A tier-based typed programming language characterizing Feasible Functionals
Emmanuel Hainry, Bruce M. Kapron, Jean-Yves Marion, Romain Péchoux
aa r X i v : . [ c s . L O ] F e b A TIER-BASED TYPED PROGRAMMING LANGUAGECHARACTERIZING FEASIBLE FUNCTIONALS
EMMANUEL HAINRY, BRUCE M. KAPRON, JEAN-YVES MARION, AND ROMAIN P´ECHOUXUniversit´e de Lorraine, CNRS, Inria, LORIA, F-54000 Nancy e-mail address : [email protected] of Victoria, Victoria, BC e-mail address : [email protected]´e de Lorraine, CNRS, Inria, LORIA, F-54000 Nancy e-mail address : [email protected]´e de Lorraine, CNRS, Inria, LORIA, F-54000 Nancy e-mail address : [email protected]
Abstract.
The class of Basic Feasible Functionals BFF is the type-2 counterpart of theclass FP of type-1 functions computable in polynomial time. Several characterizationshave been suggested in the literature, but none of these present a programming languagewith a type system guaranteeing this complexity bound. We give a characterization ofBFF based on an imperative language with oracle calls using a tier-based type systemwhose inference is decidable. Such a characterization should make it possible to linkhigher-order complexity with programming theory. The low complexity (cubic in thesize of the program) of the type inference algorithm contrasts with the intractability ofthe aforementioned methods and does not overly constrain the expressive power of thelanguage. Introduction
Type-2 computational complexity aims to study classes of functions that take type-1 ar-guments. The notion of feasibility for type-2 functionals was first studied in [Con73] andin [Meh76] using subrecursive formalisms. Later, [CK89, CU93] provided characterizationsof polynomial time complexity at all finite types based on programming languages withexplicit bounds and applied typed lambda-calculi, respectively. The class characterized inthese works was christened the Basic Feasible Functionals, BFF for short.It was shown in [KC91, KC96] that, similarly to type-1, feasible type-2 functions cor-respond to the programs computed in time polynomial in the size of their input. In thissetting, the polynomial bound is a type-2 function as the size of a type-1 input is itself atype-1 object. This characterization lent support to the notion that at type level 2, theBasic Feasible Functionals (BFF ) are the correct generalization of FP to type-2. Key words and phrases:
Feasible Functionals, BFF, implicit computational complexity, tiering, type-2,type system.
Preprint submitted toLogical Methods in Computer Science © E. Hainry, B. Kapron, J-Y. Marion, and J-Y. Marion CC (cid:13) Creative Commons
E. HAINRY, B. KAPRON, J-Y. MARION, AND J-Y. MARION
Nevertheless, these characterizations are faced by at least two problems:(1) Characterizations using a general model of computation (whether machine- or program-based) require externally imposed and explicit resource bounding, either by a type-2polynomial [KC91, KC96, FHHP15] or a bounding function within the class of [Con73,Meh76]. This is analogous to a shortcoming in Cobham’s characterization of the classof (type 1) polynomial time computable functions FP [Cob65]. Such bounding requireseither a prior knowledge of program complexity or a check on type-2 polynomial timeconstraints, which is highly intractable;(2) There is no natural programming language for these characterizations as they rely onmachines or function algebras and cannot be adapted directly to programs. Some at-tempts have been made to provide programming languages for characterizing BFF .These languages are problematic either due to a need to provide some form of explicitexternal bounding [CK89] or from including unnatural constructs or type-2 recursionpatterns [CU93, IRK01, DR06] which severely constrain the way in which type-2 pro-grams may be written. All these distinct approaches would make it difficult for anon-expert programmer to use these formalisms as programming languages.A solution to Problem (1) was suggested in [KS17] by constraining Cook’s definition ofOracle Polynomial Time (OPT) [Coo92], which allows type-1 polynomials to be substitutedfor type-2 polynomials. To achieve this, oracle Turing machines are required to have a polynomial step count : on any input, the length of their computations is bounded by atype-1 polynomial in the size of their input and the maximal size of any answer returnedby the oracle. However BFF is known to be strictly included in OPT. In [KS17], OPTis constrained by only allowing computations in which oracle return values increase in sizea constant number of times, resulting in a class they called SPT ( strong polynomial time ).This class is strictly contained in BFF . BFF is recovered in [KS18] by putting a dualrestriction, called finite lookahead revision , on machines: on any input, the number oforacle calls on input of increasing size is bounded by a constant. The class of functionscomputed by machines having polynomial step count and finite lookahead revision is calledMPT. The type-2 restriction of the simply-typed lambda closure of functions in MPT (andSPT) characterizes exactly BFF .Problem (2) has been extensively tackled by the Implicit Computational Complexitycommunity for type-1 complexity. This line of work provides machine independent char-acterizations that eliminate the external explicit bound and was initiated by the seminalworks [BC92] and [LM93]. However, none of these works has been adapted to the case oftype-2 complexity in a tractable approach. To this day, tractable implicit characterizationsof type-2 complexity classes are still missing.Our contribution. We provide the first tractable characterization of type-2 polynomial timeusing a typed imperative language with oracle calls. Each oracle call comes with an asso-ciated input bound which aims at bounding the size of the oracle input. However the sizeof the oracle answer, which is unpredictable, remains unbounded and, consequently, thelanguage can be used in practice.The characterization is inspired by the tier-based type system of [Mar11] characterizingFP. Consequently, it relies on a non-interference principle and is also inspired by the typesystem of [VIS96] guaranteeing confidentiality and integrity policies by ensuring that valuesof high level variables do not depend on values of low level variables during a programexecution. In our context, the level is called a tier. TIER-BASED TYPED PL CHARACTERIZING BFF 3
Let J ST K be the set of functions computed by typable (also called safe , see Definition 6)and terminating programs and let λ ( X ) be the type-2 restriction of the simply-typedlambda closure of terms with constants in X . The characterization of BFF is as follows: Theorem 1 . λ ( J ST K ) = BFF . Soundness ( λ ( J ST K ) ⊆ BFF , Theorem 33) is demonstrated by showing that eachfunction of J ST K is in Kapron-Steinberg’s MPT class [KS18]. The type system makes useof several tiers and is designed to enforce a tier-based non-interference result (Theorem 17)and generalizes the operator type discipline of [Mar11] to ensure the polynomial step countproperty (Corollary 22) and the finite lookahead revision property (Theorem 25), two non-trivial semantic properties. Two important points to stress are that: i) these propertiesare enforced statically on programs as consequences of being typable (whereas they wereintroduced in [KS18] as pure semantic requirements on machines); ii) the enforcement offinite lookahead revision through the use of tiering is a new non-trivial result.Completeness (BFF ⊆ λ ( J ST K ) , Theorem 41) is shown using an alternative charac-terization: λ (FP ∪ {I ′ } ) = BFF , where I ′ is a bounded iterator that is polynomiallyequivalent to the recursor R of [CU93], as demonstrated in [KS19]. The simulation of FPis performed by showing that our type system strictly embeds the tier-based type systemof [MP14]. Consequently, our type system also provides a characterization of FP (Theo-rem 39) with strictly more expressive power when restricted to type-1 programs. Finally,a typable and terminating program computing the bounded iterator functional I ′ is exhib-ited. As in [KS18], the simply-typed lambda-closure is mandatory to achieve completenessas oracle composition is not allowed by the syntax of the language.The tractability of the type system is proved in Theorem 44, where type inference isshown to be to be solvable in cubic time in the size of the program. As a consequence of thedecidability of type inference for simply typed lambda-calculus [Mit91], we obtain the firstdecidable (up to a termination assumption) programming language based characterizationof type-2 polynomial. While the termination assumption is obviously not decidable, it isthe most general condition for the result to hold. However, it can be replaced withoutloss of completeness by combining our type system with automatic termination provers forimperative programs, for example [CPR06, LJB01]. The price to pay is a loss of expressivepower. Hence this paper provides a new approach for reasoning about type-2 feasibilityautomatically, in contrast to related works.The characterization of Theorem 1 is extensionally complete: all functions of BFF arecomputed by a typable and terminating program. It is not intensionally complete: thereare false negatives as discussed in Example 11. This incompleteness is a consequence of thedecidability of type inference as providing intensionally complete descriptions of polynomialtime is known to be a Σ -complete problem in the arithmetical hierarchy [H´aj79]. Outline. § § § § §
8, respectively. The decidability of type inference is shownin §
9. Future work is discussed in § E. HAINRY, B. KAPRON, J-Y. MARION, AND J-Y. MARION
Expressions e , e , . . . ::= x | op ( e ) | φ ( e ↾ e ) Commands c , c , c ::= skip | x := e | c ; c | if ( e ) { c } else { c }| while ( e ) { c } Programs p φ ::= c return x Figure 1.
Syntax of imperative programs with oracles2.
Related work
Implicit Computational Complexity (ICC). has lead to the development of several tech-niques such as interpretations [BMM11], light logics [Gir98], mwp-bounds [BAJK08, JK09],and tiering [Mar11, LM13, HP15]. These tools are restricted to type-1 complexity. Whereasthe light logic approach can deal with programs at higher types, its applications are re-stricted to type-1 complexity classes such as FP [BT04, BM10] or polynomial space [GMR08].Interpretations were extended to higher-order polynomials in [BL16] to study FP andadapted in [FHHP15, HP17] to BFF . However, by essence, all these characterizationsuse (at least) type-2 polynomials and cannot be considered as tractable.Other characterizations of BFF . The characterizations of [CK89, IRK01] are based on a sim-ple imperative programming language that enforces an explicit external bound on the size oforacle outputs within loops. This restriction is impractical from a programming perspectiveas the size of oracle outputs cannot be predicted. In this paper, the bound is programmerfriendly by its implicit nature and because it only constraints the size of the oracle input.Function algebra characterizations were developed in [KS19, CU93]: the recursion schemesare not natural and cannot be used in practice. Several characterizations [KC91, KC96]using type-2 polynomials were also developed but they focus on machines rather than pro-grams. 3. Imperative programming language with oracles
Syntax and semantics.
Consider a set V of variables and a set O of operators op offixed arity ar ( op ). For notational convenience, operators are used both in infix and prefixnotations. Let t denote a tuple of n elements (variables, expressions, words, ...) t , . . . , t n ,where n is given by the context.Expressions and commands are defined by the grammar of Figure 1, where x , y ∈ V , op , ↾ ∈ O , and φ is a single oracle symbol. Let V ( p φ ) be the set of variables occurring inthe program p φ . An expression of the shape φ ( e ↾ e ) is called an oracle call . e is calledthe input data , e is called the input bound and e ↾ e is called the input . We write φ / ∈ p φ in the special case where no oracle call appears in p φ .Let W = Σ ∗ be the set of words over a finite alphabet Σ such that { , } ⊆ Σ. Thesymbol ǫ denotes the empty word. The length of a word w (tuple t ) is denoted | w | ( | t | ,respectively). Given two words w and v in W let v . w denote the concatenation of v and w .For a given symbol a ∈ Σ, let a n be defined inductively by a = ǫ and a n +1 = a.a n . Let E TIER-BASED TYPED PL CHARACTERIZING BFF 5 be the sub-word relation over W , which is defined by v E w , if there are u and u ′ such that w = u . v . u ′ .A total function J op K : W ar ( op ) → W is associated to each operator. Constants may beviewed as operators of arity zero.For a given word w ∈ W and an integer n , let w ↾ n be the word obtained by truncating w to its first min( n, | w | ) symbols and then padding with a word of the form 10 k to obtaina word of size exactly n + 1. For example, 1001 ↾ = 1, 1001 ↾ = 11, 1001 ↾ = 101, and1001 ↾ = 1001100. Define ∀ v , w ∈ W , J ↾ K ( v, w ) = v ↾ | w | . Padding ensures that | J ↾ K ( v, w ) | = | w | + 1. The syntax of programs enforces that oracle calls are always performed on inputdata padded by the input bound. Combined with the above property, this ensures thatoracle calls are always performed on input data whose size does not exceed the size of theinput bound plus one.The oracle symbol φ computes a total function from W to W , called an oracle function.In order to lighten notations, we will make no distinction between the oracle symbol φ andthe oracle function it represents.A store µ is a partial map from V to W . Let dom ( µ ) be the domain of µ . Let µ [ x ← w , . . . , x n ← w n ] be a notation for the store µ ′ satisfying ∀ x ∈ dom ( µ ) −{ x , . . . , x n } , µ ′ ( x ) = µ ( x ) and ∀ x i ∈ { x , . . . , x n } , µ ′ ( x i ) = w i . Let µ be the store defined by ∀ x ∈ dom ( µ ) , µ ( x ) = ǫ . The size of a store µ is defined by | µ | = Σ x ∈ dom ( µ ) | µ ( x ) | . The operational semantics of the language is deterministic and is given in Figure 2. Thejudgment µ (cid:15) e → w means that the expression e is evaluated to the word w ∈ W withrespect to the store µ The judgment µ (cid:15) c → µ ′ expresses that, under the input store µ , thecommand c terminates and outputs the store µ ′ . In rule (Seq) of Figure 2, it is implicitlyassumed that c is not a sequence.Given a derivation π φ : µ (cid:15) p φ → w , let | π φ | denote the size of the derivation, that is thenumber of nodes in the derivation tree rooted at µ (cid:15) p φ → w . Note that | π φ | correspondsto the number of steps in a sequential execution of p φ , initialized with store µ . On theother hand, with no restriction on operators this measure is too coarse to correspond, evenasymptotically, to running time. With suitable restriction, there is a correspondence, givenin Proposition 30 below.A program p φ such that V ( p φ ) = { x } computes the partial function J p φ K ∈ W | x | → W ,defined by J p φ K ( w ) = w if ∃ π φ , π φ : µ [ x ← w , . . . , x | x | ← w | x | ] (cid:15) p φ → w . In thespecial case where, for any oracle φ , J p φ K is a total function, the program p φ is said to beterminating.A second order function f : ( W → W ) → ( W → W ) is computed by a program p φ if forany oracle function φ ∈ W → W and word w ∈ W , f ( φ )( w ) = J p φ K ( w ).3.2. Neutral and positive operators.
We define two classes of operators called neutraland positive. This categorization of operators will be used in § Definition 2 (Neutral and positive operators) . • An operator op is neutral if: (1) either J op K : W ar ( op ) → { , } is a predicate; (2) or ∀ w ∈ W ar ( op ) , ∃ i ≤ ar ( op ) , J op K ( w ) E w i ; • An operator op is positive if there is a constant c op such that: ∀ w ar ( op ) ∈ W , | J op K ( w ) | ≤ max i | w i | + c op . E. HAINRY, B. KAPRON, J-Y. MARION, AND J-Y. MARION (Var) µ (cid:15) x → µ ( x ) ∀ i ≤ ar ( op ) , µ (cid:15) e i → w i (Op) µ (cid:15) op ( e ) → J op K ( w ) µ (cid:15) e → v µ (cid:15) e → w φ ( J ↾ K ( v , w )) = u (Orc) µ (cid:15) φ ( e ↾ e ) → u (Skip) µ (cid:15) skip → µ µ (cid:15) c → µ µ (cid:15) c → µ (Seq) µ (cid:15) c ; c → µ µ (cid:15) e → w (Asg) µ (cid:15) x := e → µ [ x ← w ] µ (cid:15) e → w µ (cid:15) c w → µ ′ w ∈ { , } (Cond) µ (cid:15) if ( e ) { c } else { c } → µ ′ µ (cid:15) e → ) µ (cid:15) while ( e ) { c } → µµ (cid:15) e → µ (cid:15) c ; while ( e ) { c } → µ ′ (Wh ) µ (cid:15) while ( e ) { c } → µ ′ µ (cid:15) c → µ ′ (Prg) µ (cid:15) c return x → µ ′ ( x ) Figure 2.
Big step operational semanticsA neutral operator is always a positive operator but the converse is not true. In theremainder, we name positive operators those operators that are positive but not neutral.
Example 3.
The operator == tests whether or not its arguments are equal and the operator pred computes the predecessor. J == K ( w , v ) = ( if v = w otherwise J pred K ( v ) = ( ǫ if v = ǫ u if v = a. u , a ∈ Σ Both operators are neutral. J suc i K ( v ) = i. v , for i ∈ { , } , is a positive operator since | J suc i K ( v ) | = | i. v | = | v | + 1 . Type system
In this section, we introduce a tier based type system, the main contribution of the paper,that allows to provide a characterization of type-2 polynomial time complexity ([Meh76,KC91, KC96]).
TIER-BASED TYPED PL CHARACTERIZING BFF 7
Tiers and typing judgments.
Atomic types are elements of the totally orderedset ( N , (cid:22) , , ∨ , ∧ ) where N = { , , , . . . } is the set of natural numbers, called tiers , inaccordance with the data ramification principle of [Lei95], (cid:22) is the usual ordering on integersand ∨ and ∧ are the max and min operators over integers. Let ≺ be defined by ≺ := (cid:22) ∩ 6 =.We use the symbols k , k ′ , . . . , k , k , . . . to denote tier variables. For a finite set of tiers, { k , . . . , k n } , let ∨ ni =1 k i ( ∧ ni =1 k i , respectively) denote k ∨ . . . ∨ k n ( k ∧ . . . ∧ k n , respectively).A variable typing environment Γ is a finite mapping from V to N , which assigns a singletier to each variable.An operator typing environment ∆ is a mapping that associates to each operator op and each tier k ∈ N a set of admissible operator types ∆( op )( k ), where the operator typescorresponding to the operator op are of the shape k → . . . k ar ( op ) → k ′ , with k i , k ′ ∈ N .Let dom (Γ) (resp. dom (∆)) denote the set of variables typed by Γ (resp. operatorstyped by ∆).Typing judgments are either command typing judgments of the shape Γ , ∆ ⊢ c :( k , k in , k out ) or expression typing judgments of the shape Γ , ∆ ⊢ e : ( k , k in , k out ). Themeaning of such a typing judgment is that the expression tier or command tier is k , the innermost tier is k in , and the outermost tier is k out . The innermost (resp. outermost) tieris the tier of the innermost (resp. outermost) while loop guard where the expression orcommand is located.The type system preventing flows from k to k , whenever k ≺ k holds, is presentedin Figure 3.A typing derivation ρ Γ , ∆ ⊢ c : ( k , k in , k out ) is a tree whose root is the typing judg-ment Γ , ∆ ⊢ c : ( k , k in , k out ) and whose children are obtained by applications of the typingrules. Due to the rule (OP) of Figure 3, that allows several admissible types for operators,typing derivations are, in general, not unique. However the two typing rules for while loops(W) and (W ) are mutually exclusive because of the non-overlapping requirements for k out in Figure 3. The notation ρ will be used whenever mentioning the root of a typing derivationis not explicitly needed. We use the notation ρ Γ , ∆ ⊢ c : ( k , k in , k out ) (R) to denote thetyping derivation ρ Γ , ∆ ⊢ c : ( k , k in , k out ) whose children are obtained by application ofa typing rule labelled by (R)Given two typing derivations ρ and ρ ′ , we write ρ ′ ≤ ρ (respectively ρ ′ < ρ ) if ρ ′ is a(strict) subtree of ρ . Let D ( ρ ) be defined by D ( ρ ) = { ρ ′ | ρ ′ ≤ ρ } and let ˚ D ( ρ ) be definedby ˚ D ( ρ ) = D ( ρ ) − { ρ } .4.2. Safe environments and programs.
The typing rules of Figure 3 are not restrictiveenough in themselves to guarantee polynomial time computation, even for type-1. Indeedoperators need to be restricted to prevent exponential programs from being typable (seecounter-Example 9). The current subsection introduces such a restriction, called safe . Definition 4 (Safe operator typing environment) . An operator typing environment ∆ is safe if for each op ∈ dom (∆) , op is neutral or positive and J op K is a polynomial timecomputable function, and for each k in ∈ N , and for each k → . . . k ar ( op ) → k ∈ ∆( op )( k in ) ,the two conditions below hold: (1) k (cid:22) ∧ ar ( op ) i =1 k i (cid:22) ∨ ar ( op ) i =1 k i (cid:22) k in , (2) if the operator op is positive then k ≺ k in . Example 5.
Consider the operators == , pred and suc i of Example 3. For a safe typingenvironment ∆ , it holds that ∆(==)( ) = { → → } ∪ { k → k ′ → | k , k ′ (cid:22) } , as E. HAINRY, B. KAPRON, J-Y. MARION, AND J-Y. MARION Γ( x ) = k (V)Γ , ∆ ⊢ x : ( k , k in , k out ) k → · · · → k ar ( op ) → k ∈ ∆( op )( k in ) ∀ i ≤ ar ( op ) , Γ , ∆ ⊢ e i : ( k i , k in , k out ) (OP)Γ , ∆ ⊢ op ( e ) : ( k , k in , k out )Γ , ∆ ⊢ e : ( k , k in , k out ) Γ , ∆ ⊢ e : ( k out , k in , k out ) k ≺ k in ∧ k (cid:22) k out (OR)Γ , ∆ ⊢ φ ( e ↾ e ) : ( k , k in , k out )(SK)Γ , ∆ ⊢ skip : ( , k in , k out )Γ , ∆ ⊢ c : ( k , k in , k out ) Γ , ∆ ⊢ c : ( k , k in , k out ) (S)Γ , ∆ ⊢ c ; c : ( k , k in , k out )Γ , ∆ ⊢ x : ( k , k in , k out ) Γ , ∆ ⊢ e : ( k , k in , k out ) k (cid:22) k (A)Γ , ∆ ⊢ x := e : ( k , k in , k out )Γ , ∆ ⊢ c : ( k , k in , k out ) (SUB)Γ , ∆ ⊢ c : ( k + , k in , k out )Γ , ∆ ⊢ e : ( k , k in , k out ) Γ , ∆ ⊢ c : ( k , k in , k out ) Γ , ∆ ⊢ c : ( k , k in , k out ) (C)Γ , ∆ ⊢ if ( e ) { c } else { c } : ( k , k in , k out )Γ , ∆ ⊢ e : ( k , k in , k out ) Γ , ∆ ⊢ c : ( k , k , k out ) (cid:22) k (cid:22) k out (W)Γ , ∆ ⊢ while ( e ) { c } : ( k , k in , k out )Γ , ∆ ⊢ e : ( k , k in , k ) Γ , ∆ ⊢ c : ( k , k , k ) (cid:22) k (W )Γ , ∆ ⊢ while ( e ) { c } : ( k , k in , ) Figure 3.
Tier-based type system== is neutral. However → → / ∈ ∆(==)( ) as it breaks Condition (1) of Definition 4since the operator output tier has to be smaller than each of its operand tier ( i.e. , ∧ ).It also holds that ∆( pred )( ) = { → k | k (cid:22) } ∪ { → k | k (cid:22) } ∪ { → } . For the positive operator suc i , we have ∆( suc i )( ) = { → , → } . → / ∈ ∆( suc i )( ) as the operator output tier has to be strictly smaller than , due to Condition(2) of Definition 4. Applying the same restriction, it holds that ∆( suc i )( ) = { → , → , → , → , → } . Definition 6 (Safe program) . Given Γ a variable typing environment and ∆ a safe operatortyping environment, the program p φ = c return x is a safe program if there are k , k in , k out such that ρ Γ , ∆ ⊢ c : ( k , k in , k out ) . TIER-BASED TYPED PL CHARACTERIZING BFF 9
Definition 7.
Let ST be the set of safe and terminating programs and J ST K be the set offunctionals computed by programs in ST : J ST K = { λφ.λ w . · · · λw n J p φ K ( w , . . . , w n ) | p φ ∈ ST } . Some intuitions.
Before providing a formal treatment of the type system main prop-erties in §
6, we provide the reader with a brief intuition of types, that are triplets of tiers( k , k in , k out ), in a typing derivation obtained by applying the typing rules of Figure 3: • k is the tier of the expression or command under consideration. It is used to prevent dataflows from lower tiers to higher tiers in control flow statements and assignments. By safetyand by rules (OP) and (OR), expression tiers are structurally decreasing. Consequently,rule (A) ensures that data can only flow from higher tiers to lower tiers. Command tiersare structurally increasing and, consequently, an assignment of a higher tier variable cannever be controlled by a lower tier in a conditional or while statement. • k in is the tier of the innermost while loop containing the expression or command underconsideration, provided it exists. It is used to allow declassification ( i.e. , a release ofsome information at a lower tier to a higher tier) to occur in the program by allowing anoperator to have types depending on the context. Moreover, the innermost tier restrictsthe return types of operators and oracle calls: – in rule (OR), the return type k is strictly smaller than k in , – in rule (OP), for a positive operator, the return type k is strictly smaller than k in .This forbids programs from iterating on a data whose size can increase during the itera-tion. • k out is the tier of the outermost while loop containing the expression or command underconsideration, provided it exists. Its purpose is to bound by a constant the number oflookahead revisions (that is the number of times a query to the oracle may increase insize) allowed in oracle calls. By rule (OR), all oracle input bounds have a tier equal tothe tier of the outermost while loop where they are called. Hence, the size of the datastored in the input bound cannot increase in a fixed while loop and it can increase atmost a constant number of times.There are two rules (W) and (W ) for while loops. (W) is the standard rule and updatesthe innermost tier with the tier of the while loop guard under consideration. (W ) is aninitialization rule that allows the programmer to instantiate by default the main commandwith outermost tier as it has no outermost while. It could be sacrificed for simplicity butat the price of a worst expressive power.5. Examples
In this section, we provide several examples and counter-examples, starting with programswith no oracle calls in order to illustrate how the type system works. Some of its restrictionsin terms of expressive power are also discussed in Example 11. In the typing derivations,we sometimes omit the environments, writing ⊢ instead of Γ , ∆ ⊢ in order to lighten thenotations. Moreover, for notational convenience, we will use labels for expression tiers. Forexample, e k means that e is of tier k . Also, to make the presentation of the examples lighter,we will work over the unary integers rather than all of W . In particular, a value v denotes1 v , and in particular 0 denotes ǫ . Also, with this convention, J pred K ( v ) = max { , v − } and J suc K ( v ) = v + 1. Example 8 (Addition) . Consider the simple program below, with no oracle, computing theunary addition. while ( x > { x := pred ( x ) ; y := suc ( y ) } return y This program is safe with respect to the following typing derivation: Γ( x ) = (V) ⊢ x : ( , , ) (OP) ⊢ x > , , ) ... ρ ⊢ x := pred ( x ) : ( , , ) ... ρ ⊢ y := suc ( y ) : ( , , ) (S) ⊢ x := pred ( x ); y := suc ( y ) : ( , , ) (W ) ⊢ while ( x > { x := pred ( x ); y := suc ( y ) } : ( , , ) The while loop is guarded by x > . If the main command is typed by ( , , ) then theexpression x > is of tier by the typing rule (W ). Consequently, the variable x is forcedto be of tier using the type → for the operator > in the (OP) rule. → ∈ ∆( > ) holds as the operator > is neutral. One application of the subtyping rule (SUB) isperformed for the sequence to be typed as the subcommands are required to have homogeneoustypes.The subderivation ρ is as follows: Γ( x ) = (V) ⊢ x : ( , , ) (OP) ⊢ pred ( x ) : ( , , ) Γ( x ) = (V) ⊢ x : ( , , ) (A) ρ ⊢ x := pred ( x ) : ( , , ) In ρ , the pred operator is used with the type → in the (OP) rule. This use isauthorized as, pred is neutral and, consequently, → ∈ ∆( pred )( ) . As a consequence,the rule (A) in ρ can be derived as the tier of the assigned variable x (equal to ) is smallerthan the tier of the expression pred ( x ) (also equal to ).The second typing derivation ρ is as follows: Γ( y ) = (V) ⊢ y : ( , , ) Γ( y ) = (V) ⊢ y : ( , , ) (OP) ⊢ suc ( y ) : ( , , ) (A) ⊢ y := suc ( y ) : ( , , ) The only distinction between ρ and ρ is that the operator suc is positive. Conse-quently, with an innermost tier of , the type → is not authorized for such an operator(since → / ∈ ∆( suc )( ) ). Indeed, by Example 5, ∆( suc )( ) = { → , → } . Thetype → is ruled out as it would require a non-homogeneous type for y . Consequently,the rule (OP) is applied on type → and the variable y must be of tier . Notice that theprogram could also be typed by assigning higher tiers k and k ′ such that k ′ ≺ k , to x and y ,respectively. TIER-BASED TYPED PL CHARACTERIZING BFF 11
Example 9 (Exponential) . The program below, computing the exponential, is not safe. while ( x > { z := y ; while ( z > { z := pred ( z ); y := suc ( y ) } ; x := pred ( x ) } return y By contradiction, suppose that it can be typed with respect to the typing environments Γ and ∆ . Let Γ( x ) , Γ( y ) and Γ( z ) be k x , k y and k z , respectively.The subcommand z := y enforces k z (cid:22) k y to be satisfied for the following typing deriva-tion to hold. Γ( z ) = k z (V) ⊢ z : ( k z , k in , k out ) Γ( y ) = k y (V) ⊢ y : ( k y , k in , k out ) (A) ρ ⊢ z := y : ( k z , k in , k out ) The subcommand y := suc ( y ) enforces the constraint k y ≺ k in , k in being the commandinnermost tier, for the typing derivation to hold. Γ( y ) = k y (V) ⊢ y : ( k y , k in , k out ) k y → k y ∈ ∆( suc )( k in ) Γ( y ) = k y (V) ⊢ y : ( k y , k in , k out ) (OP) ⊢ suc ( y ) : ( k y , k in , k out ) (A) ρ ⊢ y := suc ( y ) : ( k y , k in , k out ) Indeed, as suc is a positive operator, by Condition 2 of Definition 4, k y ≺ k in has tobe satisfied for k y → k y ∈ ∆( suc )( k in ) to hold.The innermost while loop enforces the constraint k in (cid:22) k z in the following typing deriva-tion. Γ( z ) = k z (V) ⊢ z : ( k z , k ′ in , k out ) (OP) ⊢ z > k in , k ′ in , k out ) ... (S) ⊢ z := pred ( z ); y := suc ( y ) : ( k in , k in , k out ) (W) ρ ⊢ while ( z > { z := pred ( z ); y := suc ( y ) } : ( k in , k ′ in , k out ) First, notice that only the rule (W) can be applied to this subderivation as the corre-sponding subcommand is already contained inside a while loop and, consequently, (cid:22) k out is enforced by the outermost while loop using rule (W) or rule (W ). Second, the tier ofthis subcommand is equal to the innermost tier k in of subcommand y := suc ( y ) (in ρ ).Indeed, rules (W) and (W ) are the only typing rules updating the innermost tier and thereis no while loop in between. Finally, in the rule (OP), as > is neutral, Condition 1 ofDefinition 4 enforces that k in (cid:22) k z (cid:22) k ′ in holds for the program to be typed.Putting all the above constraints together, we obtain the contradiction k z (cid:22) k y ≺ k in (cid:22) k z . Consequently, the program cannot be typed. Example 10 (Multiple tiers) . Consider the following program illustrating the use of mul-tiple tiers. c : while ( x > { x := pred ( x ) ; y := suc ( suc ( y )) } ; c : while ( y > { y := pred ( y ) ; z := suc ( suc ( z )) } return z The program is safe with respect to the variable typing environment Γ such that Γ( x ) = , Γ( y ) = and Γ( z ) = . The main command can be typed by ( , , ) as illustrated below,provided that c and c are the commands corresponding to the first while loop and secondwhile loop, respectively. ρ ... (W ) ρ ⊢ c : ( , , ) ρ ... (W ) ρ ⊢ c : ( , , ) (S) ⊢ c ; c : ( , , ) The derivation ρ corresponds to the first while loop c and is described below. Γ( x ) = (V) ⊢ x : ( , , ) (OP) ⊢ x > , , ) ρ ... (A) ⊢ x := pred ( x ) : ( , , ) ρ ... (A) ⊢ y := suc ( suc ( y )) : ( , , ) (SUB) ⊢ y := suc ( suc ( y )) : ( , , ) (S) ⊢ x := pred ( x ); y := suc ( suc ( y )) : ( , , ) (W ) ⊢ c : ( , , ) The subderivation ρ can be built easily using rules (A), (OP), and (V) as pred isneutral and can be given the type → in ∆( pred )( ) (see Example 5). The subderivation ρ can be built using the same rules as suc is positive and can be given the type → in ∆( suc )( ) (see Example 5 again). ρ requires the prior application of subtyping rule(SUB) as the tier of the assignment is equal to Γ( y ) = .The derivation ρ , described below, Γ( y ) = (V) ⊢ y : ( , , ) (OP) ⊢ y > , , ) ρ ... (A) ⊢ y := pred ( y ) : ( , , ) ρ ... (A) ⊢ z := suc ( suc ( z )) : ( , , ) (SUB) ⊢ z := suc ( suc ( z )) : ( , , ) (S) ⊢ y := pred ( y ); z := suc ( suc ( z )) : ( , , ) (W ) ⊢ c : ( , , ) (SUB) ⊢ c : ( , , ) can be obtained in a similar way by taking the type → for the neutral operator pred in ∆( pred )( ) and the type → for the positive operator suc in ∆( suc )( ) . The TIER-BASED TYPED PL CHARACTERIZING BFF 13 initial subtyping rule is required as it is not possible to derive ⊢ y > , , ) with therequirement that Γ( y ) = .It is worth noticing that the above program cannot be typed with only two tiers { , } .Indeed, the first while loop enforces that Γ( y ) ≺ Γ( x ) and the second while loop enforces that Γ( z ) ≺ Γ( y ) . More generally, the program can be typed by ( k + , k + , ) or ( k + , k + , k + ) ,for any tier k . Example 11 (Oracle) . For a given input x and a given oracle φ , the program below com-putes whether there exists a unary integer n of size smaller than | x | such that φ ( n ) = 0 . y := x ; z := 0; while ( x > = 0) { if ( φ ( y ↾ x ) == 0) { z := 1 } else { skip } ; x := pred ( x ) } return z This program is safe and can be typed by ( , , ) under the variable typing environment Γ such that Γ( x ) = and Γ( y ) = Γ( z ) = . The constants and can be considered to beneutral operators of zero arity and, hence, can be given any tier smaller than the innermosttier. It is easy to verify that the commands z := 1 , skip , and x := pred ( x ) can be typed by ( , , ) , ( , , ) , and ( , , ) , respectively, using typing rules (OP), (SK), and (A).The conditional subcommand can be typed as described below. → → ∈ ∆(==)( ) Γ( y ) = (V) ⊢ y : ( , , ) Γ( x ) = (V) ⊢ x : ( , , ) (OR) ⊢ φ ( y ↾ x ) : ( , , ) (OP) ⊢ , , ) (OP) ⊢ φ ( y ↾ x ) == 0 : ( , , ) ... (C) ⊢ if ( φ ( y ↾ x ) == 0) { z := 1 } else { skip } : ( , , ) The while loop will be typed using rule ( W ) . Consequently, the inner command can betyped by ( , , ) after applying subtyping once.Notice that the equivalent program obtained by swapping x and y in the oracle input( i.e. , φ ( x ↾ y ) ) is not typable as the tier of x has to be strictly smaller than the innermosttier in typing rule (OR). Although this requirement restricts the expressive power of the typesystem, it is strongly needed as it prevents uncontrolled loops on oracle outputs to occur. Inparticular, commands of the shape while ( x > { x := φ ( x ↾ x ) } are rejected by the typesystem.Note that the above program is typable as the oracle calls are performed in a decreas-ing order and, hence, does not break the finite lookahead revision property, which will bepresented in § Now consider the equivalent program where oracle calls are performed in increasingorder. x := 0; z := 0; while ( y > = x ) { if ( φ ( y ↾ x ) == 0) { z := 1 } else { skip } ; x := suc ( x ) } return z This program is not a safe program. Suppose, by contradiction, that it can be typedwith respect to a safe operator typing environment. The innermost tier k of the commandsunder the while will be equal to the tier of the guard y > = x , independently of whether rule(W) or rule (W ) is used to type the while command. Moreover, x has a tier k x such that k (cid:22) k x , using rule (OP) on the guard and, by definition of safe typing environments. Now suc is a positive operator and, consequently, by rule (OP) and, by definition of safe typingenvironments again, suc ( x ) has a tier k suc ( x ) strictly smaller than the innermost tier, i.e. , k suc ( x ) ≺ k . By typing rule (A), in order to be typed, the command x := suc ( x ) enforces k x (cid:22) k suc ( x ) . Hence, we obtain a contradiction: k ≺ k . Example 12 (Multiple tiers with oracle) . The following program computes the function Σ max nx =0 φ ( x ) i =0 φ ( i ) . x := n ; y := x ; z := 0; while ( x > = 0) { z := max( φ ( y ↾ x ) , z ); x := pred ( x ) } ; v := z ; u := 0; while ( z > = 0) { w := φ ( v ↾ z ) ; while ( w > = 0) { u := suc ( u ) ; w := pred ( w ) } ; z := pred ( z ) } return u This program can be typed by ( , , ) under the variable type assignment Γ such that Γ( x ) = , Γ( y ) = Γ( z ) = , Γ( v ) = Γ( w ) = , and Γ( u ) = .The first while loop will be typed using rule (W ). Consequently, its inner command istyped by ( , , ) . As the max operator is neutral, it can be given the type → → ∈ ∆(max)( ) . The oracle call is typable as the input data y has a tier strictly small than theinnermost tier ( ) and the input bound has tier equal to the outermost tier ( ).The second while loop can be typed using rule (W ) after applying subtyping rule (SUB).Consequently, its inner command is typed by ( , , ) . The oracle call is performed on inputdata of strictly smaller tier ( ) and on input bound of tier equal to the outermost tier ( ).The inner while loop can be typed using rule (W) and thus updates the innermost tier to .Consequently, suc is enforced to be of tier → in the inner command. TIER-BASED TYPED PL CHARACTERIZING BFF 15 Properties of safe programs
We now show the main properties of safe programs: • a standard non-interference property in § • a polynomial time property in § • a finite lookahead revision property in § Notation.
Let us first introduce some preliminary notation. Let E ( a ) (res. C ( a )) bethe set of expressions (respectively commands) occurring in a , for a ∈ { p φ , c } . Let A ( c ) bethe set of variables that are assigned to in c , e.g. , A ( x := y ; y := z ) = { x , y } . Let Op ( e )and V ( e ) be the set of operators in expression e and the set of variables in expression e ,respectively.6.2. Non-interference.
We now show that the type system provides classical non-interferenceproperties.In a safe program, only variables of tier higher than k can be accessed to evaluate anexpression of tier k . Lemma 13 (Simple security) . Given a safe program p φ with respect to the typing environ-ments Γ , ∆ , for any expression e ∈ E ( p φ ) , if Γ , ∆ ⊢ e : ( k , k in , k out ) , then for all x ∈ V ( e ) , k (cid:22) Γ( x ) .Proof. By structural induction on expressions.There is no equivalent lemma for commands because of the subtyping rule (SUB).
Corollary 14.
Given a safe program p φ with respect to the typing environments Γ , ∆ , forany x := e ∈ C ( p φ ) , Γ( x ) (cid:22) ∧ y ∈V ( e ) Γ( y ) .Proof. Given a command x := e ∈ C ( p φ ) of a safe program with respect to the typingenvironments Γ , ∆, there are k , k , k in , k out such that Γ , ∆ ⊢ x : ( k , k in , k out ), Γ , ∆ ⊢ e :( k , k in , k out ) and k (cid:22) k , by typing rule (A). Applying Lemma 13, ∀ y ∈ V ( e ) , k (cid:22) Γ( y ).By typing rule (V) k = Γ( x ) and, consequently, ∀ y ∈ V ( e ) , Γ( x ) (cid:22) Γ( y ).The following Lemma states that command tiers are monotonic in their subcommandtier in a given typing derivation. Lemma 15.
Let ρ be a type derivation of a safe program with respect to the typing envi-ronments Γ , ∆ . For any type derivations ρ Γ , ∆ ⊢ c : ( k , k in , k out ) and ρ Γ , ∆ ⊢ c :( k , k in , k out ) ∈ D ( ρ ) , k (cid:22) k .Proof. Suppose by contradiction that ρ < ρ and k ≺ k hold. As all typing rules forcommands in Figure 3 are monotonic in the command tier, ρ Γ , ∆ ⊢ c : ( k , k in , k out )cannot be derived from ρ .The confinement Lemma expresses the fact that commands of tier k cannot write invariables of strictly higher tier. Lemma 16 (Confinement) . Given a safe program p φ with respect to the typing environments Γ , ∆ , for any c ∈ C ( p φ ) , if Γ , ∆ ⊢ c : ( k , k in , k out ) , then for all x ∈ A ( c ) , Γ( x ) (cid:22) k .Proof. By contradiction. Suppose that ρ Γ , ∆ ⊢ c : ( k , k in , k out ) holds. Consider avariable x ∈ A ( c ) and suppose that k ≺ Γ( x ). By typing rule (A), there is an expression e and there are tiers k in , k out such that ρ Γ , ∆ ⊢ x := e : (Γ( x ) , k in , k out ) and ρ ∈ D ( ρ ).Consequently, by Lemma 15, Γ( x ) (cid:22) k , which contradicts the assumption.For a given variable typing environment Γ and a given tier k , we define an equivalencerelation on stores by: µ ≈ Γ k µ ′ if dom ( µ ) = dom ( µ ′ ) = dom (Γ) and for each x ∈ dom (Γ), if k (cid:22) Γ( x ) then µ ( x ) = µ ′ ( x ).We introduce a non-interference Theorem ensuring that the values of tier k variablesduring the evaluation of a program do not depend on values of tier k ′ variables for k ′ ≺ k . Theorem 17
Non-interference . Given a safe program c return x with respect to the typingenvironments Γ , ∆ . For any stores µ and µ if µ ≈ Γ k µ , µ (cid:15) c → µ ′ and µ (cid:15) c → µ ′ then µ ′ ≈ Γ k µ ′ .Proof. By structural induction on program derivations. We perform a case analysis oncommands. • if c = x := e then there are two cases to consider. – If k (cid:22) Γ( x ) then, by Corollary 13, ∀ y ∈ V ( e ) , Γ( x ) (cid:22) Γ( y ) and consequently, ∀ y ∈V ( e ) , µ ( y ) = µ ( y ). This implies that there exists w ∈ W such that µ (cid:15) e → w and µ (cid:15) e → w . Consequently µ (cid:15) c → µ [ x ← w ], µ (cid:15) c → µ [ x ← w ] and µ [ x ← w ] ≈ Γ k µ [ x ← w ]. – If Γ( x ) ≺ k then µ (cid:15) c → µ [ x ← w ], µ (cid:15) c → µ [ x ← v ] and µ [ x ← w ] ≈ Γ k µ [ x ← v ]. • if c = while ( e ) { c ′ } and Γ , ∆ ⊢ while ( e ) { c ′ } : ( k , k in , k out ) then Γ , ∆ ⊢ e : ( k , k in , k out )and there are two cases to consider: – If k (cid:22) k then, by Corollary 13, ∀ x ∈ V ( e ) , k (cid:22) Γ( x ). Consequently, ∀ x ∈V ( e ) , µ ( x ) = µ ( x ). It follows that µ (cid:15) e → w and µ (cid:15) e → w . The case where w = 0 is straightforward. In the case where w = 1, we have that µ (cid:15) c ′ ; c → µ ′ , µ (cid:15) c ′ ; c → µ ′ and µ ′ ≈ Γ k µ ′ , by induction on the derivation. Consequently, µ (cid:15) c → µ ′ , µ (cid:15) c → µ ′ and µ ′ ≈ Γ k µ ′ . – If k ≺ k then, by Lemma 16, ∀ x ∈ A ( c ′ ) , Γ( x ) (cid:22) k . Consequently, if µ (cid:15) c → µ ′ and µ (cid:15) c → µ ′ then µ ′ ≈ Γ k µ ′ .All the other cases (while, sequence, conditional . . . ) can be treated in a similar manner.6.3. Polynomial step count.
In this section, we show that terminating and safe programshave a runtime polynomially bounded by the size of the input store and the maximal sizeof answers returned by the oracle in the course of execution.The following Lemma shows that the innermost tier of a while loop subcommand isalways smaller than the tier of this loop.
Lemma 18.
Let ρ be a type derivation of a safe program with respect to the typing environ-ments Γ , ∆ . For any typing derivations ρ Γ , ∆ ⊢ while ( e ) { c } : ( k , k in , k out ) ∈ D ( ρ ) and ρ Γ , ∆ ⊢ c : ( k , k in , k out ) ∈ ˚ D ( ρ ) , k in (cid:22) k . TIER-BASED TYPED PL CHARACTERIZING BFF 17 Γ( x ) = k (V)Γ , ∆ ⊢ x : ( k , k in , k out ) k → k ∈ ∆( op )( k in ) Γ( y ) = k (V)Γ , ∆ ⊢ y : ( k , k in , k out ) (OP) op ( y ) : ( k , k in , k out ) (A)Γ , ∆ ⊢ x := op ( y ) : ( k , k in , k out ) Figure 4.
Proof of Lemma 19 (1)
Proof.
By a case analysis on typing rules of Figure 3. Given a typing derivation ρ Γ , ∆ ⊢ while ( e ) { c } : ( k , k in , k out ), we show that the property Inv ρ defined on command typingderivations by: Inv ρ ( ρ Γ , ∆ ⊢ c : ( k , k in , k out )) , ( k in (cid:22) k ) ∧ ( ρ < ρ )is invariant on command typing derivations strictly smaller than ρ . The only typing rulesin Figure 3 that change the innermost tier are rules (W) and (W ). However rule (W )cannot be applied under a while loop as it requires the outermost tier to be equal to .This is impossible under a while loop as, by looking at the constraints in rules (W) and(W ) of Figure 3, one can check that the outermost tier of a while loop strict subcommandis greater than . All the other rules do not change the outermost tier. Consequently, therule (W) is the only rule to consider. Suppose that the derivation ρ is of the shape:Γ , ∆ ⊢ e : . . . ρ Γ , ∆ ⊢ c : ( k , k in , k out ) (W) ρ Γ , ∆ ⊢ c = while ( e ) { c } : ( k , k in , k out )The inequalities ρ < ρ < ρ hold. The equalities k in = k = k are constrained bytyping rule (W). Moreover, k (cid:22) k , by Lemma 15. Consequently, Inv ρ ( ρ ) holds.Consequently, the innermost tier of a while loop provides a lower bound on the tier ofthe loop guard expression.Within a while loop of tier k , if an expression is assigned to a tier k variable then thisexpression does not contain positive operators. Moreover, there are no oracle calls in tier k subcommands of a tier k while loop. Lemma 19.
Let ρ be a type derivation of a safe program with respect to the typing envi-ronments Γ , ∆ . For any ρ Γ , ∆ ⊢ while ( e ) { c } : ( k , k in , k out ) ∈ D ( ρ ) and ρ Γ , ∆ ⊢ x := e : ( k , k in , k out ) ∈ D ( ρ ) , if k = k then: (1) for any op ∈ Op ( e ) , op is a neutral operator; (2) there is no oracle call in e .Proof. Both (1) and (2) are proved by contradiction using Lemma 18.(1) By contradiction, suppose that there exists an assignment x := e such that k = k and there exists an operator in Op ( e ) that is positive. For simplicity, suppose that ar ( op ) = 1 and that e = op ( y ). We obtain the typing derivation of Figure 4, with theconstraints that k (cid:22) k (cid:22) k (cid:22) k in . k (cid:22) k is enforced by rule (A) and k (cid:22) k (cid:22) k in is enforced by definition of safe typing environment applied to ∆( op )( k in ) in rule (OP).Moreover as op is positive, the constraint k ≺ k in is enforced and, consequently, k ≺ k in .However, by Lemma 18 applied to the sub-derivation tree of root x := op ( y ), k in (cid:22) k and Γ( x ) = k (V)Γ , ∆ ⊢ x : ( k , k in , k out ) ...Γ , ∆ ⊢ e ′ : ( k , k in , k out ) ...Γ , ∆ ⊢ e ′′ : ( k out , k in , k out )Γ , ∆ ⊢ φ ( e ′ ↾ e ′′ ) : ( k , k in , k out ) (A)Γ , ∆ ⊢ x := φ ( e ′ ↾ e ′′ ) : ( k , k in , k out ) Figure 5.
Proof of Lemma 19 (2)we obtain a contradiction. The general case can be treated by a structural induction onexpressions.(2) By contradiction suppose that k = k and that there is an oracle call in e .Suppose for simplicity that e = φ ( e ′ ↾ e ′′ ). We obtain the typing derivation of Figure 5.By the constraint of typing rule (A), k (cid:22) k . By the constraints of typing rule (OR), k ≺ k in and k (cid:22) k out . Consequently, k ≺ k in is enforced. By Lemma 18, k in (cid:22) k and, consequently, we obtain a contradiction. The general case can be treated in a similarmanner by a structural induction on expressions. Definition 20.
Let m p φ µ be the maximum of | µ | and the maximum size of an oracle answerin the derivation π φ : µ (cid:15) p φ → u. Formally, m p φ µ = max ( v , w ) ∈ C ( π φ ) ( | µ | , max {| φ ( J ↾ K ( v , w )) |} ) , where C ( π φ ) is the set of pairs ( v , w ) such that µ (cid:15) e → v µ (cid:15) e → w µ (cid:15) φ ( e ↾ e ) → φ ( J ↾ K ( v , w )) ∈ π φ . A program p φ has a polynomial step count if there is a polynomial P such that for anystore µ and any oracle φ , π φ : µ (cid:15) p φ → w , | π φ | = O ( P ( m p φ µ )) . We show that a safe program has a polynomial step count on terminating computations.
Theorem 21 .
Given a safe program p φ with respect to the typing environments Γ , ∆ , thereis a polynomial P such that for any derivation π φ : µ (cid:15) p φ → w , | π φ | = O ( P ( m p φ µ )) .Proof. By induction on the tier of a command using non-interference Theorem (17) andLemma 19.The case is trivial as there are no while loops (see rules (W) and (W ) of Figure 3).For tier k , consider a safe program. For any variable of tier k , by Lemma 19, only neutraloperators may be applied in assignments to such a variable. Combining Definition 2 and non-interference (Theorem 17), the word computed by a neutral operator is either a subwordof the initial values stored in tier k variables or a constant in { , } . Consequently, thenumber of distinct values in a store for each tier k variable is in O (( m p φ µ ) ) as strict subwordoperations can be iterated at most a quadratic number of time.The evaluation of while loops of tier k unfolds at most a polynomial number of com-mands of tier smaller than k − . The degree of the polynomial depends on the number ofvariables of tier ≥ k , by non-interference (Theorem 17), and on the number of nested tier k while loops and, as a consequence, is bounded by a constant: the size of the program. By TIER-BASED TYPED PL CHARACTERIZING BFF 19 induction, all these commands of tier strictly smaller are evaluated in a polynomial numberof steps in their input. Each of their input is polynomially bounded by m p φ µ as it consistsin oracle calls combined with at most a polynomial number of positive operators.It just remains to observe that we compose a constant number ( k + ) of polynomialsand that polynomials are closed under composition.The proof of the above Theorem is similar to proofs of polynomiality in [Mar11]and [MP14], except for two distinctions: • As strictly more than 2 tiers are allowed, the innermost tier k in is used to ensure thatoperators and oracle calls are stratified (Lemma 19): in a while loop of innermost tier k in the return type of an oracle or positive operator is always strictly smaller than k in .Hence the results of such computations cannot be assigned to variables whose tier is equalto k in . • Oracle calls may return a value whose size is not bounded by the program input. This isthe reason why m p φ µ has to be considered as an input of the time bound. Corollary 22.
Given a program p φ , if p φ ∈ ST then p φ has a polynomial step count. Finite lookahead revision.
In this section, we show that, whereas terminating andsafe programs may perform a polynomial number (in the size of the input and the maximalsize of the oracle answers) of oracle calls during their execution, they may only perform aconstant number of oracle calls on input data of increasing size.We first start to show that the outermost tier of a command of a safe program is anupper bound on the tiers of while loop expressions guarding this command.
Lemma 23.
Let ρ be a type derivation of a safe program with respect to the typing en-vironments Γ , ∆ . For any ρ Γ , ∆ ⊢ while ( e ) { c } : ( k , k in , k out )( R ) ∈ D ( ρ ) and ρ Γ , ∆ ⊢ c : ( k , k in , k out ) ∈ ˚ D ( ρ ) , if R ∈ { W, W } then k (cid:22) k out .Proof. The typing rule (W ) is the only rule changing the outermost tier. It is straight-forward to observe that this rule can only be applied to an outermost while loop as theoutermost tier of the command is updated from to k , for some k such that (cid:22) k . Thereare two cases to consider depending on R : • if R=W then . . . ρ ′ Γ , ∆ ⊢ c : ( k , k , k out ) (cid:22) k (cid:22) k out (W) ρ Γ , ∆ ⊢ while ( e ) { c } : ( k , k in , k out ) . Clearly, k (cid:22) k out = k out by the guard condition and as ρ ≤ ρ ′ and all the rules undera while preserve the outermost tier. • if R=W then . . . ρ ′ Γ , ∆ ⊢ c : ( k , k , k ) (cid:22) k (W ) ρ Γ , ∆ ⊢ while ( e ) { c } : ( k , k in , ) . Clearly, k = k out as ρ ≤ ρ ′ ( ρ ∈ ˚ D ( ρ )) and all the rules under a while preserve theoutermost tier. The assumption for the last rule of ρ to be in { W,W } is required to ensure that k is exactly the tier of the guard expression e . Otherwise typing rule (SUB) can be appliedarbitrarily and the result does not hold. Definition 24.
Given a program p φ , let ( l π φ n ) be the sequence of oracle input values J ↾ K ( v , w ) in a rule (OR) obtained by a left-to-right depth-first search of the derivation π φ : µ (cid:15) p φ → w .Let lr (( l π φ n )) = { i | | l π φ i | > max j
Theorem 25
Finite lookahead revision . Given a program p φ , if p φ is safe with respect tothe typing environments Γ , ∆ then it has finite lookahead revision.Proof. By Lemma 23, the outermost tier of any command within a while loop k out is anupper bound on any while loop guard tier k . By typing rule (OR), the tier of the inputbound e in any oracle call φ ( e ↾ e ) must be equal to the outermost tier k out . ByLemma 13, only variables of tier greater than k out can occur in e . If k ≺ k out then thesevariables cannot be assigned to in the loop by Lemma 16. If k = k out then the variable oftier k out can only be assigned to by expressions that contain neither oracle calls nor positiveoperators by Lemma 19. For simplicity, we assume that only one variable of tier k out occurs.In a given while loop, the evaluation of the oracle’s input bound returns non-size-increasingvalues. As | J ↾ K ( v, w ) | = | w | +1, the oracle’s input values cannot increase within a while loopand, consequently, the number of lookahead revisions in a sequence ( l π φ n ) is bounded by aconstant.The general case, where several variables of tier k out occur inside a while loop, onlydiffers by a constant factor as only a finite number of different assignments on these variablesmay happen. 7. Soundness
In this section, we show a soundness result: the type-2 simply typed lambda-closure of pro-grams in ST is included in the class of basic feasible functionals BFF [Meh76, KC91, KC96].For that purpose, we use the characterization of [KS18] based on moderately polynomialtime functionals. We show that terminating and safe program can be simulated by oracleTuring machines with a polynomial step count and a finite lookahead revision. We discussbriefly the requirement of the lambda-closure in § Moderately Polynomial Time Functionals.
We consider oracle Turing machines M φ with one query tape and one answer tape for oracle calls. If a query is written on thequery tape and the machine enters a query state , then the oracle’s answer appears on theanswer tape in one step. Definition 26.
Given an oracle TM M φ , computing a total function, and an input a , let m M φ a be the maximum of the size of the input a and of the biggest oracle answer in the runof machine on input a with oracle φ . A machine M φ has: TIER-BASED TYPED PL CHARACTERIZING BFF 21 • a polynomial step count if there is a polynomial P such that for any input a and oracle φ , M runs in time bounded by P ( m M φ a ) . • finite lookahead revision if there exists a natural number r ∈ N such that for any oracleand any input, in the run of the machine, it happens at most r times that a query is posedwhose size exceeds the size of all previous queries. Definition 27 (Moderately Polynomial Time) . MPT is the class of second order functionalscomputable by an oracle TM with a polynomial step count and finite lookahead revision.
The set of functionals over words W is defined to be the set of functions of type τ → . . . → τ n → W , where the each type τ i is defined inductively by τ ::= W | τ → τ .Suppose given a countably infinite number of variables x τ , y τ , . . . , for each type τ . Fora given class of functionals X , let λ ( X ) be the set of closed simply typed lambda-termsgenerated inductively as follows: • for each type τ , variables x τ , y τ , . . . are terms, • each functional F ∈ X of type τ is a term, • for any term t of type τ ′ and variable x τ , λx.t is a term of type τ → τ ′ , • for any terms t of type τ → τ ′ and s of type τ , t s is a term of type τ ′ .Each lambda-term of type τ represents a functional of type τ and terms are consideredup to β and η equivalence. The level of a type is defined inductively by lev ( W ) = 0 and lev ( τ → τ ′ ) = max( lev ( τ ) + 1 , lev ( τ ′ )). For a given class of functionals X , let X be the setof functionals of level 2. Lemma 28 (Monotonicity) . Given two classes
X, Y of functionals,if X ⊆ Y then λ ( X ) ⊆ λ ( Y ) . For a given functional F of type τ → . . . → τ n → W and variables X i of type τ i , wewill use the notation F ( X , . . . , X n ) as a shorthand notation for F ( X ) . . . ( X n ).We are now ready to state the characterization of Basic Feasible Functionals in termsof moderately polynomial time functions. Theorem 29 [KS18] . λ (MPT) = BFF . Proof of soundness.
At this point we are able to give a clearer statement of therelationship between the size of a derivation for a safe program p φ and the running time ofa corresponding sequential execution of p φ . To make this precise, the running time of M φ for a given input a ∈ W is just the number of steps that it takes to terminate on with oracle φ , starting with a on its input tape (or undefined if the computation does not terminate).Given a store µ , this may appropriately be encoded by a single input a µ . We then have Proposition 30.
Suppose that p φ is a safe program. There are an oracle TM M φ and apolynomial P such that for any derivation π φ : µ (cid:15) p φ → w , M φ on input a µ simulates theexecution of p φ with initial store µ in time O ( P ( | π φ | )) .Proof. By induction on the structure of the derivation.An oracle φ ′ is padded if there exists an oracle φ such that for any binary word w andinteger n , φ ′ ( w n ) = φ ( w ). Let ˜ φ denote the padded version of φ .Before showing Theorem 33, we first show that the complexity class MPT is invariantthrough padding. Proposition 31. f ∈ MPT if and only if there exists f ′ ∈ MPT such that for any input a and any oracle φ , f ( φ )( a ) = f ′ ( ˜ φ )( a ) .Proof. Both directions can be proved through simple rewriting of the functions. • It is trivial that if f on φ has finite lookahead revision k , replacing oracle calls φ ( w ) tocalls to the padded oracle ˜ φ ( w
1) does not modify the lookahead revision. • For the other direction, assume f ′ works on padded oracle ˜ φ . Then we can design f working on φ such that each call to ˜ φ ( w n ) is replaced by 2 successive calls: φ ( w n )and φ ( w ), the first being unused. This preserves the lookahead revision. Note that thisconstruction may change the maximum of the lengths of the inputs and oracle answers.However, it may only increase this value, hence, if f ′ has a polynomial step count, thenso has f .Now we can show a soundness result stating that any terminating and safe programcomputes a second order function in MPT. Proposition 32. J ST K ⊆ MPT .Proof.
By Theorem 21, the program has a polynomial step count. By Theorem 25, theprogram has finite lookahead revision and, consequently, it computes a function on paddedoracles in MPT. By Proposition 31, this function is equal to a function of MPT on standardoracles.
Theorem 33
Soundness . λ ( J ST K ) ⊆ BFF .Proof. First, we can show that J ST K ⊆ MPT using Theorem 21 and Theorem 25, andobserving that MPT is stable through oracle padding. By Lemma 28 and Theorem 29, λ ( J ST K ) ⊆ λ (MPT) = BFF .Notice that the lambda-closure of J ST K is mandatory for characterizing BFF as it isknown that MPT is strictly included in BFF . In particular, the following counter-exampletaken from [KS18] and computing a function of BFF cannot be typed as all our oracle callshave input bounds. Example 34.
The functional F defined below is in BFF but not in MPT . F ( φ, ǫ ) = ǫF ( φ, suc ( n )) = φ ◦ φ ( F ( φ, n ) ↾ φ ( ǫ )) Consequently, F is not in J ST K , since J ST K ⊆ MPT . Indeed, the outermost oracle callis performed without any oracle input bound and can clearly not be captured by typableprograms. Completenesses at type-1 and type-2
Completeness is demonstrated in two steps. First, we show that each type 1 polynomialtime computable function FP can be computed by a terminating program in ST, with nooracle calls. For that purpose, we show that the 2-tier sequential version of the type systemof [MP14], characterizing FP, is a strict subsystem of the type system of Figure 3. Second,we show that the bounded iterator functional I ′ of [KS19] can be simulated by a termi-nating and typable program in ST. The completeness follows as the type-2 simply typed TIER-BASED TYPED PL CHARACTERIZING BFF 23 Γ( x ) = α (V )Γ , ∆ ⊢ x : α ∀ i ≤ n, Γ , ∆ ⊢ e i : α i α → α ∈ ∆( op ) (OP )Γ , ∆ ⊢ op ( e , . . . , e ar ( op ) ) : α Γ , ∆ ⊢ x : α Γ , ∆ ⊢ e : β α (cid:22) β (A )Γ , ∆ ⊢ x := e : α (SK )Γ , ∆ ⊢ skip : α Γ , ∆ ⊢ c : α Γ , ∆ ⊢ c ′ : β (S )Γ , ∆ ⊢ c ; c ′ : α ∨ β Γ , ∆ ⊢ e : α Γ , ∆ ⊢ c : α Γ , ∆ ⊢ c ′ : α (C )Γ , ∆ ⊢ if ( e ) { c } else { c ′ } : α Γ , ∆ ⊢ e : Γ , ∆ ⊢ c : α (W )Γ , ∆ ⊢ while ( e ) { c } : Figure 6. I ′ and the functions of FP provides an alternativecharacterization of BFF .8.1. A characterization of FP . For that purpose, we consider the 2-tier based character-ization of FP in [MP14], restricted to one single thread. Let α, β be tier variables rangingover { , } . The type system is provided in Figure 6, where α stands for α → . . . → α ar ( op ) . ... Γ( x ) = (V) ⊢ x : ( , , ) Γ( x ) = (V) ⊢ x : ( , , ) Γ( a ) = (V) ⊢ a : ( , , ) (OP) ⊢ lmin ( x , a ) : ( , , ) Γ( a ) = (V) ⊢ a : ( , , ) (OR) ⊢ ˜ φ ( lmin ( x , a ) ↾ a ) : ( , , ) (A) ⊢ x := ˜ φ ( lmin ( x , a ) ↾ a ) : ( , , ) (SUB) ⊢ x := ˜ φ ( lmin ( x , a ) ↾ a ) : ( , , ) ... (S) ⊢ x := ˜ φ ( lmin ( x , a ) ↾ a ); c := pred ( c ) : ( , , ) (W ) ⊢ while ( c > { x := ˜ φ ( lmin ( x , a ) ↾ a ); c := pred ( c ) } : ( , , ) Figure 7.
Program simulation I ′ In this particular context, the notion of is defined as follows. A2-tier operator typing environment ∆ is a mapping that associates to each operator op aset of operator types ∆( op ), of the shape α → . . . → α ar ( op ) → α , with α i , α ∈ { , } . Definition 35.
A program is 2-tier safe if it can be typed using 2-tier operator typingenvironment ∆ satisfying, for any op ∈ dom (∆) , J op K ∈ FP , op is either positive or neutral,and for each α → . . . → α ar ( op ) → α ∈ ∆( op ) : • α (cid:22) ∧ i =1 ,n α i , • and if op is positive but not neutral then α = Let be the set of 2-tier safe and terminating programs and J K be the set of functionscomputed by these programs. Theorem 36
Theorem 7 of [MP14] . J K = FP . We first show that the set of 2-tier safe programs is (strictly) embedded in the set ofsafe programs. We define a naive translation () ⋆ from 2-tier operator typing environmentsto typing environments as follows: (∆) ⋆ is the operator typing environment defined by ∀ op , (∆) ⋆ ( op )( k ) = ∆( op ), if k = , and ∅ , otherwise. Lemma 37.
For any command or expression b , if Γ , ∆ ⊢ b : α then Γ , (∆) ⋆ ⊢ b : ( α, , ) . Proof.
By an easy induction on the type derivation of Γ , ∆ ⊢ b : α : • If the last rule is (S ), then b = c ; c and Γ , (∆) ⋆ ⊢ c i : ( α i , , ) by the inductionhypothesis, for α i such that α = α ∨ α . Consequently, Γ , (∆) ⋆ ⊢ b : ( α, , ) can bederived applying rule (C) and at most once rule (SUB) (in the case where α = α ). • If the last rule is (W ) then Γ , ∆ ⊢ b : for b = while ( e ) { c ′ } and, by the inductionhypothesis, Γ , (∆) ⋆ ⊢ e : ( , , ) and Γ , (∆) ⋆ ⊢ c ′ : ( α, , ), for some α . Consequently,Γ , (∆) ⋆ ⊢ b : ( , , ) can be derived. • If the last rule is (OP ), then b = op ( e ), for some operator op and expressions e = e , . . . , e ar ( op ) such that Γ , ∆ ⊢ e i : α i and α → . . . α n → α ∈ ∆( op ). By the inductionhypothesis, Γ , (∆) ⋆ ⊢ e i : ( α i , , ). Moreover, α → . . . α n → α ∈ (∆) ⋆ ( op )( ) = ∆( op )and, consequently, Γ , (∆) ⋆ ⊢ b : ( α, , ) can be derived using rule (OP). • the cases where the last rule is (SK ), (C ), (V ) and (A ) can be straightforwardlysimulated by (SK)+(SUB), (C), (V) and (A), respectively. Lemma 38. ( ST .Proof. Consider a tier-2 safe program p φ = c return x in 2ST. There exist typing environ-ments Γ , ∆ such that Γ , ∆ ⊢ c : α . Moreover, for each α → . . . → α n → α ∈ ∆( op ): • α (cid:22) ∧ i =1 ,n α i , • if op is positive but not neutral then α = .By Lemma 37, Γ , (∆) ⋆ ⊢ c : ( α, , ), and ∀ op , (∆) ⋆ ( op )( ) = ∆( op ). Consequently, for all α → α n → α ∈ (∆) ⋆ ( op )( ), the following hold: • α (cid:22) ∧ i =1 ,n α i (cid:22) ∨ i =1 ,n α i (cid:22) as ∀ i, α i ∈ { , } . • if op is positive but not neutral then α ≺ , as α = .Hence (∆) ⋆ is safe and p φ is in ST. The inclusion is strict as 2ST programs have no oraclecall.Let J ST K be defined as the set of type-1 functions computed by safe and terminatingprograms with no oracle calls, J ST K = { λw. J p φ K ( w ) | φ / ∈ p φ and p φ ∈ ST } . Theorem 39 .
FP = J ST K . Proof.
By Theorem 36, for any function f in FP is computable by a 2-tier safe and ter-minating program p φ with no oracle calls, i.e. , f = λw. J p φ K ( w ). By Lemma 38, p φ is inST and, consequently, f ∈ J ST K . Conversely, by Corollary 22, if p φ ∈ ST then p φ has apolynomial step count. More precisely, if φ / ∈ p φ and p φ ∈ ST has a polynomial time step
TIER-BASED TYPED PL CHARACTERIZING BFF 25 x := b ; while ( c = ǫ ) { x := ˜ φ ( lmin ( x , a ) ↾ a ) ; c := pred ( c ) }} return x Figure 8.
Program it φ count and runs in time bounded by P ( | w | ), for some polynomial P , as there is no oraclecall. Consequently, J ST K ⊆ FP.Note that the completeness part of the above Theorem (FP ⊆ J ST K ) can also beproved directly by simulating polynomials over unary numbers and Turing Machines witha program in ST as in the completeness proof of [Mar11].8.2. Type two iteration. [KS19] introduces a bounded iterator functional I ′ of type( W → W ) → W → W → W → W defined by: I ′ ( F, a, b, c ) = ( λx.F ( lmin ( x, a ))) | c | ( b ) , where lmin is a functional of type W → W → W defined by: lmin ( a, b ) = ( a, if | a | < | b | ,b, otherwise.In [KS19], using Cook’s notion [Coo92] of polynomial time reducibility, it is shown thatthis functional is polynomial time-equivalent to the recursor R of [CU93]. As a consequenceof the Cook-Urquhart Theorem, the following characterization is obtained. Theorem 40 [KS19] . λ (FP ∪ {I ′ } ) = BFF . Our proof of type-2 completeness will mostly rely on the use of this latter characteriza-tion of BFF . Theorem 41
Type-2 completeness . BFF ⊆ λ ( J ST K ) .Proof. By Theorem 39, FP = J ST K ⊆ λ ( J ST K ) as any function f ∈ J ST K is of the shape λw. J p φ K ( w ), for p φ ∈ ST, and, consequently f = ( λφ.f ) φ ∈ λ ( J ST K ) .Now we show that I ′ can be computed by a terminating program in ST. For thatpurpose, assume that lmin is an operator of our language. lmin is neutral, by definition.The program it φ , written in Figure 8, computes the functional λφ.λa.λb.λc. I ′ ( φ, a, b, c ) andcan be typed by ( , , ), as described in Figure 7, under the typing environment Γ suchthat Γ( c ) = Γ( a ) = , Γ( x ) = Γ( b ) = and operator typing environment ∆ such that → → ∈ ∆( lmin )( ) and → ∈ ∆( > ) , and → ∈ ∆( pred )( ). Note thatthe simulation uses the padded oracle variant ˜ φ of φ .As FP ⊆ λ ( J ST K ) and I ′ ∈ J ST K . We have that λ (FP ∪ {I ′ } ) ⊆ λ ( J ST K ) and theresult follows by Theorem 40. To illustrate the need of the type-2 lambda closure for achieving completeness, considera variant of Example 34: F ′ ( φ, ǫ ) = ǫF ′ ( φ, suc ( n )) = φ ◦ φ ( lmin ( F ′ ( φ, n ) , φ ( ǫ )))This functional is in BFF but neither in MPT nor in ST as, by essence, it has no finitelookahead revision. Indeed, the outermost oracle call input data is not bounded and iteratedlinearly in the input. However it can be computed by λφ.λn. ( I ′ ( λx.φ ( φ x )) φ ( ǫ ) ǫ n ) andis in λ ( J ST K ) , as I ′ = J it φ K ∈ J ST K , it φ being the program in the proof of Theorem 41, andcomputes the functional λφ.λn.F ′ ( φ, n ).9. Other properties
Intensional and extensional properties of tiers.
The type system of Figure 3enjoys several other properties of interest. First, completeness can be achieved using only2 tiers (at the price of worse expressive power). Second, type inference is decidable inpolynomial time in the size of the program.Let J ST k K be the subset of functionals of J ST K computable by terminating and typableprograms using tiers bounded by k . Formally, p φ ∈ ST k if and only if p φ is terminating andΓ , ∆ ⊢ p φ : ( k ′ , k ′ in , k ′ out ) for a safe operator typing environment ∆ and a variable typingenvironment Γ such that ∀ x ∈ V ( p φ ) , Γ( x ) (cid:22) k .We can show that tiers allow strictly more expressive power in terms of captured pro-grams. However tiers greater than are equivalent from an extensional point of view. Proposition 42.
The following properties hold: (1) ∀ k (cid:23) , ST k ( ST k +1 , (2) ∀ k (cid:23) , λ ( J ST k K ) = BFF .Proof. (1) The inclusion is trivial. For any tier k + 1, it is easy to enforce the tier of onevariable of a safe and terminating program to be k + 1 using k sequential while loops of theshape: while ( x k +1 > { x k +1 := pred ( x k +1 ); x k := suc ( x k ) } ; · · · while ( x > { x := pred ( x ); x := suc ( x ) } Consequently, the inclusion is strict.(2) The proof of Theorem 41, only makes use of programs of tier smaller than .Consequently, λ ( J ST K ) = BFF . By Proposition 42, ST k ( ST k +1 and, consequently, ∀ k , J ST k K ⊆ J ST k +1 K . We obtain that ∀ k , BFF ⊆ λ ( J ST k K ) ⊆ λ ( J ST K ) = BFF and sothe result.Proposition 42 implies that the use of exactly 2 tiers is sufficient to achieve completenessbut weakens the type system expressive power. TIER-BASED TYPED PL CHARACTERIZING BFF 27
Decidability of type inference.Proposition 43.
Given a program p φ of size n and a safe operator typing environment ∆ ,deciding if there exists a variable typing environment Γ such that p φ ∈ ST k can be done intime O ( n × k ) .Proof. The proof follows the type inference proof of [HMP13]: the tier of each variable x is encoded using k + 1 boolean variables x , x , . . . , x k . Each variable is enforced to haveexactly one tier by the following propositional formula V i = j ¬ ( x i ∧ x j ), which is equivalentto V i = j ( ¬ x i ∨ ¬ x j ). This accounts for k clauses for each variable. Each assignment x := y can be encoded by V i ≺ j ( ¬ x i ∨ y j ) ∧ ( ¬ x k ∨ y k ) ∧ ( ¬ y ∨ x ). This means that assignmentrules will account for k × ( k +1)2 + 2 clauses (if (cid:22) k ). As a result, the type inference problemcan be reduced to 2-SAT with O ( n × k ) clauses, which can be solved in time linear in thenumber of clauses [EIS76, APT79]. Theorem 44 .
Given a program p φ and a safe operator typing environment ∆ , deciding ifthere exists a variable typing environment Γ such that p φ ∈ ST can be done in time cubicin the size of the program.Proof. The maximal tier needed to type a program can be bounded by the size of theprogram as the number of strict decrease on tier is fixed by the number of rules (OP) and(OR) needed to type a program. Consequently, with n the size of p φ , we can simply check if p φ ∈ ST n . By Proposition 43, this means that we can decide if p φ ∈ ST in time O ( n ).10. Conclusion and future work
We have presented a first tractable characterization of the class of type-2 polynomial timecomputable functionals BFF based on a simple imperative programming language. Thischaracterization does not require any explicit and external resource bound and its restrictionto type-1 provides an alternative characterization of the class FP.The presented type system can be generalized to programs with a constant numberof oracles (the typing rule for oracles remains unchanged). However the lambda closureis mandatory for completeness as illustrated by Example 34. An open issue of interest isto get rid of this closure in order to obtain a characterization of BFF in terms of a pureimperative programming language. Indeed, in our context, programs can be viewed as asimply typed lambda-terms with typable and terminating imperative procedure calls. Onesuggestion is to study to which extent oracle composition can be added directly to theprogram syntax.Another issue of interest is to study whether this non-interference based approach couldbe extended (or adapted within the context of light logics) to characterize BFF on a purefunctional language. We leave these open issues as future work. References [APT79] Bengt Aspvall, Michael F. Plass, and Robert Endre Tarjan. A linear-time algorithm for testingthe truth of certain quantified boolean formulas.
Information Processing Letters , 8(3):121–123,1979. [BAJK08] Amir M. Ben-Amram, Neil D. Jones, and Lars Kristiansen. Linear, polynomial or exponen-tial? complexity inference in polynomial time. In
Logic and Theory of Algorithms , pages 67–76.Springer, 2008.[BC92] Stephen Bellantoni and Stephen Cook. A new recursion-theoretic characterization of the polytimefunctions.
Computational Complexity , 2:97–110, 1992.[BL16] Patrick Baillot and Ugo Dal Lago. Higher-order interpretations and program complexity.
Inf.Comput. , 248:56–81, 2016.[BM10] Patrick Baillot and Damiano Mazza. Linear logic by levels and bounded time complexity.
Theor.Comput. Sci. , 411(2):470–503, 2010.[BMM11] Guillaume Bonfante, Jean-Yves Marion, and Jean-Yves Moyen. Quasi-interpretations a way tocontrol resources.
Theor. Comput. Sci. , 412(25):2776–2796, 2011.[BT04] Patrick Baillot and Kazushige Terui. Light types for polynomial time computation in lambda-calculus. In
Logic in Computer Science, LICS 2004 , pages 266–275. IEEE, 2004.[CK89] Stephen A. Cook and Bruce M. Kapron. Characterizations of the basic feasible functionals offinite type. In , pages154–159. IEEE, 1989.[Cob65] Alan Cobham. The intrinsic computational difficulty of functions. In Y. Bar-Hillel, editor,
Pro-ceedings of the International Conference on Logic, Methodology, and Philosophy of Science , pages24–30. North-Holland, Amsterdam, 1965.[Con73] Robert L. Constable. Type two computational complexity. In
Proc. 5th annual ACM Symposiumon Theory of Computing , pages 108–121. ACM, 1973.[Coo92] Stephen A Cook. Computability and complexity of higher type functions. In
Logic from ComputerScience , pages 51–72. Springer, 1992.[CPR06] Byron Cook, Andreas Podelski, and Andrey Rybalchenko. Terminator: beyond safety. In
Inter-national Conference on Computer Aided Verification , pages 415–418. Springer, 2006.[CU93] Stephen A. Cook and Alasdair Urquhart. Functional interpretations of feasibly constructivearithmetic.
Ann. Pure Appl. Logic , 63(2):103–200, 1993.[DR06] Norman Danner and James S. Royer. Adventures in time and space. In
Proceedings of the 33rdACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2006 ,pages 168–179. ACM, 2006.[EIS76] Shimon Even, Alon Itai, and Adi Shamir. On the complexity of timetable and multicommodityflow problems.
SIAM J. Comput. , 5(4):691–703, 1976.[FHHP15] Hugo F´er´ee, Emmanuel Hainry, Mathieu Hoyrup, and Romain P´echoux. Characterizing polyno-mial time complexity of stream programs using interpretations.
Theor. Comput. Sci. , 585:41–54,2015.[Gir98] Jean-Yves Girard. Light linear logic.
Inf. Comput. , 143(2):175–204, 1998.[GMR08] Marco Gaboardi, Jean-Yves Marion, and Simona Ronchi Della Rocca. A logical account of pspace.In
Proceedings of the 35th ACM SIGPLAN-SIGACT Symposium on Principles of ProgrammingLanguages, POPL 2008 , pages 121–131. ACM, 2008.[H´aj79] Petr H´ajek. Arithmetical hierarchy and complexity of computation.
Theor. Comput. Sci. , 8:227–237, 1979.[HKMP20] Emmanuel Hainry, Bruce M. Kapron, Jean-Yves Marion, and Romain P´echoux. A tier-basedtyped programming language characterizing feasible functionals. In
LICS ’20: 35th AnnualACM/IEEE Symposium on Logic in Computer Science, Saarbr¨ucken, Germany, July 8-11, 2020 ,pages 535–549, 2020.[HMP13] Emmanuel Hainry, Jean-Yves Marion, and Romain P´echoux. Type-based complexity analysisfor fork processes. In
International Conference on Foundations of Software Science and Compu-tational Structures (FoSSaCS 2013) , pages 305–320. Springer, 2013.[HP15] Emmanuel Hainry and Romain P´echoux. Objects in polynomial time. In
Programming Languagesand Systems - 13th Asian Symposium, APLAS 2015 , Lecture Notes in Computer Science, pages387–404. Springer, 2015.[HP17] Emmanuel Hainry and Romain P´echoux. Higher order interpretation for higher order complexity.In
LPAR-21, 21st International Conference on Logic for Programming, Artificial Intelligence andReasoning , pages 269–285. EasyChair, 2017.
TIER-BASED TYPED PL CHARACTERIZING BFF 29 [IRK01] Robert J. Irwin, James S. Royer, and Bruce M. Kapron. On characterizations of the basic feasiblefunctionals (part I).
J. Funct. Program. , 11(1):117–153, 2001.[JK09] Neil D. Jones and Lars Kristiansen. A flow calculus of mwp-bounds for complexity analysis.
ACM Trans. Comput. Logic , 10(4):28:1–28:41, 2009.[KC91] Bruce M. Kapron and Stephen A. Cook. A new characterization of mehlhorn’s polynomial timefunctionals (extended abstract). In , pages 342–347. IEEE, 1991.[KC96] Bruce M. Kapron and Stephen A. Cook. A new characterization of type-2 feasibility.
SIAM J.Comput. , 25(1):117–132, 1996.[KS17] Akitoshi Kawamura and Florian Steinberg. Polynomial running times for polynomial-time oraclemachines. In , pages 23:1–23:18. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2017.[KS18] Bruce M. Kapron and Florian Steinberg. Type-two polynomial-time and restricted lookahead.In
Logic in Computer Science, LICS 2018 , pages 579–588. ACM, 2018.[KS19] Bruce M. Kapron and Florian Steinberg. Type-two iteration with bounded query revision. In
Proceedings Third Joint Workshop on Developments in Implicit Computational complExity andFoundational & Practical Aspects of Resource Analysis, DICE-FOPARA@ETAPS 2019 , EPTCS,pages 61–73, 2019.[Lei95] Daniel Leivant. Ramified recurrence and computational complexity I: Word recurrence and poly-time. In Peter Clote and Jeffrey B. Remmel, editors,
Feasible Mathematics II , pages 320–343.Birkh¨auser, Boston, MA, 1995.[LJB01] Chin Soon Lee, Neil D. Jones, and Amir M. Ben-Amram. The size-change principle for pro-gram termination. In
Conference Record of POPL 2001: The 28th ACM SIGPLAN-SIGACTSymposium on Principles of Programming Languages , pages 81–92. ACM, 2001.[LM93] Daniel Leivant and Jean-Yves Marion. Lambda calculus characterizations of poly-time.
Fundam.Inform. , 19(1/2):167–184, 1993.[LM13] Daniel Leivant and Jean-Yves Marion. Evolving graph-structures and their implicit computa-tional complexity. In
Automata, Languages, and Programming - 40th International Colloquium,ICALP 2013, Proceedings, Part II , Lecture Notes in Computer Science, pages 349–360. Springer,2013.[Mar11] Jean-Yves Marion. A type system for complexity flow analysis. In
Logic in Computer Science,LICS 2011 , pages 123–132. IEEE Computer Society, 2011.[Meh76] Kurt Mehlhorn. Polynomial and abstract subrecursive classes.
J. Comp. Sys. Sci. , 12(2):147–178,1976.[Mit91] John C Mitchell. Type inference with simple subtypes.
J. Funct. Program. , 1(3):245–285, 1991.[MP14] Jean-Yves Marion and Romain P´echoux. Complexity information flow in a multi-threaded im-perative language. In
Theory and Applications of Models of Computation, TAMC 2014 , LectureNotes in Computer Science, pages 124–140. Springer, 2014.[VIS96] Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. A sound type system for secure flowanalysis.
Journal of computer security , 4(2-3):167–187, 1996.
This work is licensed under the Creative Commons Attribution License. To view a copy of thislicense, visit https://creativecommons.org/licenses/by/4.0/https://creativecommons.org/licenses/by/4.0/