Refinement-Based Game Semantics for Certified Abstraction Layers∗

Jérémie Koenig Zhong Shao Yale University Yale University [email protected] [email protected]

Abstract ACM Reference Format: Formal methods have advanced to the point where the func- Jérémie Koenig and Zhong Shao. 2020. Refinement-Based Game tional correctness of various large system components has Semantics for Certified Abstraction Layers. In Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science been mechanically verified. However, the diversity of seman- (LICS ’20), July 8–11, 2020, Saarbrücken, Germany. ACM, New York, tic models used across projects makes it difficult to connect NY, USA, 15 pages. https://doi.org/10.1145/3373718.3394799 these component to build larger certified systems. Given this, we seek to embed these models and proofs into a general- purpose framework where they could interact. We believe that a synthesis of game semantics, the refinement calculus, 1 Introduction and algebraic effects can provide such a framework. Certified software43 [ ] is software accompanied by mecha- To combine game semantics and refinement, we replace nized, machine-checkable proofs of correctness. To construct the downset completion typically used to construct strategies a certified program, we must not only write its code ina from posets of plays. Using the free completely distributive given programming language, but also formally specify its completion, we construct strategy specifications equipped intended behavior and construct, using specialized tools, evi- with arbitrary angelic and demonic choices and ordered by dence that the program indeed conforms to the specification. a generalization of alternating refinement. This provides a novel approach to nondeterminism in game semantics. 1.1 Certified systems at scale Connecting algebraic effects and game semantics, we in- The past decade has seen an explosion in the scope and scale terpret effect signatures as games and define two categories of practical software verification. Researchers have been of effect signatures and strategy specifications. The resulting able to produce certified compilers [30], program logics [8], models are sufficient to represent the behaviors of a variety operating system kernels [22, 28], file systems15 [ ] and more, of low-level components, including the certified abstraction often introducing new techniques and mathematical models. layers used to verify the operating system kernel CertiKOS. In this context, there has been increasing interest in making these components interoperable and combining them—and CCS Concepts: • Theory of computation → Logic and their proofs of correctness—into larger certified systems. verification; Program specifications; Program verifica- This is exemplified by the DeepSpec project [9], which tion; • Software and its engineering → Formal soft- seeks to connect various components specified and verified ware verification; Functionality; Abstraction, model- in the Coq proof assistant. The key idea behind DeepSpec ing and modularity. is to interpret specifications as interfaces between compo- Keywords: certified abstraction layers; dual nondetermin- nents. When a component providing a certain interface has ism; game semantics; strategy specification; program refine- been verified, client components can rely on this for their ment; interaction specification; algebraic effects own proofs of correctness. Standardizing this process would ∗Minor revision published by the authors on June 24, 2020 make it possible to construct large-scale certified systems by assembling off-the-shelf certified components. Permission to make digital or hard copies of all or part of this work for To an extent, these principles are already demonstrated personal or classroom use is granted without fee provided that copies in the structure of the certified C compiler CompCert [30], are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights where the semantics of intermediate languages serve as inter- for components of this work owned by others than the author(s) must mediate specifications for each compilation pass. The correct- be honored. Abstracting with credit is permitted. To copy otherwise, or ness of each pass is established by proving that the behavior republish, to post on servers or to redistribute to lists, requires prior specific of its target program refines that of its source program. As permission and/or a fee. Request permissions from [email protected]. passes are composed to obtain the overall C-to-assembly LICS ’20, July 8–11, 2020, Saarbrücken, Germany compiler, the correctness proofs are composed as well to © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. construct a correctness proof for the whole compiler. The ACM ISBN 978-1-4503-7104-9/20/07...$15.00 final theorem does not mention the intermediate programs https://doi.org/10.1145/3373718.3394799 or language semantics, so that a user only needs to trust the LICS ’20, July 8–11, 2020, Saarbrücken, Germany Jérémie Koenig and Zhong Shao accuracy of the C and assembly semantics, and the soundness makes this approach broadly applicable, and the typed as- of the proof assistant. pect of the resulting models makes it ideal to the task of Building on this precedent, the CertiKOS verification ef- describing the behavior of heterogeneous systems. fort [22–24] divided the kernel into several dozen abstraction However, the generality of game models often translates to layers which were then specified and verified individually. a fair amount of complexity, which imposes a high barrier to Layer specifications provide an abstract view of a layer’s entry for practitioners and makes them difficult to formalize functionality, hiding the procedural details and low-level in a proof assistant. While more restricted, the framework data representations involved in its implementation. Client of algebraic effects [40] is sufficient for many modeling tasks, code can be verified in terms of this abstract view in order fits within the well-known monadic approach to effectful to build higher-level layers. Certified layers with compatible and interactive computations, and can be adapted into a interfaces can then be chained together in the way passes particularly simple version of game semantics. Along these of a compiler can be composed when the target language of lines, interaction trees [46] have been developed for use in one corresponds to the source language of the other. and across several DeepSpec projects. Finally, while game models have been proposed for a wide 1.2 Semantic models for verification variety of programming languages, there has been compara- tively less focus on specifications and correctness properties. While this approach is compelling, there are difficulties asso- By contrast, the general approach of stepwise refinement sug- ciated with extending it to build larger-scale certified systems gests a uniform treatment of programs, specifications and by connecting disparate certified components. A key aspect their relationships. It has been studied extensively in the enabling composition in CompCert and CertiKOS is the uni- context of predicate transformer semantics [20] and in the formity of the models underlying their language semantics framework known as the refinement calculus [11]. and correctness proofs. By contrast, across projects there exist a great diversity of semantic models and verification techniques. This makes it difficult to formulate interface spec- 1.4 Contributions ifications to connect specific components, let alone devising Our central claim is that a synthesis of game semantics, al- a general system to express such interfaces. gebraic effects, and the refinement calculus can be usedto Worse yet, this diversity is not simply a historical accident. construct a hierarchy of semantic models suitable for con- The semantic models used in the context of individual verifi- structing large-scale, heterogeneous certified systems. To cation projects are often carefully chosen to make the verifi- provide evidence for this claim, we outline general tech- cation task tractable. The semantic model used in CompCert niques which can realize this synthesis and demonstrate alone has changed multiple times, addressing new require- their use in the context of certified abstraction layers: ments and techniques that were introduced alongside new compiler features and optimizations [31]. Given the difficulty • We adapt the work of Morris and Tyrrell [35, 36], of verification, preserving this flexibility is essential. which extends the refinement calculus to the level of Then, to make it possible to link components verified terms by using free completely distributive completions using a variety of paradigms, we need to identify a model of posets, to investigate dual nondeterminism in the expressive enough to embed the semantics, specifications context of game semantics and construct completely and correctness proofs of a variety of paradigms. distributive lattices of strategy specifications, partially ordered under a form of alternating refinement [7]. • In §3, we define a version of the free monad on an effect 1.3 General models for system behaviors signature which incorporates dual nondeterminism Fortunately, there is a wealth of semantics research to draw and refinement. The result can be used to formulate from when attempting to design models for this task. a theory of certified abstraction layers in which layer The framework of symmetric monoidal categories, which interfaces, layer implementations, and simulation rela- allows components to be connected in series (◦) and in paral- tions are treated uniformly and compositionally. lel (⊗), captures structures found in various kinds of systems • In §4, we outline a more general category of games and processes [12], and appears in different forms in many and strategy specifications; its object are effect signa- approaches to logic and programming language semantics. tures regarded as games and its morphisms specify A particularly expressive instance of this phenomenon well-bracketed strategies. The behavior of certified ab- is realized in game semantics [1], an approach to composi- straction layers can then be represented canonically, tional semantics which uses two-player games to model the and reentrant layer interfaces can be modeled. interaction between a component and its environment, and represents the externally observable behavior of the com- The model presented in §3 was designed to be simple but ponent as a strategy in this game. The generality of games general enough to embed CompCert semantics, certified ab- as descriptions of the possible interactions of components straction layers, and interaction trees. The main purpose for Refinement-Based Game Semantics for Certified Abstraction Layers LICS ’20, July 8–11, 2020, Saarbrücken, Germany the model presented in §4 is then to hide state and charac- Program refinement. Instead of proving program cor- terize certified abstraction layers through their externally rectness in one go, stepwise refinement techniques use a more observable interactions only. incremental approach centered on the notion of program re- Note that rather than providing denotational semantics for finement. A refinement C1 ⊑ C2 means that any correctness specific programming languages, our models are intended as property satisfied by C1 will also be satisfied by C2: a coarse-grained composition “glue” between components C1 ⊑ C2 := ∀PQ · P{C1}Q ⇒ P{C2}Q developed and verified in their own languages, each equipped with their own internal semantics. In this context, the models’ We say that C2 refines C1 or that C1 is refined by C2. restriction to first-order computation applies only to cross- Typically, under such approaches, the language will be component interactions, and conforms to our interest in extended with constructions allowing the user to describe connecting low-level system components. abstract specifications as well as concrete programs. Then the goal is to establish a sequence of refinements C1 ⊑ · · · ⊑ 2 Background and approach Cn to show that a program Cn involving only executable constructions correctly implements a specification C1, which The work presented in this paper draws from a broad range may be stated in much more abstract terms. of existing research. This section summarizes the relevant If the language is sufficiently expressive, then a correctness aspects of these various lines of work, and outlines how we property P{−}Q can itself be encoded [34] as a specification combine them to develop refinement-based game semantics. statement ⟨P, Q⟩ such that: 2.1 Dual nondeterminism and refinement P{C}Q ⇔ ⟨P, Q⟩ ⊑ C . Correctness properties for imperative programs are often In the context of refinement, the properties associated with stated as triples of the form P{C}Q asserting that when the demonic and angelic choice generalize as: program C is started in a state which satisfies the predicate C ⊑ C1 ∧ C ⊑ C2 ⇒ C ⊑ C1 ⊓ C2 P (the precondition), then the state in which C terminates C ⊑ C ∨ C ⊑ C ⇒ C ⊑ C ⊔ C will satisfy the predicate Q (the postcondition). For example: 1 2 1 2 Given the symmetry between the demon and angel, it is then x is odd {x := x ∗ 2} x is even natural to interpret demonic and angelic choices respectively as meets and joins of the refinement ordering. In the axiomatic approach [26] to programming language Until this point, we have discussed demonic (⊓) and an- semantics, inference rules corresponding to the different gelic (⊔) choices as implementation constructs (appearing to constructions of the language determine which triples are the right of ⊑), taking the point of view of a client seeking valid, and the meaning of a program is identified with the to use the program to achieve a certain goal. However, in set of properties P{−}Q which the program satisfies. this work we use them primarily as specification constructs Axiomatic semantics can accommodate nondeterminism (appearing to the left of ⊑), and are interested in what it in two different ways. In the program C ⊓ C , a demon 1 2 means for a system to implement them. As a specification, will choose which of C or C is executed. The program 1 2 C ⊓ C allows the system to refine either one of C or C , x := 2 ∗ x ⊓ x := 0 may be executed arbitrarily as x := 2 ∗ x or 1 2 1 2 while C ⊔ C requires it to refine both of them: x := 0, with no guarantee as to which branch will be chosen. 1 2 The demon works against us, so that if we want C1 ⊓ C2 to C1 ⊑ C ∨ C2 ⊑ C ⇒ C1 ⊓ C2 ⊑ C satisfy a given property, we need to make sure we can deal C1 ⊑ C ∧ C2 ⊑ C ⇒ C1 ⊔ C2 ⊑ C with either choice. This corresponds to the inference rule: In other words, demonic choices give us more implementa-

P{C1}QP{C2}Q tion freedom, whereas angelic choices make a specification stronger and more difficult to implement. Therefore we can P{C ⊓ C }Q 1 2 think of demonic choices as choices of the system, and think Conversely, in the program C1 ⊔ C2, an angel will decide of angelic choices as choices of the environment. whether C or C is executed. If possible, the angel will make 1 2 The refinement calculus. These basic ingredients have choices which validate the correctness property. This implies: been studied systematically in the refinement calculus, dat- P{C1}Q P{C2}Q ing back to Ralph-Johan Back’s 1978 PhD thesis [10]. In its modern incarnation [11], the refinement calculus sub- P{C ⊔ C }Q P{C ⊔ C }Q 1 2 1 2 sumes programs and specifications with contracts featuring The statement x := x ∗ 2 ⊔ x := 0 is more difficult to inter- unbounded angelic and demonic choices. pret than its demonic counterpart, but can be thought of as However, the refinement calculus only applies to imper- a program which magically behaves as x := x ∗ 2 or x := 0 ative programs with no side-effects beyond changes to the depending on the needs of its user. global state. Recent research has attempted to extend the LICS ’20, July 8–11, 2020, Saarbrücken, Germany Jérémie Koenig and Zhong Shao paradigm to a broader setting, and the present work can be replaces any outcome a of x with the computation f (a). We ← ( ) ∗( ) understood as a step in this direction as well. will use the notation a x; f a for fϕ x , or simply x;y ( ) Dually nondeterministic functions. Morris and Tyrrell when f is constant with f a = y. ∈ ( ) were able to extend the lattice-theoretic approach used in the A computation x FCD a can be understood as a struc- refinement calculus to functional programming [35, 36, 45]: tured collection of possible outcomes. More precisely, each element x ∈ FCD(A) can be written as x = à ϕ(a ) if types are interpreted as posets, dual nondeterminism can di ∈I j ∈Ji ij ∈ be added at the type level using free completely distributive where the index i I ranges over possible demonic choices, ∈ completions. This allows dual nondeterminism to be used in the index j Ji ranges over possible angelic choices, and ∈ a variety of new contexts. aij A is the corresponding outcome of the computation. ∗( ) = à ( ) Note that fϕ x di ∈I j ∈Ji f aij . Definition 2.1. A completely distributive lattice L is a free The algebraic properties of lattices underlie the model’s completely distributive completion of a poset C if there is a insensitivity to branching. Complete distributivity: monotonic function ϕ : C → L such that for any completely Ä Ä distributive lattice M and monotonic function f : C → M, l xi,j = l xi,fi ∗ Î → i ∈I j ∈Ji f ∈( i Ji ) i ∈I there exists a unique complete homomorphism fϕ : L M ∗ ◦ such that fϕ ϕ = f : further allows angelic and demonic choices to commute, and the status of f ∗ as a complete homomorphism enables the ϕ ϕ C L following properties: ∗ fϕ ! f Ä Ä ← [ ] ( ← [ ]) M a xi ; M a = a xi ; M a i ∈I i ∈I A free completely distributive completion of a poset always ! exists and it is unique up to isomorphism. We write FCD(C) a ← l xi ; M[a] = l(a ← xi ; M[a]) for the free completely distributive completion of C. i ∈I i ∈I a ← x;b ← y; M[a,b] = b ← y; a ← x; M[a,b] Morris [35] shows that the free completely distributive completion of (A, ≤) can be constructed as one of: Finally, the least element ⊥ := à œ, traditionally called FCD(A, ≤) := DU(A, ≤) FCD(A, ≤) := UD(A, ≤) abort, merits some discussion. As a specification construct, it places no constraint on the implementation (it is refined ( ) ↓↑ ( ) ↑↓ . ϕ a := a ϕ a := a by every element). As an implementation construct, we use In the expressions above, D and U are themselves comple- it indiscriminately to interpret failure, silent divergence, and tions. A downset of a poset (A, ≤) is a subset x ⊆ A satisfying: any other behavior which we want to exclude (it refines only itself). The assertion {P} ∈ FCD(1) of a proposition ∀a,b ∈ A · a ≤ b ∧ b ∈ x ⇒ a ∈ x . P evaluates to the unit value ϕ(∗) when the proposition is Unions and intersections preserve this property, giving rise true and to ⊥ otherwise. We will use it to formulate guards to the downset lattice D(A, ≤), which consists of all downsets blocking a subset of angelic choices. of (A, ≤), ordered by set inclusion (⊆) with unions as joins and intersections as meets. The dual upset lattice U(A, ≤) is 2.2 Game semantics ordered by set containment (⊇) with intersections as joins Game semantics [2, 13, 27] is an approach to compositional and unions as meets. semantics which interprets types as two-player games be- Categorically speaking, FCD : Poset → CDLat is the left tween a program component (the system) and the context in adjoint to the forgetful functor U : CDLat → Poset from which it appears (the environment). Terms of a given type are the category CDLat of completely distributive lattices and then interpreted as strategies for the corresponding game, complete homomorphisms to the category Poset of partially specifying for each position in the game the next action to ordered sets and monotonic functions. As such, U ◦ FCD is be taken by the system. a monad over Poset, and can be used to model dual nonde- For example, in a simple game semantics resembling that terminism as an effect. In the remainder of this paper, we of Idealized Algol [3], sequences of actions corresponding to identify FCD with the monad U ◦ FCD, and we refer to the the execution of x := 2 ∗ x could have the form: function U (f ∗) as the FCD extension of f . ϕ · · · [ ] · · ( ∈ N) Computationally, the FCD monad can be used to interpret run rdx n wrx 2n ok done n dual nondeterminism as an effect. As usual, ϕ(a) ∈ FCD(a) The moves of the system have been underlined. The environ- corresponds to a computation which terminates immediately ment initiates the execution with the move run. The system with the outcome a ∈ A. For a computation x ∈ FCD(A) and move rdx requests the value of the variable x, communicated → ( ) ∗( ) ∈ ( ) for f : A FCD B , the computation fϕ x FCD B in response by the environment move n. The system move Refinement-Based Game Semantics for Certified Abstraction Layers LICS ’20, July 8–11, 2020, Saarbrücken, Germany wrx(n) requests storing the value n into the variable x, and do not add enough meets, forcing the would-be specification is acknowledged by the environment move ok. Finally, the to become much coarser: system move done expresses termination. ′ Ø Ù σ := ↓(run · rdx · n · wrx[2n + δ] · ok · done) Traditional strategy models. The plays of a game are n ∈N −1≤δ ≤1 sequences of moves; they identify a position in the game and = {ϵ, run · rdx | n ∈ N} . describe the succession of actions that led to it. Most game We will remedy this by using a richer completion. models of sequential computation use alternating plays, in which the system and environment each contribute every Dually nondeterministic strategies. Our approach to other move. It is also common to require the environment demonic nondeterminism in game semantics will be to sub- to play first and to restrict plays to even lengths, so that stitute FCD for D in the construction of strategies presented ′ they specify which action the system took in response to the earlier. The more permissive strategy specification σ which latest environment move. We write PG for the set of plays of we attempted to construct above can then be expressed as: the game G, partially ordered by the prefix relation ⊑. ′ Ä σ := l ϕ run · rd · n · wr [2n + δ] · ok · done
Traditionally [4], strategies are defined as prefix-closed x x n ∈N −1≤δ ≤1 sets of plays, so that strategies σ ∈ SG for the game G are Because of the properties of FCD, the strategy specification downsets of PG satisfying certain requirements: σ ′ will retain not only angelic choices, but demonic choices SG ⊆ D(PG, ⊑) as well, expressing possible behaviors of the system. For the construction FCD := UD, strategy specifications A play s ∈ PG can be promoted to a strategy ↓s ∈ D(PG, ⊑): correspond to sets of traditional strategies, ordered by con- ↓s := {t ∈ PG | t ⊑ s} tainment (⊇). This outer set ranges over demonic choices. = · · · [ + ] · · Set inclusion corresponds to strategy refinement, and the Writing sn,δ : run rdx n wrx 2n δ ok done, the strategy specification σ ′ will be encoded as: downset completion augments PG with angelic choices. ′ Angelic nondeterminism allows us to range over all pos- σ = {σ ∈ D(PG ) | ∀n ∈ N · ∃δ ∈ [−1, 1] · sn,δ ∈ σ } . sible choices of the environment and record the resulting Upward closure ensures that a strategy specification which plays. For instance, the strategy for x := 2 ∗ x would be: contains a strategy σ contains all of its refinements as well. Ø σ := ↓(run · rdx · n · wrx[2n] · ok · done) For instance, the only strategy specification containing the n ∈N completely undefined strategy œ is the maximally permissive = { ϵ, strategy specification ⊥ = D(PG ). run · rdx, 2.3 Algebraic effects run · rdx · n · wrx[2n], The framework of algebraic effects [40] models computations run · rdx · n · wrx[2n] · ok · done | n ∈ N} as terms in an algebra whose operations represent effects: Note that this strategy admits refinements containing much a term m(x1,... xn) represents a computation which first more angelic nondeterminism, including with respect to triggers an effect m, then continues as a computation derived moves of the system. For instance: from the subcomputations x1,... xn. For example, the term: Ø Ø σ ⊆ ↓(run · rdx · n · wrx[2n + δ] · ok · done) readbit(print[”Hello”](done), print[”World”](done)) n ∈N −1≤δ ≤1 could denote a computation which first reads one bit of These refinements do not correspond to interpretations of information, then depending on the result causes the words concrete programs, and in game models which seek to achieve “Hello” or “World” to be output, and finally terminates. definability they are usually excluded. In our context, re- Note that somewhat surprisingly, the arguments of opera- taining them is algebraically important, and they can in fact tions correspond to the possible outcomes of the associated appear as intermediate terms in some applications. In the con- effect. For instance the readbit operation takes two argu- struction above, although δ appears in a system move, it is ments. Moreover, effects such as print which take parame- still associated with an angelic choice. This can be interpreted ters are represented by families of operations indexed by the as a choice of the environment which is not directly observed parameters’ values, so that there is a print[s] operation for (perhaps as a result of abstraction), but which nonetheless every s ∈ string. influences the behavior of the system. Under this approach, effects can be described as algebraic This is quite different from allowing the system to choose theories: a signature describes the set of operations together an answer in the interval [2n − 1, 2n + 1]. The model and with their arities, and a set of equations describes their be- refinement lattice which we have presented so far are insuf- haviors by specifying which computations are equivalent. ficient to express such a specification, because the downsets The example above uses a signature with the operations LICS ’20, July 8–11, 2020, Saarbrücken, Germany Jérémie Koenig and Zhong Shao done of arity 0, readbit of arity 2, and a family of operations 2.4 Certified abstraction layers (print[s])s ∈string of arity 1. An equation for this signature is: To demonstrate the applicability of our results, we will use print[s](print[t](x)) = print[st](x) , them to construct increasingly expressive theories of certified abstraction layers. As described in Gu et al.[22], a certified which indicates that printing the string s followed by printing abstraction layer consists of a layer implementation together the string t is equivalent to printing the string st in one go. In with two layer interfaces: the underlay provides specifica- this work, we use effect signatures to represent the possible tions for the primitives available to the layer implementation; external interactions of a computation, but we will not use the overlay provides specifications for the procedures which equational theories. We will however make it possible to the layer implements. A layer M implementing the over- interpret effects into another signature, modeling a limited lay interface L2 on top of the underlay interface L1 can be form of effect handlers [41]. depicted as follows: Definition 2.2. An effect signature is a set E of operations L2 together with a mapping ar, which assigns to each e ∈ E M L1 a set ar(e) called the arity of e. We will use the notation A layer interface L has three components. First, a signature E = {e1 : ar(e1), e2 : ar(e2),...} to describe effect signatures. enumerates primitive operations together with their types, Note that in this definition, arities are sets rather than given as op : A → B where A and B are sets. In terms of natural numbers. This allows the representation of effects Def. 2.2, this corresponds to a family {op[a] : B | a ∈ A}. with a potentially infinite number of outcomes. The examples Second, the set S contains the abstract states of the layer in- above use effects from the following signature: terface. Finally, for each primitive op : A → B, a specification is given as a function: Eio := {readbit : 2, print[s] : 1, done : œ | s ∈ string} L.op : A × S → P1(B × S) . The most direct way to interpret an effect signature is the algebraic point of view, in which it induces a set of terms Throughout the paper, we will use v@k ∈ V × S to denote a built out of the signature’s operations. pair containing the value v ∈ V and the state k ∈ S. In the An effect signature can also be used for describing the type of L.op above, P1 corresponds to the maybe monad: interface of a monad T , where each effect e ∈ E corresponds P1(A) := {x ⊆ A : |x| ≤ 1} , to a computation of type T (ar(e)). Presented as a monadic expression of type T (œ), the example above corresponds to: where the empty set œ ∈ P1(A) serves a purpose similar to the one discussed for ⊥ at the end of §2.1. ← [ ] b readbit ; print sb ; done As a running example, we will use the certified layer de- where s0 = ”Hello” and s1 = ”World”. Monads which offer picted in Fig.1, which implements a bounded queue with this structure include the free monad on the signature E, at most N elements using a circular buffer. The underlay in- N which leaves effects entirely uninterpreted; roughly, its com- terface Lrb contains an array f ∈ V with N values of type putations of type A correspond to terms over the signature V and two counters which will take values in the interval ≤ E ⊎ {v : œ | v ∈ A}. The interaction specification monad IE 0 c1, c2 < N . The array can be accessed through the primi- presented in §3 is a version of the free monad which com- tives get and set; the primitives inc1 and inc2 increment the bines the dual nondeterminism of FCD with uninterpreted corresponding counter and return the counter’s old value. effects taken in the signature E. The overlay Lbq features two primitives enq and deq which Finally, an effect signature can also be seen as a particu- respectively add a new element to the queue and remove the larly simple game, in which the proponent chooses a question oldest element. If we attempt to add an element which would m ∈ E and the opponent responds with an answer n ∈ ar(m). overflow the queue’s capacity N , or remove an element from Then the terms induced by the signature are strategies for an empty queue, the result is œ (i.e., the operation aborts). an iterated version of this game. Indeed, the abstract syntax The layer implementation Mbq stores the queue’s elements tree of our example term can directly be read as the strategy: into the array, between the indices given by the counters’ values. This is expressed by the simulation relation R, which 0 readbit 1 explains how overlay states are realized by Mbq in terms of underlay states. The code of Mbq can be interpreted in the print[”Hello”] print[”World”] 1 monad Srb → P (− × Srb), with calls to primitives of Lrb ∗ ∗ replaced by their specifications. We will write Mbq[Lrb] to done done denote the result. Correctness is proved by showing for each operation op ∈ {enq(v), deq(∗) | v ∈ V } the simulation: where we interpret node labels as moves of the system, and ≤ edge labels as moves of the environment. Lbq.op [R → P (= × R)] Mbq[Lrb].op , (1) Refinement-Based Game Semantics for Certified Abstraction Layers LICS ’20, July 8–11, 2020, Saarbrücken, Germany

∗ Lbq Sbq := V

enq : V → 1 Lbq.enq(v)@qì := {∗@qìv | |ìq| < N }

deq : 1 → VLbq.deq(∗)@qì := {v@pì |q ì = vpì}

Mbq R ⊆ Sbq × Srb

Mbq.enq(v) := i ← inc2; set(i,v)q ì R (f , c1, c2) ⇔ (c1 ≤ c2 < N ∧q ì = fc1 ··· fc2−1) ∨

Mbq.deq(∗) := i ← inc1; get(i)(c2 ≤ c1 < N ∧q ì = fc1 ··· fN −1 f0 ··· fc2−1)

N Lrb Srb := V × N × N ′ ′ set : N × V → 1 Lrb.set(i,v)@(f , c1, c2) := {∗@(f , c1, c2) | i < N ∧ f = f [i := v]}

get : N → VLrb.get(i)@(f , c1, c2) := {fi @(f , c1, c2) | i < N } 1 ′ ′ inc1 : → N Lrb.inc1@(f , c1, c2) := {c1@(f , c1, c2) | c1 = (c1 + 1) mod N } 1 ′ ′ inc2 : → N Lrb.inc2@(f , c1, c2) := {c2@(f , c1, c2) | c2 = (c2 + 1) mod N }

Figure 1. A certified abstraction layer Lrb ⊢R Mbq : Lbq implementing a bounded queue of size N using a ring buffer. The left-hand side of the figure shows the signatures of the overlay and underlay interfaces, and the code associated withthelayer. The right-hand side shows primitive specifications and the simulation relation used by the correctness proof. where the relators →, ×, P ≤ are defined by: kind of strategy for the game !E ⊸ F. We use this approach to define a first category of games and strategy specifications f [R → R ] д ⇔ ∀xy · x R y ⇒ f (x) R д(y) 1 2 1 2 Gib , where (Ie ) is the identity morphism for E and the x [R × R ] y ⇔ π (x) R π (y) ∧ π (x) R π (y) ⊑ E e ∈E 1 2 1 1 1 2 2 2 substitution operator is used to define composition. s P ≤(R) t ⇔ ∀x ∈ s · ∃y ∈ t · x R y .

We will write Lrb ⊢R Mbq : Lbq to express that condition (1) 3.2 Plays holds for each operation op in the Lbq layer interface. We first introduce the partially ordered sets of plays which we use to construct the interaction specification monad. 3 The interaction specification monad Since we intend to describe active computations, we use We begin our formal development by defining the interaction odd-length plays which start with system moves, by contrast specification monad, a variant of the free monad on an effect with the more common approach presented in §2.2. signature which incorporates dual nondeterminism. Definition 3.1. The set P¯E (A) of interactions for an effect signature E and a set of values A is defined inductively: 3.1 Overview ¯ Given an effect signature E, we construct a prefix-ordered s ∈ PE (A) ::= v | m | mns , ¯ ( ) set of plays PE A corresponding to the possible interactions where v ∈ A, m ∈ E and n ∈ ar(m). The set P¯E (A) is ordered between a computation with effects in E and its environment, by the prefix relation ⊑ ⊆ P¯E (A) × P¯E (A), defined as the including the computation’s ultimate outcome in A. The smallest relation satisfying: interaction specification monad I (A) is then obtained as the E s ⊑ t free completely distributive completion of the poset P¯E (A). v ⊑ v , m ⊑ m , m ⊑ mnt , . mns ⊑ mnt For each effect e ∈ E, the interaction specification monad e ∈ I ( ( )) has an operation IE E ar e which triggers an instance A play corresponds to a finite observation of an inter- of e and returns its outcome. Given a second effect signature action between the system and the environment. At any m m F, a family (f )m ∈F of computations f ∈ IE (ar(m)) can be point in such an interaction, the system can terminate the used to interpret the effects of F into the signature E. This is interaction with a given value (v), or it can trigger an effect achieved by a substitution operator [f ], which transforms a m ∈ E and wait to be resumed by an answer n ∈ ar(m) of computation x ∈ IF (A) into the computationr x[f ] ∈ IE (A), the environment (mns). A play which concludes before the where each occurrence of an effect m ∈ F in x is replaced by environment answers a query from the system (m) denotes the corresponding computation f m. that no information has been observed after that point. It can Effect signatures are used as simple games, and afamily be refined by a longer observation of an interaction which m (f )m ∈F as described above can be interpreted as a certain begin with the same sequence of questions and answers. LICS ’20, July 8–11, 2020, Saarbrücken, Germany Jérémie Koenig and Zhong Shao

m ∈ I ( ( )) 3.3 Interaction specifications IE E ar m is defined as: We define our monad as the free completely distributive Ä Im := mnn completion of the corresponding poset of plays. E n ∈ar(m) For the sake of conciseness and clarity, we will use the order embedding associated with FCD implicitly, so that an Note that in the play mnn, the first occurrence of n is the element of a poset s ∈ P can also be regarded as an element environment’s answer, whereas the second occurrence is the m of its completion s ∈ FCD(P). Likewise, for a completely value returned by IE . distributive lattice M, we can implicitly promote a monotonic To model effect handling for a signature F, we use a family m function f : P → M to its extension f : FCD(P) → M. of interaction specifications (f )m ∈F to provide an interpre- m These conventions are at work in the following definition. tation f ∈ IE (ar(m)) of each effect m ∈ F in terms of another effect signature E. This allows us to transform an The interaction specification monad for an Definition 3.2. interaction specification x ∈ IF (A) into an interaction speci- effect signature E maps a set A to the free completely dis- fication x[f ] ∈ IE (A), defined as follows. The constructions tributive completion of the corresponding poset of plays: ⊥ and {P} were discussed in §2.1; they carry similar mean- ings in the context of the interaction specification monad. IE (A) := FCD(P¯E (A)) (Interaction substitution) Given the effect An element x ∈ IE (A) is called an interaction specification. Definition 3.4 . The monad’s action on a function f : A → B replaces the signatures E, F and the set A, for an interaction specification m m values in an interaction specification with their image by f : x ∈ IF (A) and a family (f )m ∈F with f ∈ IE (ar(m)), the interaction substitution x[f ] ∈ IE (A) is defined by: IE (f )(v) := f (v) v[f ] := v I (f )(m) := m E m[f ] := r ← f m; ⊥ IE (f )(mns) := mn IE (f )(s) . mns[f ] := r ← f m; {r = n};s[f ] . The monad’s unit ηE : A → I (A) is the embedding of a A E The outcome of the interaction specification is left un- single play consisting only of the given value: changed, but effects are replaced by their interpretation. E ηA(v) := v Whenever that interpretation produces an outcome r, the substitution process resumes with the remainder of any E I (I ( )) → I ( ) Finally, the multiplication µA : E E A E A carries matching plays of the original computation. out the outer computation and sequences it with any com- putation it evaluates to: 3.5 Categorical structure E As presented so far, the interaction specification monad can µA(x) := x be seen as an extension of the refinement calculus able to µE (m) := m A model effectful computations for a given signature. Wenow E E µA(mns) := m ⊔ mnµA(s) . shift our point of view to game semantics and show how interaction substitutions can be used to define a simple cate- E ( ) The most subtle aspect of Def. 3.2 is the case for µA mns , gory of games and strategies featuring dual nondeterminism E which includes m as well as mnµA(s). This is both to ensure and alternating refinement. that the effects of the first computation are preserved when the second computation is ⊥, and to ensure the monotonicity Definition 3.5 (Morphisms). Consider the effect signatures m of the underlying function used to define µE . Consider for E, F and G. We will write f : E → F whenever (f )m ∈F is a A m ¯ E family of interactive computations such that f ∈ IE (ar(m)). example m ⊑ mn⊥ ∈ PE (IE (A)). Since µA(⊥) = ⊥ and the FCD extension of the function s 7→ mns preserves ⊥, it is For f : E → F and д : F → G, we define д ◦ f : E → G as: E m m not the case that m ⊑ mnµA(⊥). (д ◦ f ) = д [f ] . As usual, the Kleisli extension of a function f : A → IE (B) ∗ E The completely distributive lattice structure of IF (−) can is the function f = µB ◦ IE (f ). We extend the notations I be extended pointwise to morphisms, so that for a family used for FCD to the monad E . Ã (fi )i ∈I with fi : E → F, we can define i ∈I fi : E → F and 3.4 Interaction primitives di ∈I fi : E → F. For f ,д : E → F we define refinement as: The operations of an effect signature E can be promoted to f ⊑ д ⇔ ∀m ∈ F · f m ⊑ дm . interaction specifications of IE as follows. A morphism f : E → F can be interpreted as a well- Definition 3.3 (Interaction primitive). For an effect signa- bracketed strategy for the game !E ⊸ F. In this game, the ture E and an operation m ∈ E, the interaction specification environment first plays a move m ∈ F. The system can then Refinement-Based Game Semantics for Certified Abstraction Layers LICS ’20, July 8–11, 2020, Saarbrücken, Germany

Ë ask a series of questions q1,... qk ∈ E to which the environ- Note that for x : X → i ∈I Ei , i ∈ I and m ∈ Ei , we have: ment will reply with answers r ∈ ar(q ), and finally produce i i (π ◦ x)m = πm[x] = (i,m)[x] = x(i,m) an answer n ∈ ar(m) to the environment’s initial question m. i i The plays of !E ⊸ F are restricted to a single top-level ques- Hence, ⟨fi ⟩i ∈I is uniquely defined as: tion m. In addition, the well-bracketing requirement imposes ( , ) ⟨f ⟩ j m := f m . that at any point, only the most recent pending question i i ∈I j may be answered. □ Compared with the usual notion of strategy, our model introduces arbitrary demonic choices and relaxes constraints 3.7 Certified abstraction layers over angelic choices. The definition of д ◦ f given above oth- Certified abstraction layers can be embedded into the cate- ib erwise corresponds to the traditional definition of strategy gory G⊑ as follows. composition. The identity strategy is given by IE : E → E. The signature of a layer interface or implementation can be encoded as an effect signature. For example: Lemma 3.6. Consider the effect signatures E, F,G, H and the morphisms f : E → F, д : F → G and h : G → H. The Ebq := {enq[v] : 1, deq : V | v ∈ V } following properties hold: Erb := {set[i,v]:1, get[i]:V, inc1 :N, inc2 :N |i ∈ N,v ∈ V } IF ◦ f = f ◦ IE = f A layer implementation M with an underlay signature E h ◦ (д ◦ f ) = (h ◦ д) ◦ f and an overlay signature F can then be interpreted as a morphism M : E → F in a straightforward manner, by Composition preserves all extrema on the left, and all non- J K empty extrema on the right. replacing underlay operations used in the definition of M with the corresponding interaction primitives: Proof. Using properties of FCD and inductions on plays. □ m e M := (M.m)[e := IE ]e ∈E Having established the relevant properties, we can now J K In order to handle the layer’s abstract data, define our first category of games and strategies. Interfaces. we can extend signatures with state in the following way: Definition 3.7. The category Gib has effect signatures as ⊑ = { ( ) × | ∈ , ∈ } objects. Morphisms, identities and composition have been E@S : m@k : ar m S m E k S ib defined above. The hom-sets G⊑ (E, F) are completely dis- A layer interface L with a signature E and states in S can be tributive lattices, with composition preserving all extrema interpreted as a morphism L : 1 → E@S almost directly, on the left, and all non-empty extrema on the right. mapping œ to ⊥ in outcomesJ ofK primitive specifications: m@k Ä 3.6 Products L := L.m@k J K Effect signatures can be combined in the following way. Keeping state. For a morphism f : E → F, we construct Definition 3.8. We define the effect signature 1 := œ. For a f @S : E@S → F@S which keeps updating a state k ∈ S as it performs effects in E@S, then adjoins the final state family of effect signatures (Ei )i ∈I , we define: Ì to any answer returned by f . For a set A, we first define E := {(i, e) : ar(e) | i ∈ I, e ∈ E } i i −#− : P¯E (A) × S → IE@S (A × S): i v#k := v@k For example, the signature Eio above is equivalent to the following composite one: m#k := m@k Ä {readbit : 2} ⊗ {print[s] : 1 | s ∈ string} ⊗ {done : œ} mns#k := m@k n@k ′ s#k ′ , ib k′ ∈S The construction ⊗ gives products in the category G⊑ , as demonstrated below. and extend it to morphisms as (f @S)m@k := f m#k. Then in particular, running a layer implementation M : E → F on Theorem 3.9. The category Gib has all products. Objects are ⊑ → J K given by Ë E and projection arrows are given for each top of a layer interface L : 1 E@S yields the morphism i ∈I i J K ∈ M @S ◦ L : 1 → F@S. i I by the morphism: J K J K Ì m Simulation relations. The most interesting aspect of our πi : Ej → Ei πi := (i,m) . j ∈I embedding is the representation of simulation relations. We will see that dual nondeterminism allows us to represent Proof. We need to show that for an effect signature X and a them as regular morphisms. ( ) → collections of morphisms fi i ∈I with fi : X Ei , there is a Recall the definition of the judgment L ⊢ M : L , which ⟨ ⟩ → Ë ∈ 1 R 2 unique fi i ∈I : X i ∈I Ei such that for all i I: means that a layer implementation M correctly implements fi = πi ◦ ⟨fj ⟩j ∈I . L2 on top of L1 through a simulation relation R ⊆ S2 × S1. If LICS ’20, July 8–11, 2020, Saarbrücken, Germany Jérémie Koenig and Zhong Shao

′ we write L1 := M @S1 ◦ L1 for the layer interface obtained meaning that they will behave in the same way in response by interpretingJMKon topJ ofKL1, then: to the same question, regardless of the history of the compu- m ≤ ′ m tation. The model we introduce in this section relaxes this L1 ⊢R M : L2 ⇔ ∀m ∈ E2 · L [R → P (= × R)] L 2 1 constraint, allowing strategies to maintain internal state. ∗ We will use the families of morphisms R : E@S2 → E@S1 b E After outlining the construction of a new category G⊑ of E and R∗ : E@S1 → E@S2 to encode this judgment: games and strategies (§4.2–§4.5), we define an embedding Ä ib b (R∗ )m@k1 := n@k ′ ← Im@k2 ; l n@k ′ of G⊑ into G⊑ (§4.6), and show how the states used by a E 2 E@S2 1 −1 ′ ′ strategy σ : E@S → F@S can be internalized and hidden k2 ∈R (k1) k1 ∈R(k2) Ä from its interactions (§4.7). (RE )m@k2 := l n@k ′ ← Im@k1 ; n@k ′ ∗ 1 E@S1 2 ′ −1 ′ k1 ∈R(k2) k2 ∈R (k1) 4.2 Games They yield two equivalent ways to encode layer correctness To facilitate reasoning, and make it easier to describe opera- as refinement properties. tors on strategies in a systematic way, we describe games as ∗ a specific kind of graph where vertices represent players and In the first case, RE is intended to translate a high-level ′ edges determine which questions can be asked by one player specification σ which uses overlay states k2, k2 ∈ S2 into a ∗ to another. Generalizing from effect signatures, questions low-level specification RE ◦ σ which uses underlay states ′ ∗ are assigned an arity which gives the type of the answer. k1, k1 ∈ S1. The client calls RE with an underlay state k1, with the expectation that if there is any corresponding overlay ∗ Definition 4.1. A game signature Γ is a set of players with state, then RE ◦ σ will behave accordingly (it is angelic with ∗ a distinguished element O, together with an effect signature respect to its choice of k2). On the other hand, RE ◦ σ is free ′ Γ(u,v) for all u,v ∈ Γ. The operations m ∈ Γ(u,v) are called to choose any underlay representation k1 for the outcome ′ the questions of u to v, and the elements n ∈ ar(m) are called k2 produced by σ, and the client must be ready to accept it ′ answers to the question m. (it is demonic with respect to its choice of k1). E In the second case, R∗ ◦ τ is the strongest high-level spec- We depict game signatures as directed graphs whose ver- ification which a low-level component τ implements with tices are the players and whose edges are labeled by the respect to R. For an overlay state k2 ∈ S2, τ may behave corresponding effect signature. Missing edges correspond to in various ways depending on the corresponding underlay the empty signature œ. For example, the game !E ⊸ !F is state k1 ∈ S1 it is invoked with, and so the specification must generated by the game signature: allow them using demonic choice. On the other hand, when ′ E τ returns with a new underlay state k1, the environment is ′ free to choose how to interpret it as an overlay state k2. [E, F] = P O

Theorem 3.10. For σ := L2 and τ := M @S1 ◦ L1 : F J K J K J K R∗ ◦ σ ⊑ τ ⇔ L ⊢ M : L ⇔ σ ⊑ RE2 ◦ τ . E2 1 R 2 ∗ When we consider the ways in which questions propagate through a game signature, the distinguished player O serves Proof. The proof is straightforward but requires Thm. 5.3 the role of both a source and sink. As such, it is visually from Morris and Tyrrell [36]. □ useful to depict O as two nodes, one capturing the incoming 4 Stateful and reentrant strategies edges of O, and one capturing its outgoing edges. For exam- ple, the following game signature generates the interaction We now sketch a more general model allowing strategies sequences used in the definition of strategy composition: to retain state across different activations. We explain how the new model Gb can embed the morphisms of Gib , and E F G ⊑ ⊑ [ ] how it can be used to characterize certified abstraction layers E, F,G = O P1 P2 O independently of the states used in their description. As another example of a game signature, a situation where 4.1 Overview σ1 : E1 → F1 and σ2 : E2 → F2 interact with the environment ib independently of one another can be described as: As discussed in §3.5, the morphisms of G⊑ (E, F) correspond to the well-bracketed strategies for the game !E ⊸ F. As such, they can be promoted to well-bracketed strategies for E1 P1 F1 the more general game !E ⊸ !F, which allows the environ- [E1, F1] ∨ [E2, F2] = O O ment to ask multiple question of F in a row, and to ask nested E2 P2 F2 questions whenever it is in control. More precisely, strategies promoted in this way corre- The signature above will be used to compute tensor products spond to the innocent well-bracketed strategies for !E ⊸ !F, of strategies. These constructions generalize as follows. Refinement-Based Game Semantics for Certified Abstraction Layers LICS ’20, July 8–11, 2020, Saarbrücken, Germany

Definition 4.2 (Constructions on game signatures). For a 4.4 Operations on strategies collection of effect signature (Ei )1≤i ≤n and an effect signa- Definition 4.5. A transformation from the game signature ture F, the game signature [E ,..., E , F] has the players 1 n Γ1 to the game signature Γ2 associates to each player p ∈ Γ1 O, P ,..., P and the following edges: 1 n a player f (p) ∈ Γ2 with f (O) = O, and to each question m ∈ Γ1(u,v) a path of questions in Γ2: E1 E2 En F [ ] P ... P ′ ′ ′ E1,..., En, F := O 1 n O m1 m2 mn f (u) = p0 −−→ p1 −−→· · · −−→ pn = f (v) , For a collection of game signatures (Γi )i ∈I , the wedge sum written as f (m) = m′m′ ···m′ : f (u) ↠ f (v), and such that Ô 1 2 n i ∈I Γi has the players: ′ ′ ar(m1) = ··· = ar(mn) = ar(m). We extend f itself to the paths in Γ1 by taking the image of m1 ···mn : u ↠ v to be: {O} ∪ {(i,p) | i ∈ I ∧ p ∈ Γi \{O}} Ô f (m1 ···mn) := f (m1)··· f (mn) : f (u) ↠ f (v) . For i ∈ I and p ∈ Γi , the corresponding player in j ∈I Γj is: Game signatures and transformations form a category. ( O if p = O ιi (p) := In other words, a transformation is a structure-preserving ( , ) i p otherwise. map on paths. Transformations can be extended to plays.

Then for each question m : u → v in Γi , the wedge sum has Definition 4.6 (Action on plays). A transformation f : a corresponding question ι (m) : ι (u) → ι (v). i i i Γ1 → Γ2 induces a monotonic function P f : P Γ1 → P Γ2 as follows. For m ∈ Γ(u,v) and κ : O ↠ u, the image of the 4.3 Plays and strategies move m : (u, κ) → (v, κm) is the path: The well-bracketing requirement enforces a kind of stack ( ) ( ( ) ( )) ( ( ) ( ) ( )) discipline on the succession of questions and answers. A well- f m : f u , f κ ↠ f v , f κ f m . bracketed play can be interpreted as an activation tree, where For n ∈ ar(m), the image of n : (v, κm) → (u, κ) is the path: questions are understood as function calls and answers are |f (m)| understood as the corresponding calls returning. At any n : (f (v), f (κ)f (m)) ↠ (f (u), f (κ)) , point in a play over a signature Γ, its possible evolutions are where n |f (m)| denotes a sequence nn ··· n of copies of the characterized by the stack of pending questions. answer n ∈ ar(m) of same length as the path f (m). Definition 4.3. For a game signature Γ and a player p ∈ Γ, Operators on strategies will generally be defined by a a p-stack over Γ is a path: game signature of global interaction sequences, and will use

m1 m2 mn transformations to project out the corresponding plays of O = p0 −−→ p1 −−→· · · −−→ pn = p the arguments and the result. where pi ∈ Γ and mi ∈ Γ(pi−1,pi ). We will write this path as Composition. When composing the strategy specifica- ′ ′ κ = m1 ···mn : O ↠ p ∈ Γ. tions σ ∈ S [E, F] and τ ∈ S [F,G] to obtain τ ◦ σ ∈ S [E,G], we will use the transformation ψ c : [E, F,G] → [E,G] to Such stacks can in turn be arranged in a graph Γˆ over X describe the externally observable behavior of interaction which the game associated with Γ will be played. sequences in [E, F,G]: Definition 4.4 (Strategy specifications). For a signature Γ, ψ c (P ) = ψ c (P ) = P ψ c (O) = O ˆ ˆ X 1 X 2 X the graph Γ is defined as follows. The vertices of Γ are pairs ( ( ) ∈ ϵ if m ∈ F u, κ in which u Γ and κ is a u-stack. For each question ψ c (m) = m ∈ Γ(u,v) and stack κ : O ↠ u, there is an edge: X m otherwise ˆ c [ ] m : (u, κ) → (v, κm) ∈ Γ . This can be described concisely as ψX = 1, 0, 1 , with: c In addition, for each answer n ∈ ar(m), there is an edge: ψ1 := [1, 1, 0] : [E, F,G] → [E, F] ψ c := [0, 1, 1] : [E, F,G] → [F,G] n : (v, κm) → (u, κ) ∈ Γˆ . 2 defined similarly. The plays over Γ are paths of type (O, ϵ) ↠ (O, κ) ∈ Γˆ, We can now formulate the composition of strategy speci- ∈ where κ : O ↠ O Γ is a stack. We will write P Γ for the fications as follows. The “footprint” of the plays s1 ∈ P [E, F] poset of plays over Γ under the prefix ordering. The strategy and s2 ∈ P [F,G] can be defined as: specifications for Γ are given by the completion: c Ä c c c ψ (s1, s2) := {ψ1 (s) ⊑ s1 ∧ ψ2 (s) ⊑ s2};ψX (s) . S Γ := FCD(P Γ) . s ∈P[E,F ,G] LICS ’20, July 8–11, 2020, Saarbrücken, Germany Jérémie Koenig and Zhong Shao

ib In other words, the angel chooses a global play s matching 4.6 Embedding G⊑ c s1 and s2 and produces its external view. By extending ψ to ib Since a morphism f ∈ G⊑ (E, F) defined using the interac- strategy specifications in the expected way, we obtain: tion specification monad only describes the behavior ofa τ ◦ σ = s ← σ; t ← τ ;ψ c (s, t) . component for a single opponent question, to construct a b corresponding strategy W f ∈ G⊑(E, F) we must duplicate Identity. The strategy idE ∈ S [E, E] uses the signature: the component’s behavior, compounding the angelic and demonic choices of each copy. κ [E] = E O We proceed as follows. For a stack κ : O ↠ O, the set PΓ contains partial plays of type (O, κ) ↠ (O, κ′) ∈ Γˆ, and for and the transformation: ∈ ¯κq a question q F, the set PΓ contains partial plays of type ′ id (P, κq) ↠ (O, κ ) ∈ Γˆ. We will define an operator: ψX := [2] : [E] → [E, E] κ κ κ id id ω : PΓ → FCD(PΓ ) ψX (O) := O ψX (m) := mm which prepends an arbitrary number of copies of f to a play Then idE is defined as: κ κ ( ) of PΓ . Starting with ω0 t := t, we construct a series of Ä id approximations: idE := ψX (s) . s ∈P[E] κ Ä κq q κ ωi+1(t) := t ⊔ q ω¯i (f , ωi (t)) q ∈F Tensor. The tensor product of the strategies σ1 ∈ S [E1, F1] and σ2 ∈ S [E2, F2] is a strategy σ1 ⊗ σ2 ∈ S [E1 ⊗ E2, F1 ⊗ F2] The auxiliary construction: defined using interaction sequences in Γ = [E , F ] ∨ [E , F ]. 1 1 2 2 κq ¯ ( ( )) × κ → ( ¯κq ) ⊗ → [ ⊗ ⊗ ] ω¯ : PE ar q PΓ FCD PΓ The external projection ψX : Γ E1 E2, F1 F2 is: embeds an interaction s ∈ P¯ (ar(q)), inserting reentrant calls ψ ⊗(O) = O ψ ⊗(P ) = ψ ⊗(P ) = P E X X 1 X 2 as appropriate, and continues with the play t if s terminates: ⊗ ψX (ιi (m)) = ιi (m) κq ω¯i (v, t) = vt The internal projections ψ ⊗ : Γ → [E , F ] are given by: κq κqm i i i ω¯i (m, t) = m ωi (ϵ) ( ¯κq ( , ) = κqm( ¯κq ( , )) P if p = P ωi mns t m ωi n ωi s t ψ ⊗(p) = i i O otherwise The index i limits both the number of sequential and reen- ( trant copies of f which are instantiated. The strategy speci- m if i = j b ⊗ fication associated to f in G⊑ is: ψi (ιj (m)) = ϵ otherwise Ä W f := ωi (ϵ) . The footprint of the plays s1 ∈ P[E1, F1] and s2 ∈ P[E2, F2] is: i ∈N ⊗ Ä ⊗ ⊗ ⊗ 4.7 Hiding state ψ (s1, s2) := {ψ1 (s) ⊑ s1 ∧ ψ2 (s) ⊑ s2};ψX (s) ib b s ∈P Γ The functor W : G⊑ → G⊑ can be used to embed the layer The tensor product can then be defined as: theory defined in §3.7 as-is. In addition, the state of layer interfaces can be propagated across consecutive calls and ⊗ σ1 ⊗ σ2 := s1 ← σ1;s2 ← σ2;ψ (s1, s2) eliminated from the representation. The state-free observation at k ∈ S of a par- 4.5 Category Definition 4.7. 0 ( ) ( ′) [ ] b tial play s : O, κ ↠ O, κ over the signature E@S, F@S The category G⊑ has effect signatures as objects, and has the is written s/k0 and defined recursively as: elements of S [E, F] as morphisms σ : E → F. The categorical structure is defined in the previous section. ϵ/k0 := ϵ The associator, unitor and braiding associated with ⊗ can (m@k1 n@k2 s)/k0 := {k0 = k1};mn(s/k2) be obtained by embedding the corresponding morphisms of ib For σ : E@S → F@S, the strategy σ/k0 : E → F is obtained G⊑ using the process outlined in §4.6 below. Note however ib using the FCD extension of the operator above. that unlike that of G⊑ , the symmetric monoidal structure of ib G⊑ is not cartesian, because the interactions of a strategy When the strategy σ/k0 is first activated, σ is passed the σ : E → F1 ⊗ F2 which involve only one of the games F1 initial state k0. Then, whenever σ makes a move m@k, σ/k0 and F2 are not sufficient to characterize the behavior of σ in removes k from the visible interaction, but remember it in interactions that involve both of them. order to adjoin it to the next incoming move. Refinement-Based Game Semantics for Certified Abstraction Layers LICS ’20, July 8–11, 2020, Saarbrücken, Germany

5 Related work The implementation also has to rely on Coq’s support for Game semantics. Research on game semantics for pro- coinductive types, one of the less commonly well-understood gramming languages can be traced back to the model of lin- features of Coq which requires special proof techniques. ear logic proposed by Blass [13]. The fully abstract models of By contrast, our models are not designed with extraction PCF [2, 27] were an important milestone. Subsequent work in mind, but equivalent strategies become equal under pred- extended the approach to account for a variety of language icate extensionality axioms. This enables the use of simple features including state [3], control [29] and concurrency and efficient rewriting techniques in proof assistants, which [5, 21, 33]. Low-level applications of games have also been is important to maintain usability and performance in the proposed, for instance interface theories and interface au- practical applications we are envisioning. tomata [16–19], and games have been used in the context of Finally, some form of dual nondeterminism and refinement modal logic to model properties of open systems [6,7]. could be modeled in interaction trees by adding choice oper- A model of finite nondeterminism was first proposed in ators in the effect signature. Refinement would be defined Harmer and McCusker [25], with a different approximation as a new kind of simulation taking these choice operations ordering developed in Murawski [37]. For infinite nondeter- into account. However, devising a notion of refinement in- minism however, this model exhibits typical problems. Con- sensitive to branching would be more challenging. sider a process which nondeterministically chooses n ∈ N, then performs a given action n times in a row. Although this 6 Conclusion ∗ computation has no possible infinite executiona ( ), it cannot Game semantics has tremendous potential for the formal be distinguished through its set of finite prefixes from a com- verification of large and complex systems. To deploy game putation which allows the action to be performed an infinite semantics in this context, we have attempted to shift em- ∗ ω number of time (a ∪ a ). This issue is addressed in Tsukada phasis away from the precise characterization of specific and Ong [44] and Castellan et al.[14] by selectively retaining language features, seeking instead to maximize uniformity branching information, but sensitivity to branching makes and expressivity, and to integrate general verification tech- the resulting refinement algebra less agreeable. niques such as stepwise refinement and data abstraction into the game semantics landscape. Dual nondeterminism. On the other hand, the problem This requires a new treatment of nondeterminism in the finds a natural solution in the context of dual nondetermin- context of games, and in particular an account of dual non- ism, where the choice of n is demonic but divergence is determinism is crucial to this task. Compared with trace se- angelic in nature. The algebraic properties of distributive mantics of process calculi, the major distinguishing feature lattices and complete homomorphisms induce our model’s of game semantics is the polarization of moves. This estab- insensitivity to branching, which does not usually impact lishes a boundary between the system and the environment, the observable behavior of components [38, 39]. and is a key ingredient in the construction of compositional Beyond the work discussed in §1[ 10, 11, 20, 35, 36], models models [1]. Likewise, recognizing the distinction and the featuring dual nondeterminism include binary multirelations duality between angelic and demonic nondeterminism is [32, 42] and the trace semantics used in Alur et al.[7]. The crucial to a satisfactory treatment of refinement, especially distinguishing feature of the free completely distributive in the context of games. lattice is that it starts from a poset rather than a set, allowing It is interesting to note, however, that refinement orderings us to use it in the context of game semantics. The model of which bind too closely the polarity of moves with that of non- the process calculus CSP proposed in Tyrrell et al.[45] comes deterministic choices often end up requiring a fair amount closest to the models presented here, but to our knowledge its of sophistication, especially when they are constructed after- relevance to game semantics has not been fully appreciated. the-fact, on top of (or by adapting) an existing model. By contrast, our approach embraces dual nondeterminism to Algebraic effects and free monads. Algebraic effects a maximal extent and from the ground up, in a way that were introduced in Plotkin and Power [40]. An important de- is only loosely coupled with the structural details of plays. velopment was the introduction of effect handlers [41]. Uses While this carries an initial cost in the complexity of the and variants of the free monad on a signature are numerous, strategy model, this is more than offset by the simplicity and but in particular interaction trees [46] share structures and uniformity of the resulting refinement algebra. goals with our interaction specification monad (§3). The implementation of interaction trees in the Coq proof assistant is carefully designed to make them executable and Acknowledgments allow their extraction as ML code. However, to make this We would like to thank anonymous referees for helpful feed- possible, the definition and theory of interaction trees must back that improved this paper significantly. This research handle silent moves, with various notions of simulation and is based on work supported in part by NSF grants 1521523, bisimulation taking them into account in different ways. 1715154, and 1763399. LICS ’20, July 8–11, 2020, Saarbrücken, Germany Jérémie Koenig and Zhong Shao

References [18] Luca de Alfaro and Thomas A. Henzinger. 2001. Interface theories [1] Samson Abramsky. 2010. From CSP to Game Semantics. In Reflections for component-based design. In Embedded Software: First International on the Work of C.A.R. Hoare. Springer, London, 33–45. https://doi.org/ Workshop (EMSOFT 2001). Springer, Berlin, Heidelberg, 148–165. https: 10.1007/978-1-84882-912-1_2 //doi.org/10.1007/3-540-45449-7_11 [2] Samson Abramsky, Radha Jagadeesan, and Pasquale Malacaria. 2000. [19] Luca de Alfaro and Mariëlle Stoelinga. 2004. Interfaces: A game- Full Abstraction for PCF. Inf. Comput. 163, 2 (2000), 409–470. https: theoretic framework for reasoning about component-based systems. //doi.org/10.1006/inco.2000.2930 Electron. Notes Theor. Comput. Sci. 97 (2004), 3–23. https://doi.org/10. [3] Samson Abramsky and Guy McCusker. 1997. Linearity, Sharing and 1016/j.entcs.2004.04.030 State: A Fully Abstract Game Semantics for Idealized Algol with Active [20] Edsger W Dijkstra. 1975. Guarded commands, nondeterminacy, and Expressions. In Algol-like Languages. Birkhäuser, Boston, MA, 297–329. formal derivation of programs. Commun. ACM 18, 8 (Aug. 1975), https://doi.org/10.1007/978-1-4757-3851-3_10 453–457. https://doi.org/10.1145/360933.360975 [4] Samson Abramsky and Guy McCusker. 1999. Game semantics. In [21] Dan R. Ghica and Andrzej S. Murawski. 2004. Angelic Seman- Computational logic: Proceedings of the 1997 Marktoberdorf Summer tics of Fine-Grained Concurrency. In Proceedings of the 7th Interna- School. Springer, Berlin, Heidelberg, 1–55. https://doi.org/10.1007/978- tional Conference on Foundations of Software Science and Computa- 3-642-58622-4_1 tion Structures (FoSSaCS 2004). Springer, Berlin, Heidelberg, 211–225. [5] Samson Abramsky and Paul-André Melliès. 1999. Concurrent Games https://doi.org/10.1007/978-3-540-24727-2_16 and Full Completeness. In Proceedings of the 14th Annual IEEE Sympo- [22] Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, sium on Logic in Computer Science (LICS ’99). IEEE Computer Society, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu USA, 431–442. https://doi.org/10.1109/LICS.1999.782638 Guo. 2015. Deep Specifications and Certified Abstraction Layers. In [6] Rajeev Alur, Thomas A Henzinger, and Orna Kupferman. 2002. Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Alternating-Time Temporal Logic. J. ACM 49, 5 (Sept. 2002), 672– Principles of Programming Languages (POPL ’15). ACM, New York, NY, 713. https://doi.org/10.1145/585265.585270 USA, 595–608. https://doi.org/10.1145/2676726.2676975 [7] Rajeev Alur, Thomas A. Henzinger, Orna Kupferman, and Moshe Y. [23] Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan Wu, Jieung Kim, Vil- Vardi. 1998. Alternating refinement relations. In Proceedings of helm Sjöberg, and David Costanzo. 2016. CertiKOS: An Extensible the 9th International Conference on Concurrency Theory (CONCUR Architecture for Building Certified Concurrent OS Kernels. In Proceed- ’98). Springer, Berlin, Heidelberg, 163–178. https://doi.org/10.1007/ ings of the 12th USENIX Conference on Operating Systems Design and BFb0055622 Implementation (OSDI’16). USENIX Association, Berkeley, CA, USA, [8] Andrew W. Appel. 2011. Verified Software Toolchain. In Proceedings of 653–669. https://dl.acm.org/doi/10.5555/3026877.3026928 the 20th European Symposium on Programming (ESOP 2011). Springer, [24] Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan Newman Wu, Jérémie Berlin, Heidelberg, 1–17. https://doi.org/10.1007/978-3-642-19718-5_1 Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ra- [9] Andrew W Appel, Lennart Beringer, Adam Chlipala, Benjamin C mananandro. 2018. Certified concurrent abstraction layers. In Proceed- Pierce, Zhong Shao, Stephanie Weirich, and Steve Zdancewic. 2017. ings of the 39th ACM SIGPLAN Conference on Programming Language Position paper: the science of deep specification. Phil. Trans. R. Soc. A Design and Implementation (PLDI 2018). ACM, New York, NY, USA, 375, 2104 (2017), 20160331. https://doi.org/10.1098/rsta.2016.0331 646–661. https://doi.org/10.1145/3192366.3192381 [10] Ralph-Johan Back. 1978. On the correctness of refinement steps in [25] Russell Harmer and Guy McCusker. 1999. A fully abstract game seman- program development. Technical Report A-1978-4. Department of tics for finite nondeterminism. In Proceedings of the 14th Annual IEEE Computer Science, University of Helsinky, Helsinki, Finland. Symposium on Logic in Computer Science (LICS ’99). IEEE Computer [11] Ralph-Johan Back and Joakim von Wright. 1998. Refinement Calculus: Society, USA, 422–430. https://doi.org/10.1109/LICS.1999.782637 A Systematic Introduction. Springer, New York. https://doi.org/10. [26] C. A. R. Hoare. 1969. An Axiomatic Basis for Computer Programming. 1007/978-1-4612-1674-2 Commun. ACM 12, 10 (Oct. 1969), 576–580. https://doi.org/10.1145/ [12] John Baez and Mike Stay. 2010. Physics, topology, logic and computa- 363235.363259 tion: a Rosetta Stone. In New structures for physics. Springer, Berlin, [27] J. M. E. Hyland and C.-H. L. Ong. 2000. On Full Abstraction for PCF: I, Heidelberg, 95–172. https://doi.org/10.1007/978-3-642-12821-9_2 II, and III. Inf. Comput. 163, 2 (2000), 285–408. https://doi.org/10.1006/ [13] Andreas Blass. 1992. A game semantics for linear logic. Ann. Pure Appl. inco.2000.2917 Log. 56, 1–3 (1992), 183–220. https://doi.org/10.1016/0168-0072(92) [28] Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, 90073-9 David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal [14] Simon Castellan, Pierre Clairambault, Jonathan Hayman, and Glynn Kolanski, Michael Norrish, et al. 2009. seL4: formal verification of Winskel. 2018. Non-angelic concurrent game semantics. In Proceed- an OS kernel. In Proceedings of the ACM SIGOPS 22nd Symposium on ings of the 21st International Conference on Foundations of Software Operating Systems Principles (SOSP ’09). ACM, New York, NY, USA, Science and Computation Structures (FoSSaCS 2018). Springer, Cham, 207–220. https://doi.org/10.1145/1629575.1629596 Switzerland, 3–19. https://doi.org/10.1007/978-3-319-89366-2_1 [29] James Laird. 1997. Full abstraction for functional languages with [15] Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, M. Frans control. In Proceedings of the 12th Annual IEEE Symposium on Logic Kaashoek, and Nickolai Zeldovich. 2015. Using Crash Hoare logic for in Computer Science (LICS ’97). IEEE Computer Society, USA, 58–67. certifying the FSCQ file system. In Proceedings of the 25th Symposium https://doi.org/10.1109/LICS.1997.614931 on Operating Systems Principles (SOSP ’15). ACM, New York, NY, USA, [30] Xavier Leroy. 2009. Formal Verification of a Realistic Compiler. Com- 18–37. https://doi.org/10.1145/2815400.2815402 mun. ACM 52, 7 (July 2009), 107–115. https://doi.org/10.1145/1538788. [16] Luca de Alfaro. 2003. Game Models for Open Systems. In Verification: 1538814 Theory and Practice: Essays Dedicated to Zohar Manna on the Occasion [31] Xavier Leroy. 2012. Mechanized semantics for compiler verification. In of His 64th Birthday. Springer, Berlin, Heidelberg, 269–289. https: Proceedings of the 10th Asian Symposium on Programming Languages //doi.org/10.1007/978-3-540-39910-0_12 and Systems (APLAS 2012). Springer, Berlin, Heidelberg, 386–388. https: [17] Luca de Alfaro and Thomas A. Henzinger. 2001. Interface automata. //doi.org/10.1007/978-3-642-35182-2_27 SIGSOFT Softw. Eng. Notes 26, 5 (Sept. 2001), 109–120. https://doi.org/ [32] C.E. Martin, S.A. Curtis, and I. Rewitzky. 2007. Modelling angelic and 10.1145/503271.503226 demonic nondeterminism with multirelations. Science of Computer Programming 65, 2 (2007), 140–158. https://doi.org/10.1016/j.scico. Refinement-Based Game Semantics for Certified Abstraction Layers LICS ’20, July 8–11, 2020, Saarbrücken, Germany

2006.01.007 org/10.1109/LICS.2009.12 [33] Paul-André Melliès and Samuel Mimram. 2007. Asynchronous Games: [40] Gordon Plotkin and John Power. 2001. Adequacy for Algebraic Effects. Innocence Without Alternation. In Proceedings of the 18th International In Proceedings of the 4th International Conference on Foundations of Conference on Concurrency Theory (CONCUR 2007). Springer, Berlin, Software Science and Computation Structures (FoSSaCS 2001). Springer, Heidelberg, 395–411. https://doi.org/10.1007/978-3-540-74407-8_27 Berlin, Heidelberg, 1–24. https://doi.org/10.1007/3-540-45315-6_1 [34] Carroll Morgan. 1988. The specification statement. ACM Trans. Pro- [41] Gordon Plotkin and Matija Pretnar. 2009. Handlers of algebraic effects. gram. Lang. Syst. 10, 3 (July 1988), 403–419. https://doi.org/10.1145/ In Proceedings of the 18th European Symposium on Programming (ESOP 44501.44503 2009). Springer, Berlin, Heidelberg, 80–94. https://doi.org/10.1007/978- [35] Joseph M. Morris. 2004. Augmenting Types with Unbounded De- 3-642-00590-9_7 monic and Angelic Nondeterminacy. In Proceedings of the 7th Interna- [42] Ingrid Rewitzky. 2003. Binary multirelations. In Theory and Applica- tional Conference on Mathematics of Program Construction (MPC 2004). tions of Relational Structures as Knowledge Instruments. Springer, Berlin, Springer, Berlin, Heidelberg, 274–288. https://doi.org/10.1007/978-3- Heidelberg, 256–271. https://doi.org/10.1007/978-3-540-24615-2_12 540-27764-4_15 [43] Zhong Shao. 2010. Certified Software. Commun. ACM 53, 12 (Dec. [36] Joseph M Morris and Malcolm Tyrrell. 2008. Dually nondeterministic 2010), 56–66. https://doi.org/10.1145/1859204.1859226 functions. ACM Trans. Program. Lang. Syst. 30, 6 (Oct. 2008), 34. https: [44] Takeshi Tsukada and C.-H. Luke Ong. 2015. Nondeterminism in game //doi.org/10.1145/1391956.1391961 semantics via sheaves. In Proceedings of the 30th Annual ACM/IEEE [37] Andrzej S. Murawski. 2008. Reachability Games and Game Semantics: Symposium on Logic in Computer Science (LICS 2015). IEEE Computer Comparing Nondeterministic Programs. In Proceedings of the 23rd Society, USA, 220–231. https://doi.org/10.1109/LICS.2015.30 Annual IEEE Symposium on Logic in Computer Science (LICS 2008). IEEE [45] Malcolm Tyrrell, Joseph M. Morris, Andrew Butterfield, and Arthur Computer Society, USA, 353–363. https://doi.org/10.1109/LICS.2008.24 Hughes. 2006. A Lattice-Theoretic Model for an Algebra of Communi- [38] Sumit Nain and Moshe Y. Vardi. 2007. Branching vs. Linear Time: Se- cating Sequential Processes. In Proceedings of the Third International mantical Perspective. In Proceedings of the 5th International Symposium Colloquium on Theoretical Aspects of Computing (ICTAC 2006). Springer, on Automated Technology for Verification and Analysis (ATVA 2007). Berlin, Heidelberg, 123–137. https://doi.org/10.1007/11921240_9 Springer, Berlin, Heidelberg, 19–34. https://doi.org/10.1007/978-3- [46] Li-yao Xia, Yannick Zakowski, Paul He, Chung-Kil Hur, Gregory 540-75596-8_4 Malecha, Benjamin C Pierce, and Steve Zdancewic. 2019. Inter- [39] Sumit Nain and Moshe Y Vardi. 2009. Trace semantics is fully abstract. action trees: representing recursive and impure programs in Coq. In Proceedings of the 24th Annual IEEE Symposium on Logic In Computer Proc. ACM Program. Lang. 4, POPL, Article 51 (Dec. 2019), 32 pages. Science (LICS 2009). IEEE Computer Society, USA, 59–68. https://doi. https://doi.org/10.1145/3371119