Proof-Relevant Logical Relations for Name Generation

# Proof-Relevant Logical Relations for Name Generation

## Abstract

Pitts and Stark’s -calculus is a paradigmatic total language for studying the problem of contextual equivalence in higher-order languages with name generation. Models for the -calculus that validate basic equivalences concerning names may be constructed using functor categories or nominal sets, with a dynamic allocation monad used to model computations that may allocate fresh names. If recursion is added to the language and one attempts to adapt the models from (nominal) sets to (nominal) domains, however, the direct-style construction of the allocation monad no longer works. This issue has previously been addressed by using a monad that combines dynamic allocation with continuations, at some cost to abstraction.

This paper presents a direct-style model of a -calculus-like language with recursion using the novel framework of proof-relevant logical relations, in which logical relations also contain objects (or proofs) demonstrating the equivalence of (the semantic counterparts of) programs. Apart from providing a fresh solution to an old problem, this work provides an accessible setting in which to introduce the use of proof-relevant logical relations, free of the additional complexities associated with their use for more sophisticated languages.

nick.benton@gmail.com

hofmann@ifi.lmu.de

vivek.nigam@gmail.com

## Introduction

Reasoning about contextual equivalence in higher-order languages that feature dynamic allocation of names, references, objects or keys is challenging. Pitts and Stark’s -calculus boils the problem down to its purest form, being a total, simply-typed lambda calculus with just names and booleans as base types, an operation that generates fresh names, and equality testing on names. The full equational theory of the -calculus is surprisingly complex and has been studied both operationally and denotationally, using logical relations [20], environmental bisimulations [7] and nominal game semantics [1].

Even before one considers the ‘exotic’ equivalences that arise from the (partial) encapsulation of names within closures, there are two basic equivalences that hold for essentially all forms of generativity:

The (Drop) equivalence says that removing the generation of unused names preserves behaviour; this is sometimes called the ‘garbage collection’ rule. The (Swap) equivalence says that the order in which names are generated is immaterial. These two equations also appear as structural congruences for name restriction in the -calculus.

Denotational models for the -calculus validating (Drop) and (Swap) may be constructed using (pullback-preserving) functors in , where is the category of finite sets and injections [20], or in FM-sets [12]. These models use a dynamic allocation monad to interpret possibly-allocating computations. One might expect that moving to or FM-cpos would allow such models to adapt straightforwardly to a language with recursion, and indeed Shinwell, Pitts and Gabbay originally proposed [19] a dynamic allocation monad over FM-cpos. However, it turned out that the underlying FM-cppo of the proposed monad does not actually have least upper bounds for all finitely-supported chains. A counter-example is given in Shinwell’s thesis [16]. To avoid the problem, Shinwell and Pitts [16] moved to an indirect-style model, using a continuation monad [15]: to interpret computations. In particular, one shows that two programs are equivalent by proving that they co-terminate when supplied with the same (or equivalent) continuations. The CPS approach was also adopted by Benton and Leperchey [10], and by Bohr and Birkedal [2], for modelling languages with references.

In the context of our on-going research on the semantics of effect-based program transformations [9], we have been led to develop proof-relevant logical relations [6]. These interpret types not merely as partial equivalence relations, as is commonly done, but as a proof-relevant generalization thereof: setoids. A setoid is like a category all of whose morphisms are isomorphisms (a groupoid) with the difference that no equations between these morphisms are imposed. The objects of a setoid establish that values inhabit semantic types, whilst its morphisms are understood as explicit proofs of semantic equivalence. This paper shows how we can use proof-relevant logical relations to give a direct-style model of a language with name generation and recursion, validating (Drop) and (Swap). Apart from providing a fresh approach to an old problem, our aim in doing this is to provide a comparatively accessible presentation of proof-relevant logical relations in a simple setting, free of the extra complexities associated with specialising them to abstract regions and effects [6].

Although our model validates the two most basic equations for name generation, it is – like simple functor categories in the total case – still far from fully abstract. Many of the subtler contextual equivalences of the -calculus still hold in the presence of recursion; one naturally wonders whether the more sophisticated methods used to prove those equivalences carry over to the proof-relevant setting. We will show one such method, Stark’s parametric functors, which are a categorical version of Kripke logical relations, does indeed generalize smoothly, and can be used to establish a non-trivial equivalence involving encapsulation of fresh names. Moreover, the proof-relevant version is naturally transitive, which is, somewhat notoriously, not generally true of ordinary logical relations.

Section ? sketches the language with which we will be working, and a naive ‘raw’ domain-theoretic semantics for it. This semantics does not validate interesting equivalences, but is adequate. By constructing a realizability relation between it and the more abstract semantics we subsequently introduce, we will be able to show adequacy of the more abstract semantics. In Section 3 we introduce our category of setoids; these are predomains where there is a (possibly-empty) set of ‘proofs’ witnessing the equality of each pair of elements. We then describe pullback-preserving functors from the category of worlds into the category of setoids. Such functors will interpret types of our language in the more abstract semantics, with morphisms between them interpreting terms. The interesting construction here is that of a dynamic allocation monad over the category of pullback-preserving functors. Section 8 shows how the abstract semantics is defined and related to the more concrete one. Section ? then shows how the semantics may be used to establish basic equivalences involving name generation. Section 10 describes how proof-relevant parametric functors can validate a more subtle equivalence involving encapsulation of new names.

## 2Syntax and Semantics

We work with an entirely conventional CBV language, featuring recursive functions and base types that include names, equipped with equality testing and fresh name generation (here is just a representative operation on integers):

The expression stands for an anonymous function which satisfies the recursive equation where both and may occur in . In the special case where does not occur in , the construct degenerates to function abstraction. We thus introduce the abbreviation:

There are typing judgements for values, , and computations, , defined in an unsurprising way; these are shown in Figure ?. We will often elide the subscript on turnstiles.

We define a simple-minded concrete denotational semantics for this language using predomains (-cpos) and continuous maps. For types we take

and there are then conventional clauses defining

Note that this semantics just uses naturals to interpret names, and a state monad over names to interpret possibly-allocating computations. For allocation we take

returning the next free name and incrementing the name supply. This semantics validates no interesting equivalences involving names, but is adequate for the obvious operational semantics. Our more abstract semantics, , will be related to in order to establish its adequacy.

## 3Setoids

We define the category of setoids, , to be the exact completion of the category of predomains, see [11]. We give here an elementary description of this category using the language of dependent types. A setoid consists of a predomain and for any two a set of “proofs” (that and are equal). The set of triples must itself be a predomain, i.e., there has to be an order relation such that is a predomain. The first and second projections out of the set of triples must be continuous. Furthermore, there are continuous functions and and , witnessing reflexivity, symmetry and transitivity; note that, unlike the case of groupoids, no equations involving , and are imposed.

We should explain what continuity of a dependent function like is: if and and are ascending chains in with suprema and and are proofs such that and are ascending chains, too, with suprema and then is an ascending chain of proofs (by monotonicity of ) and its supremum is . Formally, such dependent functions can be reduced to non-dependent ones using pullbacks, that is would be a function defined on the pullback of the second and first projections from to , but we find the dependent notation to be much more readable. If we may write or simply . We also omit wherever appropriate. We remark that “setoids” also appear in constructive mathematics and formal proof, see e.g., [3], but the proof-relevant nature of equality proofs is not exploited there and everything is based on sets (types) rather than predomains. A morphism from setoid to setoid is an equivalence class of pairs of continuous functions where and . Two such pairs are identified if there exists a continuous function .

The following is folklore, see also [4].

The evaluation morphism sends and to . If is a morphism represented by then the morphism may be represented by where and and . Likewise, where . The remaining verifications are left to the reader.

To define the morphism suppose we are given . For each we define by and . We then put .

Now suppose that and , i.e., . Let be defined analogously to so that . By induction on we define proofs . We put (the least proof) and, inductively, (transitivity). Notice that and . Now let be the supremum of the chain . By continuity of the projections we have that and and thus . The passage from to witnesses that is indeed a (representative of a) morphism.

Equations “Diagonal” and “Dinaturality” follow directly from the validity of these properties for the least fixpoint combinator for cpos. For the sake of completeness we prove the second one. Assume and let and . We have and . It follows that and are actually equal. Equation “Fixpoint” is a direct consequence of dinaturality (take ).

Amalgamation and uniformity are also valid for the least fixpoint combinator, but cannot be directly inherited since the equational premises only holds up to . As a representative example we show amalgamation. So assume elements and and proofs . Consider and . By induction on and using the we construct proofs . The desired proof of is obtained as the supremum of these proofs as in the definition of the witness that is a morphism above.

Equation “Power”, finally, can be deduced from amalgamation and dinaturality or alternatively inherited directly from the least fixpoint combinator.

The above equational axioms for the fixpoint combinator are taken from Simpson and Plotkin [17], who show that they imply certain completeness properties. In particular, it follows that the category of setoids is an “iteration theory” in the sense of Bloom and Ésik [5]. For us they are important since the category of setoids is not cpo-enriched in any reasonable way, so that the usual order-theoretic characterisation of is not available. Concretely, the equations help, for example, to justify various loop optimisations when loops are expressed using the fixpoint combinator.

Thus, in a discrete setoid proof-relevant equality and actual equality coincide and moreover any two equality proofs are actually equal (i.e. we have proof irrelevance).

## 4Finite sets and injections

Pullback squares

are a central notion in our framework. As it will become clear later, they are the “proof-relevant” component of logical relations. Recall that a morphism in a category is a monomorphism if implies for all morphisms . Two morphisms with common co-domain are called a co-span and two morphisms with common domain are called span. A commuting square of morphisms is a pullback if whenever there is unique such that and . This can be visualized as follows:

We write or (when ) for such a pullback square. We call the common codomain of and the apex of the pullback, written , while the common domain of is the low point of the square, written . A pullback square with apex is minimal if whenever there is another pullback over the same span and with apex , then there is a unique morphism such that and .

A category has pullbacks if every co-span can be completed to a pullback, which is necessarily unique up to isomorphism.

First we show that any morphism is a monomorphism. Let be a completion of the span to a (minimal) pullback. If , then . So, the pullback property furnishes a unique map such that . Thus , so is a monomorphism.

Now suppose that is a minimal pullback and and . Then we claim that is a pullback: if , then since are monomorphisms by the above, we have , so we can appeal to the pullback property of the original square.

Minimality of furnishes a unique map such that and . But since and also have that property ( and and similarly for ), we conclude .

Given and forming a co-span in , we form their pullback as . This is minimal when . Conversely, given a span , we can complete to a minimal pullback by

where is case analysis on the disjoint union . Thus a minimal pullback square in is of the form:

The factorization property is straightforward.

An object of models a set of generated/allocated names, with injective maps corresponding to renamings and extensions with newly generated names.

In , a minimal pullback corresponds to a partial bijection between and , as used in other work on logical relations for generativity [14]. We write to mean that is a subset inclusion and also use the notation to denote the subset inclusion map from to . Of course, the use of this notation implies that . Note that if we have a span then we can choose so that is a minimal pullback and one of and is an inclusion. To do that, we simply replace the apex of any minimal pullback completion with an isomorphic one. The analogous property holds for completion of co-spans to pullbacks.

In this paper, we fix the category of worlds to be . The general definitions, in particular that of setoid-valued functors that we are going to give, also make sense in other settings. For example, in our treatment of proof-relevant logical relations for reasoning about stateful computation [6], we build a category of worlds from partial equivalence relations on heaps.

## 5Setoid-valued functors

A functor from the category of worlds to the category of setoids comprises, as usual, for each a setoid , and for each a morphism of setoids preserving identities and composition. This means that there exist continuous functions of type ; and for any two morphisms and a continuous function of type .

If and we may write or even for and likewise for proofs in . Note that there is a proof of equality of and . In the sequel, we shall abbreviate ‘setoid-valued functor(s)’ as ‘SVF(s)’.

Intuitively, SVFs will become the denotations of types. Thus, an element of is a value involving at most the names in . If then represents renaming and possible weakening by names not “actually” occurring in . Note that due to the restriction to injective functions identification of names (“contraction”) is precluded. This is in line with Stark’s use [20] of set-valued functors on the category to model fresh names.

Thus, if two values and are equal in a common world then this can only be the case because there is a value in the “intersection world” from which both arise.

Note that the ordering on worlds and world morphisms is discrete, so continuity only involves the argument.

The following proposition is proved using a pullback of the form .

All the SVFs that we define in this paper will turn out to be pullback-preserving. However, for the results described in this paper pullback preservation is not needed. Thus, we will not use it any further, but note that there is always the option to require that property should the need arise subsequently.

Morphisms between functors are natural transformations in the usual sense; they serve to interpret terms with variables and functions. In more explicit terms, a morphism from SVF to SVF is an equivalence class of pairs where and are continuous functions of the following types:

Again, the requirements for continuity are simplified by the discrete ordering on worlds.

Two morphisms are identified if there is a continuous function:

where as in the case of setoids, we omit subscripts where appropriate. These morphisms compose in the obvious way and so the SVFs and morphisms between them form a category.

## 6Instances of setoid-valued functors

We now describe some concrete functors that will allow us to interpret types of the -calculus as SVFs. The simplest one endows any predomain with the structure of an SVF where the equality is proof-irrelevant and coincides with standard equality. The second one generalises the function space of setoids and is used to interpret function types. The third one is used to model dynamic allocation and is the only one that introduces proper proof-relevance.

### 6.1Base types

For each predomain we can define a constant SVF, denoted as well, with defined as the discrete setoid over and as the identity. These constant SVFs serve as denotations for base types like booleans or integers.

The SVF of names is given by where on the right hand side stands for the discrete setoid over the discrete predomain of names in , and for . Thus, e.g. .

### 6.2Cartesian closure

The category of SVFs is cartesian closed, which follows from well-known properties of functor categories. The construction of product and function space follows the usual pattern, but we give it here explicitly.

Let and be SVFs. The product is given by taking a pointwise product of setoids. For the sake of completeness, we note that (product predomain) and . This defines a cartesian product on the category of SVFs. More generally, we can define the indexed product of a family of SVFs. We write for the empty indexed product and for the only element of . Note that is the terminal object in the category of SVFs.

The function space is the SVF given as follows. contains pairs where for each and . If and then

where

are the obvious composition morphisms.

A proof in is a function that for each yields a proof .

The order on objects and proofs is pointwise as usual. The following is now clear from the definitions.

We remark that cartesian closure of the category of SVFs is an instance of the general results (see [13]) that if is cartesian closed and complete, then so is for any category . Here be is the category of setoids described in Section 3.

The fixpoint combinator on the level of SVFs is defined pointwise. Given world and we define

where is the setoid fixpoint combinator from Theorem ?. The translation of proofs is obvious. We need to show that this defines a natural transformation. So, let and . Put and . We need to construct a proof that . Now, furnishes a proof of and is strict by assumption on so that “Uniformity” furnishes the desired proof.

The laws from Theorem ? can be directly inherited.

The constructions presented so far only yield discrete SVFs, i.e., proof relevance is merely propagated, but never actually created. This is not so for the next operator on SVFs, which is to model dynamic allocation.

## 7Dynamic Allocation Monad

Before we define the dynamic allocation monad we recall Stark’s [20] definition of a dynamic allocation monad for the category of set-valued functors on the category of worlds. For set-valued functor , Stark defines a set-valued functor by where iff there exist maps , for some satisfying and where and are the inclusion maps.

Our dynamic allocation monad for SVFs essentially mimics this definition, the difference being that the maps witnessing equivalence of elements now become proofs of -equality. Additionally, our definition is based on predomains and involves a bottom element for recursion.

### 7.1Definition of the monad

Let be an SVF. We put

Thus, a non-bottom element of consists of an extension of together with an element of taken at that extension. Note that the extension is not existentially quantified, but an inherent part of the element.

The ordering is given by if and in and of course, is the least element of .

The proofs are defined as follows. First, and second, the elements of are triples where complete the inclusions and to a commuting square

with . The third component then is a proof that and are equal when transported to , formally, . The ordering is again discrete in and inherited from in . Formally, when in and of course is the least element. No -relation exists between triples with different mediating co-span. In particular, in an ascending chain of proofs the witnessing spans are always the same, which is the intuitive reason why they can be patched together to form a supremum.

Consider, for example, that , , . Then, both and are elements of , and is a proof that the two are equal where sends , , and sends , , . The proof is the canonical proof by reflexivity. Note that, in this case, the order relation is trivial. It becomes more interesting when the type of values is a function space.

Next, we define the morphism part. Assume that is a morphism in . We want to construct a morphism in . So let and be the inclusion. We complete the span to a minimal pullback

with an inclusion as indicated. We then define . We assume a function that returns such completions to minimal pullbacks in some chosen way. The particular choice is unimportant.

Picking up the previous example and letting be then a possible completion to a minimal pullback would be

Note that the following square where the additional name in is identified with a name already existing in is not a pullback

Adding extra garbage into like so would result in a pullback that is not minimal.

If is a proof of then we obtain a proof, , that as follows. We first complete the span to a minimal pullback with apex and upper arrow . Now minimality of the pullbacks apexed at and furnishes morphisms and so that (where ). We then have as required. This shows that the passage actually does define a morphism of setoids.

The functor laws amount to similar constructions of -witnesses and are left to the reader. The following is direct from the definitions.

### 7.2Comparison with cpo-valued functors

The flawed attempt at defining a dynamic allocation monad for FM-domains discussed by Shinwell [16] and mentioned in the introduction can be reformulated in terms of cpo-valued functors and further highlights the importance of proof-relevant equality.

Given a cpo-valued functor one may construct a poset-valued functor which has for underlying set equivalence classes of pairs with and . As in Stark’s definition above, we have a if there are morphisms such that and where , are the inclusions. As for the ordering, the only reasonable choice is to decree that on representatives if for some co-span with where are the inclusions as above. However, while this defines a partial order it is not clear why it should have suprema of ascending chains because the witnessing spans might not match up so that they can be pasted to a witnessing span for the limit of the chain. Indeed, Shinwell’s thesis [16] contains a concrete counterexample, which is due to Pitts.

In our notation, Pitts’s counterexample takes the following form. Define the cpo-valued functor by . So the elements of are subsets of ordered by inclusion, hence a finite cpo. Let us now examine . An element of is an -equivalence class of pairs where , . Furthermore, whenever and the ordering on is whenever . Let be the equivalence class of . We have for all and . From this it is clear that the ascending chain does not have a least upper bound in for if were such an upper bound then would have to hold for all .

The transition to proof relevance that we have made allows us to define the order on representatives as we have done and thus to bypass these difficulties. We view above as an SVF with underlying cpo and, trivial, i.e., discrete equality. Now applying our dynamic allocation monad to yields the SVF whose underlying cpo contains in addition to , pairs where with ordering if and . A proof that an element is equal to the element is given by a triple such that and and moreover . The ordering in these proofs is the discrete one. Now the sequence shown above is not an ascending chain and thus is no longer a counter-example to completeness.

## 8Observational Equivalence and Fundamental Lemma

We now construct the machinery that connects the concrete language with the denotational machinery introduced in Section 2. The semantics of types, written using , as SVFs is defined inductively as follows:

• For basic types is the corresponding discrete SVF.

• is defined as the function space , where is the dynamic allocation monad.

• For typing context we define as the indexed product of SVFs .

To each term in context we can associate a morphism from to by interpreting the syntax in the category of SVFs using cartesian closure, the fixpoint combinator, and the fact that is a strong monad. We omit most of the straightforward but perhaps slightly tedious definition and only give the clauses for “new” and “let” here:

where and , i.e., the greatest number in the world .

If and are the denotations of and then the interpretation of is the morphism given by

where is the monad multiplication, is the monad strength and where we have made the simplifying assumption that . Assuming that and now stand for the first components of concrete representatives of these morphisms, one particular concrete representative of this morphism (now also denoted ) satisfies:

Our aim is now to relate these morphisms to the computational interpretation .

Notice that is not part of the syntax, but is a marker to distinguish the two relations defined above.

The following lemma states that the realizability relation is stable with respect to enlargement of worlds. It is needed for the “fundamental lemma” ?.

The proof is by a straightforward induction on types. Note, however, that the restriction to inclusions is important for the cases of function type and the type . We extend to typing contexts by putting

for and .

By induction on typing rules. We always chose for the representative the one given as witness in the definition of . Most of the cases are straightforward. For illustration we show and : As for , we pick the representative that at world returns . Now, with , we have and holds, since .

Next, assume that , where and . Choose, according to the induction hypothesis appropriate representatives of and of . If for some initial world then we have (H1) . If then , too, and the same goes for the interpretation of the entire let-construct. So suppose that . By (H1), we must then have where and and .

By Lemma ? we then have where . Thus, by the induction hypothesis, we get (H2)