
# Proving Soundness of Extensional Normal-Form Bisimilarities

Dariusz Biernacki (University of Wrocław, Wrocław, Poland), Sergueï Lenglet (Université de Lorraine, Nancy, France) and Piotr Polesiuk (University of Wrocław, Wrocław, Poland)
###### Abstract.

Normal-form bisimilarity is a simple, easy-to-use behavioral equivalence that relates terms in -calculi by decomposing their normal forms into bisimilar subterms. Besides, it allows for powerful up-to techniques, such as bisimulation up to context, which simplify bisimulation proofs even further. However, proving soundness of these relations becomes complicated in the presence of -expansion and usually relies on ad hoc proof methods which depend on the language. In this paper we propose a more systematic proof method to show that an extensional normal-form bisimilarity along with its corresponding bisimulation up to context are sound. We illustrate our technique with three calculi: the call-by-value -calculus, the call-by-value -calculus with the delimited-control operators shift and reset, and the call-by-value -calculus with the abortive control operators call/cc and abort. In the first two cases, there was previously no sound bisimulation up to context validating the -law, whereas no theory of normal-form bisimulations for the calculus of abortive control has been presented before. Our results have been fully formalized in the Coq proof assistant.

###### Key words and phrases:
delimited continuation, contextual equivalence, normal-form bisimulation, up-to technique
Revised and extended version of [Biernacki-al:MFPS17]. This work was partially supported by PHC Polonium and by National Science Centre, Poland, grant no. 2014/15/B/ST6/00619.

## Introduction

In formal languages inspired by the -calculus, the behavioral equivalence of choice is usually formulated as a Morris-style contextual equivalence [JHMorris:PhD]: two terms are equivalent if they behave the same in any context. This criterion captures quite naturally the idea that replacing a term by an equivalent one in a bigger program should not affect the behavior of the whole program. However, the quantification over contexts makes contextual equivalence hard to use in practice to prove the equivalence of two given terms. Therefore, it is common to look for easier-to-use, sound alternatives that are at least included in contextual equivalence, such as coinductively defined bisimilarities.

Different styles of bisimilarities have been defined for the -calculus, including applicative bisimilarity [Abramsky-Ong:IaC93], normal-form bisimilarity [Lassen:LICS05] (originally called open bisimilarity in [Sangiorgi:LICS92]), and environmental bisimilarity [Sangiorgi-al:TOPLAS11]. Applicative and environmental bisimilarities compare terms by applying them to function arguments, while normal-form bisimilarity reduces terms to normal forms, which are then decomposed into bisimilar subterms. As we can see, applicative and environmental bisimilarities still rely on some form of quantification over arguments, which is not the case for normal-form bisimilarity. As a drawback, the latter is usually not complete w.r.t. contextual equivalence (there exist contextually equivalent terms that are not normal-form bisimilar), while the former are. Like environmental bisimilarity, normal-form bisimilarity usually allows for up-to techniques [Sangiorgi-Pous:11], relations which simplify equivalence proofs of terms by having fewer requirements than regular bisimilarities. For example, bisimulation up to context allows one to forget about a common context: to equate and , it is enough to relate and with a bisimulation up to context.

In the call-by-value -calculus, the simplest definition of normal-form bisimilarity compares values by equating a variable only with itself, and a -abstraction only with a -abstraction such that their bodies are bisimilar. Such a definition does not respect call-by-value -expansion, since it distinguishes from . A less discriminating definition instead compares values by applying them to a fresh variable, thus relating and for any value  such that is not free in : given a fresh , reduces to . Such a bisimilarity, which we call extensional bisimilarity,[1] relates more contextually equivalent terms, but proving its soundness, as well as proving the soundness of its up-to techniques, is more difficult and usually requires ad hoc proof methods, as we detail in the related work section.

[1] Lassen uses the term bisimilarity up to  [Lassen:MFPS99] for a normal-form bisimilarity that validates the -law, but we prefer the term extensional bisimilarity so that there is no confusion with notions referring to up-to techniques such as bisimulation up to context.

Madiot et al. [Madiot-al:CONCUR14] propose a framework where proving the soundness of up-to techniques is quite uniform and simpler. It also allows one to factorize proofs, since showing that bisimulation up to context is sound directly implies that the corresponding bisimilarity is a congruence, which is the main property needed for proving its soundness. Madiot et al. apply the method to environmental bisimilarities for the plain call-by-name -calculus and for a call-by-value -calculus with references, as well as to a bisimilarity for the -calculus. In a subsequent work [Aristizabal-al:FSCD16], we extend this framework to define environmental bisimilarities for a call-by-value -calculus with multi-prompted delimited-control operators. We propose a distinction between strong and regular up-to techniques, where regular up-to techniques cannot be used in certain bisimilarity tests, while strong ones can always be used. This distinction allows more powerful up-to techniques to be proved sound, by forbidding their use in cases where it would be unsound to apply them.

So far, the method developed in [Madiot-al:CONCUR14, Aristizabal-al:FSCD16] has been used in the -calculus only for environmental bisimilarities. In this paper, we show that our extended framework [Aristizabal-al:FSCD16] can also be used to prove the soundness of extensional normal-form bisimilarities and their corresponding bisimulation up to context. We first apply it to the plain call-by-value -calculus, in which an extensional normal-form bisimilarity, albeit without a corresponding bisimulation up to context, has already been proved sound [Lassen:LICS05], to show how our framework allows us to prove soundness for both proof techniques at once. We then consider a call-by-value -calculus with the delimited-control operators shift and reset [Danvy-Filinski:LFP90], for which there has been no sound bisimulation up to context validating the -law either, and we show that our method applies seamlessly in that setting as well. Finally, we address a calculus of abortive control, i.e., the call-by-value -calculus with call/cc and abort [Felleisen-Friedman:FDPC3, Felleisen-Hieb:TCS92], for which there has been no theory of normal-form bisimulations before. Regarding this last result, not only does it confirm the robustness of the proof method we advocate in this article, but it also provides a new operational technique for reasoning about the classical calculi of abortive continuations introduced by Felleisen et al.

Our results have been fully formalized in the Coq proof assistant, thus increasing the confidence in proofs that can be quite meticulous. The Coq developments, available at https://bitbucket.org/pl-uwr/diacritical, use a de Bruijn representation for -terms, where the de Bruijn indices are encoded using nested datatypes [Bird-Paterson:JFP99].

The paper is organized as follows: in the next section, we discuss the previous proofs of soundness of extensional normal-form bisimilarities. We then present the proof method for the call-by-value -calculus, which we subsequently apply to the -calculus with delimited control in Section LABEL:s:delcon, and to the -calculus with abortive control in Section LABEL:s:abortcon. We conclude in Section LABEL:s:conclusion. Compared to the conference article [Biernacki-al:MFPS17], Section LABEL:s:abortcon is entirely new, whereas the remaining sections have been revised.

## Related Work

Normal-form bisimilarity was first introduced by Sangiorgi [Sangiorgi:LICS92] and has since been defined for many variants of the -calculus, considering -expansion [Lassen:MFPS99, Lassen:LICS05, Lassen:LICS06, Stoevring-Lassen:POPL07, Lassen-Levy:CSL07, Lassen-Levy:LICS08, Biernacki-Lenglet:FLOPS12, Biernacki-al:HAL15] or not [Lassen:99, Lassen:MFPS05]. In this section we focus on the articles treating the -law, and in particular on the congruence and soundness proofs presented therein.

In [Lassen:MFPS99], Lassen defines several equivalences for the call-by-name -calculus, depending on the chosen semantics. He defines head-normal-form (hnf) bisimulation and hnf bisimulation up to  for the semantics based on reduction to head normal form (where -expansion applies to any term , not only to a value as in the call-by-value -calculus), and weak-head-normal-form (whnf) bisimulation based on reduction to weak head normal form. (It does not make sense to consider a whnf bisimulation up to , since it would be unsound, e.g., it would relate a non-terminating term with a normal form .) The paper also defines a bisimulation up to context for each bisimilarity.

The congruence proofs for the three bisimilarities follow from the main lemma stating that if a relation is a bisimulation, then so is its substitutive and context closure. The lemma is proved by nested induction on the definition of the closure and on the number of steps in the evaluation of terms to normal forms. It can easily be strengthened to prove the soundness of a bisimulation up to context: if a relation is a bisimulation up to context, then its substitutive and context closure is a bisimulation. The nested induction proof method has then been applied to prove congruence for a whnf bisimilarity for the call-by-name -calculus [Lassen:99] (a calculus with continuations), an extensional hnf bisimilarity for the call-by-name -calculus with pairs [Lassen:LICS06], and a whnf bisimilarity for a call-by-name -calculus with McCarthy’s ambiguous choice (amb) operator [Lassen:MFPS05]. These papers do not define any corresponding bisimulation up to context.

Lassen uses another proof technique in [Lassen:LICS05], where he defines an eager normal form (enf) bisimilarity and an enf bisimilarity up to .[2] Lassen shows that the bisimilarities correspond to Böhm trees equivalence (up to ) after a continuation-passing style (CPS) translation, and then he deduces congruence of the enf bisimilarities from the congruence of the Böhm trees equivalence. A CPS-translation based technique has also been used in [Lassen:LICS06] to prove congruence of the extensional bisimilarity for the call-by-name -calculus (also with surjective pairing), the -calculus, and the -calculus. Unlike the nested induction proof method, this technique does not extend to a soundness proof of a bisimulation up to context.

[2] While weak head normal forms are normal forms under call-by-name evaluation, eager normal forms are normal forms under call-by-value evaluation of -terms.

In [Lassen:LICS05], Lassen claims that “It is also possible to prove congruence of enf bisimilarity and enf bisimilarity up to directly like the congruence proofs for other normal form bisimilarities (tree equivalences) in [Lassen:MFPS99], although the congruence proofs (…) require non-trivial changes to the relational substitutive context closure operation in op.cit. (…) Moreover, from the direct congruence proofs, we can derive bisimulation “up to context” proof principles like those for other normal form bisimilarities in op.cit.” To our knowledge, such a proof is not published anywhere; we tried to carry out the congruence proof by following this comment, but we do not know how to conclude in the case of enf bisimilarity up to . We discuss what the problem is at the end of the proof of Lemma LABEL:l:app-lambda.

Støvring and Lassen [Stoevring-Lassen:POPL07] define extensional enf bisimilarities for three calculi: (continuations), (mutable state), and (continuations and mutable state). The congruence proof is rather convoluted and is done in two stages: first, prove congruence of a non-extensional bisimilarity using the nested induction of [Lassen:MFPS99], then extend the result to the extensional bisimilarity by a syntactic translation that takes advantage of an infinite -expansion combinator. The paper does not mention bisimulation up to context.

Lassen and Levy [Lassen-Levy:CSL07, Lassen-Levy:LICS08] define a normal-form bisimilarity for a CPS calculus called JWA equipped with a rich type system (including product, sum, recursive types; [Lassen-Levy:LICS08] adds existential types). The bisimilarity respects the -law, and the congruence proof is done in terms of game semantics notions. Again, these papers do not mention bisimulation up to context.

In a previous work [Biernacki-Lenglet:FLOPS12], we define extensional enf bisimilarities and bisimulations up to context for a call-by-value -calculus with delimited-control operators. The (unpublished) congruence and soundness proofs follow Lassen [Lassen:MFPS99], but are incorrect: one case in the induction, that turns out to be problematic, has been forgotten. In [Biernacki-al:HAL15] we fix the congruence proof of the extensional bisimilarity, by doing a nested induction on a different notion of closure than Lassen. This approach fails when proving soundness of a bisimulation up to context, and therefore bisimulation up to context does not respect the -law in [Biernacki-al:HAL15].

To summarize:

• The soundness proofs for extensional hnf bisimilarities are uniformly done using a nested induction proof method [Lassen:MFPS99, Lassen:LICS06]. The proof can then be turned into a soundness proof for bisimulation up to context.

• The soundness proofs of extensional enf bisimilarities either follow from a CPS translation [Lassen:LICS05, Lassen:LICS06], or other ad hoc arguments [Stoevring-Lassen:POPL07, Lassen-Levy:CSL07, Lassen-Levy:LICS08, Biernacki-al:HAL15] which do not carry over to a soundness proof for a bisimulation up to context.

• The only claims about congruence of an extensional enf bisimilarity as well as soundness of the corresponding bisimulation up to context using a nested induction proof are either wrong [Biernacki-Lenglet:FLOPS12] or are not substantiated by a presentation of the actual proof [Lassen:LICS05]. The reason the nested induction proof works for extensional hnf bisimilarities and not for extensional enf bisimilarities stems from the difference in the requirements on the shape of -abstractions the two normal forms impose: whereas the body of a -abstraction in hnf is also an hnf, the body of a -abstraction in enf is an arbitrary term.

In this paper, we consider an extensional enf bisimilarity for three calculi: the plain -calculus and its extensions with delimited and abortive continuations, and in each case we present a soundness proof of the corresponding enf bisimulation up to context from which congruence of the bisimilarity follows.

## Call-by-value -calculus

We introduce a new approach to normal-form bisimulations that is based on the framework we developed previously [Aristizabal-al:FSCD16]. The calculus of discourse is the plain call-by-value -calculus.

### Syntax, semantics, and normal-form bisimulations

We let , , range over variables. The syntax of terms (, ), values (, ), and call-by-value evaluation contexts () is given as follows:

$$t, s ::= v \mid t\,s \qquad\qquad v, w ::= x \mid \lambda x.t \qquad\qquad E ::= \square \mid E\,t \mid v\,E$$

An abstraction binds in ; a variable that is not bound is called free. The set of free variables in a term is written . We work modulo -conversion of bound variables, and a variable is called fresh if it does not occur in the terms under consideration. Contexts are represented outside-in, and we write for plugging a term in a context. We write for the capture-avoiding substitution of for  in . We write successive -abstractions as .

We consider a call-by-value reduction semantics for the language:

$$E[(\lambda x.t)\,v] \to E[t\{v/x\}]$$

We write for the reflexive and transitive closure of , and if and cannot reduce; we say that evaluates to .

Eager normal forms are either values or open stuck terms of the form . Normal-form bisimilarity relates terms by comparing their normal forms (if they exist). For values, a first possibility is to relate separately variables and -abstractions: a variable can be equated only to , and is bisimilar to if is bisimilar to . As explained in the introduction, this does not respect -expansion: the -respecting definition compares values by applying them to a fresh variable. Given a relation on terms, we reflect how values and open stuck terms are tested by the relations , , and , defined as follows:

$$\frac{v\,x \mathrel{\mathcal{R}} w\,x \qquad x \text{ fresh}}{v \mathrel{\mathcal{R}^{\mathsf{v}}} w}
\qquad\qquad
\frac{E[x] \mathrel{\mathcal{R}} E'[x] \qquad x \text{ fresh}}{E \mathrel{\mathcal{R}^{\mathsf{ctx}}} E'}
\qquad\qquad
\frac{E \mathrel{\mathcal{R}^{\mathsf{ctx}}} E' \qquad v \mathrel{\mathcal{R}^{\mathsf{v}}} w}{E[x\,v] \mathrel{\mathcal{R}^{\mathsf{o}}} E'[x\,w]}$$

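The reduction semantics and the classification of eager normal forms above can be made concrete with a small evaluator. The following Python code is an added example written for this page; it is not part of the paper or of its Coq development. The tuple-based term representation, the names `step`, `evaluate`, `decompose`, `plug` and `value_test`, and the sample terms `ID` and `ETA_ID` are all constructed here. It reduces a term to its eager normal form, splits that normal form into either a value or an open stuck term E[x v], and implements the extensional value test (applying both values to the same fresh variable), which is exactly what makes the η-expansion of the identity indistinguishable from the identity itself.

```python
# Added example (not the paper's Coq development): a call-by-value
# lambda-calculus evaluator producing and decomposing eager normal forms.
# Term representation, constructed for this example:
#   ('var', name)          variable
#   ('lam', name, body)    abstraction  \x.body
#   ('app', fun, arg)      application
#   ('hole',)              the hole of an evaluation context E
import itertools

_counter = itertools.count()

def free_vars(t):
    """Set of free variables of t."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'lam':
        return free_vars(t[2]) - {t[1]}
    if t[0] == 'app':
        return free_vars(t[1]) | free_vars(t[2])
    return set()

def fresh(avoid):
    """A variable name not occurring in `avoid` (the terms under consideration)."""
    while True:
        name = f"z{next(_counter)}"
        if name not in avoid:
            return name

def is_value(t):
    return t[0] in ('var', 'lam')

def subst(t, x, v):
    """Capture-avoiding substitution t{v/x}; v is assumed to be a value."""
    if t[0] == 'var':
        return v if t[1] == x else t
    if t[0] == 'app':
        return ('app', subst(t[1], x, v), subst(t[2], x, v))
    y, body = t[1], t[2]
    if y == x:                      # x is rebound here: nothing to substitute
        return t
    if y in free_vars(v):           # rename the binder to avoid capture
        y2 = fresh(free_vars(v) | free_vars(body) | {x})
        body, y = subst(body, y, ('var', y2)), y2
    return ('lam', y, subst(body, x, v))

def step(t):
    """One step of E[(\\x.t) v] -> E[t{v/x}]; None when t is an eager normal form."""
    if is_value(t):
        return None
    f, a = t[1], t[2]
    if not is_value(f):             # context E t: reduce the function position
        f2 = step(f)
        return None if f2 is None else ('app', f2, a)
    if not is_value(a):             # context v E: reduce the argument position
        a2 = step(a)
        return None if a2 is None else ('app', f, a2)
    if f[0] == 'lam':               # beta redex sits in the hole
        return subst(f[2], f[1], a)
    return None                     # x v with x a variable: open stuck term

def evaluate(t, fuel=10_000):
    """Reduce t to its eager normal form; raise if none is reached within `fuel` steps."""
    for _ in range(fuel):
        t2 = step(t)
        if t2 is None:
            return t
        t = t2
    raise RuntimeError("no eager normal form reached")

def decompose(t):
    """Split an eager normal form into ('value', v) or ('stuck', E, x, v) with t = E[x v]."""
    if is_value(t):
        return ('value', t)
    f, a = t[1], t[2]
    if not is_value(f):
        _, E, x, v = decompose(f)
        return ('stuck', ('app', E, a), x, v)
    if not is_value(a):
        _, E, x, v = decompose(a)
        return ('stuck', ('app', f, E), x, v)
    assert f[0] == 'var', "an abstraction applied to a value is a redex, not a normal form"
    return ('stuck', ('hole',), f[1], a)

def plug(E, t):
    """E[t]: fill the hole of the evaluation context E with t."""
    if E[0] == 'hole':
        return t
    if E[0] == 'app':
        return ('app', plug(E[1], t), plug(E[2], t))
    return E

def value_test(v, w):
    """Extensional test on values: apply both to the same fresh variable and evaluate."""
    x = fresh(free_vars(v) | free_vars(w))
    return evaluate(('app', v, ('var', x))), evaluate(('app', w, ('var', x)))

# Constructed sample terms: the identity and its eta-expansion \x.(\y.y) x.
ID = ('lam', 'y', ('var', 'y'))
ETA_ID = ('lam', 'x', ('app', ID, ('var', 'x')))

if __name__ == "__main__":
    print(value_test(ETA_ID, ID))   # both sides reduce to the same fresh variable
    t = ('app', ('lam', 'f', ('app', ('var', 'f'), ('app', ('var', 'g'), ('var', 'f')))), ID)
    print(decompose(evaluate(t)))   # open stuck term with E = (\y.y) [], x = g, v = \y.y
```

The syntactic comparison of values distinguishes `ETA_ID` from `ID` (they are different abstractions), whereas `value_test` applies both to one fresh variable and obtains the same normal form, which is the η-respecting behaviour the text describes. The `decompose` function is the computational counterpart of the open stuck term clause: it recovers the evaluation context, the free variable in function position, and the value argument that the relation compares componentwise.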
###### Remark 0.1.

Traditionally, normal-form bisimulations are construed as an open version of applicative bisimulations in that they test values by applying them to a free variable [Lassen:LICS05], rather than to all possible closed values [Abramsky-Ong:IaC93]. However, a connection with Böhm or Lévy-Longo trees [Lassen:MFPS99] aside, one could introduce a separate category of variables that would represent abstract values, and use these for the purpose of testing functional values. In such an approach, the reduction relation would cater for closed terms only, as far as the term variables are concerned, and the notion of an open stuck term could be replaced with a notion of a value-stuck term. In this work we stick to the traditional approach to testing functional values (witness the definition of ), but in Section LABEL:s:abortcon we propose an extension which is analogous to the one sketched in this remark, and we introduce a separate category of variables representing abstract contexts, a notion dual to that of abstract values.

We can now define (extensional) normal-form bisimulation and bisimilarity, using a notion of progress.

###### Definition 0.2.

A relation progresses to if implies:

• if , then there exists such that and ;

• if , then there exists such that , and ;

• if , then there exist , such that and ;

• the converse of the above conditions on .

A bisimulation is then defined as a relation which progresses to itself, and bisimilarity as the union of all bisimulations. Our definition is in a small-step style, unlike Lassen’s [Lassen:LICS05], as we believe small-step is more flexible, since we can recover big-step reasoning with bisimulation up to reduction (see the section on up-to techniques for normal-form bisimilarity). In usual definitions [Lassen:LICS05, Stoevring-Lassen:POPL07, Biernacki-al:HAL15], the -reduction is directly performed when a -abstraction is applied to a fresh variable, whereas we construct an application in order to uniformly treat all kinds of values, and hence account for -expansion. However, with this approach a naive definition of bisimulation up to context would be unsound because it would equate any two values: if and are related, then and are related up to context. In our framework, we prevent this issue as explained after Definition 0.3.

We now recast the definition of normal-form bisimilarity in the framework of our previous work [Aristizabal-al:FSCD16], which is itself an extension of a work by Madiot et al. [Madiot-al:CONCUR14, Madiot:PhD]. The goal is to factorize the congruence proof of the bisimilarity with the soundness proofs of the up-to techniques. The novelty in [Aristizabal-al:FSCD16] is that we distinguish between active and passive clauses, and we forbid some up-to techniques to be applied in a passive clause. Whereas this distinction does not change the notions of bisimulation or bisimilarity, it has an impact on the bisimilarity congruence proof.

###### Definition 0.3.

A relation diacritically progresses to , written , if , , and implies:

• if , then there exists such that and ;

• if , then there exists such that , and ;

• if , then there exist , such that and ;

• the converse of the above conditions on .

A normal-form bisimulation is a relation such that , and normal-form bisimilarity is the union of all normal-form bisimulations.

The difference between Definitions 0.3 and 0.2 is only in the clause for values, where we progress towards a different relation than in the other clauses of Definition 0.3. We say that the clause for values is passive, while the others are active. A bisimulation progresses towards in both passive and active clauses, so the two definitions generate the same bisimilarity. However, we prevent some up-to techniques from being applied in a passive clause. In particular, up to context is not allowed, as explained in the sections on up-to techniques below, meaning that we cannot deduce that and are related up to context just because and are related. In contrast, we allow any up-to technique when we test a value in the open stuck term case, since we cannot deduce from related to that and are related up to context.

###### Example 0.4.

Let and for a given ; note that . Wadsworth’s infinite -expansion combinator [Barendregt:84] can be defined as . Let be the identity bisimulation. We prove that , by showing that

$$\mathcal{R} \stackrel{\text{def}}{=} \mathcal{I} \cup \{(\lambda x.x,\ J)\} \cup \{(t, s) \mid (\lambda x.x)\,y \to^* t,\ J\,y \to^* s,\ y \text{ fresh}\} \cup \{(y\,z,\ t) \mid (\lambda x.y\,(J\,x))\,z \to^* t,\ y, z \text{ fresh}\}$$

is a bisimulation. Indeed, to compare and , we have to relate and , but . We then have to equate and , the latter evaluating to . To relate these open stuck terms, we have to equate  and (with ), and with , but these terms are already in . As usual, the quite lengthy definition of  can be simplified with up-to techniques (see Example LABEL:ex:wads-upto).

### Up-to techniques, general definitions

We recall here the main definitions we use from our previous work [Aristizabal-al:FSCD16]. The goal of up-to techniques is to simplify bisimulation proofs: instead of proving that a relation is a bisimulation, we show that respects some looser constraints which still imply bisimilarity. In our setting, we distinguish the up-to techniques which can be used in passive clauses (called strong up-to techniques), from the ones which cannot. An up-to technique (resp. strong up-to technique) is a function such that (resp. ) implies . Proving that a given  is an up-to technique is difficult with this definition, so following [Sangiorgi-Pous:11, Madiot-al:CONCUR14], we rely on a notion of compatibility instead, which gives sufficient conditions for to be an up-to technique.

We first define some auxiliary notions and notations. We write if for all . We define argument-wise, i.e., , and given a set of functions, we also write  for the function defined as . We define as . We write for the identity function on relations, and for . A function  is monotone if implies . We write for the set of finite subsets of , and we say is continuous if it can be defined by its image on these finite subsets, i.e., if . The up-to techniques of the present paper are defined by inference rules with a finite number of premises, so they are trivially continuous. Continuous functions are interesting because of their properties:[3]

[3] Our formalization revealed an error in previous works [Aristizabal-al:FSCD16, Madiot:PhD] which use instead of in the last property of Lemma 0.5 (expressing idempotence of ); has to be factored in for the property to hold.

###### Lemma 0.5.

If and are continuous, then and are continuous.

If is continuous, then is monotone, and .

###### Definition 0.6.

A function evolves to , written , if for all , we have . A function strongly evolves to , written , if for all , we have .

Evolution can be seen as a notion of progress for functions on relations. Note that strong evolution does not put any condition on how progresses, while regular evolution is more restricted, as it requires a relation such that .

###### Definition 0.7.

A set of continuous functions is diacritically compatible if there exists  such that and

• for all , we have ;

• for all , we have .

In words, a function is in a compatible set if it evolves towards a combination of functions in . The (possibly empty) subset intuitively represents the strong up-to techniques of . Any combination of functions can be used in an active clause. In a passive one, only strong functions can be used, except in the second case, where we progress from , with not strong. In that case, it is expected to progress towards a combination that includes ; it is safe to do so, as long as (or in fact, any non-strong function in ) is used at most once. If and  are subsets of  which verify the conditions of the definition, then so does , so there exists a largest subset of which satisfies the conditions, written .

###### Lemma 0.8.

Let be a diacritically compatible set.

• If , then is a bisimulation.

• If , then is an up-to technique. If , then is a strong up-to technique.

• For all , we have .

The proof takes advantage of Lemma 0.5. In practice, proving that is in a compatible set  is easier than proving it is an up-to technique. Besides, if we prove that a bisimulation up to context is compatible, then we get for free that  is preserved by contexts thanks to the last property of Lemma 0.8.

### Up-to techniques for normal-form bisimilarity

Figure 1 presents the up-to techniques we define for the -calculus. Combined together, they define a closure as in the nested induction proof method [Lassen:MFPS99, Lassen:LICS06]; we use a more fine-grained approach to distinguish between strong and regular up-to techniques. The substitutive closure is already used in previous works [Lassen:MFPS99, Lassen:LICS06, Biernacki-al:HAL15]. The technique , used in the compatibility proofs, is the classic bisimulation up to reduction, which allows terms to reduce before being related.

The closure by evaluation contexts is more unconventional, although we define it in a previous work [Biernacki-al:HAL15]. It is not the same as bisimulation up to context, since we can factor out different contexts, as long as they are related when we plug a fresh variable inside them. It is reminiscent of -bisimilarity [Aristizabal-al:FSCD16] which can also factor out different contexts in its up-to techniques, except that -bisimilarity compares contexts with values and not simply variables.

Closure w.r.t. -abstraction is achieved through , and closure w.r.t. variables is a consequence of , as we have for all . Closure w.r.t. application is a consequence of and .

###### Lemma 0.9.

If and , then .

Let be a fresh variable; then . Combined with , it implies , i.e., . This combined with using gives the result of Lemma 0.9.

###### Theorem 0.10.

The set is diacritically compatible, with .

The complete proof of Theorem 0.10 can be found in the Coq formalization. We sketch some of the compatibility proofs to show how proofs are done in our framework, in particular the crucial case of , where we need the distinction between active and passive tests. We compare ourselves to Lassen’s proof [Lassen:MFPS99], which proceeds by induction on the definition of the closure using Definition 0.2. We do not need an induction on the number of evaluation steps for our small-step definition, but a nested induction proof for a big-step relation would exhibit the same issues. The strong up-to techniques , , and are easy to deal with; we detail the proof for .

.

###### Sketch.

Let ; we want to prove that . The inclusions and hold because , (by definition of ) and the functions are monotone. Next, let such that . The only clause to check is the one for values: we have and , i.e., , which implies because and is monotone.

We now sketch the proof for , which is by case analysis on the related terms.

###### Lemma 0.12.
