Fully Abstract Compilation from System F to λσ

Dominique Devriese (iMinds-DistriNet, KU Leuven), Marco Patrignani (MPI-SWS), Frank Piessens (iMinds-DistriNet, KU Leuven)

Paris, 2016

System F and λσ

Compiling System F to λσ

Proving Full Abstraction

Constructing a back-translation

The source language: System F

Types:
$$\tau ::= \mathrm{Unit} \mid \mathrm{Bool} \mid \tau \to \tau \mid \tau \times \tau \mid \tau \uplus \tau \mid \forall\alpha.\,\tau \mid \exists\alpha.\,\tau \mid \mu\alpha.\,\tau \mid \alpha$$

Terms:
$$\begin{array}{rcl}
t & ::= & \mathrm{unit} \mid \mathrm{true} \mid \mathrm{false} \mid \lambda x : \tau.\,t \mid x \mid t\;t \mid t.1 \mid t.2 \mid \langle t, t\rangle \mid \Lambda\alpha.\,t \mid t\;\tau \\
  & \mid & \mathrm{inl}\;t \mid \mathrm{inr}\;t \mid \mathrm{case}\;t\;\mathrm{of}\;\mathrm{inl}\;x_1 \mapsto t \mid \mathrm{inr}\;x_2 \mapsto t \mid t;\,t \mid \mathrm{if}\;t\;\mathrm{then}\;t\;\mathrm{else}\;t \\
  & \mid & \mathrm{pack}\;\langle\tau, t\rangle\;\mathrm{as}\;\exists\alpha.\,\tau \mid \mathrm{unpack}\;t\;\mathrm{as}\;\langle\alpha, x\rangle\;\mathrm{in}\;t \mid \mathrm{roll}\;t \mid \mathrm{unroll}\;t
\end{array}$$

λσ: Untyped Lambda Calculus with Sealing

$$\begin{array}{rcl}
t & ::= & \mathrm{unit} \mid \mathrm{true} \mid \mathrm{false} \mid \lambda x.\,t \mid x \mid t\;t \mid t.1 \mid t.2 \mid \langle t, t\rangle \mid \mathrm{inl}\;t \mid \mathrm{inr}\;t \\
  & \mid & \mathrm{case}\;t\;\mathrm{of}\;\mathrm{inl}\;x_1 \mapsto t \mid \mathrm{inr}\;x_2 \mapsto t \mid t;\,t \mid \mathrm{if}\;t\;\mathrm{then}\;t\;\mathrm{else}\;t \mid \mathrm{wrong} \\
  & \mid & \nu x.\,t \mid \{t\}_{t} \mid \sigma \mid \mathrm{let}\;\{x\}_{t} = t\;\mathrm{in}\;t\;\mathrm{else}\;t
\end{array}$$

Reduction rules for the sealing primitives (h records the seals allocated so far):
$$\frac{\sigma \notin \mathrm{dom}(h)}{(h,\ \nu x.\,t) \hookrightarrow (h;\sigma,\ t[\sigma/x])}$$
$$\frac{\sigma \equiv \sigma'}{\mathrm{let}\;\{x\}_\sigma = \{v\}_{\sigma'}\;\mathrm{in}\;t\;\mathrm{else}\;t' \hookrightarrow t[v/x]}
\qquad
\frac{\sigma \not\equiv \sigma'}{\mathrm{let}\;\{x\}_\sigma = \{v\}_{\sigma'}\;\mathrm{in}\;t\;\mathrm{else}\;t' \hookrightarrow t'}$$

Compiling STLC to λ

In the source the two functions are contextually equivalent, but a type-erasing compiler alone does not preserve this: an untyped context can apply the erased functions to a non-unit argument and tell them apart.
$$\lambda x : \mathrm{Unit}.\,x \;\simeq_{\mathrm{ctx}}\; \lambda x : \mathrm{Unit}.\,\mathrm{unit}
\quad\xrightarrow{\ \text{compiler}\ }\quad
\lambda x.\,x \;\not\simeq_{\mathrm{ctx}}\; \lambda x.\,\mathrm{unit}$$

A fully abstract compiler wraps the erased term in a type-directed protect wrapper, which confines what the context can pass in:
$$\begin{array}{rcl}
\mathrm{protect}_{\mathrm{Unit}\to\mathrm{Unit}};\,(\lambda x.\,x) & \simeq_{\mathrm{ctx}} & \mathrm{protect}_{\mathrm{Unit}\to\mathrm{Unit}};\,(\lambda x.\,\mathrm{unit}) \\
= \;\lambda x.\,(\lambda x.\,x)\,(\mathrm{confine}_{\mathrm{Unit}};\,x) & \simeq_{\mathrm{ctx}} & \lambda x.\,(\lambda x.\,\mathrm{unit})\,(\mathrm{confine}_{\mathrm{Unit}};\,x) \\
= \;\lambda x.\,(\lambda x.\,x)\,(x;\,\mathrm{unit}) & \simeq_{\mathrm{ctx}} & \lambda x.\,(\lambda x.\,\mathrm{unit})\,(x;\,\mathrm{unit})
\end{array}$$

Compiling System F to λσ

The same problem appears with existential types: erasing the pack leaves the representation exposed to the context.
$$\mathrm{pack}\;\langle\mathrm{Unit}, \mathrm{unit}\rangle\;\mathrm{as}\;\exists\alpha.\,\alpha \;\simeq_{\mathrm{ctx}}\; \mathrm{pack}\;\langle\mathrm{Bool}, \mathrm{true}\rangle\;\mathrm{as}\;\exists\alpha.\,\alpha
\quad\xrightarrow{\ \text{compiler}\ }\quad
\mathrm{unit} \;\not\simeq_{\mathrm{ctx}}\; \mathrm{true}$$

The fully abstract compiler protects the packed value behind a fresh seal:
$$\begin{array}{rcl}
\mathrm{protect}_{\exists\alpha.\alpha}\;\mathrm{unit} & \simeq_{\mathrm{ctx}} & \mathrm{protect}_{\exists\alpha.\alpha}\;\mathrm{true} \\
= \;\nu s.\,\{\mathrm{unit}\}_s & \simeq_{\mathrm{ctx}} & \nu s.\,\{\mathrm{true}\}_s
\end{array}$$

Compiling System F to λσ

More interesting examples:
$$\begin{array}{rcl}
t & \stackrel{\mathrm{def}}{=} & \mathrm{pack}\;\langle\mathrm{Unit}, \langle\mathrm{unit}, \lambda x : \mathrm{Unit}.\,x\rangle\rangle\;\mathrm{as}\;\exists\alpha.\,\alpha \times (\alpha \to \mathrm{Unit}) \\
\mathrm{erase}(t) & = & \langle\mathrm{unit}, \lambda x.\,x\rangle \\
\mathrm{protect}_{\exists\alpha.\,\alpha \times (\alpha \to \mathrm{Unit})}\;\mathrm{erase}(t) & = & \nu s.\,\langle\{\mathrm{unit}\}_s,\ \lambda x.\,\mathrm{unseal}_s\;x\rangle
\end{array}$$

$$\begin{array}{rcl}
t & \stackrel{\mathrm{def}}{=} & \lambda f : \forall\alpha.\,\alpha \to \alpha.\;f\;\mathrm{Bool}\;\mathrm{true} \\
\mathrm{erase}(t) & = & \lambda f.\,f\;\mathrm{unit}\;\mathrm{true} \\
\mathrm{protect}_{(\forall\alpha.\,\alpha \to \alpha) \to \mathrm{Bool}}\;\mathrm{erase}(t) & = & \lambda f.\,\nu s.\,\mathrm{unseal}_s\,(f\;\mathrm{unit}\;\{\mathrm{true}\}_s)
\end{array}$$
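The three compilation examples above (Unit → Unit, ∃α.α and (∀α.α→α) → Bool) can be replayed in a small executable model. The block below is an added example and is not code from the slides or from the authors' artefact: it models the λσ sealing primitives (νs, {v}_s, unseal, wrong) as Python objects and implements type-directed protect/confine wrappers along the lines the slides sketch. The type syntax, the `env` mapping a type variable to the seal that hides it, and all helper names (`protect`, `confine`, `observe`, `HONEST`, `SNOOP`) are this example's own assumptions.

```python
# Added example, not code from the slides: a Python model of the λσ sealing
# primitives (νs, {v}_s, unseal, wrong) and of the type-directed protect/confine
# wrappers, replaying the Unit→Unit, ∃α.α and ∀α.α→α examples above. The type
# syntax, the `env` of type-variable owners and all helper names are assumptions.
UNIT = ()                      # the λσ value `unit`

class Wrong(Exception):
    """Models the stuck term `wrong`."""

def fresh_seal():
    return object()            # νs: a seal is only equal to itself

class Sealed:
    """The sealed value {v}_σ: opaque to anyone who does not hold σ."""
    def __init__(self, value, seal):
        self.value, self.seal = value, seal

def unseal(v, seal):
    """let {x}_σ = v in x else wrong"""
    if isinstance(v, Sealed) and v.seal is seal:
        return v.value
    raise Wrong("wrong seal")

def seq(v):
    """v; unit -- sequencing anything but `unit` is wrong"""
    if v != UNIT:
        raise Wrong("non-unit")
    return UNIT

def if_(v, then, else_):
    """if v then ... else ... -- branching on a non-boolean is wrong"""
    if v is True:
        return then()
    if v is False:
        return else_()
    raise Wrong("non-boolean")

# Types: 'Unit', 'Bool', ('->', a, b), ('var', name), ('exists', name, body),
# ('forall', name, body). env maps a type variable to the seal hiding it when
# the program chose it, or to None when the context chose it.
def protect(ty, v, env=None):
    """protect_τ v: wrap a program value of type τ before the context sees it."""
    env = env or {}
    if ty in ("Unit", "Bool"):
        return v
    tag = ty[0]
    if tag == "var":
        return v if env[ty[1]] is None else Sealed(v, env[ty[1]])
    if tag == "->":
        return lambda x: protect(ty[2], v(confine(ty[1], x, env)), env)
    if tag == "exists":        # program picked α: hide it behind a fresh seal
        return protect(ty[2], v, {**env, ty[1]: fresh_seal()})
    if tag == "forall":        # context picks α; type application erases to unit
        return lambda _: protect(ty[2], v(UNIT), {**env, ty[1]: None})
    raise ValueError(ty)

def confine(ty, v, env=None):
    """confine_τ v: check a context value before the program uses it at type τ."""
    env = env or {}
    if ty == "Unit":
        return seq(v)                                # x; unit
    if ty == "Bool":
        return if_(v, lambda: True, lambda: False)   # if x then true else false
    tag = ty[0]
    if tag == "var":
        return v if env[ty[1]] is None else unseal(v, env[ty[1]])
    if tag == "->":
        return lambda x: confine(ty[2], v(protect(ty[1], x, env)), env)
    if tag == "exists":
        return confine(ty[2], v, {**env, ty[1]: None})
    if tag == "forall":        # program picks α: the context must not inspect it
        return lambda _: confine(ty[2], v(UNIT), {**env, ty[1]: fresh_seal()})
    raise ValueError(ty)

def observe(context, value):
    """Run an untyped context on a value; `wrong` is reported, not raised."""
    try:
        return context(value)
    except Wrong:
        return "wrong"

def stlc_example():
    """λx:Unit. x vs λx:Unit. unit: erased, then protected at Unit → Unit."""
    ident, const, ty = (lambda x: x), (lambda x: UNIT), ("->", "Unit", "Unit")
    attacker = lambda f: f(True)                     # passes a non-unit argument
    return ((observe(attacker, ident), observe(attacker, const)),
            (observe(attacker, protect(ty, ident)), observe(attacker, protect(ty, const))))

def exists_example():
    """pack ⟨Unit,unit⟩ vs pack ⟨Bool,true⟩ as ∃α.α: erased, then sealed."""
    attacker = lambda v: if_(v, lambda: "saw true", lambda: "saw false")
    ty = ("exists", "a", ("var", "a"))
    return ((observe(attacker, UNIT), observe(attacker, True)),
            (observe(attacker, protect(ty, UNIT)), observe(attacker, protect(ty, True))))

HONEST = lambda _t: lambda x: x    # parametric: returns its argument untouched
SNOOP = lambda _t: lambda x: if_(x, lambda: False, lambda: True)   # inspects α

def forall_example(f):
    """t = λf:∀α.α→α. f Bool true: erased, then compiled at (∀α.α→α) → Bool."""
    erased = lambda g: g(UNIT)(True)
    ty = ("->", ("forall", "a", ("->", ("var", "a"), ("var", "a"))), "Bool")
    return observe(erased, f), observe(protect(ty, erased), f)
```

`stlc_example()` returns `((True, ()), ("wrong", "wrong"))`: the erased identity and constant functions are distinguished by a context that passes `true`, while after `protect` at Unit → Unit the confine step `x; unit` goes wrong for both, so the context learns nothing. `exists_example()` returns `(("wrong", "saw true"), ("wrong", "wrong"))`: erased `unit` and `true` behave differently under `if`, but the sealed values `{unit}_s` and `{true}_s` both go wrong. `forall_example(HONEST)` gives `(True, True)`, whereas `forall_example(SNOOP)`, a context function that inspects the value it was given at type α, gives `(False, "wrong")`: the compiled term hands `f` only `{true}_s`, so the non-parametric context cannot see the boolean and the program's abstraction is preserved.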

Proving Full Abstraction

$$t_1 \simeq_{\mathrm{ctx}} t_2 \iff \llbracket t_1 \rrbracket \simeq_{\mathrm{ctx}} \llbracket t_2 \rrbracket$$

Two directions: contextual equivalence reflection ($\Leftarrow$) and contextual equivalence preservation ($\Rightarrow$). Preservation is the hardest to prove.

Proving Full Abstraction using Logical Relations

Contextual Equivalence Reflection (1/2). Prove using cross-language logical relations: assume $\llbracket t_1 \rrbracket \simeq_{\mathrm{ctx}} \llbracket t_2 \rrbracket$ and show $t_1 \simeq_{\mathrm{ctx}} t_2$. For any source context C:
$$C[t_1] \Downarrow
\;\overset{(1)}{\Longrightarrow}\;
\llbracket C \rrbracket\big[\llbracket t_1 \rrbracket\big] \Downarrow
\;\overset{(2)}{\Longrightarrow}\;
\llbracket C \rrbracket\big[\llbracket t_2 \rrbracket\big] \Downarrow
\;\overset{(3)}{\Longrightarrow}\;
C[t_2] \Downarrow$$
Step (1) uses $C \approx \llbracket C \rrbracket$ and $t_1 \approx \llbracket t_1 \rrbracket$; step (2) is the assumed target equivalence; step (3) uses $C \approx \llbracket C \rrbracket$ and $t_2 \approx \llbracket t_2 \rrbracket$.

Proving Full Abstraction using Logical Relations

Contextual Equivalence Preservation (2/2). Assume $t_1 \simeq_{\mathrm{ctx}} t_2$ and show $\llbracket t_1 \rrbracket \simeq_{\mathrm{ctx}} \llbracket t_2 \rrbracket$. This needs a back-translation of target contexts into source contexts, $\langle\!\langle C \rangle\!\rangle \approx C$. For any target context C:
$$C\big[\llbracket t_1 \rrbracket\big] \Downarrow
\;\overset{(1)}{\Longrightarrow}\;
\langle\!\langle C \rangle\!\rangle[t_1] \Downarrow
\;\overset{(2)}{\Longrightarrow}\;
\langle\!\langle C \rangle\!\rangle[t_2] \Downarrow
\;\overset{(3)}{\Longrightarrow}\;
C\big[\llbracket t_2 \rrbracket\big] \Downarrow$$
Step (1) uses $\langle\!\langle C \rangle\!\rangle \approx C$ and $t_1 \approx \llbracket t_1 \rrbracket$; step (2) is the assumed source equivalence; step (3) uses $\langle\!\langle C \rangle\!\rangle \approx C$ and $t_2 \approx \llbracket t_2 \rrbracket$.

Constructing a back-translation

$$\begin{array}{rcll}
\mathrm{UVal} & \stackrel{\mathrm{def}}{=} & \mathrm{Bool} & \text{Booleans} \\
 & \uplus & \mathrm{Unit} & \text{Unit value} \\
 & \uplus & (\mathrm{UVal} \times \mathrm{UVal}) & \text{Pairs} \\
 & \uplus & (\mathrm{UVal} \uplus \mathrm{UVal}) & \text{Sums} \\
 & \uplus & (\mathrm{UVal} \to \mathrm{UVal}) & \text{Functions}
\end{array}$$

$$\langle\!\langle C \rangle\!\rangle_\tau = \langle\!\langle C \rangle\!\rangle[\mathrm{inject}_\tau\;\cdot] \qquad
\mathrm{inject}_\tau : \tau \to \mathrm{UVal} \qquad
\langle\!\langle C \rangle\!\rangle : \emptyset, \mathrm{UVal} \to \emptyset, \mathrm{UVal}$$

Problem: how to define $\mathrm{inject}_{\exists\alpha.\cdots}$?

Constructing a back-translation

Index UVal by the type τ of the type variables in scope, so that the back-translation can mention them. The slide builds the definition up in steps (type variables first, then functions quantifying over the additional variables δ' they may be called with, then seals and sealed values); the final definition is:
$$\begin{array}{rcll}
\mathrm{UVal}_\tau & \stackrel{\mathrm{def}}{=} & \mathrm{Bool} & \text{Booleans} \\
 & \uplus & \mathrm{Unit} & \text{Unit value} \\
 & \uplus & (\mathrm{UVal}_\tau \times \mathrm{UVal}_\tau) & \text{Pairs} \\
 & \uplus & (\mathrm{UVal}_\tau \uplus \mathrm{UVal}_\tau) & \text{Sums} \\
 & \uplus & (\forall\delta'.\,\mathrm{UVal}_{\delta' \uplus \tau} \to \mathrm{UExpr}_{\delta' \uplus \tau}) & \text{Functions} \\
 & \uplus & \tau & \text{Type Vars} \\
 & \uplus & (\tau \times (\tau \to \mathrm{Bool})) & \text{Seal} \\
 & \uplus & (\tau \times \mathrm{UVal}_\tau) & \text{Sealed value}
\end{array}$$
$$\mathrm{UExpr}_\tau \stackrel{\mathrm{def}}{=} \exists\delta'.\,\mathrm{UVal}_{\delta' \uplus \tau}$$

Problem: we have $\mu\alpha.\cdots$, but this needs $\mu(\alpha :: * \to *).\cdots$. Solution: Approximate!

Approximate Back-Translation

A full back-translation is not needed for full abstraction: an approximate back-translation is sufficient. It is fully accurate up to an arbitrary n and conservative beyond n. Prove using directed, step-indexed logical relations.

See Devriese, Patrignani, Piessens (POPL 2016).

Approximate Back-Translation

Contextual Equivalence Preservation (2/2), now with the approximate back-translation $\langle\!\langle C \rangle\!\rangle_n$, which is related to C in both directions:
$$\langle\!\langle C \rangle\!\rangle_n \gtrsim_n C \qquad\qquad \forall m.\ \langle\!\langle C \rangle\!\rangle_n \lesssim_m C$$
Assume $t_1 \simeq_{\mathrm{ctx}} t_2$. For any target context C, if $C[\llbracket t_1 \rrbracket]$ terminates within n steps ($\Downarrow_n$; $\Downarrow_{\_}$ denotes termination in any number of steps):
$$C\big[\llbracket t_1 \rrbracket\big] \Downarrow_n
\;\overset{(1)}{\Longrightarrow}\;
\langle\!\langle C \rangle\!\rangle_n[t_1] \Downarrow_{\_}
\;\overset{(2)}{\Longrightarrow}\;
\langle\!\langle C \rangle\!\rangle_n[t_2] \Downarrow_{\_}
\;\overset{(3)}{\Longrightarrow}\;
C\big[\llbracket t_2 \rrbracket\big] \Downarrow_{\_}$$
Step (1) uses $\langle\!\langle C \rangle\!\rangle_n \gtrsim_n C$ and $t_1 \gtrsim_{\_} \llbracket t_1 \rrbracket$; step (2) is the assumed source equivalence; step (3) uses $\langle\!\langle C \rangle\!\rangle_n \lesssim_{\_} C$ and $t_2 \lesssim_{\_} \llbracket t_2 \rrbracket$. Since n was arbitrary, $\llbracket t_1 \rrbracket \simeq_{\mathrm{ctx}} \llbracket t_2 \rrbracket$.

Putting it into practice...

... 300 pages of tech report later... a week before the POPL deadline ...

It doesn't quite work...

Enforcing quantifier scope?

What type variables can an existential quantification close over? What is the difference between the following types?
$$\exists\alpha.\,\forall\beta.\,\beta \to (\beta \to \mathrm{Bool}) \to \alpha \times (\alpha \to \mathrm{Bool}) \tag{1}$$
$$\forall\beta.\,\exists\alpha.\,\beta \to (\beta \to \mathrm{Bool}) \to \alpha \times (\alpha \to \mathrm{Bool}) \tag{2}$$

Our dynamic enforcement treats them identically! Back-translate a context $\lambda\_.\,\lambda x.\,\lambda f.\,\langle x, f\rangle$? It should only work for (2), but not for (1)?

Enforcing quantifier scope?

Type (1) vs. type (2) again:
$$\exists\alpha.\,\forall\beta.\,\beta \to (\beta \to \mathrm{Bool}) \to \alpha \times (\alpha \to \mathrm{Bool}) \tag{1}$$
$$\forall\beta.\,\exists\alpha.\,\beta \to (\beta \to \mathrm{Bool}) \to \alpha \times (\alpha \to \mathrm{Bool}) \tag{2}$$

What to do? Is a more complex back-translation possible? Construct closures somehow? What if the existential variable appears less conveniently? Does full abstraction even hold for (1)? What if quantifier scope enforces some property (like in the ST monad)?

The plan for now: prove full abstraction for a subset of types, with no ∀s inside ∃s. (2) is fine, but (1) isn't.

Thanks

Questions? Feedback, suggestions?

Backup slide: the need for a type-indexed UVal

How to back-translate $t \stackrel{\mathrm{def}}{=} \lambda x.\,x.1\;x.2$ at type $(\exists\alpha.\,(\alpha \to \mathrm{Bool}) \times \alpha) \to \mathrm{Bool}$? When applied to $\mathrm{pack}\;\langle\mathrm{Bool}, \langle\lambda x : \mathrm{Bool}.\,x, \mathrm{true}\rangle\rangle\;\mathrm{as}\;\exists\alpha.\,(\alpha \to \mathrm{Bool}) \times \alpha$, the back-translation should behave as t applied to $\langle\lambda x.\,x, \mathrm{true}\rangle$. The only way to do that is to open up the pair:
$$\lambda x : \exists\alpha.\,(\alpha \to \mathrm{Bool}) \times \alpha.\;\mathrm{unpack}\;x\;\mathrm{as}\;\langle\alpha, x'\rangle\;\mathrm{in}\;x'.1\;x'.2$$
What is the type of $x'.2$ here? $\mathrm{UVal}_n$? It must mention α!

Back-translation Proof Structure

This statement:
$$\langle\!\langle C \rangle\!\rangle_{\tau;n}[t] \approx_n C\big[\llbracket t \rrbracket\big]$$
expands to this:
$$\mathrm{emulate}_n(C)\big[\mathrm{inject}_{\tau;n}\;t\big] \approx_n C\big[\mathrm{protect}_\tau\;\mathrm{erase}(t)\big]$$
and follows from three relations between the corresponding components: $t \approx_n \mathrm{erase}(t)$ (Erasure Correctness, at type τ); $\mathrm{inject}_{\tau;n} \approx \mathrm{protect}_\tau$ (Protect/Confine ≈ Inject/Extract, at $\mathrm{EmulVal}_{\hat\tau;n;p}$); and $\mathrm{emulate}_n(C) \approx_n C$ (Emulation Correctness, at $\mathrm{EmulVal}_{\mathrm{Empty};n;p}$).