1 Introduction
There are many notions of program equivalence for languages with effects. In this paper, we explore the notion of behavioural equivalence, which states that programs may be considered behaviourally equivalent if they satisfy the same behavioural properties. This can be made rigorous by defining a logic, where each formula denotes a certain behavioural property. We write to express the satisfaction of formula by term , which is usually given by a Boolean truth value (true or false). Two terms and are said to be behaviourally equivalent if they satisfy the same formulas. Such an approach is taken in for example [9].
In particular, we use this method to define equivalence for a language with algebraic effects in the sense of Plotkin and Power [26]. Effects can be seen as aspects of computation which involves interaction with the world ‘outside’ the environment in which the program runs. They include: exceptions, nondeterminism, probabilistic choice, global store, input/output, cost, etc. The examples given have common ground in the work of Moggi [21], and can moreover be expressed by specific effect triggering operations making them ‘algebraic’ in nature. In the presence of such algebraic effects, computation terms need not simply reduce to a single terminal term (that is a value), they may also invoke effects on the way. Following [26, 13], we consider a computation term to evaluate to an effect tree, whose nodes are effect operators and leaves are terminal terms. The paper [28] introduced modalities that lift boolean properties of values to boolean properties of the trees modelling their computations. See [23, 22, 27] for alternative ways in which logics can be used to describe properties of effects.
The use of a Boolean logic does however not readily adapt to several examples of effects, for example the combination of probability and nondeterminism. The literature on compositional program verification shows the usefulness of quantitative (e.g. realnumber valued) program logics for verifying programs with probabilistic behaviour, possibly in combination with nondeterminism [14, 20]. The paper [28] develops a general Booleanvalued framework which, although featuring many examples, does not apply to the combination of probability and nondeterminism.
This paper provides a general framework for quantitative logics for expressing behavioural properties of programs with effects, generalising the Booleanvalued framework from [28]. We consider a quantitative (quantityvalued) satisfaction relation ‘’, where is given by an element from a quantitative truth space (a degree of satisfaction). This allows us to ask open questions about programs, like “What is the probability that …” or “What are the correct global starting states for …”. We define equivalence by stating that programs and are equivalent, if for any formula we have ( satisfies precisely as much as does). A key feature of the logic is the use of quantitative modalities to lift quantitative properties on value types to quantitative properties on computation types.
As in [28], we are able to establish that the behavioural equivalence defined as above is a congruence, as long as suitable properties on the quantitative modalities are satisfied. These properties require notions of monotonicity, continuity, and a notion of preservation over sequencing called decomposability. As in [28], the congruence is established by proving that given one of the properties (leafmonotonicity), our behavioural equivalence is equal to an effectsensitive notion of Abramsky’s applicative bisimilarity [1, 3]. Given further properties on the modalities, this relation can be proven to be compatible using Howe’s method [11].
The main contribution of this paper is the generalisation of [28], and the corresponding generalised results. This goes through smoothly, though there are some subtleties like what to take as primitive in a quantitative setting. In particular, we will see the necessity of a threshold operation. The other main contributions are the examples illustrating the quantitative approach. Some examples such as the combination of nondeterminism with probabilistic choice, or with global store, do not fit into the Booleanvalued framework of [28], but do work here^{3}^{3}3The combination of global store and nondeterminism is possible in the framework of [28], of one only considers angelic (helpful) nondeterminism. The problem is with general (neutral) or demonic (antagonistic) nondeterminism, combined with global store.. But there are also examples, such as probability, global store, and cost, whose treatment is more natural in our quantitative setting, even though they also fit in the framework of [28].
As a vehicle of our investigation we use Levy’s callbypushvalue (CBPV) [17, 16], together with general recursion and the aforementioned algebraic effects. As such, it generalises [28] in a second way by using callbypushvalue to incorporate both callbyname (CBN) and callbyvalue (CBV) evaluation strategies. This is significant, since once either divergence or effects are present, the distinction between the reduction strategies becomes vital. For example, if we take some probabilistic choice por signifying a fair coin flip, we have that ‘’ holds in CBN, but not in CBV. So it is interesting to consider CBPV, as it expresses both these behaviours. The distinction is expressed in the difference between productiontypes where one explicitly observes effects, and types like
where the observation of effects is postponed to a later moment. As such, this language is an ideal backdrop for studying effects.
In Section 2 we give the operational semantics of the language, starting with the effectfree version and working towards our treatment of algebraic effects. In Section 3 we present our quantitative logic, introducing quantitative modalities to deal with the observation of effects. In Section 4 we look at the resulting behavioural equivalence and the properties that establish the congruence property (or compatibility in its technical form). In Section 5 we relate this equivalence to applicative (bi)similarities by defining a relator using our modalities. This then allows us to adapt a Howe’s method proof of compatibility from [3, 28] for this equivalence. We finish in Section 6 with some discussions.
2 Operational semantics
We use a simplytyped callbypushvalue functional language as in [16, 17], together with general recursion and a ground type for natural numbers, making it a callbypushvalue variant of PCF [24]. To this, we add algebraiceffecttriggering operators in the sense of Plotkin and Power [26]. We first focus on the effectfree part of the language, as we want to consider effects independently of the underlying language.
2.1 The language
We give a brief overview of the language and its semantics. The types are divided into two flavours, Value types and Computation types. Value types contain value terms that are passive, they don’t compute anything on their own. Computation types contain computation terms which are active, which means they either return something to or ask something of the environment.
Value types and computation types are given by:
where is any finite indexing set. By asserting finiteness of in the case of product types, the number of program terms is kept countable (a property which will have benefits later on in the formulation of the logic). The type is a thunk type, which consists of terms which are frozen. These terms were initially computation terms but are made inactive by packaging them into a thunk. The type is the type of natural numbers, containing the nonnegative integers. With this type, we can program any computable function on the natural numbers as in PCF [24]. The type is a producer type, which actively evaluates and returns values of type to the current environment. As was stated, this is the type at which we can observe effects. The type is a type of functions, which is a computation type since its terms are actively awaiting input.
We have a countablyinfinite collection of term variables , and term contexts: .
Note that contexts only contain Value types, meaning that like in callbyvalue, we can only ever substitute value terms. This is no loss of generality, as we can simulate substituting computation terms by packaging them into a thunk. The terms of the language are as follows:
Value  
Computation  
We underline terms () and types () when they are computation terms and computation types respectively. We will also use and to denote general types and their terms, e.g. they could be either value or computation types/terms. Following [16], their typing rules are given in Fig. 1. We distinguish two typing judgements, and , for value and computation terms respectively. We write for the set of closed terms of type . Note the addition of the fixpoint operator which has been added to allow for general recursion and hence divergence. We write for the numeral representing the th natural number.
2.2 Semantics
We give the semantics of this language by specifying a reduction strategy for computation terms in the style of a CKmachine [5]. We distinguish a special class of computation terms, called terminal terms, which will not reduce further. They consist of: , , and .
We first give the rules for terms we can directly reduce. We denote these using relation symbol :

.

.

.

.

.

.

.
The behaviour of the other nonterminal computation terms; , and , is implemented using a system of stacks defined recursively: .
We write for the computation resulting from applying to , which can be seen as evaluating the program within the environment .
Whenever one encounters a computation of which one needs to first evaluate a subterm, one unfolds the continuation into the Stack and focusses on evaluating that subterm. This method is given by the stack reduction relation in the following way:

If , then .

.

.

.

.

.

.
2.3 Adding algebraic effect operators
We add algebraic effects in the style of [13], given by specific effect operators. We use a type variable for computation types. Effects are given by operators of the following arities (like in [13, 25]):
.
For each effect under consideration, we bundle together effect operators pertaining that effect in a set called an effect signature . Given such a signature, new computation terms can be constructed according to the typing rules in Fig. 2.
We look at the running examples of this paper.
Example 1 (Probabilistic choice).
The effect of probability is implemented by the signature , where we have a single binary operator for fair probabilistic choice. The computation will have a probability of evaluating , and probability of evaluating .
Example 2 (Global store).
In the case of global variables for natural numbers, we define a signature , where we have a set of locations for storing natural numbers. The computation looks up the number at location and substitutes it for in . The computation stores at and then continues with the computation .
Example 3 (Probabilistic choice and global store).
We will also consider the combination of the previous two examples, probabilistic choice with global store, given by effect signature .
Example 4 (Cost).
If we want to keep track of costs of an evaluation, we take the signature , where we have a countable set of realvalued costs . The computation assigns a cost of to the evaluation of . This cost can represent a time delay or some other resource.
Example 5 (Combinations with nondeterminism).
We consider a binary operator for nondeterministic choice, which contrary to probabilistic choice is entirely unpredictable. One interpretation is to consider it under the control of some external agent or scheduler (e.g. a compiler), which one may wish to model as being cooperative (angelic), antagonistic (demonic), or neutral. We will consider nondeterminism and it’s operator in combination with any one of the previous three examples. The resulting signatures are named , , , and respectively.
Example 6 (Combinations with error).
Lastly, given some set of error messages , we consider adding error raising effect operations to the language, where stops the evaluation of a term, and displays message . There is no continuation possible afterwards.
In the presence of such effects, the evaluation of a computation term might halt when encountering an algebraic effect operator. We broaden the semantics, where a computation term now evaluates to an effect tree, a coinductively generated term using operations from our effect signature together with terminal terms and a symbol for divergence . This idea appears in [26], but here we adapt the formulation from [13] to callbypushvalue.
We define the notion of an effect tree over any set , where can be thought of as a set of terminal terms.
Definition 2.1.
An effect tree (henceforth tree) over a set , determined by a signature of effect operations, is a labelled and possibly infinite depth tree whose nodes have the possible forms given below.

A leaf node labelled (the symbol for nontermination/divergence).

A leaf node labelled where .

A node labelled ‘’ with children , when has arity .

A node labelled ‘’ with children , when has arity .

A node labelled ‘’ where with children , when has arity .
The set of trees over set and signature is denoted . We can equip this set with a partial order , where if can be constructed from by pruning (possibly infinitely many) subtrees and labelling the pruning points with . Moreover, the preorder is complete, so each ascending chain of trees has a least upper bound .
For any , we denote for the tree which only consists of one leaf labelled . We also have a map which flattens a tree of trees into one tree, by transforming the leaves (which are trees) into subtrees.
For each computation type we define the evaluation map , which returns a tree, whose leaves are either labelled with or labelled with a terminal term of type . We define this inductively by constructing for each the th approximation of the tree.


if is a terminal computation term.

if .

if .

if .

if .
Using this, we define . We view as an operational semantics of in which is reduced to its (possibly) observable computational behaviours, namely the tree of effect operations potentially performed in the evaluation of . See Figure 3 for two examples of effect trees.
These trees are still quite syntactic, and may contain lots of unobservable information irrelevant to the realworld behaviour of programs. In the next section, we will set up the quantitative logic which will extract from such trees only the relevant information, using quantitative modalities.
3 Quantitative Logic
We define a quantitative logic expressing behavioural properties of terms. Each type has a set of formulas, which can be satisfied by terms of that type to varying degrees of satisfaction. These degrees of satisfaction are given by truth values from a complete lattice.
A countably complete lattice is a set with a partial order , where for each subset there is a least upper bound and a greatest lower bound . In particular, we define as the completely true value, and as the completely false value.
We also equip this space with a notion of negation or involution, which is a bijective map such that and . We will use the words involution and negation interchangeably. Given the conditions of an involution, it holds that and . ^{4}^{4}4Results about the positive behavioural equivalence, and the positive logic, do not need negation. So a subset of results in this paper are still valid without it. Examples of complete lattices with involution/negation used in this paper are:

The Booleans , where . Negation swaps the elements.

The real number interval , with the usual order. Here , , and .

The powerset over some set , whose order is given by inclusion , so and . Negation is given by the complement, where .

For a complete lattice and a set, the function space with pointwise order is a complete lattice.

The infinite interval with reversed order. Here, , , and .
We construct a logic for our language in order to define a behavioural preorder. For each type , value or computation, we have a set of formulas . Greek letters are used for formulas over value types, underlined Greek letters for formulas over computation types, and underdotted Greek letters for formulas over any type. We are aiming to define a quantitative relation to denote the element of which describes the degree to which the term satisfies the formula (e.g. this may describe the probability of satisfaction or the amount of time needed for satisfaction). We choose the formulas according to the following two design criteria, as in [28].
Firstly, we design our logic to only contain behaviourally meaningful formulas. This means we only want to test properties that are in some sense observable by users and/or other programs. For example, for the natural numbers type we have a formula which checks whether a term is equal to the numeral . For function types we have formulas of the form which tests a program on a specific input , and checks how much the resulting term satisfies .
Secondly, we desire our logic to be as expressive as possible. To this end, we add countable disjunction (suprema) and conjunction (infima) over formulas, together with negation . Moreover, we add two natural quantityspecific primitives: a threshold operation and constants. Both such operations are used frequently (albeit implicitly) in practical examples of quantitative verification, e.g. in [20].
3.1 Quantitative modalities
Fundamental to the design of the logic is how we interpret algebraic effects. In CBPV, effects are observed in producer types . In order to formulate observable properties of terms in our logic, we include a set of quantitative modalities which lift formulas on to formulas on . We bundle our a selection of quantitative modalities together in a set .
Each modality denotes a function , which is used to translate a tree of truths into a singular truth value. Given a quantitative predicate on a set , we can use a modality to lift it to a quantitative predicate as follows. For , we write for the tree in where each non leaf is replaced by the value . Then .
In the examples, we will define the denotation of a modality by giving for each an approximation . These will follow the rules: , , and , and effect specific rules given in the examples below. Given these approximations, the denotation is given by .
Example 1 (Probabilistic choice).
We use as quantitative truth space the real number interval with , which denote probabilities^{5}^{5}5One could alternatively consider as the value set.. We take a single modality for expectation, where gives the expected value of given the probabilistic distribution induces on its return values . This is achieved by giving the denotation which sends a tree of real numbers to the expected real number, where the approximation of the denotation is given by: .
Example 2 (Global store).
Given a set of locations , we have a set of states . Our set of truth values is given by the powerset with . We have a single modality , where gives the set of starting states for which terminates with a value such that the end state is contained in . We define this formally with the following rules: and .
Example 3 (Probabilistic choice and global store).
For this combination of effects, we take as truth space the functions with pointwise order, where is the set of global states and the lattice of probabilities with standard order. Intuitively, this space assigns to each starting state a probability that a property is satisfied. We define a single modality which, for each state , is given by the following rules: , , and .
Example 4 (Cost).
We use the infinite real number interval with denoting an abstract notion of cost (e.g. time). Trees are just branches in this example. We have a single modality , where is the cost it takes for to evaluate plus the cost given by , where is the value evaluates to. The definition of is such that . Note that for any tree either infinite or with leaf , we have . This reflects the idea that a diverging computation will exceed any possible finite cost.
Example 5 (Combinations with nondeterminism).
To add nondeterminism to any of the previous examples, we keep their truth space , and extend the definition of their modality in two ways, creating an optimistic modality and a pessimistic modality such that:
.
For the combination with probability, we can see the nondeterministic choice as being controlled by some external agent, which chooses a strategy
for resolving the nondeterministic choice nodes, like in a Markov decision processes.
finds the optimal strategy to get the best expectation, whereas finds the worst strategy. Similarly, will search for the minimum possible execution cost, while will look for the maximum cost.Example 6 (Combinations with error).
There are two ways of defining combinations with error messages, akin to the sum and tensor approach of combining effects from e.g.
[12]. Let , and be the signature, truth space, and quantitative modalities of the effects to which we want to add error messages from a set . Given a modality and some function , assigning to each message a value, we define a new modality which, besides inheriting the rules from , follows the rule . We define two new sets of modalities for this combination, and , each giving a different interpretation of error.E.g. in the presence of global store (Example 2), the modalities from are not able to observe the final global state when an error message has been raised, whereas some modalities from can. For instance, for and such that , it holds that is in but not in . Moreover, whereas . Those two terms are however not distinguishable by any modality from .
All the Booleanvalued examples of modalities for effects in [28], can also be accommodated in our quantitative setting by taking . These include for instance Input/Output.
3.2 Formulation of the logic
We write for the set of formulas over type , which is defined by induction on the structure of . Fig. 4 gives the inductive rules for generating these formulas. We have modality formulas , constant formulas , and step formulas . Note that conjunctions and disjunctions (i.e., meets and joins) are taken over countable sets of formulas only.