A Bunched Logic for Conditional Independence
JIALU BAO,
University of Wisconsin–Madison, USA
SIMON DOCHERTY,
University College London, UK
JUSTIN HSU,
University of Wisconsin–Madison, USA
ALEXANDRA SILVA,
University College London, UK

Independence and conditional independence are fundamental concepts for reasoning about groups of random variables in probabilistic programs. Verification methods for independence are still nascent, and existing methods cannot handle conditional independence. We extend the logic of bunched implications (BI) with a non-commutative conjunction and provide a model based on Markov kernels; conditional independence can be naturally expressed as a logical formula in this model. Noting that Markov kernels are Kleisli arrows for the distribution monad, we then introduce a second model based on the powerset monad and show how it can capture join dependency, a non-probabilistic analogue of conditional independence from database theory. Finally, we develop a program logic for verifying conditional independence in probabilistic programs.

Additional Key Words and Phrases: Bunched logics, conditional independence, join dependency
The study of probabilistic programming languages, and of their denotational and operational semantics in particular, goes back to the seminal work of Kozen [1981] in the early 1980s. The last decade has seen a surge of richer probabilistic languages [Goodman et al. 2012; Gordon et al. 2014; Wood et al. 2014], motivated by applications in machine learning, and accompanying research into their semantics [Dahlqvist and Kozen 2020; Ehrhard et al. 2018; Staton et al. 2016]. The proliferation of applications has also created new opportunities and challenges for formal verification.

A class of fundamental properties that is still poorly handled by existing verification techniques is independence. There are two notions: probabilistic independence and conditional independence. Intuitively, two random variables are probabilistically independent if they are not correlated: information about one gives none about the other or, equivalently, they represent separate sources of randomness (for example, the results of two coin flips).
Conditional independence is more subtle: random variables X and Y may be independent only conditioned on a third variable Z. Intuitively, X and Y may be correlated, but only through Z: at every fixed value of Z, X and Y are uncorrelated.

Both forms of independence are useful from a modelling and verification point of view. Probabilistic independence enables compositional reasoning about groups of random variables: if a group of random variables are independent, then their joint distribution is completely described by the distribution of each variable in isolation. It also captures the semantics of random sampling constructs in probabilistic languages, which generate a fresh random quantity that is independent of the rest of the program state.
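The factorisation criterion behind these definitions is easy to check numerically on finite distributions. The following is a minimal sketch of ours, not code from the paper, with joint distributions represented as Python dicts from value pairs to probabilities:

```python
from itertools import product

def marginal(joint, axis):
    """Marginal distribution of one coordinate of a joint over pairs."""
    m = {}
    for pair, p in joint.items():
        m[pair[axis]] = m.get(pair[axis], 0.0) + p
    return m

def independent(joint, tol=1e-9):
    """Check P(X=a, Y=b) = P(X=a) * P(Y=b) for all values a, b."""
    mx, my = marginal(joint, 0), marginal(joint, 1)
    return all(abs(joint.get((a, b), 0.0) - mx[a] * my[b]) < tol
               for a, b in product(mx, my))

# Two fair coin flips are independent; a perfectly copied bit is not.
coins = {(a, b): 0.25 for a in (0, 1) for b in (0, 1)}
copied = {(0, 0): 0.5, (1, 1): 0.5}
assert independent(coins)
assert not independent(copied)
```

Conditional independence refines this check: the same factorisation must hold within each slice obtained by fixing a value of Z, which is how the models developed later treat it.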
Conditional independence arises in the analysis of programs running under probabilistic control flow, as conditioning models probabilistic branching. In the theory of Bayesian networks, inference based on conditional independence is paramount, and methods enabling reasoning in that domain would have a wide range of applications. In algorithmic fairness,
for instance, conditional independence is used to formalise criteria ensuring that algorithms do not discriminate based on sensitive characteristics, such as gender or race [Barocas et al. 2019].

Aiming to prove independence in probabilistic programs, Barthe et al. [2019] recently introduced Probabilistic Separation Logic (PSL). The core ingredient of PSL is a new model of the logic of bunched implications (BI) in which separation is interpreted as probabilistic independence. PSL was used to formalize the security of several well-known constructions from cryptography, including a simple oblivious RAM. While PSL was a step forward in the development of program logics for independence, it does not support conditional independence, and there does not seem to be an easy way to extend it to do so. The core issue is that the BI model underlying PSL provides no means to track dependencies between non-independent variables. As such, one cannot formalize the basic statement of conditional independence: X and Y are independent random variables conditioned on Z.

Authors’ addresses: Jialu Bao, University of Wisconsin–Madison, USA; Simon Docherty, University College London, UK; Justin Hsu, University of Wisconsin–Madison, USA; Alexandra Silva, University College London, UK. 2020. This is the author’s version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published at https://doi.org/10.1145/nnnnnnn.nnnnnnn. Vol. 1, No. 1. Publication date: August 2020.
This limitation results in overly restrictive proof rules for probabilistic control flow (to prove anything non-trivial, all variables in pre- and postconditions must be independent of the guard) and makes the logic incapable of proving conditional independence.

In this paper, we develop a logical framework supporting formal, language-based reasoning about different notions of dependence and independence. Our approach is inspired by PSL, but the framework is more sophisticated: in order to express both probabilistic and conditional independence, we develop an assertion logic extending BI with new connectives. The key intuition guiding our design is that conditional independence can be naturally expressed as plain independence plus composition of Markov kernels; as our leading example, we give a kernel model of our logic. Then, we show how to adapt our probabilistic model to other settings. Markov kernels have been studied extensively in category theory: they are the arrows in the Kleisli category of the distribution monad. An interesting feature of our approach is that by varying the monad, our logic smoothly handles analogues of independence and conditional independence in other areas. To demonstrate, we show how replacing the distribution monad by the powerset monad gives a model where we can capture join/multivalued dependencies from relational algebra and database theory. We also show that the semi-graphoid laws, introduced by Pearl and Paz [1985] in their work axiomatizing conditional independence, can be translated into formulas that are valid in both of our models.

The rest of the paper is organized as follows. We give a bird's-eye view in Section 2, providing intuition for our design choices and highlighting differences with existing work. Section 3 presents the main contribution: the design of DIBI, a new bunched logic to reason about dependence and independence. We present two concrete models in Section 4, based on probability distributions and relations.
In Section 5, we consider how to express dependencies in DIBI: we show that a single logical formula captures conditional independence and join dependency in our two models, and that our models validate the semi-graphoid laws. In Section 6, we design a program logic with DIBI assertions, and use it to verify conditional independence in two example probabilistic programs. Finally, we return to the metatheory of DIBI in Section 7, proving that the proof system of DIBI is sound and complete with respect to its Kripke semantics.
In this section, we will provide a high-level summary of the paper’s main contributions.
The starting point of our work is the logic of bunched implications (BI) [O'Hearn and Pym 1999]. BI extends intuitionistic propositional logic with substructural connectives to facilitate reasoning about sharing and separation of resources, an idea most prominently realised in Separation Logic's handling of heap-manipulating programs. BI also forms the basis of probabilistic separation logic (PSL), recently proposed to reason about probabilistic independence. The novel connectives in BI are a separating conjunction P ∗ Q, meant to capture properties P and Q holding in separate resources, and its adjoint −∗, called magic wand. We will extend BI with a non-commutative conjunction, written P ⨟ Q. Intuitively, ⨟ expresses a possible dependency of Q on P. The end result is a logic with two conjunctive connectives, ∗ and ⨟, capturing notions of independence and dependence. We call the logic Dependence and Independence Bunched Implications (DIBI).

The simplest BI models are partial resource monoids: these are Kripke structures (M, ⊑, ◦, e) in which ◦ is an order-preserving, partial, commutative monoid operation with unit e. The monoid operation ◦ allows interpreting the separating conjunction P ∗ Q and magic wand P −∗ Q. The probabilistic model of BI is such a partial resource monoid: taking M to be the set of distributions over program memories and ◦ to be the independent product of distributions, the interpretation of P ∗ Q gives rise to the desired notion of probabilistic independence.

This is the first point where we fundamentally differ from PSL. To capture both dependence and independence, we change the structure in which formulas are interpreted. In Section 3.1, we will introduce a structure X = (X, ⊑, ⊕, ⊙, E), a DIBI frame, with two operations ⊕, ⊙ : X × X → P(X) and a set of units E ⊆ X. Three remarks are in order.
First, the pre-order ⊑ makes DIBI an intuitionistic logic. There are many design tradeoffs between intuitionistic and classical, but the most important consideration is that intuitionistic formulas can describe proper subsets of states (e.g., random variables), leaving the rest of the state implicit. Second, our frames contain an additional monoidal operation ⊙ for interpreting ⨟ (⊕ will be used in interpreting ∗). Third, as the completeness of BI for its simple models is an open problem [Galmiche et al. 2019], our models are examples of a broader notion of BI model admitting structures with non-deterministic operations (following [Docherty 2019; Galmiche and Larchey-Wendling 2006]). These models subsume partial resource monoids, and enable the completeness proof of DIBI (Section 7). While the conditions that DIBI frames must satisfy are somewhat cryptic at first sight, they can be naturally understood as axioms defining monoidal operations in a partial, non-deterministic setting. For example, we will require:

    (⊕ Commutativity)    z ∈ x ⊕ y → z ∈ y ⊕ x;
    (⊕ Associativity)    w ∈ t ⊕ z ∧ t ∈ x ⊕ y → ∃s (s ∈ y ⊕ z ∧ w ∈ x ⊕ s);
    (⊙ Unit Existence L) ∃e ∈ E (x ∈ e ⊙ x);

where unbound variables are implicitly universally quantified. Crucially, the operation ⊙ need not be commutative: this operation interprets the dependence conjunction ⨟, where commutativity is not desirable. In a DIBI frame, ∗ and ⨟ can be interpreted as follows:

    x ⊨ P ∗ Q iff there exist x′, y, z s.t. x ⊒ x′ ∈ y ⊕ z, y ⊨ P, and z ⊨ Q
    x ⊨ P ⨟ Q iff there exist y, z s.t. x ∈ y ⊙ z, y ⊨ P, and z ⊨ Q

In DIBI, ∗ has a similar reading as in PSL: it states that two parts of a distribution can be combined because they are independent.
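Axioms of this shape can be sanity-checked by brute force on small candidate structures. The snippet below is our own toy illustration, not one of the paper's models: the carrier is the set of subsets of {1, 2, 3}, x ⊕ y is disjoint union (a partial, deterministic operation rendered in the non-deterministic signature as a set of results, empty when undefined), and E = {∅}. We check the two ⊕ axioms quoted above plus unit existence for ⊕; the ⊙ version of unit existence is analogous:

```python
from itertools import chain, combinations

UNIV = {1, 2, 3}
# All subsets of UNIV, as frozensets (the frame's carrier X).
X = [frozenset(s) for s in chain.from_iterable(
    combinations(sorted(UNIV), r) for r in range(len(UNIV) + 1))]

def oplus(x, y):
    """x ⊕ y in non-deterministic signature: a set of results.
    Disjoint union when defined, otherwise the empty set."""
    return {x | y} if not (x & y) else set()

E = {frozenset()}  # the unit set

# (⊕ Commutativity): z ∈ x ⊕ y → z ∈ y ⊕ x
assert all(oplus(x, y) == oplus(y, x) for x in X for y in X)

# (⊕ Associativity): w ∈ t ⊕ z ∧ t ∈ x ⊕ y → ∃s (s ∈ y ⊕ z ∧ w ∈ x ⊕ s)
assert all(
    any(w in oplus(x, s) for s in oplus(y, z))
    for x in X for y in X for z in X
    for t in oplus(x, y) for w in oplus(t, z))

# (⊕ Unit Existence): ∃e ∈ E with x ∈ e ⊕ x
assert all(any(x in oplus(e, x) for e in E) for x in X)
```

With ⊑ taken as set inclusion, this structure also satisfies the Down-Closed condition for ⊕; the concrete models in Section 4 replace subsets by Markov kernels.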
This interpretation has a clear meaning in a probabilistic model but, as we will see, it captures more general notions of independence than just probabilistic independence. In contrast, the new conjunction P ⨟ Q asserts that the Q part of a distribution may depend on the P part. Combined with the usual separating conjunction, ⨟ allows the expression of more complex dependencies: e.g., P ⨟ (Q ∗ R) asserts that Q and R both depend on P, and are independent otherwise. These intuitions will become clearer when we see the concrete models.

To reason about DIBI validity, in Section 3.2 we will provide a simple, Hilbert-style proof system for DIBI, and in Section 7 prove soundness and completeness. The proof rules of DIBI extend those for BI with rules for ⨟, such as the one below on the left, and for the interaction between ⨟ and ∗:

    ⨟-Conj: from P ⊢ R and Q ⊢ S, infer P ⨟ Q ⊢ R ⨟ S
    RevEx:  (P ⨟ Q) ∗ (R ⨟ S) ⊢ (P ∗ R) ⨟ (Q ∗ S)
The rule on the right, reverse exchange, captures the fundamental interaction between the connectives. Computations T = P ⨟ Q and U = R ⨟ S are built from dependent components, yet T and U are independent and hence can be combined with ∗. We can then infer that the building blocks of T and U must also be pairwise independent, and can be combined, yielding formulas P ∗ R and Q ∗ S. These can then be combined with ⨟, and they retain the dependency of the original building blocks.

Separation logics are based on concrete BI models over program states, together with an appropriate language of assertions. Before explaining the new models we introduce in Section 4, we recall two models of BI and their interpretations of ∗.

[Figure: a heap over addresses w, x, y, z satisfies P ∗ Q exactly when it splits into two disjoint parts, one satisfying P and one satisfying Q.]

In the standard heap model, states are partial maps from memory addresses to values, and assertions of the form x ↦ v indicate that the location to which x points has value v. The separating conjunction of two assertions x ↦ v ∗ y ↦ u states that the addresses pointed to by x and y do not alias. In general, P ∗ Q states that the heap can be split into two disjoint parts satisfying formulas P and Q, respectively. In PSL, states are distributions over program memories, basic assertions D[x] indicate that x is a random variable, and P ∗ Q states that a distribution µ can be factored into two independent distributions µ₁ and µ₂ satisfying P and Q, respectively. For instance, consider the following simple program:

    x $← flip; y $← flip; z ← x ∨ y    (2.1)

Here, x and y are Boolean variables storing the results of two fair coin flips, and z stores the result of x ∨ y. The output distribution µ is a distribution over a memory with variables x, y, and z (depicted below). The variables x and y are independent in µ, and D[x] ∗ D[y] holds in µ: µ is a product of two marginal distributions µ₁ and µ₂, where D[x] and D[y] are satisfied:
[Figure: µ assigns probability 1/4 to each of the memories (x, y, z) ∈ {(0,0,0), (0,1,1), (1,0,1), (1,1,1)}, and factors as the product of the uniform marginals µ₁ on x and µ₂ on y, with µ₁ ⊨ D[x] and µ₂ ⊨ D[y]; hence µ ⊨ D[x] ∗ D[y].]

In Section 4, we develop two concrete models for DIBI: one based on probability distributions, and one based on relations. Here, we just outline the basics of the probabilistic model, as it generalizes the above model of PSL. Let
Val be a finite set of values and S a finite set of memory locations. We use Mem[S] to denote functions S → Val, representing program memories.

The states in the DIBI probabilistic model, over which the formulas will be interpreted, are Markov kernels on program memories. More precisely, given sets of memory locations S ⊆ U, these are functions f : Mem[S] → D(Mem[U]) that preserve their input. We depict such kernels as trapezoids, where the smaller side represents the domain dom(f) and the larger side the range range(f); our basic assertions will track dom(f) and range(f), justifying this somewhat simplistic representation. Finally, we can lift distributions to Markov kernels: the distribution µ : D(Mem[U]) corresponds to the kernel f_µ : Mem[∅] → D(Mem[U]) that assigns µ to the only element of Mem[∅].

Separating and dependent conjunction will be interpreted via operations ⊕ and ⊙ on Markov kernels, respectively. Intuitively, ⊕ takes unions on both domains and ranges, whereas ⊙ composes the kernels using Kleisli composition. [Figure: schematic depiction of f₁ ⊕ f₂ as two trapezoids placed side by side, and g₁ ⊙ g₂ as two trapezoids chained in sequence.]

To show how these operations work, recall the simple program in Eq. (2.1). In the output distribution µ, the variable z depends on x and y since z stores x ∨ y, and x and y are independent. (However, it turns out that x and y are not independent if we condition on any fixed value of z.) In our setting, this dependency structure can be seen in the following decomposition of f_µ:

    f_z ⊨ Q_z and f_{µ₁} ⊕ f_{µ₂} ⊨ P_{x∗y} and (f_{µ₁} ⊕ f_{µ₂}) ⊙ f_z = f_µ  ⟹  f_µ ⊨ P_{x∗y} ⨟ Q_z    (2.2)

where f_z : Mem[{x, y}] → D(Mem[{x, y, z}]) is a kernel capturing the relation between the contents of program variable z and those of x, y: it maps a memory assigning a to x and b to y to the Dirac distribution on the extended memory with z = a ∨ b. Here δ : X → D(X) is the Dirac distribution: δ(x)(y) = 1 if x = y, and 0 otherwise.

When analyzing composition of Markov kernels, the domains and ranges provide key information: the domain determines which variables a kernel may depend on, and the range which variables a kernel describes. Accordingly, we introduce basic assertions of the form (A ▷ [B]), where A and B are sets of memory locations. A Markov kernel f : Mem[S] → D(Mem[T]) satisfies the assertion (A ▷ [B]) if there exists f′ ⊑ f with the domain and range prescribed by the assertion:

    f ⊨ (A ▷ [B]) iff there exists f′ ⊑ f such that dom(f′) = A and range(f′) ⊇ B.

For instance, the kernel f_z above satisfies ({x, y} ▷ [x, y]), ({x, y} ▷ [x, y, z]), and ({x, y} ▷ [∅]).
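The decomposition (2.2), and the parenthetical claim that conditioning on z breaks the independence of x and y, can both be checked numerically. The following is our sketch, not the paper's code, with memories represented as tuples (x, y, z):

```python
# Output distribution of program (2.1): x, y fair flips, z = x OR y.
def mu():
    d = {}
    for x in (0, 1):
        for y in (0, 1):
            key = (x, y, x | y)
            d[key] = d.get(key, 0.0) + 0.25
    return d

joint = mu()

# f_z as a kernel: a memory over {x, y} maps to the Dirac distribution
# on the extended memory with z = x OR y.
def f_z(x, y):
    return {(x, y, x | y): 1.0}

# (f_mu1 + f_mu2) composed with f_z: weight each (x, y) by the product
# of the (uniform) marginals, then push through the Dirac kernel f_z.
composed = {}
for x in (0, 1):
    for y in (0, 1):
        for m, p in f_z(x, y).items():
            composed[m] = composed.get(m, 0.0) + 0.5 * 0.5 * p

assert composed == joint  # the decomposition (2.2) recovers f_mu

# Conditioning on z = 1 breaks independence of x and y.
pz1 = sum(p for (_, _, z), p in joint.items() if z == 1)  # 3/4
cond = {(x, y): p / pz1 for (x, y, z), p in joint.items() if z == 1}
px0 = sum(p for (x, _), p in cond.items() if x == 0)  # 1/3
py0 = sum(p for (_, y), p in cond.items() if y == 0)  # 1/3
assert abs(cond.get((0, 0), 0.0) - px0 * py0) > 1e-9  # 0 vs 1/9
```

The final assertion witnesses the failure of the factorisation test at a fixed value of z, exactly the situation PSL's ∗ alone cannot describe.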
For another example, the formulas Q_z and P_{x∗y} in (2.2) can be expressed as follows:

    Q_z = ({x, y} ▷ [x, y, z])   and   P_{x∗y} = (∅ ▷ [x]) ∗ (∅ ▷ [y]).

The reader might wonder how such simple atomic propositions, which only describe the domain and range of a kernel and do not assert any equality of probabilities, can express conditional independence. The key insight is that conditional independence can be formulated in terms of sequential and parallel composition of kernels, and the operations ⊙ and ⊕ enable the description of this kind of decomposition. In Section 5.1, we will prove a general result (Theorem 5.4) asserting that, given a distribution µ ∈ D(Mem[Var]) and any X, Y, Z ⊆ Var, the satisfaction

    f_µ ⊨ (∅ ▷ [Z]) ⨟ ((Z ▷ [X]) ∗ (Z ▷ [Y]))    (2.3)

is equivalent to conditional independence of X and Y given Z in µ.

Moreover, Equation (2.3) smoothly generalizes to other settings. As we will see in Section 5.2, a simple change in the model (corresponding to a switch from the distribution monad to the powerset monad) results in the exact same formula encoding join dependency in the relational model of DIBI; this is a notion of conditional independence from the database and relational algebra literature. We also show in Section 5.3 that the main graphoid axioms of Pearl and Paz [1985] are valid in these two models; in fact, two of the axioms can be derived in the DIBI proof system.

As a further application of our logic, we design a program logic CPSL for a simple imperative programming language, using a fragment of DIBI as the assertion language (Section 6). CPSL includes novel proof rules for randomized conditionals and inherits PSL's variant of the frame rule. We illustrate how to apply CPSL to prove conditional independence in two example probabilistic programs. Here, we show two of the rules and explain how to use them on the simple program in Eq. (2.1). CPSL has the following Hoare-style rules for random sampling and assignment:
    Samp: if x ∉ FV(d) ∪ FV(P), then ⊢ {P} x $← d {P ⨟ (FV(d) ▷ [x])}
    Assn: if x ∉ FV(e) ∪ FV(P), then ⊢ {P} x ← e {P ⨟ (FV(e) ▷ [x])}
Using Samp, and the fact that the coin-flip distribution flip has no free variables, we can infer:

    ⊢ {⊤} x $← flip {(∅ ▷ [x])}        ⊢ {⊤} y $← flip {(∅ ▷ [y])}

From these two triples and a variant of the frame rule, we can derive:

    ⊢ {⊤} x $← flip; y $← flip {(∅ ▷ [x]) ∗ (∅ ▷ [y])}

Using Assn with P = (∅ ▷ [x]) ∗ (∅ ▷ [y]), and the fact that z is not a free variable in either P or x ∨ y:

    ⊢ {P} z ← x ∨ y {P ⨟ ({x, y} ▷ [z])}

Putting it all together, we obtain the valid triple:

    ⊢ {⊤} x $← flip; y $← flip; z ← x ∨ y {((∅ ▷ [x]) ∗ (∅ ▷ [y])) ⨟ ({x, y} ▷ [z])}

stating that z depends on the independent random variables x and y.

The syntax of DIBI extends the logic of bunched implications (BI) [O'Hearn and Pym 1999] with a non-commutative conjunctive connective ⨟ and its associated implications. Let AP be a set of propositional atoms. The set of DIBI formulas, Form_DIBI, is generated by the following grammar:

    P, Q ::= p ∈ AP | ⊤ | I | ⊥ | P ∧ Q | P ∨ Q | P → Q | P ∗ Q | P −∗ Q | P ⨟ Q | P ⊸ Q | P ⟜ Q.

DIBI is interpreted on DIBI frames, which are structures extending BI frames.
Definition 3.1 (DIBI Frame). A DIBI frame is a structure X = (X, ⊑, ⊕, ⊙, E) such that ⊑ is a preorder, E ⊆ X, and ⊕, ⊙ : X × X → P(X) are binary operations, satisfying (with outermost universal quantification omitted for readability):

    (⊕ Down-Closed)      z ∈ x ⊕ y ∧ x ⊒ x′ ∧ y ⊒ y′ → ∃z′ (z ⊒ z′ ∧ z′ ∈ x′ ⊕ y′);
    (⊙ Up-Closed)        z ∈ x ⊙ y ∧ z′ ⊒ z → ∃x′, y′ (x′ ⊒ x ∧ y′ ⊒ y ∧ z′ ∈ x′ ⊙ y′);
    (⊕ Commutativity)    z ∈ x ⊕ y → z ∈ y ⊕ x;
    (⊕ Associativity)    w ∈ t ⊕ z ∧ t ∈ x ⊕ y → ∃s (s ∈ y ⊕ z ∧ w ∈ x ⊕ s);
    (⊕ Unit Existence)   ∃e ∈ E (x ∈ e ⊕ x);
    (⊕ Unit Coherence)   e ∈ E ∧ x ∈ y ⊕ e → x ⊒ y;
    (⊙ Associativity)    ∃t (w ∈ t ⊙ z ∧ t ∈ x ⊙ y) ↔ ∃s (s ∈ y ⊙ z ∧ w ∈ x ⊙ s);
    (⊙ Unit Existence L) ∃e ∈ E (x ∈ e ⊙ x);
    (⊙ Unit Existence R) ∃e ∈ E (x ∈ x ⊙ e);
    (⊙ Coherence R)      e ∈ E ∧ x ∈ y ⊙ e → x ⊒ y;
    (Unit Closure)       e ∈ E ∧ e′ ⊒ e → e′ ∈ E;
    (Reverse Exchange)   x ∈ y ⊕ z ∧ y ∈ y₁ ⊙ y₂ ∧ z ∈ z₁ ⊙ z₂ → ∃u, v (u ∈ y₁ ⊕ z₁ ∧ v ∈ y₂ ⊕ z₂ ∧ x ∈ u ⊙ v).

Intuitively, X is a set of states, the pre-order ⊑ describes when a smaller state can be extended to a larger state, the binary operators ⊙ and ⊕ offer two ways of combining states (e.g., when states are Markov kernels, they can be composed sequentially or by taking their independent product, respectively), and E is the set of states that act like units with respect to these operations. The binary operators return a set of states instead of a single state, so the operators can be either deterministic (at most one state returned) or non-deterministic, and partial or total. The operators in the concrete models below will be deterministic, but the proof of completeness relies on the frames admitting non-deterministic models, as is standard for bunched logics [Docherty 2019].

The frame conditions define properties that must hold in all models of DIBI. Most of these properties can be viewed as extensions of familiar algebraic properties, generalized to non-deterministic operations and suitably interacting with the pre-order. The "Closed" properties give coherence conditions between the order and the composition operators. It can be shown that the Associativity frame condition, together with either the Up- or Down-Closed property for an operator, is sufficient to obtain the soundness of associativity for the associated separating conjunction [Cao et al. 2017; Docherty 2019]. The choices of Closed conditions match the desired interpretations of ⊕ as independence and ⊙ as dependence: independence should drop down to substates (which must necessarily be independent if the superstates were), while dependence should be inherited by superstates (the source of dependence will still be present in any extension). Having ⊙ non-commutative also splits the ⊙ analogues of the ⊕ axioms into pairs of axioms, although we note that we exclude the left version of (⊙ Coherence), for reasons we explain in Section 3.2. Finally, the (Reverse Exchange) condition defines the interaction between ⊕ and ⊙.

We will give a Kripke-style semantics for DIBI, much like the semantics for BI [Pym et al. 2004]. Given a DIBI frame, the semantics defines which states in the frame satisfy each formula.

    x ⊨_V ⊤       always
    x ⊨_V ⊥       never
    x ⊨_V I       iff x ∈ E
    x ⊨_V p       iff x ∈ V(p)
    x ⊨_V P ∧ Q   iff x ⊨_V P and x ⊨_V Q
    x ⊨_V P ∨ Q   iff x ⊨_V P or x ⊨_V Q
    x ⊨_V P → Q   iff for all y ⊒ x, y ⊨_V P implies y ⊨_V Q
    x ⊨_V P ∗ Q   iff there exist x′, y, z s.t. x ⊒ x′ ∈ y ⊕ z, y ⊨_V P and z ⊨_V Q
    x ⊨_V P ⨟ Q   iff there exist y, z s.t. x ∈ y ⊙ z, y ⊨_V P and z ⊨_V Q
    x ⊨_V P −∗ Q  iff for all y, z s.t. z ∈ x ⊕ y: y ⊨_V P implies z ⊨_V Q
    x ⊨_V P ⊸ Q   iff for all x′, y, z s.t. x′ ⊒ x and z ∈ x′ ⊙ y: y ⊨_V P implies z ⊨_V Q
    x ⊨_V P ⟜ Q   iff for all x′, y, z s.t. x′ ⊒ x and z ∈ y ⊙ x′: y ⊨_V P implies z ⊨_V Q

    Fig. 1. Satisfaction for DIBI
Since the definition is inductive on formulas, we must specify which states satisfy the atomic propositions.

Definition 3.2 (Valuation and model). A persistent valuation is an assignment V : AP → P(X) of atomic propositions to subsets of states of a DIBI frame satisfying: if x ∈ V(p) and y ⊒ x, then y ∈ V(p). A DIBI model (X, V) is a DIBI frame X together with a persistent valuation V.

Since DIBI is an intuitionistic logic, persistence is necessary for soundness. We can now give a semantics to DIBI formulas in a DIBI model.

Definition 3.3 (DIBI Satisfaction and Validity).
Satisfaction at a state x in a model is inductively defined by the clauses in Fig. 1. P is valid in a model, X ⊨_V P, iff x ⊨_V P for all x ∈ X. P is valid, ⊨ P, iff P is valid in all models. P ⊨ Q iff, for all models, x ⊨_V P implies x ⊨_V Q. Where the context is clear, we omit the subscript V on the satisfaction relation.

With the semantics in Fig. 1, persistence of propositional atoms extends to all formulas:

Lemma 3.4 (Persistence Lemma). For all P ∈ Form_DIBI, if x ⊨ P and y ⊒ x, then y ⊨ P.

The reader may note the difference between the semantic clauses for ⨟ and ∗, and for −∗ and ⊸: the satisfaction of the Up-Closed (resp. Down-Closed) frame axiom for ⊙ (resp. ⊕) leads to the persistence (and thus soundness) of the simpler clause for ⨟ (resp. −∗) [Cao et al. 2017]. Without the other Closed property, we must use a satisfaction clause that explicitly accounts for the order, as in BI.

A Hilbert-style proof system for DIBI is given in Fig. 2. This calculus extends a system for BI with additional rules governing the new connectives ⨟, ⊸, and ⟜; in Section 7 we will prove that this calculus is sound and complete. We briefly comment on two important details of this proof system.

[Figure body: the standard BI rules (Ax, ⊤, ⊥, introduction and elimination for ∧, ∨, →, the rules for ∗ and −∗), residuation and modus-ponens rules for ⊸ and ⟜, and the structural axioms ∗-Unit (P ⊣⊢ P ∗ I), ∗-Conj, ∗-Comm, ∗-Assoc, ⨟-Conj, ⨟-Left Unit (P ⊢ I ⨟ P), ⨟-Right Unit (P ⊣⊢ P ⨟ I), ⨟-Assoc, and RevEx ((P ⨟ Q) ∗ (R ⨟ S) ⊢ (P ∗ R) ⨟ (Q ∗ S)).]
Fig. 2. Hilbert system for DIBI
Reverse exchange.
The proof system of DIBI shares many similarities with Concurrent Kleene Bunched Logic (CKBI) [Docherty 2019]. Like DIBI, CKBI extends BI with a non-commutative conjunction. Inspired by concurrent Kleene algebra (CKA) [Hoare et al. 2011], CKBI supports the following exchange axiom, derived from CKA's exchange law:

    (P ∗ R) ⨟ (Q ∗ S) ⊢_CKBI (P ⨟ Q) ∗ (R ⨟ S)

In models of CKBI, ∗ describes interleaving concurrent composition, while ⨟ describes sequential composition. The exchange rule states that the process on the left has fewer behaviors than the process on the right; e.g., P ⨟ Q allows fewer behaviors than P ∗ Q, so P ⨟ Q ⊢_CKBI P ∗ Q is derivable. In our models, ∗ has a different reading: it states that two computations can be combined because they are independent (i.e., non-interfering). Accordingly, DIBI replaces Exch by the reversed version RevEx: the fact that the formula on the left is safe to combine implies that the formula on the right is also safe. P ∗ Q is now stronger than P ⨟ Q, and P ∗ Q ⊢ P ⨟ Q is derivable (Lemma A.1).

Left unit.
While ⨟ has a right unit in our logic, it does not have a proper left unit. Semantically, this corresponds to the lack of a frame condition (⊙ Coherence L) in our definition of DIBI frames. The difference can also be seen in the proof rules: while ⨟-Right Unit gives entailment in both directions, ⨟-Left Unit shows entailment in only one direction; there is no axiom stating I ⨟ P ⊢ P. We make this relaxation to support the models we will see in Section 4. In a nutshell, states in our models are Kleisli arrows that are required to preserve their input through to their output: intuitively, we are not able to change the distribution of variables that we have conditioned on. Our models take ⊙ to be Kleisli composition, which exhibits an important asymmetry for these arrows: f can always be recovered from f ⊙ g, but not from g ⊙ f. As a result, the set of all such arrows naturally serves as the set of right units, but these arrows cannot all serve as left units.

In this section, we introduce two concrete models of DIBI to facilitate logical reasoning about (in)dependence in probability distributions and relational databases. In both models the operations ⊙ and ⊕ will be deterministic partial functions; we shall write h = f • g instead of {h} = f • g, for • ∈ {⊙, ⊕}. We start with some preliminaries on basic operations on memories and distributions.

Operations on Memories.
Let Val be a fixed set of values (e.g., the Booleans), and let Mem[S] denote the set of functions m : S → Val. Thinking of S as a set of variable names, m assigns a value to each variable in S; we call such functions memories, and refer to S as the domain of the memory m. There is exactly one element in Mem[∅]; we write ⟨⟩ for this (empty) memory.

We will use two operations on memories. First, a memory m with domain S can be projected to a memory m|_T with domain T ⊆ S, defined by m|_T(x) = m(x) for all x ∈ T. Second, two memories can be combined if they agree on the intersection of their domains: given memories m₁ ∈ Mem[S] and m₂ ∈ Mem[T] such that m₁|_{S∩T} = m₂|_{S∩T}, we define m₁ ⊗ m₂ : S ∪ T → Val by

    (m₁ ⊗ m₂)(x) := m₁(x) if x ∈ S, and m₂(x) if x ∈ T.    (4.1)

Probability distributions and Markov kernels.
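These two operations have a direct transcription; the small sketch below is ours (not the paper's code), with memories represented as Python dicts from variable names to values:

```python
def project(m, T):
    """m|_T : restrict memory m to the variables in T (assumes T is a
    subset of m's domain)."""
    return {x: m[x] for x in T}

def combine(m1, m2):
    """m1 (x) m2, per (4.1): defined only if the memories agree on the
    intersection of their domains; returns None when undefined."""
    shared = m1.keys() & m2.keys()
    if any(m1[x] != m2[x] for x in shared):
        return None
    return {**m1, **m2}

m1 = {"x": 0, "y": 1}
m2 = {"y": 1, "z": 0}
assert project(m1, {"x"}) == {"x": 0}
assert combine(m1, m2) == {"x": 0, "y": 1, "z": 0}
assert combine(m1, {"y": 0}) is None  # disagreement on y: undefined
```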
We will use the distribution monad to model distributions over memories. Given a set X, let D(X) denote the set of finite distributions over X, i.e., the set of finite-support functions µ : X → [0, 1] satisfying Σ_{x∈X} µ(x) = 1. This operation on sets can be lifted to functions f : X → Y, yielding a map of distributions D(f) : D(X) → D(Y) given by D(f)(µ)(y) := Σ_{f(x)=y} µ(x) (intuitively, D(f) takes the sum of the probabilities of all elements in the pre-image of y). These operations turn D into a functor on sets; further, D is also a monad: a categorical structure useful for combining computations [Giry 1982; Moggi 1991].

Definition 4.1 (Distribution Monad).
Define unit : X → D(X) by unit_X(x) := δ_x, with δ_x denoting the Dirac distribution on x: for any y ∈ X, δ_x(y) = 1 if y = x, and δ_x(y) = 0 otherwise. Further, define bind : D(X) → (X → D(Y)) → D(Y) by bind(µ)(f)(y) := Σ_{p∈D(Y)} D(f)(µ)(p) · p(y).

Intuitively, unit enables the embedding of a set into distributions, and bind enables the combination of probabilistic computations. Both maps are natural transformations and satisfy the following interaction laws, which establish that the triple ⟨D, unit, bind⟩ defines a monad:

    bind(unit(x))(f) = f(x),   bind(µ)(unit) = µ,   bind(bind(µ)(f))(g) = bind(µ)(λx. bind(f(x))(g)).    (4.2)

The distribution monad has an equivalent presentation in which bind is replaced by a multiplication operation DD(X) → D(X), which flattens distributions by averaging.

The monad D gives rise to the Kleisli category of D, denoted Kℓ(D), with sets as objects and arrows f : X → D(Y). Arrow composition in Kℓ(D) is defined using bind: given f : X → D(Y) and g : Y → D(Z), the composition f ⊙ g : X → D(Z) is

    (f ⊙ g)(x) := bind(f(x))(g).    (4.3)

The arrows of Kℓ(D) are known in the literature as Markov kernels [Panangaden 2009]. Markov kernels generalize distributions: given a distribution µ : D(X), we can define a Markov kernel f_µ : 1 → D(X) assigning µ to the single element of 1. More generally, kernels are useful for encoding conditional distributions, which play a key role in conditional independence.

Example 4.2.
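Definition 4.1 admits a direct finite-support rendering; the sketch below is ours, with distributions as dicts from outcomes to probabilities (bind is computed by summing over outcomes, which agrees with the D(f)-based formula above), and it spot-checks the laws (4.2) on one instance, which is of course not a proof:

```python
def unit(x):
    """Dirac distribution on x."""
    return {x: 1.0}

def bind(mu, f):
    """bind(mu)(f): average the distributions f(x) with weights mu(x)."""
    out = {}
    for x, p in mu.items():
        for y, q in f(x).items():
            out[y] = out.get(y, 0.0) + p * q
    return out

def kleisli(f, g):
    """(f . g)(x) = bind(f(x))(g), as in (4.3)."""
    return lambda x: bind(f(x), g)

# Spot-check the monad laws (4.2) on a small example.
mu = {0: 0.5, 1: 0.5}
f = lambda x: {x: 0.25, x + 1: 0.75}
g = lambda y: unit(y * 2)

assert bind(unit(3), f) == f(3)                                    # left unit
assert bind(mu, unit) == mu                                        # right unit
assert bind(bind(mu, f), g) == bind(mu, lambda x: bind(f(x), g))   # assoc
```

The dyadic probabilities here make the floating-point comparisons exact; for general probabilities one would compare up to a tolerance (or use exact rationals).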
Suppose that we have the program p in Figure 3(a), where x, y, and z are Boolean variables. First, flip a fair coin and store the result in z. If z = 0, flip a fair coin twice, and store the results in x and y, respectively. Otherwise, if z = 1, flip a coin with bias 3/4 twice, and store the results in x and y. The semantics of this program is the distribution µ shown in Figure 3(b). If we condition µ on z = 0, then the resulting distribution µ0 resembles two independent fair coin flips: each outcome has probability 1/4 (Figure 3(c)). If we condition on z = 1, µ1 will be skewed—there will be a much higher probability that we observe (1, 1) than (0, 0)—but x and y are still independent (Figure 3(d)).

, Vol. 1, No. 1, Article . Publication date: August 2020.

z $← flip 1/2;
if z then
    x $← flip 3/4; y $← flip 3/4;
else
    x $← flip 1/2; y $← flip 1/2;

(a)

x y z  µ
0 0 0  1/8
0 0 1  1/32
1 0 0  1/8
1 0 1  3/32
0 1 0  1/8
0 1 1  3/32
1 1 0  1/8
1 1 1  9/32

(b)

x y  µ0
0 0  1/4
1 0  1/4
0 1  1/4
1 1  1/4

(c)

x y  µ1
0 0  1/16
1 0  3/16
0 1  3/16
1 1  9/16

(d)

Fig. 3. (a) Prob. program p; (b) distribution µ generated by p; (c) µ conditioned on z = 0; and (d) µ conditioned on z = 1.

To connect µ0 and µ1 to the original distribution µ, we "package" the conditional distributions µ0 and µ1 into a Markov kernel k : Mem[z] → D(Mem[{x, y, z}]) given by k(i)(d) := µ_i(d_{x,y}). Then, the relation between the conditional distributions and the original distribution µ can be compactly expressed: f_µ = f_{µ_z} ⊙ k, where µ_z is the projection of µ on {z}.

Finite distributions of memories over U—D(Mem[U])—will play a central role in our models. In the sequel, we will refer to maps of the form f : Mem[S] → D(Mem[U]) as Markov kernels (even though these are a subclass of the arrows of Kℓ(D)), and define dom(f) = S and range(f) = U. Definition 4.3 (Composing Markov kernels on memories).
Given f : Mem[S] → D(Mem[T]) and д : Mem[U] → D(Mem[V]), we define their parallel composition, whenever S ∩ U = T ∩ V, as the map f ⊕ д : Mem[S ∪ U] → D(Mem[T ∪ V]) given by

(f ⊕ д)(d)(m) := f(d_S)(m_T) · д(d_U)(m_V) if d ⊗ m is defined, and 0 otherwise.

Whenever T = U, we define their sequential composition f ⊙ д : Mem[S] → D(Mem[V]) using the Kleisli composition (Equation (4.3)). Markov kernels can also be projected/marginalized to a smaller range. Definition 4.4 (Marginalization of kernels).
For any Markov kernel f : Mem[S] → D(Mem[U]) and any V ⊆ U, we define the marginalization of f by V as the map π_V f : Mem[S] → D(Mem[V]):

(π_V f)(d)(r) := Σ_{m ∈ Mem[U \ V]} f(d)(r ⊗ m)

for any d ∈ Mem[S], r ∈ Mem[V]; terms that are undefined do not contribute to the sum. Now, we have all the ingredients to define our first concrete model: states will be Markov kernels that preserve their input; ⊕ (resp. ⊙) will be parallel (resp. sequential) composition. The use of ⊕ to model independence generalizes the approach in Barthe et al. [2019]. Combining both kinds of composition—sequential and parallel—will allow us to capture conditional independence. Definition 4.5 (Probabilistic frame).
We define the frame (M_D, ⊑, ⊕, ⊙, M_D) as follows:
• Let M_D consist of Markov kernels f : Mem[S] → D(Mem[U]) that satisfy S ⊆ U and π_S f = unit_{Mem[S]}, i.e., kernels that preserve their input to their output;
• ⊕ and ⊙ are parallel and sequential composition of kernels, respectively;
• Given f, д ∈ M_D, f ⊑ д if there exist R ⊆ Var, h ∈ M_D such that д = (f ⊕ unit_{Mem[R]}) ⊙ h.

We make two remarks. First, f ⊑ д intuitively expresses that д can be obtained by extending f: first compose f in parallel with unit_{Mem[R]} and then extend the range via composition with h. Also, we can recover f from д by first marginalizing д to range(f) ∪ R, and then ignoring the R portion. Second, the definition of f ⊙ д on M_D can be simplified. Given f : Mem[S] → D(Mem[T]) and д : Mem[T] → D(Mem[U]), Eq. (4.3) yields the explicit formula:

(f ⊙ д)(d)(m) := Σ_{m′ ∈ Mem[T]} f(d)(m′) · д(m′)(m).

Since f, д ∈ M_D preserve input to output, this definition reduces to

(f ⊙ д)(d)(m) = f(d)(m_T) · д(m_T)(m).   (4.4)

Importantly, we can show that our probabilistic frame is indeed a DIBI frame.

Theorem 4.6. (M_D, ⊑, ⊕, ⊙, M_D) is a DIBI frame.

Proof sketch. First, we show that M_D is closed under ⊕ and ⊙, and ⊑ is transitive and reflexive. The frame axioms are mostly straightforward, but some of the more complex conditions rely on a property of the model that we call reverse exchange equality: if both (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) and (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) are defined, then they are equal. For example: (⊕ Unit Coherence):
The unit set in this frame is the entire state space M_D: we must show that for any f₁, f₂ ∈ M_D, if f₁ ⊕ f₂ is defined, then f₁ ⊑ f₁ ⊕ f₂:

f₁ ⊕ f₂ = (f₁ ⊙ unit_{range(f₁)}) ⊕ (unit_{dom(f₂)} ⊙ f₂)
        = (f₁ ⊕ unit_{dom(f₂)}) ⊙ (unit_{range(f₁)} ⊕ f₂)   (by reverse exchange equality)
        = (f₁ ⊕ unit_{dom(f₂)}) ⊙ (f₂ ⊕ unit_{range(f₁)})   (⊕ Commutativity)

We present the complete proof in Appendix B. □ Example 4.7 (Kernel decomposition).
Recall the distribution µ on Mem[{x, y, z}] from Example 4.2. Let k_x : Mem[z] → D(Mem[{x, z}]) encode the conditional distribution of x given z, and let k_y : Mem[z] → D(Mem[{y, z}]) encode the conditional distribution of y given z. Explicitly,

k_v(z = 0)(v = 0, z = 0) = 1/2    k_v(z = 0)(v = 1, z = 0) = 1/2
k_v(z = 1)(v = 0, z = 1) = 1/4    k_v(z = 1)(v = 1, z = 1) = 3/4

for v = x or y, with all other entries equal to zero. Since k_x, k_y include z in their range, k_x ⊕ k_y is defined. A small calculation shows that k_x ⊕ k_y = k, where k : Mem[z] → D(Mem[{x, y, z}]) represents the conditional distribution of (x, y) given z. This decomposition intuitively witnesses that x and y are independent conditioned on z, and we will later formally prove it within our system.

We developed the probabilistic model in the previous section using operations from the distribution monad D. Abstracting away from D and instantiating the definitions with operations from other monads gives rise to other interesting models of DIBI. In this section, we develop a relational model based on the powerset monad P, and show how our logic can be used to reason about join dependency properties of tables from database theory. Before we present our relational model, we introduce some notation and basic definitions on relations. Operations on relations.
Tables are often viewed as relations: sets of tuples where each component of the tuple corresponds to an attribute. Formally, a relation R over (a set of) attributes S is a set of tuples that are indexed by S. Each tuple maps an attribute in S to a value in Val and hence can be seen as an element of Mem[S], as defined in Section 4.1. The projection and ⊗ operations on Mem[S] from Equation (4.1) can be lifted to relations. Definition 4.8 (Projection and Join).
The projection of a relation R over attributes X to Y ⊆ X is given by R_Y := { r_Y | r ∈ R }. The natural join of relations R₁ and R₂ over attributes X₁ and X₂, respectively, is the relation R₁ ▷◁ R₂ := { m₁ ⊗ m₂ | m₁ ∈ R₁ and m₂ ∈ R₂ } over attributes X₁ ∪ X₂. Since tables can often be very large, finding compact representations for them is useful. Fortunately, most real-world databases have additional structure; for instance, the value of one attribute might determine the value of another, a so-called functional dependency. Dependency structures can enable a large relation to be factored as a combination of smaller relations. We focus on join dependency, a relational analog of conditional independence. Definition 4.9 (Join dependency [Abiteboul et al. 1995; Fagin 1977]).
A relation R over attribute set X₁ ∪ X₂ satisfies the join dependency X₁ ▷◁ X₂ if R = (π_{X₁} R) ▷◁ (π_{X₂} R). Example 4.10 (Decomposition).
Consider the relation R below, with three attributes: Researcher, Field, and Conference. R contains triple (a, b, c) if and only if researcher a works in field b and attends conference c. If we know that researchers in the same field all have a shared set of conferences they attend, then we can recover R by joining two relations: one associating researchers to their fields, and another associating fields to conferences. As shown below, R satisfies the join dependency {Researcher, Field} ▷◁ {Conference, Field}. While the factored representation here is only slightly smaller—12 entries instead of 15—savings can be more significant for larger relations.

R:
Researcher  Field  Conference
Alice       PL     POPL
Alice       PL     PLDI
Bob         PL     POPL
Bob         PL     PLDI
Alice       DB     PODS

R = R₁ ▷◁ R₂, where:

R₁:
Field  Conference
PL     POPL
PL     PLDI
DB     PODS

R₂:
Field  Researcher
PL     Alice
PL     Bob
DB     Alice

Powerset monad and kernels.
Relations might look very different from probability distributions at first sight, but there is in fact a close connection: both are arrows in related categories. Relations are precisely the arrows of the Kleisli category for the powerset monad, Kℓ(P). Definition 4.11 (Powerset monad).
Let P be the endofunctor Set → Set mapping every set to the set of its subsets, P(X) = { U | U ⊆ X }. We define a unit map unit_X : X → P(X) mapping each x ∈ X to the singleton { x }, and a bind operation bind : P(X) → (X → P(Y)) → P(Y) by bind(U)(f) := { y | ∃x ∈ U. y ∈ f(x) }.

The triple ⟨P, unit, bind⟩ forms a monad, and obeys the laws in Equation (4.2). We overload the use of unit and bind as it will be clear from the context which monad, powerset or distribution, we are considering. The Kleisli category Kℓ(P) is defined analogously as for D, with sets as objects and arrows X → P(Y), and composition given as in Equation (4.3). Like before, we will consider maps of type Mem[S] → P(Mem[T]), which we will call powerset kernels in analogy to Markov kernels, or simply kernels when the monad is clear from the context. For the model, we will need two composition operations on powerset kernels. Definition 4.12 (Composition of powerset kernels).
Given kernels f : Mem[S] → P(Mem[T]) and д : Mem[U] → P(Mem[V]), we define their parallel composition, whenever S ∩ U = T ∩ V, as the map f ⊕ д : Mem[S ∪ U] → P(Mem[T ∪ V]) given by (f ⊕ д)(d) := f(d_S) ▷◁ д(d_U). Whenever T = U, we define the sequential composition f ⊙ д : Mem[S] → P(Mem[V]) using Kleisli composition. Explicitly: (f ⊙ д)(s) = { v | ∃u ∈ f(s). v ∈ д(u) }. Powerset kernels can also be projected/marginalized to a smaller range.
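These two compositions are easy to experiment with concretely. The following sketch (our own illustrative encoding, not from the paper's artifact) represents memories as frozensets of attribute–value pairs and powerset kernels as Python functions from an input memory to a set of output memories; `par` implements the parallel composition of Definition 4.12 via a pointwise natural join, and `seq` is Kleisli composition for the powerset monad:

```python
# Sketch: memories as frozensets of (attribute, value) pairs; a powerset
# kernel is a function from an input memory to a set of output memories.

def join1(m1, m2):
    """Natural join of two memories: their union if consistent, else None."""
    d1, d2 = dict(m1), dict(m2)
    if any(k in d1 and d1[k] != v for k, v in d2.items()):
        return None  # disagreement on a shared attribute
    return frozenset({**d1, **d2}.items())

def par(f, g, S, U):
    """Definition 4.12: (f ⊕ g)(d) := f(d|S) ▷◁ g(d|U), for f on domain S
    and g on domain U."""
    def fg(d):
        dS = frozenset((k, v) for k, v in d if k in S)
        dU = frozenset((k, v) for k, v in d if k in U)
        joined = {join1(m1, m2) for m1 in f(dS) for m2 in g(dU)}
        return {m for m in joined if m is not None}
    return fg

def seq(f, g):
    """Sequential (Kleisli) composition: (f ⊙ g)(s) = {v | u ∈ f(s), v ∈ g(u)}."""
    return lambda s: {v for u in f(s) for v in g(u)}

# Example: f nondeterministically picks z; g copies z into x; h sets y = 1.
f = lambda s: {frozenset([('z', 0)]), frozenset([('z', 1)])}
g = lambda s: {frozenset(list(s) + [('x', dict(s)['z'])])}
h = lambda s: {frozenset(list(s) + [('y', 1)])}
fgh = seq(f, par(g, h, {'z'}, {'z'}))
```

Running `fgh` on the empty memory yields exactly the two memories {z ↦ 0, x ↦ 0, y ↦ 1} and {z ↦ 1, x ↦ 1, y ↦ 1}, mirroring how ⊙ threads the outputs of f through the parallel block д ⊕ h.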
Definition 4.13 (Marginalization).
Suppose that T ⊆ U. A map f of type Mem[S] → P(Mem[U]) can be marginalized to π_T f : Mem[S] → P(Mem[T]) by defining (π_T f)(s) := (f(s))_T. We are now ready to define the second concrete model of DIBI: states will be powerset kernels, and we will use the parallel and sequential composition operations in a construction similar to M_D. Definition 4.14 (Relational frame).
We define the frame (M_P, ⊑, ⊕, ⊙, M_P) as follows:
• Let M_P consist of powerset kernels f : Mem[S] → P(Mem[S ∪ T]) such that, given any s ∈ Mem[S], f(s) is a relation that agrees with s on Mem[S], i.e., π_S f = unit_{Mem[S]};
• ⊕ and ⊙ are parallel and sequential composition of powerset kernels, respectively;
• Given f, д ∈ M_P, f ⊑ д if there exist R ⊆ Var, h ∈ M_P such that д = (f ⊕ unit_{Mem[R]}) ⊙ h.

Like in M_D, f ⊑ д iff д can be obtained from f by adding attributes that are preserved from domain to range, and then mapping tuples in the range to relations over a larger set of attributes. We can recover f from д by marginalizing to range(f) ∪ R, and then ignoring the attributes in R. M_P is also a DIBI frame. The proof, similar to the one for M_D, is given in Appendix C.

Theorem 4.15. (M_P, ⊑, ⊕, ⊙, M_P) is a DIBI frame.

In our concrete models, distributions and relations can be factored into simpler parts. Here, we show how conditional independence and join dependency can be captured by DIBI formulas.
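Before turning to the logical characterization, the probabilistic frame's parallel composition can also be checked concretely. The following sketch (a hypothetical encoding, not the paper's artifact) represents Markov kernels as nested dictionaries and verifies the decomposition k_x ⊕ k_y = k from Example 4.7, where the merged kernel gives the conditional distribution of (x, y) given z:

```python
# Sketch: Markov kernels on memories as {input_memory: {output_memory: prob}};
# `par` implements Definition 4.3: (f ⊕ g)(d)(m) = f(d|S)(m|T) · g(d|U)(m|V),
# enumerating only the consistent merges of inputs and outputs.
from fractions import Fraction as F

def merge(m1, m2):
    """Consistent union of two memories (frozensets of pairs), else None."""
    d = dict(m1)
    for k, v in m2:
        if d.get(k, v) != v:
            return None
        d[k] = v
    return frozenset(d.items())

def par(f, g):
    h = {}
    for df, outf in f.items():
        for dg, outg in g.items():
            d = merge(df, dg)
            if d is None:
                continue
            row = h.setdefault(d, {})
            for mf, p in outf.items():
                for mg, q in outg.items():
                    m = merge(mf, mg)
                    if m is not None:
                        row[m] = row.get(m, F(0)) + p * q
    return h

mem = lambda **kw: frozenset(kw.items())

# k_x, k_y: conditional distributions of x (resp. y) given z, as in Example 4.7.
kx = {mem(z=0): {mem(x=0, z=0): F(1, 2), mem(x=1, z=0): F(1, 2)},
      mem(z=1): {mem(x=0, z=1): F(1, 4), mem(x=1, z=1): F(3, 4)}}
ky = {mem(z=0): {mem(y=0, z=0): F(1, 2), mem(y=1, z=0): F(1, 2)},
      mem(z=1): {mem(y=0, z=1): F(1, 4), mem(y=1, z=1): F(3, 4)}}

k = par(kx, ky)
# Conditioned on z = 1, the joint probability of x = y = 1 is 3/4 · 3/4:
assert k[mem(z=1)][mem(x=1, y=1, z=1)] == F(9, 16)
```

Because both factors share z in their range, the merges in `par` line up the conditioning variable, and the resulting table matches Figure 3(d) row by row.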
Conditional independence (CI) is a well-studied notion in probability theory and statistics [Dawid 1979]. While there are many interpretations of CI, a natural reading is in terms of irrelevance: X and Y are independent conditioned on Z if knowing the value of Z renders X irrelevant to Y—observing X gives no further information about Y, and observing Y gives no further information about X. Before defining CI formally, we first introduce some notation. Let µ ∈ D(Mem[Var]) be a distribution. For any subset S ⊆ Var and assignment s ∈ Mem[S], we write:

µ(S = s) := Σ_{m ∈ Mem[Var]} µ(s ⊗ m).

Terms with undefined s ⊗ m contribute zero to the sum. We can now define conditional probabilities:

µ(S = s | S′ = s′) := µ(S = s, S′ = s′) / µ(S′ = s′), with µ(S = s, S′ = s′) := µ(S ∪ S′ = s ⊗ s′).

Intuitively, this ratio is the probability of S = s given S′ = s′, and it is only defined when the denominator is non-zero and s, s′ are consistent (i.e., s ⊗ s′ is defined). CI can be defined as follows. Definition 5.1 (Conditional independence).
Let X, Y, Z ⊆ Var. X and Y are independent conditioned on Z, written X ⊥⊥ Y | Z, if for all x ∈ Mem[X], y ∈ Mem[Y], and z ∈ Mem[Z]:

µ(X = x | Z = z) · µ(Y = y | Z = z) = µ(X = x, Y = y | Z = z).

When Z = ∅, we say that X and Y are independent, and write X ⊥⊥ Y. Example 5.2.
We present two simple applications of conditional independence.
Ice-cream and sunglasses sales.
Suppose we have a distribution over ice-cream sales (I), sunglasses sales (S), and daily average temperature (T). We might expect that I and S are correlated—both tend to increase as the temperature increases—but perhaps I and S are uncorrelated for any fixed temperature. This situation is modeled by the CI assertion I ⊥⊥ S | T. Algorithmic fairness.
To prevent algorithms from implicitly discriminating on the basis of sensitive features (e.g., gender and race), researchers have developed various definitions of algorithmic fairness [Barocas et al. 2019], many of which are based on conditional independence. For instance, let Y be the true value of the feature the algorithm aims to predict (e.g., an individual's credit score), A be the sensitive features, and Ŷ be the algorithm's prediction for Y given information about the individual. Considering the joint distribution of (A, Y, Ŷ), an algorithm satisfies equalized odds if Ŷ ⊥⊥ A | Y; calibration if Y ⊥⊥ A | Ŷ; and demographic parity if Ŷ ⊥⊥ A. To capture these kinds of dependencies in our logic, we will define a logical formula P such that a distribution µ satisfies CI if and only if its lifted kernel f_µ := ⟨⟩ ↦ µ satisfies f_µ ⊨ P. For this, we will need a basic atomic proposition which describes the domain and range of kernels; we will introduce richer atomic propositions later in Section 6, when we develop the program logic. Definition 5.3 (Basic atomic proposition).
For sets of variables A, B ⊆ Var, a basic atomic proposition has the form (A ▷ [B]). We give the following (evidently persistent) semantics to these formulas:

f ⊨ (A ▷ [B]) iff there exists f′ ⊑ f such that dom(f′) = A and range(f′) ⊇ B.

For example, f : Mem[y] → D(Mem[y, z]) defined by f(y ↦ v) := unit(y ↦ v, z ↦ v) satisfies (y ▷ [y]), (y ▷ [z]), (y ▷ [∅]), (y ▷ [y, z]), (∅ ▷ [∅]), and no other atomic propositions. These simple atomic propositions are enough to model CI.

Theorem 5.4. Given distribution µ ∈ D(Mem[Var]), then for any X, Y, Z ⊆ Var,

f_µ ⊨ (∅ ▷ [Z]) ⨟ ((Z ▷ [X]) ∗ (Z ▷ [Y]))   (5.1)

if and only if X ⊥⊥ Y | Z and X ∩ Y ⊆ Z are both satisfied.

The restriction X ∩ Y ⊆ Z is harmless since X ⊥⊥ Y | Z iff X ⊥⊥ Y | Z ∪ (X ∩ Y). For simplicity, we abbreviate the formula (∅ ▷ [Z]) ⨟ ((Z ▷ [X]) ∗ (Z ▷ [Y])) as [Z] ⨟ ([X] ∗ [Y]).

Proof. For the forward direction, suppose f_µ satisfies (5.1). Then, there exist f, д, and h in M_D with f ⊙ (д ⊕ h) ⊑ f_µ, where f : Mem[∅] → D(Mem[Z]), д : Mem[Z] → D(Mem[Z ∪ X]), and h : Mem[Z] → D(Mem[Z ∪ Y]); we must also have X ∩ Y ⊆ Z. Since dom(f_µ) = Mem[∅], we have:

f ⊙ (д ⊕ h) = π_{Z∪X∪Y} f_µ   (marginal distribution of Z ∪ X ∪ Y)
f = π_Z f_µ   (marginal distribution of Z)

Further, we can show that f ⊙ (д ⊕ h) = f ⊙ д ⊙ (unit_X ⊕ h) = f ⊙ h ⊙ (unit_Y ⊕ д), and thus:

f ⊙ д = π_{Z∪X} f_µ   (marginal distribution of Z ∪ X)
f ⊙ h = π_{Z∪Y} f_µ   (marginal distribution of Z ∪ Y)

These imply that д and h encode the conditional distributions of X and Y given Z, and д ⊕ h encodes the conditional distribution of (X, Y) given Z. Hence, the conditional distribution of (X, Y) given Z is equal to the product distribution of X given Z and Y given Z, and so X ⊥⊥ Y | Z holds in µ.

For the reverse direction, suppose that (1) X ⊥⊥ Y | Z holds in µ and (2) X ∩ Y ⊆ Z. Now, consider the marginal distribution on (X, Y, Z) encoded as the kernel π_{X∪Y∪Z} f_µ and observe that we have π_{X∪Y∪Z} f_µ = f ⊙ f′, where f encodes the marginal distribution of Z, and f′ is the conditional distribution of (X, Y) given values of Z. From (1), the conditional distribution of (X, Y) given Z is the product of the conditional distributions of X given Z, and Y given Z, that is f′ = д ⊕ h, where д (resp. h) encode the conditional distribution of X (resp. Y) given Z.

It is straightforward to see that f ⊙ (д ⊕ h) satisfies [Z] ⨟ ([X] ∗ [Y]) (using assumption (2)). Hence, since f ⊙ (д ⊕ h) = π_{X∪Y∪Z} f_µ ⊑ f_µ, persistence shows that f_µ also satisfies [Z] ⨟ ([X] ∗ [Y]). □

Recall that a relation R over attributes X ∪ Y satisfies the join dependency X ▷◁ Y if R = R_X ▷◁ R_Y. As we illustrated through the Researcher-Field-Conference example in Section 4, join dependencies can enable a relation to be represented more compactly.
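The relational reading can be checked directly on the Researcher–Field–Conference example from Section 4. The following sketch uses our own illustrative helpers (`project`, `natjoin`, `row` are not from the paper) to verify that R equals the natural join of its two projections:

```python
# Sketch: relations as sets of frozenset-of-pairs tuples; `project` is
# Definition 4.8's projection, `natjoin` its natural join.

def project(R, Y):
    return {frozenset((a, v) for a, v in t if a in Y) for t in R}

def natjoin(R1, R2):
    out = set()
    for t1 in R1:
        for t2 in R2:
            d = dict(t1)
            if all(d.get(a, v) == v for a, v in t2):  # consistent on shared attrs
                out.add(frozenset({**d, **dict(t2)}.items()))
    return out

row = lambda **kw: frozenset(kw.items())
R = {row(researcher='Alice', field='PL', conf='POPL'),
     row(researcher='Alice', field='PL', conf='PLDI'),
     row(researcher='Bob', field='PL', conf='POPL'),
     row(researcher='Bob', field='PL', conf='PLDI'),
     row(researcher='Alice', field='DB', conf='PODS')}

lhs = project(R, {'researcher', 'field'})
rhs = project(R, {'field', 'conf'})
# R satisfies the join dependency {Researcher, Field} ▷◁ {Conference, Field}:
assert natjoin(lhs, rhs) == R
```

The two projections carry 12 entries between them versus 15 in R, matching the counting in Example 4.10; for a relation violating the dependency, the join would instead strictly contain R.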
By interpreting the atomic propositions identically in the relational model, join dependency is captured by the same formula we used for CI. Theorem 5.5.
Let R ∈ P(Mem[Var]) and X, Y be sets of attributes such that X ∪ Y = Var. The lifted relation f_R = ⟨⟩ ↦ R satisfies f_R ⊨ [X ∩ Y] ⨟ ([X] ∗ [Y]) iff R satisfies the join dependency X ▷◁ Y.

Join dependency is a special case of embedded multivalued dependency (EMVD), where the relation R may have more attributes than X ∪ Y. It is straightforward to encode EMVD in our logic, but for simplicity we stick with join dependency.

Proof. For the forward direction, we first show that there exist f, д, and h ∈ M_P such that f : Mem[∅] → P(Mem[X ∩ Y]), д : Mem[X ∩ Y] → P(Mem[X]), h : Mem[X ∩ Y] → P(Mem[Y]), and f ⊙ (д ⊕ h) ⊑ f_R. Since by assumption X ∪ Y = Var, we must have f ⊙ (д ⊕ h) = f_R. Unfolding ⊕ and ⊙ and using the fact that range(f) = dom(д) = dom(h), we can show:

f ⊙ (д ⊕ h)(⟨⟩) = { u ▷◁ (v₁ ▷◁ v₂) | u ∈ f(⟨⟩), v₁ ∈ д(u), v₂ ∈ h(u) }.

Since ▷◁ is idempotent, we have:

f ⊙ (д ⊕ h)(⟨⟩) = { (u ▷◁ v₁) ▷◁ (u ▷◁ v₂) | u ∈ f(⟨⟩), v₁ ∈ д(u), v₂ ∈ h(u) } = f ⊙ д(⟨⟩) ▷◁ f ⊙ h(⟨⟩).

We can also convert the parallel composition of д, h into sequential composition by padding to make the respective domain and range match: f ⊙ (д ⊕ h) = f ⊙ д ⊙ (unit_X ⊕ h) = f ⊙ h ⊙ (unit_Y ⊕ д). Hence f ⊙ д = π_X f_R and f ⊙ h = π_Y f_R, which implies f ⊙ д(⟨⟩) = R_X and f ⊙ h(⟨⟩) = R_Y. Thus:

R = f ⊙ (д ⊕ h)(⟨⟩) = f ⊙ д(⟨⟩) ▷◁ f ⊙ h(⟨⟩) = R_X ▷◁ R_Y,

so R satisfies the join dependency X ▷◁ Y. The reverse direction is analogous to Theorem 5.4. □

Conditional independence and join dependency are closely related in our models. Indeed, there is a long line of research on generalizing these properties to other independence-like notions, and identifying suitable axioms.
Graphoids are perhaps the most well-known approach [Pearl and Paz 1985]; Dawid [2001] has a similar notion called separoids. Definition 5.6 (Graphoids and semi-graphoids).
Suppose that I(X, Z, Y) is a ternary relation on subsets of Var (i.e., X, Z, Y ⊆ Var). Then I is a graphoid if it satisfies the following properties:

I(X, Z, Y) ⇔ I(Y, Z, X)   (Symmetry)
I(X, Z, Y ∪ W) ⇒ I(X, Z, Y) ∧ I(X, Z, W)   (Decomposition)
I(X, Z, Y ∪ W) ⇒ I(X, Z ∪ W, Y)   (Weak Union)
I(X, Z, Y) ∧ I(X, Z ∪ Y, W) ⇔ I(X, Z, Y ∪ W)   (Contraction)
I(X, Z ∪ W, Y) ∧ I(X, Z ∪ Y, W) ⇒ I(X, Z, Y ∪ W)   (Intersection)

If I satisfies the first four properties, then it is a semi-graphoid.

Intuitively, I(X, Z, Y) states that knowing Z renders X irrelevant to Y. If we fix a distribution µ ∈ D(Mem[Var]), then taking I(X, Z, Y) to be the set of triples such that X ⊥⊥ Y | Z holds (in µ) defines a semi-graphoid. Likewise, if we fix a relation R ∈ P(Mem[Var]), then the set of triples of sets of attributes such that R satisfies an embedded multivalued dependency (EMVD) forms a semi-graphoid [Fagin 1977; Pearl and Verma 1987]. Previously, we showed that the DIBI formula [Z] ⨟ ([X] ∗ [Y]) asserts conditional independence of X and Y given Z in M_D, and join dependency X ▷◁ Y in M_P when Z = X ∩ Y. Here, we show that the semi-graphoid axioms can be naturally translated into valid formulas in our concrete models. Theorem 5.7.
The following formulas are valid in the probabilistic and relational models:

[Z] ⨟ ([X] ∗ [Y]) ↔ [Z] ⨟ ([Y] ∗ [X])   (Symmetry)
[Z] ⨟ ([X] ∗ [Y ∪ W]) → [Z] ⨟ ([X] ∗ [Y]) ∧ [Z] ⨟ ([X] ∗ [W])   (Decomposition)
[Z] ⨟ ([X] ∗ [Y ∪ W]) → [Z ∪ W] ⨟ ([X] ∗ [Y])   (Weak Union)
[Z] ⨟ ([X] ∗ [Y]) ∧ [Z ∪ Y] ⨟ ([X] ∗ [W]) ↔ [Z] ⨟ ([X] ∗ [Y ∪ W])   (Contraction)

Furthermore, Symmetry is derivable in the proof system, and Decomposition is derivable given the following axiom, valid in both models:

(Z ▷ [Y ∪ W]) ↔ (Z ▷ [Y]) ∧ (Z ▷ [W])   (Split)

Proof sketch. We comment on the derivable axioms. To derive Symmetry, we use the ∗-Comm proof rule to commute the separating conjunction. The proof of Decomposition uses the axiom Split to split up Y ∪ W, and then uses the proof rules for ∧. □

As our final application, we design a separation logic for probabilistic programs. We will work with a simplified probabilistic imperative language with assignments, sampling, sequencing, and randomized conditionals; our goal is to show how a DIBI-based program logic could work in the simplest setting. Following the design of PSL [Barthe et al. 2019], a richer program logic could also layer on constructs for deterministic assignment and deterministic control flow (conditionals and loops) at the cost of increasing the complexity of the programming language and semantics. We do not foresee difficulties in implementing these extensions, and we leave them for future work.
Program syntax.
Let Var be a fixed, finite set of program variables. We will consider the following programming language:

Exp ∋ e ::= x ∈ Var | tt | ff | e ∧ e′ | e ∨ e′ | · · ·
Com ∋ c ::= skip | x ← e | x $← B_p (p ∈ [0, 1]) | c ; c′ | if x then c else c′

We assume that all variables and expressions are Boolean-valued, for simplicity. The only probabilistic command is x $← B_p, which draws from a p-biased coin flip (i.e., probability of tt is p) and stores the result in x; for instance, x $← B_{1/2} samples from a fair coin flip. Program semantics.
Following Kozen [1981], we give programs a denotational semantics as distribution transformers ⟦c⟧ : D(Mem[Var]) → D(Mem[Var]); see Figure 4. To define the semantics of randomized conditionals, we will use operations for conditioning to split control flow, and convex combinations to merge control flow. More formally, let µ ∈ D(A) be a distribution, let S ⊆ A be an event, and let µ(S) be the probability of S in µ. Then the conditional distribution of µ given S is:

(µ | S)(a) := µ(a)/µ(S) if a ∈ S and µ(S) ≠ 0, and (µ | S)(a) := 0 if a ∉ S.

For convex combination, let p ∈ [0, 1] and µ₁, µ₂ ∈ D(A). We define:

(µ₁ ⊕_p µ₂)(a) := p · µ₁(a) + (1 − p) · µ₂(a).

When p = 0 or p = 1, we define ⊕_p lazily: µ₁ ⊕₁ µ₂ := µ₁ and µ₁ ⊕₀ µ₂ := µ₂. Conditioning and convex combination are inverses in the following sense: µ = (µ | S) ⊕_{µ(S)} (µ | A \ S).

⟦x ← e⟧µ := bind(µ, m ↦ unit(m[x ↦ ⟦e⟧(m)]))
⟦x $← B_p⟧µ := bind(µ, m ↦ bind(Bern_p, v ↦ unit(m[x ↦ v])))
⟦c ; c′⟧µ := ⟦c′⟧(⟦c⟧µ)
⟦if b then c else c′⟧µ := ⟦c⟧(µ | ⟦b = tt⟧) ⊕_p ⟦c′⟧(µ | ⟦b = ff⟧), where p := µ(⟦b = tt⟧)

Fig. 4. Program semantics

z $← B_{1/2};
x $← B_{1/2};
y $← B_{1/2};
a ← x ∨ z;
b ← y ∨ z

(a) CommonCause

z $← B_{1/2};
if z then
    x $← B_p; y $← B_p
else
    x $← B_q; y $← B_q

(b) CondSamples

Fig. 5. Example programs

Example 6.1.
Programs in our language can generate independent and conditionally independent random variables. Figure 5 introduces two example programs. The program CommonCause (Figure 5a) models a distribution where two random observations share a common cause. Specifically, we consider z, x, and y to be independent random samples, and a and b to be values computed from (x, z) and (y, z), respectively. Intuitively, z, x, y could represent independent noisy measurements, while a and b could represent quantities derived from these measurements. Since a and b share a common source of randomness—namely, z—they are not independent. However, conditioned on the value of z, a and b are independent; this is a textbook example of conditional independence and we will show how to use our program logic to establish this fact.

The program CondSamples (Figure 5b) is a bit more complex: it branches on a random value z, and then assigns x and y two independent samples from B_p in the true branch, and B_q in the false branch. While we might think that x and y are independent at the end of the program since they are independent at the end of each branch, this is not true because their distributions are different in the two branches. For example, suppose that p = 1 and q = 0. Then at the end of the first branch (x, y) = (tt, tt) with probability 1, while at the end of the second branch (x, y) = (ff, ff) with probability 1. Thus observing whether x = tt or x = ff determines the value of y—clearly, x and y can't be independent. However, x and y are independent conditioned on z. This example will demonstrate our program logic's proof rules for conditionals.

Like all program logics, CPSL is constructed in two layers: the assertion logic describes program states—here, probability distributions—while the program logic describes probabilistic programs, using the assertion logic to specify pre- and post-conditions. Our starting point for the assertion logic is the probabilistic model of DIBI introduced in Section 4, with atomic assertions as in Section 5. However, it turns out that the full logic DIBI is not suitable for a program logic. The main problem is that not all formulas in DIBI satisfy a key technical condition, known as restriction. Definition 6.2 (Restriction).
A formula P satisfies restriction if: a Markov kernel f satisfies P if and only if there exists f′ ⊑ f such that range(f′) ⊆ FV(P) and f′ ⊨ P.

The reverse direction is immediate by persistence, but the forward direction is more delicate. Restriction was first considered by Barthe et al. [2019] while developing PSL: formulas satisfying restriction are preserved if the program does not modify variables appearing in the formula. This technical property is crucial to supporting Frame-like rules in PSL, which are also used to derive general versions of rules for assignment and sampling, so failure of the restriction property imposes severe limitations on the program logic. In PSL, assertions were drawn from BI with atomic formulas for modeling random variables. Using properties specific to probability distributions, they showed that their logic is well-behaved with respect to restriction: all formulas satisfy this property. However, DIBI is richer than BI, and there are simple formulas where restriction fails. Example 6.3 (Failure of restriction).
Consider the formula P := ⊤ ⨟ (x ▷ [x]), and consider the kernel f : Mem[z] → D(Mem[x, z]) with f(z ↦ c) := unit(x ↦ c, z ↦ c). Letting f₁ : Mem[z] → D(Mem[x, z]) and f₂ : Mem[x, z] → D(Mem[x, z]) with f₁(z ↦ c) := unit(x ↦ c, z ↦ c) ⊨ ⊤ and f₂ := unit_{Mem[x]} ⊕ unit_{Mem[z]} ⊨ (x ▷ [x]), we have f = f₁ ⊙ f₂ ⊨ P. Any subkernel f′ ⊑ f satisfying P and witnessing restriction must be of type f′ : Mem[x] → D(Mem[x]), but it is not hard to check that there is no such subkernel.

To address this problem, we will identify a fragment of DIBI that satisfies restriction and is sufficiently rich to support an interesting program logic. Intuitively, restriction may fail for P when a kernel satisfying P (i) implicitly requires unexpected variables in its domain, or (ii) does not describe needed variables in its range. Thus, we employ syntactic conditions to approximate which variables may appear in the domain (FV_D), and which variables must appear in the range (FV_R). Definition 6.4 (FV_D and FV_R). For the formulas in Form
RDIBI generated by probabilistic atomicpropositions, conjunctions ( ∧ , ∗ , (cid:35) ) and disjunction ( ∨ ), we define two sets of variables: FV D (⊤) = FV D (⊥) : = ∅ FV R (⊤) = FV R (⊥) : = ∅ FV D ( A ▷ B ) : = FV ( A ) FV R ( A ▷ B ) : = FV ( A ) ∪ FV ( B ) FV D ( P ∧ Q ) : = FV D ( P ) ∪ FV D ( Q ) FV R ( P ∧ Q ) : = FV R ( P ) ∪ FV R ( Q ) FV D ( P ∗ Q ) : = FV D ( P ) ∪ FV D ( Q ) FV R ( P ∗ Q ) : = FV R ( P ) ∪ FV R ( Q ) FV D ( P (cid:35) Q ) : = FV D ( P ) ∪ FV D ( Q ) FV R ( P (cid:35) Q ) : = FV R ( P ) ∪ FV R ( Q ) FV D ( P ∨ Q ) : = FV D ( P ) ∪ FV D ( Q ) FV R ( P ∨ Q ) : = FV R ( P ) ∩ FV R ( Q ) Now, we have all the ingredients to introduce our assertions. The logic RDIBI is a fragment ofDIBI with atomic propositions AP , with formulas Form RDIBI defined by the following grammar: P , Q :: = AP | ⊤ | ⊥ | P ∨ Q | P ∗ Q | P (cid:35) Q ( FV D ( Q ) ⊆ FV R ( P ))| P ∧ Q ( FV R ( P ) = FV R ( Q ) = FV ( P ) = FV ( Q )) . The side-condition for P (cid:35) Q ensures that variables used by Q are described by P . The side-conditionfor P ∧ Q is the most restrictive—to understand why we need it, consider the following example. Example 6.5 (Failure of restriction for ∧ ). Consider the formula P : = (∅ ▷ [ x ]) ∧ (∅ ▷ [ y ]) , and kernel f : Mem [ z ] → D( Mem [ x , y , z ]) with f ( z (cid:55)→ tt ) being the distribution with x a fair coin flip, y = x , , Vol. 1, No. 1, Article . Publication date: August 2020. and z = tt , and f ( z (cid:55)→ ff ) being the distribution with x a fair coin flip, y = ¬ x , and z = ff . Then,there exist f : Mem [∅] → D(
Mem [ x ]) and f : Mem [∅] → D(
Mem [ y ]) such that f ⊑ f and f ⊑ f . Since f | = (∅ ▷ [ x ]) and f | = (∅ ▷ [ y ]) , it follows f | = P . But, because z is correlated with ( x , y ) , there is no kernel f ′ : Mem [∅] → D(
Mem [ x , y ]) satisfying P such that f ′ ⊑ f .When we take atomic propositions from Section 5, formulas are pairs of sets of variables: ( A ▷ [ B ]) where A , B ⊆ Var . With these atoms, all formulas in RDIBI satisfy restriction. Before showing thisproperty, however, we will enrich the atomic propositions to describe more fine-grained informationabout the domain and range of kernels:
Domain. Given a kernel f, the existing atomic propositions can only describe properties that hold for all (well-typed) inputs m to f. We would like to be able to describe properties that hold only for certain inputs, e.g., for memories m where a variable z is true.

Range. Given any input m to a kernel f, the existing atomic propositions can only guarantee the presence of variables in the output distribution f(m). We would like to describe more precise information about f(m), e.g., that certain variables are independent conditioned on a particular value of m, rather than on all values of m.

Our strategy will be to extend atomic propositions to all pairs of logical formulas (D ▷ R), where D is a logical formula over the kernel domain (i.e., memories), while R is a logical formula over the kernel range (i.e., distributions over memories). To describe memories, we take a simple propositional logic for the domain logic.

Definition 6.6 (Domain logic).
The domain logic has formulas D of the form S : p_d, where S ⊆ Var is a subset of variables and:

p_d ::= x = e | ⊤ | ⊥ | p_d ∧ p′_d | p_d ∨ p′_d.

A formula S : p_d is satisfied in m ∈ Mem[T], written m ⊨_d S : p_d, if S = T and p_d holds in m. We can read S : p_d as "memories over S such that p_d" and abbreviate S : ⊤ as just S. To describe distributions over memories, we adapt probabilistic BI [Barthe et al. 2019] for the range logic.

Definition 6.7 (Range logic).
The range logic has the following formulas from probabilistic BI:

p_r ::= [S] (S ⊆ Var) | x ∼ d | x = e | ⊤ | ⊥ | p_r ∧ p′_r | p_r ∗ p′_r.

We give a semantics where states are distributions over memories: M_r = { µ : D(Mem[S]) | S ⊆ Var }. We define a pre-order on states via µ₁ ⊑_r µ₂ if and only if dom(µ₁) ⊆ dom(µ₂) and π_dom(µ₁) µ₂ = µ₁, and we define a partial binary operation on states: if dom(µ₁) = S₁ ∪ T and dom(µ₂) = S₂ ∪ T with S₁, S₂, T disjoint, and π_T µ₁ = π_T µ₂ = unit(m) for some m ∈ Mem[T], then

µ₁ ⊕_r µ₂ := π_S₁ µ₁ ⊗ unit(m) ⊗ π_S₂ µ₂,

where ⊗ takes the independent product of two distributions over disjoint domains; otherwise ⊕_r is not defined. This operation generalizes the monoid from probabilistic BI to allow combining distributions with overlapping domains if the distributions over the overlap are deterministic and equal; this mild generalization is useful for our setting, where distributions often have deterministic variables (e.g., variables corresponding to the input of kernels). Then, we define the semantics of the range logic as:

µ ⊨_r ⊤           always
µ ⊨_r ⊥           never
µ ⊨_r [S]         iff S ⊆ dom(µ)
µ ⊨_r x ∼ d       iff x ∈ dom(µ) and π_x µ = ⟦d⟧(m_v), where unit(m_v) = π_FV(d) µ
µ ⊨_r x = e       iff {x}, FV(e) ⊆ dom(µ) and µ(⟦x = e⟧) = 1
µ ⊨_r p_r ∧ p′_r  iff µ ⊨_r p_r and µ ⊨_r p′_r
µ ⊨_r p_r ∗ p′_r  iff there exist µ₁ ⊕_r µ₂ ⊑ µ with µ₁ ⊨_r p_r and µ₂ ⊨_r p′_r.

Now, we can give a semantics to our enriched atomic propositions.
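To make the partiality of ⊕_r concrete, the following sketch implements Definition 6.7's product on finite distributions over memories. The data representation (memories as frozensets of variable/value pairs) is our own choice for illustration, not the paper's formalization:

```python
from itertools import product

# A distribution over memories: a dict mapping a memory (a frozenset of
# (variable, value) pairs) to its probability.

def dom(mu):
    """Domain of a distribution: the variables its memories assign."""
    mem = next(iter(mu))
    return {var for var, _ in mem}

def marginal(mu, S):
    """Project (marginalize) a distribution onto the variables in S."""
    out = {}
    for mem, p in mu.items():
        proj = frozenset((v, x) for v, x in mem if v in S)
        out[proj] = out.get(proj, 0.0) + p
    return out

def is_point(mu):
    """A Dirac (deterministic) distribution has a single memory."""
    return len(mu) == 1

def oplus_r(mu1, mu2):
    """Partial product from Definition 6.7: defined only when the
    marginals on the shared variables are equal point distributions."""
    T = dom(mu1) & dom(mu2)
    m1, m2 = marginal(mu1, T), marginal(mu2, T)
    if not (is_point(m1) and m1 == m2):
        return None  # overlap not deterministic-and-equal: undefined
    shared = next(iter(m1))
    S1, S2 = dom(mu1) - T, dom(mu2) - T
    out = {}
    for (a, p), (b, q) in product(marginal(mu1, S1).items(),
                                  marginal(mu2, S2).items()):
        key = a | shared | b
        out[key] = out.get(key, 0.0) + p * q
    return out

# Combining "x fair coin, z = 1" with "y fair coin, z = 1" succeeds,
# because the overlap {z} is deterministic and equal on both sides:
mu1 = {frozenset({("x", 0), ("z", 1)}): 0.5, frozenset({("x", 1), ("z", 1)}): 0.5}
mu2 = {frozenset({("y", 0), ("z", 1)}): 0.5, frozenset({("y", 1), ("z", 1)}): 0.5}
print(oplus_r(mu1, mu2) is not None)  # True
```

If instead z is random in one argument, the overlap marginal is not a point distribution and the operation is undefined, matching the side condition in the definition.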
Assn:
  x ∉ FV(e) ∪ FV(P)
  ------------------------------------------
  ⊢ {P} x ← e {P ⨟ (FV(e) ▷ x = e)}

Samp:
  x ∉ FV(d) ∪ FV(P)
  ------------------------------------------
  ⊢ {P} x $← d {P ⨟ (FV(d) ▷ x ∼ d)}

Skip:
  ⊢ {P} skip {P}

Seqn:
  ⊢ {P} c {Q}    ⊢ {Q} c′ {R}
  ------------------------------------------
  ⊢ {P} c ; c′ {R}

DCond:
  ⊢ {(∅ ▷ b = tt) ⨟ P} c {(∅ ▷ b = tt) ⨟ (b : b = tt ▷ Q₁)}
  ⊢ {(∅ ▷ b = ff) ⨟ P} c′ {(∅ ▷ b = ff) ⨟ (b : b = ff ▷ Q₂)}
  ------------------------------------------
  ⊢ {(∅ ▷ [b]) ⨟ P} if b then c else c′ {(∅ ▷ [b]) ⨟ ((b : b = tt ▷ Q₁) ∧ (b : b = ff ▷ Q₂))}

Weak:
  ⊢ {P} c {Q}    ⊨ P′ → P    ⊨ Q → Q′
  ------------------------------------------
  ⊢ {P′} c {Q′}

Frame:
  ⊢ {P} c {Q}    FV(R) ∩ MV(c) = ∅    FV(Q) ⊆ FV_R(P) ∪ WV(c)    RV(c) ⊆ FV_R(P)
  ------------------------------------------
  ⊢ {P ∗ R} c {Q ∗ R}

Fig. 6. Proof rules: CPSL
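The postconditions produced by Assn and Samp have a uniform shape: the precondition is extended with one new atomic fact by ⨟. The following hypothetical toy (our own illustration, not the paper's implementation) tracks assertions as strings, applies the two rules forward, and checks the freshness side condition; the command encoding and the names `step`/`forward` are assumptions of this sketch:

```python
# Commands are tuples ("assign"/"sample", assigned variable, set of free
# variables of the right-hand side, right-hand side as a string).

def step(P, fv_P, cmd):
    kind, x, fv_rhs, rhs = cmd
    # Shared side condition of Assn and Samp: x is fresh for e/d and P.
    assert x not in fv_rhs | fv_P, "side condition: x must be fresh"
    dom_part = "{" + ",".join(sorted(fv_rhs)) + "}" if fv_rhs else "∅"
    rel = "=" if kind == "assign" else "~"
    post = f"{P} ⨟ ({dom_part} ▷ {x} {rel} {rhs})"
    return post, fv_P | fv_rhs | {x}

def forward(cmds, P="⊤"):
    """Chain step over a straight-line program, as Seqn does."""
    fv_P = set()
    for cmd in cmds:
        P, fv_P = step(P, fv_P, cmd)
    return P

# Sampling z and x, then assigning a from {z, x}:
prog = [("sample", "z", set(), "B"), ("sample", "x", set(), "B"),
        ("assign", "a", {"z", "x"}, "e")]
print(forward(prog))  # ⊤ ⨟ (∅ ▷ z ~ B) ⨟ (∅ ▷ x ~ B) ⨟ ({x,z} ▷ a = e)
```

This mirrors the chained assertions that appear at the start of the verifications below, before the axioms of Propositions 6.13 and 6.14 are used to massage them.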
Definition 6.8. Given a kernel f and atomic proposition (D ▷ R), we define a persistent semantics:

f ⊨ (D ▷ R) iff there exists f′ ⊑ f such that m ⊨_d D implies m ∈ dom(f′) and f′(m) ⊨_r R.

Atomic propositions satisfy the following axiom schemas, inspired by Hoare logic.

Proposition 6.9. The following axiom schemas for atomic propositions are sound.

(S : p_d ▷ p_r) ∧ (S : p′_d ▷ p′_r) → (S : p_d ∧ p′_d ▷ p_r ∧ p′_r)   if FV(p_r) = FV(p′_r)   (AP-And)
(S : p_d ▷ p_r) ∧ (S : p′_d ▷ p′_r) → (S : p_d ∨ p′_d ▷ p_r ∨ p′_r)   (AP-Or)
(S : p_d ▷ p_r) ∗ (S′ : p′_d ▷ p′_r) → (S ∪ S′ : p_d ∧ p′_d ▷ p_r ∗ p′_r)   (AP-Par)
⊨_d p′_d → p_d and ⊨_r p_r → p′_r implies ⊨ (S : p_d ▷ p_r) → (S : p′_d ▷ p′_r)   (AP-Imp)

Finally, formulas in RDIBI satisfy restriction.

Theorem 6.10 (Restriction in RDIBI). Let P ∈ Form_RDIBI with atomic propositions (D ▷ R), as described above. Then f ⊨ P if and only if there exists f′ ⊑ f such that range(f′) ⊆ FV(P) and f′ ⊨ P.

Proof sketch. By induction on P, proving a stronger statement: f ⊨ P if and only if there exists f′ ⊑ f such that f′ ⊨ P, dom(f′) ⊆ FV_D(P), and FV_R(P) ⊆ range(f′) ⊆ FV(P). □

With the assertion logic set, we are now ready to introduce our program logic. Judgments in CPSL have the form {P} c {Q}, where c ∈ Com is a probabilistic program and P, Q ∈ Form_RDIBI are restricted assertions. As usual, a program in a judgment maps states satisfying the pre-condition to states satisfying the post-condition.
Definition 6.11 (CPSL Validity). A CPSL judgment {P} c {Q} is valid, written ⊨ {P} c {Q}, if for every input distribution µ ∈ D(Mem[Var]) such that the lifted input f_µ : Mem[∅] → D(Mem[Var]) satisfies f_µ ⊨ P, the lifted output satisfies f_⟦c⟧(µ) ⊨ Q.

The proof rules of CPSL are presented in Figure 6. Note that all rules implicitly require that assertions are from RDIBI; e.g., the rule Assn requires that the post-condition P ⨟ (FV(e) ▷ x = e) is a formula in RDIBI, which in turn requires that FV(e) = FV_D(FV(e) ▷ x = e) ⊆ FV_R(P).

The rules Skip, Seqn, and Weak are standard; we comment on the other, more interesting rules. Assn and Samp allow forward reasoning across assignment and random sampling commands. In both cases, a pre-condition that does not mention the assigned variable x is augmented with new information tracking the value or distribution of x, and the variables x may depend on.

DCond allows reasoning about probabilistic control flow, and the conditional dependence that may result. The main pre-condition P is allowed to depend on the guard variable b (recalling that FV_D(P) ⊆ FV_R(∅ ▷ [b])), and P is preserved as a pre-condition for both branches. The post-conditions allow introducing new facts (b : b = tt ▷ Q₁) and (b : b = ff ▷ Q₂), which are then combined in the post-condition of the entire conditional command. As in PSL, the rule for conditionals does not allow the branches to modify the guard b; this restriction is needed to accurately associate each post-condition with its branch.

Finally, Frame is the frame rule for CPSL. Much like in PSL, the rule involves three classes of variables: MV(c) is the set of variables that c may write to, RV(c) is the set of variables that c may read from the input, and WV(c) is the set of variables that c must write to; these variable sets are defined in Appendix H. Then, Frame is essentially the same as in PSL. The first side-condition, FV(R) ∩ MV(c) = ∅, ensures that the frame R is not modified; this condition is fairly standard. The second and third side-conditions are more specialized. First, the variables described by Q in the post-condition are either already described by P in the pre-condition, or are written by c. Second, the variables read by c must be described by P in the pre-condition. These two side-conditions ensure that variables mentioned by Q that were not already independent of R are freshly written, and freshly written variables are derived from variables that were already independent from R.

Theorem 6.12 (CPSL Soundness). CPSL is sound: derivable judgments are valid.
Proof sketch. By induction on the proof derivation. The restriction property is used repeatedly to constrain the domains and ranges of kernels witnessing different sub-assertions, ensuring that pre-conditions about unmodified variables continue to hold in the post-condition. □

Now, we show how to use CPSL to verify our two example programs in Figure 5. In both cases, we will prove a conditional independence assertion as the post-condition. We will need some axioms for implications between formulas in RDIBI; these axioms are valid in our probabilistic model M_D.

Proposition 6.13 (Axioms for RDIBI). The following axioms are sound, assuming both the antecedent and the consequent are in Form_RDIBI.

(P ⨟ Q) ⨟ R → P ⨟ (Q ∗ R)   (Indep-1)
P ⨟ Q → P ∗ Q   if FV_D(Q) = ∅   (Indep-2)
P ⨟ Q → P ⨟ (Q ∗ (S ▷ [S]))   (Pad)
(P ∗ Q) ⨟ (R ∗ S) → (P ⨟ R) ∗ (Q ⨟ S)   (RestExch)

We briefly explain the axioms. Indep-1 holds because P ⨟ (Q ∗ R) ∈ Form_RDIBI implies that R only mentions variables that are guaranteed to be in P. Indep-2 holds because any kernel witnessing Q depends on no variables, and is thus independent of any kernel witnessing P. Pad allows conjoining (S ▷ [S]) to the second conjunct; since P ⨟ (Q ∗ (S ▷ [S])) is in RDIBI, S can only mention variables that are already in P. Finally, RestExch shows that the standard exchange law holds for restricted assertions. We defer the proof to Appendix I.

We also need the following axioms for a particular form of atomic propositions, in addition to the axioms for general atomic propositions in Proposition 6.9.

Proposition 6.14 (Axioms for atomic propositions). The following axioms are sound.

(S ▷ [A] ∗ [B]) → (S ▷ [A]) ∗ (S ▷ [B])   if A ∩ B ⊆ S   (RevPar)
(S ▷ [A] ∗ [B]) → (S ▷ [A ∪ B])   (UnionRan)
(A ▷ [B]) ⨟ (B ▷ [C]) → (A ▷ [C])   (AtomSeq)
(A ▷ [B]) → (A ▷ [A]) ⨟ (A ▷ [B])   (UnitL)
(A ▷ [B]) → (A ▷ [B]) ⨟ (B ▷ [B])   (UnitR)

We defer the proof to Appendix I. Now, we will describe how to verify our example programs, CommonCause and CondSamples. Throughout, we must ensure that all formulas used in CPSL rules or RDIBI axioms are in Form_RDIBI. The product ⨟ raises a tricky point: Form_RDIBI is not closed under reassociating ⨟, so we add parentheses for formulas that must be in RDIBI. However, we may soundly use the full proof system of DIBI when proving implications between RDIBI assertions, since RDIBI is a fragment of DIBI.
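The membership conditions for Form_RDIBI are purely syntactic, so they can be checked mechanically. The following sketch implements FV, FV_D and FV_R from Definition 6.4 for the simple atoms (A ▷ [B]) and the grammar side conditions; the tuple encoding of formulas is an assumption of this illustration:

```python
# Formulas as nested tuples: ("top",), ("bot",), ("atom", A, B) for
# (A ▷ [B]) with A, B sets of variables, and ("or"/"and"/"star"/"seq", P, Q),
# where "seq" stands for the non-commutative conjunction ⨟.

def fv(phi):
    if phi[0] in ("top", "bot"):
        return frozenset()
    if phi[0] == "atom":
        _, A, B = phi
        return frozenset(A) | frozenset(B)
    return fv(phi[1]) | fv(phi[2])

def fv_d(phi):
    if phi[0] in ("top", "bot"):
        return frozenset()
    if phi[0] == "atom":
        return frozenset(phi[1])
    return fv_d(phi[1]) | fv_d(phi[2])

def fv_r(phi):
    if phi[0] in ("top", "bot"):
        return frozenset()
    if phi[0] == "atom":
        _, A, B = phi
        return frozenset(A) | frozenset(B)
    if phi[0] == "or":                    # the one non-union case
        return fv_r(phi[1]) & fv_r(phi[2])
    return fv_r(phi[1]) | fv_r(phi[2])

def in_rdibi(phi):
    """Check the Form_RDIBI grammar side conditions recursively."""
    if phi[0] in ("top", "bot", "atom"):
        return True
    P, Q = phi[1], phi[2]
    if not (in_rdibi(P) and in_rdibi(Q)):
        return False
    if phi[0] == "seq":                   # P ⨟ Q: FV_D(Q) ⊆ FV_R(P)
        return fv_d(Q) <= fv_r(P)
    if phi[0] == "and":                   # FV_R(P) = FV_R(Q) = FV(P) = FV(Q)
        return fv_r(P) == fv_r(Q) == fv(P) == fv(Q)
    return True                           # ∨ and ∗ are unrestricted

# (∅ ▷ [z]) ⨟ (z ▷ [x]) is well-formed: FV_D(z ▷ [x]) = {z} ⊆ FV_R(∅ ▷ [z]).
ok = ("seq", ("atom", set(), {"z"}), ("atom", {"z"}, {"x"}))
# ⊤ ⨟ (x ▷ [x]) from Example 6.3 violates the ⨟ side condition.
bad = ("seq", ("top",), ("atom", {"x"}, {"x"}))
print(in_rdibi(ok), in_rdibi(bad))  # True False
```

Note that the formula from Example 6.5, (∅ ▷ [x]) ∧ (∅ ▷ [y]), is rejected by the ∧ side condition, matching the failure of restriction shown there.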
Verification of CommonCause. We aim to prove the following judgment:

{⊤} CommonCause {(∅ ▷ [z]) ⨟ ((z ▷ [a]) ∗ (z ▷ [b]))}

By Theorem 5.4, this shows that a, b are conditionally independent given z at the end of the program. Using Samp to handle the sampling for z, x, y, we can prove the assertion: (∅ ▷ [z]) ⨟ (∅ ▷ [x]) ⨟ (∅ ▷ [y]). Using Axioms Pad, UnitL, AP-Par, UnionRan, and ⨟-Assoc, this assertion implies (∅ ▷ [z]) ⨟ (z ▷ [z, x]) ⨟ (z ▷ [z, y]). We take this as the pre-condition before assigning to a and assigning to b. After the assignments, Assn proves:

(((∅ ▷ [z]) ⨟ (z ▷ [z, x]) ⨟ (z ▷ [z, y])) ⨟ (z, x ▷ [a])) ⨟ (z, y ▷ [b]).

Then, we can apply Indep-1 to derive: (∅ ▷ [z]) ⨟ (((z ▷ [z, x]) ⨟ (z, x ▷ [a])) ∗ ((z ▷ [z, y]) ⨟ (z, y ▷ [b]))). By Axiom AtomSeq, we obtain the desired post-condition: (∅ ▷ [z]) ⨟ ((z ▷ [a]) ∗ (z ▷ [b])). □

Verification of CondSamples.
We aim to show the following judgment:

{⊤} CondSamples {(∅ ▷ [z]) ⨟ ((z ▷ [x]) ∗ (z ▷ [y]))}

By Theorem 5.4, this shows that x, y are conditionally independent given z at the end of the program. Starting with the sampling statement for z, applying Samp and Axiom Indep-2 gives: ⊢ {⊤} z $← B_1/2 {(∅ ▷ [z]) ⨟ ⊤}. To reason about the branching, we use DCond. We start with the first branch. By Samp, Weak and Seqn, we have ⊢ {(∅ ▷ z = tt) ⨟ ⊤} x $← B_p ; y $← B_p {(∅ ▷ z = tt) ⨟ (∅ ▷ [x]) ⨟ (∅ ▷ [y])}. As before, Axioms Pad, UnitL, AP-Par, UnionRan, together with ⨟-Assoc, give the post-condition (∅ ▷ z = tt) ⨟ (z ▷ [z, x]) ⨟ (z ▷ [z, y]). Applying Axiom Indep-1, we can show (∅ ▷ z = tt) ⨟ ((z ▷ [z, x]) ∗ (z ▷ [z, y])) at the end of the branch. Thus: ⊢ {(∅ ▷ z = tt) ⨟ ⊤} x $← B_p ; y $← B_p {(∅ ▷ z = tt) ⨟ (z : z = tt ▷ [z, x] ∗ [z, y])}. The second branch is similar: ⊢ {(∅ ▷ z = ff) ⨟ ⊤} x $← B_q ; y $← B_q {(∅ ▷ z = ff) ⨟ (z : z = ff ▷ [z, x] ∗ [z, y])}. Applying DCond, we have:

⊢ {(∅ ▷ [z])} CondSamples {(∅ ▷ [z]) ⨟ ((z : z = tt ▷ [z, x] ∗ [z, y]) ∧ (z : z = ff ▷ [z, x] ∗ [z, y]))}.

By AP-Or, the postcondition implies (∅ ▷ [z]) ⨟ (z : (z = tt ∨ z = ff) ▷ ([z, x] ∗ [z, y]) ∨ ([z, x] ∗ [z, y])). In the domain and range logic, we have: ⊨_d z : ⊤ → z : (z = tt ∨ z = ff) and ⊨_r ([z, x] ∗ [z, y]) ∨ ([z, x] ∗ [z, y]) → [z, x] ∗ [z, y]. So AP-Imp implies (∅ ▷ [z]) ⨟ (z ▷ [z, x] ∗ [z, y]). We can then apply RevPar because {z, x} ∩ {z, y} = {z}, deriving the postcondition (∅ ▷ [z]) ⨟ ((z ▷ [z, x]) ∗ (z ▷ [z, y])). By Axiom Split, we obtain the desired post-condition: (∅ ▷ [z]) ⨟ ((z ▷ [x]) ∗ (z ▷ [y])). □

We conclude by establishing the soundness and completeness of DIBI.
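As an external sanity check on the CondSamples derivation, one can enumerate the program's output distribution exactly for concrete (hypothetical) biases p and q and test the claimed conditional independence of x and y given z directly; this is a simulation sketch, not part of the logic:

```python
from itertools import product

def cond_samples(p, q):
    """Exact joint distribution of (z, x, y) for CondSamples:
    z ~ B_1/2; if z then x, y ~ B_p else x, y ~ B_q."""
    joint = {}
    for z in (True, False):
        bias = p if z else q
        for x, y in product((True, False), repeat=2):
            pr = 0.5 * (bias if x else 1 - bias) * (bias if y else 1 - bias)
            joint[(z, x, y)] = joint.get((z, x, y), 0.0) + pr
    return joint

def cond_indep(joint):
    """Check P(x, y | z) = P(x | z) * P(y | z) for all values."""
    for z in (True, False):
        pz = sum(pr for (z_, _, _), pr in joint.items() if z_ == z)
        for x, y in product((True, False), repeat=2):
            pxy = sum(pr for k, pr in joint.items() if k == (z, x, y))
            px = sum(pr for (z_, x_, _), pr in joint.items() if (z_, x_) == (z, x))
            py = sum(pr for (z_, _, y_), pr in joint.items() if (z_, y_) == (z, y))
            if abs(pxy / pz - (px / pz) * (py / pz)) > 1e-9:
                return False
    return True

print(cond_indep(cond_samples(0.3, 0.8)))  # True
```

For p ≠ q the variables x and y are correlated unconditionally (both track which branch was taken), so the conditioning on z in the post-condition is essential.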
A methodology for proving the soundness and completeness of bunched logics is given by Docherty [2019], inspired by the duality-theoretic approach to modal logic [Goldblatt 1989]. First, DIBI is proved sound and complete with respect to an algebraic semantics obtained by interpreting the rules of the proof system as algebraic axioms. We then establish a representation theorem: every DIBI algebra A embeds into a DIBI algebra generated by a DIBI frame, that is in turn generated by A. Soundness and completeness of the algebraic semantics can then be transferred to the Kripke semantics. Omitted details can be found in Appendix J.

Definition 7.1 (DIBI Algebra). A DIBI algebra is an algebra A = (A, ∧, ∨, →, ⊤, ⊥, ∗, −∗, ⨟, ⊸, ⟜, I) such that, for all a, b, c, d ∈ A:
• (A, ∧, ∨, →, ⊤, ⊥) is a Heyting algebra;
• (A, ∗, I) is a commutative monoid;
• ⨟ is associative, with right unit I and a ≤ I ⨟ a;
• (a ⨟ b) ∗ (c ⨟ d) ≤ (a ∗ c) ⨟ (b ∗ d);
• a ∗ b ≤ c iff a ≤ b −∗ c;
• a ⨟ b ≤ c iff a ≤ b ⊸ c iff b ≤ a ⟜ c.

An algebraic interpretation of DIBI is specified by an assignment ⟦−⟧ : AP → A. The interpretation is obtained as the unique homomorphic extension of this assignment, and so we use the notation ⟦−⟧ interchangeably for both assignment and interpretation. Soundness and completeness can be established by constructing a term DIBI algebra by quotienting formulas by equiderivability.

Theorem 7.2. P ⊢ Q is derivable iff ⟦P⟧ ≤ ⟦Q⟧ for all algebraic interpretations ⟦−⟧.

We now connect these algebras to DIBI frames. A filter on a bounded distributive lattice A is a non-empty set F ⊆ A such that, for all x, y ∈ A: (1) x ∈ F and x ≤ y implies y ∈ F; and (2) x, y ∈ F implies x ∧ y ∈ F.
It is a proper filter if it additionally satisfies (3) ⊥ ∉ F, and a prime filter if it also satisfies (4) x ∨ y ∈ F implies x ∈ F or y ∈ F. We denote the set of prime filters of A by PF_A.

Definition 7.3 (Prime Filter Frame).
Given a DIBI algebra A, the prime filter frame of A is defined as Pr(A) = (PF_A, ⊆, ⊕_A, ⊙_A, E_A), where

F ⊕_A G := { H ∈ PF_A | ∀a ∈ F, b ∈ G. a ∗ b ∈ H },
F ⊙_A G := { H ∈ PF_A | ∀a ∈ F, b ∈ G. a ⨟ b ∈ H },
E_A := { F ∈ PF_A | I ∈ F }.

Proposition 7.4. For any DIBI algebra A, the prime filter frame Pr(A) is a DIBI frame.

In the other direction, it can be seen that DIBI frames generate DIBI algebras.
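The filter conditions above are straightforward to check mechanically. As a small concrete illustration (our own, using the powerset of {1, 2} under ⊆ as a toy bounded distributive lattice, with ∧ = ∩ and ∨ = ∪), the following sketch enumerates its prime filters:

```python
from itertools import chain, combinations

elems = [frozenset(s) for s in ([], [1], [2], [1, 2])]
bot = frozenset()

def subsets(xs):
    return chain.from_iterable(combinations(xs, r) for r in range(len(xs) + 1))

def is_filter(F):
    """Non-empty, upward closed, and closed under meets (∩)."""
    if not F:
        return False
    for x in F:
        for y in elems:
            if x <= y and y not in F:
                return False
    return all(x & y in F for x in F for y in F)

def is_prime(F):
    """Proper filter such that x ∨ y ∈ F implies x ∈ F or y ∈ F."""
    if not is_filter(F) or bot in F:
        return False
    return all(x in F or y in F
               for x in elems for y in elems if (x | y) in F)

prime = [set(F) for F in (frozenset(S) for S in subsets(elems)) if is_prime(F)]
print(len(prime))  # 2: the principal filters above {1} and above {2}
```

Here the two prime filters are ↑{1} and ↑{2}; the improper filter containing ⊥ and the filter {⊤} are both rejected, the latter because {1} ∪ {2} = ⊤ lies in it while neither disjunct does.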
Definition 7.5 (Complex Algebra).
Given a DIBI frame X = (X, ⊑, ⊕, ⊙, E), the complex algebra of X, Com(X), is defined as

Com(X) = (P_⊑(X), ∩, ∪, ⇒_X, X, ∅, •_X, −∗_X, ▷_X, −▷_X, ▷−_X, E), where

P_⊑(X) = { A ⊆ X | if a ∈ A and a ⊑ b then b ∈ A }
A ⇒_X B = { a | for all b, if b ⊒ a and b ∈ A then b ∈ B }
A •_X B = { x | there exist x′, a, b s.t. x ⊒ x′ ∈ a ⊕ b, a ∈ A and b ∈ B }
A −∗_X B = { x | for all a, b, if b ∈ x ⊕ a and a ∈ A then b ∈ B }
A ▷_X B = { x | there exist a, b s.t. x ∈ a ⊙ b, a ∈ A and b ∈ B }
A −▷_X B = { x | for all x′, a, b, if x ⊑ x′, b ∈ x′ ⊙ a and a ∈ A then b ∈ B }
A ▷−_X B = { x | for all x′, a, b, if x ⊑ x′, b ∈ a ⊙ x′ and a ∈ A then b ∈ B }.

Proposition 7.6.
For any DIBI frame X, the complex algebra Com(X) is a DIBI algebra.
With this in place, the result facilitating transference of soundness and completeness follows.

Theorem 7.7 (Representation Theorem for DIBI algebras). Every DIBI algebra is isomorphic to a subalgebra of a complex algebra. Specifically, given a DIBI algebra A, the map θ_A : A → Com(Pr(A)) defined by θ_A(a) = { F ∈ PF_A | a ∈ F } is an embedding.

With the previous propositions relating DIBI algebras and frames, the remaining step required to establish this is that θ_A is a monomorphism: the necessary argument is identical to that for similar bunched logics [Docherty 2019, Theorems 6.11, 6.25]. The representation theorem establishes that, given ⟦−⟧ on A, the map V_⟦−⟧(p) := θ_A(⟦p⟧) is a persistent valuation on Pr(A) with the property F ⊨ P iff ⟦P⟧ ∈ F, from which our main theorem can be proved.

Theorem 7.8 (Soundness and Completeness). P ⊢ Q is derivable iff P ⊨ Q.

Bunched implications and other non-classical logics.
DIBI is an extension of the logic of bunched implications (BI) [O'Hearn and Pym 1999], and shares many similarities: DIBI can be given a Kripke-style resource semantics, just like BI, and our completeness proof relies on a general framework for proving completeness for bunched logics [Docherty 2019]. The non-commutative conjunction and exchange rules are inspired by the logic CKBI [Docherty 2019]. The main difference is that our exchange rule is reversed, due to our reading of the separating conjunction ∗ as "can be combined independently", rather than "interleaved". In terms of models, the probabilistic model of DIBI can be seen as a natural extension of the probabilistic model for BI [Barthe et al. 2019]: by lifting distributions to kernels, DIBI is able to reason about dependencies, while probabilistic BI is not.

There are other non-classical logics that aim to model dependencies. Probably the most well-developed instances are independence-friendly (IF) logic [Hintikka and Sandu 1989] and dependence logic [Väänänen 2007]. These logics introduce new quantifiers and propositional atoms to state that a variable depends, or does not depend, on another variable, and are each equivalent in expressivity to existential second-order logic. Interestingly, the semantics of propositional IF form a model of BI [Abramsky and Väänänen 2009].

Conditional independence, join dependency, and logic.
There is a long line of research on logical characterizations of conditional independence and join dependency; the literature is too vast to survey here. On the CI side, we can point to work by Geiger and Pearl [1993] on graphical models; on the JD side, the survey by Fagin and Vardi [1984] describes the history of the area in database theory. There are several broadly similar approaches to axiomatizing the general properties of conditional dependence, including graphoids [Pearl and Paz 1985] and separoids [Dawid 2001].
Categorical probability.
The view of conditional independence as a factorization of Markov kernels has previously been explored by Cho and Jacobs [2019] in the context of string diagrams, and by Fritz [2020] in the context of Markov categories. Taking a different approach, Simpson [2018] has recently introduced category-theoretic structures for modeling conditional independence. His framework supports probabilistic and relational notions, as well as a model in nominal sets [Pitts 2013]. We speculate that this kind of dependence might be captured with a DIBI model using Kleisli arrows in nominal sets, though it is unclear what the appropriate monad should be.
Program logics.
Bunched logics are well-known for their role in separation logics, program logics for reasoning about heap-manipulating [O'Hearn et al. 2001] and concurrent programs [Brookes 2007; O'Hearn 2007]. Recently, several variants of separation logic have been developed for probabilistic programs. Our work is most related to PSL [Barthe et al. 2019], where separation models probabilistic independence. Batz et al. [2019] give a different, quantitative interpretation to separation in their logic QSL, and use it to verify expected-value properties of probabilistic heap-manipulating programs. Finally, there are more traditional program logics for probabilistic programs. The Ellora logic by Barthe et al. [2018] has assertions for modeling independence, but works with a classical logic. As a result, basic structural properties of independence must be introduced as axioms, rather than being built into the logical connectives.

In this paper, we have presented DIBI, a new bunched logic to reason about dependence and independence, together with its Kripke semantics and a sound and complete proof system. We provided two concrete models, based on Markov kernels and powerset kernels, which form the basis of a logical characterization of conditional independence and join dependency, respectively. Interestingly, these notions are captured by the same logical formula. Further, our models validate the semi-graphoid laws, illustrating the generality of our logic: graphoids are the most well-known approach to axiomatically characterizing independence-like notions. We used a restricted fragment of DIBI to build a program logic CPSL for reasoning about conditional independence in probabilistic programs. We see several directions for further investigation; we describe two of them here.
Generalizing the two models.
The probabilistic and relational models share many similarities: both M_D and M_P are sets of Kleisli arrows, and use Kleisli composition to interpret ⊙; both ⊕ operators correspond to parallel composition, by either combining the outputs of the two arrows via the product of distributions (with deterministic overlap), or via the natural join of relations; and both preorders are defined identically.

Readers familiar with category theory may think of models on Kleisli arrows over commutative strong monads as a potential unification: Kleisli composition is defined for any monad, and both the distribution monad and the powerset monad are commutative strong monads [Jacobs 1994; Kock 1970]. These monads come with a double-strength map, st_{A,B} : T(A) × T(B) → T(A × B), which seems suitable for defining ⊕. Indeed, variants of conditional independence could make sense in settings with other commutative monads. For instance, we conjecture that taking the multiset monad instead of the powerset monad would lead to a model where we can assert join dependency in bags, rather than relations; the free vector space monad could be connected to linear-subspace models of the graphoid axioms [Lauritzen 1996].

However, it is not easy to define an operation that subsumes the ⊕ from our concrete models. It is tempting to take ⊕ as f₁ ⊕ f₂ = (f₁ ⊗ f₂) ; st, but this gives a total operation, and ⊕ must be partial since in our concrete models it is not possible to compose two arrows that disagree on their domain overlap. For instance, in the probabilistic model, there is no sensible way to use ⊕ to combine a kernel encoding the normal distribution N(0, 1) on x with another encoding the Dirac distribution of x = 1. We do not know how to model these coherence requirements between two Kleisli arrows in a general categorical model, and we leave this investigation to future work.
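The obstruction can be made concrete for the finite distribution monad. The sketch below (our own illustration, with memories as frozensets of variable/value pairs) implements Kleisli composition, which interprets ⊙, and the total double-strength product; the latter happily assigns probability to contradictory outputs, which is exactly why it cannot serve as ⊕:

```python
def unit(mem):
    """Dirac distribution: the unit of the distribution monad."""
    return {mem: 1.0}

def kleisli(f, g):
    """Kleisli composition f ⊙ g: run f, then bind g over the result."""
    def h(mem):
        out = {}
        for mid, p in f(mem).items():
            for end, q in g(mid).items():
                out[end] = out.get(end, 0.0) + p * q
        return out
    return h

def double_strength(mu, nu):
    """Total product st : D(A) × D(B) → D(A × B), always defined."""
    return {(a, b): p * q for a, p in mu.items() for b, q in nu.items()}

# One distribution samples x uniformly; the other fixes x = 1.  The
# total product puts mass on the contradictory pair (x = 0, x = 1),
# so a model of ⊕ must instead be partial and reject this combination.
coin = {("x", 0): 0.5, ("x", 1): 0.5}
point = {("x", 1): 1.0}
prod = double_strength(coin, point)
inconsistent = [(a, b) for (a, b) in prod if a[1] != b[1]]
print(inconsistent)  # one pair disagreeing about the value of x
```

By contrast, Kleisli composition is unproblematic: it is total for any monad, matching the uniform interpretation of ⊙ in both concrete models.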
Restriction and intuitionistic DIBI.
Given the challenges in ensuring the restriction property, one may wonder if a classical version of DIBI would be more suitable for the program logic: if assertions were not required to be preserved under kernel extensions, it might be easier to show that they satisfy restriction. However, using a classical logic would require assertions to specify the dependence structure of all variables, something that can be quite complicated. Moreover, intuitionistic logics like probabilistic BI can also satisfy the restriction property, so the relevant design choice is not necessarily between classical and intuitionistic.
Rather, the more important point appears to be whether the pre-order can extend a kernel's domain. If this is allowed, as in DIBI, then kernels satisfying an assertion may have unexpected variables in the domain. However, this choice also makes the dependent conjunction P ⨟ Q more flexible: Q does not need to exactly describe the domain of the second kernel, which is useful since the range of the first kernel cannot be constrained by P. This underlying tension, allowing the range to be extended while restricting the domain, is an interesting subject for future investigation.

REFERENCES
Serge Abiteboul, Richard Hull, and Victor Vianu. 1995. Foundations of Databases. Vol. 8. Addison-Wesley.
Samson Abramsky and Jouko A. Väänänen. 2009. From IF to BI. Synthese.
Solon Barocas, Moritz Hardt, and Arvind Narayanan. 2019. Fairness and Machine Learning. fairmlbook.org.
Gilles Barthe, Thomas Espitau, Marco Gaboardi, Benjamin Grégoire, Justin Hsu, and Pierre-Yves Strub. 2018. An Assertion-Based Program Logic for Probabilistic Programs. In European Symposium on Programming (ESOP), Thessaloniki, Greece. 117–144. https://doi.org/10.1007/978-3-319-89884-1_5
Gilles Barthe, Justin Hsu, and Kevin Liao. 2019. A probabilistic separation logic. ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Lisbon, Portugal (2019), 1–30.
Kevin Batz, Benjamin Lucien Kaminski, Joost-Pieter Katoen, Christoph Matheja, and Thomas Noll. 2019. Quantitative separation logic: a logic for reasoning about probabilistic pointer programs. ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Lisbon, Portugal (2019), 34:1–34:29. https://doi.org/10.1145/3290347
Stephen Brookes. 2007. A semantics for concurrent separation logic. Theoretical Computer Science.
In Asian Symposium on Programming Languages and Systems (APLAS), Suzhou, China, Evan Chang (Ed.). Springer, 190–211.
Kenta Cho and Bart Jacobs. 2019. Disintegration and Bayesian inversion via string diagrams. Math. Struct. Comput. Sci. 29, 7 (2019), 938–971. https://doi.org/10.1017/S0960129518000488
Fredrik Dahlqvist and Dexter Kozen. 2020. Semantics of higher-order probabilistic programs with conditioning. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), New Orleans, Louisiana. 57:1–57:29. https://doi.org/10.1145/3371125
A. Philip Dawid. 1979. Conditional independence in statistical theory. Journal of the Royal Statistical Society: Series B (Methodological) 41, 1 (1979), 1–15.
A. Philip Dawid. 2001. Separoids: A mathematical framework for conditional independence and irrelevance. Annals of Mathematics and Artificial Intelligence 32, 1–4 (2001), 335–372.
Simon Docherty. 2019. Bunched logics: a uniform approach. Ph.D. Dissertation. UCL (University College London).
Thomas Ehrhard, Michele Pagani, and Christine Tasson. 2018. Measurable cones and stable, measurable functions: a model for probabilistic higher-order programming. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Los Angeles, California. 59:1–59:28. https://doi.org/10.1145/3158147
Ronald Fagin. 1977. Multivalued Dependencies and a New Normal Form for Relational Databases. ACM Trans. Database Syst. 2, 3 (1977), 262–278. https://doi.org/10.1145/320557.320571
Ronald Fagin and Moshe Y. Vardi. 1984. The Theory of Data Dependencies: An Overview. In International Colloquium on Automata, Languages and Programming (ICALP), Antwerp, Belgium. 1–22. https://doi.org/10.1007/3-540-13345-3_1
Tobias Fritz. 2020. A synthetic approach to Markov kernels, conditional independence and theorems on sufficient statistics. Advances in Mathematics 370 (2020), 107239. https://doi.org/10.1016/j.aim.2020.107239
Didier Galmiche and Dominique Larchey-Wendling. 2006. Expressivity Properties of Boolean BI Through Relational Models. In Foundations of Software Technology and Theoretical Computer Science (FSTTCS), Kolkata, India, S. Arun-Kumar and Naveen Garg (Eds.). Springer, 357–368.
Didier Galmiche, Michel Marti, and Daniel Méry. 2019. Relating Labelled and Label-Free Bunched Calculi in BI Logic. In Automated Reasoning with Analytic Tableaux and Related Methods, Serenella Cerrito and Andrei Popescu (Eds.). Springer International Publishing, Cham, 130–146.
Dan Geiger and Judea Pearl. 1993. Logical and Algorithmic Properties of Conditional Independence and Graphical Models. The Annals of Statistics.
Michèle Giry. 1982. A categorical approach to probability theory. In Categorical Aspects of Topology and Analysis (1982), 68–85.
Robert Goldblatt. 1989. Varieties of complex algebras. Annals of Pure and Applied Logic 44, 3 (1989), 173–242. https://doi.org/10.1016/0168-0072(89)90032-8
Noah D. Goodman, Vikash K. Mansinghka, Daniel M. Roy, Keith Bonawitz, and Joshua B. Tenenbaum. 2012. Church: a language for generative models. CoRR abs/1206.3255 (2012). arXiv:1206.3255 http://arxiv.org/abs/1206.3255
Andrew D. Gordon, Thore Graepel, Nicolas Rolland, Claudio V. Russo, Johannes Borgström, and John Guiver. 2014. Tabular: a schema-driven probabilistic programming language. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), San Diego, California, Suresh Jagannathan and Peter Sewell (Eds.). ACM, 321–334. https://doi.org/10.1145/2535838.2535850
Jaakko Hintikka and Gabriel Sandu. 1989. Informational Independence as a Semantical Phenomenon. In Logic, Methodology and Philosophy of Science VIII, Jens Erik Fenstad, Ivan T. Frolov, and Risto Hilpinen (Eds.). Studies in Logic and the Foundations of Mathematics, Vol. 126. Elsevier, 571–589. https://doi.org/10.1016/S0049-237X(08)70066-1
Tony Hoare, Bernhard Möller, Georg Struth, and Ian Wehrman. 2011. Concurrent Kleene algebra and its foundations. The Journal of Logic and Algebraic Programming 80, 6 (2011), 266–296.
Bart Jacobs. 1994. Semantics of weakening and contraction. Annals of Pure and Applied Logic 69, 1 (1994), 73–106.
Anders Kock. 1970. Monads on symmetric monoidal closed categories. Archiv der Mathematik 21, 1 (1970), 1–10.
Dexter Kozen. 1981. Semantics of Probabilistic Programs. J. Comput. System Sci. 22, 3 (1981), 328–350. https://doi.org/10.1016/0022-0000(81)90036-2
Steffen L. Lauritzen. 1996. Graphical Models. Clarendon Press.
Eugenio Moggi. 1991. Notions of computation and monads. Information and Computation 93, 1 (1991), 55–92. https://doi.org/10.1016/0890-5401(91)90052-4. Selections from 1989 IEEE Symposium on Logic in Computer Science.
Peter W. O'Hearn and David J. Pym. 1999. The logic of bunched implications. Bulletin of Symbolic Logic 5, 2 (1999), 215–244.
Peter W. O'Hearn, John C. Reynolds, and Hongseok Yang. 2001. Local Reasoning about Programs that Alter Data Structures. In International Workshop on Computer Science Logic (CSL), Paris, France. 1–19. https://doi.org/10.1007/3-540-44802-0_1
Peter W. O'Hearn. 2007. Resources, concurrency, and local reasoning.
Theoretical Computer Science
Labelled Markov Processes . Imperial College Press. https://doi.org/10.1142/p595Judea Pearl and Azaria Paz. 1985.
Graphoids: A graph-based logic for reasoning about relevance relations . University ofCalifornia (Los Angeles). Computer Science Department, .Judea Pearl and Thomas Verma. 1987. The Logic of Representing Dependencies by Directed Graphs. In
AAAI Conference onArtificial Intelligence, Seattle, WA
Nominal Sets: Names and Symmetry in Computer Science . Cambridge University Press. https://doi.org/10.1017/CBO9781139084673David J. Pym, Peter W. O’Hearn, and Hongseok Yang. 2004. Possible worlds and resources: the semantics of BI.
TheoreticalComputer Science
Conference on theMathematical Foundations of Programming Semantics (MFPS), Halifax, Canada . 281–297. https://doi.org/10.1016/j.entcs.2018.03.028Sam Staton, Hongseok Yang, Frank D. Wood, Chris Heunen, and Ohad Kammar. 2016. Semantics for probabilistic program-ming: higher-order functions, continuous distributions, and soft constraints. In
IEEE Symposium on Logic in ComputerScience (LICS), New York, New York , Martin Grohe, Eric Koskinen, and Natarajan Shankar (Eds.). ACM, New York, NY,USA, 525–534. https://doi.org/10.1145/2933575.2935313Jouko Väänänen. 2007.
Dependence Logic: A New Approach to Independence Friendly Logic . Cambridge University Press.https://doi.org/10.1017/CBO9780511611193Frank D. Wood, Jan-Willem van de Meent, and Vikash Mansinghka. 2014. A New Approach to Probabilistic ProgrammingInference. In
International Conference on Artificial Intelligence and Statistics (AISTATS), Reykjavik, Iceland . 1024–1032., Vol. 1, No. 1, Article . Publication date: August 2020.
A SECTION 3: OMITTED PROOF

Lemma A.1. P ∗ Q ⊢ P ⨟ Q

Proof. For better readability, we break the proof tree down into two components. The first derives P ∗ Q ⊢ (P ∗ I) ⨟ (I ∗ Q):

  (⨟-Right Unit)  P ⊢ P ⨟ I
  (⨟-Left Unit)   Q ⊢ I ⨟ Q
  (∗-Conj)        P ∗ Q ⊢ (P ⨟ I) ∗ (I ⨟ Q)
  (RevEx)         (P ⨟ I) ∗ (I ⨟ Q) ⊢ (P ∗ I) ⨟ (I ∗ Q)
  (Cut)           P ∗ Q ⊢ (P ∗ I) ⨟ (I ∗ Q)

With P ∗ Q ⊢ (P ∗ I) ⨟ (I ∗ Q), we construct the following:

  (∗-Unit)        P ∗ I ⊢ P
  (∗-Comm)        I ∗ Q ⊢ Q ∗ I
  (∗-Unit)        Q ∗ I ⊢ Q
  (Cut)           I ∗ Q ⊢ Q
  (⨟-Conj)        (P ∗ I) ⨟ (I ∗ Q) ⊢ P ⨟ Q
  (Cut)           P ∗ Q ⊢ P ⨟ Q

This proof uses the admissible rule Cut: from P ⊢ Q and Q ⊢ R, derive P ⊢ R. It can be derived as follows: from Q ⊢ R, weakening by (∧) gives P ∧ Q ⊢ R, so (→) yields P ⊢ Q → R; combining this with P ⊢ Q by MP gives P ⊢ R. □

B SECTION 4.2, PROBABILISTIC MODEL: OMITTED PROOFS
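As a concrete aid to the calculations below, the two kernel operations can be prototyped for finite distributions. The following Python sketch is ours (the memory encoding and all function names are assumptions, not part of the paper's development): a memory is a frozenset of (variable, value) pairs, a kernel is a dict from input memories to output distributions, ⊕ multiplies the probabilities of compatible parallel outputs, and ⊙ sums over intermediate memories as in Equation (4.3).

```python
from itertools import product

# A memory over a variable set is a frozenset of (variable, value) pairs.
# A kernel is a dict: input memory -> distribution (dict: output memory -> probability).

def join(m1, m2):
    """Combine two memories if they agree on shared variables (the paper's m1 ▷◁ m2)."""
    d1, d2 = dict(m1), dict(m2)
    if any(v in d2 and d2[v] != val for v, val in d1.items()):
        return None
    return frozenset({**d1, **d2}.items())

def oplus(f, g):
    """Parallel product f ⊕ g: pair up compatible inputs and multiply the
    probabilities of compatible outputs."""
    out = {}
    for df, dg in product(f, g):
        d = join(df, dg)
        if d is None:
            continue
        dist = out.setdefault(d, {})
        for (mf, pf), (mg, pg) in product(f[df].items(), g[dg].items()):
            m = join(mf, mg)
            if m is not None:
                dist[m] = dist.get(m, 0.0) + pf * pg
    return out

def odot(f, g):
    """Sequential composition f ⊙ g, Equation (4.3): sum over intermediate memories."""
    out = {}
    for d in f:
        out[d] = {}
        for m1, p1 in f[d].items():
            for m2, p2 in g[m1].items():
                out[d][m2] = out[d].get(m2, 0.0) + p1 * p2
    return out

# Example: a fair coin z, sequenced with a kernel copying z into x,
# and in parallel with an independent fair coin w.
empty = frozenset()
f = {empty: {frozenset({('z', 0)}): 0.5, frozenset({('z', 1)}): 0.5}}
g = {frozenset({('z', b)}): {frozenset({('z', b), ('x', b)}): 1.0} for b in (0, 1)}
h = {empty: {frozenset({('w', b)}): 0.5 for b in (0, 1)}}
fg = odot(f, g)   # distribution on {z, x} with x = z
fh = oplus(f, h)  # product distribution on {z, w}
```

The example illustrates the closure properties proved in Lemma B.2: both composites again map each input to a total distribution.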
Remark. In the following, we sometimes abbreviate dom(fᵢ) as Dᵢ and range(fᵢ) as Rᵢ.

Lemma B.1. We prove Equation (4.4): given f : Mem[S] → D(Mem[T]) and g : Mem[T] → D(Mem[U]) with S ⊆ T ⊆ U, and d ∈ Mem[S], m ∈ Mem[U] such that d ⊗ m is defined,

  (f ⊙ g)(d)(m) = f(d)(m_T) · g(m_T)(m)

Proof. For any d ∈ Mem[S], m ∈ Mem[U], Equation (4.3) yields the explicit formula:

  (f ⊙ g)(d)(m) := Σ_{m′ ∈ Mem[T]} f(d)(m′) · g(m′)(m).

Note that f(d)(m′) · g(m′)(m) is zero if either d ⊗ m′ is undefined or m′ ⊗ m is undefined. Recall that S ⊆ T ⊆ U. The only m′ ∈ Mem[T] such that m′ ⊗ m is defined is m′ = m_T. Since d ⊗ m is defined, when m′ = m_T we have (m′)_S = m_S = d, so d ⊗ m′ is also defined. Thus,

  (f ⊙ g)(d)(m) = Σ_{m′ ∈ Mem[T]} f(d)(m′) · g(m′)(m) = f(d)(m_T) · g(m_T)(m) □

In the proof of Theorem 4.6 we use that M_D is closed under ⊕ and ⊙, which we prove next.

Lemma B.2. M_D is closed under ⊕ and ⊙.

Proof. For any f₁, f₂ ∈ M_D, we need to show that:

• If f₁ ⊕ f₂ is defined, then f₁ ⊕ f₂ ∈ M_D.
Recall that f₁ ⊕ f₂ is defined if and only if R₁ ∩ R₂ = D₁ ∩ D₂, which implies that (R₁ ∪ R₂) \ (D₁ ∪ D₂) = (R₁ \ D₁) ∪ (R₂ \ D₂), and (R₁ \ D₁) ∩ (R₂ \ D₂) = ∅. So we can split any memory assignment on (R₁ ∪ R₂) \ (D₁ ∪ D₂) into two disjoint parts, one on R₁ \ D₁, another on R₂ \ D₂.

State f₁ ⊕ f₂ preserves the input because for any d ∈ Mem[D₁ ∪ D₂], we can obtain (⋆):

  (π_{D₁∪D₂}(f₁ ⊕ f₂))(d)(d)
   = Σ_x (f₁ ⊕ f₂)(d)(d ▷◁ x)    (x ∈ Mem[(R₁ ∪ R₂) \ (D₁ ∪ D₂)])
   =† Σ_{x₁,x₂} f₁(d_{D₁})(d_{D₁} ▷◁ x₁) · f₂(d_{D₂})(d_{D₂} ▷◁ x₂)    (x₁ ∈ Mem[R₁ \ D₁], x₂ ∈ Mem[R₂ \ D₂])
   = (Σ_{x₁ ∈ Mem[R₁\D₁]} f₁(d_{D₁})(d_{D₁} ▷◁ x₁)) · (Σ_{x₂ ∈ Mem[R₂\D₂]} f₂(d_{D₂})(d_{D₂} ▷◁ x₂))
   = 1 · 1 = 1    (f₁, f₂ ∈ M_D)

Step † follows using (R₁ ∪ R₂) \ (D₁ ∪ D₂) = (R₁ \ D₁) ∪ (R₂ \ D₂) and (R₁ \ D₁) ∩ (R₂ \ D₂) = ∅. Then, for any d ∈ Mem[D₁ ∪ D₂], (f₁ ⊕ f₂)(d) is a distribution since:

  Σ_{m ∈ Mem[R₁∪R₂]} (f₁ ⊕ f₂)(d)(m)
   = Σ_{m ∈ Mem[R₁∪R₂]} f₁(d_{D₁})(m_{R₁}) · f₂(d_{D₂})(m_{R₂})
   =‡ Σ_{x₁,x₂} f₁(d_{D₁})(d_{D₁} ▷◁ x₁) · f₂(d_{D₂})(d_{D₂} ▷◁ x₂)    (x₁ ∈ Mem[R₁ \ D₁], x₂ ∈ Mem[R₂ \ D₂])
   = 1    (by (⋆))

Step ‡ follows using (R₁ \ D₁) ∩ (R₂ \ D₂) = ∅, and the fᵢ term is 0 when d_{Dᵢ} ≠ m_{Dᵢ}. Thus, f₁ ⊕ f₂ is a kernel in M_D.

• If f₁ ⊙ f₂ is defined, then f₁ ⊙ f₂ ∈ M_D. Recall that f₁ ⊙ f₂ : Mem[D₁] → D(Mem[R₂]) is defined iff R₁ = D₂. f₁ ⊙ f₂ preserves the input because for any d ∈ Mem[D₁], we can obtain (♠):

  (π_{D₁}(f₁ ⊙ f₂))(d)(d)
   = Σ_{x ∈ Mem[R₂\D₁]} (f₁ ⊙ f₂)(d)(d ▷◁ x)
   = Σ_{x ∈ Mem[R₂\D₁]} f₁(d)(d ▷◁ x_{R₁\D₁}) · f₂(d ▷◁ x_{R₁\D₁})(d ▷◁ x)
   = Σ_{x₁} f₁(d)(d ▷◁ x₁) · (Σ_{x₂} f₂(d ▷◁ x₁)(d ▷◁ x₁ ▷◁ x₂))    (x₁ ∈ Mem[R₁ \ D₁], x₂ ∈ Mem[R₂ \ R₁])
   = Σ_{x₁ ∈ Mem[R₁\D₁]} f₁(d)(d ▷◁ x₁) · 1    (using f₂ ∈ M_D)
   = 1    (using f₁ ∈ M_D)
Then, for any d ∈ Mem[D₁], (f₁ ⊙ f₂)(d) is a distribution as

  Σ_{m ∈ Mem[R₂]} (f₁ ⊙ f₂)(d)(m)
   = Σ_{m ∈ Mem[R₂]} f₁(d)(m_{R₁}) · f₂(m_{R₁})(m)    (Equation (4.4))
   =♥ Σ_{x ∈ Mem[R₂\D₁]} f₁(d)(d ▷◁ x_{R₁\D₁}) · f₂(d ▷◁ x_{R₁\D₁})(d ▷◁ x)
   = 1    (by (♠))

Step ♥ follows since the fᵢ term is 0 when d_{Dᵢ} ≠ m_{Dᵢ}. Thus f₁ ⊙ f₂ is a kernel in M_D. □

Lemma B.3.
The probabilistic model M_D is a T-model as defined in Definition K.1, for T = D.

Proof. M_D satisfies conditions (1)–(4) and (10) by construction, so we only prove (5)–(9).

(5) We show that when (f ⊕ g) ⊕ h and f ⊕ (g ⊕ h) are defined, (f ⊕ g) ⊕ h = f ⊕ (g ⊕ h). Consider f : Mem[S] → D(Mem[S ∪ T]), g : Mem[U] → D(Mem[U ∪ V]), and h : Mem[W] → D(Mem[W ∪ X]). For any d ∈ Mem[S ∪ U ∪ W] and m ∈ Mem[S ∪ T ∪ U ∪ V ∪ W ∪ X],

  ((f ⊕ g) ⊕ h)(d)(m) = (f(d_S)(m_{S∪T}) · g(d_U)(m_{U∪V})) · h(d_W)(m_{W∪X})    (def. ⊕)
   = f(d_S)(m_{S∪T}) · (g(d_U)(m_{U∪V}) · h(d_W)(m_{W∪X}))
   = (f ⊕ (g ⊕ h))(d)(m)

(6) When f₁ ⊕ f₂ and f₂ ⊕ f₁ are defined, f₁ ⊕ f₂ = f₂ ⊕ f₁. For any d ∈ Mem[D₁ ∪ D₂] and m ∈ Mem[R₁ ∪ R₂] such that d ▷◁ m is defined,

  (f₁ ⊕ f₂)(d)(m) := f₁(d_{D₁})(m_{R₁}) · f₂(d_{D₂})(m_{R₂}) = f₂(d_{D₂})(m_{R₂}) · f₁(d_{D₁})(m_{R₁}) = (f₂ ⊕ f₁)(d)(m)

Thus, f₁ ⊕ f₂ = f₂ ⊕ f₁.

(7) For any f : Mem[A] → D(Mem[A ∪ X]) ∈ M_D and any S ⊆ A, we must show f ⊕ unit_S = f. Since S ⊆ A, we have dom(f ⊕ unit_S) = A ∪ S = A = dom(f) and range(f ⊕ unit_S) = A ∪ X ∪ S = A ∪ X = range(f). For any d ∈ Mem[A] and any r ∈ Mem[A ∪ X] such that d ⊗ r is defined, we have

  (f ⊕ unit_S)(d)(r) = f(d)(r) · unit(d_S)(r_S) = f(d)(r) · 1 = f(d)(r)

Hence, f ⊕ unit_S = f.

(8) We show that when both (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) and (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) are defined, it holds that (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) = (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄). First note that from the well-definedness of both terms we can conclude that D₁ ⊆ R₁ = D₃ ⊆ R₃ and D₂ ⊆ R₂ = D₄ ⊆ R₄, where Dᵢ = dom(fᵢ) and Rᵢ = range(fᵢ). Moreover, both terms are of
type Mem[D₁ ∪ D₂] → D(Mem[R₃ ∪ R₄]), and, for any d ∈ Mem[D₁ ∪ D₂] and m ∈ Mem[R₃ ∪ R₄]:

  ((f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄))(d)(m)
   = (f₁ ⊕ f₂)(d)(m_{R₁∪R₂}) · (f₃ ⊕ f₄)(m_{D₃∪D₄})(m)    (Equation (4.4))
   = (f₁(d_{D₁})(m_{R₁}) · f₂(d_{D₂})(m_{R₂})) · (f₃(m_{D₃})(m_{R₃}) · f₄(m_{D₄})(m_{R₄}))

  ((f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄))(d)(m)
   = (f₁ ⊙ f₃)(d_{D₁})(m_{R₃}) · (f₂ ⊙ f₄)(d_{D₂})(m_{R₄})
   = (f₁(d_{D₁})(m_{R₁}) · f₃(m_{D₃})(m_{R₃})) · (f₂(d_{D₂})(m_{R₂}) · f₄(m_{D₄})(m_{R₄}))
   = (f₁(d_{D₁})(m_{R₁}) · f₂(d_{D₂})(m_{R₂})) · (f₃(m_{D₃})(m_{R₃}) · f₄(m_{D₄})(m_{R₄}))

Thus, (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) = (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄).

(9) Proved in Lemma B.2. □

Theorem 4.6. (M_D, ⊑, ⊕, ⊙, M_D) is a DIBI frame.

Proof. By Lemma K.8, all T-models are DIBI frames; by Lemma B.3, M_D is a T-model. Hence M_D is a DIBI frame. □

C SECTION 4.4, RELATIONAL MODEL: OMITTED PROOFS
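In the relational model, a kernel maps a memory to a set of memories, ⊕ becomes a natural join of outputs, and ⊙ a union over intermediate results. A minimal Python sketch under the same frozenset memory encoding (all names are ours, not from the paper's formalization):

```python
def memjoin(m1, m2):
    """Combine two memories if they agree on shared attributes (▷◁ on tuples)."""
    d1, d2 = dict(m1), dict(m2)
    if any(a in d2 and d2[a] != v for a, v in d1.items()):
        return None
    return frozenset({**d1, **d2}.items())

def natural_join(r1, r2):
    """▷◁ lifted to relations (sets of memories)."""
    return {m for t1 in r1 for t2 in r2 for m in [memjoin(t1, t2)] if m is not None}

def oplus_rel(f, g):
    """Parallel product f ⊕ g on relational kernels (dicts: memory -> set of memories)."""
    out = {}
    for df in f:
        for dg in g:
            d = memjoin(df, dg)
            if d is not None:
                out[d] = natural_join(f[df], g[dg])
    return out

def odot_rel(f, g):
    """Sequential composition: (f ⊙ g)(d) = union of g(u) for u in f(d)."""
    return {d: {v for u in f[d] for v in g[u]} for d in f}

# Example: f nondeterministically picks a, g extends each choice with b = a.
empty = frozenset()
f = {empty: {frozenset({('a', 1)}), frozenset({('a', 2)})}}
g = {frozenset({('a', i)}): {frozenset({('a', i), ('b', i)})} for i in (1, 2)}
fg = odot_rel(f, g)
```

Both composites preserve their inputs, mirroring the closure property of Lemma C.1.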
For the proof of Theorem 4.15 we need the following closure property.

Lemma C.1. M_P is closed under ⊕ and ⊙.

Proof. For any f₁, f₂ ∈ M_P, we need to show that:

• If f₁ ⊕ f₂ is defined, then f₁ ⊕ f₂ ∈ M_P. Recall that f₁ ⊕ f₂ is defined if and only if R₁ ∩ R₂ = D₁ ∩ D₂, which implies that

  (D₁ ∪ D₂) ∩ R₁ = (D₁ ∩ R₁) ∪ (D₂ ∩ R₁) = D₁ ∪ (D₁ ∩ D₂) = D₁
  (D₁ ∪ D₂) ∩ R₂ = (D₁ ∩ R₂) ∪ (D₂ ∩ R₂) = (D₁ ∩ D₂) ∪ D₂ = D₂

We show f₁ ⊕ f₂ also preserves the input: for any d ∈ Mem[D₁ ∪ D₂],

  (π_{D₁∪D₂}(f₁ ⊕ f₂))(d) = π_{D₁∪D₂}((f₁ ⊕ f₂)(d))
   = π_{D₁∪D₂}(f₁(d_{D₁}) ▷◁ f₂(d_{D₂}))
   =† π_{D₁} f₁(d_{D₁}) ▷◁ π_{D₂} f₂(d_{D₂})
   = {d_{D₁}} ▷◁ {d_{D₂}}    (because f₁, f₂ ∈ M_P)
   = {d}.

Step † follows because (D₁ ∪ D₂) ∩ R₁ = D₁ and (D₁ ∪ D₂) ∩ R₂ = D₂.

• If f₁ ⊙ f₂ is defined, then f₁ ⊙ f₂ ∈ M_P. Recall f₁ ⊙ f₂ is defined iff R₁ = D₂, and gives a map of type Mem[D₁] → P(Mem[R₂]). We show that f₁ ⊙ f₂ preserves the input: for any d ∈ Mem[D₁],

  (π_{D₁}(f₁ ⊙ f₂))(d) = (π_{D₁} f₁)(d)    (because D₁ ⊆ R₁ = D₂)
   = unit_{D₁}(d)

Thus, π_{D₁}(f₁ ⊙ f₂) = unit_{D₁} and hence f₁ ⊙ f₂ preserves the input. □

Lemma C.2.
The relational model M_P is a T-model (Definition K.1) for the monad T = P.

Proof. M_P satisfies conditions (1)–(4) and (10) by construction, so we only prove (5)–(9).

(5) We show that when both (f ⊕ g) ⊕ h and f ⊕ (g ⊕ h) are defined, (f ⊕ g) ⊕ h = f ⊕ (g ⊕ h). Consider f : Mem[S] → P(Mem[S ∪ T]), g : Mem[U] → P(Mem[U ∪ V]), and h : Mem[W] → P(Mem[W ∪ X]). For any d ∈ Mem[S ∪ U ∪ W],

  ((f ⊕ g) ⊕ h)(d) = (f(d_S) ▷◁ g(d_U)) ▷◁ h(d_W)
   = f(d_S) ▷◁ (g(d_U) ▷◁ h(d_W))    (by associativity of ▷◁)
   = (f ⊕ (g ⊕ h))(d)

(6) When both f₁ ⊕ f₂ and f₂ ⊕ f₁ are defined, they are equal. Analogous to M_D: instead of following from the commutativity of ·, it follows from the commutativity of ▷◁.

(7) For any f : Mem[A] → P(Mem[A ∪ X]) and any S ⊆ A, we must show f ⊕ unit_S = f. Since S ⊆ A, dom(f ⊕ unit_S) = A ∪ S = A = dom(f), and range(f ⊕ unit_S) = A ∪ X ∪ S = A ∪ X = range(f). For any d ∈ Mem[A], we have

  (f ⊕ unit_S)(d) = f(d) ▷◁ unit_S(d_S) = f(d) ▷◁ {d_S} = f(d)

Hence, f ⊕ unit_S = f.

(8) We show that when both (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) and (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) are defined, it holds that (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) = (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄). Take Dᵢ = dom(fᵢ) and Rᵢ = range(fᵢ) and note that well-definedness of the above terms implies that R₁ = D₃ and R₂ = D₄. Both terms have type Mem[D₁ ∪ D₂] → P(Mem[R₃ ∪ R₄]), and, for any d ∈ Mem[D₁ ∪ D₂]:

  ((f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄))(d)
   = {v | u ∈ (f₁ ⊕ f₂)(d), v ∈ (f₃ ⊕ f₄)(u)}
   = {v | u ∈ f₁(d_{D₁}) ▷◁ f₂(d_{D₂}), v ∈ f₃(u_{D₃}) ▷◁ f₄(u_{D₄})}    (def. ⊕)
   = {v | v ∈ f₃(x) ▷◁ f₄(y), x ∈ f₁(d_{D₁}), y ∈ f₂(d_{D₂})}    (⋆)
   = {v₁ ▷◁ v₂ | v₁ ∈ f₃(x), v₂ ∈ f₄(y), x ∈ f₁(d_{D₁}), y ∈ f₂(d_{D₂})}

  ((f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄))(d)
   = (f₁ ⊙ f₃)(d_{D₁}) ▷◁ (f₂ ⊙ f₄)(d_{D₂})    (def. ⊕)
   = {v₁ | u₁ ∈ f₁(d_{D₁}), v₁ ∈ f₃(u₁)} ▷◁ {v₂ | u₂ ∈ f₂(d_{D₂}), v₂ ∈ f₄(u₂)}    (def. ⊙)
   = {v₁ ▷◁ v₂ | v₁ ∈ f₃(u₁), v₂ ∈ f₄(u₂), u₁ ∈ f₁(d_{D₁}), u₂ ∈ f₂(d_{D₂})}

The step marked (⋆) follows from the fact that R₁ = D₃ and R₂ = D₄ implies that for any u ∈ f₁(d_{D₁}) ▷◁ f₂(d_{D₂}), we have u_{D₃} = x ∈ f₁(d_{D₁}) and u_{D₄} = y ∈ f₂(d_{D₂}).

(9) Proved in Lemma C.1. □

Theorem 4.15. (M_P, ⊑, ⊕, ⊙, E) is a DIBI frame.

Proof. By Lemma K.8, all T-models are DIBI frames; by Lemma C.2, M_P is a T-model. Hence M_P is a DIBI frame. □

D SECTION 5.1, CONDITIONAL INDEPENDENCE: OMITTED DETAILS
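The characterization developed in this section reduces formula (5.1) to the familiar statement X ⊥⊥ Y | Z over a finite distribution, which is directly checkable from the definition. A minimal Python sketch (the memory encoding and all function names are ours, not part of the paper's development):

```python
from itertools import product

def restrict(m, vars_):
    """Restrict a memory (frozenset of (variable, value) pairs) to a variable set."""
    return frozenset((v, val) for v, val in m if v in vars_)

def marginal(mu, vars_):
    """Marginalize a joint distribution (dict: memory -> probability)."""
    out = {}
    for m, p in mu.items():
        key = restrict(m, vars_)
        out[key] = out.get(key, 0.0) + p
    return out

def cond_indep(mu, X, Y, Z, tol=1e-9):
    """X ⊥⊥ Y | Z iff P(x,y,z) * P(z) == P(x,z) * P(y,z) for all assignments."""
    pz, pxz, pyz, pxyz = (marginal(mu, S) for S in (Z, X | Z, Y | Z, X | Y | Z))
    for mxz, myz in product(pxz, pyz):
        if restrict(mxz, Z) != restrict(myz, Z):
            continue  # incompatible assignments to Z
        joint = pxyz.get(mxz | myz, 0.0)
        if abs(joint * pz[restrict(mxz, Z)] - pxz[mxz] * pyz[myz]) > tol:
            return False
    return True

# Example: x and y are independent given z, but correlated unconditionally.
px = {0: (0.9, 0.1), 1: (0.2, 0.8)}
py = {0: (0.5, 0.5), 1: (0.7, 0.3)}
mu = {}
for z in (0, 1):
    for x in (0, 1):
        for y in (0, 1):
            mu[frozenset({('z', z), ('x', x), ('y', y)})] = 0.5 * px[z][x] * py[z][y]
```

With this construction, cond_indep(mu, {'x'}, {'y'}, {'z'}) holds while cond_indep(mu, {'x'}, {'y'}, set()) fails, matching the intuition that conditioning on z decouples x and y.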
First, we prove Lemma D.1 so we can use Lemma K.9 for M_D.

Lemma D.1 (Disintegration). If f = f₁ ⊙ f₂ and D₂ = R₁, then π_{R₁} f = f₁. Conversely, if π_R f = f₁, then there exists g such that f = f₁ ⊙ g.

Proof. For the forward direction, suppose that f = f₁ ⊙ f₂ and D₂ = R₁. Then,

  π_{R₁} f = π_{R₁}(f₁ ⊙ f₂) = f₁ ⊙ (π_{R₁} f₂) = f₁ ⊙ unit_{Mem[R₁]} = f₁.

Thus, π_{R₁} f = f₁.

For the converse, assume π_R f = f₁. Define g : Mem[R] → D(Mem[range(f)]) such that for any r ∈ Mem[R], m ∈ Mem[range(f)] such that r ▷◁ m is defined,

  g(r)(m) := f(r_D)(m) / (π_R f)(r_D)(r)   if (π_R f)(r_D)(r) ≠ 0
  g(r)(m) := 0                             if (π_R f)(r_D)(r) = 0

We check g ∈ M_D. Fixing any r ∈ Mem[R], denote the distribution f(r_D) as µ_r; then, if (π_R f)(r_D)(r) ≠ 0,

  g(r)(m) = µ_r(range(f) = m) / µ_r(R = r) = µ_r(range(f) = m | R = r)

so

  Σ_{m ∈ Mem[range(g)]} g(r)(m) = Σ_{m ∈ Mem[range(g)]} µ_r(range(f) = m | R = r) = 1.

Hence g maps any input to a distribution, and g preserves the input. By their types, f₁ ⊙ g is defined, and for any d ∈ Mem[D], m ∈ Mem[range(f)] such that d ▷◁ m is defined: if (π_R f)(d)(m_R) ≠ 0, then

  (f₁ ⊙ g)(d)(m) = f₁(d)(m_R) · g(m_R)(m)
   = f₁(d)(m_R) · f(m_D)(m) / (π_R f)(m_D)(m_R)
   = f₁(d)(m_R) · f(m_D)(m) / f₁(m_D)(m_R)
   = f(d)(m)    (d ▷◁ m is defined iff d = m_D)

If (π_R f)(d)(m_R) = 0, then f(d)(m) = 0, and (f₁ ⊙ g)(d)(m) = f₁(d)(m_R) · g(m_R)(m) = 0 = f(d)(m). Thus, f₁ ⊙ g = f. □

Theorem 5.4.
Given a distribution µ ∈ D(Mem[Var]), for any X, Y, Z ⊆ Var,

  f_µ ⊨ (∅ ▷ [Z]) ⨟ ((Z ▷ [X]) ∗ (Z ▷ [Y]))    (5.1)

if and only if X ⊥⊥ Y | Z and X ∩ Y ⊆ Z are both satisfied.

Proof. This result follows by combining Lemma D.2 and Lemma K.9. □

Lemma D.2.
For a distribution µ on Var and S, X, Y ⊆ Var, there exist f₁ : Mem[∅] → D(Mem[S]), f₂ : Mem[S] → D(Mem[S ∪ X]), f₃ : Mem[S] → D(Mem[S ∪ Y]), such that f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_µ, if and only if X ⊥⊥ Y | S and also X ∩ Y ⊆ S.

Proof. Forward direction: Assume the existence of f₁, f₂, f₃ satisfying f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_µ. We must prove X ⊥⊥ Y | S and X ∩ Y ⊆ S.

(1) X ∩ Y ⊆ S: f₂ ⊕ f₃ defined implies R₂ ∩ R₃ = D₂ ∩ D₃. Thus,

  X ∩ Y ⊆ (X ∪ S) ∩ (Y ∪ S) = R₂ ∩ R₃ = D₂ ∩ D₃ = S ∩ S = S

(2) X ⊥⊥ Y | S: By assumption, f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_µ. Lemma D.1 gives us f₁ ⊙ (f₂ ⊕ f₃) = π_{S∪X∪Y}(f_µ), and f₁ = π_S(f_µ). For any m ∈ Mem[S ∪ X ∪ Y], the restrictions m_X, m_Y, m_S agree with each other, and so m_X ▷◁ m_Y ▷◁ m_S is defined. Thus,

  µ(X = m_X, Y = m_Y, S = m_S) = (π_{X∪Y∪S} µ)(m_X ▷◁ m_Y ▷◁ m_S)    (by definition of µ)
   = π_{X∪Y∪S}(f_µ)(⟨⟩)(m_X ▷◁ m_Y ▷◁ m_S)
   = f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩)(m_X ▷◁ m_Y ▷◁ m_S)

Similarly, µ(S = m_S) := (π_S µ)(m_S). We have f₁ = π_S(f_µ), and so

  µ(S = m_S) = (π_S µ)(m_S) = (π_S(f_µ))(⟨⟩)(m_S) = f₁(⟨⟩)(m_S)    (D.1)

By definition of conditional probability, when µ(S = m_S) ≠ 0,

  µ(X = m_X, Y = m_Y | S = m_S) = µ(X = m_X, Y = m_Y, S = m_S) / µ(S = m_S)
   = f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩)(m_S ▷◁ m_X ▷◁ m_Y) / f₁(⟨⟩)(m_S)

By Eq. (4.4): f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩)(m_S ▷◁ m_X ▷◁ m_Y) = f₁(⟨⟩)(m_S) · (f₂ ⊕ f₃)(m_S)(m_S ▷◁ m_X ▷◁ m_Y). Thus,

  µ(X = m_X, Y = m_Y | S = m_S) = (f₂ ⊕ f₃)(m_S)(m_S ▷◁ m_X ▷◁ m_Y) = f₂(m_S)(m_{X∪S}) · f₃(m_S)(m_{Y∪S})    (D.2)

Let f₂′ = f₂ ⊕ unit_{Mem[Y]} and f₃′ = f₃ ⊕ unit_{Mem[X]}. By Lemma K.6,

  f₁ ⊙ (f₂ ⊕ f₃) = f₁ ⊙ f₂ ⊙ (f₃ ⊕ unit_{Mem[X]}) = f₁ ⊙ f₂ ⊙ f₃′
  f₁ ⊙ (f₂ ⊕ f₃) = f₁ ⊙ (f₃ ⊕ f₂) = f₁ ⊙ f₃ ⊙ (f₂ ⊕ unit_{Mem[Y]}) = f₁ ⊙ f₃ ⊙ f₂′

Lemma D.1 gives us:

  π_{X∪S}(f_µ) = π_{X∪S}(f₁ ⊙ (f₂ ⊕ f₃)) = π_{X∪S}(f₁ ⊙ f₂ ⊙ f₃′) = f₁ ⊙ f₂    (D.3)
  π_{Y∪S}(f_µ) = π_{Y∪S}(f₁ ⊙ (f₂ ⊕ f₃)) = π_{Y∪S}(f₁ ⊙ f₃ ⊙ f₂′) = f₁ ⊙ f₃    (D.4)

Therefore,

  µ(X = m_X, S = m_S) := (π_{X∪S} µ)(m_S ⊗ m_X) = (π_{X∪S}(f_µ))(⟨⟩)(m_S ⊗ m_X)
   = (f₁ ⊙ f₂)(⟨⟩)(m_S ⊗ m_X)    (by Eq. (D.3))
   = f₁(⟨⟩)(m_S) · f₂(m_S)(m_S ⊗ m_X)

  µ(Y = m_Y, S = m_S) := (π_{Y∪S} µ)(m_S ⊗ m_Y) = (π_{Y∪S}(f_µ))(⟨⟩)(m_S ⊗ m_Y)
   = (f₁ ⊙ f₃)(⟨⟩)(m_S ⊗ m_Y)    (by Eq. (D.4))
   = f₁(⟨⟩)(m_S) · f₃(m_S)(m_S ⊗ m_Y)

Thus, by definition of conditional probability,

  µ(X = m_X | S = m_S) = µ(X = m_X, S = m_S) / µ(S = m_S) = f₁(⟨⟩)(m_S) · f₂(m_S)(m_{S∪X}) / f₁(⟨⟩)(m_S)    (D.5)
   = f₂(m_S)(m_{S∪X})    (D.6)
  µ(Y = m_Y | S = m_S) = µ(Y = m_Y, S = m_S) / µ(S = m_S) = f₁(⟨⟩)(m_S) · f₃(m_S)(m_{S∪Y}) / f₁(⟨⟩)(m_S)    (D.7)
   = f₃(m_S)(m_{S∪Y})    (D.8)

Substituting Eq. (D.6) and Eq. (D.8) into Eq. (D.2), we have

  µ(X = m_X, Y = m_Y | S = m_S) = µ(X = m_X | S = m_S) · µ(Y = m_Y | S = m_S)

Thus, X, Y are conditionally independent given S. This completes the proof for the first direction.

Backward direction: We want to show that if X ⊥⊥ Y | S and X ∩ Y ⊆ S then there exist f₁, f₂, f₃ of the above types with f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_µ. Given µ, we define f₁ = π_S(f_µ) and construct f₂, f₃ as follows.

Let f₂ : Mem[S] → D(Mem[S ∪ X]). For any s ∈ Mem[S], x ∈ Mem[X] such that s ⊗ x is defined, when f₁(⟨⟩)(s) ≠ 0, let

  f₂(s)(s ⊗ x) := (π_{S∪X} f_µ)(⟨⟩)(s ⊗ x) / f₁(⟨⟩)(s)

(When f₁(⟨⟩)(s) = 0, we can define f₂(s)(s ⊗ x) arbitrarily as long as f₂(s) is a distribution, because that distribution will be zeroed out in f₁ ⊙ (f₂ ⊕ f₃) anyway.)

Similarly, let f₃ : Mem[S] → D(Mem[S ∪ Y]). For any s ∈ Mem[S], y ∈ Mem[Y] such that s ⊗ y is defined, when f₁(⟨⟩)(s) ≠ 0, let

  f₃(s)(s ⊗ y) := (π_{S∪Y} f_µ)(⟨⟩)(s ⊗ y) / f₁(⟨⟩)(s)

By construction, f₁, f₂, f₃ each has the type needed for the lemma. We are left to prove that f₂ and f₃ are kernels in M_D, f₁ ⊙ (f₂ ⊕ f₃) is defined, and f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_µ.

• State f₂ is in M_D. We need to show that for any s ∈ Mem[S], f₂(s) forms a distribution, and also f₂ preserves the input. For any s ∈ Mem[S], by Eq. (D.1), f₁(⟨⟩)(s) = µ(S = s). If f₁(⟨⟩)(s) = 0, then we define f₂(s) arbitrarily, making sure f₂(s) is a distribution. If f₁(⟨⟩)(s) ≠ 0: for any x ∈ Mem[X] such that s ⊗ x is defined, (π_{S∪X} f_µ)(⟨⟩)(s ⊗ x) = µ(S = s, X = x), so

  f₂(s)(s ⊗ x) = (π_{S∪X} f_µ)(⟨⟩)(s ⊗ x) / f₁(⟨⟩)(s) = µ(S = s, X = x) / µ(S = s) = µ(X = x | S = s)

Thus, f₂(s) is a distribution for any s ∈ Mem[S]. Also, f₂(s)(s ⊗ x) is non-zero only when s ⊗ x is defined, i.e., when (s ⊗ x)_S = s. So (π_S f₂)(s)(s) = Σ_{x ∈ Mem[X]} f₂(s)(s ⊗ x) = 1, and thus π_S f₂ = unit_{Mem[S]}. Therefore, f₂ preserves the input, and f₂ ∈ M_D.

• State f₃ is in M_D. Similar to the above.

• State f₁ ⊙ (f₂ ⊕ f₃) is defined. f₂ ⊕ f₃ is defined because R₂ ∩ R₃ = (S ∪ X) ∩ (S ∪ Y) = S ∪ (X ∩ Y). By assumption, X ∩ Y ⊆ S, so R₂ ∩ R₃ = S ∪ (X ∩ Y) = S = D₂ ∩ D₃. Meanwhile, dom(f₂ ⊕ f₃) = D₂ ∪ D₃ = S ∪ S = S = range(f₁), so f₁ ⊙ (f₂ ⊕ f₃) is also defined.

• State f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_µ. It suffices to show that there exists g such that (f₁ ⊙ (f₂ ⊕ f₃)) ⊙ g = f_µ. For any s ∈ Mem[S], x ∈ Mem[X], y ∈ Mem[Y] such that s ⊗ x ⊗ y is defined,

  f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩)(s ⊗ x ⊗ y) = f₁(⟨⟩)(s) · (f₂ ⊕ f₃)(s)(s ⊗ x ⊗ y)
   = f₁(⟨⟩)(s) · (f₂(s)(s ⊗ x) · f₃(s)(s ⊗ y))
   = µ(S = s) · (µ(X = x | S = s) · µ(Y = y | S = s))    (D.9)

Because X, Y are conditionally independent given S in the distribution µ,

  µ(X = x | S = s) · µ(Y = y | S = s) = µ(X = x, Y = y | S = s)    (D.10)

Substituting Eq. (D.10) into Eq. (D.9), we have

  f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩)(s ⊗ x ⊗ y) = µ(S = s) · µ(X = x, Y = y | S = s) = µ(X = x, Y = y, S = s)

Let g : Mem[X ∪ Y ∪ S] → D(Mem[Var]) such that for any d ∈ Mem[X ∪ Y ∪ S], m ∈ Mem[Var] such that d ⊗ m is defined, let

  g(d)(m) = µ(Var = m | X ∪ Y ∪ S = d)

Then, (f₁ ⊙ (f₂ ⊕ f₃)) ⊙ g is defined, and

  (f₁ ⊙ (f₂ ⊕ f₃) ⊙ g)(⟨⟩)(m) = (f₁ ⊙ (f₂ ⊕ f₃))(⟨⟩)(m_{X∪Y∪S}) · g(m_{X∪Y∪S})(m) = µ(Var = m)

Thus, (f₁ ⊙ (f₂ ⊕ f₃)) ⊙ g = f_µ, and therefore f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_µ. This completes the proof for the backward direction. □

Lemma D.3.
Let M = X ∩ Y. If X, Y are conditionally independent given S, then the values on M are determined given the values on S.

Proof. For any x ∈ Mem[X], y ∈ Mem[Y], s ∈ Mem[S], m ∈ Mem[M], when µ(X = x, Y = y, M = m | S = s) ≠ 0, it must be that x ⊗ y ⊗ s ⊗ m is defined. Note that x ⊗ y ⊗ s ⊗ m is defined only if m = π_M x = π_M y, which implies that m ⊗ x = x, m ⊗ y = y, m ⊗ x ⊗ y = x ⊗ y. Thus, for any x ∈ Mem[X], y ∈ Mem[Y], s ∈ Mem[S], m ∈ Mem[M] such that x ⊗ y ⊗ s ⊗ m is defined, we have:

  µ(X = x | S = s) = µ(X = x, M = m | S = s)
  µ(Y = y | S = s) = µ(Y = y, M = m | S = s)
  µ(X = x, Y = y | S = s) = µ(X = x, Y = y, M = m | S = s)

By assumption, X, Y are conditionally independent given S, so

  µ(X = x | S = s) · µ(Y = y | S = s) = µ(X = x, Y = y | S = s)
  ⟹ µ(X = x, M = m | S = s) · µ(Y = y, M = m | S = s) = µ(X = x, Y = y, M = m | S = s)    (D.11)

For any probabilistic events E₁, E₂, E₃, µ(E₁, E₂ | E₃) = µ(E₁ | E₂, E₃) · µ(E₂ | E₃). Thus,

  µ(X = x, M = m | S = s) = µ(X = x | M = m, S = s) · µ(M = m | S = s)    (D.12)
  µ(Y = y, M = m | S = s) = µ(Y = y | M = m, S = s) · µ(M = m | S = s)    (D.13)
  µ(X = x, Y = y, M = m | S = s) = µ(X = x, Y = y | M = m, S = s) · µ(M = m | S = s)    (D.14)

Therefore, by substituting Eq. (D.12), Eq. (D.13), Eq. (D.14) into Eq. (D.11) and cancelling repeated terms, we have

  µ(X = x | M = m, S = s) · µ(Y = y | M = m, S = s) · µ(M = m | S = s) = µ(X = x, Y = y | M = m, S = s)    (D.15)

Also, when x ⊗ y ⊗ m ⊗ s is not defined, both sides are 0. So the equation holds for all x, y, s, m of the right type. Thus, for any s ∈ Mem[S], m ∈ Mem[M] such that m ⊗ s is defined, we may sum both sides of Eq. (D.15) over all x ∈ Mem[X], y ∈ Mem[Y]. The right side gives

  Σ_{x ∈ Mem[X], y ∈ Mem[Y]} µ(X = x, Y = y | M = m, S = s) = 1    (D.16)

while the left side gives

  Σ_{x ∈ Mem[X], y ∈ Mem[Y]} µ(X = x | M = m, S = s) · µ(Y = y | M = m, S = s) · µ(M = m | S = s)
   = (Σ_{x ∈ Mem[X], y ∈ Mem[Y]} µ(X = x | M = m, S = s) · µ(Y = y | M = m, S = s)) · µ(M = m | S = s)
   = (Σ_{x ∈ Mem[X]} µ(X = x | M = m, S = s)) · (Σ_{y ∈ Mem[Y]} µ(Y = y | M = m, S = s)) · µ(M = m | S = s)
   = 1 · µ(M = m | S = s)    (D.17)

Equating Eq. (D.17) and Eq. (D.16), we derive µ(M = m | S = s) = 1. That is, when X ⊥⊥ Y | S, even if M ⊄ S, whenever x ⊗ y ⊗ m ⊗ s is defined there is no other m′ ≠ m such that x ⊗ y ⊗ m′ ⊗ s has positive probability given S = s. Thus, X ⊥⊥ Y | S renders the values on X ∩ Y deterministic given the values on S. □

E SECTION 5.2, JOIN DEPENDENCY: OMITTED DETAILS
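The join dependency X ▷◁ Y studied in this section is directly checkable for a finite relation: project onto X and onto Y, take the natural join, and compare with the original relation. A minimal Python sketch (all names are ours, not from the paper's formalization):

```python
def project(rel, attrs):
    """Project a relation (set of tuples, each a frozenset of (attr, value) pairs)."""
    return {frozenset((a, v) for a, v in t if a in attrs) for t in rel}

def natural_join(r1, r2):
    """R1 ▷◁ R2: combine tuples that agree on their shared attributes."""
    out = set()
    for t1 in r1:
        for t2 in r2:
            d1, d2 = dict(t1), dict(t2)
            if all(d2.get(a, v) == v for a, v in d1.items()):
                out.add(frozenset({**d1, **d2}.items()))
    return out

def has_join_dependency(rel, X, Y):
    """R satisfies X ▷◁ Y iff R equals the join of its projections onto X and Y."""
    return rel == natural_join(project(rel, X), project(rel, Y))

def t(**kw):
    return frozenset(kw.items())

# b and c vary independently for a fixed a: the decomposition is lossless.
R_good = {t(a=1, b=b, c=c) for b in (1, 2) for c in (1, 2)}
# Here the join of the projections adds spurious tuples: the dependency fails.
R_bad = {t(a=1, b=1, c=1), t(a=1, b=2, c=2)}
```

R_bad is the classic lossy case: joining its projections onto {a, b} and {a, c} reconstructs four tuples rather than the original two.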
We again prove a disintegration lemma for M_P (Lemma E.1) so that we can use Lemma K.9 on M_P.

Lemma E.1 (Disintegration). If f = f₁ ⊙ f₂ and D₂ = R₁, then π_{R₁} f = f₁. Conversely, if π_R f = f₁, then there exists g such that f = f₁ ⊙ g.

Proof. Assume f = f₁ ⊙ f₂ and D₂ = R₁. Then,

  π_{R₁} f = π_{R₁}(f₁ ⊙ f₂) = f₁ ⊙ (π_{R₁} f₂) = f₁ ⊙ unit_{Mem[R₁]} = f₁.

Conversely, assume π_R f = f₁. Define g : Mem[R] → P(Mem[range(f)]) by g(r) = {s ⊗ r | s ∈ f(r_D)}. Then

  (f₁ ⊙ g)(d) = {u | r ∈ f₁(d), u ∈ g(r)} = {s ⊗ r | s ∈ f(r_D), r ∈ (π_R f)(d)} = {s | s ∈ f(d)} = f(d). □

Theorem 5.5.
Let R ∈ P(Mem[Var]) and let X, Y be sets of attributes such that X ∪ Y = Var. The lifted relation f_R = ⟨⟩ ↦ R satisfies f_R ⊨ [X ∩ Y] ⨟ ([X] ∗ [Y]) iff R satisfies the join dependency X ▷◁ Y.

Proof. The result follows from combining Lemma E.2 and Lemma K.9. □

Lemma E.2.
For a relation R over attributes Var and X, Y ⊆ Var, there exist f₁ : Mem[∅] → P(Mem[X ∩ Y]), f₂ : Mem[X ∩ Y] → P(Mem[X]), f₃ : Mem[X ∩ Y] → P(Mem[Y]), such that f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_R, if and only if R_{X∪Y} = R_X ▷◁ R_Y.

Proof. Forward direction: Assuming there exist f₁, f₂, f₃ such that f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_R, we want to show that R_{X∪Y} = R_X ▷◁ R_Y.

We have f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_R, and f_R has empty domain. Hence, there exists h ∈ M_P such that f_R = (f₁ ⊙ (f₂ ⊕ f₃)) ⊙ h. Thus, f₁ ⊙ (f₂ ⊕ f₃) = π_{X∪Y} f_R, and so f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩) = R_{X∪Y}. Similarly to the reasoning in Lemma D.2, by Lemma K.6, we have

  f₁ ⊙ f₂ ⊑ f₁ ⊙ (f₂ ⊕ f₃)    and    f₁ ⊙ f₃ ⊑ f₁ ⊙ (f₂ ⊕ f₃)

Then, as above, f₁ ⊙ f₂ = π_X f_R and f₁ ⊙ f₃ = π_Y(f_R). So, f₁ ⊙ f₂(⟨⟩) = R_X and f₁ ⊙ f₃(⟨⟩) = R_Y. By definition of ⊕ and ⊙,

  f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩) = {u ▷◁ v | u ∈ f₁(⟨⟩) and v ∈ (f₂ ⊕ f₃)(u)}
   = {u ▷◁ v | u ∈ f₁(⟨⟩) and v ∈ {v₁ ▷◁ v₂ | v₁ ∈ f₂(u) and v₂ ∈ f₃(u)}}
   = {u ▷◁ (v₁ ▷◁ v₂) | u ∈ f₁(⟨⟩) and v₁ ∈ f₂(u) and v₂ ∈ f₃(u)}

Since ▷◁ is idempotent (u ▷◁ u = u), commutative, and associative, we have u ▷◁ (v ▷◁ w) = (u ▷◁ u) ▷◁ (v ▷◁ w) = (u ▷◁ v) ▷◁ (u ▷◁ w). Therefore, we can convert the previous equality into

  f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩) = {(u ▷◁ v₁) ▷◁ (u ▷◁ v₂) | u ∈ f₁(⟨⟩) and v₁ ∈ f₂(u) and v₂ ∈ f₃(u)}
   = {u ▷◁ v₁ | u ∈ f₁(⟨⟩) and v₁ ∈ f₂(u)} ▷◁ {u ▷◁ v₂ | u ∈ f₁(⟨⟩) and v₂ ∈ f₃(u)}
   = (f₁ ⊙ f₂)(⟨⟩) ▷◁ (f₁ ⊙ f₃)(⟨⟩)

Thus, R_{X∪Y} = R_X ▷◁ R_Y. This completes the proof for the first direction.

Backward direction: If R_{X∪Y} = R_X ▷◁ R_Y, then we want to show that there exist f₁ : Mem[∅] → P(Mem[X ∩ Y]), f₂ : Mem[X ∩ Y] → P(Mem[X]), f₃ : Mem[X ∩ Y] → P(Mem[Y]), such that f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_R.

Let f₁ = π_{X∩Y} f_R (so f₁(⟨⟩) = R_{X∩Y}) and define f₂ : Mem[X ∩ Y] → P(Mem[X]) by f₂(s) := {r ∈ R_X | r_{X∩Y} = s} for all s ∈ Mem[X ∩ Y]. Define f₃ : Mem[X ∩ Y] → P(Mem[Y]) by f₃(s) := {r ∈ R_Y | r_{X∩Y} = s} for all s ∈ Mem[X ∩ Y].

• By construction, f₁, f₂, f₃ have the desired types.

• States f₂, f₃ are both in M_P. f₂ preserves the input because for any s ∈ Mem[X ∩ Y], f₂(s) as a relation only includes tuples whose projection to X ∩ Y equals s. Thus, f₂ is in M_P. Similarly, f₃ is in M_P.

• f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_R. First, by their types, f₁ ⊙ (f₂ ⊕ f₃) is defined, and

  f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩) = {u ▷◁ v | u ∈ f₁(⟨⟩) and v ∈ (f₂ ⊕ f₃)(u)}    (E.1)
   = {u ▷◁ v | u ∈ f₁(⟨⟩) and v ∈ f₂(u_{D₂}) ▷◁ f₃(u_{D₃})}
   = {u ▷◁ v | u ∈ f₁(⟨⟩) and v ∈ f₂(u) ▷◁ f₃(u)}    (by D₂ = D₃ = X ∩ Y)
   = {u ▷◁ (v₁ ▷◁ v₂) | u ∈ f₁(⟨⟩) and v₁ ∈ f₂(u) and v₂ ∈ f₃(u)}
   = {(u ▷◁ v₁) ▷◁ (u ▷◁ v₂) | u ∈ f₁(⟨⟩) and v₁ ∈ f₂(u) and v₂ ∈ f₃(u)}    (because ▷◁ is idempotent, associative, commutative)
   = {u ▷◁ v₁ | u ∈ f₁(⟨⟩) and v₁ ∈ f₂(u)} ▷◁ {u ▷◁ v₂ | u ∈ f₁(⟨⟩) and v₂ ∈ f₃(u)}    (E.2)

Recall that we defined f₁ such that f₁(⟨⟩) = R_{X∩Y}, and f₂(s) := {r ∈ R_X | r_{X∩Y} = s}, so

  {u ▷◁ v₁ | u ∈ R_{X∩Y} and v₁ ∈ f₂(u)} = {u ▷◁ v₁ | u ∈ R_{X∩Y} and v₁ ∈ {r ∈ R_X | r_{X∩Y} = u}}
   = {v₁ | v₁ ∈ R_X and v₁_{X∩Y} ∈ R_{X∩Y}} = R_X    (E.3)

Analogously,

  {u ▷◁ v₂ | u ∈ f₁(⟨⟩) and v₂ ∈ f₃(u)} = R_Y    (E.4)

Substituting Eq. (E.3) and Eq. (E.4) into Eq. (E.2), we have f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩) = R_X ▷◁ R_Y. By assumption, R_X ▷◁ R_Y = R_{X∪Y}. Thus, f₁ ⊙ (f₂ ⊕ f₃)(⟨⟩) = R_{X∪Y}, and f₁ ⊙ (f₂ ⊕ f₃) = π_{X∪Y} f_R. By Lemma E.1, this implies that f₁ ⊙ (f₂ ⊕ f₃) ⊑ f_R. Thus, the constructed f₁, f₂, f₃ satisfy all requirements. □

F SECTION 5.3, GRAPHOID AXIOMS: OMITTED DETAILS
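The graphoid axioms proved in this section can also be sanity-checked numerically. The sketch below builds a finite joint distribution satisfying x ⊥⊥ {y, w} | z by construction and confirms the Weak Union consequence x ⊥⊥ y | {z, w}. (All helper names are ours; the independence test is the textbook factorization check over a finite joint, not the paper's kernel semantics.)

```python
from itertools import product

def restrict(m, vars_):
    return frozenset((v, val) for v, val in m if v in vars_)

def marginal(mu, vars_):
    out = {}
    for m, p in mu.items():
        key = restrict(m, vars_)
        out[key] = out.get(key, 0.0) + p
    return out

def cond_indep(mu, X, Y, Z, tol=1e-9):
    """X ⊥⊥ Y | Z iff P(x,y,z) * P(z) == P(x,z) * P(y,z) for all assignments."""
    pz, pxz, pyz, pxyz = (marginal(mu, S) for S in (Z, X | Z, Y | Z, X | Y | Z))
    for mxz, myz in product(pxz, pyz):
        if restrict(mxz, Z) != restrict(myz, Z):
            continue
        joint = pxyz.get(mxz | myz, 0.0)
        if abs(joint * pz[restrict(mxz, Z)] - pxz[mxz] * pyz[myz]) > tol:
            return False
    return True

# Joint over x, y, w, z with x ⊥⊥ {y, w} | z by construction:
# z uniform, then x and the pair (y, w) drawn independently given z.
px = {0: (0.9, 0.1), 1: (0.3, 0.7)}
pyw = {0: (0.4, 0.1, 0.2, 0.3), 1: (0.25, 0.25, 0.25, 0.25)}
mu = {}
for z in (0, 1):
    for x in (0, 1):
        for i, (y, w) in enumerate(((0, 0), (0, 1), (1, 0), (1, 1))):
            m = frozenset({('x', x), ('y', y), ('w', w), ('z', z)})
            mu[m] = 0.5 * px[z][x] * pyw[z][i]

antecedent = cond_indep(mu, {'x'}, {'y', 'w'}, {'z'})
consequence = cond_indep(mu, {'x'}, {'y'}, {'z', 'w'})
```

On this example both flags come out true, as Weak Union predicts; a single random joint is of course only a sanity check, not a proof.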
Lemma F.1. The following judgment is derivable in DIBI: ⊢ P ⨟ (Q ∗ R) → P ⨟ (R ∗ Q).

Proof. We have the derivation:

  (Ax)      P ⊢ P
  (∗-Comm)  Q ∗ R ⊢ R ∗ Q
  (⨟-Conj)  P ⨟ (Q ∗ R) ⊢ P ⨟ (R ∗ Q)
  (→)       ⊢ P ⨟ (Q ∗ R) → P ⨟ (R ∗ Q) □

Lemma F.2. The following judgment is derivable in DIBI: ⊢ P ⨟ (Q ∗ (R ∧ S)) → (P ⨟ (Q ∗ R)) ∧ (P ⨟ (Q ∗ S)).

Proof. We have the derivation:

  (Ax)      P ⊢ P
  (Ax)      Q ⊢ Q
  (Ax, ∧)   R ∧ S ⊢ R
  (∗-Conj)  Q ∗ (R ∧ S) ⊢ Q ∗ R
  (⨟-Conj)  P ⨟ (Q ∗ (R ∧ S)) ⊢ P ⨟ (Q ∗ R)

and, symmetrically, P ⨟ (Q ∗ (R ∧ S)) ⊢ P ⨟ (Q ∗ S). By (∧) and (→),

  ⊢ P ⨟ (Q ∗ (R ∧ S)) → (P ⨟ (Q ∗ R)) ∧ (P ⨟ (Q ∗ S)) □

Lemma F.3 (Weak Union).
The following judgment is valid in any T -model where Disintegrationholds (see Lemma D.1 and Lemma E.1 for Disintegration): | = [ Z ] (cid:35) ([ X ] ∗ [ Y ∪ W ]) → [ Z ∪ W ] (cid:35) ([ X ] ∗ [ Y ]) Proof. Let M be a T -model. If f | = [ Z ] (cid:35) ([ X ] ∗ [ Y ∪ W ]) , by Lemma K.9, there exist f , f , f ∈ M such that f ⊙ ( f ⊕ f ) ⊑ f , f : Mem [∅] → T (
Mem [ Z ]) , f : Mem [ Z ] → T ( Mem [ Z ∪ X ]) , f : Mem [ Z ] → T ( Mem [ Z ∪ Y ∪ W ]) .Let f = π Z ∪ W f , then by Disintegration there exists f ∈ M such that f = f ⊙ f .Since f ⊙ ( f ⊕ f ) ⊑ f , and f has empty domain, there must exists v ∈ M such that f = f ⊙ ( f ⊕ f ) ⊙ v = f ⊙ f ⊙ ( unit Z ∪ Y ∪ W ⊕ f ) ⊙ v (By Lemma K.6) = f ⊙ f ⊙ ( unit Y ∪ W ⊕ f ) ⊙ v (By dom ( f ) = Z ) = f ⊙ ( f ⊙ f ) ⊙ ( unit Y ∪ W ⊕ f ) ⊙ v = f ⊙ f ⊙ ( f ⊙ ( unit Y ∪ W ⊕ f )) ⊙ v = f ⊙ f ⊙ (( f ⊕ unit W ) ⊕ f ) ⊙ v ( † )where † follows from Lemma K.5 and dom ( f ⊕ unit W ) = Z ∪ W ⊆ range ( f ) .Thus, f ⊙ f ⊙ (( f ⊕ unit W ) ⊕ f ) ⊑ f .Note that f ⊙ f has type Mem [∅] → T
( Mem [ Z ∪ W ]) , so f ⊙ f | = (∅ ▷ [ Z ∪ W ]) . State f ⊕ unit W has type Mem [ Z ∪ W ] → T ( Mem [ Z ∪ W ∪ X ]) , so f ⊕ unit W | = ( Z ∪ W ▷ [ X ]) . State f has type Mem [ Z ∪ W ] → T ( Mem [ Z ∪ W ∪ Y ]) , so f | = ( Z ∪ W ▷ [ Y ]) . Therefore, f ⊙ f ⊙ (( f ⊕ unit W ) ⊕ f ) | = (∅ ▷ [ Z ∪ W ]) ⨟ (( Z ∪ W ▷ [ X ]) ∗ ( Z ∪ W ▷ [ Y ])) . By persistence, f | = [ Z ∪ W ] ⨟ ([ X ] ∗ [ Y ]) , and Weak Union is valid. □
Lemma F.4 (Contraction).
The following judgment is valid in any T -model: | = ([ Z ] ⨟ ([ X ] ∗ [ Y ])) ∧ ([ Z ∪ Y ] ⨟ ([ X ] ∗ [ W ])) → [ Z ] ⨟ ([ X ] ∗ [ Y ∪ W ])
Proof. Let M be a T -model. If h | = ([ Z ] ⨟ ([ X ] ∗ [ Y ])) ∧ ([ Z ∪ Y ] ⨟ ([ X ] ∗ [ W ])) , then
• h | = [ Z ] ⨟ ([ X ] ∗ [ Y ]) . By Lemma K.9, there exist f , f , f such that f : Mem [∅] → T (
Mem [ Z ]) , f : Mem [ Z ] → T ( Mem [ Z ∪ X ]) , f : Mem [ Z ] → T ( Mem [ Z ∪ Y ]) , and f ⊙ ( f ⊕ f ) ⊑ h . Note that f ⊙ ( f ⊕ f ) has type Mem [∅] → T (
Mem [ Z ∪ X ∪ Y ]) .
• h | = [ Z ∪ Y ] ⨟ ([ X ] ∗ [ W ]) . By Lemma K.9, there exist g , g , g such that g : Mem [∅] → T (
Mem [ Z ∪ Y ]) , g : Mem [ Z ∪ Y ] → T ( Mem [ Z ∪ Y ∪ X ]) , g : Mem [ Z ∪ Y ] → T ( Mem [ Z ∪ Y ∪ W ]) , and g ⊙ ( g ⊕ g ) ⊑ h . Note that g ⊙ g has type Mem [∅] → T (
Mem [ Z ∪ Y ∪ X ]) .
By Lemma K.10, f ⊙ ( f ⊕ f ) = g ⊙ g .
g ⊙ ( g ⊕ g ) = g ⊙ ( g ⊕ unit Z ∪ Y ) ⊙ ( unit Z ∪ Y ∪ X ⊕ g ) (By Lemma K.6)
= g ⊙ g ⊙ ( unit Z ∪ X ⊕ g ) (Because Z ∪ Y ⊆ dom ( g ) , Y ⊆ dom ( g ) )
= f ⊙ ( f ⊕ f ) ⊙ ( unit Z ∪ X ⊕ g ) (Since f ⊙ ( f ⊕ f ) = g ⊙ g )
= f ⊙ ( ( f ⊙ unit Z ∪ X ) ⊕ ( f ⊙ g ) ) (By the Exchange equality)
= f ⊙ ( f ⊕ ( f ⊙ g ) ) .
By their types, it is easy to see that f | = (∅ ▷ [ Z ]) , f | = ( Z ▷ [ X ]) , and f ⊙ g | = ( Z ▷ [ Y ∪ W ]) . So f ⊙ ( f ⊕ ( f ⊙ g )) | = [ Z ] ⨟ ([ X ] ∗ [ Y ∪ W ]) . Also, note that h ⊒ g ⊙ ( g ⊕ g ) = f ⊙ ( f ⊕ ( f ⊙ g )) , so by persistence, h | = (∅ ▷ [ Z ]) ⨟ (( Z ▷ [ X ]) ∗ ( Z ▷ [ Y ∪ W ])) . □ G SECTION 6.2, ATOMIC PROPOSITIONS: OMITTED DETAILS
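The graphoid axioms above concern conditional independence, which for finite distributions is the pointwise condition P(x, y, z) · P(z) = P(x, z) · P(y, z). The following checker is a small sketch; the outcome-tuple encoding and helper names are ours, not the paper's:

```python
from collections import defaultdict

def marginal(joint, idxs):
    """Marginalize a joint distribution {outcome tuple: prob} onto coordinates."""
    out = defaultdict(float)
    for t, p in joint.items():
        out[tuple(t[i] for i in idxs)] += p
    return dict(out)

def cond_indep(joint, X, Y, Z, tol=1e-9):
    """Check X _||_ Y | Z: P(x,y,z)P(z) = P(x,z)P(y,z) on all relevant outcomes.

    X, Y, Z are tuples of coordinate indices into the outcome tuples.
    """
    pz, pxz, pyz = marginal(joint, Z), marginal(joint, X + Z), marginal(joint, Y + Z)
    pxyz = marginal(joint, X + Y + Z)
    for xz, a in pxz.items():
        for yz, b in pyz.items():
            if xz[len(X):] != yz[len(Y):]:
                continue  # different z-values, nothing to compare
            z = xz[len(X):]
            lhs = pxyz.get(xz[:len(X)] + yz[:len(Y)] + z, 0.0) * pz[z]
            if abs(lhs - a * b) > tol:
                return False
    return True
```

For instance, with z a fair coin and x = y = z, the variables x and y are dependent unconditionally but independent given z, matching the shape of the conditioning statements proved above.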
As we described in Section 6.2, atomic formulas for CPSL are of the form ( D ▷ R ) . The domain assertions D are of the form S : ϕ d , where S is a set of variables and ϕ d describes memories, and the range assertions R are of the form ϕ r , where ϕ r is from a fragment of probabilistic BI.
Proposition 6.9. The following axiom schemas for atomic propositions are sound.
( S : p d ▷ p r ) ∧ ( S : p ′ d ▷ p ′ r ) → ( S : p d ∧ p ′ d ▷ p r ∧ p ′ r ) if FV ( p r ) = FV ( p ′ r ) (AP-And)
( S : p d ▷ p r ) ∧ ( S : p ′ d ▷ p ′ r ) → ( S : p d ∨ p ′ d ▷ p r ∨ p ′ r ) (AP-Or)
( S : p d ▷ p r ) ∗ ( S ′ : p ′ d ▷ p ′ r ) → ( S ∪ S ′ : p d ∧ p ′ d ▷ p r ∗ p ′ r ) (AP-Par)
| = d p ′ d → p d and | = r p r → p ′ r implies | = ( S : p d ▷ p r ) → ( S : p ′ d ▷ p ′ r ) (AP-Imp)
Proof. We check each of the axioms. Case: AP-And.
Suppose that w | = ( S : p d ▷ p r ) ∧ ( S : p ′ d ▷ p ′ r ) . By the semantics of atomic propositions, there exist w ⊑ k w and w ⊑ k w such that for all m ∈ Mem [ S ] such that m | = d p d ∧ p ′ d , we have w ( m ) | = r p r and w ( m ) | = r p ′ r . By restriction (Theorem 6.10), we may assume that range ( w ) = FV ( p r ) = FV ( p ′ r ) = range ( w ) . Thus, Proposition G.1 implies that w = w , and so w | = ( S : p d ∧ p ′ d ▷ p r ∧ p ′ r ) . Case: AP-Or.
Immediate, by semantics of ∨ . Case: AP-Par.
Suppose that w | = ( S : p d ▷ p r ) ∗ ( S ′ : p ′ d ▷ p ′ r ) . We will show that w | = ( S ∪ S ′ : p d ∗ p ′ d ▷ p r ∗ p ′ r ) .By semantics of atomic propositions, there exists w ⊑ k w and w ⊑ k w such that w ⊕ w ⊑ w ,and for all m ∈ Mem [ S ] such that m | = d p d , we have w ( m ) | = r p r , and for all m ∈ Mem [ S ′ ] such that m | = d p ′ d , we have w ( m ) | = r p ′ r .Now for any m ∈ Mem [ S ∪ S ′ ] such that m | = d p d ∧ p ′ d , we have m S | = d p d and m S ′ | = d p ′ d . Thus w ( m S ) | = r p r and w ( m S ′ ) | = r p ′ r . Letting T = S ∩ S ′ and T = S \ T ; T = S ′ \ T be disjoint sets,and noting that w , w both preserve inputs on T , we have: w ⊕ w ( m ) = π T w ( m S ) ⊗ unit ( m T ) ⊗ π T w ( m S ′ ) = ( π T w ( m S ) ⊗ unit ( m T )) ⊕ r ( unit ( m T ) ⊗ π T w ( m S ′ )) = w ( m S ) ⊕ r w ( m S ′ )| = r p r ∗ p ′ r Thus, w | = ( S ∪ S ′ : p d ∗ p ′ d ▷ p r ∗ p ′ r ) . , Vol. 1, No. 1, Article . Publication date: August 2020. Case: AP-Imp.
Immediate, by semantics of → . □ For the proof of Theorem 6.10, we need the following characterization of д ⊑ f .Proposition G.1. Let f be a Markov kernel, and let D ⊆ dom ( f ) ⊆ R ⊆ range ( f ) . Then we have π R ( f ( m )) = д ( m ′ ) for all m ′ ∈ Mem [ D ] , m ∈ Mem [ dom ( f )] such that m D = m ′ if and only if д ⊑ f and dom ( д ) = D , range ( д ) = R . Proof. For the reverse direction, suppose that f = ( д ⊕ unit S ) ⊙ v , with S disjoint from dom ( д ) .Since range ( д ) ⊆ dom ( v ) , we have: π R ( f ( m )) = π R (( д ⊕ unit S )( m )) = π R ( д ( m D ) ⊕ unit S ( m S )) = π R ( д ( m D )) ⊗ π R ( unit S ( m S )) = д ( m D ) = д ( m ′ ) . For the forward direction, evidently dom ( д ) = D and range ( д ) = R . Since f preserves input tooutput, we have π dom ( f ) ( д ( m ′ )) = π dom ( f ) ( f ( m )) = unit ( m ′ ) so д preserves input to output and д isa Markov kernel. We claim that д ⊑ f . First, consider д ⊕ unit dom ( f )\ D ; write D ′ = dom ( f ) \ D . Forany m ∈ Mem [ dom ( f )] , we have: π D ′ ∪ R ( f ( m )) = π R ( f ( m )) ⊗ π D ′ ( f ( m )) = д ( m D ) ⊗ unit D ′ ( m D ′ ) = ( д ⊕ unit D ′ )( m ) . So by Lemma D.1, for every m ∈ Mem [ dom ( f )] there exists a family of kernels д ′ m : Mem [ D ′ ∪ R ] →D( Mem [ range ( f )]) such that f ( m ) = bind (( д ⊕ unit D ′ )( m ) , д ′ m ) Defining д ′ ( m ) ≜ д ′ m dom ( f ) ( m ) , we have: f ( m ) = (( д ⊕ unit D ′ ) ⊙ д ′ )( m ) and so д ⊑ f . □ We prove that all assertions in the restricted logic RDIBI satisfy restriction.Theorem 6.10 (Restriction in RDIBI).
Let P ∈ Form
RDIBI with atomic propositions ( D ▷ R ) , as described above. Then f | = P if and only if there exists f ′ ⊑ f such that range ( f ′ ) ⊆ FV ( P ) and f ′ | = P .
Proof. The reverse direction is immediate from persistence. For the forward direction, we argue by induction with a stronger hypothesis. If f | = P , we call a state f ′ a witness of f | = P if f ′ ⊑ f , FV R ( P ) ⊆ range ( f ′ ) ⊆ FV ( P ) , dom ( f ′ ) ⊆ FV D ( P ) , and f ′ | = P . We show that f | = P implies that there is a witness f ′ of f | = P , by induction on P .
Case ( D ▷ R ) : We will use two basic facts, both following from the form of the domain and range assertions:
(1) If m | = d D , then dom ( m ) = FV ( D ) .
(2) If µ | = r R , then dom ( µ ) ⊇ FV ( D ) .
f | = ( D ▷ R ) implies that there exists f ′ ⊑ f such that for any m ∈ M d such that m | = d D , f ′ ( m ) is defined and f ′ ( m ) | = r R . Let T = range ( f ′ ) ∩ ( FV ( D ) ∪ FV ( R )) . We claim that π T f ′ is the desired witness for f | = P .
• π T f ′ is defined and π T f ′ ⊑ f because dom ( f ′ ) = dom ( m ) (for any m ∈ M d such that m | = d D ) = FV ( D ) ⊆ T . Thus π T f ′ is defined, and π T f ′ ⊑ f ′ ⊑ f .
• range ( π T f ′ ) = T ⊆ FV ( D ) ∪ FV ( R ) = FV ( P ) .
• π T f ′ | = ( D ▷ R ) : For any m ∈ M d such that m | = d D , f ′ ( m ) is a distribution. By the restriction theorem for probabilistic BI, π FV ( R )∩ range ( f ′ ) ( f ′ ( m )) | = R too. Since T ⊇ FV ( R ) ∩ range ( f ′ ) , persistence in M r implies π T ( f ′ ( m )) | = R . By definition of marginalization on kernels, ( π T f ′ )( m ) = π T ( f ′ ( m )) . Since ( π T f ′ )( m ) | = R , we have π T f ′ | = ( D ▷ R ) as well.
• FV D ( P ) = FV ( D ) , so dom ( π T f ′ ) = dom ( m ) = FV ( D ) = FV D ( P ) .
• FV R ( P ) = FV ( D ▷ R ) = FV ( D ) ∪ FV ( R ) , so
range ( π T f ′ ) ⊇ dom (( π T f ′ )( m )) (for any m ∈ M d such that m | = d D )
⊇ FV ( D ) ∪ FV ( R ) (By ( π T f ′ )( m ) | = R )
= FV R ( P ) .
So π T f ′ is a desired witness for f | = P .
Case Q ∧ R : Assume FV R ( Q ) = FV ( Q ) = FV R ( R ) = FV ( R ) . By definition, f | = Q ∧ R implies that f | = Q and f | = R . By induction, there exists f ′ ⊑ f such that FV R ( Q ) = range ( f ′ ) = FV ( Q ) , dom ( f ′ ) ⊆ FV D ( Q ) , and f ′ | = Q , and there exists f ′′ ⊑ f such that FV R ( R ) = range ( f ′′ ) = FV ( R ) , dom ( f ′′ ) ⊆ FV D ( R ) , and f ′′ | = R . Thus, range ( f ′ ) = range ( f ′′ ) .
Note that dom ( f ′ ) = dom ( f ) ∩ range ( f ′ ) because in our models, f ′ ⊑ f implies that there exist S and some v such that f = ( f ′ ⊕ η S ) ⊙ v , and we can make S disjoint from dom ( f ′ ) and range ( f ′ ) without loss of generality. Then, dom ( f ) = dom ( f ′ ⊕ η S ) = dom ( f ′ ) ∪ S , and range ( f ′ ) = range ( f ′ ⊕ η S ) \ S , so dom ( f ) ∩ range ( f ′ ) ⊆ dom ( f ′ ) . Meanwhile, since dom ( f ′ ) ⊆ dom ( f ) and dom ( f ′ ) ⊆ range ( f ′ ) , dom ( f ′ ) ⊆ dom ( f ) ∩ range ( f ′ ) . So dom ( f ′ ) = dom ( f ) ∩ range ( f ′ ) . Similarly, dom ( f ′′ ) = dom ( f ) ∩ range ( f ′′ ) , so range ( f ′ ) = range ( f ′′ ) implies that dom ( f ′ ) = dom ( f ′′ ) . Since dom ( f ′ ) = dom ( f ′′ ) and range ( f ′ ) = range ( f ′′ ) , Proposition G.1 implies that f ′ = f ′′ . This is the desired witness: f ′ = f ′′ | = Q and f ′ = f ′′ | = R .
Case Q ∨ R : f | = Q ∨ R implies that f | = Q or f | = R . Without loss of generality, suppose f | = Q . By induction, there exists f ′ ⊑ f such that f ′ | = Q , FV R ( Q ) ⊆ range ( f ′ ) ⊆ FV ( Q ) , and dom ( f ′ ) ⊆ FV D ( Q ) . Then:
range ( f ′ ) ⊆ FV ( Q ) ∪ FV ( R ) = FV ( P )
range ( f ′ ) ⊇ FV R ( Q ) ∩ FV R ( R ) = FV R ( P )
dom ( f ′ ) ⊆ FV ( Q ) ∪ FV ( R ) = FV D ( P ) .
Thus, f ′ is a desired witness.
Case Q ⨟ R : Assume FV D ( R ) ⊆ FV R ( Q ) .
f | = Q ⨟ R implies that there exist f , f such that f ⊙ f = f , f | = Q , and f | = R . f ⊙ f is defined, so range ( f ) = dom ( f ) . By induction, there exists f ′ ⊑ f such that f ′ | = Q , FV R ( Q ) ⊆ range ( f ′ ) ⊆ FV ( Q ) and dom ( f ′ ) ⊆ FV D ( Q ) , and there exists f ′ ⊑ f such that f ′ | = R , FV R ( R ) ⊆ range ( f ′ ) ⊆ FV ( R ) , and dom ( f ′ ) ⊆ FV D ( R ) .
Now, f̂ = f ′ ⊙ ( f ′ ⊕ unit range ( f ′ )\ dom ( f ′ ) ) is defined because dom ( f ′ ) ⊆ FV D ( R ) ⊆ FV R ( Q ) ⊆ range ( f ′ ) . Then, we have
f̂ | = Q ⨟ R
range ( f̂ ) = range ( f ′ ) ∪ range ( f ′ ) ⊆ FV ( Q ) ∪ FV ( R ) = FV ( P )
range ( f̂ ) = range ( f ′ ) ∪ range ( f ′ ) ⊇ FV R ( Q ) ∪ FV R ( R ) = FV R ( P )
dom ( f̂ ) = dom ( f ′ ) ⊆ FV D ( Q ) = FV D ( P ) .
Since f ′ ⊑ f and f ′ ⊕ unit range ( f ′ )\ dom ( f ′ ) ⊑ f , by Lemma K.7, f̂ = f ′ ⊙ ( f ′ ⊕ unit range ( f ′ )\ dom ( f ′ ) ) ⊑ f ⊙ f = f . Thus, f̂ is a desired witness.
Case Q ∗ R : f | = Q ∗ R implies that there exist f , f such that f ⊕ f ⊑ f , f | = Q , and f | = R . By induction, there exists f ′ ⊑ f such that f ′ | = Q , FV R ( Q ) ⊆ range ( f ′ ) ⊆ FV ( Q ) and dom ( f ′ ) ⊆ FV D ( Q ) , and there exists f ′ ⊑ f such that f ′ | = R , FV R ( R ) ⊆ range ( f ′ ) ⊆ FV ( R ) , and dom ( f ′ ) ⊆ FV D ( R ) . By downwards closure of ⊕ , f ′ ⊕ f ′ is defined and f ′ ⊕ f ′ ⊑ f ⊕ f ⊑ f . We have f ′ ⊕ f ′ | = Q ∗ R , and
range ( f ′ ⊕ f ′ ) = range ( f ′ ) ∪ range ( f ′ ) ⊆ FV ( Q ) ∪ FV ( R ) = FV ( P )
range ( f ′ ⊕ f ′ ) = range ( f ′ ) ∪ range ( f ′ ) ⊇ FV R ( Q ) ∪ FV R ( R ) = FV R ( P )
dom ( f ′ ⊕ f ′ ) = dom ( f ′ ) ∪ dom ( f ′ ) ⊆ FV D ( Q ) ∪ FV D ( R ) = FV D ( P ) .
Thus, f ′ ⊕ f ′ is a desired witness. □
H SECTION 6.3, CPSL: OMITTED DETAILS
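The kernel operations ⊙ (sequential) and ⊕ (parallel) used throughout these proofs can be modeled concretely for finite distributions, with memories as Python dicts. The following is a minimal sketch under our own encoding, ignoring the domain/range bookkeeping of the formal model:

```python
def unit(mem):
    """Dirac kernel at the input memory (memories are dicts var -> value)."""
    return {frozenset(mem.items()): 1.0}

def seq(f, g):
    """Sequential composition f ; g: run f, feed each output memory to g."""
    def h(mem):
        out = {}
        for m1, p1 in f(mem).items():
            for m2, p2 in g(dict(m1)).items():
                out[m2] = out.get(m2, 0.0) + p1 * p2
        return out
    return h

def par(f, g):
    """Parallel composition: run f and g independently and merge outputs.

    Assumes f and g preserve their shared input, so merged memories agree."""
    def h(mem):
        out = {}
        for m1, p1 in f(mem).items():
            for m2, p2 in g(mem).items():
                merged = frozenset({**dict(m1), **dict(m2)}.items())
                out[merged] = out.get(merged, 0.0) + p1 * p2
        return out
    return h
```

For example, composing two fair-coin kernels with par from the empty memory yields the uniform distribution on two bits, the shape of the ∗-separated states in the proofs above.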
To prove soundness for CPSL (Theorem 6.12), we rely on a few lemmas about program semantics.
Lemma H.1.
Suppose that e is an expression not containing x , and let µ ∈ D( Mem [ Var ]) . Then: f ⟦ x ← e ⟧ µ = f µ ⊙ ( m ↦ unit ( m Var \{ x } )) ⊙ (( m ↦ unit ( m ∪ ( x ↦ ⟦ e ⟧ ( m )))) ⊕ ( m ↦ unit ( m ))) where m ∈ Mem [ Var \ { x }] and m ∈ Mem [ Var \ { x } \ FV ( e )] . Lemma H.2.
Suppose that d is a distribution expression not containing x , and let µ ∈ D( Mem [ Var ]) . Then: f ⟦ x $← d ⟧ µ = f µ ⊙ ( m ↦ unit ( m Var \{ x } )) ⊙ (( ⟦ d ⟧ ⊙ ( v ↦ [ x ↦ v ])) ⊕ ( m ↦ unit ( m )) ⊕ ( m ↦ unit ( m ))) where m ∈ Mem [ Var \ { x }] and m ∈ Mem [ Var \ { x } \ FV ( d )] , and ⟦ d ⟧ : Mem [ FV ( d )] → D( Val ) . The rule Frame relies on simple syntactic conditions for approximating which variables may be read, which variables must be written before they are read, and which variables may be modified.
Definition H.3. RV, WV, MV are defined as follows:
RV ( x ← e ) := FV ( e )    RV ( x $← d ) := FV ( d )
RV ( c ; c ′ ) := RV ( c ) ∪ ( RV ( c ′ ) \ WV ( c ))
RV ( if b then c else c ′ ) := FV ( b ) ∪ RV ( c ) ∪ RV ( c ′ )
WV ( x ← e ) := { x } \ FV ( e )    WV ( x $← d ) := { x } \ FV ( d )
WV ( c ; c ′ ) := WV ( c ) ∪ ( WV ( c ′ ) \ RV ( c ))
WV ( if b then c else c ′ ) := ( WV ( c ) ∩ WV ( c ′ )) \ FV ( b )
MV ( x ← e ) := { x }    MV ( x $← d ) := { x }
MV ( c ; c ′ ) := MV ( c ) ∪ MV ( c ′ )
MV ( if b then c else c ′ ) := MV ( c ) ∪ MV ( c ′ )
Other analyses are possible, so long as non-modified variables are preserved from input to output, and output modified variables depend only on input read variables.
Lemma H.4 (Soundness for RV, WV, MV [Barthe et al. 2019]).
Let µ ′ = ⟦ c ⟧ µ , and let R = RV ( c ) , W = WV ( c ) , C = Var \ MV ( c ) . Then:
(1) Variables outside of MV ( c ) are not modified: π C ( µ ′ ) = π C ( µ ) .
(2) The sets R and W are disjoint.
(3) There exists f : Mem [ R ] → D( Mem [ MV ( c )]) with µ ′ = bind ( µ , m ↦ f ( π R ( m )) ⊗ unit ( π C ( m ))) .
We recall the definition of validity in CPSL.
Definition 6.11 (CPSL Validity).
A CPSL judgment { P } c { Q } is valid , written | = { P } c { Q } , if for every input distribution µ ∈ D( Mem [ Var ]) such that the lifted input f µ : Mem [∅] → D(
Mem [ Var ]) satisfies f µ | = P , the lifted output satisfies f ⟦ c ⟧ µ | = Q .
Now, we are ready to prove soundness of CPSL.
Theorem 6.12 (CPSL Soundness). CPSL is sound: derivable judgments are valid.
Proof. By induction on the derivation. Throughout, we write µ : D( Mem [ Var ]) for the input and f : Mem [∅] → D(
Mem [ Var ]) for the lifted input, and we assume that f satisfies the pre-condition of the conclusion. Case: Assn.
By restriction (Theorem 6.10), there exists k ⊑ f such that FV ( e ) ⊆ FV R ( P ) ⊆ range ( k ) ⊆ FV ( P ) ; let K = range ( k ) . Since f has empty domain, we have f = k ⊙ k for some k : Mem [ K ] → D( Mem [ Var ]) . Let f ′ = f ⟦ x ← e ⟧ µ be the lifted output. By Lemma H.1 and associativity, we have:
f ′ = f ⊙ ( m ↦ unit ( m Var \{ x } )) ⊙ (( m ↦ unit ( m ∪ ( x ↦ ⟦ e ⟧ ( m )))) ⊕ ( m ↦ unit ( m )))
= j ⊙ ( j ⊕ j ) , where j = k ⊙ k ⊙ ( m ↦ unit ( m Var \{ x } )) , j = m ↦ unit ( m ∪ ( x ↦ ⟦ e ⟧ ( m ))) , and j = m ↦ unit ( m ) ,
where m : Mem [ Var ] , m : Mem [ FV ( e )] , and m : Mem [ Var \ FV ( e ) \ { x }] . Note that even though the components of j do not preserve input to output, j itself does preserve input to output; j and j also evidently have this property. Now since k ⊑ j and k | = P , we have j | = P . Since j ⊑ j ⊕ j and j | = ( FV ( e ) ▷ x = e ) , we have j ⊕ j | = ( FV ( e ) ▷ x = e ) as well. Thus, we conclude f ′ | = P ⨟ ( FV ( e ) ▷ x = e ) . Case: Samp.
By restriction (Theorem 6.10), there exists k ⊑ f such that FV ( d ) ⊆ FV R ( P ) ⊆ range ( k ) ⊆ FV ( P ) ; let K = range ( k ) . Since f has empty domain, we have f = k ⊙ k for some k : Mem [ K ] → D( Mem [ Var ]) . Let f ′ = f ⟦ x $← d ⟧ µ be the lifted output. By Lemma H.2 and associativity, we have:
f ′ = f ⊙ ( m ↦ unit ( m Var \{ x } )) ⊙ (( ⟦ d ⟧ ⊙ ( v ↦ [ x ↦ v ])) ⊕ ( m ↦ unit ( m )) ⊕ ( m ↦ unit ( m )))
= j ⊙ ( j ⊕ j ) , where j = k ⊙ k ⊙ ( m ↦ unit ( m Var \{ x } )) , j = ( ⟦ d ⟧ ⊙ ( v ↦ [ x ↦ v ])) ⊕ ( m ↦ unit ( m )) , and j = m ↦ unit ( m ) ,
where m : Mem [ Var ] , ⟦ d ⟧ : Mem [ FV ( d )] → D( Mem [ Val ]) , m : Mem [ FV ( d )] , and m : Mem [ Var \ FV ( d ) \ { x }] . Note that even though the components of j do not preserve input to output, j itself does preserve input to output; j and j also evidently have this property. Now since k ⊑ j and k | = P , we have j | = P . Since j ⊑ j ⊕ j and j | = ( FV ( d ) ▷ x ∼ d ) , we have j ⊕ j | = ( FV ( d ) ▷ x ∼ d ) as well. Thus, we conclude f ′ | = P ⨟ ( FV ( d ) ▷ x ∼ d ) . Case: Skip.
Trivial.
Case: Seqn.
Trivial.
Case: DCond.
Since all assertions are in RDIBI, we have FV D ( P ) ⊆ FV R (∅ ▷ [ b ]) = { b } . Since f | = (∅ ▷ [ b ]) ⨟ P , there exist k , k such that k ⊙ k = f , with k | = (∅ ▷ [ b ]) and k | = P . By restriction (Theorem 6.10), there exists j such that j ⊑ k , dom ( j ) ⊆ FV D (∅ ▷ [ b ]) = ∅ , and { b } = FV R (∅ ▷ [ b ]) ⊆ range ( j ) ⊆ FV (∅ ▷ [ b ]) = { b } . By restriction (Theorem 6.10), there exists j such that j ⊑ k and j | = P , and dom ( j ) ⊆ FV D ( P ) ⊆ FV R (∅ ▷ [ b ]) = { b } . Since dom ( k ) = range ( k ) ⊇ { b } , we may assume without loss of generality that j | = P , j ⊑ k , and dom ( j ) = { b } . Thus j ⊙ j is defined, and so j ⊙ j ⊑ k ⊙ k ⊑ f by Lemma K.7. By Lemma D.1, there exists j : Mem [ range ( j )] → D( Mem [ Var ]) such that j ⊙ ( j ⊙ j ) = ( j ⊙ j ) ⊙ j = f . Since j ⊑ j ⊙ j , we have j ⊙ j | = P . Thus, we may assume without loss of generality that range ( j ) = Var and j ⊙ j = f . Let l tt , l ff : Mem [∅] → D(
Mem [ b ]) be defined by l tt (⟨⟩) = unit [ b = tt ] and l ff (⟨⟩) = unit [ b = ff ] ; evidently, l tt | = (∅ ▷ b = tt ) and l ff | = (∅ ▷ b = ff ) . Now, we have:
f µ | ⟦ b = tt ⟧ = l tt ⊙ j
f µ | ⟦ b = ff ⟧ = l ff ⊙ j
where each equality holds if the left side is defined. Regardless of whether the conditional distributions are defined, we always have:
l tt ⊙ j | = (∅ ▷ b = tt ) ⨟ P
l ff ⊙ j | = (∅ ▷ b = ff ) ⨟ P .
Since both of these kernels have empty domain, we have l tt ⊙ j = ν tt and l ff ⊙ j = ν ff for two distributions ν tt , ν ff ∈ D( Mem [ Var ]) . By induction, we have:
f ⟦ c ⟧ ν tt | = (∅ ▷ b = tt ) ⨟ ( b : b = tt ▷ Q )
f ⟦ c ′ ⟧ ν ff | = (∅ ▷ b = ff ) ⨟ ( b : b = ff ▷ Q ) .
By similar reasoning as for the pre-conditions, there exist k ′ , k ′ : Mem [ b ] → D( Mem [ Var ]) such that k ′ | = ( b : b = tt ▷ Q ) and k ′ | = ( b : b = ff ▷ Q ) , and:
f ⟦ c ⟧ ν tt = l tt ⊙ k ′
f ⟦ c ′ ⟧ ν ff = l ff ⊙ k ′ .
Let k ′ : Mem [ b ] → D( Mem [ Var ]) be the composite kernel defined as follows: k ′ ([ b ↦ v ]) ≜ k ′ ([ b ↦ tt ]) if v = tt , and k ′ ([ b ↦ ff ]) if v = ff .
By assumption, k ′ | = (( b : b = tt ▷ Q ) ∧ ( b : b = ff ▷ Q )) . Now, let p ≜ µ ( ⟦ b = tt ⟧ ) be the probability of taking the first branch. Then we can conclude:
f ⟦ if b then c else c ′ ⟧ µ = f ⟦ c ⟧ ( µ | ⟦ b = tt ⟧ ) ⊕ p ⟦ c ′ ⟧ ( µ | ⟦ b = ff ⟧ )
= f ⟦ c ⟧ ν tt ⊕ p f ⟦ c ′ ⟧ ν ff
= ( l tt ⊙ k ′ ) ⊕ p ( l ff ⊙ k ′ )
= ( l tt ⊕ p l ff ) ⊙ k ′
| = (∅ ▷ [ b ]) ⨟ (( b : b = tt ▷ Q ) ∧ ( b : b = ff ▷ Q )) .
Above, k ⊕ p k lifts the convex combination operator from distributions to kernels from Mem [∅] . We show the last equality in more detail. For any r ∈ Mem [ Var ] :
(( l tt ⊙ k ′ ) ⊕ p ( l ff ⊙ k ′ ))(⟨⟩)( r ) = p · ( l tt ⊙ k ′ )(⟨⟩)( r ) + ( 1 − p ) · ( l ff ⊙ k ′ )(⟨⟩)( r )
= p · l tt (⟨⟩)( b ↦ tt ) · k ′ ( b ↦ tt )( r ) + ( 1 − p ) · l ff (⟨⟩)( b ↦ ff ) · k ′ ( b ↦ ff )( r )
= (( l tt ⊕ p l ff ) ⊙ k ′ )(⟨⟩)( r ) ,
where the penultimate equality holds because l tt and l ff are deterministic. Case: Weak.
Trivial.
Case: Frame.
The proof for this case follows the argument for Frame rule in PSL, with a fewminor changes.There exists k , k such that k ⊕ k ⊑ f , and k | = P and k | = R ; let S ≜ range ( k ) , and note thatRV ( c ) ⊆ S by the last side-condition. By restriction (Theorem 6.10), there exists k ′ ⊑ k such that k ′ | = R and range ( k ′ ) ⊆ FV ( R ) ; let S ≜ range ( k ′ ) . Since k and k have empty domains, S and S must be disjoint. Let S = Var \ S \ S . Since WV ( c ) is disjoint from S by the first side-condition,we have WV ( c ) ⊆ S ∪ S .Let f ′ = f (cid:74) c (cid:75) µ be the lifted output. By induction, we have f ′ | = Q ; by restriction (Theorem 6.10),there exists k ′ ⊑ f ′ such that range ( k ′ ) ⊆ FV ( Q ) and k ′ | = Q . By the third side condition,RV ( c ) ⊆ FV R ( P ) ⊆ S .By soundness of RV and WV (Lemma H.4), all variables in WV ( c ) must be written before they areread and there is a function F : Mem [ S ] → D( Mem [ WV ( c ) ∪ S ]) such that: π WV ( c )∪ S (cid:74) c (cid:75) µ = bind ( µ , m (cid:55)→ F ( m S )) . Since S ⊆ FV ( R ) , variables in S are not in MV ( c ) by the first side-condition, and S is disjointfrom WV ( c ) ∪ S . By soundness of MV, we have: π WV ( c )∪ S ∪ S (cid:74) c (cid:75) µ = bind ( π WV ( c )∪ S ∪ S µ , F ⊕ unit ) where unit : Mem [ WV ( c ) ∪ S ] → D( Mem [ WV ( c ) ∪ S ]) .Since S and S are independent in µ , we know that S ∪ WV ( c ) and S are independent in (cid:74) c (cid:75) µ .Hence: f π S ∪ WV ( c ) (cid:74) c (cid:75) µ ⊕ f π S (cid:74) c (cid:75) µ ⊑ f ′ . By induction, f ′ | = Q . Furthermore, FV ( Q ) ⊆ FV R ( P ) ∪ WV ( c ) ⊆ S ∪ WV ( c ) by the secondside-condition. By restriction (Theorem 6.10), f π S ∪ WV ( c ) (cid:74) c (cid:75) µ | = Q . Furthermore, π S (cid:74) c (cid:75) µ = π S µ , so π S (cid:74) c (cid:75) µ | = R as well. Thus, f ′ | = Q ∗ R as desired. , Vol. 1, No. 1, Article . Publication date: August 2020. □ I SECTION 6.4, PROVING CI: OMITTED PROOFS
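The Frame case above leans on the RV/WV/MV analysis of Definition H.3, which is directly computable on a command syntax tree. A sketch follows; the tuple encoding of commands is ours, not the paper's:

```python
# Commands as nested tuples: ('assign', x, fv_e), ('samp', x, fv_d),
# ('seq', c1, c2), ('if', fv_b, c1, c2), where fv_* is the set of free
# variables of the relevant expression. Encoding is ours, not the paper's.

def RV(c):
    """Variables that may be read before being written (Definition H.3)."""
    if c[0] in ('assign', 'samp'):
        return set(c[2])
    if c[0] == 'seq':
        return RV(c[1]) | (RV(c[2]) - WV(c[1]))
    return set(c[1]) | RV(c[2]) | RV(c[3])

def WV(c):
    """Variables that must be written before they are read."""
    if c[0] in ('assign', 'samp'):
        return {c[1]} - set(c[2])
    if c[0] == 'seq':
        return WV(c[1]) | (WV(c[2]) - RV(c[1]))
    return (WV(c[2]) & WV(c[3])) - set(c[1])

def MV(c):
    """Variables that may be modified."""
    if c[0] in ('assign', 'samp'):
        return {c[1]}
    if c[0] == 'seq':
        return MV(c[1]) | MV(c[2])
    return MV(c[2]) | MV(c[3])
```

For example, for the program x $← d; y ← x with FV(d) = ∅, the analysis reports no read variables and {x, y} written and modified, matching the side conditions used in the Frame case.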
Proposition 6.13 (Axioms for RDIBI). The following axioms are sound, assuming both the antecedent and the consequent are in
Form
RDIBI .
( P ⨟ Q ) ⨟ R → P ⨟ ( Q ∗ R ) (Indep-1)
P ⨟ Q → P ∗ Q if FV D ( Q ) = ∅ (Indep-2)
P ⨟ Q → P ⨟ ( Q ∗ ( S ▷ [ S ])) (Pad)
( P ∗ Q ) ⨟ ( R ∗ S ) → ( P ⨟ R ) ∗ ( Q ⨟ S ) (RestExch)
Proof. We prove them one by one. Indep-1
We want to show that when ( P ⨟ Q ) ⨟ R and P ⨟ ( Q ∗ R ) are both formulas in RDIBI , f | = ( P ⨟ Q ) ⨟ R implies f | = P ⨟ ( Q ∗ R ) . By the proof system of DIBI, f | = ( P ⨟ Q ) ⨟ R implies that f | = P ⨟ ( Q ⨟ R ) . While P ⨟ ( Q ⨟ R ) may not satisfy the restriction property, that is fine because we will only use conditions guaranteed by the fact that ( P ⨟ Q ) ⨟ R , P ⨟ ( Q ∗ R ) ∈ Form
RDIBI . In particular, we rely on P , Q , R each satisfiesrestriction, and FV D ( Q ∗ R ) ⊆ FV R ( P ) , which implies thatFV D ( R ) ⊆ FV D ( Q ∗ R ) ⊆ FV R ( P ) (I.1) f | = P (cid:35) (cid:0) Q (cid:35) R (cid:1) implies there exists f p , f q , f r such that f p | = P , f q | = Q , and f r | = R , and f p ⊙ ( f q ⊙ f r ) = f .By restriction property Theorem 6.10, f q | = Q implies that there exists f ′ q ⊑ f q such that FV R ( Q ) ⊆ range ( f ′ q ) ⊆ FV ( Q ) and dom ( f ′ q ) ⊆ FV D ( Q ) . f ′ q ⊑ f q so there exists v , T such that f q = ( f ′ q ⊕ k unit T ) ⊙ v .Similarly, f r | = R , by Theorem 6.10, there exists f ′ r ⊑ f r such that FV R ( R ) ⊆ range ( f ′ r ) ⊆ FV ( R ) and dom ( f ′ r ) ⊆ FV D ( R ) . f ′ r ⊑ f r so there exists u , S such that f r = ( f ′ r ⊕ k unit S ) ⊙ u .Now, we claim that FV D ( R ) ⊆ dom ( f ′ q ⊕ unit T ) :By Theorem 6.10 f p | = P implies that there exists f ′ p ⊑ f p such that FV R ( P ) ⊆ range ( f ′ p ) ⊆ FV ( P ) , dom ( f ′ p ) ⊆ F FV ( P ) , and f ′ p | = P . Thus, FV R ( P ) ⊆ range ( f p ) = dom ( f q ) . Recall that FV D ( R ) ⊆ FV R ( P ) , so FV D ( R ) ⊆ dom f q = dom f ′ q ⊕ unit T .As a corollary, we have dom ( f ′ r ) ⊆ FV D ( R ) ⊆ dom ( f ′ q ⊕ unit T ) ⊆ dom ( v ) , and dom ( f ′ r ) ⊆ FV D ( R ) ⊆ dom ( f ′ q ⊕ unit T ) . 
Then, f q ⊙ f r = (cid:0) ( f ′ q ⊕ unit T ) ⊙ v (cid:1) ⊙ (cid:0) ( f ′ r ⊕ unit S ) ⊙ u (cid:1) = ( f ′ q ⊕ unit T ) ⊙ (cid:0) v ⊙ ( f ′ r ⊕ unit S ) (cid:1) ⊙ u (By standard associativity of ⊙ ) = ( f ′ q ⊕ unit T ) ⊙ ( f ′ r ⊕ v ) ⊙ u (By Lemma K.5 and dom ( f ′ r ) ⊆ dom ( v ) ) = ( f ′ q ⊕ unit T ) ⊙ (( f ′ r ⊙ unit range ( f ′ r ) ) ⊕ ( unit dom ( v ) ⊙ v ) ⊙ u = ( f ′ q ⊕ unit T ) ⊙ ( f ′ r ⊕ unit dom ( v ) ) ⊙ ( unit range ( f ′ r ) ⊕ v ) ⊙ u ( ♥ ) = (( f ′ q ⊕ unit T ) ⊕ f ′ r ) ⊙ ( v ⊕ unit range ( f ′ r ) ) ⊙ u ( † ) = (( f ′ q ⊕ unit T ) ⊙ v ) ⊕ ( f ′ r ⊙ unit range ( f ′ r ) ) ⊙ u ( ♥ ) = f q ⊕ f r where † follows from Lemma K.5, dom ( f ′ r ) ⊆ dom ( f ′ q ⊕ unit T ) and exact commutativity, ♥ followsfrom Eq. (Exchange equality) and Proposition K.4. , Vol. 1, No. 1, Article . Publication date: August 2020. Thus, f q ⊙ f r | = Q ∗ R . And by satisfaction rules, f | = P (cid:35) ( Q ∗ R ) Indep-2
We want to show that under the special condition FV D ( Q ) = ∅ , f | = P ⨟ Q implies that f | = P ∗ Q . If f | = P ⨟ Q , then there exist f p , f q such that f p ⊙ f q = f and f p | = P , f q | = Q . By the restriction property (Theorem 6.10), f q | = Q implies that there exists f ′ q ⊑ f q such that FV R ( Q ) ⊆ range ( f ′ q ) ⊆ FV ( Q ) and dom ( f ′ q ) ⊆ FV D ( Q ) . Since f ′ q ⊑ f q , there exist v , T such that f q = ( f ′ q ⊕ unit T ) ⊙ v . Since dom ( f ′ q ) ⊆ FV D ( Q ) and FV D ( Q ) = ∅ , it must be that dom ( f ′ q ) = ∅ , and thus no matter what the domain of f p is, dom ( f ′ q ) ⊆ dom ( f p ) . Thus,
f p ⊙ f q = f p ⊙ ( f ′ q ⊕ unit T ) ⊙ v = ( f p ⊕ f ′ q ) ⊙ v (By Lemma K.5 and dom ( f ′ q ) ⊆ dom ( f p ) ).
Thus, f p ⊕ f ′ q ⊑ f p ⊙ f q = f . By the satisfaction rules, f p | = P and f ′ q | = Q imply that f p ⊕ f ′ q | = P ∗ Q . Thus, by persistence, f | = P ∗ Q . Pad
We want to show that when P ⨟ Q and P ⨟ ( Q ∗ ( S ▷ [ S ])) are both in Form RDIBI , f | = P ⨟ Q implies f | = P ⨟ ( Q ∗ ( S ▷ [ S ])) . One key guarantee we rely on from the grammar of Form RDIBI is that FV D ( Q ) ∪ S = FV D ( Q ∗ ( S ▷ [ S ])) ⊆ FV R ( P ) . When f | = P ⨟ Q , there exist f p , f q such that f p ⊙ f q = f and f p | = P , f q | = Q . By Theorem 6.10, f p | = P implies that there exists f ′ p ⊑ f p such that FV R ( P ) ⊆ range ( f ′ p ) ⊆ FV ( P ) , dom ( f ′ p ) ⊆ FV D ( P ) , and f ′ p | = P . By the fact that f p ⊙ f q is defined and the definition of the preorder in our concrete models, f ′ p ⊑ f p implies dom ( f q ) = range ( f p ) ⊇ range ( f ′ p ) ⊇ FV R ( P ) ⊇ S . Since f q preserves input, S ⊆ dom ( f q ) implies that f q = f q ⊕ unit S , and thus f p ⊙ f q = f p ⊙ ( f q ⊕ unit S ) . Note that unit S | = ( S ▷ [ S ]) and f q | = Q . Thus, f q ⊕ unit S | = Q ∗ ( S ▷ [ S ]) . Since f p | = P , it follows that f p ⊙ ( f q ⊕ unit S ) | = P ⨟ ( Q ∗ ( S ▷ [ S ])) . Since f = f p ⊙ f q = f p ⊙ ( f q ⊕ unit S ) , f | = P ⨟ ( Q ∗ ( S ▷ [ S ])) . RestExch
We want to show that when ( P ∗ Q ) ⨟ ( R ∗ S ) and ( P ⨟ R ) ∗ ( Q ⨟ S ) are both formulas in Form RDIBI , f | = ( P ∗ Q ) ⨟ ( R ∗ S ) implies f | = ( P ⨟ R ) ∗ ( Q ⨟ S ) . The key properties that being in Form RDIBI guarantees us are that
FV D ( R ) ⊆ FV R ( P ) FV D ( S ) ⊆ FV R ( Q )
FV D ( R ∗ S ) = FV D ( R ) ∪ FV D ( S ) ⊆ FV R ( P ∗ Q ) = FV R ( P ) ∪ FV R ( Q )
If f | = ( P ∗ Q ) ⨟ ( R ∗ S ) , then there exist f , f such that f ⊙ f = f , f | = P ∗ Q , f | = R ∗ S . That is, there exist u , v such that u ⊕ v ⊑ f , u | = P , and v | = Q ; and there exist u , v such that u ⊕ v ⊑ f , u | = R , v | = S . By Theorem 6.10,
• u | = P implies there exists u ′ ⊑ u such that FV R ( P ) ⊆ range ( u ′ ) ⊆ FV ( P ) , dom ( u ′ ) ⊆ FV D ( P ) , and u ′ | = P .
Also,

dom(u′₂ ⊕ v′₂) = dom(u′₂) ∪ dom(v′₂) ⊆ FV_D(R) ∪ FV_D(S) ⊆ FV_R(P) ∪ FV_R(Q)
⊆ range(u′₁) ∪ range(v′₁) ⊆ range(u₁) ∪ range(v₁) = range(u₁ ⊕ v₁)

Then

f₁ ⊙ f₂ = (u₁ ⊕ v₁ ⊕ unit_{S₁}) ⊙ h₁ ⊙ (u′₂ ⊕ v′₂ ⊕ unit_{S₂}) ⊙ h₂
= (u₁ ⊕ v₁ ⊕ unit_{S₁}) ⊙ ((u′₂ ⊕ v′₂) ⊕ h₁) ⊙ h₂  (♥)
= (u₁ ⊕ v₁ ⊕ unit_{S₁}) ⊙ (((u′₂ ⊕ v′₂) ⊙ unit_{range(u′₂⊕v′₂)}) ⊕ (unit_{dom(h₁)} ⊙ h₁)) ⊙ h₂
= (u₁ ⊕ v₁ ⊕ unit_{S₁}) ⊙ (u′₂ ⊕ v′₂ ⊕ unit_{dom(h₁)}) ⊙ (unit_{range(u′₂⊕v′₂)} ⊕ h₁) ⊙ h₂  (†)
= (u₁ ⊕ v₁ ⊕ unit_{S₁}) ⊙ (u′₂ ⊕ v′₂ ⊕ unit_{range(u₁⊕v₁)} ⊕ unit_{S₁}) ⊙ (unit_{range(u′₂⊕v′₂)} ⊕ h₁) ⊙ h₂
= (((u₁ ⊕ v₁) ⊙ (u′₂ ⊕ v′₂ ⊕ unit_{range(u₁⊕v₁)})) ⊕ unit_{S₁}) ⊙ (unit_{range(u′₂⊕v′₂)} ⊕ h₁) ⊙ h₂  (†)
= ((u₁ ⊙ (u′₂ ⊕ unit_{range(u₁)})) ⊕ (v₁ ⊙ (v′₂ ⊕ unit_{range(v₁)})) ⊕ unit_{S₁}) ⊙ (unit_{range(u′₂⊕v′₂)} ⊕ h₁) ⊙ h₂  († and commutativity, associativity of ⊕)

where ♥ follows from Lemma K.5 and dom(u′₂ ⊕ v′₂) ⊆ range(u₁ ⊕ v₁) ⊆ dom(h₁), and † follows from Eq. (Exchange equality) and Proposition K.4. Thus, (u₁ ⊙ (u′₂ ⊕ unit_{range(u₁)})) ⊕ (v₁ ⊙ (v′₂ ⊕ unit_{range(v₁)})) ⊑ f₁ ⊙ f₂. Recall that u′₂ ⊨ R; by persistence, u′₂ ⊕ unit_{range(u₁)} ⊨ R. Similarly, v′₂ ⊨ S, so by persistence, v′₂ ⊕ unit_{range(v₁)} ⊨ S. Therefore,

(u₁ ⊙ (u′₂ ⊕ unit_{range(u₁)})) ⊕ (v₁ ⊙ (v′₂ ⊕ unit_{range(v₁)})) ⊨ (P ⨟ R) ∗ (Q ⨟ S)

Then, by persistence, f ⊨ (P ⨟ R) ∗ (Q ⨟ S). □

Proposition 6.14 (Axioms for atomic propositions). The following axioms are sound.

(S ▷ [A] ∗ [B]) → (S ▷ [A]) ∗ (S ▷ [B])  if A ∩ B ⊆ S  (RevPar)
(S ▷ [A] ∗ [B]) → (S ▷ [A ∪ B])  (UnionRan)
(A ▷ [B]) ⨟ (B ▷ [C]) → (A ▷ [C])  (AtomSeq)
(A ▷ [B]) → (A ▷ [A]) ⨟ (A ▷ [B])  (UnitL)
(A ▷ [B]) → (A ▷ [B]) ⨟ (B ▷ [B])  (UnitR)

Proof. We prove them one by one.

RevPar
Given any f ⊨ (S ▷ [A] ∗ [B]), by the satisfaction rules and the semantics of atomic propositions, there exists f′ ⊑ f such that for all m ∈ M_d with m ⊨_d S, f′(m) ⊨_r [A] ∗ [B]. Since f′(m) is defined and f′(m) ⊨_r [A] ∗ [B], it follows that dom(f′) = S and range(f′) ⊇ S ∪ A ∪ B. Thus, we can define f₁ = π_{S∪A} f′ and f₂ = π_{S∪B} f′. Note that f₁ ⊨ (S ▷ [A]) and f₂ ⊨ (S ▷ [B]). Also, because A ∩ B ⊆ S,

range(f₁) ∩ range(f₂) = (S ∪ A) ∩ (S ∪ B) = S,

and thus f₁ ⊕ f₂ is defined. We now want to show that f₁ ⊕ f₂ ⊑ f. Note f′(m) ⊨_r [A] ∗ [B] implies that there exist µ₁, µ₂ such that µ₁ ⊕_r µ₂ ⊑ f′(m), dom(µ₁) ⊇ A, and dom(µ₂) ⊇ B. Since f′ preserves input on its domain S, π_S f′(m) = unit(m), so (µ₁ ⊕_r unit(m)) ⊕_r (µ₂ ⊕_r unit(m)) ⊑ f′(m) ⊕_r unit(m) ⊕_r unit(m) = f′(m) too. Let µ′₁ = π_{A∪S}(µ₁ ⊕_r unit(m)) and µ′₂ = π_{B∪S}(µ₂ ⊕_r unit(m)). Then, by downwards closure in M_d, µ′₁ ⊕_r µ′₂ is also defined, and µ′₁ ⊕_r µ′₂ ⊑ (µ₁ ⊕_r unit(m)) ⊕_r (µ₂ ⊕_r unit(m)) ⊑ f′(m), which implies that µ′₁ ⊕_r µ′₂ = π_{S∪A∪B} f′(m). In the range model, this means that µ′₁ = π_{S∪A} f′(m) and µ′₂ = π_{S∪B} f′(m). Then for any m′ ∈ Mem[S] and any r ∈ Mem[A ∪ B ∪ S],

(π_{S∪A∪B} f′)(m′)(r) = (π_{S∪A∪B} f′(m′))(r) = (µ′₁ ⊕_r µ′₂)(r) = µ′₁(r_{S∪A}) · µ′₂(r_{S∪B})
(f₁ ⊕ f₂)(m′)(r) = f₁(m′)(r_{S∪A}) · f₂(m′)(r_{S∪B}) = (π_{S∪A} f′)(m′)(r_{S∪A}) · (π_{S∪B} f′)(m′)(r_{S∪B}) = µ′₁(r_{S∪A}) · µ′₂(r_{S∪B})

Thus, f₁ ⊕ f₂ = π_{S∪A∪B} f′, which implies that f₁ ⊕ f₂ ⊑ f. By their types, f₁ ⊕ f₂ ⊨ (S ▷ [A]) ∗ (S ▷ [B]). By persistence, f ⊨ (S ▷ [A]) ∗ (S ▷ [B]).

UnionRan
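The product-of-marginals computation defining the parallel product ⊕ of two kernels in the probabilistic (range) model can be illustrated concretely. The sketch below is our own encoding, not the paper's formalization: a memory over a variable set is a frozenset of (variable, value) pairs, a kernel maps an input memory to a distribution represented as a dict, and the helper names `proj` and `kernel_par` are hypothetical.

```python
from itertools import product

def proj(dist, vs):
    """Marginalization pi_V: push a distribution on memories down to vs."""
    out = {}
    for mem, p in dist.items():
        sub = frozenset((x, v) for (x, v) in mem if x in vs)
        out[sub] = out.get(sub, 0.0) + p
    return out

def kernel_par(f, g):
    """Parallel product of kernels: on each input, the probability of a
    combined memory is the product of the two kernels' probabilities for
    its two restrictions, as in the product-of-marginals equation above."""
    def h(mem):
        out = {}
        for (m1, p1), (m2, p2) in product(f(mem).items(), g(mem).items()):
            merged = m1 | m2
            # keep only memories assigning a single value to each variable
            if len(merged) == len({x for (x, _) in merged}):
                out[merged] = out.get(merged, 0.0) + p1 * p2
        return out
    return h

# Two fair coin flips written to disjoint variables a and b:
def flip(var):
    return lambda mem: {frozenset(mem | {(var, v)}): 0.5 for v in (0, 1)}

joint = kernel_par(flip("a"), flip("b"))(frozenset())
# joint assigns probability 0.25 to each of the four (a, b) memories
```

Here the two one-coin kernels share the empty domain, so their product is the independent joint distribution, and projecting with `proj` recovers each marginal.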
Obvious from the semantics of atomic propositions and the range logic.
AtomSeq
Given any f ⊨ (A ▷ [B]) ⨟ (B ▷ [C]), by the satisfaction rules and the semantics of atomic propositions, there exist:
• f₁, f₂ such that f₁ ⊙ f₂ = f;
• f′₁ ⊑ f₁ such that for any m ∈ M_d with m ⊨_d A, f′₁(m) ⊨_r [B];
• f′₂ ⊑ f₂ such that for any m ∈ M_d with m ⊨_d B, f′₂(m) ⊨_r [C].
Note that f′₁(m) ⊨_r [B] implies that B ⊆ range(f′₁), so π_B f′₁ is defined. Let f′′₁ = π_B f′₁. For any m ∈ M_d with m ⊨_d A, f′′₁(m) ⊨_r [B] too, so f′′₁ ⊨ (A ▷ [B]) as well. Also, by transitivity, f′′₁ ⊑ f′₁ ⊑ f₁.
Say f₁ = (f′′₁ ⊕ η_{S₁}) ⊙ v₁ and f₂ = (f′₂ ⊕ η_{S₂}) ⊙ v₂; then, since range(f′′₁) = B = dom(f′₂),

f₁ ⊙ f₂ = (f′′₁ ⊕ η_{S₁}) ⊙ v₁ ⊙ (f′₂ ⊕ η_{S₂}) ⊙ v₂
= (f′′₁ ⊕ η_{S₁}) ⊙ (f′₂ ⊕ v₁) ⊙ v₂  (by Lemma K.5 and dom(f′₂) = B = range(f′′₁) ⊆ dom(v₁))
= (f′′₁ ⊕ η_{S₁}) ⊙ (f′₂ ⊕ η_{dom(v₁)}) ⊙ (v₁ ⊕ η_{range(f′₂)}) ⊙ v₂  (by Lemma K.6)
= (f′′₁ ⊕ η_{S₁}) ⊙ (f′₂ ⊕ η_{S₁}) ⊙ (v₁ ⊕ η_{range(f′₂)}) ⊙ v₂
= ((f′′₁ ⊙ f′₂) ⊕ η_{S₁}) ⊙ (v₁ ⊕ η_{range(f′₂)}) ⊙ v₂

So f′′₁ ⊙ f′₂ ⊑ f₁ ⊙ f₂ = f. Since f′′₁ : Mem[A] → D(Mem[B]) and f′₂ : Mem[B] → D(Mem[range(f′₂)]), we have f′′₁ ⊙ f′₂ : Mem[A] → D(Mem[range(f′₂)]). Since range(f′₂) ⊇ C, it follows that f′′₁ ⊙ f′₂ ⊨ (A ▷ [C]), and thus f ⊨ (A ▷ [C]) by persistence.

UnitL

If f ⊨ (A ▷ [B]), then there must exist f′ ⊑ f such that for all m ∈ M_d with m ⊨ A, f′(m) ⊨_r [B]. Given any such witness f′, f′ = unit_{Mem[A]} ⊙ f′, and also f′ ⊨ (A ▷ [B]). Note that unit_{Mem[A]} ⊨ (A ▷ [A]), so f′ = unit_{Mem[A]} ⊙ f′ ⊨ (A ▷ [A]) ⨟ (A ▷ [B]).

UnitR
Analogous to the UnitL case, except now using the fact that f′ = f′ ⊙ unit_{Mem[B]} for any f′ : Mem[A] → D(Mem[B]). □

J SECTION 7, SOUNDNESS AND COMPLETENESS: OMITTED DETAILS
Theorem 7.2. P ⊢ Q is derivable iff ⟦P⟧ ≤ ⟦Q⟧ for all algebraic interpretations ⟦−⟧.

Proof. Soundness can be established by a straightforward induction on the proof rules. For completeness, we can define a Lindenbaum-Tarski algebra by quotienting Form_DIBI by the equivalence relation P ≡ Q iff P ⊢ Q and Q ⊢ P are derivable. This yields a DIBI algebra, and moreover, [P]_≡ ≤ [Q]_≡ iff [P → Q]_≡ = [⊤]_≡ iff ⊤ ⊢ P → Q is derivable iff P ⊢ Q is derivable. Hence for any P, Q such that P ⊢ Q is not derivable, in the Lindenbaum-Tarski algebra (with the canonical interpretation sending formulas to their equivalence classes) [P]_≡ ≰ [Q]_≡ holds, establishing completeness. □

A filter on a bounded distributive lattice A is a non-empty set F ⊆ A such that, for all x, y ∈ A: (1) x ∈ F and x ≤ y implies y ∈ F; and (2) x, y ∈ F implies x ∧ y ∈ F. It is a proper filter if it additionally satisfies (3) ⊥ ∉ F, and a prime filter if in addition it also satisfies (4) x ∨ y ∈ F implies x ∈ F or y ∈ F. The order-dual versions of these definitions give the notions of ideal, proper ideal and prime ideal. We denote the sets of proper and prime filters of A by F_A and PF_A respectively, and the sets of proper and prime ideals of A by I_A and PI_A respectively.

To prove that prime filter frames are DIBI frames, we require an auxiliary lemma that can be used to establish the existence of prime filters. First, some terminology: a ⊆-chain is a sequence of sets (X_α)_{α<λ} such that α ≤ α′ implies X_α ⊆ X_{α′}. A basic fact about proper filters (ideals) is that the union of a ⊆-chain of proper filters (ideals) is itself a proper filter (ideal). We lift the terminology to n-tuples of sets by determining (X¹_α, . . . , Xⁿ_α)_{α<λ} to be a ⊆-chain if each (Xⁱ_α)_{α<λ} is a ⊆-chain.

Definition J.1 (Prime Predicate). A prime predicate is a map P : F_A^n × I_A^m → {0, 1}, where n, m ≥ 0 and n + m ≥
1, such that:
a) Given a ⊆-chain (F¹_α, . . . , Fⁿ_α, I¹_α, . . . , I^m_α)_{α<λ} of proper filters/ideals, min{P(F¹_α, . . . , I^m_α) | α < λ} ≤ P(⋃_α F¹_α, . . . , ⋃_α I^m_α);
b) P(. . . , H₁ ∩ H₂, . . .) ≤ max{P(. . . , H₁, . . .), P(. . . , H₂, . . .)}.
Intuitively, a prime predicate is a property of proper filter/ideal sequences whose truth value is inherited by unions of chains, and is witnessed by one of H₁ or H₂ whenever witnessed by H₁ ∩ H₂. The proof of the next lemma can be found in [Docherty 2019].

Lemma J.2 (Prime Extension Lemma [Docherty 2019, Lemma 5.7]). If P is an (n + m)-ary prime predicate and F₁, . . . , F_n, I₁, . . . , I_m is an (n + m)-tuple of proper filters and ideals such that P(F₁, . . . , F_n, I₁, . . . , I_m) = 1, then there exists an (n + m)-tuple of prime filters and ideals F₁^pr, . . . , F_n^pr, I₁^pr, . . . , I_m^pr such that P(F₁^pr, . . . , F_n^pr, I₁^pr, . . . , I_m^pr) = 1. □

Now, whenever prime filters are required that satisfy a particular property (for example, an existentially quantified consequent of a frame axiom), it is sufficient to show that the property defines a prime predicate and that there exist proper filters satisfying it. We also note the following useful properties of DIBI algebras, which are special cases of those found in [Docherty 2019, Proposition 6.2].

Lemma J.3.
Given any DIBI algebra A, for all a, b, c ∈ A and ◦ ∈ {∗, ⨟}, the following properties hold:

(a ∨ b) ◦ c = (a ◦ c) ∨ (b ◦ c)   a ◦ (b ∨ c) = (a ◦ b) ∨ (a ◦ c)
a ≤ a′ and b ≤ b′ implies a ◦ b ≤ a′ ◦ b′   ⊥ ◦ a = ⊥ = a ◦ ⊥

Proposition 7.4.
For any DIBI algebra A, the prime filter frame Pr(A) is a DIBI frame.

Proof. All but one of the frame axioms can be verified in an identical fashion to the analogous proof for BI [Docherty 2019, Lemma 6.24], and ⊕_A and ⊙_A are both Up-Closed and Down-Closed. We focus on the novel frame axiom: Reverse Exchange. For readability we omit the A subscripts on operators. Assume there are prime filters such that F_x ⊇ F′_x ∈ F_y ⊕ F_z, F_y ∈ F_{y₁} ⊙ F_{y₂} and F_z ∈ F_{z₁} ⊙ F_{z₂}. We will prove that

P(F, G) = 1 if F_x ∈ F ⊙ G, F ∈ F_{y₁} ⊕ F_{z₁} and G ∈ F_{y₂} ⊕ F_{z₂}, and P(F, G) = 0 otherwise,

defines a prime predicate, taking ⊙ and ⊕ to be defined for non-prime filters. For a), suppose (F_α, G_α)_{α≤λ} is a ⊆-chain such that for all α, P(F_α, G_α) =
1. Call F = ⋃_α F_α and G = ⋃_α G_α. We must show that P(F, G) =
1. Let a ∈ F, b ∈ G. Then a ∈ F_α, b ∈ G_β for some α, β. Without loss of generality, we may assume α ≤ β. Then, since F_x ∈ F_β ⊙ G_β, we have that a ⨟ b ∈ F_x as required, so F_x ∈ F ⊙ G. F ∈ F_{y₁} ⊕ F_{z₁} and G ∈ F_{y₂} ⊕ F_{z₂} hold trivially.
For b), suppose for contradiction that P(F ∩ F′, G) = 1 but P(F, G) = P(F′, G) =
0. From P(F ∩ F′, G) = 1, F ∩ F′ ∈ F_{y₁} ⊕ F_{z₁}, and hence F, F′ ∈ F_{y₁} ⊕ F_{z₁}: for all a ∈ F_{y₁}, b ∈ F_{z₁}, a ∗ b ∈ F ∩ F′ ⊆ F, F′. So the only way this can be the case is if F_x ∉ F ⊙ G and F_x ∉ F′ ⊙ G. Hence there exist a ∈ F, b ∈ G such that a ⨟ b ∉ F_x, and a′ ∈ F′, b′ ∈ G such that a′ ⨟ b′ ∉ F_x. It follows by properties of filters that a ∨ a′ ∈ F ∩ F′ and b′′ = b ∧ b′ ∈ G. Hence (a ∨ a′) ⨟ b′′ ∈ F_x by assumption, and (a ∨ a′) ⨟ b′′ = (a ⨟ b′′) ∨ (a′ ⨟ b′′). Since F_x is prime, this means either a ⨟ b′′ ∈ F_x or a′ ⨟ b′′ ∈ F_x. But that is not possible: a ⨟ b′′ ≤ a ⨟ b and a′ ⨟ b′′ ≤ a′ ⨟ b′, so whichever holds results in a contradiction. Hence either P(F, G) = 1 or P(F′, G) = 1.

Now define F = {c | ∃a ∈ F_{y₁}, b ∈ F_{z₁} (c ≥ a ∗ b)} and G = {c | ∃a ∈ F_{y₂}, b ∈ F_{z₂} (c ≥ a ∗ b)}. These are both proper filters. Focusing on F (both arguments are essentially identical), it is clearly upwards-closed. Further, it is closed under ∧: if c, c′ ∈ F because c ≥ a ∗ b and c′ ≥ a′ ∗ b′ for a, a′ ∈ F_{y₁} and b, b′ ∈ F_{z₁}, then c ∧ c′ ≥ (a ∗ b) ∧ (a′ ∗ b′) ≥ (a ∧ a′) ∗ (b ∧ b′), with a ∧ a′ ∈ F_{y₁} and b ∧ b′ ∈ F_{z₁}. It is proper, because if ⊥ ∈ F, then there exist a ∈ F_{y₁} and b ∈ F_{z₁} such that a ∗ b = ⊥. Let c ∈ F_{y₂} and d ∈ F_{z₂} be arbitrary. Then, by our initial assumption, a ⨟ c ∈ F_y and b ⨟ d ∈ F_z. Hence (a ⨟ c) ∗ (b ⨟ d) ∈ F′_x ⊆ F_x. However, by the Reverse Exchange algebraic axiom, (a ⨟ c) ∗ (b ⨟ d) ≤ (a ∗ b) ⨟ (c ∗ d) = ⊥ ⨟ (c ∗ d) = ⊥. By upwards-closure, ⊥ ∈ F_x, which is supposed to be a prime, and therefore proper, filter, which gives a contradiction.

By definition, F ∈ F_{y₁} ⊕ F_{z₁} and G ∈ F_{y₂} ⊕ F_{z₂}. To see that F_x ∈ F ⊙ G, let c ∈ F (with c ≥ a ∗ b for some a ∈ F_{y₁} and b ∈ F_{z₁}) and c′ ∈ G (with c′ ≥ a′ ∗ b′ for some a′ ∈ F_{y₂} and b′ ∈ F_{z₂}).
By assumption, a ⨟ a′ ∈ F_y and b ⨟ b′ ∈ F_z, and so (a ⨟ a′) ∗ (b ⨟ b′) ∈ F′_x ⊆ F_x. By the algebraic Reverse Exchange axiom, we obtain (a ∗ b) ⨟ (a′ ∗ b′) ∈ F_x, and by monotonicity of ⨟ and upwards-closure of F_x we obtain c ⨟ c′ ∈ F_x. Hence P(F, G) = 1. We have thus exhibited proper filters F, G with P(F, G) = 1 for a prime predicate P, so Lemma J.2 yields the required prime filters. □

Proposition 7.6.
For any DIBI frame X , the complex algebra Com (X) is a DIBI algebra.
Proof. We focus on the Reverse Exchange algebraic axiom (the other DIBI algebra properties can be proven in identical fashion to the analogous proof for BI [Docherty 2019, Lemma 6.22]). Suppose x ∈ (A ▷ B) • (C ▷ D). Then there exist x′, y, z such that x ⊒ x′ ∈ y ⊕ z, with y ∈ A ▷ B and z ∈ C ▷ D. In turn, there thus exist y₁, y₂, z₁, z₂ such that y ∈ y₁ ⊙ y₂ and z ∈ z₁ ⊙ z₂, with y₁ ∈ A, y₂ ∈ B, z₁ ∈ C and z₂ ∈ D. By the Reverse Exchange frame axiom, there exist u, v such that u ∈ y₁ ⊕ z₁, v ∈ y₂ ⊕ z₂ and x′ ∈ u ⊙ v. Hence u ∈ A • C, v ∈ B • D and x′ ∈ (A • C) ▷ (B • D). Since x′ ⊑ x and (A • C) ▷ (B • D) is an upwards-closed set, x ∈ (A • C) ▷ (B • D) as required. □

Now, clearly every persistent valuation V on a Kripke frame X generates an algebraic interpretation ⟦−⟧_V on Com(X) with the property that x ⊨_V P iff x ∈ ⟦P⟧_V (note that the complex algebra operations are defined precisely as the corresponding semantic clauses). Similarly, by the Representation Theorem, given an algebraic interpretation ⟦−⟧ on A, a persistent valuation V_⟦−⟧ on Pr(A) can be defined by V_⟦−⟧(p) = {F ∈ PF_A | ⟦p⟧ ∈ F} = θ_A(⟦p⟧). That θ is a monomorphism into Com(Pr(A)) establishes that, for all P ∈ Form
DIBI, F ⊨_{V_⟦−⟧} P iff ⟦P⟧ ∈ F.

Theorem 7.8 (Soundness and Completeness). P ⊢ Q is derivable iff P ⊨ Q.

Proof. Assume P ⊭ Q. Then there exist a DIBI model (X, V) and a state x ∈ X such that x ⊨ P but x ⊭ Q. Hence ⟦P⟧_V ⊈ ⟦Q⟧_V in Com(X), so, by Theorem 7.2, P ⊢ Q is not derivable. Now assume P ⊢ Q is not derivable. By Theorem 7.2 there exist a DIBI algebra A and an interpretation ⟦−⟧ such that ⟦P⟧ ≰ ⟦Q⟧. From this it can be established that there is a prime filter F on A such that ⟦P⟧ ∈ F and ⟦Q⟧ ∉ F. Hence F ⊨_{V_⟦−⟧} P but F ⊭_{V_⟦−⟧} Q, so P ⊭ Q. □

K COMMON PROPERTIES OF MODELS M_D AND M_P

We define a more general class of models, parametric on a monad T, which encompasses both our concrete models M_P and M_D. We will call them T-models and use their properties to simplify proofs of certain properties of M_D and M_P.

Definition K.1 (T-models). We say that (M, ⊑, ⊕, ⊙, M) is a T-model if it satisfies the following conditions:
(1) M consists of all maps of the type Mem[S] → T(Mem[S ∪ U]), where S, U are finite subsets of Var.
(2) All m ∈ M preserve their input: m : Mem[S] → T(Mem[S ∪ U]) is in M only if π_S m = unit_S.
(3) ⊙ is defined to be the Kleisli composition associated with T.
(4) ⊕ is deterministic and partial: f ⊕ д is defined when range(f) ∩ range(д) = dom(f) ∩ dom(д).
(5) ⊕ satisfies standard associativity: when both (f ⊕ д) ⊕ h and f ⊕ (д ⊕ h) are defined, (f ⊕ д) ⊕ h = f ⊕ (д ⊕ h).
(6) When f ⊕ д and д ⊕ f are both defined, f ⊕ д = д ⊕ f.
(7) For any f : Mem[A] → T(Mem[A ∪ X]) ∈ M and any S ⊆ A, f ⊕ unit_S = f.
(Padding equality)
(8) When both (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) and (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) are defined,

(f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) = (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄)  (Exchange equality)

(9) M is closed under ⊕ and ⊙.
(10) For f, д ∈ M, f ⊑ д if and only if there exist v ∈ M and some finite set S such that

д = (f ⊕ unit_S) ⊙ v  (K.1)

Below, we prove properties of T-models, which are then common properties of M_D and M_P. The main result is that all T-models are DIBI frames (Lemma K.8).

Lemma K.2 (Standard associativity of ⊕). For any f₁, f₂, f₃ ∈ M, (f₁ ⊕ f₂) ⊕ f₃ is defined if and only if f₁ ⊕ (f₂ ⊕ f₃) is defined, and they are equal.

Proof. Write D_i = dom(f_i) and R_i = range(f_i). (f₁ ⊕ f₂) ⊕ f₃ is defined if and only if R₁ ∩ R₂ = D₁ ∩ D₂ and (R₁ ∪ R₂) ∩ R₃ = (D₁ ∪ D₂) ∩ D₃. f₁ ⊕ (f₂ ⊕ f₃) is defined if and only if R₂ ∩ R₃ = D₂ ∩ D₃ and R₁ ∩ (R₂ ∪ R₃) = D₁ ∩ (D₂ ∪ D₃). Thus, to show that (f₁ ⊕ f₂) ⊕ f₃ is defined if and only if f₁ ⊕ (f₂ ⊕ f₃) is defined, it suffices to show that

R₁ ∩ R₂ = D₁ ∩ D₂  (K.2)
(R₁ ∪ R₂) ∩ R₃ = (D₁ ∪ D₂) ∩ D₃  (K.3)

if and only if

R₂ ∩ R₃ = D₂ ∩ D₃  (K.4)
R₁ ∩ (R₂ ∪ R₃) = D₁ ∩ (D₂ ∪ D₃)  (K.5)

We show that Eq. (K.4) and Eq. (K.5) follow from Eq. (K.2) and Eq. (K.3). Recall that D₁ ⊆ R₁, D₂ ⊆ R₂, D₃ ⊆ R₃, so:
• Eq. (K.4) follows from D₂ ∩ D₃ ⊆ R₂ ∩ R₃ (immediate) and R₂ ∩ R₃ ⊆ D₂ ∩ D₃, which holds because

R₂ ∩ R₃ = R₂ ∩ (R₂ ∩ R₃) ⊆ R₂ ∩ ((R₁ ∪ R₂) ∩ R₃)
= R₂ ∩ ((D₁ ∪ D₂) ∩ D₃)  (by Eq. (K.3))
= (R₂ ∩ D₁ ∩ D₃) ∪ (D₂ ∩ D₃)  (by D₂ ⊆ R₂)
⊆ (R₁ ∩ R₂ ∩ D₃) ∪ (D₂ ∩ D₃)  (by D₁ ⊆ R₁)
= (D₁ ∩ D₂ ∩ D₃) ∪ (D₂ ∩ D₃)  (by Eq. (K.2))
⊆ D₂ ∩ D₃

• Eq. (K.5) follows from D₁ ∩ (D₂ ∪ D₃) ⊆ R₁ ∩ (R₂ ∪ R₃) (immediate) and the reverse inclusion, which holds because

R₁ ∩ (R₂ ∪ R₃) = (R₁ ∩ R₂) ∪ (R₁ ∩ R₃) ⊆ (R₁ ∩ R₂) ∪ (R₁ ∩ (R₁ ∪ R₂) ∩ R₃)
= (D₁ ∩ D₂) ∪ (R₁ ∩ (D₁ ∪ D₂) ∩ D₃)  (by Eq. (K.2) and Eq. (K.3))
= (D₁ ∩ D₂) ∪ ((R₁ ∩ D₁ ∩ D₃) ∪ (R₁ ∩ D₂ ∩ D₃))
⊆ (D₁ ∩ D₂) ∪ ((D₁ ∩ D₃) ∪ (R₁ ∩ R₂ ∩ D₃))  (by D₁ ⊆ R₁, D₂ ⊆ R₂)
= (D₁ ∩ D₂) ∪ ((D₁ ∩ D₃) ∪ (D₁ ∩ D₂ ∩ D₃))  (by Eq. (K.2))
⊆ (D₁ ∩ D₂) ∪ (D₁ ∩ D₃) = D₁ ∩ (D₂ ∪ D₃)

We show that Eq. (K.2) and Eq. (K.3) follow from Eq. (K.4) and Eq. (K.5):
• Eq. (K.2) follows from D₁ ∩ D₂ ⊆ R₁ ∩ R₂ (immediate) and R₁ ∩ R₂ ⊆ D₁ ∩ D₂, which holds because

R₁ ∩ R₂ = R₁ ∩ (R₂ ∪ R₃) ∩ R₂ = D₁ ∩ (D₂ ∪ D₃) ∩ R₂  (by Eq. (K.5))
= D₁ ∩ ((D₂ ∩ R₂) ∪ (D₃ ∩ R₂)) = D₁ ∩ (D₂ ∪ (D₃ ∩ R₂))
⊆ D₁ ∩ (D₂ ∪ (R₂ ∩ R₃))  (by D₃ ⊆ R₃)
= D₁ ∩ (D₂ ∪ (D₂ ∩ D₃))  (by Eq. (K.4))
= D₁ ∩ D₂

• Eq. (K.3) follows from (D₁ ∪ D₂) ∩ D₃ ⊆ (R₁ ∪ R₂) ∩ R₃ (immediate) and the reverse inclusion, which holds because

(R₁ ∪ R₂) ∩ R₃ = (R₁ ∩ R₃) ∪ (R₂ ∩ R₃) = (R₁ ∩ (R₂ ∪ R₃) ∩ R₃) ∪ (R₂ ∩ R₃)
= (D₁ ∩ (D₂ ∪ D₃) ∩ R₃) ∪ (D₂ ∩ D₃)  (by Eq. (K.5) and Eq. (K.4))
= (D₁ ∩ ((D₂ ∩ R₃) ∪ (D₃ ∩ R₃))) ∪ (D₂ ∩ D₃)
⊆ (D₁ ∩ ((R₂ ∩ R₃) ∪ D₃)) ∪ (D₂ ∩ D₃)  (by D₂ ⊆ R₂, D₃ ⊆ R₃)
= (D₁ ∩ ((D₂ ∩ D₃) ∪ D₃)) ∪ (D₂ ∩ D₃)  (by Eq. (K.4))
= (D₁ ∩ D₃) ∪ (D₂ ∩ D₃) = (D₁ ∪ D₂) ∩ D₃

Thus, Eq. (K.2) and Eq. (K.3) hold if and only if Eq. (K.4) and Eq. (K.5) hold. Therefore, (f₁ ⊕ f₂) ⊕ f₃ is defined if and only if f₁ ⊕ (f₂ ⊕ f₃) is defined, and by Definition K.1(5) they are equal. □

Lemma K.3 (Reflexivity and transitivity of order).
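Definition K.1(4) makes definedness of ⊕ depend only on the domain/range footprints of the two states, so the statement of Lemma K.2 can also be spot-checked mechanically. The sketch below is our own, not the paper's: a state is abbreviated to a (dom, range) pair with dom ⊆ range (reflecting input preservation), and the hypothetical helper `par` returns None when ⊕ is undefined.

```python
from itertools import combinations

def subsets(s):
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

# A state is abbreviated to its footprint: a (dom, range) pair with dom ⊆ range.
def par(f, g):
    """f ⊕ g at the footprint level, per Definition K.1(4):
    defined iff range(f) ∩ range(g) = dom(f) ∩ dom(g); None when undefined."""
    (df, rf), (dg, rg) = f, g
    if rf & rg != df & dg:
        return None
    return (df | dg, rf | rg)

universe = {0, 1, 2}
states = [(d, r) for r in subsets(universe) for d in subsets(r)]

# Lemma K.2, checked exhaustively on three variables: one bracketing is
# defined iff the other is, and the results then coincide.
for f1 in states:
    for f2 in states:
        for f3 in states:
            l12 = par(f1, f2)
            lhs = par(l12, f3) if l12 is not None else None
            r23 = par(f2, f3)
            rhs = par(f1, r23) if r23 is not None else None
            assert lhs == rhs
```

The exhaustive loop over all 27³ footprint triples passes silently, matching the lemma; dropping the dom ⊆ range constraint would also drop the hypothesis D_i ⊆ R_i that the proof relies on.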
For any T-model M, the order ⊑ defined in M is transitive and reflexive.

Proof. Let x : Mem[A] → T(Mem[X]) ∈ M, S = ∅, v = unit_X. Then

(x ⊕ unit_S) ⊙ v = (x ⊕ unit_∅) ⊙ unit_X = x ⊙ unit_X  (by Eq. (Padding equality))
= x  (by Definition K.1(3))

Thus, by Equation (K.1) we have x ⊑ x, and the order is reflexive.
For any x, y, z ∈ M, if x ⊑ y and y ⊑ z, then by definition of ⊑, there exist S₁ and v₁ such that y = (x ⊕ unit_{S₁}) ⊙ v₁, and there exist S₂ and v₂ such that z = (y ⊕ unit_{S₂}) ⊙ v₂. We can now calculate:

z = (y ⊕ unit_{S₂}) ⊙ v₂
= (((x ⊕ unit_{S₁}) ⊙ v₁) ⊕ unit_{S₂}) ⊙ v₂
= (((x ⊕ unit_{S₁}) ⊙ v₁) ⊕ (unit_{S₂} ⊙ unit_{S₂})) ⊙ v₂
= (x ⊕ unit_{S₁} ⊕ unit_{S₂}) ⊙ (v₁ ⊕ unit_{S₂}) ⊙ v₂  (by Exchange equality and Proposition K.4)
= (x ⊕ unit_{S₁∪S₂}) ⊙ ((v₁ ⊕ unit_{S₂}) ⊙ v₂)

M is closed under ⊕ and ⊙, so (v₁ ⊕ unit_{S₂}) ⊙ v₂ ∈ M. Thus, we can instantiate Equation (K.1) with S = S₁ ∪ S₂ and v = (v₁ ⊕ unit_{S₂}) ⊙ v₂, obtaining x ⊑ z. So the order is transitive. □

Proposition K.4.
For any T-model M and states f₁, f₂, f₃, f₄ in M, if (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) is defined then (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) is also defined. The converse does not always hold, but if f₁ ⊙ f₃ and f₂ ⊙ f₄ are defined, then (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) being defined implies that (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) is defined too.

Proof. Write D_i = dom(f_i) and R_i = range(f_i). We prove each direction individually:
• Given that (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) is defined, it must be that R₁ = D₃, R₂ = D₄, and R₃ ∩ R₄ = D₁ ∩ D₂. Thus, R₁ ∩ R₂ = D₃ ∩ D₄ ⊆ R₃ ∩ R₄ = D₁ ∩ D₂ ⊆ R₁ ∩ R₂, so R₁ ∩ R₂ = D₁ ∩ D₂, ensuring that f₁ ⊕ f₂ is defined; likewise R₃ ∩ R₄ = D₁ ∩ D₂ ⊆ R₁ ∩ R₂ = D₃ ∩ D₄ ⊆ R₃ ∩ R₄, so R₃ ∩ R₄ = D₃ ∩ D₄, ensuring that f₃ ⊕ f₄ is defined; and range(f₁ ⊕ f₂) = R₁ ∪ R₂ = D₃ ∪ D₄ = dom(f₃ ⊕ f₄), ensuring that (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) is defined.
• Given that f₁ ⊙ f₃ and f₂ ⊙ f₄ are defined, (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) is defined iff R₃ ∩ R₄ = D₁ ∩ D₂. When (f₁ ⊕ f₂) ⊙ (f₃ ⊕ f₄) is defined,

R₃ ∩ R₄ = D₃ ∩ D₄  (because f₃ ⊕ f₄ is defined)
= R₁ ∩ R₂  (because f₁ ⊙ f₃ and f₂ ⊙ f₄ are defined)
= D₁ ∩ D₂  (because f₁ ⊕ f₂ is defined)

So (f₁ ⊙ f₃) ⊕ (f₂ ⊙ f₄) is also defined. □

Lemma K.5 (⊙ elimination). For any T-model M and f, д ∈ M, if f ⊙ (д ⊕ unit_X) is defined and dom(д) ⊆ dom(f), then f ⊙ (д ⊕ unit_X) = д ⊕ f.

Proof. Let f : Mem[S] → T(Mem[S ∪ T]) and д : Mem[U] → T(Mem[U ∪ V]) be in M. When U ⊆ S,

f ⊙ (д ⊕ unit_X) = (f ⊕ unit_U) ⊙ (д ⊕ unit_X ⊕ unit_{S∪T})  (by Padding equality)
= (unit_U ⊕ f) ⊙ (д ⊕ unit_X ⊕ unit_{S∪T})  (by commutativity)
= (unit_U ⊕ f) ⊙ (д ⊕ unit_{S∪T})  (†)
= (unit_U ⊙ д) ⊕ (f ⊙ unit_{S∪T})  (by Proposition K.4 and Exchange equality)
= д ⊕ f

where † follows from X ⊆ S ∪ T, which holds since f ⊙ (д ⊕ unit_X) being defined implies S ∪ T = X ∪ U. □

Lemma K.6 (Converting ⊕ to ⊙). For any T-model M, let f : Mem[S] → T(Mem[S ∪ T]) and д : Mem[U] → T(Mem[U ∪ V]) be in M. If f ⊕ д is defined, then f ⊕ д = (f ⊕ unit_U) ⊙ (unit_{S∪T} ⊕ д).

Proof.
f ⊕ д = (f ⊙ unit_{S∪T}) ⊕ (unit_U ⊙ д) = (f ⊕ unit_U) ⊙ (unit_{S∪T} ⊕ д)  (by Proposition K.4 and Exchange equality)  □

Lemma K.7 (Quasi-downwards-closure of ⊙). For any T-model M and f, д, h, i ∈ M, if f ⊑ h, д ⊑ i, and f ⊙ д, h ⊙ i are all defined, then f ⊙ д ⊑ h ⊙ i.

Proof. Since f ⊑ h and д ⊑ i, there must exist sets S₁, S₂ and v₁, v₂ ∈ M such that h = (f ⊕ unit_{S₁}) ⊙ v₁ and i = (д ⊕ unit_{S₂}) ⊙ v₂. f ⊙ д is defined, so dom(д) = range(f) ⊆ range(f ⊕ unit_{S₁}) = dom(v₁). Thus,

h ⊙ i = (f ⊕ unit_{S₁}) ⊙ v₁ ⊙ (д ⊕ unit_{S₂}) ⊙ v₂
= (f ⊕ unit_{S₁}) ⊙ (д ⊕ v₁) ⊙ v₂  (by Lemma K.5 and dom(д) ⊆ dom(v₁))
= (f ⊕ unit_{S₁}) ⊙ (д ⊕ unit_{dom(v₁)}) ⊙ (unit_{range(д)} ⊕ v₁) ⊙ v₂  (by Lemma K.6)
= (f ⊕ unit_{S₁}) ⊙ (д ⊕ unit_{S₁}) ⊙ (unit_{range(д)} ⊕ v₁) ⊙ v₂  (†)
= ((f ⊙ д) ⊕ (unit_{S₁} ⊙ unit_{S₁})) ⊙ (unit_{range(д)} ⊕ v₁) ⊙ v₂  (♥)
= ((f ⊙ д) ⊕ unit_{S₁}) ⊙ (unit_{range(д)} ⊕ v₁) ⊙ v₂

where † follows from dom(д) = range(f) and Eq. (Padding equality), and ♥ follows from Proposition K.4 and Exchange equality. Therefore, f ⊙ д ⊑ h ⊙ i. □

Lemma K.8.
Any T-model M is a DIBI frame.

Proof. The frame axioms that we need to check are as follows.

(⊕ Down-Closed)
We want to show that for any x′, x, y′, y ∈ M, if x′ ⊑ x, y′ ⊑ y and x ⊕ y = z, then x′ ⊕ y′ is defined and x′ ⊕ y′ = z′ ⊑ z. Since x′ ⊑ x and y′ ⊑ y, there exist sets S₁, S₂ and v₁, v₂ ∈ M such that x = (x′ ⊕ unit_{S₁}) ⊙ v₁ and y = (y′ ⊕ unit_{S₂}) ⊙ v₂. Thus,

x ⊕ y = ((x′ ⊕ unit_{S₁}) ⊙ v₁) ⊕ ((y′ ⊕ unit_{S₂}) ⊙ v₂)
= ((x′ ⊕ unit_{S₁}) ⊕ (y′ ⊕ unit_{S₂})) ⊙ (v₁ ⊕ v₂)  (by Proposition K.4 and Exchange equality)
= ((x′ ⊕ y′) ⊕ (unit_{S₁} ⊕ unit_{S₂})) ⊙ (v₁ ⊕ v₂)  (by commutativity and associativity)
= ((x′ ⊕ y′) ⊕ unit_{S₁∪S₂}) ⊙ (v₁ ⊕ v₂)

This derivation shows that x′ ⊕ y′ is defined and x′ ⊕ y′ ⊑ x ⊕ y = z.

(⊙ Up-Closed)
We want to show that for any z′, z, x, y ∈ M, if z = x ⊙ y and z′ ⊒ z, then there exist x′, y′ such that x′ ⊒ x, y′ ⊒ y, and z′ = x′ ⊙ y′. Since z′ ⊒ z, there exist a set S and v ∈ M such that z′ = (z ⊕ unit_S) ⊙ v. Thus,

z′ = (z ⊕ unit_S) ⊙ v = ((x ⊙ y) ⊕ unit_S) ⊙ v
= ((x ⊙ y) ⊕ (unit_S ⊙ unit_S)) ⊙ v
= ((x ⊕ unit_S) ⊙ (y ⊕ unit_S)) ⊙ v  (by Proposition K.4 and Exchange equality)
= (x ⊕ unit_S) ⊙ ((y ⊕ unit_S) ⊙ v)  (by standard associativity of ⊙)

Thus, for x′ = x ⊕ unit_S and y′ = (y ⊕ unit_S) ⊙ v, we have z′ = x′ ⊙ y′.

(⊕ Commutativity)
We want to show that z = x ⊕ y implies z = y ⊕ x. By the definition of T-models: first, x ⊕ y is defined iff range(x) ∩ range(y) = dom(x) ∩ dom(y) iff y ⊕ x is defined; second, when x ⊕ y and y ⊕ x are both defined, they are equal. Thus, the ⊕ commutativity frame condition is satisfied.

(⊕ Associativity)
Since ⊕ is deterministic and partial, the associativity of ⊕ frame axiom reduces to Lemma K.2.

(⊕ Unit existence)
We want to show that for any x ∈ M, there exists e ∈ E such that x = e ⊕ x. For any x : Mem[A] → T(Mem[B]), x ⊕ unit_{Mem[∅]} is defined because B ∩ ∅ = ∅ = A ∩ ∅, and by Eq. (Padding equality), x ⊕ unit_{Mem[∅]} = x. Also, unit_{Mem[∅]} ∈ E = M. So e = unit_{Mem[∅]} serves as the unit under ⊕ for any x.

(⊕ Unit Coherence)
We want to show that for any y ∈ M and e ∈ E = M, if x = y ⊕ e, then x ⊒ y.

x = y ⊕ e = (y ⊙ unit_{range(y)}) ⊕ (unit_{dom(e)} ⊙ e)
= (y ⊕ unit_{dom(e)}) ⊙ (unit_{range(y)} ⊕ e)  (by Eq. (Exchange equality))
= (y ⊕ unit_{dom(e)}) ⊙ (e ⊕ unit_{range(y)})  (by ⊕ commutativity)

Thus, x ⊒ y.

(⊙ Associativity)
Since ⊙ is deterministic and partial, the associativity of ⊙ frame axiom reduces to standard associativity. Kleisli composition satisfies standard associativity, so ⊙ also satisfies standard associativity.

(⊙ Unit Existence L and R) Since ⊙ is the Kleisli composition, for any morphism x : Mem[A] → T(Mem[B]), unit_{Mem[A]} is the left unit and unit_{Mem[B]} is the right unit. For all S, unit_{Mem[S]} ∈ M = E. Thus, for any x ∈ M, there exists e ∈ E such that e ⊙ x = x, and there exists e′ ∈ E such that x ⊙ e′ = x.

(⊙ Coherence R) For any y ∈ M and e ∈ E = M such that x = y ⊙ e, we want to show that x ⊒ y. We just proved that y ⊕ unit_{Mem[∅]} = y for any y, so x = y ⊙ e = (y ⊕ unit_{Mem[∅]}) ⊙ e, and hence y ⊑ x, i.e. x ⊒ y, as desired.

(Unit closure) We want to show that for any e ∈ E and e′ ⊒ e, e′ ∈ E. This is evident because E = M and M is closed under ⊕ and ⊙.

(Reverse exchange) Given x = y ⊕ z, y = y₁ ⊙ y₂ and z = z₁ ⊙ z₂, we want to show that there exist u = y₁ ⊕ z₁ and v = y₂ ⊕ z₂ such that x = u ⊙ v. After substitution, we get (y₁ ⊙ y₂) ⊕ (z₁ ⊙ z₂) = y ⊕ z = x. By Exchange equality and Proposition K.4, when (y₁ ⊙ y₂) ⊕ (z₁ ⊙ z₂) is defined, (y₁ ⊕ z₁) ⊙ (y₂ ⊕ z₂) is also defined, and (y₁ ⊙ y₂) ⊕ (z₁ ⊙ z₂) = (y₁ ⊕ z₁) ⊙ (y₂ ⊕ z₂). Thus (y₁ ⊕ z₁) ⊙ (y₂ ⊕ z₂) = y ⊕ z = x, and u = y₁ ⊕ z₁, v = y₂ ⊕ z₂ completes the proof. □

Lemma K.9 (Classical flavor in intuitionistic model).
For any T-model M such that Disintegration holds (see Lemma D.1 and Lemma E.1), and f ∈ M,

f ⊨ (∅ ▷ [Z]) ⨟ ((Z ▷ [X]) ∗ (Z ▷ [Y]))

if and only if there exist д, h, i ∈ M such that д : Mem[∅] → T(Mem[Z]), h : Mem[Z] → T(Mem[Z ∪ X]), i : Mem[Z] → T(Mem[Z ∪ Y]), and д ⊙ (h ⊕ i) ⊑ f.

Proof. The backwards direction trivially follows from persistence. We detail the proof of the forward direction here. Suppose f ⊨ (∅ ▷ [Z]) ⨟ ((Z ▷ [X]) ∗ (Z ▷ [Y])). Then there exist f₁, f₂, f₃, f₄ such that f₁ ⊙ f₂ = f, f₃ ⊕ f₄ ⊑ f₂, f₁ ⊨ (∅ ▷ [Z]), f₃ ⊨ (Z ▷ [X]) and f₄ ⊨ (Z ▷ [Y]).
• f₁ ⊨ (∅ ▷ [Z]) implies that there exists f′′₁ ⊑ f₁ such that dom(f′′₁) = ∅ and range(f′′₁) ⊇ Z. Let f′₁ = π_Z f′′₁. Note that f′₁ : Mem[∅] → T(Mem[Z]) and f′₁ ⊑ f′′₁ ⊑ f₁. Hence, there exist some set S₁ and v₁ ∈ M such that f₁ = (f′₁ ⊕ unit_{S₁}) ⊙ v₁.
• f₃ ⊨ (Z ▷ [X]) implies that there exists f′′₃ ⊑ f₃ such that dom(f′′₃) = Z and range(f′′₃) ⊇ X. Define f′₃ = π_{Z∪X} f′′₃. Then f′₃ ⊑ f′′₃ ⊑ f₃, and f′₃ : Mem[Z] → T(Mem[X ∪ Z]).
• f₄ ⊨ (Z ▷ [Y]) implies that there exists f′′₄ ⊑ f₄ such that dom(f′′₄) = Z and range(f′′₄) ⊇ Y. Define f′₄ = π_{Z∪Y} f′′₄ and note that f′₄ : Mem[Z] → T(Mem[Y ∪ Z]).
• By downwards closure of ⊕ (Appendix K), f₃ ⊕ f₄ being defined implies that f′₃ ⊕ f′₄ is also defined and f′₃ ⊕ f′₄ ⊑ f₃ ⊕ f₄ ⊑ f₂. Thus, there exist some v₂ ∈ M and finite set S₂ such that f₂ = (f′₃ ⊕ f′₄ ⊕ unit_{S₂}) ⊙ v₂.

Using these observations, we can now calculate and show that f′₁ ⊙ (f′₃ ⊕ f′₄ ⊕ unit_Z) ⊑ f₁ ⊙ f₂:

f₁ ⊙ f₂ = (f′₁ ⊕ unit_{S₁}) ⊙ v₁ ⊙ (f′₃ ⊕ f′₄ ⊕ unit_{S₂}) ⊙ v₂
= (f′₁ ⊕ unit_{S₁}) ⊙ (f′₃ ⊕ f′₄ ⊕ v₁) ⊙ v₂  (by Lemma K.5 and dom(f′₃ ⊕ f′₄) = Z ⊆ range(f′₁ ⊕ unit_{S₁}) = dom(v₁))
= (f′₁ ⊕ unit_{S₁}) ⊙ ((f′₃ ⊕ f′₄ ⊕ unit_{dom(v₁)}) ⊙ (unit_{X∪Y∪Z} ⊕ v₁)) ⊙ v₂  (by Lemma K.6)
= (f′₁ ⊕ unit_{S₁}) ⊙ (f′₃ ⊕ f′₄ ⊕ unit_Z ⊕ unit_{S₁}) ⊙ (unit_{X∪Y∪Z} ⊕ v₁) ⊙ v₂  (by dom(v₁) = Z ∪ S₁)
= ((f′₁ ⊙ (f′₃ ⊕ f′₄ ⊕ unit_Z)) ⊕ (unit_{S₁} ⊙ unit_{S₁})) ⊙ (unit_{X∪Y∪Z} ⊕ v₁) ⊙ v₂  (by Eq. (Exchange equality) and Proposition K.4)
= ((f′₁ ⊙ (f′₃ ⊕ f′₄ ⊕ unit_Z)) ⊕ unit_{S₁}) ⊙ (unit_{X∪Y∪Z} ⊕ v₁) ⊙ v₂
= ((f′₁ ⊙ (f′₃ ⊕ f′₄)) ⊕ unit_{S₁}) ⊙ (unit_{X∪Y∪Z} ⊕ v₁) ⊙ v₂  (because f′₃, f′₄ preserve input on Z)

To finish, take д = f′₁ : Mem[∅] → T(Mem[Z]), h = f′₃ : Mem[Z] → T(Mem[Z ∪ X]), i = f′₄ : Mem[Z] → T(Mem[Z ∪ Y]), and note that д ⊙ (h ⊕ i) = f′₁ ⊙ (f′₃ ⊕ f′₄) ⊑ f₁ ⊙ f₂ = f. □

Lemma K.10 (Uniqueness).
For any T-model M, f, д : Mem[X] → T(Mem[X ∪ Y]) in M, and arbitrary h ∈ M, if f ⊑ h and д ⊑ h, then f = д.

Proof. f ⊑ h implies that there exist v₁, S₁ such that (f ⊕ unit_{S₁}) ⊙ v₁ = h; д ⊑ h implies that there exist v₂, S₂ such that (д ⊕ unit_{S₂}) ⊙ v₂ = h. Take h : Mem[W] → T(Mem[Z ∪ W]); then

f ⊕ unit_{S₁} = π_{range(f ⊕ unit_{S₁})} h = π_{X∪Y∪dom(h)} h
д ⊕ unit_{S₂} = π_{range(д ⊕ unit_{S₂})} h = π_{X∪Y∪dom(h)} h

Thus, f ⊕ unit_{S₁} = д ⊕ unit_{S₂}. Now, suppose f ≠ д. This would imply f ⊕ unit_{S₁} ≠ д ⊕ unit_{S₂}, which is a contradiction. Thus, f = д. □
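Specialized to the distribution monad, the decomposition д ⊙ (h ⊕ i) of Lemma K.9 is the familiar statement that X and Y are conditionally independent given Z exactly when the joint distribution factors as P(z) · P(x|z) · P(y|z). A minimal sketch of this factorization — our own encoding, with hypothetical helper names `factor` and `recompose`:

```python
def factor(joint):
    """Disintegrate a joint P(x, y, z) into g = P(z), h = P(x|z), i = P(y|z)."""
    pz, pxz, pyz = {}, {}, {}
    for (x, y, z), p in joint.items():
        pz[z] = pz.get(z, 0.0) + p
        pxz[(x, z)] = pxz.get((x, z), 0.0) + p
        pyz[(y, z)] = pyz.get((y, z), 0.0) + p
    h = {k: p / pz[k[1]] for k, p in pxz.items()}  # conditional P(x|z)
    i = {k: p / pz[k[1]] for k, p in pyz.items()}  # conditional P(y|z)
    return pz, h, i

def recompose(g, h, i):
    """The composite g ⊙ (h ⊕ i): choose z, then x and y independently given z."""
    out = {}
    for z, p_z in g.items():
        for (x, zx), p_x in h.items():
            for (y, zy), p_y in i.items():
                if zx == z and zy == z:
                    out[(x, y, z)] = p_z * p_x * p_y
    return out

# A joint in which X and Y are conditionally independent given Z by construction:
bias = {0: 0.2, 1: 0.9}
joint = {(x, y, z): 0.5 * (bias[z] if x else 1 - bias[z])
                        * (bias[z] if y else 1 - bias[z])
         for x in (0, 1) for y in (0, 1) for z in (0, 1)}
rebuilt = recompose(*factor(joint))
# rebuilt coincides with joint, witnessing the factorization of Lemma K.9
```

For a joint without this conditional independence (e.g. one forcing x = y given z), `recompose(*factor(joint))` would differ from the joint, and no decomposition д ⊙ (h ⊕ i) below it exists.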