The Theory of Interacting Deductions and Its Application to Operational Semantics


Andrew Wilson
Doctor of Philosophy
University of Edinburgh
1996

In memory of my father, who died after a courageous struggle with a long illness, and to my mother, who struggled with him. You taught me faith, hope, love and perseverance; thank you.

"Not a single truth has ever been discovered without people first talking utter rot a hundred times or perhaps a hundred thousand times." - Razumikhin, in Dostoyevsky's "Crime and Punishment".

Abstract

This thesis concerns the problem of complexity in operational semantics definitions. The appeal of modern operational semantics is the simplicity of their metatheories, which can be regarded as theories of deduction about certain shapes of operational judgments. However, when applied to real programming languages they produce bulky definitions that are cumbersome to reason about. The theory of interacting deductions is a richer metatheory which simplifies operational judgments and admits new proof techniques.

An interacting deduction is a pair (F, I), where F is a forest of inference trees and I is a set of interaction links (a symmetric set of pairs of formula occurrences of F), which has been built from interacting inference rules (sequences of standard inference rules, or rule atoms). This setting allows one to decompose operational judgments. For instance, for a simple imperative language, one rule atom might concern a program transition, and another a store transition. Program judgments only interact with store judgments when necessary: so stores do not have to be propagated by every inference rule. A deduction in such a semantics would have two inference trees: one for programs and one for stores. This introduces a natural notion of modularity in proofs about semantics. The proof fragmentation theorem shows that one need only consider the rule atoms relevant to the property being proved.

To illustrate, I give the semantics for a simple process calculus, compare it with standard semantics and prove three simple properties: nondivergence, store correctness and an equivalence between the two semantics.

Typically evaluation semantics provide simpler definitions and proofs than transition semantics. However, it turns out that evaluation semantics cannot be easily expressed using interacting deductions: they require a notion of sequentiality. The sequential deductions contain this extra structure. I compare the utility of evaluation and transition semantics in the interacting case by proving a simple translation correctness example. This proof in turn depends on proof-theoretic concerns which can be abstracted using dangling interactions. This gives rise to the techniques of breaking and assembling interaction links. Again I get the proof fragmentation theorem, and also the proof assembly theorem, which allow respectively both the isolation and composition of modules in proofs about semantics. For illustration, I prove a simple type-checking result (in evaluation semantics) and another nondivergence result (in transition semantics).

I apply these results to a bigger language, CSP, to show how the results scale up. Introducing a special scoping side-condition permits a number of linguistic extensions including nested parallelism, mutual exclusion, dynamic process creation and recursive procedures. Then, as an experiment, I apply the theory of interacting deductions to present and prove sound a compositional proof system for the partial correctness of CSP programs.

Finally, I show that a deduction corresponds to CCS-like process evaluation, justifying philosophically my use of the theory to give operational semantics. A simple corollary is the undecidability of interacting-deducibility. Practically, the result also indicates how one can build prototype interpreters for definitions.
Acknowledgments

First and foremost, a big thank you to my supervisor Kevin Mitchell for his painstaking help and advice. Thanks are also due to Gordon Plotkin, Bob Tennant, Robin Milner and Colin Stirling, who have variously belonged to my supervision committee and given helpful suggestions. Thanks are also due to my officemates Pietro Cenciarelli and Alex Simpson, and to my flatmate Julyan Elbro, for their friendship and their comments on early drafts. Thanks also to Saif, Pietro and Alex for making my office days very pleasant, and similarly to Dave Aspinall and all my friends in the LFCS.

Thanks to the Science and Engineering Research Council (now EPSRC) for funding the first three years of my thesis. Thanks also to my mum and the Department of Computer Science, which allowed me to scrape a living teaching after the three years had expired.

Finally, I could not have survived a project of this magnitude without the support and care of my family and my friends, of which I have too many to acknowledge by name individually. You know who you are. But especial thanks to my closest friends, Andrew, Douglas and David, and to my flatmates Dave, Julyan, Doug and Dan, who put up with the bad times. Thanks also to the members of Mayfield-Salisbury church, and especially the three families who over the years all but adopted me: the Jamiesons, the Simpsons and the Vandersteens. Thanks also to Lt. Heather Chambers and the boys of the 3rd Edinburgh Company, The Boys' Brigade, who boosted my flagging spirits during those long depressing months. Finally, thanks to my TEAM co-leader Helen Hopwood, who made running TEAM much less stressful than it should have been.
Table of Contents

1. Defining Programming Languages 1

2. Interacting Deductions 18
  2.1 Preliminaries 20
  2.2 Interacting deductions 22
    2.2.1 Examples 24
    2.2.2 I-deductions have no dependency loops 25
    2.2.3 DLF helps characterize the I-deductions 27
  2.3 An Example 31
    2.3.1 Comparative Semantics 32
    2.3.2 Extending the semantics 35
    2.3.3 Reasoning about semantics 37
  2.4 Fragments of deductions 38
  2.5 Examples 41
    2.5.1 Extending a nondivergence proof 42
    2.5.2 A modular proof about stores 45
    2.5.3 An equivalence theorem 47
  2.6 Chapter summary 52

3. Evaluation Semantics and Sequential Deductions 53
  3.1 Sequential composition in evaluation semantics 56
    3.1.1 Cutting intermediate states 56
    3.1.2 Control stacks (or continuations) 59
    3.1.3 Coding 63
    3.1.4 Conventions 63
    3.1.5 Solution 64
  3.2 Sequential deductions 66
    3.2.1 Examples 69
    3.2.2 QI-deductions have no sequencing loops 70
    3.2.3 SLF helps characterize the QI-deductions 72
    3.2.4 Coding QI-deduction into I-deduction 74
  3.3 An evaluation QI-semantics for P(;) 75
  3.4 An example: translation correctness 78
    3.4.1 The translation 79
    3.4.2 The transition semantics proof of correctness 80
    3.4.3 Tree Pruning and partial deductions 83
    3.4.4 The evaluation semantics proof of correctness 84
    3.4.5 Appraisal (equivalence, nondeterminism, nontermination) 89
  3.5 Chapter Summary 93

4. The content of interaction 94
  4.1 DQI-deduction 98
    4.1.1 Structures, Histories and Binary Assemblies 98
    4.1.2 Deduction 103
    4.1.3 Coding QI-deduction into DQI-deduction 108
  4.2 Proof Fragmentation 111
    4.2.1 The interaction reflection theorem 112
    4.2.2 The Proof Fragmentation Theorem 114
    4.2.3 An example: Type checked processes do not fail 115
    4.2.4 Proof fragmentation is not always enough 118
  4.3 Proof Assembly 119
    4.3.1 Example: Terminating processes type-check 124
    4.3.2 Example: Another nondivergence proof 125
  4.4 Chapter summary 128

5. A Semantics and Logic for CSP 129
  5.1 A Definition of CSP 130
    5.1.1 Syntax and informal semantics 130
    5.1.2 Static Semantics 132
    5.1.3 Auxiliary Definitions: Stores 133
    5.1.4 Dynamic semantics 133
  5.2 Some alternative features 140
    5.2.1 Nested Parallelism 140
    5.2.2 Shared Variables 141
    5.2.3 Dynamic process creation 142
    5.2.4 Pre-emption 143
    5.2.5 Multicasting 143
    5.2.6 Procedures 144
  5.3 An Application: Program Verification 148
    5.3.1 A Hoare Logic for the partial correctness of CSP 152
    5.3.2 An example partial correctness proof 157
    5.3.3 Soundness of the Hoare Logic 160
    5.3.4 Appraisal 169
  5.4 Chapter Summary 173

6. The process calculus interpretation 175
  6.1 Preliminaries 176
    6.1.1 On formula occurrences 176
    6.1.2 The process calculus 177
    6.1.3
