An Equational Theory for Weak Bisimulation via Generalized Parameterized Coinduction
Yannick Zakowski
University of Pennsylvania, Philadelphia, PA, USA
Paul He
University of Pennsylvania, Philadelphia, PA, USA
Chung-Kil Hur
Seoul National University, Seoul, Republic of Korea
Steve Zdancewic
University of Pennsylvania, Philadelphia, PA, USA
Abstract
Coinductive reasoning about infinitary structures such as streams is widely applicable. However, practical frameworks for developing coinductive proofs and finding reasoning principles that help structure such proofs remain a challenge, especially in the context of machine-checked formalization. This paper gives a novel presentation of an equational theory for reasoning about structures up to weak bisimulation. The theory is both compositional, making it suitable for defining general-purpose lemmas, and also incremental, meaning that the bisimulation can be created interactively. To prove the theory’s soundness, this paper also introduces generalized parameterized coinduction, which addresses expressivity problems of earlier works and provides a practical framework for coinductive reasoning. The paper presents the resulting equational theory for streams, but the technique applies to other structures too. All of the results in this paper have been proved in Coq, and the generalized parameterized coinduction framework is available as a Coq library.
CCS Concepts: • Software and its engineering → Formal software verification; • Theory of computation → Program verification; Logic and verification; Equational logic and rewriting.

Keywords: Coq, coinduction, up-to techniques, weak bisimulation, equational theory
ACM Reference Format:
Yannick Zakowski, Paul He, Chung-Kil Hur, and Steve Zdancewic. 2020. An Equational Theory for Weak Bisimulation via Generalized Parameterized Coinduction. In Proceedings of the 9th ACM SIGPLAN International Conference on Certified Programs and Proofs
(CPP ’20), January 20–21, 2020, New Orleans, LA, USA. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3372885.3373813

CPP ’20, January 20–21, 2020, New Orleans, LA, USA. © 2020 Copyright held by the owner/author(s). ACM ISBN 978-1-4503-7097-4/20/01. https://doi.org/10.1145/3372885.3373813
Coinduction is a powerful technique for reasoning about streams, computation trees, and other infinitary structures that are used widely in semantics and systems modeling. As such, coinductive proofs play a significant role in Coq developments like CompCert [Leroy 2009], FreeSpec [Letan et al. 2018], or Interaction Trees [Xia et al. 2020].

In such contexts, working with weak bisimulation (equivalence modulo hidden “internal” computation steps) is often desirable. However, naïve ways of applying coinduction, including its use for establishing weak bisimulations, suffer from a lack of compositionality or incrementality. Compositionality allows the proof developer to create modular proofs using generic lemmas, while still ensuring sound coinductive reasoning. Incrementality lets them construct the bisimulation relation by accumulating parts of it during the proof, rather than having to posit the entire relation up front at the proof’s outset. Both of these properties are particularly useful in the context of mechanized formal proof.

The situation was improved by the introduction of the parameterized coinduction approach by Hur et al. [2013], and its implementation in the paco library for Coq. The crux of the approach is to move away from specifying the greatest fixed point up front and instead to work with a predicate parameterized by “accumulated knowledge” that one can use during the construction of the proof to incrementally build the postfixed point. Hur et al. show that paco supports reasoning up-to closures too, and they hinted that it might be pragmatic to systematically work with the greatest compatible closure (that is, the most general closure among a class satisfying good closure properties). This idea has been studied at greater length by Pous [2016], leading to the so-called companion approach, to which we compare ourselves in Section 7.

Despite these advances, there are still several difficulties with developing coinductive proofs in interactive theorem provers. Firstly, the paco reasoning principles are still too weak, resulting in cumbersome proofs. The limitation is particularly apparent when a proof nests two cofixed points: the inner cofixed point forgets all available accumulated knowledge, leading to redundant reasoning. Secondly, the support for up-to reasoning remains either ad hoc or difficult to manipulate in existing approaches: here we advocate for internalizing and manipulating concretely defined closures, as opposed to the greatest compatible one. Finally, it still remains to package coinductive reasoning principles into “proof patterns” for weak bisimulation that are expressive and easy to work with in practice.

This paper addresses the above problems by making two technical contributions:

• We present an equational theory over streams that gives a novel axiomatic interface for working with weak bisimulations. This yields an “API,” realized by a set of lemmas, that helps users structure their coinductive proofs of weak bisimulation. This equational theory is a simplified (and self-contained) presentation of a formalization of the equational theory of interaction trees [Xia et al. 2020].

• To prove the soundness of the equational theory, we introduce Generalized Parameterized Coinduction, gpaco, a backwards-compatible generalization of the paco framework. This new construction provides the ability to record previously available knowledge that has been accumulated during a coinductive proof, which solves paco’s issue with nested cofixed points. Additionally, it has intrinsic support for up-to reasoning, which, in contrast to the companion approach, allows for the creation of generic lemmas that aid in developing modular proofs. We show that gpaco supports novel coinductive principles.

The rest of the paper explains these contributions in detail, working from gpaco to the equational theory. We first briefly review paco in Section 2 and highlight, by way of example, the shortcomings that motivate our generalized definition. Section 3 presents generalized parameterized coinduction, establishes its basic properties, and explains the reasoning principles that it justifies. We then incorporate “up-to closures” into the definition, again establishing the appropriate metatheory. Sections 4 and 5 apply gpaco to develop an equational theory for reasoning about (weak) bisimulations of streams with τ (internal) events. Here we also present our novel proof rules for working with those bisimulations. We also show the problem with working with the companion when trying to define these rules. Section 6 details the implementation of our reasoning principles in Coq. Finally, Section 7 provides a comparison with related work.

The reasoning principles presented in this paper are applicable with little-to-no overhead in the Coq proof assistant through an extension of the paco library. All of the definitions, metatheory and examples presented here have been verified in Coq. However, none of it is specific to this proof assistant, and all results should be transferable to any other system providing support for coinduction.
paco and a Motivating Example

In this and the following sections, we consider a complete lattice (C, ⊑, ⊔) and f ∈ C →mon C, a monotone function over C that we refer to as a functor. The typical use case in our context will instantiate C with P(T × T) for some type T (i.e. the lattice of binary relations over T), but the theory applies to any such lattice. In our Coq formalization, the main lattice is the one of propositional relations over C: C → C → Prop.

Write X_f for the set of postfixed points of f, i.e. x such that x ⊑ f(x). Tarski’s theorem implies that X_f admits an upper bound. We write ν.f for this upper bound. Additionally, this upper bound is the greatest fixed point of f, i.e. in particular ν.f = f(ν.f).

We briefly recall the central idea behind parameterized coinduction and its reasoning principles. Intuitively, it consists in moving away from using ν.f itself and instead conducting a proof toward some G f ∈ C →mon C that is parameterized by some accumulated knowledge:

Definition 2.1 (Parameterized greatest fixed point). Define G ∈ (C →mon C) →mon (C →mon C) to be:
  G f r ≝ ν.(λy. f(r ⊔ y))

Here, we think of r as the “knowledge” accumulated during a proof. The intuition and usefulness behind this definition is best illustrated by the equations it satisfies. The soundness of the approach comes from the fact that it coincides with the greatest fixed point when no knowledge has been accumulated.

Lemma 2.2 (Init). ν.f ≡ G f ⊥

The central coinduction principle, mapping to a strong variant of Tarski’s principle, is expressed as an unfolding lemma. It intuitively states that the coinduction hypothesis as well as the accumulated knowledge are accessible behind the guard, i.e. an iteration of the functor f.

Lemma 2.3 (Unfold). G f r ≡ f(r ⊔ G f r)

Finally, the accumulation principle is the key to allow for incremental coinductive proofs: one can enrich the currently accumulated knowledge at any point.

Lemma 2.4 (Acc). y ⊑ G f r ⟺ y ⊑ G f (r ⊔ y)

The technique has been a wild success, most notably in the context of the Coq proof assistant in which it has been implemented. It at once enabled both incremental and compositional reasoning principles, two improvements that are of particular value when conducting mechanized proofs. Notably, parameterized coinduction is also entirely compatible with automation, something that the native reasoning principles provided by Coq for coinduction prohibited in practice.

paco’s Shortcomings
The typical coinductive proof using paco aims to prove a goal of the form y ⊑ ν.f. One starts by using Init to obtain y ⊑ G f ⊥, after which the proof proceeds by using Unfold and Acc interleaved with other steps of equational reasoning. Such incremental proofs are considerably simpler to construct in an interactive theorem prover. However, the paco lemmas falter in the presence of nested cofixed points: they lose too much information about the accumulated knowledge, leading to redundant proofs that are more awkward to construct, a deficiency that becomes more problematic as the technique scales to reason about more complex systems.

To illustrate this phenomenon, consider the coinductive stream (or lazy list, since these streams can also be finite) data type that might be used for instance to represent the trace of a transition system. Such an object is a potentially infinite sequence of internal events, τ, and external (or visible) events β(n), terminated (if finite) by the ε marker. Here, for simplicity, we assume that visible events carry a natural number. We will sometimes omit the β constructor and just write n (especially in examples) to save space. Here are some example streams:

  s₁ = ε                     finite stream
  s₂ = τ τ τ ε               finite stream
  s₃ = … n (n+1) …           infinite increasing stream
  s₄ = τ τ … n τ (n+1) …     infinite increasing stream
  s₅ = …                     infinite alternating stream
  s₆ = τ τ τ τ τ τ τ …       silent divergence

It is well-known that strong bisimulation is often too tight a relation to be relevant when studying such systems. One should instead work “up-to-tau,” which means that, when considering whether two streams are “the same,” we can disregard any finite number of τ steps on either side. This weak bisimulation matches terminal constructors and identical external events one-to-one, but also allows for a finite number of τ steps to be stripped away from either stream at any given point. We write s ≈ t to mean that s is equivalent to t up-to-tau (which we often abbreviate to eutt). For the examples shown above, we have s₁ ≈ s₂ and s₃ ≈ s₄, but no other distinct pairs of streams are weakly bisimilar.

We delay the full exposition of a formal definition of this relation to Section 4. Here, we simply observe that we can define ≈ as the greatest fixed point of a functor, euttF:

  euttF : P(stream × stream) → P(stream × stream)
  ≈ ≡ ν.euttF

We can think of euttF as acting on a set of pairs of streams Y, which behaves as the “coinductive hypothesis” in this definition. euttF is defined so that it satisfies several properties that characterize weak bisimulation. Among them, we have:

Lemma 2.5 (euttF Tau Left). X ⊆ euttF(Y) ⟹ {(τs, t) | (s, t) ∈ X} ⊆ euttF(Y)

Lemma 2.6 (euttF Vis). X ⊆ Y ⟹ {(ns, nt) | (s, t) ∈ X} ⊆ euttF(Y)

The first lemma states that, when reasoning backwards using goal-directed proof search, if we want to show that τ · s is related to t by euttF(Y), it suffices to show that s is related to t by euttF(Y)—we can drop a τ from the left stream. The second lemma states that if two streams begin with the same visible event n, we can directly appeal to the coinductive hypothesis Y to establish the relation.

Figure 1. Two weakly bisimilar transition systems: illustrating the shortcoming of paco’s reasoning principles. (The transition diagram and its system of equations over the states s, s′, t, t′ are not reproduced.)

With this setup, we can give an example proof using paco-style reasoning and see where it can be improved upon. Consider the two transition systems s and t depicted in Figure 1. They each visually encode the different states two streams can be in. A stream can change state through either an internal step or by emitting an event. We also consider additional equations we know over the states of the streams: the edge labeled by an equality sign represents definitional equality – we assume we have such an equation in our context. The bottom half of Figure 1 characterizes the same two streams, but as a system of equations. Their behaviors can therefore be described as follows. Both streams consist of an infinite cycle alternating between the visible events 1 and 2.
In the left stream, each iteration of these two events is separated by a silent step, while the right stream starts the new cycle immediately—embodied by the definitional equality between t′ and t. Finally, both streams have an initial state stepping into the cycle by emitting 0. We wish to build a weak bisimulation between both corresponding upper states of s and t, that is to prove that s ≈ t and s ≈ t. The paco library is the perfect tool for such a task: we would like to build our proof incrementally as we explore the underlying transition systems. Let us venture step by step into this task, depicted in Figure 2.

Figure 2. Shortcoming of paco: an illustrating proof

Let X₁ = {(s, t), (s, t)} and X₂ = {(s′, t′), (s′, t′)}.

     X₁ ⊆ ν.euttF
  ⟺ (Init)           X₁ ⊆ G euttF ∅
  ⟺ (Acc, (a))       X₁ ⊆ G euttF X₁
  ⟺ (Unfold)         X₁ ⊆ euttF (X₁ ∪ G euttF X₁)
  ⇐ (Lem. 2.6, (b))  X₂ ⊆ X₁ ∪ G euttF X₁
  ⇐                  X₂ ⊆ G euttF X₁
  ⟺ (Acc, (c))       X₂ ⊆ G euttF (X₁ ∪ X₂)

We now handle both cases in X₂ separately.

rhs:  (s′, t′) ∈ G euttF (X₁ ∪ X₂)
  ⟺ (Unfold)    (s′, t′) ∈ euttF (X₁ ∪ X₂ ∪ G euttF (X₁ ∪ X₂))
  ⇐ (Lem. 2.6)  (s′, t′) ∈ X₁ ∪ X₂ ∪ G euttF (X₁ ∪ X₂)     □

lhs:  (s′, t′) ∈ G euttF (X₁ ∪ X₂)
  Solution with redundancy (d):
  ⟺ (Unfold)         (s′, t′) ∈ euttF (X₁ ∪ X₂ ∪ G euttF (X₁ ∪ X₂))
  ⇐ (Lem. 2.5; 2.6)  (s′, t′) ∈ X₁ ∪ X₂ ∪ G euttF (X₁ ∪ X₂)  □
  Failed attempt without redundancy (e):
  ⇐ (Lem. 2.7)       (s, t) ∈ G euttF (X₁ ∪ X₂): we cannot conclude.

This minimal example highlights a deep problem in the existing reasoning principles: unused accumulated knowledge is always guarded again, i.e. sent back behind the guard. We see this in the proof at the point where we use Acc for the second time (marked (c)). We had already used Acc once, at point (a), putting X₁ into the accumulated knowledge. Intuitively, this means that after we step under a guard we should be able to use X₁, which is what happens at point (b), where we have X₁ directly available on the right hand side. The problem is that even though the knowledge X₁ is available at point (b), we have to discard it to use Acc at point (c), which forgets the fact that X₁ was available.

The impact of this loss of information shows up later, when trying to conclude for the pair of states (s′, t′). A natural solution, depicted at point (d), is to simply blindly go through a new round of unfolding and stepping under the functor, using Lemmas 2.5 and 2.6 successively. Note that Lemma 2.5 alone is not enough to go under the functor; it does not act as a guard. However, by taking this step, we are repeating a part of the proof we already did: taking the transition that emits a 1 for both streams. This may seem innocuous on such a toy example, but may in general require reiterating an arbitrarily complex proof.

Performing the case analysis earlier (or proving the equivalence of different states) would have avoided the issue with repeated reasoning in this case. However, this solution is both cumbersome and not always possible. For example, the more complex data type described in Section 6.1 has a branching structure that renders such solutions ineffective.

Intuitively however, we would like to simply ignore this τ on s and conclude by using X₁, knowledge that we made available earlier in the proof. The first part of this intuition, the innocuousness of the τ guard, is a particular case of a more general reasoning principle: reasoning up-to silent steps. We can indeed formalize this idea using paco, by proving the following lemma:

Lemma 2.7 (G euttF Tau Left). X ⊆ G euttF (Y) ⟹ {(τs, t) | (s, t) ∈ X} ⊆ G euttF (Y)

It precisely states that one can strip a τ from the left hand side under a call to G euttF. Using this lemma at point (e) in Figure 2, we can therefore reduce our goal to relating the desired pair, (s, t). However this is useless in this case due to paco’s inability to remember previously available knowledge in the presence of nested accumulation lemmas: we know that the pair of states is in X₁, knowledge that was made available before, and yet we cannot access it to conclude.

To alleviate these difficulties, we introduce a new construction that still supports up-to reasoning, but crucially offers a finer grained management of available knowledge.

In this paper, we introduce a new construct, dubbed the generalized parameterized greatest fixed point (and succinctly referred to as gpaco), that we show satisfies new principles that greatly ease reasoning in cases such as the one depicted in Figure 1. Our new construct builds on the so-called parameterized greatest fixed point introduced by Hur et al. [2013], and implemented in Coq through the paco library. We extend the parameterized greatest fixed point in two ways. First, we refine its treatment of available knowledge by making a distinction between knowledge that is available, or “already unlocked,” and knowledge that is guarded, or “must be unlocked.” Maintaining this distinction dramatically simplifies incremental coinductive proofs. Second, we build in support for “up-to” reasoning, another powerful technique that lets us construct coinductive relations using closure operators.
Recall our unsatisfactory proof in Figure 2. One core issue comes from the fact that while the accumulated knowledge is safely released after a guard, it does not internalize the fact that this knowledge became available. The first extension we introduce is to precisely take this observation into account: the parameterized greatest fixed point is now parameterized by two elements representing accumulated knowledge.

The generalized parameterized greatest fixed point Ĝ f r g, also shortened to gpaco, therefore intuitively represents the greatest fixed point of the functor f with available accumulated knowledge r and guarded accumulated knowledge g, which becomes available only after making progress by applying f. We express this distinction in the following definition, which uses G f −.

Definition 3.1 (Generalized parameterized greatest fixed point (first definition)). Define Ĝ ∈ (C →mon C) →mon (C →mon C →mon C) to be:
  Ĝ f r g ≝ r ⊔ G f (r ⊔ g)

Note that if we pick r = ⊥, this definition degenerates to G f g, which gives us the following soundness property. As before, we call it Init because it lets us begin a coinductive proof by moving into the gpaco realm.

Lemma 3.2 (Init). Ĝ f ⊥ ⊥ ≡ G f ⊥ ≡ ν.f

We can also return to vanilla parameterized coinduction from the generalized version:

Lemma 3.3 (Final). r ⊔ G f g ⊑ Ĝ f r g

These two lemmas mean in particular that gpaco is fully backwards compatible with paco: no changes in previous definitions or statements written with paco are required, and the new reasoning principles are available for properties defined in terms of G.

The Base equation below embodies the fact that available knowledge is stored in gpaco. By definition, it is indeed trivial to see that r is immediately available for use:

Lemma 3.4 (Base). r ⊑ Ĝ f r g

Naturally, in order for Base to be sound, the incremental principle extends only the guarded knowledge:

Lemma 3.5 (Acc). x ⊑ Ĝ f r (g ⊔ x) ⟺ x ⊑ Ĝ f r g

Finally, stepping under the guard makes the guarded knowledge available. Note that the pattern of accumulation ensures that we always have the invariant that r ⊑ g, which is why erasing r here does not lose information.

Lemma 3.6 (Step). f(Ĝ f g g) ⊑ Ĝ f r g

(We overload the lemma names like Init and Acc, which are defined both for G f − and Ĝ f − −. Which one is meant can easily be distinguished from the context.)

Figure 3. Improved proof for Figure 1

     X₁ ⊆ ν.euttF
  ⟺ (Init)        X₁ ⊆ Ĝ euttF ∅ ∅
  ⟺ (Acc, (a))    X₁ ⊆ Ĝ euttF ∅ X₁
  ⇐ (Step, (b))   X₁ ⊆ euttF (Ĝ euttF X₁ X₁)
  ⇐ (Lem. 2.6)    X₂ ⊆ Ĝ euttF X₁ X₁
  ⟺ (Acc, (c))    X₂ ⊆ Ĝ euttF X₁ (X₁ ∪ X₂)

rhs:  (s′, t′) ∈ Ĝ euttF X₁ (X₁ ∪ X₂)
  ⇐ (Step)      (s′, t′) ∈ euttF (Ĝ euttF (X₁ ∪ X₂) (X₁ ∪ X₂))
  ⇐ (Lem. 2.6)  (s′, t′) ∈ Ĝ euttF (X₁ ∪ X₂) (X₁ ∪ X₂)
  ⇐ (Base)      (s′, t′) ∈ X₁ ∪ X₂     □

lhs:  (s′, t′) ∈ Ĝ euttF X₁ (X₁ ∪ X₂)
  ⇐ (Lem. 3.7)   (s, t) ∈ Ĝ euttF X₁ (X₁ ∪ X₂)
  ⇐ (Base, (d))  (s, t) ∈ X₁     □

With the addition of the available knowledge parameter to gpaco and its new reasoning principles, we are closer to a more succinct proof for Figure 1 without the extraneous steps required in the previous proof. However, we still need a statement analogous to Lemma 2.7, in order to strip off a τ without having to continue to go under guards.

Lemma 3.7 (Ĝ euttF Tau Left, idealized). X ⊆ Ĝ euttF r g ⟹ {(τs, t) | (s, t) ∈ X} ⊆ Ĝ euttF r g

Note that this lemma does not hold with the definition of gpaco introduced in this subsection. We will get back to its proper statement, as well as its soundness, in Section 3.2, once we have extended gpaco with intrinsic support for up-to reasoning. Accepting temporarily this slight idealization, we showcase in Figure 3 a proof of the example from Section 2 which eliminates the undesired repetition.

This proof illustrates how the extra parameter provides just the right degree of freedom to remember knowledge collected across nested calls to Acc. Here, the first use of Acc at point (a) doesn’t yet provide any more flexibility compared to the old proof. At point (b), however, the Step operation copies X₁ from the “guarded knowledge” parameter to the “available immediately” parameter. Later, at the second use of Acc at point (c), X₁ remains available, even as X₂ is placed under the guard. The payoff comes at point (d), where we can immediately use X₁.

This example shows how the additional parameter allows for smoother reasoning and less redundancy in the proofs. One might wonder: are two parameters enough? Might we need an even more general version with three or four parameters to use in some other proof? The answer is no: two are sufficient. Intuitively, any particular fact is either available or still guarded. The two parameters partition the knowledge into those categories, and the lemmas manipulate the knowledge precisely.

gpaco with Closure
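Before turning to closures, the definitions introduced so far can be checked concretely on a finite lattice. The following Python script is an added example, not code from the paper or from the paco library: it models the two streams of Figure 1, together with the finite and divergent streams of Section 2, as a constructed finite transition system (the state names are assumptions made here), takes C = P(states × states), computes euttF with the τ-stripping cases as an inductive least fixed point (so a stream that diverges silently on one side alone is never related to anything), and instantiates Definition 2.1 and Definition 3.1 by Kleene iteration. The helpers gfp, G, G_hat, check_paco_laws and check_gpaco_laws are assumptions of this example; the checks they perform are the statements of Lemmas 2.2–2.4 and 3.2–3.6 evaluated on these finite sets.

```python
"""Finite-state check of the paco / gpaco laws on the weak-bisimulation functor.

Added example, not the paper's Coq development.  Streams are a constructed
finite transition system (a reading of Figure 1 plus the finite and divergent
streams of Section 2), so the lattice C = P(STATES x STATES) is finite and every
greatest fixed point below can be computed by iteration.
"""
from itertools import product

TAU = "tau"

# Constructed transition system: each state is one stream constructor.
#   None       -> epsilon (terminated)
#   (TAU, s')  -> tau . s'
#   (n, s')    -> beta(n) . s'
STATES = {
    # left stream of Figure 1: emit 0, then cycle 1, 2 separated by a silent step
    "s": (0, "s1"), "s1": (1, "s1'"), "s1'": (2, "s1''"), "s1''": (TAU, "s1"),
    # right stream of Figure 1: emit 0, then cycle 1, 2 with no silent step (t1'' = t1)
    "t": (0, "t1"), "t1": (1, "t1'"), "t1'": (2, "t1"),
    # the finite streams epsilon and tau tau tau epsilon, and silent divergence
    "e": None, "e1": (TAU, "e"), "e2": (TAU, "e1"), "e3": (TAU, "e2"),
    "div": (TAU, "div"),
}
TOP = frozenset(product(STATES, STATES))  # top element of the lattice
BOT = frozenset()                          # bottom element


def euttF(Y):
    """One unfolding of weak bisimulation with Y as the coinductive hypothesis.

    Matching head constructors consult Y (Lemma 2.6 is the visible-event case).
    The tau-stripping cases (Lemma 2.5 and its mirror image) refer to euttF(Y)
    itself, so they are computed as a least fixed point: only finitely many taus
    are stripped, and a lone silently diverging side is never related.
    """
    R = set()
    changed = True
    while changed:
        changed = False
        for p, q in TOP:
            if (p, q) in R:
                continue
            hp, hq = STATES[p], STATES[q]
            related = (
                (hp is None and hq is None)                                  # (eps, eps)
                or (hp is not None and hq is not None
                    and hp[0] == hq[0] and (hp[1], hq[1]) in Y)              # same head, tails in Y
                or (hp is not None and hp[0] == TAU and (hp[1], q) in R)     # strip a tau on the left
                or (hq is not None and hq[0] == TAU and (p, hq[1]) in R)     # strip a tau on the right
            )
            if related:
                R.add((p, q))
                changed = True
    return frozenset(R)


def gfp(f):
    """nu.f by Kleene iteration downwards from the top of the finite lattice."""
    Y = TOP
    while True:
        Z = f(Y)
        if Z == Y:
            return Y
        Y = Z


def G(f, r):
    """Definition 2.1: G f r = nu.(lambda y. f(r join y))."""
    return gfp(lambda y: f(r | y))


def G_hat(f, r, g):
    """Definition 3.1 (no base closure yet): G^ f r g = r join G f (r join g)."""
    return r | G(f, r | g)


def eutt():
    """The weak bisimulation itself: nu.euttF."""
    return gfp(euttF)


def check_paco_laws(f, r, y):
    """Lemmas 2.2 (Init), 2.3 (Unfold) and 2.4 (Acc) at the given r and y."""
    return {
        "init": gfp(f) == G(f, BOT),
        "unfold": G(f, r) == f(r | G(f, r)),
        "acc": (y <= G(f, r)) == (y <= G(f, r | y)),
    }


def check_gpaco_laws(f, r, g, x):
    """Lemmas 3.2 (Init), 3.3 (Final), 3.4 (Base), 3.5 (Acc) and 3.6 (Step)."""
    return {
        "init": G_hat(f, BOT, BOT) == G(f, BOT) == gfp(f),
        "final": (r | G(f, g)) <= G_hat(f, r, g),
        "base": r <= G_hat(f, r, g),
        "acc": (x <= G_hat(f, r, g | x)) == (x <= G_hat(f, r, g)),
        "step": f(G_hat(f, g, g)) <= G_hat(f, r, g),
    }


if __name__ == "__main__":
    E = eutt()
    print("s ~ t:", ("s", "t") in E, "| e ~ e3:", ("e", "e3") in E, "| div ~ e:", ("div", "e") in E)
    print(check_paco_laws(euttF, frozenset({("s", "t")}), frozenset({("s1", "t1")})))
    print(check_gpaco_laws(euttF, frozenset({("s", "t")}),
                           frozenset({("s", "t"), ("s1", "t1")}), frozenset({("s1'", "t1'")})))
```

The laws hold for every r, g, x and y, including knowledge that is not part of the bisimulation (for instance r = {(div, e)}), because they are properties of the parameterized fixed point rather than of the particular functor; the Acc checks compare the two sides of the equivalence, so a pair that cannot be related yields false on both sides. The gfp of euttF relates s to t, the two finite streams to each other and div to itself, and nothing else across those groups, matching the expectations of Section 2.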
The ability to construct coinductive proofs incrementally, as considered above, is one technique that is invaluable for working with coinduction in an automated theorem prover. Another crucial technique is the use of “up-to” reasoning principles, which enable more scalable and modular proofs. The basic idea is to define a closure operator clo ∈ C → C that, given a relation X, extends it to a larger relation clo(X). Then such an up-to technique clo allows us to work with smaller relations when proving, for example, bisimilarity, reducing the effort required in the proof. The power of an up-to technique lies in the fact that the smaller relation X may not be a bisimulation at all. However, for reasoning up-to clo to be sound, X must be contained in a bisimulation. For a more in-depth description of up-to techniques, see [Pous and Sangiorgi 2011].

For example, the closure operator used for Lemma 3.7 is:
  τ_L(R) = {(τ* s, t) | (s, t) ∈ R}
where τ* means any finite number of τs. Using this up-to technique frees the user from having to manually step through the functor and build the bisimulation relation by manipulating τs one by one on the left side. In this section, we develop the enhancements to gpaco necessary to reason using these closure operators.

Before we proceed, we briefly review the state-of-the-art up-to techniques. Pous [2016] characterizes valid closures as any function bounded by the greatest compatible closure, called the companion. Specifically, an up-to function clo ∈ C →mon C is compatible with f if clo ∘ f ⊑ f ∘ clo. Compatible functions are a class of up-to techniques that are nice to work with because they are compositional, so different compatible up-to techniques can be used in a single proof. The companion cpn f ∈ C →mon C is the join of all such compatible functions, which is again compatible with f. Then, cpn f admits nice incremental and up-to principles for coinduction: in particular, clo(cpn f (r)) ⊑ cpn f (r) for any (not necessarily compatible) function clo ⊑ cpn f. In practice, most useful up-to functions are bounded by the companion.

In our approach, instead of using the companion, we parameterize our construct with the upper bound of valid closures, which we call a base closure, in order to allow a more explicit construction of the fixed point. This generalization is essential in the development of our equational theory for weak bisimulation in Section 5.

Definition 3.8 (Generalized parameterized greatest fixed point). We redefine the previous Ĝ, adding the base closure bclo ∈ C →mon C as the second argument:
  Ĝ bclo f r g ≝ bclo* (r ⊔ G (f ∘ bclo*) (r ⊔ g))
where bclo* is the transitive closure of bclo.

Figure 4. Two weakly bisimilar streams when r ≈ r′. (The diagram and its system of equations over the states s, s′, t, t′, related by ∼, are not reproduced.)

Note that by choosing the companion as a base closure, we get the equality Ĝ (cpn f) f r g = cpn f (r ⊔ f(cpn f (r ⊔ g))).

Definition 3.9. We introduce the following useful notation:
  Ḡ bclo f g ≝ Ĝ bclo f g g

Then we can use any up-to function clo bounded by bclo, and in fact even larger ones bounded by Ḡ bclo f.

Lemma 3.10 (Closure). If clo ⊑ Ḡ bclo f, then clo(Ĝ bclo f r g) ⊑ Ĝ bclo f r g

Since bclo ⊑ Ḡ bclo f, in the case clo = bclo it is always valid to use Closure, which will be marked as Closure*.

Using this rule, we can now amend Lemma 3.7: it holds, provided we instantiate bclo with τ_L or another closure that contains it (in the sense of Lemma 3.10). For the overall approach to be sound, the usual criterion required of such a base closure is a notion of compatibility. We work with a relaxed condition, weak compatibility, that can be seen as an instance of a compatible up-to function [Pous 2016]:

Definition 3.11 (Weakly compatible closure). bclo ∈ C →mon C is weakly compatible for f if
  bclo ∘ f ⊑ f ∘ Ḡ bclo f

We can begin using generalized parameterized coinduction from usual parameterized coinduction:

Lemma 3.12 (Init). If bclo is weakly compatible for f, then Ĝ bclo f ⊥ ⊥ ⊑ G f ⊥

For a more involved example showing how reasoning up-to closures can help, consider the streams in Figure 4, which are a modified version of the example we saw earlier in Figure 1. Here, rather than s taking an extra τ step, both streams go through intermediate transitions r and r′ respectively. Moreover, rather than defining the streams using definitional equality “=”, we instead specify them via strong bisimilarity “∼”. In the case that r and r′ are known to be weakly bisimilar to each other, the resulting streams remain weakly bisimilar. However, in order to prove that this is the case, the weak bisimulation relation would have to contain all of the internal bisimilar states of r and r′, and moreover, it would have to somehow incorporate the states related by the underlying strong bisimilarity relation too.

Figure 5. Proof rules for generalized parameterized coinduction

  Init:      bclo weakly compatible for f  ⟹  Ĝ bclo f ⊥ ⊥ ⊑ G f ⊥
  Base:      r ⊑ Ĝ bclo f r g
  Final:     r ⊔ G f g ⊑ Ĝ bclo f r g
  Step:      f(Ĝ bclo f g g) ⊑ Ĝ bclo f r g
  Acc:       x ⊑ Ĝ bclo f r (g ⊔ x)  ⟹  x ⊑ Ĝ bclo f r g
  Closure:   clo ⊑ Ḡ bclo f  ⟹  clo(Ĝ bclo f r g) ⊑ Ĝ bclo f r g
  Closure*:  bclo(Ĝ bclo f r g) ⊑ Ĝ bclo f r g

Similarly, when proving equivalence up-to-tau, it is intuitively the case that if r ≈ r′ and we want to coinductively relate the concatenated streams r ++ s ≈ r′ ++ t, it suffices to relate s and t—we can ignore the weakly bisimilar prefixes and focus on proving the tails of the streams equivalent. Up-to reasoning formalizes these intuitions. First, we define two closure operators, up-to prefix and up-to (strong) bisimilarity:

  prefix(R) = {(h₁ ++ t₁, h₂ ++ t₂) | h₁ ≈ h₂ ∧ (t₁, t₂) ∈ R}
  bisim(R) = {(a, b) | ∃ a′, b′. a ∼ a′ ∧ b ∼ b′ ∧ (a′, b′) ∈ R}

Being able to prove s ≈ t and s ≈ t up-to bisim and prefix allows for a proof conducted parametrically in the assumption r ≈ r′, leading to a proof with complexity similar to the one for Figure 1. Note that up-to prefix is an instance of the standard up-to context technique [Pous and Sangiorgi 2011].

Using the resulting set of reasoning principles provided by gpaco, summarized in Figure 5, we can proceed with the proof of weak bisimilarity for Figure 4, that is s ≈ t and s ≈ t. We use bisim as our base closure, a choice that will be grounded in Section 4.

By leveraging the reasoning principles of up-to bisim and prefix, we can derive a proof extremely similar to the previous examples. The difference lies in the application of the Closure rules at five points in the proof. We first apply Closure* twice with bisim to rewrite s, t, s, and t. Next we apply Closure* again to replace s′ and t′ with r ++ s and r′ ++ t respectively. We then apply Closure with prefix to remove the weakly bisimilar prefixes r and r′. Finally we apply Closure* with bisim again to rewrite s′ and t′. The remainder of the proof follows as before.

In the previous section we introduced gpaco, a greatest fixed point predicate recording both the accumulated knowledge guarded by a constructor and its already accessible counterpart. We additionally extended the construction to internalize the support for up-to closure. We have described the novel, richer reasoning principles derived from gpaco. We now illustrate its practical use concretely by establishing a rich equational theory to reason about weak bisimilarity of interactive systems. We develop this case study using the data type of potentially infinite streams of internal and external events, and study their equivalence up to internal steps. The approach and the results being general, we present them in lattice-theoretic notation, but all results are formalized in Coq.
The data type considered is the same type of potentially infinite streams of internal and external events introduced earlier in the paper. Formally, we define $\mathrm{stream} \stackrel{\mathrm{def}}{=} \nu.\,\mathrm{streamF}$ where:

$$\mathrm{streamF}\ X \stackrel{\mathrm{def}}{=} \{\epsilon\} \cup \{\tau\cdot s \mid s \in X\} \cup \{\beta(n)\cdot s \mid s \in X,\ n \in \mathbb{N}\}$$

An element of the resulting type stream is hence a potentially infinite trace consisting of internal steps, represented as τ constructors, and visible events emitting natural numbers, represented as β constructors. Such a data type can for instance be thought of as the observable trace of an interactive program's execution. We fix the lattice of interest to P(stream × stream) in the rest of the paper.

Defining a concatenation operation over streams, concat, is straightforward: let $\mathrm{concat} \stackrel{\mathrm{def}}{=} \nu.\,\mathrm{concatF}$ where

$$\mathrm{concatF}\ \mathrm{concat\_} \stackrel{\mathrm{def}}{=} \lambda s\,k.\ \mathbf{case}\ s\ \mathbf{of}\ \begin{array}[t]{l} \mid \epsilon \Rightarrow k \\ \mid \tau\cdot s \Rightarrow \tau\cdot(\mathrm{concat\_}\ s\ k) \\ \mid \beta(n)\cdot s \Rightarrow \beta(n)\cdot(\mathrm{concat\_}\ s\ k) \end{array}$$

We write s ++ t for concat s t.

Reasoning about these streams naturally requires proving that concat respects an equivalence relation over streams, which justifies reasoning principles such as s ≈ t ⟹ s ++ k ≈ t ++ k. The usual notion of Leibniz equality is inadequate when manipulating coinductive types. Instead, the standard equivalences used to reason about such streams are the notions of strong and weak bisimulation.

A natural equivalence relation over stream is to require the shape of both streams to match exactly, systematically pairing the head constructors. This coinductive relation, known as strong bisimulation, is convenient to work with, but too restrictive in practice. Indeed, it not only observes the visible events two systems emit when comparing them, but also ensures that their internal steps match as well: in a sense, it is a timing-sensitive equivalence of processes.

CPP ’20, January 20–21, 2020, New Orleans, LA, USA. Y. Zakowski, P. He, C. Hur, and S. Zdancewic

$$
\begin{array}{l}
\mathbf{fix}\ \mathrm{bisimF}\ (b_L\ b_R : \mathrm{bool})\ \mathrm{clo}_\beta\ X \stackrel{\mathrm{def}}{=} \\
\quad \{(\epsilon, \epsilon)\} \\
\quad \cup\ \{(\tau\cdot s,\ \tau\cdot t) \mid (s, t) \in X\} \\
\quad \cup\ \{(\beta(n)\cdot s,\ \beta(n)\cdot t) \mid (s, t) \in \mathrm{clo}_\beta(X),\ n \in \mathbb{N}\} \\
\quad \cup\ \{(\tau\cdot s,\ t) \mid b_L = \mathrm{true} \wedge (s, t) \in \mathrm{bisimF}\ b_L\ b_R\ \mathrm{clo}_\beta\ X\} \\
\quad \cup\ \{(s,\ \tau\cdot t) \mid b_R = \mathrm{true} \wedge (s, t) \in \mathrm{bisimF}\ b_L\ b_R\ \mathrm{clo}_\beta\ X\} \\[6pt]
\mathrm{bisim}\ b_L\ b_R \stackrel{\mathrm{def}}{=} G_{\mathrm{bisimF}\ b_L\ b_R\ \mathrm{id}}\ \bot
\end{array}
$$

Figure 6. Definition of a family of bisimulations over streams
Equivalence up-to-tau is a form of weak bisimulation, a coarser relation than strong bisimulation. It ignores any finite amount of internal steps a process may take before reaching its next external event. This relation is much more useful in practice, and is notably the de facto standard used in verified compilation to express the semantic preservation criterion [Leroy 2009; Tan et al. 2016].

Equivalence up-to-tau has to be careful not to relate the infinite sequence of τ with all streams. This is achieved by an inductive-coinductive definition: the functor bisimF whose greatest fixed point we take is itself defined recursively, but as a smallest fixed point. This nested structure makes it particularly delicate to work with without a carefully crafted metatheory. Moreover, because strong and weak bisimilarity have some common structure, it is beneficial for proof engineering purposes to share as much of their common metatheory as possible.

We demonstrate in this section how introducing a parameterized version of the weak bisimulation relation allows us to derive a rich equational theory that alleviates the pain of working with nested inductive-coinductive definitions. Our new construction, gpaco, is instrumental to the proofs in this theory.

While weak bisimulation is the core relation we care about, several related relations are relevant to prove our equational theory. As a way to factor work, we start by defining in Figure 6 bisim, a family of relations over streams. Let us for now ignore its three parameters and focus at a high level on the functor bisimF _ _ _ X. We use the fix keyword as a notation to express that bisimF itself is defined as a smallest fixed point. There are five ways we may relate two streams:

1. by matching ϵ constructors,
2. by matching τ and co-recursing,
3. by matching identical β and co-recursing,
4. by stripping a τ from the left and recursing, or
5. by stripping a τ from the right and recursing.
Note the use of a recursive call when stripping τ in the asymmetric cases (4) and (5): if we were to iterate co-recursively, then an infinite co-recursive chain of applications of rule (4) would relate the silently diverging stream to any stream.

The three parameters to bisimF refine the way these rules can be used to derive different relations. The boolean flags $b_L$ and $b_R$ enable or disable rules (4) and (5) respectively. The $\mathrm{clo}_\beta$ parameter, of type P(stream × stream) → P(stream × stream), is slightly more subtle. When matching two external events by rule (3), one does not have to relate the remainders of the streams with respect to just a co-recursive call, but can instead first apply $\mathrm{clo}_\beta$ to it. The practical use of the closure parameter will be delayed to Section 5, where it will be instrumental in deriving the necessary reasoning principles. For now, we set the $\mathrm{clo}_\beta$ parameter to the identity closure id in order to define the high-level relations we are interested in. It is straightforward to check that bisimF $b_L$ $b_R$ $\mathrm{clo}_\beta$ is monotone for any monotone $\mathrm{clo}_\beta$, in particular for id. We therefore can define the greatest fixed point bisim $b_L$ $b_R$ using paco.

We are now ready to derive concrete relations. First, if both asymmetric rules are disabled, we have to exactly match all constructors: this corresponds to strong bisimulation.

Definition 4.1 (Strong bisimulation). $s \sim t \stackrel{\mathrm{def}}{=} \mathrm{bisim}\ \mathrm{false}\ \mathrm{false}\ s\ t$

At the opposite end, equivalence up-to-tau is defined by allowing both rules: it is always fine to strip away finite amounts of τ's on either side.

Definition 4.2 (Equivalence up-to-tau). $s \approx t \stackrel{\mathrm{def}}{=} \mathrm{bisim}\ \mathrm{true}\ \mathrm{true}\ s\ t$

Finally, a third relation is often useful. By allowing only one of the rules, we get an asymmetric relation expressing that a stream is up-to-tau bisimilar to another, but contains more τ's.

Definition 4.3 (Over-approximation up-to-tau). $s \mathrel{\&} t \stackrel{\mathrm{def}}{=} \mathrm{bisim}\ \mathrm{true}\ \mathrm{false}\ s\ t$

Notice the following subrelation inclusions: ∼ ⊆ & ⊆ ≈.

Unfortunately, the inductive-coinductive nature of weak bisimulation in particular makes a property as elementary as transitivity already a challenge to prove. The standard approach is to seek stronger reasoning principles by introducing up-to techniques. We first consider reasoning up to transitive closure.

The native reasoning principle on bisimilarity only allows us to step through the functor bisimF, forcing us systematically to nest an induction to account for possible bounded stripping of τ's, which often requires a clever generalization of the statement for it to hold inductively. Reasoning up to transitive closure enables a new reasoning principle: when attempting to prove that two streams (s, t) belong to a relation r, it may be sound in appropriate contexts to simply substitute s or t for other bisimilar streams. This intuition is formalized by introducing a family of transitive closures parameterized by four boolean flags:

Definition 4.4 (Transitive closure up to bisimilarity).

$$\frac{(s, s') \in \mathrm{bisim}\ b_L\ b_R \qquad (s', t') \in r \qquad (t, t') \in \mathrm{bisim}\ b'_L\ b'_R}{(s, t) \in \mathrm{bisim\_trans\_clo}\ b_L\ b_R\ b'_L\ b'_R\ r}$$

Each pair of flags defines the instances of bisim that are allowed to be used to substitute for the left and right streams. These closures are not all safe to use in arbitrary contexts. Indeed, by setting all flags to true, we allow arbitrary rewriting up-to-tau:

Definition 4.5 (Undirected transitive closure). $\mathcal{U} \stackrel{\mathrm{def}}{=} \mathrm{bisim\_trans\_clo}\ \mathrm{true}\ \mathrm{true}\ \mathrm{true}\ \mathrm{true}$

Let us emphasize why such arbitrary, undirected, up-to-tau rewriting as provided by U is an unsound principle in general, as first shown by Sangiorgi and Milner [1992]. Recall that a coinductive proof is in essence constructing a cycle, being only allowed to invoke the coinduction hypothesis once below a guard. In our case, U could hence be misused to introduce a τ constructor that could then be used as a guard, allowing for unsound circular reasoning. To illustrate the problem concretely, let us assume for a moment that the precondition of the Closure principle from Figure 5 is available for U. The following proof would then be valid:

ϵ ≈ ϵ
Init ⟺ (ϵ, ϵ) ∈ Ĝ_euttF ∅ ∅
Acc ⟺ (ϵ, ϵ) ∈ Ĝ_euttF ∅ {(ϵ, ϵ)}
Closure(U) ⟸ (τϵ, τϵ) ∈ Ĝ_euttF ∅ {(ϵ, ϵ)}
Step ⟸ (ϵ, ϵ) ∈ Ĝ_euttF {(ϵ, ϵ)} {(ϵ, ϵ)}
Base ⟸ (ϵ, ϵ) ∈ {(ϵ, ϵ)} □

This minimal example showcases how this unrestricted up-to closure principle could introduce τ constructors that would then be used as guards to wrongly justify the use of the coinductive hypothesis. Thankfully, applying Closure(U) is prohibited. Note however that had we justified the use of the coinductive hypothesis by a β guard, the rewriting would have been harmless.

We will come back to U in more detail by considering a context-sensitive up-to technique in Section 5. But let us focus for now on a better behaved instance:

Definition 4.6 (Directed transitive closure). $\mathcal{D} \stackrel{\mathrm{def}}{=} \mathrm{bisim\_trans\_clo}\ \mathrm{true}\ \mathrm{false}\ \mathrm{true}\ \mathrm{false}$

The D closure disables the second flag in each of the bisimulations used. This means that a stream may be substituted by a bisimilar one only if the new one contains no more τ's than the previous one. It is intuitively clear that this substitution is always sound since it cannot introduce a guard.
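The stream type and concat of Section 4 and the three relations of Definitions 4.1–4.3, run on explicit lazy streams, as an added example. This is illustration code written for this page, not the paper's Coq development: the greatest fixed point is replaced by its depth-bounded approximant (a False answer is definitive, a True answer only says no mismatch was found within the budget), and the inductive τ-stripping rules (4)/(5) are bounded by a fuel counter so that the silently diverging stream τ^ω cannot be stripped. The sample streams A, B, C are constructed for the example.

```python
"""Added example: the bisimF functor of Figure 6 with its b_L / b_R flags, run on
explicit lazy streams. Illustration only, not the paper's Coq development.

A stream is a thunk returning its head constructor:
  ('eps',)  |  ('tau', rest)  |  ('beta', n, rest)       (rest is again a thunk)
"""
from typing import Callable

Stream = Callable[[], tuple]
Rel = Callable[[Stream, Stream], bool]


def eps() -> Stream:
    return lambda: ("eps",)


def tau(rest: Stream) -> Stream:
    return lambda: ("tau", rest)


def beta(n: int, rest: Stream) -> Stream:
    return lambda: ("beta", n, rest)


def tau_omega() -> Stream:
    """The silently diverging stream tau^omega, built lazily."""
    return lambda: ("tau", tau_omega())


def concat(s: Stream, k: Stream) -> Stream:
    """concat of the paper: copy s constructor by constructor, then continue with k."""
    def force():
        head = s()
        if head[0] == "eps":
            return k()
        if head[0] == "tau":
            return ("tau", concat(head[1], k))
        return ("beta", head[1], concat(head[2], k))
    return force


def bisimF(b_l: bool, b_r: bool, X: Rel, s: Stream, t: Stream, fuel: int = 64) -> bool:
    """One unfolding of bisimF b_L b_R id, with X standing for the co-recursive call.
    Rules (1)-(3) match head constructors; rules (4)/(5) strip a tau and recurse into
    bisimF itself (the inductive part), which `fuel` keeps finite."""
    hs, ht = s(), t()
    if hs[0] == "eps" and ht[0] == "eps":                        # rule (1)
        return True
    if hs[0] == "tau" and ht[0] == "tau" and X(hs[1], ht[1]):    # rule (2), co-recurse
        return True
    if (hs[0] == "beta" and ht[0] == "beta" and hs[1] == ht[1]
            and X(hs[2], ht[2])):                                # rule (3), clo_beta = id
        return True
    if fuel == 0:                                                # bounded induction
        return False
    if b_l and hs[0] == "tau" and bisimF(b_l, b_r, X, hs[1], t, fuel - 1):  # rule (4)
        return True
    if b_r and ht[0] == "tau" and bisimF(b_l, b_r, X, s, ht[1], fuel - 1):  # rule (5)
        return True
    return False


def bisim(b_l: bool, b_r: bool, s: Stream, t: Stream, depth: int = 32) -> bool:
    """The depth-th approximant bisimF^depth(top) of the greatest fixed point.
    False is definitive (the pair is outside nu.bisimF); True means no mismatch
    within `depth` co-recursive steps."""
    if depth == 0:
        return True
    return bisimF(b_l, b_r, lambda a, b: bisim(b_l, b_r, a, b, depth - 1), s, t)


def strong(s: Stream, t: Stream) -> bool:   # Definition 4.1, s ~ t
    return bisim(False, False, s, t)


def eutt(s: Stream, t: Stream) -> bool:     # Definition 4.2, s ≈ t
    return bisim(True, True, s, t)


def over(s: Stream, t: Stream) -> bool:     # Definition 4.3, s & t (s carries the extra taus)
    return bisim(True, False, s, t)


# Constructed samples: same visible events beta(1), beta(2), different internal steps.
A = beta(1, tau(beta(2, eps())))
B = tau(tau(beta(1, tau(tau(beta(2, tau(eps())))))))
C = beta(3, eps())


def examples() -> dict:
    """Run the relations on the samples; returned as a dict so the results can be checked."""
    return {
        "strong A B": strong(A, B),        # internal steps differ: False
        "eutt A B": eutt(A, B),            # same visible events: True
        "over B A": over(B, A),            # B has more taus than A: True
        "over A B": over(A, B),            # would need to strip taus on the right: False
        "eutt tau^w eps": eutt(tau_omega(), eps()),         # divergence is not ≈ termination
        "eutt tau^w tau^w": eutt(tau_omega(), tau_omega()),
        "left unit": strong(concat(eps(), A), A),           # monoid laws on the samples
        "right unit": strong(concat(A, eps()), A),
        "assoc": strong(concat(concat(A, B), C), concat(A, concat(B, C))),
        "congruence": eutt(concat(A, C), concat(B, C)),     # s ≈ t  =>  s ++ k ≈ t ++ k
    }


if __name__ == "__main__":
    for name, value in examples().items():
        print(f"{name}: {value}")
```

The order in which the rules are tried does not matter for the answer, since bisimF is a union of the five cases; it only affects how much fuel a negative answer consumes. The `over` checks make the asymmetry of Definition 4.3 concrete: B & A holds because only left τ's ever need stripping, while A & B fails at the very first constructor.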
Note that this is the up-to expansion technique presented by Sangiorgi and Milner [1992] to solve the problem with up-to weak bisimilarity above. This transitivity principle is in practice the most general one that we shall consider. It will be the instance of the base closure that we will provide to gpaco in the construction we introduce in Section 5.

This soundness and generality are expressed by proving that D provides a sound up-to reasoning principle with respect to ≈. This soundness holds in the sense that D satisfies the precondition of Lemma 3.12 with respect to the functor $\mathrm{euttF} \stackrel{\mathrm{def}}{=} \mathrm{bisimF}\ \mathrm{true}\ \mathrm{true}$. Lemma 3.12 allows us to move from a proof of a paco predicate, ≈ being the one of concern, to a gpaco counterpart set up with D as the base closure.

Lemma 4.7 (Initialization for D with respect to euttF). For any monotone $\mathrm{clo}_\beta$ such that $\mathcal{D} \circ \mathrm{clo}_\beta \subseteq \mathrm{clo}_\beta \circ \mathcal{D}$, D is weakly compatible for euttF $\mathrm{clo}_\beta$.

We can at this stage already establish a certain number of facts about our instances of bisim. By picking in particular $\mathrm{clo}_\beta = \mathrm{id}$, the closure used in the definition of euttF, we can derive the following reasoning principle by applying Closure*.

Theorem 4.8 (≈ is a congruence for &).

$$\frac{s' \mathrel{\&} s \qquad s' \approx t' \qquad t' \mathrel{\&} t}{s \approx t}$$

We then prove that bisim defines equivalence relations:
Lemma 4.9. ∼ and ≈ are equivalence relations; & is reflexive and transitive.

Finally, we show that bisim $b_L$ $b_R$ is a congruence for each constructor of euttF.

Proving the monoidal laws and the congruence rules relating concat to weak bisimulation is greatly simplified by a second reasoning principle: the ability to reason up to prefix. When attempting to relate two streams defined as concatenations, it should be possible to discharge their prefixes by proving they are bisimilar. The following closure captures this reasoning principle:
Definition 4.10 (Concat closure).

$$\frac{h \approx h' \qquad (t, t') \in r}{(h \mathbin{+\!\!+} t,\ h' \mathbin{+\!\!+} t') \in \mathcal{C}\ r}$$

The soundness of the closure is embodied by showing that Lemma 3.10 can be instantiated for C with respect to euttF, with D as the base closure:

Lemma 4.11 (Compatibility of C with respect to euttF). For any monotone $\mathrm{clo}_\beta$ such that $\mathcal{C} \circ \mathrm{clo}_\beta \subseteq \mathrm{clo}_\beta \circ \mathcal{C}$ and $\mathrm{id} \subseteq \mathrm{clo}_\beta$, we have $\mathcal{C} \subseteq \bar{G}_{\mathcal{D}}\ \mathrm{euttF}\ \mathrm{clo}_\beta$.

Lemma 4.11 essentially states that all instances of bisim are congruences for concat in the first argument. In particular we can prove that ∼ is a congruence for concat:

Theorem 4.12 (∼ is a congruence for concat).

$$\frac{h \sim h' \qquad t \sim t'}{h \mathbin{+\!\!+} t \sim h' \mathbin{+\!\!+} t'}$$

With these tools in hand, we can prove the expected monoidal laws. In particular, Theorem 4.12 greatly simplifies the proof of associativity.
Theorem 4.13 ((stream, ++) forms a monoid).

$$\epsilon \mathbin{+\!\!+} s \sim s \qquad s \mathbin{+\!\!+} \epsilon \sim s \qquad (r \mathbin{+\!\!+} s) \mathbin{+\!\!+} t \sim r \mathbin{+\!\!+} (s \mathbin{+\!\!+} t)$$

Section 4 introduced the stream data type and two equivalence relations upon it: a strong bisimulation that constrains streams to be structurally identical, and a weak bisimulation that quotients them up to a finite amount of internal steps. We have shown that two reasoning principles may be proved sound when reasoning about weak bisimulation: up-to transitivity with respect to the addition of τ's, D, and up-to concat closure, C. However, even with the support from gpaco, reasoning about streams remains a technical challenge. In particular, we noticed that up-to transitivity with respect to general equivalence up-to-tau, U, is sound in contexts guarded by a β, but not when guarded by a τ.

In order to alleviate these difficulties, we abstract away from the low-level use of gpaco and define in this section a new context-sensitive weak bisimulation relation, euttG. We prove that this relation satisfies a rich equational theory, notably supporting context-sensitive up-to techniques, and is sound with respect to weak bisimulation. By doing so, we internalize much of the complexity inherent to coinductive reasoning over weak bisimulation and provide an interface exposing the higher-level reasoning principles specific to weak bisimulations of streams.

We leverage the expressivity of gpaco to define the parameterized weak bisimulation euttG $r_\beta$ $r_\tau$ $g_\beta$ $g_\tau$. Before getting to its formal definition, we sketch the intuition it carries. The relation takes four parameters, each of type P(stream × stream), which correspond respectively to information that has been unlocked by a visible step or an internal step, or that remains guarded behind a visible step or an internal step. The key idea in distinguishing the kind of constructor that has released or still guards the information is to allow for context-sensitive up-to techniques.
Indeed, an incremental coinductive proof can be thought of as a game of exploration whose goal is to close all explored paths by coming back to a previously explored state. By substituting a stream for a weakly bisimilar one, we may compromise all states reached by taking τ steps, but we remain certain that a cycle is found if we get back to a state reached under a β step. As such, β guards are stronger than τ guards when reasoning up-to-tau.

The main tool we will use to enable more reasoning principles under β guards than under τ guards is the $\mathrm{clo}_\beta$ argument introduced in the definition of bisim, Figure 6, which has been left unexploited through Section 4. Recall that this parameter is an up-to closure applied to the co-recursive call under a β constructor. The closure we consider is defined as follows:

Definition 5.1 (Closure for external events). $\mathcal{V}_{g_\beta}\ r \stackrel{\mathrm{def}}{=} \bar{G}_{\mathcal{D}}\ \mathrm{euttF}\ \mathrm{id}\ (\mathcal{U}(r \cup g_\beta))$.

The closure $\mathcal{V}_{g_\beta}$ is best understood right to left. At its core, it simply extends the relation r with the β-guarded knowledge $g_\beta$. Since it will only be accessible under β guards, it is also sound to close this knowledge up to undirected transitivity, U, to allow for arbitrary rewriting by weak bisimilarity. Finally, by definition of bisimF, using $\mathcal{V}_{g_\beta}$ in place of the $\mathrm{clo}_\beta$ argument permits its use right as we strip off a pair of β constructors. Specifically, if the goal is of the form β(n)·s ≈ β(n)·t, then $\mathcal{V}_{g_\beta}$ can be used to relate s and t. However, we sometimes want to delay the use of this closure: say the goal is of the form β(n)·(p ++ s) ≈ β(n)·(p ++ t); we need to first reason up to concatenation and only then use $\mathcal{V}_{g_\beta}$ to relate s and t. Wrapping the whole closure into a call to gpaco is a convenient way to make this possible. We now turn to the definition of euttG itself:

Definition 5.2 (Parameterized weak bisimulation).

$$\mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau \stackrel{\mathrm{def}}{=} \hat{G}_{\mathcal{D}}\ \mathrm{euttF}\ (\mathcal{V}_{g_\beta})\ (\mathcal{U}(r_\beta) \cup r_\tau)\ g_\tau$$

The definition of euttG is a slightly intimidating instance of gpaco. Let us walk through each of its arguments. First, the base closure provided is D: in any context, it is sound to work up to directed transitivity. Now since both $r_\beta$ and $r_\tau$ are information that has been unlocked previously, their union is provided as accessible, except that, as in the case of $g_\beta$ under V, the β-unlocked knowledge is additionally closed by U, undirected transitivity. The functor whose greatest fixed point we take is naturally euttF; going under the functor hence guarantees that we go either under a τ or a β guard. We therefore set $g_\tau$ to be always unlocked under the functor, as expressed by its position as the last parameter of gpaco. Finally, the additional knowledge $g_\beta$ is ensured to be unlocked only when the functor is applied by going under β guards, by being provided as a parameter to V in the closure passed to euttF.

Having motivated the definition of euttG by the intuitive reasoning principles it should satisfy, we formalize these principles in the following subsection.

The interface provided by our theory is summarized by the set of rules described in Figure 7. They are split into four categories. The soundness rules relate equivalence up-to-tau and euttG. The knowledge manipulation rules provide the core coinductive principles specialized to weak bisimulation. The stream processing rules give specialized principles to step under euttF constructors. Finally, we provide support for three up-to reasoning principles. All rules maintain the following implicit invariant for euttG: $r_\beta \subseteq r_\tau \subseteq g_\tau \subseteq g_\beta$.

Soundness
The relation between euttG and ≈ is similar to the one between paco and gpaco: it is an intermediary construct one transits to in order to conduct a proof. The soundness of the overall approach is hence encapsulated in two rules. First, the Init rule states that one can always move during a proof of weak bisimulation into the euttG realm by assuming no initial knowledge.

Theorem 5.3 (Init). $(s, t) \in \mathrm{euttG}\ \emptyset\ \emptyset\ \emptyset\ \emptyset \implies s \approx t$

Using Init, we can hence start a euttG-based proof. Convers­ely, since euttG is purely an intermediary to conduct proofs about weak bisimulation, Final is key to invoke any pre-established ≈-equation: for any state of accumulated knowledge, euttG always contains ≈.

Theorem 5.4 (Final). $s \approx t \implies (s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau$

Knowledge manipulation
The euttG relation shields the user from its internals as much as possible by providing its own reasoning principles with respect to the four knowledge arguments it carries. First, the Base case echoes its gpaco counterpart by giving access to all unlocked knowledge.

Theorem 5.5 (Base). $(s, t) \in r_\beta \cup r_\tau \implies (s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau$

The accumulation theorem is once again key to making parameterized coinductive reasoning possible. It states that in order to prove that a set x of pairs of streams belongs to euttG, one can extend the guarded knowledge by assuming that x is contained in this knowledge:

Theorem 5.6 (Acc). $x \subseteq \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau \iff x \subseteq \mathrm{euttG}\ r_\beta\ r_\tau\ (g_\beta \cup x)\ (g_\tau \cup x)$

Stream processing
Three principles allow us to process each of the stream constructors. Naturally, it is trivial to show that terminating streams can be matched.

Theorem 5.7 (Ret). $(\epsilon, \epsilon) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau$

Internal events can be consumed on each side, which grants access to the τ-guarded knowledge.

Theorem 5.8 (τ step). $(s, t) \in \mathrm{euttG}\ r_\beta\ g_\tau\ g_\beta\ g_\tau \implies (\tau\cdot s, \tau\cdot t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau$

Finally, visible steps propagate the guarded knowledge to all parameters.

Theorem 5.9 (β step). $(s, t) \in \mathrm{euttG}\ g_\beta\ g_\beta\ g_\beta\ g_\beta \implies (\beta(n)\cdot s, \beta(n)\cdot t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau$

Up-to reasoning
Finally, three up-to reasoning principles are supported. As developed in Section 4, directed transitive closure and concatenation closure are sound in all contexts. This is reflected in the simplicity of the rules TransD and ConcatC: one can simply make a call to the corresponding closure at any time.

Theorem 5.10 (Directed transitive closure). $(s, t) \in \mathcal{D}(\mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau) \implies (s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau$

Theorem 5.11 (Concat closure). $(s, t) \in \mathcal{C}(\mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau) \implies (s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau$

The third principle, undirected transitive closure, is more interesting. We internalize the intuition that it is only sound while guarded by β guards by overwriting all weakly available and guarded knowledge with the strongly available one:

Theorem 5.12 (Undirected transitive closure). $(s, t) \in \mathcal{U}(\mathrm{euttG}\ r_\beta\ r_\beta\ g_\beta\ r_\beta) \implies (s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau$

We now illustrate a use of this interface.
$$
\begin{array}{c}
\textbf{Soundness}\\[4pt]
\dfrac{(s, t) \in \mathrm{euttG}\ \emptyset\ \emptyset\ \emptyset\ \emptyset}{s \approx t}\ \textsc{Init}
\qquad
\dfrac{s \approx t}{(s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \textsc{Final}
\\[14pt]
\textbf{Knowledge manipulation}\\[4pt]
\dfrac{(s, t) \in r_\beta \cup r_\tau}{(s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \textsc{Base}
\qquad
\dfrac{x \subseteq \mathrm{euttG}\ r_\beta\ r_\tau\ (g_\beta \cup x)\ (g_\tau \cup x)}{x \subseteq \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \textsc{Acc}
\\[14pt]
\textbf{Stream processing}\\[4pt]
\dfrac{}{(\epsilon, \epsilon) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \textsc{Ret}
\qquad
\dfrac{(s, t) \in \mathrm{euttG}\ r_\beta\ g_\tau\ g_\beta\ g_\tau}{(\tau\cdot s, \tau\cdot t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \tau\_\textsc{Step}
\qquad
\dfrac{(s, t) \in \mathrm{euttG}\ g_\beta\ g_\beta\ g_\beta\ g_\beta}{(\beta(n)\cdot s, \beta(n)\cdot t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \beta\_\textsc{Step}
\\[14pt]
\textbf{Up-to reasoning}\\[4pt]
\dfrac{(s, t) \in \mathcal{D}(\mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau)}{(s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \textsc{TransD}
\qquad
\dfrac{(s, t) \in \mathcal{U}(\mathrm{euttG}\ r_\beta\ r_\beta\ g_\beta\ r_\beta)}{(s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \textsc{TransU}
\qquad
\dfrac{(s, t) \in \mathcal{C}(\mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau)}{(s, t) \in \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau}\ \textsc{ConcatC}
\end{array}
$$

Figure 7. Equational theory for parameterized equivalence up-to-tau. D, U and C are the closures for which up-to reasoning is possible: directed and undirected transitivity, and concatenation.

X ⊆ ν.euttF
Init ⟸ X ⊆ euttG ∅ ∅ ∅ ∅
Acc ⟸ X ⊆ euttG ∅ ∅ X X
TransU ⟸ {(s′, t′), (s′, t′)} ⊆ euttG ∅ ∅ X ∅
β_Step ⟸ X ⊆ euttG X X X X
Acc ⟸ X ⊆ euttG X X (X ∪ X) (X ∪ X)

lhs: (s′, t′) ∈ euttG X X (X ∪ X) (X ∪ X)
  TransU ⟸ (r ++ s, r′ ++ t) ∈ euttG X X (X ∪ X) X
  ConcatC ⟸ (s, t) ∈ euttG X X (X ∪ X) X
  Base ⟸ (s, t) ∈ X □

rhs: (s′, t′) ∈ euttG X X (X ∪ X) (X ∪ X)
  TransU ⟸ (s′, t′) ∈ euttG X X (X ∪ X) X
  β_Step ⟸ (s′, t′) ∈ euttG (X ∪ X) (X ∪ X) (X ∪ X) (X ∪ X)
  Base ⟸ (s′, t′) ∈ X ∪ X □

Figure 8. Practical use of euttG: a proof example
Consider the following two streams:

s ≈ s′   s′ ≈ r ++ s   s ≈ s′   s′ ≈ s′
t ≈ t′   t′ ≈ r′ ++ t   t ≈ t′   t′ ≈ t′

This example differs from Figure 4 in that each of the states is related to one another by weak bisimilarity. To prove that s ≈ t and s ≈ t, the same proof as before using just gpaco will not work, since we need to use U, a context-sensitive closure. However, the proof remains straightforward using euttG, assuming still that we know r ≈ r′, as depicted in Figure 8. Notice in particular how TransU allows us to rewrite up-to-tau equations, at the cost each time of losing the knowledge locked behind a τ guard.

X ⊆ ν.F
Init ⟸ X ⊆ euttG ∅ ∅ ∅ ∅
Acc ⟸ X ⊆ euttG ∅ ∅ X X
TransU ⟸ X ⊆ U(euttG ∅ ∅ X ∅)
by ( ) ⟸ X ⊆ U(cpn_F(euttG ∅ ∅ X ∅))
by ( ) ⟸ X ⊆ U(cpn_F(Y))
by ( ) ⟺ X ⊆ U(F(⊤))
⟸ X ⊆ U(F(X))   (since (τϵ, τϵ) ∈ F(X)) □

Figure 9. A contradiction when the companion is used as the base closure
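The knowledge bookkeeping of the Figure 7 rules, and the cost of TransU remarked on above, replayed on finite sets, as an added example. This is illustration code written for this page, not the paper's Coq development: it models only the four knowledge parameters of euttG and how each rule rewrites them when read bottom-up (goal to premise), it does not decide bisimilarity, and the pair labels "s1"/"t1" are constructed placeholders.

```python
"""Added example: the knowledge flow of the euttG rules (Figure 7), read bottom-up.
Illustration only, not the paper's Coq development; pairs are opaque labels."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

Pair = Tuple[str, str]          # a pair of streams, named by placeholder labels here
Knowledge = FrozenSet[Pair]


@dataclass(frozen=True)
class Goal:
    """A goal (s, t) ∈ euttG r_beta r_tau g_beta g_tau (Definition 5.2),
    keeping only its four knowledge parameters."""
    r_beta: Knowledge
    r_tau: Knowledge
    g_beta: Knowledge
    g_tau: Knowledge

    def invariant(self) -> bool:
        """The implicit invariant all rules maintain: r_beta ⊆ r_tau ⊆ g_tau ⊆ g_beta."""
        return self.r_beta <= self.r_tau <= self.g_tau <= self.g_beta

    def accessible(self) -> Knowledge:
        """What Base (Theorem 5.5) can close right now: r_beta ∪ r_tau."""
        return self.r_beta | self.r_tau

    # Each method maps the conclusion's parameters to the premise's parameters.
    def acc(self, x: Knowledge) -> "Goal":
        """Acc (Theorem 5.6): assume x, guarded behind both kinds of constructor."""
        return Goal(self.r_beta, self.r_tau, self.g_beta | x, self.g_tau | x)

    def tau_step(self) -> "Goal":
        """tau_Step (Theorem 5.8): the tau-guarded knowledge becomes accessible."""
        return Goal(self.r_beta, self.g_tau, self.g_beta, self.g_tau)

    def beta_step(self) -> "Goal":
        """beta_Step (Theorem 5.9): everything guarded becomes accessible."""
        return Goal(self.g_beta, self.g_beta, self.g_beta, self.g_beta)

    def trans_u(self) -> "Goal":
        """TransU (Theorem 5.12): weakly available/guarded knowledge is overwritten
        by the beta-unlocked knowledge; only g_beta survives untouched."""
        return Goal(self.r_beta, self.r_beta, self.g_beta, self.r_beta)

    # TransD and ConcatC leave the four parameters unchanged and need no method.


def knowledge_flow(x: Knowledge) -> dict:
    """Replay the skeleton of the Figure 8 proof (Init, then Acc x) and compare
    what Base could use after a tau step with what is left after a TransU rewrite."""
    init = Goal(frozenset(), frozenset(), frozenset(), frozenset())   # Init: no knowledge
    after_acc = init.acc(x)
    premises = (init, after_acc, after_acc.tau_step(), after_acc.beta_step(), after_acc.trans_u())
    return {
        "after Acc": after_acc.accessible(),                                  # still guarded
        "tau_Step then Base": after_acc.tau_step().accessible(),              # x usable
        "TransU then tau_Step": after_acc.trans_u().tau_step().accessible(),  # x lost
        "TransU then beta_Step": after_acc.trans_u().beta_step().accessible(),  # x regained
        "invariants": all(g.invariant() for g in premises),
    }


if __name__ == "__main__":
    for name, value in knowledge_flow(frozenset({("s1", "t1")})).items():
        print(f"{name}: {value}")
```

The last two entries are the point of the section in miniature: after an undirected rewrite, the coinductive hypothesis accumulated by Acc is reachable again only through a β guard, never through a τ guard.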
We show that the companion closure is inconsistent with the rules of euttG, so that it cannot be used as a base closure. To this end, for any definition of euttG satisfying the rules in Figure 7, suppose that it is closed under the companion $\mathrm{cpn}_F$ for $F = \mathrm{bisimF}\ b_L\ b_R\ \mathrm{clo}_\beta$ with arbitrary $b_L$, $b_R$, $\mathrm{clo}_\beta$:

$$\mathrm{cpn}_F(\mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau) \subseteq \mathrm{euttG}\ r_\beta\ r_\tau\ g_\beta\ g_\tau \tag{1}$$

Let X = {(ϵ, ϵ)} and Y = {(ϵ, ϵ)}. For ⊤ : stream × stream, we have:

$$\mathrm{cpn}_F(Y) = F(\top) \tag{2}$$

$$Y \subseteq \mathrm{euttG}\ \emptyset\ \emptyset\ X\ \emptyset \tag{3}$$

The proof of (2) is given in Appendix A.1. (3) follows by applying β_Step then Base. Then, as shown in Figure 9, we can derive a contradiction, that ϵ ≈ ϵ. The root of the issue is that the companion construction contains non-structural "junk" when provided a false assumption like Y above. Where we would want $\mathrm{cpn}_F(Y)$ to contain exactly the pairs of streams equivalent modulo Y, it also ends up containing nonsensical pairs such as (τϵ, τϵ).

We implemented gpaco and its theory as described in Section 3 in the Coq proof assistant. The formalization is built as an extension of the paco library and is available at https://github.com/snu-sf/paco. Since the implementation builds directly on top of paco, it is fully backward compatible: the new gpaco reasoning principles are applicable to any coinductive object defined via paco, with no change in the definitions. As was the case with the original library, we provide high-level tactics mapping to each reasoning principle described in Figure 5.
For the sake of exposition and self-containment, we have presented here a case study built on streams and their monoidal structure. The motivation for the development of this technique however stemmed from a more complex application: interaction trees [Xia et al. 2020] are a coinductive structure similar to streams, but branching, in the sense that visible events are followed by a continuation over the type of the emitted event. Interaction trees can be equipped with a bind operation similar to the concat operation, and proved to form a monad.

We have applied the techniques described in this paper to derive an axiomatic interface to reason up-to-tau about interaction trees. This layer of abstraction has then been heavily used to reason about this structure, and proved instrumental in alleviating the induced difficulty. The corresponding formal development can be browsed at https://github.com/DeepSpec/InteractionTrees/. In particular, the equational theory is developed in the /theories/Eq directory.
Paco and Companion

We start by discussing how our contribution builds on existing work, namely parameterized coinduction (Paco) [Hur et al. 2013] and the companion [Pous 2016], and how we improve on them. As we reviewed in Section 2, Paco provides incremental reasoning by the parameterized fixed point $G_f$. It also provides up-to reasoning by combining f with its greatest respectful closure $\mathrm{gres}_f$ (i.e., using $G_{f \circ \mathrm{gres}_f}$). Pous [2016] shows that the greatest compatible closure $\mathrm{cpn}_f$, called the companion, coincides with $\mathrm{gres}_f$ and directly admits the incremental and up-to reasoning principles of $G_{f \circ \mathrm{gres}_f}$. Moreover, the companion admits second-order reasoning, which provides incremental and up-to principles for reasoning about $\mathrm{clo} \sqsubseteq \mathrm{cpn}_f$.

In our work, we generalize the constructions in two directions. First, we use two parameters to track both the unlocked and the guarded knowledge. As briefly discussed in Section 3.2, the companion construction with two parameters r and g can be given by $\mathrm{cpn}_f(r \sqcup f(\mathrm{cpn}_f(r \sqcup g)))$. Second, we parameterize the upper bound of closures instead of using the greatest compatible/respectful closure. The need for such parameterization was shown in Section 5.4.

Distinguishing Internal and Visible Steps

[Sangiorgi and Walker 2001, Exercise 2.4.64] and [Pous 2007] present up-to techniques allowing different up-to closures for internal and visible steps. Among them, [Pous 2007] gives a more formal framework, where two notions of monotonicity (in more recent terminology, respectfulness) are defined. If a relation R is τ-simulated (i.e., for internal steps) up to a monotonic closure and v-simulated (i.e., for visible steps) up to a weakly monotonic closure, then R is contained in the weak (bi)similarity. Notably, up-to weak bisimulation is only weakly monotonic. Similarly, our work also presents an equational theory for weak bisimulation where internal and visible steps admit different up-to closures. The main challenge we are addressing is to combine such up-to closures with incremental reasoning using four different kinds of knowledge: unlocked/guarded knowledge for internal/visible steps.

Aristizabal et al. [2016] have developed a general framework to reason about notions of weak steps vs. strong steps (passive vs. active in their terminology) when establishing a bisimulation. Simulations can generally be phrased in terms of a relation R that progresses to itself. Under this formulation, an up-to technique is a function f on relations such that when R progresses to f(R), then R is included in the bisimilarity relation. In order to account for a distinction of the stepping relation between a passive part and an active part, they introduce the notion of diacritical progress: R ։ Q, S expresses that R progresses toward Q in the passive case and toward S in the active case. With this tool, an up-to technique in the usual sense (called strong) is a function f such that R ։ f(R), f(R) implies that R is in the bisimilarity relation. This definition also extends to functions f such that R ։ R, f(R) implies the same. These up-to techniques make explicit the fact that up-to reasoning is only enabled when performing active steps. In [Aristizabal et al. 2016], they develop sufficient conditions for using strong and regular up-to techniques in terms of the notions of evolution and compatibility of functions, adapted to the diacritical setting. [Biernacki et al. 2019] goes further by generalizing this view to the lattice-theoretic setting. This generalization allows them to introduce a notion of diacritical companion, defined as the greatest diacritically compatible function, extending both their and Pous' work.

This approach, whose contribution is orthogonal to that of this paper, could, we conjecture, be defined in gpaco. The development of euttG, and of the soundness of the TransU rule in particular, might then fit nicely into this framework, potentially benefiting from this more principled approach by being easier to define. Investigating this conjecture formally would be an interesting direction for future work.
Other Related Works

In [Pous 2016], Pous introduced the companion of a function f by characterizing it as the greatest compatible function for f. Parrow and Weber [2016] give a more explicit, ordinal-based construction of the companion in classical set theory. Analogously, it turns out that the companion can be obtained in constructive type theory with an inductive tower construction, as studied by Schäfer et al. [Schäfer 2019; Smolka et al. 2015].

[Danielsson 2017] presents a class of up-to techniques using size-preserving functions, which use sized types to prove the soundness of the techniques. This class of techniques is shown to be related to Pous' companion, but does not include some useful up-to techniques. Namely, Danielsson shows that techniques related to transitivity, such as those discussed in this paper, do not easily fit into the framework of size-preserving functions.

We have chosen to build our approach on top of paco, but other incremental coinductive techniques exist: incremental pattern-based coinduction [Popescu and Gunter 2010], circular coinduction [Hausmann et al. 2005], and parametric coinduction [Moss 2001]. We refer to the related work of Hur et al. [2013] for a thorough comparison.

Finally, we introduced through this paper the use of three up-to techniques relevant to our domain of application. Numerous others can be found in Pous [2016], both derived from the companion and as part of the related work.

A Appendix
A.1 A Property about the Companion
Let $X = \{(\epsilon, \epsilon)\}$ and $Y = \{(\epsilon, \epsilon)\}$. We prove that $\mathrm{cpn}_F(Y) = F(\top)$ for $F = \mathrm{bisimF}\ b_L\ b_R\ \mathrm{clo}_\beta$ with arbitrary $b_L$, $b_R$, $\mathrm{clo}_\beta$. We first define a function $\mathrm{clo}$ as follows:

$$
\mathrm{clo}(r) =
\begin{cases}
\top & \text{if } X \subseteq r \\
F(\top) & \text{else if } Y \subseteq r \\
\emptyset & \text{otherwise}
\end{cases}
$$

Then $\mathrm{clo}$ is trivially monotone, and it is compatible as follows. For any $r$, we show $\mathrm{clo}(F(r)) \subseteq F(\mathrm{clo}(r))$ by case analysis on $r$. First, when $X \subseteq r$, we have $\mathrm{clo}(r) = \top$. We also have $Y \subseteq F(X) \subseteq F(r)$ (by definition of $F$ and its monotonicity) and $X \not\subseteq F(r)$ by definition of $F$. Therefore, we have $\mathrm{clo}(F(r)) = F(\top) = F(\mathrm{clo}(r))$. Second, when $X \not\subseteq r$, we have $X \not\subseteq F(r)$ and $Y \not\subseteq F(r)$ by definition of $F$. Therefore, we have $\mathrm{clo}(F(r)) = \emptyset \subseteq F(\mathrm{clo}(r))$.

Now, we have the following chain of inequalities:

$$
\begin{aligned}
F(\top) &= \mathrm{clo}(Y) && \text{(by definition of } \mathrm{clo}) \\
&\subseteq \mathrm{cpn}_F(Y) && (\mathrm{cpn}_F \text{ includes every compatible function}) \\
&\subseteq \mathrm{cpn}_F(F(X)) && \text{(by definition of } F,\ Y \subseteq F(X)) \\
&\subseteq F(\mathrm{cpn}_F(X)) && (\mathrm{cpn}_F \text{ itself is compatible}) \\
&\subseteq F(\top) && \text{(by monotonicity of } F)
\end{aligned}
$$

Therefore, we have $\mathrm{cpn}_F(Y) = F(\top)$.

Acknowledgments
This work was funded by the National Science Foundation’s Expedition in Computing The Science of Deep Specification under award 1521539 (Weirich, Zdancewic, Pierce), with additional support by the ONR grant REVOLVER award N00014-17-1-2930, and by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science and ICT (2017R1A2B2007512). We are grateful to all the members of the DeepSpec project for their collaboration and feedback, and we greatly appreciate the reviewers’ comments and suggestions.
References
Andres Aristizabal, Dariusz Biernacki, Sergueï Lenglet, and Piotr Polesiuk. 2016. Environmental Bisimulations for Delimited-Control Operators with Dynamic Prompt Generation. Logical Methods in Computer Science 13 (Nov. 2016). https://doi.org/10.23638/LMCS-13(3:27)2017

Dariusz Biernacki, Sergueï Lenglet, and Piotr Polesiuk. 2019. Diacritical Companions. In MFPS 2019 - Mathematical Foundations of Programming Semantics XXXV. London, United Kingdom. https://doi.org/10.1016/j.entcs.2019.09.003

Nils Anders Danielsson. 2017. Up-to Techniques Using Sized Types. Proc. ACM Program. Lang. 2, POPL, Article 43 (Dec. 2017), 28 pages. https://doi.org/10.1145/3158131

Daniel Hausmann, Till Mossakowski, and Lutz Schröder. 2005. Iterative Circular Coinduction for CoCasl in Isabelle/HOL. In Fundamental Approaches to Software Engineering, Maura Cerioli (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 341–356.

Chung-Kil Hur, Georg Neis, Derek Dreyer, and Viktor Vafeiadis. 2013. The Power of Parameterization in Coinductive Proof. In Proceedings of the 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’13). ACM, New York, NY, USA, 193–206. https://doi.org/10.1145/2429069.2429093

Xavier Leroy. 2009. Formal verification of a realistic compiler. Commun. ACM 52, 7 (2009), 107–115. https://doi.org/10.1145/1538788.1538814

Thomas Letan, Yann Régis-Gianas, Pierre Chifflier, and Guillaume Hiet. 2018. Modular Verification of Programs with Effects and Effect Handlers in Coq. In Formal Methods - 22nd International Symposium, FM 2018, Held as Part of the Federated Logic Conference, FloC 2018, Oxford, UK, July 15-17, 2018, Proceedings. 338–354. https://doi.org/10.1007/978-3-319-95582-7_20

Lawrence S. Moss. 2001. Parametric Corecursion. Theor. Comput. Sci. https://doi.org/10.1016/S0304-3975(00)00126-2

Joachim Parrow and Tjark Weber. 2016. The Largest Respectful Function. Logical Methods in Computer Science Volume 12, Issue 2 (June 2016). https://doi.org/10.2168/LMCS-12(2:11)2016

Andrei Popescu and Elsa L. Gunter. 2010. Incremental Pattern-based Coinduction for Process Algebra and Its Isabelle Formalization. In Proceedings of the 13th International Conference on Foundations of Software Science and Computational Structures (FOSSACS’10). Springer-Verlag, Berlin, Heidelberg, 109–127. https://doi.org/10.1007/978-3-642-12032-9_9

Damien Pous. 2007. New up-to techniques for weak bisimulation. Theoretical Computer Science (Automata, Languages and Programming). https://doi.org/10.1016/j.tcs.2007.02.060

Damien Pous. 2016. Coinduction All the Way Up. In Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science (LICS ’16). ACM, New York, NY, USA, 307–316. https://doi.org/10.1145/2933575.2934564

Damien Pous and Davide Sangiorgi. 2011. Enhancements of the bisimulation proof method. Cambridge University Press, 233–289. https://doi.org/10.1017/CBO9780511792588.007

Davide Sangiorgi and Robin Milner. 1992. The Problem of “Weak Bisimulation Up to”. In Proceedings of the Third International Conference on Concurrency Theory (CONCUR ’92). Springer-Verlag, London, UK, 32–46. http://dl.acm.org/citation.cfm?id=646727.703207

Davide Sangiorgi and David Walker. 2001. PI-Calculus: A Theory of Mobile Processes. Cambridge University Press, New York, NY, USA.

Steven Schäfer. 2019. Engineering Formal Systems in Constructive Type Theory. Ph.D. Dissertation. Saarland University.

Gert Smolka, Steven Schäfer, and Christian Doczkal. 2015. Transfinite Constructions in Classical Type Theory. In Interactive Theorem Proving, Christian Urban and Xingyuan Zhang (Eds.). Springer International Publishing, Cham, 391–404.

Yong Kiam Tan, Magnus O. Myreen, Ramana Kumar, Anthony C. J. Fox, Scott Owens, and Michael Norrish. 2016. A new verified compiler backend for CakeML. In ICFP.

Li-yao Xia, Yannick Zakowski, Paul He, Chung-Kil Hur, Gregory Malecha, Benjamin C. Pierce, and Steve Zdancewic. 2020. Interaction Trees. In