DeepAI

# Quantitative Logics for Equivalence of Effectful Programs

In order to reason about effects, we can define quantitative formulas to describe behavioural aspects of effectful programs. These formulas can for example express probabilities that (or sets of correct starting states for which) a program satisfies a property. Fundamental to this approach is the notion of quantitative modality, which is used to lift a property on values to a property on computations. Taking all formulas together, we say that two terms are equivalent if they satisfy all formulas to the same quantitative degree. Under sufficient conditions on the quantitative modalities, this equivalence is equal to a notion of Abramsky's applicative bisimilarity, and is moreover a congruence. We investigate these results in the context of Levy's call-by-push-value with general recursion and algebraic effects. In particular, the results apply to (combinations of) nondeterministic choice, probabilistic choice, and global store.

04/18/2019

### Behavioural Equivalence via Modalities for Algebraic Effects

The paper investigates behavioural equivalence between programs in a cal...
02/12/2019

### Program Equivalence for Algebraic Effects via Modalities

This dissertation is concerned with the study of program equivalence and...
05/01/2020

### From Equations to Distinctions: Two Interpretations of Effectful Computations

There are several ways to define program equivalence for functional prog...
10/10/2018

### A van Benthem Theorem for Quantitative Probabilistic Modal Logic

In probabilistic transition systems, behavioural metrics provide a more ...
01/27/2018

### Quantitative Behavioural Reasoning for Higher-order Effectful Programs: Applicative Distances (Extended Version)

This paper studies the quantitative refinements of Absramsky's applicati...
07/02/2020

### Characteristic Logics for Behavioural Metrics via Fuzzy Lax Extensions

Behavioural distances provide a fine-grained measure of equivalence in s...
10/11/2018

### A Constraint Propagation Algorithm for Sums-of-Squares Formulas over the Integers

Sums-of-squares formulas over the integers have been studied extensively...

## 1 Introduction

There are many notions of program equivalence for languages with effects. In this paper, we explore the notion of behavioural equivalence, which states that programs may be considered behaviourally equivalent if they satisfy the same behavioural properties. This can be made rigorous by defining a logic, where each formula denotes a certain behavioural property. We write to express the satisfaction of formula by term , which is usually given by a Boolean truth value (true or false). Two terms and are said to be behaviourally equivalent if they satisfy the same formulas. Such an approach is taken in for example [9].

In particular, we use this method to define equivalence for a language with algebraic effects in the sense of Plotkin and Power [26]. Effects can be seen as aspects of computation which involves interaction with the world ‘outside’ the environment in which the program runs. They include: exceptions, nondeterminism, probabilistic choice, global store, input/output, cost, etc. The examples given have common ground in the work of Moggi [21], and can moreover be expressed by specific effect triggering operations making them ‘algebraic’ in nature. In the presence of such algebraic effects, computation terms need not simply reduce to a single terminal term (that is a value), they may also invoke effects on the way. Following [26, 13], we consider a computation term to evaluate to an effect tree, whose nodes are effect operators and leaves are terminal terms. The paper [28] introduced modalities that lift boolean properties of values to boolean properties of the trees modelling their computations. See [23, 22, 27] for alternative ways in which logics can be used to describe properties of effects.

The use of a Boolean logic does however not readily adapt to several examples of effects, for example the combination of probability and nondeterminism. The literature on compositional program verification shows the usefulness of quantitative (e.g. real-number valued) program logics for verifying programs with probabilistic behaviour, possibly in combination with nondeterminism [14, 20]. The paper [28] develops a general Boolean-valued framework which, although featuring many examples, does not apply to the combination of probability and nondeterminism.

This paper provides a general framework for quantitative logics for expressing behavioural properties of programs with effects, generalising the Boolean-valued framework from [28]. We consider a quantitative (quantity-valued) satisfaction relation ‘’, where is given by an element from a quantitative truth space (a degree of satisfaction). This allows us to ask open questions about programs, like “What is the probability that …” or “What are the correct global starting states for …”. We define equivalence by stating that programs and are equivalent, if for any formula we have ( satisfies precisely as much as does). A key feature of the logic is the use of quantitative modalities to lift quantitative properties on value types to quantitative properties on computation types.

As in [28], we are able to establish that the behavioural equivalence defined as above is a congruence, as long as suitable properties on the quantitative modalities are satisfied. These properties require notions of monotonicity, continuity, and a notion of preservation over sequencing called decomposability. As in [28], the congruence is established by proving that given one of the properties (leaf-monotonicity), our behavioural equivalence is equal to an effect-sensitive notion of Abramsky’s applicative bisimilarity [1, 3]. Given further properties on the modalities, this relation can be proven to be compatible using Howe’s method [11].

The main contribution of this paper is the generalisation of [28], and the corresponding generalised results. This goes through smoothly, though there are some subtleties like what to take as primitive in a quantitative setting. In particular, we will see the necessity of a threshold operation. The other main contributions are the examples illustrating the quantitative approach. Some examples such as the combination of nondeterminism with probabilistic choice, or with global store, do not fit into the Boolean-valued framework of [28], but do work here333The combination of global store and nondeterminism is possible in the framework of [28], of one only considers angelic (helpful) nondeterminism. The problem is with general (neutral) or demonic (antagonistic) nondeterminism, combined with global store.. But there are also examples, such as probability, global store, and cost, whose treatment is more natural in our quantitative setting, even though they also fit in the framework of [28].

As a vehicle of our investigation we use Levy’s call-by-push-value (CBPV) [17, 16], together with general recursion and the aforementioned algebraic effects. As such, it generalises [28] in a second way by using call-by-push-value to incorporate both call-by-name (CBN) and call-by-value (CBV) evaluation strategies. This is significant, since once either divergence or effects are present, the distinction between the reduction strategies becomes vital. For example, if we take some probabilistic choice por signifying a fair coin flip, we have that ‘’ holds in CBN, but not in CBV. So it is interesting to consider CBPV, as it expresses both these behaviours. The distinction is expressed in the difference between production-types where one explicitly observes effects, and types like

where the observation of effects is postponed to a later moment. As such, this language is an ideal backdrop for studying effects.

In Section 2 we give the operational semantics of the language, starting with the effect-free version and working towards our treatment of algebraic effects. In Section 3 we present our quantitative logic, introducing quantitative modalities to deal with the observation of effects. In Section 4 we look at the resulting behavioural equivalence and the properties that establish the congruence property (or compatibility in its technical form). In Section 5 we relate this equivalence to applicative (bi)similarities by defining a relator using our modalities. This then allows us to adapt a Howe’s method proof of compatibility from [3, 28] for this equivalence. We finish in Section 6 with some discussions.

## 2 Operational semantics

We use a simply-typed call-by-push-value functional language as in [16, 17], together with general recursion and a ground type for natural numbers, making it a call-by-push-value variant of PCF [24]. To this, we add algebraic-effect-triggering operators in the sense of Plotkin and Power [26]. We first focus on the effect-free part of the language, as we want to consider effects independently of the underlying language.

### 2.1 The language

We give a brief overview of the language and its semantics. The types are divided into two flavours, Value types and Computation types. Value types contain value terms that are passive, they don’t compute anything on their own. Computation types contain computation terms which are active, which means they either return something to or ask something of the environment.

Value types and computation types are given by:

 A,B::=UC––∣1∣N∣Σi∈IAi∣A×AC––,D––::=FA∣A→C––∣Πi∈IC––i

where is any finite indexing set. By asserting finiteness of in the case of product types, the number of program terms is kept countable (a property which will have benefits later on in the formulation of the logic). The type is a thunk type, which consists of terms which are frozen. These terms were initially computation terms but are made inactive by packaging them into a thunk. The type is the type of natural numbers, containing the non-negative integers. With this type, we can program any computable function on the natural numbers as in PCF [24]. The type is a producer type, which actively evaluates and returns values of type to the current environment. As was stated, this is the type at which we can observe effects. The type is a type of functions, which is a computation type since its terms are actively awaiting input.

We have a countably-infinite collection of term variables , and term contexts:  .

Note that contexts only contain Value types, meaning that like in call-by-value, we can only ever substitute value terms. This is no loss of generality, as we can simulate substituting computation terms by packaging them into a thunk. The terms of the language are as follows:

 Value terms: V,W::=∗∣Z∣S(V)∣x∣thunk(M–––)∣(i,V)∣(V,W) Computation terms: M–––,N––::=caseVin{M–––,S(x)⇒N––}∣letxbeV.M–––∣return(V)∣xtoM–––.N––∣force(V) ∣λx:A.M––– ∣M–––⋅V∣pmVas{…,(i.x).M–––i,…}∣pmVas(x,y).M–––∣⟨M–––i∣i∈I⟩∣M–––⋅i∣fix(M–––)

We underline terms () and types () when they are computation terms and computation types respectively. We will also use and to denote general types and their terms, e.g. they could be either value or computation types/terms. Following [16], their typing rules are given in Fig. 1. We distinguish two typing judgements, and , for value and computation terms respectively. We write for the set of closed terms of type . Note the addition of the fixpoint operator which has been added to allow for general recursion and hence divergence. We write for the numeral representing the -th natural number.

### 2.2 Semantics

We give the semantics of this language by specifying a reduction strategy for computation terms in the style of a CK-machine [5]. We distinguish a special class of computation terms, called terminal terms, which will not reduce further. They consist of: , , and .

We first give the rules for terms we can directly reduce. We denote these using relation symbol :

1. .

2. .

3. .

4. .

5. .

6. .

7. .

The behaviour of the other non-terminal computation terms; , and , is implemented using a system of stacks defined recursively:  .

We write for the computation resulting from applying to , which can be seen as evaluating the program within the environment .

Whenever one encounters a computation of which one needs to first evaluate a subterm, one unfolds the continuation into the Stack and focusses on evaluating that subterm. This method is given by the stack reduction relation in the following way:

1. If , then .

2. .

3. .

4. .

5. .

6. .

7. .

### 2.3 Adding algebraic effect operators

We add algebraic effects in the style of [13], given by specific effect operators. We use a type variable for computation types. Effects are given by operators of the following arities (like in [13, 25]):

.

For each effect under consideration, we bundle together effect operators pertaining that effect in a set called an effect signature . Given such a signature, new computation terms can be constructed according to the typing rules in Fig. 2.

We look at the running examples of this paper.

###### Example 1 (Probabilistic choice).

The effect of probability is implemented by the signature , where we have a single binary operator for fair probabilistic choice. The computation will have a probability of evaluating , and probability of evaluating .

###### Example 2 (Global store).

In the case of global variables for natural numbers, we define a signature , where we have a set of locations for storing natural numbers. The computation looks up the number at location and substitutes it for in . The computation stores at and then continues with the computation .

###### Example 3 (Probabilistic choice and global store).

We will also consider the combination of the previous two examples, probabilistic choice with global store, given by effect signature .

###### Example 4 (Cost).

If we want to keep track of costs of an evaluation, we take the signature , where we have a countable set of real-valued costs . The computation assigns a cost of to the evaluation of . This cost can represent a time delay or some other resource.

###### Example 5 (Combinations with nondeterminism).

We consider a binary operator for nondeterministic choice, which contrary to probabilistic choice is entirely unpredictable. One interpretation is to consider it under the control of some external agent or scheduler (e.g. a compiler), which one may wish to model as being cooperative (angelic), antagonistic (demonic), or neutral. We will consider nondeterminism and it’s operator in combination with any one of the previous three examples. The resulting signatures are named , , , and respectively.

###### Example 6 (Combinations with error).

Lastly, given some set of error messages , we consider adding error raising effect operations to the language, where stops the evaluation of a term, and displays message . There is no continuation possible afterwards.

In the presence of such effects, the evaluation of a computation term might halt when encountering an algebraic effect operator. We broaden the semantics, where a computation term now evaluates to an effect tree, a coinductively generated term using operations from our effect signature together with terminal terms and a symbol for divergence . This idea appears in [26], but here we adapt the formulation from [13] to call-by-push-value.

We define the notion of an effect tree over any set , where can be thought of as a set of terminal terms.

###### Definition 2.1.

An effect tree (henceforth tree) over a set , determined by a signature of effect operations, is a labelled and possibly infinite depth tree whose nodes have the possible forms given below.

1. A leaf node labelled (the symbol for nontermination/divergence).

2. A leaf node labelled where .

3. A node labelled ‘’ with children , when has arity .

4. A node labelled ‘’ with children , when has arity .

5. A node labelled ‘’ where with children , when has arity .

The set of trees over set and signature is denoted . We can equip this set with a partial order , where if can be constructed from by pruning (possibly infinitely many) subtrees and labelling the pruning points with . Moreover, the preorder is -complete, so each ascending chain of trees has a least upper bound .

For any , we denote for the tree which only consists of one leaf labelled . We also have a map which flattens a tree of trees into one tree, by transforming the leaves (which are trees) into subtrees.

For each computation type we define the evaluation map , which returns a tree, whose leaves are either labelled with or labelled with a terminal term of type . We define this inductively by constructing for each the -th approximation of the tree.

1. if is a terminal computation term.

2. if .

3. if .

4. if .

5. if .

Using this, we define . We view as an operational semantics of in which is reduced to its (possibly) observable computational behaviours, namely the tree of effect operations potentially performed in the evaluation of . See Figure 3 for two examples of effect trees.

These trees are still quite syntactic, and may contain lots of unobservable information irrelevant to the real-world behaviour of programs. In the next section, we will set up the quantitative logic which will extract from such trees only the relevant information, using quantitative modalities.

## 3 Quantitative Logic

We define a quantitative logic expressing behavioural properties of terms. Each type has a set of formulas, which can be satisfied by terms of that type to varying degrees of satisfaction. These degrees of satisfaction are given by truth values from a complete lattice.

A countably complete lattice is a set with a partial order , where for each subset there is a least upper bound and a greatest lower bound . In particular, we define as the completely true value, and as the completely false value.

We also equip this space with a notion of negation or involution, which is a bijective map such that and . We will use the words involution and negation interchangeably. Given the conditions of an involution, it holds that and . 444Results about the positive behavioural equivalence, and the positive logic, do not need negation. So a subset of results in this paper are still valid without it. Examples of complete lattices with involution/negation used in this paper are:

1. The Booleans , where . Negation swaps the elements.

2. The real number interval , with the usual order. Here , , and .

3. The powerset over some set , whose order is given by inclusion , so and . Negation is given by the complement, where .

4. For a complete lattice and a set, the function space with point-wise order is a complete lattice.

5. The infinite interval with reversed order. Here, , , and .

We construct a logic for our language in order to define a behavioural preorder. For each type , value or computation, we have a set of formulas . Greek letters are used for formulas over value types, underlined Greek letters for formulas over computation types, and underdotted Greek letters for formulas over any type. We are aiming to define a quantitative relation to denote the element of which describes the degree to which the term satisfies the formula (e.g. this may describe the probability of satisfaction or the amount of time needed for satisfaction). We choose the formulas according to the following two design criteria, as in [28].

Firstly, we design our logic to only contain behaviourally meaningful formulas. This means we only want to test properties that are in some sense observable by users and/or other programs. For example, for the natural numbers type we have a formula which checks whether a term is equal to the numeral . For function types we have formulas of the form which tests a program on a specific input , and checks how much the resulting term satisfies .

Secondly, we desire our logic to be as expressive as possible. To this end, we add countable disjunction (suprema) and conjunction (infima) over formulas, together with negation . Moreover, we add two natural quantity-specific primitives: a threshold operation and constants. Both such operations are used frequently (albeit implicitly) in practical examples of quantitative verification, e.g. in [20].

### 3.1 Quantitative modalities

Fundamental to the design of the logic is how we interpret algebraic effects. In CBPV, effects are observed in producer types . In order to formulate observable properties of -terms in our logic, we include a set of quantitative modalities which lift formulas on to formulas on . We bundle our a selection of quantitative modalities together in a set .

Each modality denotes a function , which is used to translate a tree of truths into a singular truth value. Given a quantitative predicate on a set , we can use a modality to lift it to a quantitative predicate as follows. For , we write for the tree in where each non- leaf is replaced by the value . Then .

In the examples, we will define the denotation of a modality by giving for each an approximation . These will follow the rules: , , and , and effect specific rules given in the examples below. Given these approximations, the denotation is given by .

###### Example 1 (Probabilistic choice).

We use as quantitative truth space the real number interval with , which denote probabilities555One could alternatively consider as the value set.. We take a single modality for expectation, where gives the expected value of given the probabilistic distribution induces on its return values . This is achieved by giving the denotation which sends a tree of real numbers to the expected real number, where the approximation of the denotation is given by: .

###### Example 2 (Global store).

Given a set of locations , we have a set of states . Our set of truth values is given by the powerset with . We have a single modality , where gives the set of starting states for which terminates with a value such that the end state is contained in . We define this formally with the following rules: and .

###### Example 3 (Probabilistic choice and global store).

For this combination of effects, we take as truth space the functions with point-wise order, where is the set of global states and the lattice of probabilities with standard order. Intuitively, this space assigns to each starting state a probability that a property is satisfied. We define a single modality which, for each state , is given by the following rules: , , and .

###### Example 4 (Cost).

We use the infinite real number interval with denoting an abstract notion of cost (e.g. time). Trees are just branches in this example. We have a single modality , where is the cost it takes for to evaluate plus the cost given by , where is the value evaluates to. The definition of is such that . Note that for any tree either infinite or with leaf , we have . This reflects the idea that a diverging computation will exceed any possible finite cost.

###### Example 5 (Combinations with nondeterminism).

To add nondeterminism to any of the previous examples, we keep their truth space , and extend the definition of their modality in two ways, creating an optimistic modality and a pessimistic modality such that:

.

For the combination with probability, we can see the nondeterministic choice as being controlled by some external agent, which chooses a strategy

for resolving the nondeterministic choice nodes, like in a Markov decision processes.

finds the optimal strategy to get the best expectation, whereas finds the worst strategy. Similarly, will search for the minimum possible execution cost, while will look for the maximum cost.

For instance, if the denotation of a term of type is given by the first tree in Fig. 3, then and . If is given by the second tree from Fig. 3, then and .

###### Example 6 (Combinations with error).

There are two ways of defining combinations with error messages, akin to the sum and tensor approach of combining effects from e.g.

[12]. Let , and be the signature, truth space, and quantitative modalities of the effects to which we want to add error messages from a set . Given a modality and some function , assigning to each message a value, we define a new modality which, besides inheriting the rules from , follows the rule . We define two new sets of modalities for this combination, and , each giving a different interpretation of error.

E.g. in the presence of global store (Example 2), the modalities from are not able to observe the final global state when an error message has been raised, whereas some modalities from can. For instance, for and such that , it holds that is in but not in . Moreover, whereas . Those two terms are however not distinguishable by any modality from .

All the Boolean-valued examples of modalities for effects in [28], can also be accommodated in our quantitative setting by taking . These include for instance Input/Output.

### 3.2 Formulation of the logic

We write for the set of formulas over type , which is defined by induction on the structure of . Fig. 4 gives the inductive rules for generating these formulas. We have modality formulas , constant formulas , and step formulas . Note that conjunctions and disjunctions (i.e., meets and joins) are taken over countable sets of formulas only.