Decorated proofs for computational effects: States
Jean-Guillaume Dumas, Dominique Duval, Laurent Fousse, Jean-Claude Reynaud
U. Golas, T. Soboll (Eds.): Proceedings of ACCAT 2012, EPTCS 93, 2012, pp. 45–59, doi:10.4204/EPTCS.93.3
© J.-G. Dumas, D. Duval, L. Fousse & J.-C. Reynaud. This work is licensed under the Creative Commons Attribution-No Derivative Works License.
LJK, Université de Grenoble, France. {Jean-Guillaume.Dumas, Dominique.Duval, Laurent.Fousse, Jean-Claude Reynaud}@imag.fr

Abstract.
The syntax of an imperative language does not mention explicitly the state, while its denotational semantics has to mention it. In this paper we show that the equational proofs about an imperative language may hide the state, in the same way as the syntax does.
Introduction
The evolution of the state of the memory in an imperative program is a computational effect: the state is never mentioned as an argument or a result of a command, whereas in general it is used and modified during the execution of commands. Thus, the syntax of an imperative language does not mention explicitly the state, while its denotational semantics has to mention it. This means that the state is encapsulated: its interface, which is made of the functions for looking up and updating the values of the locations, is separated from its implementation; the state cannot be accessed in any other way than through this interface. In this paper we show that equational proofs in an imperative language may also encapsulate the state: proofs can be performed without any knowledge of the implementation of the state. We will see that a naive approach (called "apparent") cannot deal with the updating of states, while this becomes possible with a slightly more sophisticated approach (called "decorated"). This is expressed in an algebraic framework relying on category theory. To our knowledge, the first categorical treatment of computational effects, using monads, is due to Moggi [Moggi 1991]. The examples proposed by Moggi include the side-effects monad $T(A) = (A \times St)^{St}$ where $St$ is the set of states. Later on, Plotkin and Power used Lawvere theories for dealing with the operations and equations related to computational effects. The Lawvere theory for the side-effects monad involves seven equations [Plotkin & Power 2002]. In Section 1 we describe the intended denotational semantics of states. Then in Section 2 we introduce three variants of the equational logic for formalizing the computational effects due to the states: the apparent, decorated and explicit logics. This approach is illustrated in Section 3 by proving some of the equations from [Plotkin & Power 2002], using rules which do not mention any type of states.

1 States

This section is made of three independent parts. Section 1.1 is devoted to the semantics of states, an example is presented in Section 1.2, and our logical framework is described in Section 1.3.

∗ This work is partly funded by the project HPAC of the French Agence Nationale de la Recherche (ANR 11 BS02 013).
† This work is partly funded by the project CLIMT of the French Agence Nationale de la Recherche (ANR 11 BS02 016).
1.1 Semantics of states

This section deals with the denotational semantics of states, by providing a set-valued interpretation of the lookup and update operations. Let $St$ denote the set of states. Let $Loc$ denote the set of locations (also called variables or identifiers). For each location $i$, let $Val_i$ denote the set of possible values for $i$. For each location $i$ there is a lookup function for reading the value of location $i$ in the given state, without modifying this state: this corresponds to a function $lookup_{i,1} : St \to Val_i$ or equivalently to a function $lookup_i : St \to Val_i \times St$ such that $lookup_i(s) = \langle lookup_{i,1}(s), s \rangle$ for each state $s$. In addition, for each location $i$ there is an update function $update_i : Val_i \times St \to St$ for setting the value of location $i$ to the given value, without modifying the values of the other locations in the given state. This is summarized as follows, for each $i \in Loc$: a set $Val_i$, two functions $lookup_{i,1} : St \to Val_i$ and $update_i : Val_i \times St \to St$, and Equations (1):

$$(1.1)\quad \forall a \in Val_i,\ \forall s \in St,\quad lookup_{i,1}(update_i(a, s)) = a$$
$$(1.2)\quad \forall a \in Val_i,\ \forall s \in St,\quad lookup_{j,1}(update_i(a, s)) = lookup_{j,1}(s) \ \text{ for every } j \in Loc,\ j \neq i$$

The state can be observed thanks to the lookup functions. We may consider the tuple $\langle lookup_{i,1} \rangle_{i \in Loc} : St \to \prod_{i \in Loc} Val_i$. If this function is an isomorphism, then Equations (1) provide a definition of the update functions. In [Plotkin & Power 2002] an equational presentation of states is given, with seven equations: in Remark 1.1 these equations are expressed according to [Melliès 2010] and they are translated in our framework. We use the notations $l_i = lookup_i : St \to Val_i \times St$, $l_{i,1} = lookup_{i,1} : St \to Val_i$ and $u_i = update_i : Val_i \times St \to St$, and in addition $id_i : Val_i \to Val_i$ and $q_i : Val_i \times St \to St$ respectively denote the identity of $Val_i$ and the projection, while $perm_{i,j} : Val_j \times Val_i \times St \to Val_i \times Val_j \times St$ permutes its first and second arguments.

Remark 1.1. The equations in [Plotkin & Power 2002] can be expressed as the following Equations (2):

(2.1) Annihilation lookup-update. Reading the value of a location $i$ and then updating the location $i$ with the obtained value is just like doing nothing.
$$\forall i \in Loc,\ \forall s \in St,\quad u_i(l_i(s)) = s \in St$$

(2.2) Interaction lookup-lookup. Reading twice the same location $i$ is the same as reading it once.
$$\forall i \in Loc,\ \forall s \in St,\quad l_i(q_i(l_i(s))) = l_i(s) \in Val_i \times St$$

(2.3) Interaction update-update. Storing a value $a$ and then a value $a'$ at the same location $i$ is just like storing the value $a'$ in the location.
$$\forall i \in Loc,\ \forall s \in St,\ \forall a, a' \in Val_i,\quad u_i(a', u_i(a, s)) = u_i(a', s) \in St$$

(2.4) Interaction update-lookup. When one stores a value $a$ in a location $i$ and then reads the location $i$, one gets the value $a$.
$$\forall i \in Loc,\ \forall s \in St,\ \forall a \in Val_i,\quad l_{i,1}(u_i(a, s)) = a \in Val_i$$

(2.5) Commutation lookup-lookup. The order of reading two different locations $i$ and $j$ does not matter.
$$\forall i \neq j \in Loc,\ \forall s \in St,\quad (id_i \times l_j)(l_i(s)) = perm_{i,j}((id_j \times l_i)(l_j(s))) \in Val_i \times Val_j \times St$$

(2.6) Commutation update-update. The order of storing in two different locations $i$ and $j$ does not matter.
$$\forall i \neq j \in Loc,\ \forall s \in St,\ \forall a \in Val_i,\ \forall b \in Val_j,\quad u_j(b, u_i(a, s)) = u_i(a, u_j(b, s)) \in St$$

(2.7) Commutation update-lookup. The order of storing in a location $i$ and reading in another location $j$ does not matter.
$$\forall i \neq j \in Loc,\ \forall s \in St,\ \forall a \in Val_i,\quad l_j(u_i(a, s)) = (id_j \times u_i)(perm_{j,i}(a, l_j(s))) \in Val_j \times St$$

Proposition 1.2. Let us assume that $\langle l_{i,1} \rangle_{i \in Loc} : St \to \prod_{i \in Loc} Val_i$ is invertible. Then Equations (1) are equivalent to Equations (2).

Proof. It may be observed that (2.4) is exactly (1.1). In addition, (2.7) is equivalent to (1.2): indeed, (2.7) is equivalent to the conjunction of its projection on $Val_j$ and its projection on $St$; the first one is $l_{j,1}(u_i(a, s)) = l_{j,1}(s)$, which is (1.2), and the second one is $u_i(a, s) = u_i(a, s)$. Equations (2.2) and (2.5) follow from $q_i(l_i(s)) = s$. For the remaining equations (2.1), (2.3) and (2.6), which return states, it is easy to check that for each location $k$, by applying $l_k$ to both members and using equation (1.1) or (1.2) according to $k$, we get the same value in $Val_k$ for both hand-sides. Then equations (2.1), (2.3) and (2.6) follow from the fact that $\langle l_{i,1} \rangle_{i \in Loc} : St \to \prod_{i \in Loc} Val_i$ is invertible.

Proposition 1.2 will be revisited in Section 3, where it will be proved that Equations (1) imply Equations (2) without ever mentioning explicitly the state in the proof.

1.2 Example: a bank account

In an informal way, we consider that a computational effect occurs when there is an apparent mismatch, i.e., some lack of soundness, between the syntax and the denotational semantics of a language. For instance in an object-oriented language, the state of an object does not appear explicitly as an argument nor as a result of any of its methods. In this section, as a toy example, we build a class
$\mathtt{BankAccount}$ for managing (very simple!) bank accounts. We use the types $\mathtt{int}$ and $\mathtt{void}$, and we assume that $\mathtt{int}$ is interpreted by the set of integers $\mathbb{Z}$ and $\mathtt{void}$ by a singleton $\{\star\}$. In the class $\mathtt{BankAccount}$, there is a method $\mathtt{balance()}$ which returns the current balance of the account and a method $\mathtt{deposit(x)}$ for the deposit of $\mathtt{x}$ Euros on the account. The $\mathtt{deposit}$ method is a modifier, which means that it can use and modify the state of the current account. The $\mathtt{balance}$ method is an inspector, or an accessor, which means that it can use the state of the current account but it is not allowed to modify this state. In the object-oriented language C++, a method is called a member function; by default a member function is a modifier, when it is an accessor it is called a constant member function and the keyword $\mathtt{const}$ is used. So, the C++ syntax for declaring the member functions of the class $\mathtt{BankAccount}$ looks like:

    int balance() const;
    void deposit(int);

• Forgetting the keyword $\mathtt{const}$, this piece of C++ syntax can be translated as a signature $Bank_{app}$, which we call the apparent signature (we use the word "apparent" in the sense of "seeming", i.e., "appearing as such but not necessarily so").
$$Bank_{app} : \begin{cases} balance : \mathtt{void} \to \mathtt{int} \\ deposit : \mathtt{int} \to \mathtt{void} \end{cases}$$

In a model (or algebra) of the signature $Bank_{app}$, the operations would be interpreted as functions:

$$\begin{cases} [\![balance]\!] : \{\star\} \to \mathbb{Z} \\ [\![deposit]\!] : \mathbb{Z} \to \{\star\} \end{cases}$$

which clearly is not the intended interpretation.

• In order to get the right semantics, we may use another signature $Bank_{expl}$, which we call the explicit signature, with a new symbol $\mathtt{state}$ for the "type of states":

$$Bank_{expl} : \begin{cases} balance : \mathtt{state} \to \mathtt{int} \\ deposit : \mathtt{int} \times \mathtt{state} \to \mathtt{state} \end{cases}$$

The intended semantics is a model of $Bank_{expl}$, with $St$ denoting the set of states of a bank account:

$$\begin{cases} [\![balance]\!] : St \to \mathbb{Z} \\ [\![deposit]\!] : \mathbb{Z} \times St \to St \end{cases}$$

So far, in this example, we have considered two different signatures. On the one hand, the apparent signature $Bank_{app}$ is simple and quite close to the C++ code, but the intended semantics is not a model of $Bank_{app}$. On the other hand, the semantics is a model of the explicit signature $Bank_{expl}$, but $Bank_{expl}$ is far from the C++ syntax: actually, the very nature of the object-oriented language is lost by introducing a "type of states". Let us now define a decorated signature $Bank_{deco}$, which is still closer to the C++ code than the apparent signature and which has a model corresponding to the intended semantics. The decorated signature is not exactly a signature in the classical sense, because there is a classification of its operations. This classification is provided by superscripts called decorations: the decorations $(1)$ and $(2)$ correspond respectively to the object-oriented notions of accessor and modifier.

$$Bank_{deco} : \begin{cases} balance^{(1)} : \mathtt{void} \to \mathtt{int} \\ deposit^{(2)} : \mathtt{int} \to \mathtt{void} \end{cases}$$

The decorated signature is similar to the C++ code, with the decoration $(1)$ corresponding to the keyword $\mathtt{const}$. The apparent specification $Bank_{app}$ may be recovered from $Bank_{deco}$ by dropping the decorations. In addition, we claim that the intended semantics can be seen as a decorated model of this decorated signature: this will become clear in Section 2.3. In order to add to the signature constants of type $\mathtt{int}$ like $0, 1, 2, \ldots$ and the usual operations on integers, a third decoration is used: the decoration $(0)$ for pure functions, which means, for functions which neither inspect nor modify the state of the bank account. So, we add to the apparent and explicit signatures the constants $0, 1, \ldots : \mathtt{void} \to \mathtt{int}$ and the operations $+, -, * : \mathtt{int} \times \mathtt{int} \to \mathtt{int}$, and we add to the decorated signature the pure constants $0^{(0)}, 1^{(0)}, \ldots : \mathtt{void} \to \mathtt{int}$ and the pure operations $+^{(0)}, -^{(0)}, *^{(0)} : \mathtt{int} \times \mathtt{int} \to \mathtt{int}$. For instance the C++ expressions $\mathtt{deposit(7);\ balance()}$ and $\mathtt{7+balance()}$ can be seen as the decorated terms:

$$balance^{(1)} \circ deposit^{(2)} \circ 7^{(0)} \qquad\text{and}\qquad +^{(0)} \circ \langle 7^{(0)}, balance^{(1)} \rangle$$

which may be illustrated as:

$$\mathtt{void} \xrightarrow{\ 7^{(0)}\ } \mathtt{int} \xrightarrow{\ deposit^{(2)}\ } \mathtt{void} \xrightarrow{\ balance^{(1)}\ } \mathtt{int} \qquad\text{and}\qquad \mathtt{void} \xrightarrow{\ \langle 7^{(0)}, balance^{(1)} \rangle\ } \mathtt{int} \times \mathtt{int} \xrightarrow{\ +^{(0)}\ } \mathtt{int}$$

These two decorated terms have different effects: the first one does modify the state while the second one is an accessor; however, both return the same integer. Let us introduce the symbol $\sim$ for the relation "same result, maybe distinct effects". Then:

$$balance^{(1)} \circ deposit^{(2)} \circ 7^{(0)} \ \sim\ +^{(0)} \circ \langle 7^{(0)}, balance^{(1)} \rangle$$

1.3 The logical framework

In this paper, in order to deal with a relevant notion of morphisms between logics, we define a logic as a diagrammatic logic, in the sense of [Domínguez & Duval 2010]. For the purpose of this paper let us simply say that a logic $L$ determines a category of theories $T$ which is cocomplete, and that a morphism of logics is a left adjoint functor, so that it preserves the colimits. The objects of $T$ are called the theories of the logic $L$. Quite often, $T$ is a category of structured categories. The inference rules of the logic $L$ describe the structure of its theories.
When a theory $F$ is generated by some presentation or specification $S$, a model of $S$ with values in a theory $Q$ is a morphism $M : F \to Q$ in $T$.

The monadic equational logic. For instance, and for future use in the paper, here is the way we describe the monadic equational logic $L_{meqn}$. In order to focus on the syntactic aspect of the theories, we use a congruence symbol "$\equiv$" rather than the equality symbol "$=$". Roughly speaking, a monadic equational theory is a sort of category where the axioms hold only up to congruence (in fact, it is a 2-category). Precisely, a monadic equational theory is a directed graph (its vertices are called objects or types and its edges are called morphisms or terms) with an identity term $id_X : X \to X$ for each type $X$ and a composed term $g \circ f : X \to Z$ for each pair of consecutive terms $(f : X \to Y,\ g : Y \to Z)$; in addition it is endowed with equations $f \equiv g : X \to Y$ which form a congruence, which means, an equivalence relation on parallel terms compatible with the composition; this compatibility can be split in two parts: substitution and replacement. In addition, the associativity and identity axioms hold up to congruence. These properties of the monadic equational theories can be described by a set of inference rules, as in Figure 1.

(id) $\dfrac{X}{id_X : X \to X}$

(comp) $\dfrac{f : X \to Y \quad g : Y \to Z}{g \circ f : X \to Z}$

(id-src) $\dfrac{f : X \to Y}{f \circ id_X \equiv f}$

(id-tgt) $\dfrac{f : X \to Y}{id_Y \circ f \equiv f}$

(assoc) $\dfrac{f : X \to Y \quad g : Y \to Z \quad h : Z \to W}{h \circ (g \circ f) \equiv (h \circ g) \circ f}$

($\equiv$-refl) $\dfrac{}{f \equiv f}$

($\equiv$-sym) $\dfrac{f \equiv g}{g \equiv f}$

($\equiv$-trans) $\dfrac{f \equiv g \quad g \equiv h}{f \equiv h}$

($\equiv$-subs) $\dfrac{f : X \to Y \quad g \equiv g' : Y \to Z}{g \circ f \equiv g' \circ f : X \to Z}$

($\equiv$-repl) $\dfrac{f \equiv f' : X \to Y \quad g : Y \to Z}{g \circ f \equiv g \circ f' : X \to Z}$

Figure 1: Rules of the monadic equational logic
Adding products to the monadic equational logic. In contrast with equational theories, the existence of products is not required in a monadic equational theory. However some specific products may exist. A product in a monadic equational theory $T$ is "up to congruence", in the following sense. Let $(Y_i)_{i \in I}$ be a family of objects in $T$, indexed by some set $I$. A product with base $(Y_i)_{i \in I}$ is a cone $(q_i : Y \to Y_i)_{i \in I}$ such that for every cone $(f_i : X \to Y_i)_{i \in I}$ on the same base there is a term $f = \langle f_i \rangle_{i \in I} : X \to Y$ such that $q_i \circ f \equiv f_i$ for each $i$, and in addition this term is unique up to congruence, in the sense that if $g : X \to Y$ is such that $q_i \circ g \equiv f_i$ for each $i$ then $g \equiv f$. When $I$ is empty, we get a terminal object $\mathbb{1}$, such that for every $X$ there is an arrow $\langle\rangle_X : X \to \mathbb{1}$ which is unique up to congruence. The corresponding inference rules are given in Figure 2. The quantification "$\forall i$", or "$\forall i \in I$", is a kind of "syntactic sugar": when occurring in the premisses of a rule, it stands for a conjunction of premisses.

When $(q_i : Y \to Y_i)_{i \in I}$ is a product:

(tuple) $\dfrac{(f_i : X \to Y_i)_i}{\langle f_i \rangle_i : X \to Y}$

(tuple-proj-$i$) $\dfrac{(f_i : X \to Y_i)_i}{q_i \circ \langle f_j \rangle_j \equiv f_i}$

(tuple-unique) $\dfrac{g : X \to Y \quad \forall i\ \ q_i \circ g \equiv f_i}{g \equiv \langle f_j \rangle_j}$

When $\mathbb{1}$ is a terminal type ("empty product"):

(final) $\dfrac{X}{\langle\rangle_X : X \to \mathbb{1}}$

(final-unique) $\dfrac{g : X \to \mathbb{1}}{g \equiv \langle\rangle_X}$

Figure 2: Rules for products
2 Three logics for states

In this section we introduce three logics for dealing with states as computational effects. This generalizes the example of the bank account in Section 1.2. We present first the explicit logic (close to the semantics), then the apparent logic (close to the syntax), and finally the decorated logic and the morphisms from the decorated logic to the apparent and the explicit ones. In the syntax of an imperative language there is no type of states (the state is "hidden") while the interpretation of this language involves a set of states $St$. More precisely, if the types $X$ and $Y$ are interpreted as the sets $[\![X]\!]$ and $[\![Y]\!]$, then each term $f : X \to Y$ is interpreted as a function $[\![f]\!] : [\![X]\!] \times St \to [\![Y]\!] \times St$. In Moggi's paper introducing monads for effects [Moggi 1991] such a term $f : X \to Y$ is called a computation, and whenever the function $[\![f]\!]$ is $[\![f]\!]_0 \times id_{St}$ for some $[\![f]\!]_0 : [\![X]\!] \to [\![Y]\!]$ then $f$ is called a value. We keep this distinction, using modifier and pure term instead of computation and value, respectively. In addition, an accessor (or inspector) is a term $f : X \to Y$ that is interpreted by a function $[\![f]\!] = \langle [\![f]\!]_1, q_X \rangle$, for some $[\![f]\!]_1 : [\![X]\!] \times St \to [\![Y]\!]$, where $q_X : [\![X]\!] \times St \to St$ is the projection. It follows that every pure term is an accessor and every accessor is a modifier. We will respectively use the decorations $(0)$, $(1)$ and $(2)$, written as superscripts, for pure terms, accessors and modifiers. Moreover, we distinguish two kinds of equations: when $f, g : X \to Y$ are parallel terms, then a strong equation $f \equiv g$ is interpreted as the equality $[\![f]\!] = [\![g]\!] : [\![X]\!] \times St \to [\![Y]\!] \times St$, while a weak equation $f \sim g$ is interpreted as the equality $p_Y \circ [\![f]\!] = p_Y \circ [\![g]\!] : [\![X]\!] \times St \to [\![Y]\!]$, where $p_Y : [\![Y]\!] \times St \to [\![Y]\!]$ is the projection. Clearly, strong and weak equations coincide on accessors and on pure terms, while they differ on modifiers.
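As an added illustration, not taken from the paper, the following Python model interprets the bank account of Section 1.2 in the way just described: each decorated term becomes a function $[\![X]\!] \times St \to [\![Y]\!] \times St$ with $St = \m­athbb{Z}$ (the balance), and strong and weak equations are checked exhaustively over a constructed finite range of balances. The helper names (`pure`, `accessor`, `modifier`, `compose`, `pair`, `strong_eq`, `weak_eq`) are this example's own, not notation from the paper.

```python
"""Added example (not from the paper): the bank account of Section 1.2
interpreted as in Section 2, where a term f : X -> Y denotes a function
[[f]] : [[X]] x St -> [[Y]] x St.  Here [[void]] = {*} and St = Z (the balance)."""
from itertools import product

# Constructed finite slices used for the exhaustive checks below.
STATES = range(-3, 4)      # St: the possible balances of the (tiny) account
UNIT = ((),)               # [[void]] = {*}, with * modelled by the empty tuple

def pure(f):
    """Decoration (0): f : X -> Y gives [[f]] = f x id_St."""
    return lambda x, s: (f(x), s)

def accessor(f):
    """Decoration (1): f_1 : X x St -> Y gives [[f]] = <f_1, q_X> (state kept)."""
    return lambda x, s: (f(x, s), s)

def modifier(f):
    """Decoration (2): f : X x St -> Y x St is used as it is."""
    return f

def compose(g, f):
    """(g o f)(x, s): run f, then g on the result and on the new state."""
    def h(x, s):
        y, s1 = f(x, s)
        return g(y, s1)
    return h

def pair(f, g):
    """<f, g> for two accessors f, g : X -> Y_i (same state for both, unchanged)."""
    return lambda x, s: ((f(x, s)[0], g(x, s)[0]), s)

def strong_eq(f, g, domain):
    """f == g: same result and same final state for every input and state."""
    return all(f(x, s) == g(x, s) for x, s in product(domain, STATES))

def weak_eq(f, g, domain):
    """f ~ g: same result, maybe distinct final states (p_Y o [[f]] = p_Y o [[g]])."""
    return all(f(x, s)[0] == g(x, s)[0] for x, s in product(domain, STATES))

# The decorated signature Bank_deco, plus the pure constant 7 and operation +.
balance = accessor(lambda _x, s: s)            # balance^(1) : void -> int
deposit = modifier(lambda x, s: ((), s + x))   # deposit^(2) : int -> void
seven = pure(lambda _x: 7)                     # 7^(0)       : void -> int
plus = pure(lambda xy: xy[0] + xy[1])          # +^(0)       : int x int -> int
unit_id = pure(lambda x: x)                    # <>_void^(0) : void -> void (pure identity)

def check_bank_terms():
    """'deposit(7); balance()' versus '7 + balance()': weakly but not strongly equal.
    Returns (weak, strong)."""
    t1 = compose(balance, compose(deposit, seven))    # balance^(1) o deposit^(2) o 7^(0)
    t2 = compose(plus, pair(seven, balance))          # +^(0) o <7^(0), balance^(1)>
    return weak_eq(t1, t2, UNIT), strong_eq(t1, t2, UNIT)

def check_pure_replacement():
    """Pure replacement: deposit(7) ~ <>_void (both return *), and this weak equation
    survives composition with the pure 7^(0) but not with the accessor balance^(1).
    Returns (deposit(7) ~ <>_void,
             balance o deposit(7) ~ balance o <>_void,
             7 o deposit(7) ~ 7 o <>_void)."""
    dep7 = compose(deposit, seven)
    return (weak_eq(dep7, unit_id, UNIT),
            weak_eq(compose(balance, dep7), compose(balance, unit_id), UNIT),
            weak_eq(compose(seven, dep7), compose(seven, unit_id), UNIT))
```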
As in Section 1.1, we consider some given set of locations $Loc$ and for each location $i$ a set $Val_i$ of possible values for $i$. The set of states is defined as $St = \prod_{i \in Loc} Val_i$, and the projections are denoted by $lookup_{i,1} : St \to Val_i$. For each location $i$, let $update_i : Val_i \times St \to St$ be defined by Equations (1) as in Section 1.1. In order to focus on the fundamental properties of states as effects, the three logics for states are based on the "poor" monadic equational logic (as described in Section 1.3).

2.1 The explicit logic for states

The explicit logic for states $L_{expl}$ is a kind of "pointed" monadic equational logic: a theory $Q_{expl}$ for $L_{expl}$ is a monadic equational theory with a distinguished object $S$, called the type of states, and with a product-with-$S$ functor $X \times S$. As in Section 1.2, the explicit logic provides the relevant semantics, but it is far from the syntax. The explicit theory for states $State_{expl}$ is generated by a type $V_i$ and an operation $l_{i,1} : S \to V_i$ for each location $i$, which form a product $(l_{i,1} : S \to V_i)_{i \in Loc}$. Thus, for each location $i$ there is an operation $u_i : V_i \times S \to S$, unique up to congruence, which satisfies the equations below (where $p_i : V_i \times S \to V_i$ and $q_i : V_i \times S \to S$ are the projections):

$$State_{expl} : \begin{array}{ll} \text{operations} & l_{i,1} : S \to V_i,\ \ u_i : V_i \times S \to S \\ \text{product} & (l_{i,1} : S \to V_i)_{i \in Loc} \\ \text{equations} & l_{i,1} \circ u_i \equiv p_i : V_i \times S \to V_i,\ \ l_{j,1} \circ u_i \equiv l_{j,1} \circ q_i : V_i \times S \to V_j \ \text{ for each } j \neq i \end{array}$$

Let us define the explicit theory $Set_{expl}$ as the category of sets with the equality as congruence and with the set of states $St = \prod_{j \in Loc} Val_j$ as its distinguished set. The semantics of states, as described in Section 1.1, is the model $M_{expl} : State_{expl} \to Set_{expl}$ which maps the type $V_i$ to the set $Val_i$ for each $i \in Loc$, the type $S$ to the set $St$, and the operations $l_{i,1}$ and $u_i$ to the functions $lookup_{i,1}$ and $update_i$, respectively.

2.2 The apparent logic for states

The apparent logic for states $L_{app}$ is the monadic equational logic (Section 1.3). As in Section 1.2, the apparent logic is close to the syntax but it does not provide the relevant semantics. The apparent theory for states $State_{app}$ can be obtained from the explicit theory $State_{expl}$ by identifying the type of states $S$ with the unit type $\mathbb{1}$. So, there is in $State_{app}$ a terminal type $\mathbb{1}$ and for each location $i$ a type $V_i$ for the possible values of $i$ and an operation $l_i : \mathbb{1} \to V_i$ for observing the value of $i$. A set-valued model for this part of $State_{app}$, with the constraint that for each $i$ the interpretation of $V_i$ is the given set $Val_i$, is made of an element $a_i \in Val_i$ for each $i$ (it is the image of the interpretation of $l_i$). Thus, such a model corresponds to a state, made of a value for each location; this is known as the states-as-models or states-as-algebras point of view [Gaudel et al. 1996]. In addition, it is assumed that in $State_{app}$ the operations $l_i$'s form a product $(l_i : \mathbb{1} \to V_i)_{i \in Loc}$. This assumption implies that each $l_i$ is an isomorphism, so that each $V_i$ must be interpreted as a singleton: this does not fit with the semantics of states. However, we will see in Section 2.3 that this assumption becomes meaningful when decorations are added, in a similar way as in the bank example in Section 1.2.
Formally, the assumption that $(l_i : \mathbb{1} \to V_i)_{i \in Loc}$ is a product provides for each location $i$ an operation $u_i : V_i \to \mathbb{1}$, unique up to congruence, which satisfies the equations below (where $id_i : V_i \to V_i$ is the identity and $\langle\rangle_i = \langle\rangle_{V_i} : V_i \to \mathbb{1}$):

$$State_{app} : \begin{array}{ll} \text{operations} & l_i : \mathbb{1} \to V_i,\ \ u_i : V_i \to \mathbb{1} \\ \text{product} & (l_i : \mathbb{1} \to V_i)_{i \in Loc} \ \text{ with terminal type } \mathbb{1} \\ \text{equations} & l_i \circ u_i \equiv id_i : V_i \to V_i,\ \ l_j \circ u_i \equiv l_j \circ \langle\rangle_i : V_i \to V_j \ \text{ for each } j \neq i \end{array}$$

At first view, these equations mean that after $u_i(a)$ is executed, the value of $i$ is put to $a$ and the value of $j$ (for $j \neq i$) is unchanged. However, as noted above, this intuition is not supported by the semantics in the apparent logic. Nevertheless, the apparent logic can be used for checking the validity of a decorated proof, as explained in Section 2.4.

2.3 The decorated logic for states

Now, as in Section 1.2, we introduce a third logic for states, which is close to the syntax and which provides the relevant semantics. It is defined by adding "decorations" to the apparent logic. A theory $Q_{deco}$ for the decorated logic for states $L_{deco}$ is made of:

• A monadic equational theory $Q^{(2)}$. The terms in $Q^{(2)}$ may be called the modifiers and the equations $f \equiv g$ may be called the strong equations.

• Two additional monadic equational theories $Q^{(0)}$ and $Q^{(1)}$, with the same types as $Q^{(2)}$, and such that $Q^{(0)} \subseteq Q^{(1)} \subseteq Q^{(2)}$ and the congruence on $Q^{(0)}$ and on $Q^{(1)}$ is the restriction of the congruence on $Q^{(2)}$. The terms in $Q^{(1)}$ may be called the accessors, and if they are in $Q^{(0)}$ they may be called the pure terms.

• A second equivalence relation $\sim$ between parallel terms in $Q^{(2)}$, which is only "weakly" compatible with the composition; the relation $\sim$ satisfies the substitution property but only a weak version of the replacement property, called the pure replacement: if $f \sim f' : X \to Y$ and $g : Y \to Z$ then in general $g \circ f \not\sim g \circ f'$, except when $g$ is pure.

The relations $f \sim g$ are called the weak equations. It is assumed that every strong equation is a weak equation and that every weak equation between accessors is a strong equation, so that the relations $\equiv$ and $\sim$ coincide on $Q^{(0)}$ and on $Q^{(1)}$. We use the following notations, called decorations: a pure term $f$ is denoted $f^{(0)}$, an accessor $f$ is denoted $f^{(1)}$, and a modifier $f$ is denoted $f^{(2)}$; this last decoration is unnecessary since every term is a modifier, however it may be used for emphasizing. Figure 3 provides the decorated rules, which describe the properties of the decorated theories. For readability, the decoration properties may be grouped with other properties: for instance, "$f^{(1)} \sim g^{(1)}$" means "$f^{(1)}$ and $g^{(1)}$ and $f \sim g$".

Rules of the monadic equational logic, and:

(0-id) $\dfrac{X}{id_X^{(0)} : X \to X}$

(0-comp) $\dfrac{f^{(0)} \quad g^{(0)}}{(g \circ f)^{(0)}}$

(0-to-1) $\dfrac{f^{(0)}}{f^{(1)}}$

(1-comp) $\dfrac{f^{(1)} \quad g^{(1)}}{(g \circ f)^{(1)}}$

(1-$\sim$-to-$\equiv$) $\dfrac{f^{(1)} \sim g^{(1)}}{f \equiv g}$

($\equiv$-to-$\sim$) $\dfrac{f \equiv g}{f \sim g}$

($\sim$-refl) $\dfrac{}{f \sim f}$

($\sim$-sym) $\dfrac{f \sim g}{g \sim f}$

($\sim$-trans) $\dfrac{f \sim g \quad g \sim h}{f \sim h}$

($\sim$-subs) $\dfrac{f : X \to Y \quad g \sim g' : Y \to Z}{g \circ f \sim g' \circ f : X \to Z}$

(0-$\sim$-repl) $\dfrac{f \sim f' : X \to Y \quad g^{(0)} : Y \to Z}{g \circ f \sim g \circ f' : X \to Z}$

Figure 3: Rules of the decorated logic for states

Some specific kinds of products may be used in a decorated theory, for instance:

• A distinguished type $\mathbb{1}$ with the following decorated terminality property: for each type $X$ there is a pure term $\langle\rangle_X : X \to \mathbb{1}$ such that every modifier $g : X \to \mathbb{1}$ satisfies $g \sim \langle\rangle_X$. It follows from the properties of weak equations that $\mathbb{1}$ is a terminal type in $Q^{(0)}$ and in $Q^{(1)}$.

• An observational product with base $(Y_i)_{i \in I}$ is a cone of accessors $(q_i : Y \to Y_i)_{i \in I}$ such that for every cone of accessors $(f_i : X \to Y_i)_{i \in I}$ on the same base there is a modifier $f = \langle f_i \rangle_{i \in I} : X \to Y$ such that $q_i \circ f \sim f_i$ for each $i$, and in addition this modifier is unique up to strong equations, in the sense that if $g : X \to Y$ is a modifier such that $q_i \circ g \sim f_i$ for each $i$ then $g \equiv f$. An observational product allows to prove strong equations from weak ones: by looking at the results of some observations, thanks to the properties of the observational product, we get information on the state.

When $\mathbb{1}$ is a decorated terminal type:

(0-final) $\dfrac{X}{\langle\rangle_X^{(0)} : X \to \mathbb{1}}$

($\sim$-final-unique) $\dfrac{g : X \to \mathbb{1}}{g \sim \langle\rangle_X}$

When $(q_i^{(1)} : Y \to Y_i)_i$ is an observational product:

(obs-tuple) $\dfrac{(f_i^{(1)} : X \to Y_i)_i}{\langle f_i \rangle_i^{(2)} : X \to Y}$

(obs-tuple-proj-$i$) $\dfrac{(f_i^{(1)} : X \to Y_i)_i}{q_i \circ \langle f_j \rangle_j \sim f_i}$

(obs-tuple-unique) $\dfrac{g^{(2)} : X \to Y \quad \forall i\ \ q_i \circ g \sim f_i^{(1)}}{g \equiv \langle f_j \rangle_j}$

Figure 4: Rules for some decorated products for states

The decorated theory of states $State_{deco}$ is generated by a type $V_i$ and an accessor $l_i^{(1)} : \mathbb{1} \to V_i$ for each $i \in Loc$, which form an observational product $(l_i^{(1)} : \mathbb{1} \to V_i)_{i \in Loc}$. The modifiers $u_i$'s are defined (up to strong equations), using the property of the observational product, by the weak equations below:

$$State_{deco} : \begin{array}{ll} \text{operations} & l_i^{(1)} : \mathbb{1} \to V_i,\ \ u_i^{(2)} : V_i \to \mathbb{1} \\ \text{observational product} & (l_i^{(1)} : \mathbb{1} \to V_i)_{i \in Loc} \ \text{ with decorated terminal type } \mathbb{1} \\ \text{equations} & l_i \circ u_i \sim id_i : V_i \to V_i,\ \ l_j \circ u_i \sim l_j \circ \langle\rangle_i : V_i \to V_j \ \text{ for each } j \neq i \end{array}$$

The decorated theory of sets
$Set_{deco}$ is built from the category of sets, as follows. There is in $Set_{deco}$ a type for each set, a modifier $f^{(2)} : X \to Y$ for each function $f : X \times St \to Y \times St$, an accessor $f^{(1)} : X \to Y$ for each function $f : X \times St \to Y$, and a pure term $f^{(0)} : X \to Y$ for each function $f : X \to Y$, with the straightforward conversions. Let $f^{(2)}, g^{(2)} : X \to Y$ correspond to $f, g : X \times St \to Y \times St$. A strong equation $f \equiv g$ is an equality $f = g : X \times St \to Y \times St$, while a weak equation $f \sim g$ is an equality $p \circ f = p \circ g : X \times St \to Y$, where $p : Y \times St \to Y$ is the projection. For each location $i$ the projection $lookup_{i,1} : St \to Val_i$ corresponds to an accessor $lookup_i^{(1)} : \mathbb{1} \to Val_i$ in $Set_{deco}$, so that the family $(lookup_i^{(1)})_{i \in Loc}$ forms an observational product in $Set_{deco}$. We get a model $M_{deco}$ of $State_{deco}$ with values in $Set_{deco}$ by mapping the type $V_i$ to the set $Val_i$ and the accessor $l_i^{(1)}$ to the accessor $lookup_i^{(1)}$, for each $i \in Loc$. Then for each $i$ the modifier $u_i^{(2)}$ is mapped to the modifier $update_i^{(2)}$.

2.4 Morphisms between the logics for states

Every decorated theory $Q_{deco}$ gives rise to an apparent theory $Q_{app}$ by dropping the decorations, which means that the apparent theory $Q_{app}$ is made of a type $X$ for each type $X$ in $Q_{deco}$, a term $f : X \to Y$ for each modifier $f : X \to Y$ in $Q_{deco}$ (which includes the accessors and the pure terms), and an equation $f \equiv g$ for each weak equation $f \sim g$ in $Q_{deco}$ (which includes the strong equations). Thus, the distinction between modifiers, accessors and pure terms disappears, as well as the distinction between weak and strong equations. Equivalently, the apparent theory $Q_{app}$ can be defined as the apparent theory $Q^{(2)}$ together with an equation $f \equiv g$ for each weak equation $f \sim g$ in $Q_{deco}$ which is not associated to a strong equation in $Q_{deco}$ (otherwise, it is already in $Q^{(2)}$). Thus, a decorated terminal type in $Q_{deco}$ becomes a terminal type in $Q_{app}$ and an observational product $(q_i^{(1)} : Y \to Y_i)_i$ in $Q_{deco}$ becomes a product $(q_i : Y \to Y_i)_i$ in $Q_{app}$. In the same way, each rule of the decorated logic is mapped to a rule of the apparent logic by dropping the decorations. This property can be used for checking a decorated proof in two steps, by checking on one side the undecorated proof and on the other side the decorations. This construction of $Q_{app}$ from $Q_{deco}$, by dropping the decorations, is a morphism from $L_{deco}$ to $L_{app}$, denoted $F_{app}$.

Every decorated theory $Q_{deco}$ gives rise to an explicit theory $Q_{expl}$ by expanding the decorations, which means that the explicit theory $Q_{expl}$ is made of:

• A type $X$ for each type $X$ in $Q_{deco}$; projections are denoted by $p_X : X \times S \to X$ and $q_X : X \times S \to S$.
• A term $f : X \times S \to Y \times S$ for each modifier $f : X \to Y$ in $Q_{deco}$, such that:
  – if $f$ is an accessor then there is a term $f_1 : X \times S \to Y$ in $Q_{expl}$ such that $f = \langle f_1, q_X \rangle$,
  – if moreover $f$ is a pure term then there is a term $f_0 : X \to Y$ in $Q_{expl}$ such that $f_1 = f_0 \circ p_X : X \times S \to Y$, hence $f = \langle f_0 \circ p_X, q_X \rangle = f_0 \times id_S$ in $Q_{expl}$.

• An equation $f \equiv g : X \times S \to Y \times S$ for each strong equation $f \equiv g : X \to Y$ in $Q_{deco}$.

• An equation $p_Y \circ f \equiv p_Y \circ g : X \times S \to Y$ for each weak equation $f \sim g : X \to Y$ in $Q_{deco}$.

• A product $(q_{i,1} : Y \times S \to Y_i)_i$ for each observational product $(q_i^{(1)} : Y \to Y_i)_i$ in $Q_{deco}$.

This construction of $Q_{expl}$ from $Q_{deco}$ is a morphism from $L_{deco}$ to $L_{expl}$, denoted $F_{expl}$ and called the expansion. The expansion morphism makes explicit the meaning of the decorations, by introducing a "type of states" $S$. Thus, each modifier $f^{(2)}$ gives rise to a term $f$ which may use and modify the state, while whenever $f^{(1)}$ is an accessor then $f$ may use the state but is not allowed to modify it, and when moreover $f^{(0)}$ is a pure term then $f$ may neither use nor modify the state. When $f^{(2)} \equiv g^{(2)}$ then $f$ and $g$ must return the same result and the same state; when $f^{(2)} \sim g^{(2)}$ then $f$ and $g$ must return the same result but maybe not the same state. We have seen that the semantics of states cannot be described in the apparent logic, but can be described both in the decorated logic and in the explicit logic. Recall that every morphism of logics is a left adjoint functor. This is the case for the expansion morphism $F_{expl} : L_{deco} \to L_{expl}$: it is a left adjoint functor $F_{expl} : T_{deco} \to T_{expl}$, and its right adjoint is denoted $G_{expl}$. In fact, it is easy to check that $Set_{deco} = G_{expl}(Set_{expl})$, and since $State_{expl} = F_{expl}(State_{deco})$ it follows that the decorated model $M_{deco} : State_{deco} \to Set_{deco}$ and the explicit model $M_{expl} : State_{expl} \to Set_{expl}$ are related by the adjunction $F_{expl} \dashv G_{expl}$.
This means that the models $M_{deco}$ and $M_{expl}$ are two different ways to formalize the semantics of states from Section 1.1. In order to conclude Section 2, the morphisms of logics $F_{app}$ and $F_{expl}$ are summarized in Figure 5.

$$Q_{app} \xleftarrow{\ F_{app}\ } Q_{deco} \xrightarrow{\ F_{expl}\ } Q_{expl}$$

| $Q_{app}$ | | $Q_{deco}$ | $Q_{expl}$ |
|---|---|---|---|
| $f : X \to Y$ | modifier | $f^{(2)} : X \to Y$ | $f : X \times S \to Y \times S$ |
| $f : X \to Y$ | accessor | $f^{(1)} : X \to Y$ | $f_1 : X \times S \to Y$ |
| $f : X \to Y$ | pure term | $f^{(0)} : X \to Y$ | $f_0 : X \to Y$ |
| $f \equiv g : X \to Y$ | strong equation | $f \equiv g : X \to Y$ | $f \equiv g : X \times S \to Y \times S$ |
| $f \equiv g : X \to Y$ | weak equation | $f \sim g : X \to Y$ | $p_Y \circ f \equiv p_Y \circ g : X \times S \to Y$ |

Figure 5: A span of logics for states

3 Decorated proofs

The inference rules of the decorated logic $L_{deco}$ are now used for proving some of the Equations (2) (in Remark 1.1). All proofs in this section are performed in the decorated logic; for readability the identity and associativity rules (id-src), (id-tgt) and (assoc) are omitted. Some derived rules are proved in Section 3.1, then Equation (2.1) is proved in Section 3.2. In order to deal with the equations with two values as argument or as result, we use the semi-pure products introduced in [Dumas et al. 2011]; the rules for semi-pure products are recalled in Section 3.3, then all seven Equations (2) are expressed in the decorated logic and Equation (2.6) is proved in Section 3.4. Proving the other equations would be similar. We use as axioms the fact that $l_i$ is an accessor and the weak equations in $State_{deco}$ (Section 2.3).
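As an added example, not taken from the paper, the following Python model builds $M_{deco}$ of Section 2.3 for a constructed two-location instance ($Loc = \{x, y\}$, $Val_x = Val_y = \{0, 1, 2\}$) and checks exhaustively Equations (1) and (2) of Section 1.1 together with what the decorated proofs below establish: the weak equations $l_k \circ u_i \circ l_i \sim l_k$ for every location $k$, and the strong equation $u_i \circ l_i \equiv id$ that the observational product then yields. All function names are this example's own.

```python
"""Added example (not from the paper): the model M_deco of State_deco in Set_deco
(Section 2.3) on a constructed two-location instance, checking exhaustively what
Propositions 1.2 and 3.1 establish.  As in Set_deco, a modifier 1 -> 1 is a
function St -> St and an accessor 1 -> V_i is a function St -> Val_i."""
from itertools import product

# Constructed instance: Loc = {'x', 'y'} and Val_x = Val_y = {0, 1, 2}.
LOC = ('x', 'y')
VAL = {'x': (0, 1, 2), 'y': (0, 1, 2)}
# St = prod_i Val_i; a state is represented by a dict {location: value}.
STATES = [dict(zip(LOC, vals)) for vals in product(*(VAL[i] for i in LOC))]

def lookup1(i):
    """lookup_{i,1} : St -> Val_i, the projection (the accessor l_i^(1) : 1 -> V_i)."""
    return lambda s: s[i]

def lookup(i):
    """lookup_i : St -> Val_i x St, lookup_i(s) = <lookup_{i,1}(s), s>."""
    return lambda s: (s[i], s)

def update(i):
    """update_i : Val_i x St -> St, as defined by Equations (1.1) and (1.2)."""
    return lambda a, s: {j: (a if j == i else s[j]) for j in LOC}

def check_equations_1():
    """(1.1) lookup_{i,1}(update_i(a, s)) = a, and
    (1.2) lookup_{j,1}(update_i(a, s)) = lookup_{j,1}(s) for every j != i."""
    for i in LOC:
        for a, s in product(VAL[i], STATES):
            t = update(i)(a, s)
            if lookup1(i)(t) != a or any(t[j] != s[j] for j in LOC if j != i):
                return False
    return True

def check_equations_2():
    """The seven Equations (2) of Remark 1.1, on every location, value and state."""
    ok = True
    for i in LOC:
        l, u = lookup(i), update(i)
        for s in STATES:
            ok &= u(*l(s)) == s                                          # (2.1)
            ok &= l(l(s)[1]) == l(s)                                     # (2.2)
            for a in VAL[i]:
                ok &= lookup1(i)(u(a, s)) == a                          # (2.4)
                ok &= all(u(a2, u(a, s)) == u(a2, s) for a2 in VAL[i])  # (2.3)
            for j in LOC:
                if j == i:
                    continue
                lj, uj = lookup(j), update(j)
                # (2.5): values and state after reading i then j, or j then i
                vi, s1 = l(s)
                vj, s2 = lj(s1)
                wj, s3 = lj(s)
                wi, s4 = l(s3)
                ok &= (vi, vj, s2) == (wi, wj, s4)
                for a in VAL[i]:
                    ok &= all(uj(b, u(a, s)) == u(a, uj(b, s)) for b in VAL[j])  # (2.6)
                    ok &= lj(u(a, s)) == (lj(s)[0], u(a, s))             # (2.7)
    return ok

def observed_as(g, k):
    """l_k o g ~ l_k: observing location k after the modifier g : 1 -> 1 gives the
    same value as observing it before (a weak equation between accessors)."""
    return all(lookup1(k)(g(s)) == lookup1(k)(s) for s in STATES)

def strongly_identity(g):
    """g == id_1: the modifier g : 1 -> 1 returns the state unchanged."""
    return all(g(s) == s for s in STATES)

def check_annihilation(i):
    """Proposition 3.1 / Equation (2.1) for location i: u_i o l_i == id_1.
    First component: the weak equations l_k o u_i o l_i ~ l_k for all k (what the
    decorated proof derives); second: the strong equation that the observational
    product yields (here <lookup_{k,1}>_k is a bijection, as in Proposition 1.2)."""
    u_l = lambda s: update(i)(lookup1(i)(s), s)     # u_i^(2) o l_i^(1) : 1 -> 1
    return all(observed_as(u_l, k) for k in LOC), strongly_identity(u_l)

def check_swap():
    """A modifier 1 -> 1 exchanging the two locations is weakly equal to id_1
    (rule (~-final-unique): both return *), yet the observations detect it, so it
    is not strongly equal to id_1.  Returns the same pair as check_annihilation."""
    swap = lambda s: {'x': s['y'], 'y': s['x']}
    return all(observed_as(swap, k) for k in LOC), strongly_identity(swap)
```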
Let us now derive some rules from the rules of the decorated logic (Figures 3 and 4). Here $\langle\rangle_X^{(0)} : X \to 1$ is the pure term to the terminal type given by rule (0-final), and $id_1^{(0)} : 1 \to 1$ is given by (0-id). Each rule exists in a version for accessors (decoration $(1)$) and a version for pure terms (decoration $(0)$).

Figure 6: Some derived rules in the decorated logic for states, for $d \in \{0, 1\}$

  $(E_1^{(d)})$  $f^{(d)} : X \to 1 \;\vdash\; f \equiv \langle\rangle_X$
  $(E_2^{(d)})$  $f^{(d)} : X \to 1,\; g^{(d)} : X \to 1 \;\vdash\; f \equiv g$
  $(E_3^{(d)})$  $f^{(d)} : X \to Y,\; g^{(d)} : Y \to 1,\; h^{(d)} : X \to 1 \;\vdash\; g \circ f \equiv h$
  $(E_4^{(d)})$  $f^{(d)} : 1 \to X \;\vdash\; \langle\rangle_X \circ f \equiv id_1$
Proof.
The derived rules for accessors, $(E_1^{(1)})$ to $(E_4^{(1)})$, can be proved as follows. The proofs of their pure counterparts $(E_1^{(0)})$ to $(E_4^{(0)})$ are left to the reader.

$(E_1^{(1)})$: from $f^{(1)} : X \to 1$. By (0-final), $\langle\rangle_X^{(0)} : X \to 1$; by (0-to-1), $\langle\rangle_X^{(1)} : X \to 1$. By ($\sim$-final-unique), $f \sim \langle\rangle_X$. Since both $f$ and $\langle\rangle_X$ are accessors, (1-$\sim$-to-$\equiv$) gives $f \equiv \langle\rangle_X$.

$(E_2^{(1)})$: from $f^{(1)} : X \to 1$ and $g^{(1)} : X \to 1$. By $(E_1^{(1)})$, $f \equiv \langle\rangle_X$ and $g \equiv \langle\rangle_X$; by ($\equiv$-sym), $\langle\rangle_X \equiv g$; by ($\equiv$-trans), $f \equiv g$.

$(E_3^{(1)})$: from $f^{(1)} : X \to Y$, $g^{(1)} : Y \to 1$ and $h^{(1)} : X \to 1$. By (1-comp), $(g \circ f)^{(1)} : X \to 1$; then $(E_2^{(1)})$ applied to $g \circ f$ and $h$ gives $g \circ f \equiv h$.

$(E_4^{(1)})$: from $f^{(1)} : 1 \to X$. By (0-final) and (0-to-1), $\langle\rangle_X^{(1)} : X \to 1$; by (0-id) and (0-to-1), $id_1^{(1)} : 1 \to 1$. Then $(E_3^{(1)})$ with $g = \langle\rangle_X$ and $h = id_1$ gives $\langle\rangle_X \circ f \equiv id_1$.

It is easy to check that the decorated equation $u_i^{(2)} \circ l_i^{(1)} \equiv id_1^{(0)}$ gets expanded as $u_i \circ l_i \equiv id_S$, which clearly gets interpreted as Equation (2.1) in Remark 1.1. Let us prove this decorated equation, using the axioms (for each location $i$) from $State_{deco}$ in Section 2.3:

  $(A_1)$  $l_i^{(1)} : 1 \to V_i$ (lookup is an accessor),
  $(A_2)$  $l_i \circ u_i \sim id_{V_i}$,
  $(A_3)$  $l_j \circ u_i \sim l_j \circ \langle\rangle_{V_i}$ for each $j \neq i$.

Proposition 3.1.
For each location $i$, reading the value of location $i$ and then updating location $i$ with the obtained value is just like doing nothing: $u_i^{(2)} \circ l_i^{(1)} \equiv id_1^{(0)} : 1 \to 1$. Proof.
Let $i$ be a location. By the unicity property of the observational product $(l_k^{(1)} : 1 \to V_k)_k$, in order to prove $u_i \circ l_i \equiv id_1$ it suffices to prove that $l_k \circ u_i \circ l_i \sim l_k : 1 \to V_k$ for each location $k$.

• When $k = i$, the substitution rule for $\sim$ yields the result directly: from $(A_2)$, $l_i \circ u_i \sim id_{V_i}$, ($\sim$-subs) gives $l_i \circ u_i \circ l_i \sim l_i$.

• When $k \neq i$, we use the substitution rule for $\sim$ and the replacement rule for $\equiv$. From $(A_3)$, $l_k \circ u_i \sim l_k \circ \langle\rangle_i$, ($\sim$-subs) gives $l_k \circ u_i \circ l_i \sim l_k \circ \langle\rangle_i \circ l_i$. From $(A_1)$, $l_i^{(1)}$, the derived rule $(E_4^{(1)})$ gives $\langle\rangle_i \circ l_i \equiv id_1$, hence by ($\equiv$-repl) $l_k \circ \langle\rangle_i \circ l_i \equiv l_k$, and by ($\equiv$-to-$\sim$) $l_k \circ \langle\rangle_i \circ l_i \sim l_k$. Finally ($\sim$-trans) gives $l_k \circ u_i \circ l_i \sim l_k$.

Remark 3.2.
At the top of the right branch in the proof above, the decoration $(1)$ for $l_i$ could not be replaced by $(2)$. Indeed, from $l_i^{(2)}$ we can only derive the weak equation $\langle\rangle_i \circ l_i \sim id_1$, and this is not sufficient for deriving $l_k \circ \langle\rangle_i \circ l_i \sim l_k$ by replacement, since replacement under $\sim$ requires the outer term to be pure and $l_k$ is not pure.

Let $Q_{deco}$ be a theory with respect to the decorated logic for states and let $Q^{(0)}$ be its pure part, so that $Q^{(0)}$ is a monadic equational theory. The product of two types $X_1$ and $X_2$ in $Q_{deco}$ is defined as their product in $Q^{(0)}$ (it is a product up to strong equations, as in Section 1.1). The projections from $X_1 \times X_2$ to $X_1$ and $X_2$ are respectively denoted $p_1^{(0)}$ and $p_2^{(0)}$ when the types $X_1$ and $X_2$ are clear from the context. The product of two pure morphisms $f_1^{(0)} : X_1 \to Y_1$ and $f_2^{(0)} : X_2 \to Y_2$ is a pure morphism $(f_1 \times f_2)^{(0)} : X_1 \times X_2 \to Y_1 \times Y_2$ subject to the rules in Figure 7, which are the usual rules for products up to strong equations. Moreover, when $X_1$ or $X_2$ is $1$ it can be proved in the usual way that the projections $p_1^{(0)} : X_1 \times 1 \to X_1$ and $p_2^{(0)} : 1 \times X_2 \to X_2$ are isomorphisms. The permutation $perm^{(0)}_{X_1,X_2} : X_1 \times X_2 \to X_2 \times X_1$ is defined as usual by $p_1 \circ perm_{X_1,X_2} \equiv p_2$ and $p_2 \circ perm_{X_1,X_2} \equiv p_1$.

Figure 7: Rules for products of pure morphisms

  (0-prod)         $f_1^{(0)} : X_1 \to Y_1,\; f_2^{(0)} : X_2 \to Y_2 \;\vdash\; (f_1 \times f_2)^{(0)} : X_1 \times X_2 \to Y_1 \times Y_2$
  (0-proj-1)       $f_1^{(0)} : X_1 \to Y_1,\; f_2^{(0)} : X_2 \to Y_2 \;\vdash\; p_1 \circ (f_1 \times f_2) \equiv f_1 \circ p_1$
  (0-proj-2)       $f_1^{(0)} : X_1 \to Y_1,\; f_2^{(0)} : X_2 \to Y_2 \;\vdash\; p_2 \circ (f_1 \times f_2) \equiv f_2 \circ p_2$
  (0-prod-unique)  $g^{(0)} : X_1 \times X_2 \to Y_1 \times Y_2,\; p_1 \circ g \equiv f_1 \circ p_1,\; p_2 \circ g \equiv f_2 \circ p_2 \;\vdash\; g \equiv f_1 \times f_2$

The rules in Figure 7, which are symmetric in $f_1$ and $f_2$, cannot be applied to modifiers: indeed, the effect of building a pair of modifiers depends on the evaluation strategy. However, following [Dumas et al. 2011], we define the left semi-pure product of an identity $id_{X_1}$ and a modifier $f : X_2 \to Y_2$ as a modifier $id_{X_1} \ltimes f : X_1 \times X_2 \to X_1 \times Y_2$ subject to the rules in Figure 8, which form a decorated version of the rules for products.
Symmetrically, the right semi-pure product of a modifier $f : X_1 \to Y_1$ and an identity $id_{X_2}$ is a modifier $f \rtimes id_{X_2} : X_1 \times X_2 \to Y_1 \times X_2$ subject to the rules symmetric to those in Figure 8; in particular (right-prod) yields $(f \rtimes id_{X_2})^{(2)}$, (right-proj-1) yields $p_1 \circ (f \rtimes id_{X_2}) \equiv f \circ p_1$ and (right-proj-2) yields $p_2 \circ (f \rtimes id_{X_2}) \sim p_2$.

Figure 8: Rules for left semi-pure products

  (left-prod)         $f^{(2)} : X_2 \to Y_2 \;\vdash\; (id_{X_1} \ltimes f)^{(2)} : X_1 \times X_2 \to X_1 \times Y_2$
  (left-proj-1)       $f^{(2)} : X_2 \to Y_2 \;\vdash\; p_1 \circ (id_{X_1} \ltimes f) \sim p_1$
  (left-proj-2)       $f^{(2)} : X_2 \to Y_2 \;\vdash\; p_2 \circ (id_{X_1} \ltimes f) \equiv f \circ p_2$
  (left-prod-unique)  $g^{(2)} : X_1 \times X_2 \to X_1 \times Y_2,\; p_1 \circ g \sim p_1,\; p_2 \circ g \equiv f \circ p_2 \;\vdash\; g \equiv id_{X_1} \ltimes f$

Note that (left-proj-1) is only a weak equation: $f$ may modify the state, so $p_1 \circ (id_{X_1} \ltimes f)$ returns the same value as $p_1$ but not necessarily in the same state, whereas (left-proj-2) is strong because both sides perform the effect of $f$ exactly once.

Let us add the rules for semi-pure products to the decorated logic for states. In the decorated theory of states
$State_{deco}$, let us assume that there are products $V_i \times V_j$, $V_i \times 1$ and $1 \times V_j$ for all locations $i$ and $j$. Then it is easy to check that the expansion of the decorated Equations (2)$_d$ below gets interpreted as Equations (2) in Remark 1.1. We use the simplified notations $id_i = id_{V_i}$, $\langle\rangle_i = \langle\rangle_{V_i}$ and $perm_{i,j} = perm_{V_i,V_j}$. Equation (2.1)$_d$ has been proved in Section 3.2 and Equation (2.6)$_d$ will be proved in Section 3.4. The other equations can be proved in a similar way.

  (2.1)$_d$ Annihilation lookup-update. $\forall i \in Loc,\; u_i \circ l_i \equiv id_1 : 1 \to 1$
  (2.2)$_d$ Interaction lookup-lookup. $\forall i \in Loc,\; l_i \circ \langle\rangle_i \circ l_i \equiv l_i : 1 \to V_i$
  (2.3)$_d$ Interaction update-update. $\forall i \in Loc,\; u_i \circ p_2 \circ (u_i \rtimes id_i) \equiv u_i \circ p_2 : V_i \times V_i \to 1$
  (2.4)$_d$ Interaction update-lookup. $\forall i \in Loc,\; l_i \circ u_i \sim id_i : V_i \to V_i$
  (2.5)$_d$ Commutation lookup-lookup. $\forall i \neq j \in Loc,\; l_j \circ \langle\rangle_i \circ l_i \equiv perm_{j,i} \circ l_i \circ \langle\rangle_j \circ l_j : 1 \to V_i \times V_j$
  (2.6)$_d$ Commutation update-update. $\forall i \neq j \in Loc,\; u_j \circ p_2 \circ (u_i \rtimes id_j) \equiv u_i \circ p_1 \circ (id_i \ltimes u_j) : V_i \times V_j \to 1$
  (2.7)$_d$ Commutation update-lookup. $\forall i \neq j \in Loc,\; l_j \circ u_i \equiv p_2 \circ (u_i \rtimes id_j) \circ (id_i \ltimes l_j) \circ p_1^{-1} : V_i \to V_j$

Proposition 3.3.
For all locations $i \neq j$, the order of storing in the locations $i$ and $j$ does not matter: $u_j^{(2)} \circ p_2^{(0)} \circ (u_i \rtimes id_j)^{(2)} \equiv u_i^{(2)} \circ p_1^{(0)} \circ (id_i \ltimes u_j)^{(2)} : V_i \times V_j \to 1$. Proof.
In order to avoid ambiguity, in this proof the projections from $V_i \times 1$ are denoted $p_{1,i} : V_i \times 1 \to V_i$ and $p_{2,i} : V_i \times 1 \to 1$, the projections from $1 \times V_j$ are denoted $p_{1,j} : 1 \times V_j \to 1$ and $p_{2,j} : 1 \times V_j \to V_j$, while the projections from $V_i \times V_j$ are denoted $p_{1,i,j}$ and $p_{2,i,j}$. It follows from Section 3.3 that $p_{1,i}$ and $p_{2,j}$ are isomorphisms, while the derived rule $(E_1^{(0)})$ implies that $p_{2,i} \equiv \langle\rangle_{V_i \times 1}$ and $p_{1,j} \equiv \langle\rangle_{1 \times V_j}$. Using the unicity property of the observational product $(l_k^{(1)})_k$, we have to prove that

  $l_k \circ u_j \circ p_{2,j} \circ (u_i \rtimes id_j) \;\sim\; l_k \circ u_i \circ p_{1,i} \circ (id_i \ltimes u_j)$

for each location $k$.

• When $k \neq i, j$, let us prove independently four weak equations $(W_1)$ to $(W_4)$.

  $(W_1)$: from $(A_3)$, $l_k \circ u_j \sim l_k \circ \langle\rangle_j$; by ($\sim$-subs), $l_k \circ u_j \circ p_{2,j} \circ (u_i \rtimes id_j) \sim l_k \circ \langle\rangle_j \circ p_{2,j} \circ (u_i \rtimes id_j)$.

  $(W_2)$: by $(E_3^{(0)})$, $\langle\rangle_j \circ p_{2,j} \equiv p_{1,j}$. Since $u_i^{(2)}$, (right-prod) gives $(u_i \rtimes id_j)^{(2)}$, and ($\equiv$-subs) gives $\langle\rangle_j \circ p_{2,j} \circ (u_i \rtimes id_j) \equiv p_{1,j} \circ (u_i \rtimes id_j)$. By (right-proj-1), $p_{1,j} \circ (u_i \rtimes id_j) \equiv u_i \circ p_{1,i,j}$, so ($\equiv$-trans) gives $\langle\rangle_j \circ p_{2,j} \circ (u_i \rtimes id_j) \equiv u_i \circ p_{1,i,j}$. By ($\equiv$-repl), $l_k \circ \langle\rangle_j \circ p_{2,j} \circ (u_i \rtimes id_j) \equiv l_k \circ u_i \circ p_{1,i,j}$, and by ($\equiv$-to-$\sim$), $l_k \circ \langle\rangle_j \circ p_{2,j} \circ (u_i \rtimes id_j) \sim l_k \circ u_i \circ p_{1,i,j}$.

  $(W_3)$: from $(A_3)$, $l_k \circ u_i \sim l_k \circ \langle\rangle_i$; by ($\sim$-subs), $l_k \circ u_i \circ p_{1,i,j} \sim l_k \circ \langle\rangle_i \circ p_{1,i,j}$.

  $(W_4)$: by $(E_3^{(0)})$, $\langle\rangle_i \circ p_{1,i,j} \equiv \langle\rangle_{V_i \times V_j}$; by ($\equiv$-repl), $l_k \circ \langle\rangle_i \circ p_{1,i,j} \equiv l_k \circ \langle\rangle_{V_i \times V_j}$; by ($\equiv$-to-$\sim$), $l_k \circ \langle\rangle_i \circ p_{1,i,j} \sim l_k \circ \langle\rangle_{V_i \times V_j}$.

  Equations $(W_1)$ to $(W_4)$ together with the transitivity rule for $\sim$ give rise to the weak equation $l_k \circ u_j \circ p_{2,j} \circ (u_i \rtimes id_j) \sim l_k \circ \langle\rangle_{V_i \times V_j}$. A symmetric proof shows that $l_k \circ u_i \circ p_{1,i} \circ (id_i \ltimes u_j) \sim l_k \circ \langle\rangle_{V_i \times V_j}$. With the symmetry and transitivity rules for $\sim$, this concludes the proof when $k \neq i, j$.

• When $k = i$, it is easy to prove that $l_i \circ u_i \circ p_{1,i} \circ (id_i \ltimes u_j) \sim p_{1,i,j}$, as follows. From $(A_2)$, $l_i \circ u_i \sim id_i$; by ($\sim$-subs), $l_i \circ u_i \circ p_{1,i} \circ (id_i \ltimes u_j) \sim p_{1,i} \circ (id_i \ltimes u_j)$. Since $u_j^{(2)}$, (left-proj-1) gives $p_{1,i} \circ (id_i \ltimes u_j) \sim p_{1,i,j}$, and ($\sim$-trans) gives $l_i \circ u_i \circ p_{1,i} \circ (id_i \ltimes u_j) \sim p_{1,i,j}$.

  Now let us prove that $l_i \circ u_j \circ p_{2,j} \circ (u_i \rtimes id_j) \sim p_{1,i,j}$, by three weak equations $(W'_1)$ to $(W'_3)$.

  $(W'_1)$: from $(A_3)$, $l_i \circ u_j \sim l_i \circ \langle\rangle_j$; by ($\sim$-subs), $l_i \circ u_j \circ p_{2,j} \sim l_i \circ \langle\rangle_j \circ p_{2,j}$. By $(E_3^{(0)})$, $\langle\rangle_j \circ p_{2,j} \equiv \langle\rangle_{1 \times V_j}$; by ($\equiv$-repl), $l_i \circ \langle\rangle_j \circ p_{2,j} \equiv l_i \circ \langle\rangle_{1 \times V_j}$; by ($\equiv$-to-$\sim$) and ($\sim$-trans), $l_i \circ u_j \circ p_{2,j} \sim l_i \circ \langle\rangle_{1 \times V_j}$. Finally ($\sim$-subs) gives $l_i \circ u_j \circ p_{2,j} \circ (u_i \rtimes id_j) \sim l_i \circ \langle\rangle_{1 \times V_j} \circ (u_i \rtimes id_j)$.

  $(W'_2)$: by $(E_1^{(0)})$ and ($\equiv$-sym), $\langle\rangle_{1 \times V_j} \equiv p_{1,j}$; by ($\equiv$-subs), $\langle\rangle_{1 \times V_j} \circ (u_i \rtimes id_j) \equiv p_{1,j} \circ (u_i \rtimes id_j)$. Since $u_i^{(2)}$, (right-proj-1) gives $p_{1,j} \circ (u_i \rtimes id_j) \equiv u_i \circ p_{1,i,j}$, so ($\equiv$-trans) gives $\langle\rangle_{1 \times V_j} \circ (u_i \rtimes id_j) \equiv u_i \circ p_{1,i,j}$. By ($\equiv$-repl), $l_i \circ \langle\rangle_{1 \times V_j} \circ (u_i \rtimes id_j) \equiv l_i \circ u_i \circ p_{1,i,j}$, and by ($\equiv$-to-$\sim$), $l_i \circ \langle\rangle_{1 \times V_j} \circ (u_i \rtimes id_j) \sim l_i \circ u_i \circ p_{1,i,j}$.

  $(W'_3)$: from $(A_2)$, $l_i \circ u_i \sim id_i$; by ($\sim$-subs), $l_i \circ u_i \circ p_{1,i,j} \sim p_{1,i,j}$.

  Equations $(W'_1)$ to $(W'_3)$ and the transitivity rule for $\sim$ give rise to $l_i \circ u_j \circ p_{2,j} \circ (u_i \rtimes id_j) \sim p_{1,i,j}$. With the symmetry and transitivity rules for $\sim$, this concludes the proof when $k = i$.

• The proof when $k = j$ is symmetric to the proof when $k = i$.

Conclusion
In this paper, decorated proofs are used for proving properties of states. To our knowledge, such proofs are new. They can be expanded in order to get the usual proofs; however, decorated proofs are more concise and closer to the syntax, whereas in the expanded proof the notion of effect is lost. This approach can be applied to other computational effects, like exceptions [Dumas et al. 2012a, Dumas et al. 2012b].
References

[Domínguez & Duval 2010] César Domínguez, Dominique Duval. Diagrammatic logic applied to a parameterization process. Mathematical Structures in Computer Science 20, p. 639-654 (2010).
[Dumas et al. 2011] Jean-Guillaume Dumas, Dominique Duval, Jean-Claude Reynaud. Cartesian effect categories are Freyd-categories. Journal of Symbolic Computation 46, p. 272-293 (2011).
[Dumas et al. 2012a] Jean-Guillaume Dumas, Dominique Duval, Laurent Fousse, Jean-Claude Reynaud. A duality between exceptions and states. Mathematical Structures in Computer Science 22, p. 719-722 (2012).
[Dumas et al. 2012b] Jean-Guillaume Dumas, Dominique Duval, Laurent Fousse, Jean-Claude Reynaud. Adjunctions for exceptions. Submitted for publication (2012).
[Gaudel et al. 1996] Marie-Claude Gaudel, Pierre Dauchy, Carole Khoury. A Formal Specification of the Steam-Boiler Control Problem by Algebraic Specifications with Implicit State. Formal Methods for Industrial Applications 1995. Springer-Verlag Lecture Notes in Computer Science 1165, p. 233-264 (1996).
[Melliès 2010] Paul-André Melliès. Segal condition meets computational effects. LICS 2010. IEEE Computer Society, p. 150-159 (2010).
[Moggi 1991] Eugenio Moggi. Notions of Computation and Monads. Information and Computation 93(1), p. 55-92 (1991).
[Plotkin & Power 2002] Gordon D. Plotkin, John Power. Notions of Computation Determine Monads. FoSSaCS 2002. Springer-Verlag Lecture Notes in Computer Science 2303, p. 342-356 (2002). doi:10.1007/3-540-45931-6_24