Syntactic Control of Interference Revisited

Syracuse University SURFACE

College of Engineering and Computer Science - Former Departments, Centers, Institutes and College of Engineering and Computer Science Projects

1995

Peter W. O'Hearn Syracuse University

A. J. Power University of Edinburgh

M. Takeyama University of Edinburgh

R. D. Tennent Queen's University

Follow this and additional works at: https://surface.syr.edu/lcsmith_other

Part of the Programming Languages and Compilers Commons

Recommended Citation O'Hearn, Peter W.; Power, A. J.; Takeyama, M.; and Tennent, R. D., "Syntactic Control of Interference Revisited" (1995). College of Engineering and Computer Science - Former Departments, Centers, Institutes and Projects. 12. https://surface.syr.edu/lcsmith_other/12

This Article is brought to you for free and open access by the College of Engineering and Computer Science at SURFACE. It has been accepted for inclusion in College of Engineering and Computer Science - Former Departments, Centers, Institutes and Projects by an authorized administrator of SURFACE. For more information, please contact [email protected].

OHearn et al

Syntactic Control of Interference Revisited

P W OHearn

Syracuse University Syracuse New York USA

A J Power and M Takeyama

University of Edinburgh Edinburgh Scotland EH JZ

R D Tennent

Queens University Kingston Canada KL N

Dedicated to John C Reynolds in honor of his th birthday

Abstract

In Syntactic Control of Interference POPL J C Reynolds prop oses three

design principles intended to constrain the scop e of imp erative state eects in Algol

like languages The resulting linguistic framework seems to b e a very satisfac

tory way of combining functional and imp erative concepts having the desirable

attributes of both purely functional languages such as pcf and simple imp erative

languages such as the language of while programs

However Reynolds p oints out that the obvious syntax for interference control

has the unfortunate prop erty that reductions do not always preserve typings

Reynolds has subsequently presented a solution to this problem ICALP but

it is fairly complicated and requires intersection typ es in the typ e system Here we

present a much simpler solution which do es not require intersection typ es

We rst describ e a new typ e system inspired in part by linear logic and verify

that reductions preserve typings We then dene a class of bireective mo dels

which provide a categorical analysis of structure underlying the new typing rules

a companion pap er Bireectivity in this volume exp oses wider ramications of

this structure Finally we describ e a concrete mo del for an illustrative programming

language based on the new typ e system this improves on earlier such eorts in that

states are not assumed to b e structured using lo cations

OHearn et al

Contents

Intro duction

Syntax

Passive Uses

The SCIR Typ e System

An Illustrative Programming Language

Examples

Typing and Reduction

Relation and NonRelation to Linear Logic

Semantics

Bireective Mo dels

Interpretation of the Typing Rules

Coherence

Discussion NonBireective Mo dels

A FunctorCategory Mo del

The Category of Worlds

Semantic Category and Basic Functors

NonInterference

Passivity

Interpretation of the Constants

An Alternative Presentation

Concluding Remarks

Intro duction

It has long been known that a variety of anomalies can arise

when a programming language combines assignment with a

suciently powerful procedure mechanism

J C Reynolds

In an imp erative programming language a term C is said to interfere with a

term E if executing or as appropriate assigning to or calling C can aect

the outcome of E For example command x a interferes with expression

x but not vice versa

In purely functional languages there is no interference b etween terms

and it is usually taken for granted that this explains why reasoning

Current address Department of Computer Science Queen Mary and Westeld College

London England E NS This author was supp orted by NSF grant CCR

This author gratefully acknowledges the supp ort of ESPRIT Basic Research Action

Typ es for pro ofs and programs

Current address Department of Computing Science Chalmers University of Technology

Eklandagatan Gteb org Sweden This author was supp orted by an Edinburgh

University Postgraduate Studentship

This author was supp orted by an op erating grant from the Natural Sciences and Engi

neering Research Council of Canada

OHearn et al

ab out purely functional programs is relatively straightforward However for

simple imp erative languages without full pro cedures Hoares logic and

totalcorrectness variants of it are quite satisfactory This suggests that it

is simplistic to attribute the serious diculties that arise in reasoning ab out

programs in conventional pro cedural languages to the presence of interference

J C Reynolds has provided a more rened analysis He argues

that conventional pro cedural languages are problematical primarily b ecause

they p ermit covert interference that is to say interference that is not syn

tactically obvious For example if identiers x and y are aliases denote the

same storage variable then y a interferes with x and this is prob

lematic b ecause the interference is not obvious from insp ecting these phrases

In general alias detection in a conventional higherorder pro cedural language

requires complex interpro cedural dataow analysis of an entire program

Similarly if a pro cedure accesses a nonlo cal variable and the value of that

variable can b e changed b etween calls of the pro cedure then identical calls

of the pro cedure may have dierent eects Covert interference via nonlo cal

variables can also result in subtle bugs in the use of pro cedural parameters

For example supp ose Traverse p applies pro cedural parameter p to every

no de of a data structure and Remove has the eect of deleting the no de to

which it is applied then a call such as Traverse Remove will often fail to

have the eect the programmer intends b ecause removing a no de can interfere

with a traversal

The problem of covert interference also aects language designers For

example programmers exp ect that immediately after assigning a value to a

variable the variable has the value just assigned but this obvious prop erty

fails for socalled bad variables such as the subscripted variable AAi

whose subexpression Ai is interfered with by the array variable A when

Ai i A language designer might want to forbid bad variables syntactically

but covert interference makes this very dicult for example Aj is a bad

variable if j is an alias for Ai Similar diculties arise for a language designer

trying to provide a blo ck expression a command within an expression

without allowing side eects to nonlo cal variables trying to provide secure

features for unions of typ es or trying to allow concurrent comp osition of non

interfering commands

The diculties created by covert interference are esp ecially evident if one

considers reasoning principles For example in sp ecication logic a Hoare

like logic for full Algollike languages the axiom for assignments is

gvV V P fP E g V E fP V g

The consequent is essentially the familiar axiom from but assumption

V P asserts that assignments to variable V do not covertly interfere with

the pre and p ostconditions and assumption gvV asserts that V is a go o d

variable Similarly the Constancy axiom in sp ecication logic diers from

the corresp onding axiom in Hoares logic in that a simple syntactic side con

dition must b e replaced by a noninterference assumption Finally b ecause

of p ossible covert interference pro cedure sp ecications must b e more com

OHearn et al

plex explicit assumptions ab out what pro cedures do not do are required

cf the frame problem in articial intelligence in order to discharge

noninterference assumptions in the context of pro cedure calls All of these

complexities are clearly evident in the examples in

For these reasons many language designers have argued that program

ming languages should b e designed so that it is easy for programmers and

compilers to verify that program phrases do not interfere some early exam

ples are In three general design principles intended to facilitate

verication of noninterference are prop osed

i There should b e no anonymous channels of interference then the prob

lem of verifying that C do esnt interfere with E reduces to showing that

no free identier of C interferes with any free identier of E

ii Distinct identiers should not interfere then if two sets of identiers are

disjoint they are guaranteed not to interfere

iii Some typ es of phrases such as side eectfree expressions are passive

do not interfere with anything and so the disjointness requirement can

b e relaxed to allow sharing of identiers used only passively

In summary to verify in this setting that C do es not interfere with E it is

sucient to ensure that no actively o ccurring free identier of C is also free

in E

But of course the programming language must b e designed so that there

are no anonymous channels of interference and in every context distinct iden

tiers do not interfere The rst requirement is straightforward but to achieve

the second it is prop osed that the following basic constraint b e imp osed on

pro cedure calls P A the pro cedure part P and the argument part A should

b e mutually noninterfering and similarly for dened language constructs

such as lo cal denitions that have implicit pro cedure calls Note the elegant

circularity of the approach the syntactic restriction ensures that distinct iden

tiers do not interfere and this prop erty makes it feasible to implement the

restriction using the syntactic criterion describ ed in the preceding paragraph

The syntax of an Algollike programming language designed according to

these principles is describ ed in This design is extremely successful in

most resp ects combining the desirable attributes of both purely functional

languages such as pcf and simple imp erative languages such as the lan

guage of while programs however a problem in the treatment of passivity

is noted In the approach used to incorp orate the third principle allowing

sharing of passive identiers the syntax is such that the subjectreduction

prop erty fails ie reductions may fail to preserve typing Reynolds subse

quently presented a solution to this problem in but it is fairly complicated

and requires intersection typ es in the typ e system We feel that the meth

o ds of interference control should b e applicable relatively indep endently of the

sp ecics of intersection typ es which of course have substantial other merits

In this work we present a very simple and intuitive alternative solution to

the problem of passive uses Our solution do es not require intersection typ es

allowing interference control to b e investigated without unnecessary syntactic

OHearn et al

or semantic complexity Also it would b e conceivable to apply these metho ds

in contexts such as MLlike or Haskelllike languages where the addition of

intersection typ es would b e far from trivial

The typ e system presented here was actually worked out by the rst author

in but lay dormant for a numb er of years b ecause it contained features

for which no satisfactory semantic explanation was known More precisely at

that time it would have b een straightforward to formulate a typ e soundness

theorem based on an op erational semantics or a simple denotational mo del

with an adequacy theorem that correctly predicted b ehaviour of complete

programs The p erceived diculty however was not whether some mo del

existed but rather that the typing rules for passivity exhibited intricate inter

actions which in the absence of a semantic analysis deep er than that provided

by adequacy or typ e soundness app eared discomfortingly ad hoc In particu

lar the typ e system hinges on a treatment of passively o ccuring identiers

ie identiers p ossibly of active typ e that in some contexts are only used

passively This treatment is subtle but crucial for treating typ es that com

bine passivity and activity such as typ es for storage variables or pro ducts of

passive and active typ es

So a central role is played in this pap er by a semantic analysis of passivity

couched in terms of a new categorical concept of bireectivity The bireective

semantics exp oses structural prop erties underlying our typ etheoretic treat

ment where the typing rules for passivity corresp ond to certain adjunctions

This provides a measure of relief for our previous fears of the p otential ad hoc

nature of the typing rules further supp ort is provided by a companion pap er

Bireectivity in this volume which intro duces bireective sub categories and

studies their mathematical prop erties

To ground this analysis we describ e a concrete mo del in which a sub cate

gory of passive ob jects is built using semantic entities that in a precise sense

can read from but not write to the computer store The mo del improves on

earlier eorts in that states are not assumed to b e structured using

lo cations As a result we obtain a much cleaner mo del in which the dis

jointness of identiers is clearly visible Distinct identiers get asso ciated

with separate statesets and the sharing of passivelyused state is explained

through semantic contraction mappings

We are grateful to Uday Reddy for numerous discussions that inuenced

the content and presentation of this pap er In fact the revival of the typ e

system came ab out originally as a result of his mo del of passivity in follow

up corresp ondence in which he p ointed out that our rules of Passication and

Activation corresp onded to a monad structure in his mo del and his challenge

to lo ok for similar structure in Tennents mo del of sp ecication logic This

challenge led to the identication of bireective category structure which it

nally turns out is subtly dierent from the structure in Reddys mo del see

Section A crucial step forward in this development was the utilization

of Days tensor pro duct construction the relevance of which was suggested by

Andy Pitts

A preliminary version of this pap er app eared in

OHearn et al

Syntax

Passive Uses

The treatment of passivity in is based on designating certain phrase typ es

such as state reader expression typ es as b eing passive and then for any

phrase R determining

the set of identiers which have at least one free o ccurrence in R which is

outside of any subphrase of passive typ e

These are considered to b e the actively occurring free identiers of R Unfor

tunately this denition b eing contextindep endent cannot take account of

the fact that when R itself o ccurs within a passive phrase none of its free

identiers can b e used actively This means that the syntactic constraints on

pro cedure calls are unnecessarily restrictive which results in anomalies when

typ es combine passive and nonpassive capabilities

For example a storage variable is used passively when it is read from as

on the righthand side of an assignment statement and actively when it is

assigned to Supp ose that identiers x and w are of typ e var ie they

are valued variable identiers with a data typ e such as int or b o ol and

consider the following command

z x y w z w

where typings of the form indicate that is a valued expression identier

Although w o ccurs in b oth the pro cedure and argument parts of the outer

call the phrase is legal b ecause b oth o ccurrences are in expressions and hence

regarded as passive However the command reduces to

x y w w

in which the righthand side is il legal according to Reynoldss treatment b e

cause variable identier w is deemed to o ccur actively in the pro cedure which

has typ e var and also o ccurs in the argument But the pro cedure

call is actually an expression and so there cannot b e any interference via w

indeed the assignment reduces to the legal x w

It can b e argued that the anomaly in this example could b e avoided if

dereferencing co ercions were explicit however more complex examples as

in show that the problem is a fundamental one An example of this

kind from loc cit will b e discussed in Section The problem arises essen

tially b ecause the contextindep endent notion of active o ccurrence cannot b e

sensitive to situations in which the context ensures passive use of p otentially

nonpassive entities To avoid the anomalies it is necessary to consider when

identiers o ccur actively in instances of phrases taking context into account

The SCIR Type System

The phrase typ es are built from certain primitive typ es hprimi as follows

0 0 0 0

hprimi j j j j

OHearn et al

A subset hprim i of the primitive typ es is singled out as passive and this

generates the passive typ es as follows

0 0 0

hprim i j j j j

There are two pro ducts for which the comp onents can interfere and

for which the comp onents must b e noninterfering There are also two

exp onentials which is the typ e of ordinary pro cedures which cannot

interfere with or b e interfered with by their arguments and which

is the typ e of passive pro cedures A passive pro cedure do es not assign to any

global variables though a cal l of a passive pro cedure may b e active if the

argument of the call is

We prop ose a syntax based on typing judgements j P in which the

usual typing context on the left of the turnstile is partitioned into a passive

zone and an active zone No identier can b e in b oth the passive and

the active zones Intuitively if an identier is in the passive zone it can only

b e used passively even if the typ e of the identier is nonpassive The typing

rules will b e arranged so that when a phrase under a typ e assignment is placed

in a context that context must prevent identiers in the passive zone from

b eing used actively

This use of zones is reminiscent of Girards LU with the passiveactive

distinction here b eing similar to the classicallinear distinction there however

the permeability rules that govern movement across the zone separator j do

not app ear in LU nor as far as we are aware in other previous systems These

rules are the most distinctive asp ect of the treatment of passivity here See

Section for further discussion

The rules concerning identiers and contexts are in Table Identiers

are initially intro duced in the active zone but may change zones with the

help of the p ermeability rules of Passication and Activation Movement

to the passive zone is accomplished using Passication when the phrase on

the righthand side of the turnstile is of passive typ e This is the only way

that an identier can move to the passive zone On the other hand a passive

identier can always b e activated using the Activation rule Notice that

is unrestricted in the Passication rule and that the changeofzone is not

accompanied by a changeoftyp e for the assumption this is a key dierence

from the otherwise similar use of zones in LU

Weakening and Exchange can b e used in either zone When typ e assign

ments are concatenated as in the Weakening rule we implicitly assume that

e e

the domains are disjoint and are p ermutations of and resp ectively

Contraction can only b e used in the passive zone This is the essential

restriction that implements the requirement that distinct identiers do not

interfere We are using the notation P Q to denote the result of

substituting Q for free o ccurrences of in P

This fabricated word seems more attractive as a name for this rule than alternatives such

as Passivation or Deactivation

OHearn et al

Table Identity and Structural Rules

Identity

Axiom

Structure

j P

Activation

Passication

j P j P

j P

Exchange

Weakening

0 0

e e

j P j P

0 0

j P

Contraction

0 0

j P

Rules for the typ e constructors are given in Table Note that the ac

tive zone in rule I is empty Also note that the typ e assignments for

the pro cedure and the argument parts of pro cedure calls rule E must b e

disjoint however Contraction allows sharing of identiers from the passive

zone Similar remarks apply to the intro duction rule for

In the preliminary version of this pap er we used a rule for elimination

based on pro jections

j P

E i

j P

This rule was used on the grounds that pro jections are denable in the presence

of Weakening and the erroneous remark was made that the two forms of

elimination would thus b e equivalent

The formulation with pro jections has two problems First it is not p ossible

in general to unpack a term of typ e into noninterfering comp onents

Second it is not p ossible to mimic the isomorphism taking f to

x let x y b e z in f xy

These remarks do not invalidate any of the technical results in however

we now regard the formulation using pro jections as a languagedesign mistake

OHearn et al

Table Rules for Typ e Constructors

j P j P j Q

E i

j hP Qi j P

i i

0 0

j P j Q

0 0

j P Q j let b e P in Q

0 0

j P

j P j Q

0 0

j P j P Q

0 0

j Q j Q

I E

P P

0 0

j promote Q j derelict Q

An Il lustrative Programming Language

An illustrative Algollike programming language is obtained by cho osing ap

propriate primitive typ es and constants We use a typ e comm of commands

and typ es for valued expressions

hprimi j comm

where ranges over say int and b o ol The only passive primitive typ es are

the expression typ es

The typ e var of valued variables abbreviates comm Deref

erencing is implemented by the second pro jection in examples we will sup

press explicit mention of this pro jection and assume a rule

j V var

Dereferencing

j V

We can consider constants representing various imp erative constructs such as

var comm assignment

comm comm comm sequential comp osition

jj comm comm comm parallel comp osition

if b o ol conditional

Y recursion

new var comm comm lo cal allo cation

do var comm blo ck expression

OHearn et al

The blo ckexpression form requires some explanation the call do p is eval

uated by allo cating a new lo cal variable and applying p to it as with the ordi

nary command blo ck new p but then returning the nal value of the lo cal

variable as the value of the expression The passivity of p var comm

ensures that the blo ck expression do es not interfere with nonlo cal variables

and so no snapback eect is needed to restore their original values

Examples

We illustrate the op eration of the rules by presenting derivations of some

typing judgements

Consider rst the unreduced example discussed in Section The

assignment can b e typ ed as follows

j w var w var

Weakening

j w var y w var

j w var y w var j z z

j w var z y w z var

Dereferencing

j w var z y w z

Passication

j x var x var w var j z y w z

w var j x var z x y w z comm

where the last step abbreviates use of the constant I E and Weaken

ing Note that after Dereferencing of the righthand side w can b e moved to

the passive zone The typing is then completed as follows using a Contraction

0 0

j w var w var

0 0

w var j x var z x y w z comm j w var w

I Pass

0 0

w var j x var z x y w z comm w var j w

0 0

w w var j x var z x y w z w comm

Contraction

w var j x var z x y w z w comm

The following shows how to derive a typing for the righthand side of the

illegal assignment in Section

j w var w var

Weak

0 0

j w var w var j w var y w var

Dereferencing

0 0

j w var y w var j w var w

0 0

var y w w var j w w

Dereferencing

0 0

j w w var y w w

Passication

0 0

w w var j y w w

Contraction

w var j y w w

Activation

j w var y w w

Even though the typ es of w and w are active Contraction can b e applied

when they are in the passive zone but Dereferencing must b e used b efore

these identiers can b e passied The assignment can then b e typ ed as usual

j w var y var w w j x var x var

j x w var x y var w w comm

OHearn et al

The next example demonstrates that an identier can b e used b oth ac

tively and passively The following derivation involves shared passive use of a

variable identier x

j x var x var

j x var x

Pass

j y var y var x var j x

0 0

x var j y var y x comm x var j z var z x comm

0 0

x x var j y z var y x jj z x comm

Contraction

x var j y z var y x jj z x comm

Activation

j x y z var y x jj z x comm

where the derivation for z x is similar to that for y x and the step for

k uses the intro duction rule for followed by the elimination rule for with

the constant k This can then b e combined with nonpassive use of x as in

the following derivation

j x y z var y x jj z x comm j w x var x w comm

j w x y z var x w y x jj z x comm

We now consider the problematic example from p Supp ose

n y varint then the parallel command in

D E

n n k y hn n i

is illegal in the treatment of b ecause n is used on b oth sides of k However

the entire term is of typ e int and so these uses should b e regarded as passive

To typ e this in our system we can pro ceed as follows

0 0 0

j n n y var int hn n k y hn n ii int

0 0

Passication

0 0 0

n n var int j y var int hn n k y hn n ii int

0 0

Contraction

n varint j y varint hn n k y hn n ii int

0 0

Activation

j n y varint hn n k y hn n ii int

0 0

The rst line can b e typ ed straightforwardly b ecause the identiers on either

side of k are distinct

Notice that the subterm n k y hn n i do es not itself have

any typing in the SCIR typ e system But it can nevertheless app ear in a larger

term b ecause Contraction can b e applied when a subterm with o ccurrences

of n remaned apart app ears within a passive phrase This subtle interaction

of Contraction and Passication is what allows the sub ject reduction prob

lems from to b e solved An equivalent typ e system that do es not use

Contraction explicitly can b e formulated but replaces this subtle interaction

by explicitly accounting for the semiwelltyp ed status of phrases such as

n k y hn n i or more simply x x y y

Finally it is natural to ask ab out the relationship b etween the SCIR treat

ment of passivity in the SCI treatment in

We have argued that a merit of our approach is that it shows that subtyp es

are not necessary for the treatment of passivity But a comp ensating merit of

OHearn et al

Table reductions

hP Qi P hP Qi Q

let b e P Q in M M P Q

P Q P Q derelictpromote Q Q

P Q

for termwithhole C

C P C Q

SCI is that it can typ echeck programs that SCIR cannot One example is

c comm c comm c comm hc c i k hc c i

comm comm comm comm

In SCIR this program is not typable b ecause the active identier c app ears in

b oth arms of the parallel comp osition and b ecause there are no passive phrases

to allow use of the rule of Passication But in SCI pro ducts are represented

as records with named alternatives and a forgettingelds conversion can b e

applied which in eect assigns a passive unit typ e to c this is reasonable

as c is never used

It can b e argued that this p oints to an incompleteness in the SCIR typ e

system b ecause c is used passively in the example A counterargument is

that the example has not so much to do with passive use but with the ability

of subtyping to account for some circumstances when parts of a record are not

used at all We wonder if there is a precise relationship b etween SCI and a

version as yet unformulated of SCIR with conjunctive typ es

These details aside we would like to emphasize that the central asp ects

of syntactic control of interference including passivity were already identied

in and we regard the typ e theoretic solution presented in this pap er as a

further development and analysis of ideas present there

Typing and Reduction

The principal reductions for the SCIR typ e system are in Table A com

prehensive treatment would require commuting conversions for which

are omitted here

Theorem Sub ject Reduction If j P and P Q then

j Q 2

OHearn et al

Typing is also preserved by various laws

To prove this result we will concentrate on the reduction from xP Q to

P Q The pro ofs for let is similar pro jections and PromotionDereliction

elimination are easier and the extension to subterms via the rule for C is

not dicult We need two lemmas

0 0 0

Lemma If j P then j P

Pro of We have assumed without loss of generality that is not in or

The result clearly holds if the last step of the derivation for P is an

instance of I and is preserved by any structural rules that might b e used

after I 2

Next is a generalized form of the Cut rule

Lemma If j P and for al l

n n n n m m

i m j Q then

i i i i

j P Q Q

m n n m m m

Pro of The pro of is by induction on the size of the derivation for P We

discuss only the key cases of structural rules that make use of the separation

of a typ e assignment into zones

Case Contraction the last step is

j P

n n n n n m m

j P

n n n n m m

where P P By the induction hyp othesis

m n n m

P Q Q Q

m m

where j Q is a variant of j Q with fresh identiers not

n n n n n

app earing in any or Then and b eing in the passive zone can b e

i i

contracted to and resp ectively using Contractions and Exchanges

n n

and the resulting judgement is the desired conclusion

Case Activation The last rule is

j P

n n n n m m

j P

n n n n m m

By the induction hyp othesis

j P Q Q

m n n m m m

Using a numb er of applications of Activation we can move to the right

of j obtaining the desired conclusion

j P Q Q

m n n m m m

Case Passication The last rule is

j P

n n n n m m

j P

n n n n m m

OHearn et al

By the induction hyp othesis

j P Q Q

m n n m m m

Because is passive as Passication was the last rule we can use Passica

tion a numb er of times to move to the left of j and we obtain the desired

conclusion 2

We can now prove the following desired result if j P Q

then j P Q For the pro of rst note that if a derivation ends

in an application M N then there are only a numb er of p ossibilities for the

last rule These are E and the structural rules of Contraction Exchange

Weakening Passication and Activation Further the structure of such a

derivation must always consist at the end of an instance of E followed by

a numb er of applications of these other rules The pro of go es by induction on

the size of this last part of the derivation after the nal elimination rule

The basis case when the last rule is of the form

0 0 0 0 0

j P j Q

0 0 0

j P Q

follows directly from the two lemmas taking

to b e

n n

to b e

n n m m

to b e

m m

j Q to b e j i m

i i i i i i i i

0 0 0

j Q to b e j Q

m m m m

The inductive steps of the pro of of the theorem consist of straightforward

verications that the preservation of typing by a reduction is preserved by

any use of structural rules 2

Relation and NonRelation to Linear Logic

The SCIR typ e system was inspired by linear logic sp ecically in the fo cus

on a restricted use of Contraction The sp ecic presentation based on zones

was inuenced by LU but the basic typ e system was worked out in May

prior to seeing LU Previously the syntax worked by marking identiers

in typing contexts as b eing passively used with Passication and Activation

manipulating the marks the zones are a notational variant of this This was

similar to the marking in except that marking of identiers was done

without changing typ es

In linear logic Contraction and Weakening are allowed only for typ es of

the form A whereas in SCIR Contraction is allowed only for passivelyused

identiers in the passive zone Furthermore the Dereliction and Promotion

OHearn et al

rules for the passive typ e constructor are obviously inspired by the corre

sp onding linear logic rules for the mo dality though they have precursors

in Reynoldss original presentation of SCI These facts supp orted by

semantic mo dels were the basis for the analogy of passivity as and SCI as

ane linear logic prop osed in It was known then that the passivity

analogy was not an exact corresp ondence and that there were some prop erties

of passivity not accounted for by

For example it would have b een p ossible in principle to use a linear

logicbased typ e system to design an alternate typ e system for SCI satisfying

the sub ject reduction prop erty But if we had followed up the passivity

analogy the most obvious candidate syntax would have had a form of b ox

ing For example the Promotion rule for passive pro cedures would b e

something like cf

x A x A j Q j E A

n n i i i

j promote E E for x x in Q

n n n P

While this syntax is p erhaps appropriate for in linear logic it seems overly

heavy with no conceivable justication from the p oint of view of interference

control

More imp ortantly the concept of passivity involves a notion of passive use

which has additional prop erties b eyond those for These extra prop erties

are emb o died syntactically in the rules of Passication and Activation which

have the side b enet of allowing us to avoid these syntactic complications

retaining a relatively simple syntax p ossessing the sub ject reduction prop erty

Compare the implicit syntax mentioned ab ove with that just given for Pro

motion These two rules do not corresp ond to any rules in linear logic or

LU this dierence will b e seen again when we consider categorical mo dels of

the SCIR typ e system

Semantics

The p ermeability rules of Passication and Activitation can exhibit subtle

b ehaviour as we saw in Section To understand this b ehaviour it is

b enecial to have an analysis that exp oses their essential structure in more

abstract terms To this end in this section we dene a class of categorical

mo dels of the SCIR typ e system We do not attempt to formulate a most

general p ossible notion of mo del Rather we fo cus on a particularly cohesive

class which we term bireective mo dels that are sucient to secure our ba

sic aim of showing a sound interpretation which accounts for the p ermeability

rules

A concrete mo del for the programming language of Section will b e

presented in Section

OHearn et al

Bireective Models

As usual the typ es and terms of the language are to b e interpreted as ob jects

and morphisms resp ectively of an appropriate semantic category C We re

quire rst that C come equipp ed with a symmetric monoidal closed structure

I and nite pro ducts This enables us to interpret the noninterfering

pro duct the interfering pro duct and function typ es in standard ways For

example the closed structure will provide application maps

B A B app A B A

for all ob jects A and B and for every map f A B C a curried map

f A B C

satisfying appropriate and laws

Typing contexts to the left of in any syntax judgement will b e

interpreted as pro ducts built using

n n n

To interpret the Weakening rule the tensor pro duct must allow for

projection maps A B A and A B B We therefore require

the unit I for b e a terminal ob ject of C then is id where

A B B

is the unique map from B to and A A is the unity isomorphism

and similarly for

To treat passivity we b egin by assuming a full sub category P of C to b e

thought of as the sub category of passive ob jects The typing context in the

passive zone will b e interpreted as a passive ob ject Thus every judgement

j P will b e interpreted by a map

where S is an ob ject of P and and are ob jects of C To treat b oth

Contraction and Weakening in the passive zone we simply require that b e a

categorical pro duct in P The interactions of p ermeability rules and rules for

the passive function typ e are accounted for by making a further assumption

on P

Denition Bireective Sub category A bireective subcategory of a

category C is a full sub category P of C with inclusion J P C that has left

and right adjoints equal say S C P with the comp osite

JSA A JSA

b eing the identity where is the unit of the adjunction S a J and is the

counit of J a S

This denition is from where its categorical prop erties are studied Our

main concern here is to explain its connection to the SCIR typ e system

The adjunction S a J is used to interpret the p ermeability rules of Pas

sication and Activation For Passication consider rst the sp ecial case in

which there is only one identier in the active zone and none in the passive

zone

OHearn et al

j M

The adjunction determines a transformation of maps

f A JP

passify f SA P

where P is any ob ject of P and A is an arbitrary Cob ject This interprets

the indicated instance of the rule and unit of the left adjunction gives us a

natural family of maps A SA to interpret an instance

j M

of the Activation rule by precomp osition

f SA B

f A B

Instances of these rules involving more than one contextual identier can b e

dealt with by assuming that S b e a strong monoidal functor ie that it

SA SB preserves tensor pro ducts up to coherent isomorphism S A B

and S

The right adjunction J a S is utilized in the treatment of Clearly

we would like to b ehave like a function typ e But as evidenced by the

intro duction rule I these functions are sub ject to constraints ensuring the

B passive use of free identiers within them If we set A B S A

then using J a S this determines an adjunction

JP A B

P A B

where P is a passive ob ject That is A P C is left adjoint to

S A for all Cob jects A Thus we have an interpretation of

that takes into account b oth passive use and functional prop erties such as

and

The further requirement of bireectivitythe coincidence of the left and

right adjoints to J and the coherence conditionimplies certain equations

relating the left and right adjunctions First as the analysis in shows

bireectivity implies that the transformation of maps f passify f asso

ciated with the left adjunction S a J can b e calculated using the counit

SA A where SA JSA of the right adjunction J a S

passify f f

where f A P Similarly the transformation asso ciated with the right

adjunction

g P A

promote g P SA

OHearn et al

can b e calculated using the unit A SA where SA JSA of the left

adjunction

promote g g

The simplifying eect of these equations is dramatic

For instance in it is emphasized that naturality requirements lead to

a syntactic treatment of promotion rules such as I that involve binding

much like the rule discussed in Section But by interpreting I using

comp osition on the right as in equation all necessary naturality require

ments are met by the simpler form of syntax rule that we use Similarly the

interpretation of the Passication rule can now b e given simply by comp os

ing on the left as indicated by This will b e a great aid in establishing

the connection b etween mo del and syntax as given by the coherence theorem

b elow

Denition Bireective Mo del A bireective model of SCIR is given

by the following data

i a symmetric monoidal closed category C with nite pro ducts

and

ii a bireective sub category J P C in which is a nitepro duct

structure and the bireector S C P is a strong symmetric monoidal

functor for which S a J a S are monoidal adjunctions

Note that since we have required that b e a cartesian pro duct structure

in the full sub category P the category P is monoidal and the inclusion J is

a strong monoidal functor with comparison morphisms JP JQ J P

Q and J b eing identities An adjunction is monoidal when certain

equations hold involving the units and counits and the comparison morphisms

SA SB S A B and S Monoidal functors and adjunctions

are useful for treating rules involving typing contexts

The conditions that S b e strong monoidal and that S a J and J a S b e

monoidal adjunctions are equivalent to the condition that for A and B in C

A B

A B JS A B

A B

JSA JSB A B

0 0

A B

commutes where is the unit of S a J and is the counit of J a S

To simplify the presentation we assume that the counit of S a J is the

identity and identify P with JP in C Then the isomorphism m SA

SB S A B asso ciated with the strong monoidal functor S can b e written

0 0

A B

SA SB A B S A B

with inverse and m S is

A B

Notice that the units of the monoidal and cartesian structures coincide

The adjunction J a S determines a comonad on C and this is the asp ect of

OHearn et al

passivity that is similar but not identical to from linear logic The left

adjoint to J determines additional structure that of a monad

P for al l passive P and hence S is idempotent Prop osition SP

Pro of Standard for reective sub categories see 2

Prop osition

i P is Cartesian closed

P Q when P and Q are Pobjects ii P Q

iii P is an exponential ideal of C ie A P lies in P up to isomor

phism when P is a Pobject and A is any Cobject 2

Part of the prop osition corresp onds to the following intuition the passive

fragment of SCIR has no interference constraints and so a mo del of this frag

ment should b e a mo del of the full typ ed calculus Parts and corresp ond

to the syntactic classication of passive typ es For instance typ es of the form

and are isomorphic so that the two exp onentials coincide for

passive result typ es

The adjunction S a J could b e used to show that passifying all variables

is bijective but we also want to passify one variable at a time That passifying

one variable is bijective is the content of the following

Lemma There is a bijection

f JQ A B JP

id id f JQ JSA C JP

where P and Q are passive objects

Pro of Immediate from prop erties of monoidal functors and adjunctions or

it can also b e proven directly using the fact that P is an exp onential ideal

Example This is essentially from and is related to the functor

category mo del given later which is based on

Let N b e the category with a single ob ject and where the morphisms

are natural numb ers together with an extra numb er The comp osition m n

is the minimum of m and n with m m m The functor category

Sets is a mo del of SCIR

The category P of passive ob jects is the sub category of constant functors

where each morphism in N gets mapp ed to an identity Functor S Sets P

is given by S A fAa j a Ag and SAma S a The functors

SA are constant b ecause Given a map f A P the corresp onding

0 0

map f SA P is given by f a f Aa The adjunction J a S is

given by comp osing with the inclusion SA A

To give some intuition consider a lo cations functor Lo c N Sets

Lo c is the set of natural numb ers together with an extra element For

natural numb ers n and m Lo cnm m if m n and otherwise and

Lo cm m One may think of function Lo cn as disallowing access

OHearn et al

to lo cations greater than or equal to n by mapping these lo cations to

S Lo c has only one element

In this category we can b egin to see a glimpse of semantic structure re

lated to side eects But the category P do es not quite match computational

intuitions concerning passivity It consists of constant functors which are

eectively stateless State will b e b etter treated in Section by adopting a

category of worlds with multiple ob jects to account for lo cal state to use in

place of N

Interpretation of the Typing Rules

In this section we explain how typing rules are interpreted in any bireective

mo del of SCIR Each of the primitive typ es is interpreted as an ob ject

of C with passive primitive typ es interpreted as ob jects of subcategory P

This then determines interpretations of nonprimitive typ es as follows

0 0 0 0

It is clear that each syntactically passive typ e is interpreted as an ob ject in P

or an ob ject isomorphic to an ob ject in P

Each typing judgement j P is interpreted as a morphism from

S to where for any typing context

n n

n n n

and where by S we mean explicitly

S S S

n n n

SA SB in the pre In eect we are bypassing the isomorphism S A B

sentation and we are glossing over asso ciativity and unity isomorphisms We

are most concerned with an analysis of the rules of Passication Activation

and Contraction and so will concentrate for the most part on these

The interpretation go es by induction on derivations so we are assigning a

meaning to each proof of a typing judgement

The Axiom and the structural rules of Weakening and Exchange are treated

in the standard way using identities id weakenings and

symmetries A B B A resp ectively

For Activation supp ose f S then we dene the

desired map from S to as the following comp osite

S S

id id

where A passify id is the unit of the adjunction S a J

For Passication supp ose f S The interpretation is

OHearn et al

id id

S S

where is the counit of J a S This interpretation is p ossible b ecause of

equation

0 0

For Contraction supp ose f S then we dene

the desired map from S to as follows

S S S

id duplicate S id

S S

Here duplicate is the diagonal map for the cartesian structure in P

For rule I supp ose that f S then the desired map

f S

where f is the currying of f as discussed in Section For rule E

0 0

supp ose f S and f S then

the desired map is

f f

0 0

S S

app

S S

where app is the application map discussed in Section and is the evident

isomorphism

then the desired map is For rule I supp ose f S

where A A SA This interpretation utilizes equation

For rule E supp ose f S S then the desired

map is

OHearn et al

S S

0 0

where A SA A is the counit of J a S denable as promote id

The remaining rules for tensor and categorical pro ducts can b e treated

in an obvious way Each constant is interpreted by a map out of the terminal

ob ject

Coherence

Notice that the presence of structural rules in the typ e system allows for mul

tiple pro ofs of a typing judgement and it is imp ortant to show that this do es

not lead to semantic ambiguity In this section we verify that the semantics

is in fact coherent ie all pro ofs of any syntax judgement have the same

interpretation

Theorem Coherence Let and be proofs of j P then

The pro of o ccupies the remainder of this section It will b e convenient to

have a notation for certain comp osite pro ofs Supp ose is a pro of of a

judgement j Q and that we can extend by applications of

only the structural rules of Contraction Exchange Weakening Activation

0 0 0 0

and Passication to obtain a pro of of j Q We write for the

comp osite pro of and call a structural extension of

Notice that b ecause all structural rules are interpreted by comp osing on

0 0 0 0

the left the denotation of any pro of of j P can b e decomp osed

so that

0 0 0

for a map h S S induced by structural rules in We

often write to denote a map of this form induced by a pro of extension

0 0

If is empty then we declare to b e the identity

One imp ortant prop erty to isolate is coherence of structural extensions

Lemma Coherence of Structural Extensions Suppose that is a

proof of j Q and that and are structural extensions

0 0 0

that prove judgement j Q then

This is really a statement ab out the maps induced by structural extensions

and is indep endent of Q and Q A structural extension determines a

0 0

function from variables in j to those in j with x b eing the

variable to which x contracts We omit a formal denition which is a simple

induction on derivations The desired result with data as in the statement

OHearn et al

of the lemma is then

If structural extensions and determine the same then

0 0 0

A where here is an appropriate comp onent of the

counit of J a S and

B if is nonpassive so neither derivation uses Passica

tion

It is easy to verify that this formulation which now has more the avour

of a categorical coherence result implies the Coherence of Structural Exten

sions Note that we cannot generally ask for equality of the b ecause

of Passication In cases where is passive we use A and the prop erty

0 0

f g A JP i f g to conclude the lemma

We indicate the pro of of

0 0

Pro of Given and a function from j to j we can dene a

canonical extension that determines as follows

i Passify all identiers if is passive

ii Perform all Contractions indicated by

iii Activate all variables in the intersection of the image of and the domain

iv Perform appropriate Weakenings for variables not in the image of

Step ii assumes that all Contractions indicated by are for identiers in the

passive zone this is an assumption on and

We thus obtain an extension P C A W consisting of Passications

followed by Contractions Activations and Weakenings with some Exchanges

sprinkled throughout We prove the prop erty for a canonical exten

sion by induction on the length of We consider two sample cases

Base case length is the identity whereas is either empty or a

sequence P A of Passications and Activations if is passive B is trivial

and A follows from the identity f f where f X JP This equation

in turn follows from the identities f passify f and passify f f

the former a consequence of bireectivity and the latter of S a J

Case last rule is Passication Part B is trivial For A the induction

0 0 0 0 0 0 0 0 0

hyp othesis gives us where P C A W is canonical

and p with p an instance of Passication Supp ose that x is the

identier moved by p There are three sub cases to consider

no rule in explicitly involves x

x was intro duced in the active zone through a Weakening step in W or

x was moved into the active zone through an Activation step in A

In sub case we mean that x is not moved by Passication or Activation or

intro duced via Contaction or Weakening Clearly one of these three cases must

apply note that if x was involved in Contraction Activation or Passication

then sub case would apply Sub case is straightforward since x is interpreted

by an identity in we concentrate on and

OHearn et al

For sub case we can replace the instance of Weakening that intro duces

0 00

x in W by another instance that puts x in the passive zone giving us W

00 0

Then W W p b ecause of the identity

A SB A

A B

0 0 0 00 0 0 0 00

Thus P C A W and P C A W is of the form prescrib ed

ab ove for the canonical extension Simple p ermutations within each com

0 0 0 00

p onent P A C W suce to show that it is semantically equal to the

prescrib ed extension in any case there is some trivial imprecision involving

order of rules in the prescription iiv for extensions

For sub case we rst move p to the left of W and then comp ose the

resulting instance of Passication with the instance of A that activates x this

comp osition yields the identity The involved equations for this are

SA B SA SA SA

0 0

and

A B A A

0 0 00 00 0 0 0 0 00

Thus P C A W P C A W p where A has the mentioned o ccur

00 00

rence of Activation removed so later rules in A and W are slightly adjusted

and the desired result follows as in sub case

Other rules are treated in a similar fashion using the induction hyp othesis

and various identities to reduce a pro of to a canonical extension 2

With coherence of structural extensions we may deduce the desired theo

rem as a corollary of the following result

Lemma Suppose j P is derivable both from j P and

from j P using only the structural rules Suppose further that for

i is any proof of j P then

i i i i

0 0

for al l structural extensions such that proves j P for

i i

Note that for i P P for identier substitutions intro duced by

i i i

Contractions

Pro of The pro of is by induction on the sum of the sizes of pro ofs and

The main base case is when and are b oth instances of the Axiom

for identiers This case follows from the coherence of structural extensions

OHearn et al

The other base cases for constants are immediate if any constant C is

interpreted as a map C

If the last step in is an instance of a structural rule then we prove the

result as follows Supp ose that RR is the last rule applied in and consider

any appropriate structural extensions i We want to show

0 0

Since the last rule in is RR which is one of the rules p ermissible in pro of

0 0

extensions this means that is the same pro of as where is

0 0

with the nal instance of RR stripp ed o and is with the corresp onding

instance of RR placed on the front We have simply moved the breakp oint

indicating a structural extension Since the pro of is smaller than

the induction hyp othesis applies and we may conclude

0 0

The result follows from the identity The case when ends

in a structural rule is symmetric

The only remaining cases are when b oth and end in a nonstructural

rule for a typ e constructor There are two groups of rules to consider those

that involve disjoint hyp otheses and those that do not

For the latter group we consider one example I Supp ose the last rules

of and are I with pro ofs of their premises

j P j Q j P j Q

0 0

j hP Q i j hP Q i

Let h S S k b e the maps induced

k k k

by the structural extensions Then by the induction hyp othesis h

h j The desired result is then immediate from the usual

identity h hf g i hh f h g i Other rules not involving disjoint contexts

k k k

are proven similarly using the induction hyp othesis and an additional identity

for E and E use h f h f for I use h f h id f

0 0

for I use h f h f for E use h f h f

P P

For the rules involving disjoint contexts we consider I E and E are

similar In the following we will content ourselves with skimming over the

details of some of the long syntactic constructions involved The basic idea

will b e to p ostp one certain Contractions until the end so that we can apply

the induction hyp othesis to disjoint terms and conclude the desired result

using the coherence of structural extensions

Supp ose the last rule in each of is I ie

0 0 0 0

j p j q j p j q

0 0 0 0

j p q j p q

0 0 0

We have structural extensions and to consider where proves

OHearn et al

j p q Since identiers in p and q are disjoint there are

i i

other structural extensions p ossessing the following prop erties

0 0 0 0 0 0

proves a sequent j p q for i where p and q have

i i

no free identiers in common and

proves j p q for i

i i

That is we are p erforming just enough Contractions to identify p and p

and q and q p ostp oning the identication of identiers in b oth ps and q s

until the stage The reader may wish to use the following picture where

the contexts have b een omitted

0 0

p q p q p q

0 0

p q

Next from we can obtain pro ofs and such that

i pi q i pi q i i

0 0

j p j q

i i i i i i

i i

pi q i

0 0

j p j q

pi pi q i q i

0 0 0 0

j p q

These are obtained by copying instances of rules that concern p or q as ap

propriate Finally we may apply the induction hyp othesis to conclude the

middle equality in the following

p q

where we have suppressed some symmetry isos The outer two equalities follow

0 0

from the identity h h f g h f h g and the indicated construction

0 0

of and The desired result then follows immediately

pi q i

from the coherence of structural extensions using 2

The Coherence theorem then follows directly by taking

and P P P

Having established that the semantics is welldened we can note that it

satises the reductions listed in Table

Prop osition The reductions in Table preserve equality in any bire

ective model of SCIR 2

For instance the equivalence derelictpromote M M follows from the

identity f f where f JP A which is true by virtue of J a S

and equation A fuller treatment of equivalences will not b e given here

However it is worth noting that many additional equations b eyond these

laws are valid in bireective mo dels As one example one can synthesize an

OHearn et al

equivalence from the law of monoidal functors

SA SB S A B

S AS B

SB SA S B A

B A

by replacing S by C where C is a passive typ e For instance the

map m would b e replaced by the term

f C A C B

P P

let f f b e f in

promotex C derelict f x derelict f x

See for discussion

Verifying coherence proved to b e quite a lot of detailed work even with cer

tain isomorphisms left implicit and with the skimming over of some syntactic

constructions We wonder whether typ e theoretic coherence could b e b etter

approached in a more general setting see for discussion and references

Discussion NonBireective Models

We have included the qualication bireective in Denition b ecause

there are mo dels of the SCIR typ e system in which the left and right adjoints

to the inclusion do not coincide The rst and foremost examples are given

by the mo dels in Others are given for example by arrow categories

C The mo dels that we know of have the form of two categories and three

functors b etween them like so

P C

with I fully faithful and L a I a R Additional conditions that a more gen

eral not necessarily bireective mo del of SCIR should satisfy have not b een

formulated Coherence is the minimal requirement for any general notion of

mo del of SCIR and is particularly subtle b ecause of the intricate interactions

b etween the p ermeability rules and other rules

A FunctorCategory Mo del

In this section we present a concrete mo del of the illustrative Algollike pro

gramming language of Section This conrms that the categorical analysis

using bireectivity is consistent with a more concrete reading of passivity in

terms of readonly access to the computer store

We emphasize that the aim of the mo del is not simply to characterize b e

haviour of complete programs ie closed terms of typ e comm Such a mo del

could b e obtained using a standard marked stores mo del in the cate

gory of cp os and continuous functions with a trivial bireective sub category

OHearn et al

structure given by the identity functor on the category To see why this is

so consider rst that if we map to and to any term in SCIR

is typable in simplytyp ed calculus Then a standard mo del for Idealized

Algol can b e used allowing for side eects in expressions to account for the

blo ck expression do and interpreting parallel comp osition as if it were sequen

tial But while such a mo del would correctly predict observable b ehaviour and

would satisfy an adequacy corresp ondence with a suitable op erational seman

tics it would not make manifest the principle that distinct identiers dont

interfere Furthermore the passive function typ e would b e semantically

equivalent to and the mo del would not show the sense in which expres

sions and in particular the blo ck expression are free from side eects That

is the semantics would fail to elucidate the most imp ortant asp ects of the

language

We desire a semantics that makes the consequences of the syntactic restric

tions clear For instance if the principle that distinct identiers dont interfere

is built into the semantics so the only environments are ones adhering to the

principle then it will b e evident that C k C is deterministic It will then turn

out that x y and y k x are equivalent but this fact which could in hindsight

b e assumed by a semantics is not so interesting as the reason for it namely

that x and y dont interfere Similarly we desire a semantics in which freedom

from side eects is built into passive typ es so that the sideeect freeness of

the blo ck expression is a constraint imp osed by the typ es themselves rather

than a prop erty to b e proven ab out valuations

The main challenge is to dene noninterference and passivity for entities

such as commands expressions and pro cedures which are conventionally mo d

elled as inputtooutput functions In the similar problems that arise

in treating the noninterference predicates in sp ecication logic are addressed

by using a categorytheoretic form of possibleworld semantics Each

phrase typ e is interpreted as a functor from a suitable small category

of p ossible worlds to a category of domains and any phrase P is interpreted

as a natural transformation P of such functors We will show that the same

category of functors and natural transformations can b e used to provide a

satisfactory mo del of the SCIRbased programming language

The Category of Worlds

A category of p ossible worlds appropriate to treating noninterference and

passivity in Algollike languages is dened as follows

The ob jects are sets we require a small collection thought of as sets of

states The set of all worlds is assumed to b e closed under the following

if V is the set of values appropriate to a data typ e V is a world

if X and Y are worlds so is their set pro duct X Y and

if X is a world so is any Y X

A map from X to Y is a pair f Q where Q is an equivalence relation on

X and f is a function from X to Y whose restriction to each Qequivalence

class is an injection Intuitively X is a world derived from Y f maps

OHearn et al

states in X back into Y and Q is an equivalence relation on states which

must b e preserved by execution in world X

The comp osition of maps f Q X Y and g R Y Z is the map

0 0 0

h P X Z such that h f g and x P x i x Q x and f x R f x The

identity map id on world X is I T where I is the identity function on

X X X X

set X and T is the everywheretrue binary relation on X We will designate

this category as X however it is the opposite of the category of worlds used

Any oneelement set is a terminal ob ject in X the unique map from X

to say fg is x We can also dene a tensor pro duct as follows

for ob jects X and Y X Y X Y the usual cartesian pro duct of sets

and f Q g R f g Q R where f g hx y i hf x g y i and

0 0 0 0

hx y iQ R hx y i if and only if x Q x and y R y This is the basis for a

symmetric monoidal structure on X with the designated terminal ob ject as

the unit for example the symmetry map from X Y to Y X consists of

the exchange function and the total relation on X Y

Pro jection maps X Y X and X Y Y can b e dened to

consist of the usual pro jection functions on X Y and equivalence rela

tions that relate hx y i pairs having the same y or x comp onents resp ectively

These maps are termed expansions in where the opp osite category

is considered and similar maps are treated in

We can also dene a natural family of diagonal maps X X X

whose comp onents are the diagonal function on X and the total relation on

X Note however that id and is not a categorical pro duct

X i X

Semantic Category and Basic Functors

of contravariant The semantic category for our mo del is the category D

functors from the category of p ossible worlds to D where D is the category

of cp os ie p ossibly b ottomless complete p osets and continuous func

tions with all natural transformations as the maps This is essentially the

same semantic category used in Finite pro ducts in D can b e ob

tained p ointwise from the familiar pro ducts in D

We now consider interpretations in D for the basic typ es expressions

and commands in the programming language First we dene the domain

ofstates functor St to b e the covariant functor from X to D such that

St X X discretelyordered and St f Q f Contravariant functors for

expression typ es can then b e dened p ointwise as follows

X St X V and f e St f e

where V is the set of values asso ciated with ie V is the set of integers

int

and V is the twoelement set of truth values

b o ol

For the command typ e if X is a world then c commX is a fam

ily of partial functions indexed by all Xmaps with codomain X so that

cf Y X is a partial function on St Y The uniformity condition on the

family is the following semicommutativity requirement for all f Y X

OHearn et al

and g Z Y

cg f St g St g cf

where the relation is graph inclusion of partial functions

Y Y

St g St g

Z Z

cg f

The semicommutativity allows command meanings to b ecome lessdened in

morerestricted worlds however the family must also satisfy the following

commutativity requirement arising from the equivalenceclass comp onent of

Xmaps For any Xmap f Q Y X and y St Y let

0 0 0

fy St Y j y Q y g Y

ie the set of states Qreachable from y then

cf Q

Y Y

0 0

St dY St dY

0 0

Y Y

c Y f Q

0 0

must commute and not just semicommute where dY Y Y is the Xmap

with comp onents the insertion function from Y to Y and the total relation

on Y This requirement is imp osed to ensure that when cf Q has a dened

result it preserves the Qequivalence class of its argument

The morphism part of comm is dened as follows for any Xmap

f Y X command meaning c commX and Xmap g Z Y

commf c g cg f

This makes comm a contravariant functor from X to D as required

We now discuss some examples to show how these functors interact with

the Xmaps dened in the preceding section

Because of maps from subsets of state sets expression meanings in the

semantics cannot have side eects not even temp orary ones For any world

W and w W we can restrict to the singleton set of states fw g using the re

striction map dfw g fw g W whose comp onents are the insertion function

and the total relation on fw g Then for any expression meaning e W

the value of e in state w is completely determined by the meaning dfw ge

at world fw g

OHearn et al

W V

St d fw g

d fw ge

fw g

where the vertical arrow is the insertion of fw g into W There can b e no side

eects during evaluation of ew b ecause in world fw g there are no other

states to change to

The b ehaviour of commands under restrictions is quite dierent Consider

the command meaning c commW Z corresp onding to an assign

ment statement z z where z accesses the Z valued comp onent in

X Z The partial function for cid maps hw ni to maps hw n i

W Z

But we also need to dene cf for all other Xmaps f into W Z including

restriction maps In particular if we consider cdfhw nig then this comp o

nent of c cannot pro duce an output state b ecause hw n i is not an element

of the world fhw nig More generally cf s can b e dened only if hw n i

is in the range of St f In contrast to the previous example command mean

ings are not completely determined at singleton worlds just b ecause they may

change the state

Supp ose now that we restrict to the world

Y fhw ni W Z j n is even g

and consider the comp osite z z z z and its semantic counterpart

c c Sequential comp osition is interpreted comp onentwise so for command

meanings c and c c c f is just the comp osition c f c f of the partial

functions for the comp onents Thus we get that c cid hw ni hw ni

W Z

However c cdY hw ni is undened b ecause cdY hw ni is undened The

attempt to stray out of Y even at an intermediate state leads to divergence

NonInterference

Tensor Product

Intuitively meanings a AW and b B W are noninterfering if neither

makes active use of any memory used by the other We formalize this intuition

as follows a b i there exist worlds X and Y an Xmap f W X Y and

0 0 0 0

meanings a AX b B Y such that Af a a and B f b b

0 0

a AX X X Y Y b B Y

f Af B f

a AW W b B W

The idea is that a and b come from disjoint worlds X and Y resp ectively

The archetypical example of this arises in the declaration of a new lo cal vari

able the new variable and nonlo cal entities are noninterfering b ecause they

can b e viewed as coming from the factors of a pro duct world Section

OHearn et al

The map f in the denition of a b allows for sharing of passivelyused

memory as in

X Z X Z Z Y Z Y

id id

X Z Y

The comp osite maps from X Z Y to X Z and Z Y have the equality

relation as the equivalencerelation comp onent on Z this ensures that the

shared memory Z can only b e used passively An example is discussed b elow

We can now dene a bifunctor on D to interpret typ e assignments and

the noninterfering pro duct typ e constructor in the syntax For any functors

A B X D and world W

o n

a b A B W ha bi A B W

and the morphism part is dened as follows for any f W Y

D E

A B f ha bi Af a B f b

0 0

If A A and B B then

D E

W ha bi W a W b

we dene the unit to b e a To complete the monoidal structure on D

sp ecied terminal ob ject which can b e dened p ointwise These denitions

make D a symmetric monoidal category

Sharing and Contraction

To illustrate the interaction b etween sharing and disjointness in the denition

of we consider a map

k comm comm comm

for interpreting the deterministic parallel comp osition of noninterfering com

0 0

mands Given hc c i comm comm W there exist c and c as

follows

0 0

c commX X X Y Y c commY

commf commf f

c commW W c comm W

0 0

Dene c c commX Y to b e the comp onentwise pro duct map

0 0 0 0

ie c c g c g c g using the morphism part of the cartesian

pro duct in the category of sets and partial functions To get a meaning at

world W we use map f as follows

0 0

k W hc c i commf c c

0 0

Here X Y c and c are not uniquely determined but the functoriality re

quirements on comm are sucient to ensure that this is a go o d denition

OHearn et al

The f map is what allows for a limited amount of sharing To illustrate

0 0

this supp ose X Y Z Z c idhn n i hn n i and c idhn n i

0 0

hn n i Then we can form a comp osite command in which c and c

op erate on disjoint p ortions of the state

0 0

c c commZ Z Z Z

Sharing can b e achieved via a diagonal map

Z Z Z Z

id id

Z Z Z

yielding the meaning

0 0

c comm id id c c

Z Z Z

We nd that cidhn n n i hn n n i the two middle comp onents

in the pro duct Z Z Z Z get identied which is to say shared by the

diagonal map Intuitively

c corresp onds to a command x y

0 0

c corresp onds to a command z y and

c corresp onds to the command x y k z y obtained by parallel

comp osition followed by Contraction of y and y

where the identiers corresp ond to evident comp onents in Z and Z

Thus the semantics of k is given by combining functions on disjoint state

sets followed by sharing This corresp onds closely to how parallel commands

are typ ed rst commands with no identiers in common are combined and

then sharing is intro duced using the Contraction rule

Exponential

a closed cate An exponential construction right adjoint to makes D

gory A B W is dened to b e the set ordered p ointwise of families

q X AX B W X of continuous functions indexed by worlds X such

that for all Xmaps f Y X the following naturality diagram commutes

q X

AX B W X

Af B id f

q Y

AY B W Y

A B W A B W is simply the p ointwiseordered homset D

Note that the argument of q X is an element of AX ie W is not involved

corresp onding to the principle that a pro cedure and its argument are disjoint

B is dened as follows for any Xmap f X W The morphism part of A

0 0

B f q Y q Y B f id If A A and B B then A

OHearn et al

0 0

A B A B is given by

W p A B W X X pX W X

B A B is dened by The application map app A B A

D E

0 0

app A B W q A B W a AW B f q Y a

0 0

where f W X Y Af a a and A B f q q Here

0 0

f W X Y a AX and q A B Y are not uniquely determined

but the naturality condition on pro cedure meanings is sucient to ensure that

C this is a go o d denition If A B C the curried map A B

is dened by

E D

0 0 0 0

W a AW X b B X W X A a B b

Prop osition D is a symmetric monoidal closed category

Pro of The structure describ ed is an instance of an abstract construction

presented in 2

Passivity

Intuitively a AW is passive if it do esnt interfere with anything This can

b e dened rigorously using statechange constraint endomaps W W

in X whose comp onents are the identity function on W and the equality

relation on W It is easily veried that the are idempotent maps and

furthermore that they constitute a natural family of maps ie is a natural

idemp otent on the identity functor

The imp ortance of the for treating passivity is that b ecause of the

denition of comm they preclude any state changes hence A applied

to any a AW pacies it so that it cannot interfere with anything For

example supp ose that c commW is the denotation of w w the

second uniformity condition on command meanings ensures that c s can

b e dened only if cid s s and so for this c we obtain that comm c

W W

is everywhereundened

The eect of statechange constraints on expression meanings is quite dif

ferent For each world W and e W e e Statechange con

straints have no eect here b ecause expressions cannot cause side eects

These examples suggest the following denition a AW is passive if and

only if A a a For example skipW a family of identity functions and

divergeW a family of everywhere undened functions are passive elements

of commW

The following results establish the connections b etween passivity and non

interference

Prop osition If p P W and q QW are passive p q

Pro of If p and q are passive P p p and Q q q but

W W W

for i and so p q 2

W i

Prop osition a AW is passive i a a

OHearn et al

Pro of The only if part follows from the preceding Prop osition

In the other direction supp ose that a a then there exist worlds X

and Y a AX a AY and an Xmap f W X Y such that

X Y

Af a a Af a Let Q for i b e the equivalence

X Y i

relation comp onents of f then I Q f f and so we

i W i i i

get by functoriality of A that AI Q a a for i This gives us

W i

that A I Q I Q a a but I Q I Q and so a is

W W W W W

passive 2

An object A of D is passive i for every world W every a AW is

passive For example a terminal ob ject is passive b ecause it is a constant

functor and is a passive ob ject b ecause for any world W and e W

e St e morphism part of

W W

e St is the identity function

Let P b e the full sub category of passive ob jects of D This determines

a mo del of SCIR which follows in fact as a sp ecial case of the abstract results

together with subcategory P comprise a Theorem Category D

bireective model of SCIR 2

The following data are thus obtained allowing us to interpret the SCIR typing

rules

P which takes AX to the subcp o of passive the bireector S D

elements S AX fa AX j a is passive g and S Af a Af a

the unit A SA of S a J given by W a A a and

A A W

the counit SA A of J a S given by the inclusion S AW AW

Interpretation of the Constants

We now present interpretations of selected constants The interpretation of k

has already b een given in Section

Sequential comp osition is given by a map

sequence comm comm comm

The denition is sequenceW hc c if c f c f using comp osition of

partial functions One can show that the following diagram commutes

exchange

comm comm comm comm

i k

comm comm comm

sequence

OHearn et al

where k is the interpretation of parallel comp osition from Section i

is the evident inclusion and exchange is the twist map exchanging the two

comp onents of As a consequence if commands C and C dont share any

identiers we have the equivalences C C C C C k C C k C

which wouold not hold in the absence of interference constraints

For assignment we dene a map

assign comm comm

Because of the presence of instead of on the left we cannot simply use the

app map to apply the pro cedure To deal with this we supply the acceptor

comp onent of a variable with a constantfunction argument Given v V

dene k to b e the constant meaning such that k f w v for all

v v

f W and w W We can then dene the assignment map as follows

E D

iak hw i if e w v

w assignW ha ei e

undened if e w

where i W W is the unity isomap

The blo ckexpression combinator do is treated by dening

do S var comm

First let ha ei var V b e the standard lo cal variable meaning at world

V Then

v if pV ha eihw v i hw v i

do W p w

if pV ha eihw v i is undened

where v is a standard initial value for typ ed variables The passivity of p

0 0 0

guarantees that w w whenever pX ehw xi hw x i so there is no need

for a snapback eect

Finally we show how the xedp oint combinator can b e interpreted by

dening a map

A Y S

If p S Z then we can obtain a function p Z Z by

comp osing pZ Z Z Z with the map Z Z Z

Y Z sends p to the least xedp oint of p

Other constants can b e treated as in

An Alternative Presentation

J C Reynolds has suggested private communication that an interference

controlled Algollike language should b e interpreted by families of continuous

functions indexed by assignments of statesets to identiers with each iden

tier in the context interpreted by a meaning relative to its own stateset In

our framework this would mean that a syntax judgement j P would

W indexed by assignments W of b e interpreted by a family of functions

OHearn et al

worlds to identiers with the functionality of W b eing

Y Y Y

W W W S

2dom 2dom

2dom

W are cpo pro ducts whereas the Note that the pro ducts in the domain of

pro duct in the codomain is a set pro duct This form of semantic interpreta

tion seems intuitively app ealing b ecause it makes the disjointness of distinct

identiers very explicit but it is highly nonstandard

In this section we show that we can dene a bijection b etween the standard

form of semantics discussed in earlier sections and this nonstandard form To

simplify the treatment we will consider natural transformations

A B C

and families of functions

X Y AX B Y C X Y

natural in Xob jects X and Y From a natural transformation we can

dene a family X Y of functions as follows

E D

0 0 0 0

X Y a b X Y A a B b

In the other direction

0 0

W ha bi C f X Y a b

0 0 0

where f W X Y a AX and b B Y such that Af a a

and B f b b must exist b ecause ha bi A B W the naturality

requirement for X Y ensures that W ha bi is uniquely determined It is

a routine exercise to verify that the mappings and just given

are mutual inverses

Uday Reddy has launched a criticism at semantics based on global states

and develop ed an alternate approach in which dierent identiers denote

indep endent ob jects where the state is implicitly represented in histories

of observations We would claim that functorcategory mo dels though they

are not stateless also represent a move away from the viewp oint of a common

global store that programs act up on For example in the presentation

sketched in this section and implicitly in the standard presentation each

identier is asso ciated with its own state set separate from the statesets

asso ciated with other identiers intuitively each identier denotes an ob ject

acting up on a piece of lo cal state

Concluding Remarks

Syntactic control of interference is an imp ortant step toward the ideal of a

clean form of imp erative programming It retains basic principles of Algol

like and functional programming including equational laws such as the

law this it has in common with recent work emanating from the functional

programming community see eg But interference control also

b egins to address some of the problems of state such as aliasing Functional

OHearn et al

principles alone do not make state signicantly easier to reason ab out as is

abundantly clear for example from sp ecication logic Controlling interfer

ence addresses some of the most prominent diculties

At present syntactic control of interference has develop ed to the p oint

where it p ossesses quite satisfactory typ e systems and mo dels Nevertheless

there are many issues that need to b e addressed b efore the ideal of a clean

and practical form of imp erative programming can b e realized The following

is a partial list of immediately relevant issues

i Our example programming language do es not have facilities for program

ming dynamicallyrecongurable data structures of the kind often imple

mented using p ointers or references Simple languages of this form can

serve as a useful testb ed for ideas on integrating imp erative and func

tional programming but extending the basic approach of SCI to supp ort

co ding of dynamic data is clearly crucial It is not obvious what the b est

way to do this might b e

ii A callbyvalue version of SCI could have some interest A challenge for

such a design is to maintain a controlled form of side eects

iii One motivation for interference control is that it should simplify reasoning

ab out programs To nd evidence for this p osition one might investigate

a version of sp ecication logic stripp ed of the p ervasive assumptions

A more ambitious program would b e to set down axioms characterizing

indep endence of identiers p ossibly using the parametricity ideas of

and to investigate the thesis that such a characterization simplies the

logical form of sp ecications needed for familiar ob jects or pro cedures

iv The complexity of typ e checking and the p ossibility of typ e inference need

to b e investigated for the typ e system presented here

v The semantic mo del presented here p ossesses two kinds of exp onentials

one for the monoidal closed structure and another adjoint to for

cartesian closed structure This raises the question of whether inter

ference control and uncontrolled Algol can co exist harmoniously in one

system which might b e useful in addressing diculties with jumps and

recursive denitions having active free identiers Various unied log

ics have similar aims combining intuitionistic linear and classical

logics we would want to combine intuitionistic and ane systems An

interesting p oint to note is that here the two kinds of closed structure

co exist in the same category so there is no need to pass to a separate

category such as a Kleisli category to interpret the intuitionistic ie

Algols function typ es

vi The hop e for a linear logicbased functional language that can express

state manipulation remains unrealized or certainly not adequately real

ized but the similarities with interference control b oth in aims and in

technical details are alluring Rather than taking functional program

ming as the starting p oint a reasonable approach might b e to mo dify

syntactic control of interference so that it provides a range of typ es for

expressing manipulation of state instead of a single typ e comm

OHearn et al

References

N Benton G Bierman V de Paiva and M Hyland A term calculus for

intuitionistic linear logic In M Bezen and J F Gro ote editors Typed Lambda

Calculi and Applications volume of Lecture Notes in Computer Science

pages Utrecht The Netherlands March SpringerVerlag Berlin

P N Benton A mixed linear and nonlinear logic pro ofs terms and mo dels

preliminary rep ort Technical Rep ort University of Cambridge Computer

Lab oratory Octob er

GM Bierman What is a categorical mo del of intuitionistic linear logic

In Proceedings of Second International Conference on Typed calculi and

Applications volume of Lecture Notes in Computer Science pages

Edinburgh Scotland April SpringerVerlag Berlin

R Bird and P Wadler Introduction to Functional Programming PrenticeHall

International London

P Brinch Hansen Structured multiprogramming Comm ACM

F Brown editor The Frame Problem in Articial Intel ligence Proceedings of

the workshop Morgan Kaufmann

M Copp o and M Dezani A new typ e assignment for terms Archiv Math

Logik

B J Day On closed categories of functors In S Mac Lane editor Reports of

the Midwest Category Seminar volume of Lecture Notes in Mathematics

pages SpringerVerlag BerlinNew York

S Eilenb erg and G M Kelly Closed categories In S Eilenb erg et al editors

Proceedings of the Conference on Categorical Algebra pages La Jolla

California SpringerVerlag New York

P Freyd P W OHearn A J Power M Takeyama and R D Tennent

Bireectivity In these pro ceedings

JY Girard Linear logic Theoretical Computer Science pages

JY Girard On the unity of logic Annals of Pure and Applied Logic

C A R Hoare An axiomatic basis for computer programming Comm ACM

and

C A R Hoare Hints on programminglanguage design In C Bunyan editor

Computer Systems Reliability volume of State of the Art Report pages

PergamonInfotech Also pages of

C A R Hoare and C B Jones editors Essays in Computing Science Prentice

Hall International

OHearn et al

P Hudak Conception evolution and application of functional programming

languages Computing Surveys

J Hughes Why functional programming matters The Computer Journal

G M Kelly Do ctrinal adjunctions In G M Kelly editor Category Seminar

Proceedings Sydney Category Theory Seminar volume of Lecture

Notes in Mathematics pages SpringerVerlag New York

J Launchbury and S Peyton Jones State in Haskell Lisp and Symbolic

Computation Decemb er

S Mac Lane Categories for the Working Mathematician SpringerVerlag New

York

A R Meyer and K Sieb er Towards fully abstract semantics for lo cal

variables preliminary rep ort In Conference Record of the Fifteenth Annual

ACM Symposium on Principles of Programming Languages pages San

Diego California ACM New York

M Odersky D Rabin and P Hudak Call by name assignment and the

lamb da calculus In POPL pages

P W OHearn The Semantics of NonInterference A Natural Approach

PhD thesis Queens University Kingston Canada

P W OHearn Linear logic and interference control In D H Pitt et al

editors Category Theory and Computer Science volume of Lecture Notes

in Computer Science pages Paris France Septemb er Springer

Verlag Berlin

P W OHearn A mo del for syntactic control of interference Mathematical

Structures in Computer Science

P W OHearn A J Power M Takeyama and R D Tennent Syntactic

control of interference revisited In S Bro okes M Main A Melton and

M Mislove editors Mathematical Foundations of Programming Semantics

Eleventh Annual Conference volume of Electronic Notes in Theoretical

Computer Science Tulane University New Orleans Louisiana March April

Elsevier Science Also in pages

P W OHearn and R D Tennent Semantical analysis of sp ecication logic

Information and Computation Also in

P W OHearn and R D Tennent Parametricity and lo cal variables J ACM

May Also in pages

P W OHearn and R D Tennent editors Algollike Languages volume

Birkhauser Boston

P W OHearn and R D Tennent editors Algollike Languages volume

Birkhauser Boston

F J Oles A CategoryTheoretic Approach to the Semantics of Programming

Languages PhD thesis Syracuse University Syracuse NY

OHearn et al

S PeytonJones and P Wadler Imp erative functional programming In POPL

pages

Conference Record of the Twentieth Annual ACM SIGPLANSIGACT

Symposium on Principles of Programming Languages Charleston South

Carolina ACM New York

A J Power Why tricategories To app ear in Information and Computation

U S Reddy Passivity and indep endence In Proceedings th Annual IEEE

Symposium on Logic in Computer Science pages Paris IEEE

Computer So ciety Press Los Alamitos California

U S Reddy Global states considered unnecessary intro duction to ob jectbased

semantics Lisp and Symbolic Computation February Sp ecial issue on

State in Programming Languages Also in pages

J C Reynolds Syntactic control of interference In Conference Record of the

Fifth Annual ACM Symposium on Principles of Programming Languages pages

Tucson Arizona January ACM New York Also in pages

J C Reynolds The Craft of Programming PrenticeHall International

London

J C Reynolds The essence of Algol In J W de Bakker and J C van

Vliet editors Algorithmic Languages pages Amsterdam Octob er

NorthHolland Amsterdam Also in pages

J C Reynolds Idealized Algol and its sp ecication logic In D Neel editor

Tools and Notions for Program Construction pages Nice France

Decemb er Cambridge University Press Cambridge Also in

pages

J C Reynolds Syntactic control of interference part In G Ausiello

M DezaniCiancaglini and S Ronchi Della Ro cca editors Automata

Languages and Programming th International Col loquium volume of

Lecture Notes in Computer Science pages Stresa Italy July

SpringerVerlag Berlin

R D Tennent Semantics of interference control Theoretical Computer

Science

R D Tennent Semantical analysis of sp ecication logic Information and

Computation Also in

P Wadler A syntax for linear logic In S Bro okes et al editors Mathematical

Foundations of Programming Semantics volume of Lecture Notes in

Computer Science pages New Orleans SpringerVerlag Berlin

N Wirth On the design of programming languages In J L Rosenfeld editor

Proceedings ifip Congress pages Sto ckholm NorthHolland

Amsterdam