead it through the ele- then became the language ML with of that, then it would also do a lot of mentary steps every time. I wanted to some particular reasoning power other things as well. That happened be able to give it larger and larger expressed within that language. in an uncontrolled way for a while. chunks of reasoning power, built up Gradually, the language became People used different dialects either from the smaller chunks. So I would more and more important. because they liked experimenting in have to have a language by which I language design, or because they could communicate to the machine A Longtlme Collaboration wanted it for teaching more clearly, I these tactics or strategies. KF: What was it like to collaborate with suppose. Then, you come back to the prob- people on developing a language over the About 1983, on suggestion of Ber- lem of building houses on sand be- course of more than a decade? How did nard Sufrin at Oxford, I felt we cause the more languages you bring you work together? ought to pull the threads together to into your process, the more possibili- RM= That was a wonderful experi- see if there was a bigger language ties you have for appearing to talk ence. It came together in ways that that comprised all the ideas people sense but are actually talking non- could not be predicted or planned. had been tossing about. I produced a sense. So the language we needed to When I got to Edinburgh, I had a proposal for standardizing this lan- express the reasoning capabilities research project funded by the Sci- guage. We began to have very intense had to be very robust. We use the ence and Engineering Research discussions because language design term "metalanguage," for a language Council (the British equivalent of the isn't easy, and people disagree about that talks about other languages. NSF). The first to join me were it. But we acquired a group of about That's why ML came into existence. Newey and Morris. We weren't quite 15 people who worked via email. We It was the metalanguage with which clear what the language should be, had a distributed effort involving we would interact with the machine and we tossed ideas around among David MacQueen at Bell Labs. So we in doing verification. It had to have ourselves. I remember Morris wrote began to play with the design and what we call a rigorous type structure the first compiler for ML and left it tried to firm it up. because that's the way programming behind in Edinburgh six weeks after Then another splendid thing hap-

COHHUNICA'IrlONIIOIBTHI ACH/~anuar F 1993/'Vo|.36, NoA ~ pened. MacQueen invented a new you might go back to the design be- upper level to the language that cause something was not imple- made it more appropriate for large mented very well. programming exercises. This enabled you to write large modular Concurrency and Parallelism programs and assist "programming KID: Let's move on to Calculus for Com- in the large." MacQueen had been in municating Systems ( CCS). Edinburgh working with Rod RM: The development of CCS also Burstall, who had a mathematical went on for a long time. As Stanford, project which actually led to Mac- I got interested in trying to under- Queen's idea of modules of ML. So stand concurrent computing and some of the mathematical, or the the- parallel computing programs. I tried The great oretical research, fed into the design to express the meaning of concur- of the language in that way. rent computing in terms that had challenge and For the next four to five years we been used for other programming greatest were standardizing this language. It languages that were sequential. I went through design after design. In found it wasn't easy, and I felt that excitement 1989 we still didn't all completely concurrency needed a conceptual agree, but those charged with writing framework, which we did not have. was that the formal definition of the language And I didn't know what it should be. we were published it with MIT Press. Of course, I didn't know about his KP: What was the greatest challenge in work, but Carl-Adam Petri had al- always those 12 years? ready pursued such a goal. But my interacting RM: In terms of the language de- motivation was actually to show how sign, for me it was creating the for- you could build concurrent systems-- with three mal definition, because the design how you could create a conceptual things: the had to be enshrined in an absolutely framework in which you could com- rigorous definition. pose and synthesize larger and larger design of the KF: Enshrined? concurrent systems from smaller language, its aM: Yes, it had to be expressed ones and still retain a handle on what completely rigorously. Not many lan- it all means. That's why I eventually implementation, guages have had that completely rig- approached the algebraic method. and the orous definition. Others have had it Algebra is about combining things to in part. Our aim was to have not only make other things and the laws that formal a definition that was completely rig- govern the ways you stick things to- orous, but was also quite small. The gether. In multiplication, A × B is a definition language was supposed to be power- more complicated thing than A or B. itself. ful but so harmonious and so well Multiplication has certain laws. That structured that it didn't take many was exactly the same as parallel com- pages to write down the definition of position. Two programs, P in parallel everything you could do in it. Even- with Q, give you a more complicated tually it took 100 pages, which is per- program, and that parallel composi- haps an order of magnitude smaller tion obeys some algebraic laws. So than for some powerful languages CCS was an attempt to algebraicize like ADA, for which the formal defi- the primitives of concurrency. nition is not easy. For me, the greatest challenge and Concurrency Theory and the greatest excitement was that we Hardware were always interacting with three KF: To what extent does the hardware things: the design of the language, its affect the theory of concurrency? Doesn't implementation (because it always it matter the way the processors are linked was being implemented experimen- and whether the machine is fine- or tally), and the formal definition it- coarse-grained ? self. You would design something, Rill: Yes, that's a big question be- and then you would find out that you cause there are two things you might could implement it well, perhaps, but be trying to do when you're studying that you couldn't write down the for- parallelism. You might be studying mal definition very clearly because the meaning of a parallel program- the formal definition showed there ming language that is going to run was something missing in the design. on some hardware. Or you might be So you'd go back to the design. Or trying to describe a concurrent sys-

g4 January 1993/Vo1.36, No.l /COMMUNICATIONS OF THE ACM tem that is a piece of hardware. What always be sequential, and that gave us sometimes fail. Actually, researchers I was really aiming at was not just a an inroad into understanding com- in these three algebraic endeavors theory of programming, but a way to puting. have been collaborating lately to iron describe concurrent activity of any But back to concurrency, I needed out some differences. But it keeps kind. And the machine is just one a new conceptual framework. When exploding because no sooner do you example of something that has I went to Denmark in 1979 and 1980, try to bring them together than you highly concurrent activity. So there I gave some lectures in which it came discover that there are extra things must be a theory of concurrency that together rather well. I wrote the that you want to add. In the begin- can describe the machines on which book on CCS (A Calculus of Communi- ning, we didn't talk about real time you might run a parallel program- cating Systems), which was essentially a or probability. We wanted to attach ming language. You must be able to ramification of 10 lectures I gave probabilities to the possibilities that apply your theory at these different there. For the next five or so years, I are expressed in these process alge- levels. Parallel programming is just just studied CCS. Between 1980 and bras. one kind of concurrent activity. 1985 I began to develop the mathe- One line of development that links It does matter from the point of matics to see whether you could find the algebraic concurrency endeavor view of efficiency, and even feasibil- some abstract mathematical under- and the already existing and very ity, on what hardware you will run a standing underneath it. fruitful work of Petri on Petri nets parallel language. Some languages CCS was obviously not perfect, but has become rather promising and yet will be much easier to run on some it existed as a concrete language and difficult because the conceptual basis hardware than others. But that very method of description. It had an al- in the two cases doesn't line up per- match, that very question, "What is it gebraic theory, and you could go fectly. So the theory of concurrency about a machine that makes it pos- underneath it as I began to see is enriched by having these different sible or impossible to run a certain whether it could be explained more approaches and then looking for programming language?" should be smoothly, more abstractly mathemat- what it takes to commonize them, to part of the theory of computer sci- ically. But then it could also be used actually find out that they're not con- ence. Computer science should be in design studies. That is, it could be tradictory and that they're about dif- able to address that machine- used as a way of understanding com- ferent aspects of essentially the same language link, just as it addresses the munications protocols, how traffic problem. This field has become language itself. lights work for example, or simple enormously rich in the last decade. The theory should also address concurrent systems in practice. interaction between humans and in- CCS was used to explain the speci- Object-Oriented Programming teraction in any organization. The fication language LOTOS, which is a KF: There are three characterizations of programming language is a small way of describing communications programming methods: imperative or part of concurrent activity. So one is protocols and which is very widely structured, functional, which is what you aiming for a theory that is actually used now. CCS was at a level that started out doing, and object oriented. broader than computer science. enabled you to dig below for seman- Can you comment on the strong trend KF: Do you think the interrelationship tic understanding, but you could also toward object-oriented programming in between a parallel language and a paraL build on top of it to get more useful the U.S. ? lel machine is more problematic than that things in the field. RM: Object-oriented programming of sequential languages and sequential During the 1980s, Tony Hoare's is a wonderful example of how fruit- machines? work was going along in parallel. ful things don't happen very pre- Rim: Yes, I do. I don't think it's And he had similar ideas to mine. He cisely. That is, the programming more problematic just because it's invented the language CSP before I community has come up with this one step up. It's more problematic did the algebraic work on CCS. tantalizing, powerful, and productive because it has a larger number of Later, he pursued the theory of CSP way of thinking that is obviously with degrees of freedom. The only limita- in a way that was complementary to us to stay because it gives people just tion in trying to understand concur- my algebraic theory. So the algebraic what they want. But at the same time rency in the way that computer scien- field became very rich. His ideas it's very difficult to understand tists do, is that we're trying to were very different and very impor- mathematically and semantically. understand it discretely rather than tant. Then there began a search for a People at the forefront of object- continuously. On the whole, we're general framework that encom- oriented programming are aware interested in discrete events in com- passed his ideas and those in CCS that it's important and powerful. puting, rather than continuous ones. and other process algebras, notably And they want to deepen semantic At least that's been the fashion for those of Jan Bergstra and Jan Willem understanding of it. the last three decades. Klop in Holland on ACP. And that, It's a challenge to somebody who There are also so many different in turn, was used on a lot of applica- wants to develop a theory to make ways by which you might tackle the tions. sure it will actually contribute to that problem. Sequential computing was We've been looking at these differ- understanding. Different computer a wonderful beginning for us. The ent approaches for many years, try- science theories are needed to ex- normal way you would write a pro- ing to subsume them into a whole. plain object-oriented programming gram from the very beginning would We sometimes succeed, and we because it is partly about concur-

¢OMNUNI¢IliYIONIIII O1~ TllUl ACM/J anuary 1993/Mol,36, No.l ~ rency. It naturally talks about objects field. that coexist and must therefore be My present concurrency research allowed to behave simultaneously. is in developing a mathematical the- That's parallelism or concurrency. ory of this model, constantly testing it It's also about the classification of (either myself or asking others to) in objects: the type structure, how ob- various, more practical frameworks, jects inherit methods from the class like object-oriented programming, to which they belong. If you define logic programming, even functional new subclasses, then you can add or imperative programming, to make new methods. An object's methods sure it can underlie all of these determine how it may be used. You things. If it can't, then it's the wrong want to insert some fire walls into a approach. programming language design so I'm not saying everybody wants to Computer people will stop trying to subject an think at this low level. But if you're science object to operations that are mean- ever going to run a functional pro- ingless for that object. That's what gram on a big concurrent machine is not only a type structuring is all about. while running an object-oriented One theory that is contributing a program on the same machine, and study of lot to object-oriented programming even communicate between them, a basic theory, is the development of a type struc- then you'd have to have some com- ture. That part does not primarily mon theoretical framework in which and it is not have to do with concurrency. On the they can both be explained. Other- just the other hand, the dynamic part, or the wise, it's awful. We have total incom- behavioral aspect of object-oriented prehension. We do have these heter- business of programming, particularly concur- ogeneous systems with one part making things rent object-oriented programming, is understood in terms of functional precisely what we should try to un- programming or some different happen. It's derstand from the point of view of model, and other parts in object ori- actually a concurrency because concurrency is ented. But you must be able to un- about independent objects. These derpin them all. Reliability really is study of may work together, cooperate, or terribly important. how things confuse one another. So you have to The theory is still not as clean as it be able to explain object-oriented should be. There is a basic theory happen. programming of the concurrent kind waiting to be revealed more clearly. in terms of a basic concurrency the- It has elements of Petri net theory; it ory. Otherwise that theory isn't any has elements of the important no- good. tions of reference and naming. There have been some very excit- This theory is guided--it's not ing initiatives to create that under- wandering along in a trackless fash- standing on the basis of theories we ion. It's being submitted to the math- have currently. Carl Hewitt comes in ematical test all the time: Can we here because his notion of Actors, really work with it? Is it tractable which he invented 20 years ago, was mathematically? Does it really under- a great stimulus in providing the pin all of the different things that conceptual framework for object- people are doing in practice? If it oriented programming. We need to tries to escape from these criteria underpin both object-oriented pro- then we shall notice. And then, it gramming and the Actors model should cease to be interesting. with something more formal or more KP: The title of a paper you wrote in basic. That's where may process alge- 1987, "'Is Computing an Experimental bra work (with Joachim Parrow and Science?" raises a very interesting ques- David Walker) is going now. In my tion. What prompted you to write it at the lecture I discuss the dynamic behav- time ? ior of objects in object-oriented pro- RM: It resulted from ideas that had gramming. Very interesting work by been around for a long time coming Japan's Kohei Honda and Mario together with a particular practical Tokoro bridges between our process need. We had good funding from algebra work and concurrent object- our Science and Engineering Coun- oriented programming. It shows how cil. In the middle of the 1980s, the one can be adapted or trained to Alvey Program was supposed to explain the other. That's a very active stimulate industry and join it onto

S6 January 1993/Vol.36, No.l /¢OUMUNICATIONS OF THR ACre academic research. We feared the made the case that if you look deeply, whether you're of a theoretical or a effort would be drained from the you find less difference between practical bent, is to treat the subject theoretical part of the research and computer science and other estab- as neither purely theoretical or that funding would be devoted to lished sciences than you might ex- purely practical. The worst thing you shorter-term activities. These are pect. The experiments we do in com- can do is to follow your bent, which highly necessary, but we didn't want puter science are not that much would probably be on one of those that to happen to the detriment of dirtier or fuzzier than some experi- sides, and ignore the other side. The theoretical work. The trouble with ments in other sciences. Of course, whole richness of the subject comes computer science is that it's so appli- physics is the queen of the sciences, from the interplay between practice cable you can be blamed if you're not and the experimental discipline is and theory. doing immediately applicable re- extremely sophisticated. We can't Many will pretty soon find them- search. There is such a demand for match physics in the refinement of selves ignoring one of those compo- application research that if you are our experimental discipline, but that nents because they will naturally be- doing something with longer-term isn't to say we're not an experimental come very applications oriented or implications, you can be criticized for discipline. When you test a piece of very basic-research oriented. But the not doing the most urgent thing. software to see whether it works, longer we can keep the link between That's a great danger, because com- that's some kind of experiment. And the theoretical frontier and the prac- puter science is so broad that if it in testing a piece of software, what tical frontier, the better the whole doesn't have a basic theory, we will be are you testing at the same time? thing will be. We should encourage ' lost. There's so much going on, so You're also testing the language in the next generation to respect that much computing, so much commu- which it's written, and you're testing link. If you don't respect that, you nications. How could it be that this the formal theory that underlies that lose a whole degree of freedom in doesn't have a theory? It has to go language. Why can't that be called the interest of the subject. alongside the practice. experimental science? I suppose the What makes it interesting is that Therefore, the more you respond way I say it seems defensive. Many the link is there. Computer science is to shorter term, however necessary people would say, "Yes, of course, it's actually a study of things that hap- and important the demands, the an experiment." But enough people pen. It's not only a study of a basic more you run the risk that you're will have assumed there isn't a sci- theory, and it is not just the business starving the basic science, which ence. So it is actually worth underlin- of making things happen. It's actu- should be growing up at the same ing that I think it is experimental. ally a study of how things happen. So time. We asked the Alvey Directorate I claimed further in that paper the advice is: Don't lose the link! [] to remember that the basic research that there are concepts from com- About the Author: program is pretty strong in Britain puter science that will influence KAREN A. FRENKEL is senior editor, ACM and argued it should not be a casu- mathematics. Most people learned Publications and Special Projects. Author's Current alty of this new and exciting effort. about sets in mathematics when they Address: ACM, 1515 Broadway, New York, NY 10036. We asked them to recognize us as a were children. When we understand Permission to copy without fee all or part of this laboratory that would link between about processes as mathematical ob- material is granted provided that the copies are not made or distributed for direct comn]ercial advantage, the theoretical research and indus- jects, school children in the second the ACM copyright notice and the title of the publi- trial practice. They responded gen- and third decade in the twenty-first cation and its date appear, and notice is give that erously. century will actually think about pro- copying is by permission of the Association for Computing Machinery. To copy otherwise, or to My colleagues and I decided to cesses in the same abstract way they republish, requires a fee and/or specific permission. make the case that the relationship now think about sets. That will be between us and the Alvey initiative because of computer science. It's © ACM0002-0782/93/0100-078 $1.50 should be bidirectional. You don't experimental in that you're drawing just take things out of academia and concepts out of practice. Obviously, apply them. You use the industrial you don't draw concepts out which experience as a guide. That's the don't inform the activity. Experi- experiment. That's what computer mental science is a way of developing science is at the moment--one large a conceptual framework by drawing experiment. And it's a very uncon- out the concepts that actually do ap- trolled experiment. pear to underlie the practice, but So the questions are, "Is that abso- testing them all the time. lute nonsense? Is it an experiment? Or is that just a crazy thing to say?" Advice to Students Some will say it's crazy--all that com- KIm: Do you have any advice that you puter science is is a bag of tricks. You would like to give to young people who are use computers, and you use them in starting out in computer science about the different ways, just as you use water best way to prepare themselves in comput- for different purposes. ing? In the paper which I gave at the Ha: One doesn't want to sound inauguration of our laboratory, I pompous. The best thing to do,

COMMUNICATIONS OP'IrHG ACM/January 1993/Vol.36, No.l 97