Fully Abstract Compilation from System F to λσ
Dominique Devriese¹, Marco Patrignani², Frank Piessens¹
¹ iMinds-DistriNet, KU Leuven   ² MPI-SWS
Paris, 2016
System F and λσ
Compiling System F to λσ
Proving Full Abstraction
Constructing a back-translation
The source language: System F
τ ::= Unit | Bool | τ → τ | τ × τ | τ ⊎ τ | ∀α. τ | ∃α. τ | μα. τ | α

t ::= unit | true | false | λx : τ. t | x | t t | t.1 | t.2 | ⟨t, t⟩ | Λα. t | t τ
    | inl t | inr t | case t of inl x₁ ↦ t | inr x₂ ↦ t | t; t | if t then t else t
    | pack ⟨τ, t⟩ as ∃α. τ | unpack t as ⟨α, x⟩ in t | roll t | unroll t
λσ : Untyped Lambda Calculus with Sealing
t ::= unit | true | false | λx. t | x | t t | t.1 | t.2 | ⟨t, t⟩ | inl t | inr t
    | case t of inl x₁ ↦ t | inr x₂ ↦ t | t; t | if t then t else t | wrong
    | νx. t | {t}t | σ | let {x}t = t in t else t

Seals σ are fresh names drawn from a heap h of allocated seals; {v}σ is the value v sealed with σ, and let {x}σ = t in t₁ else t₂ is the only way to take a sealed value apart. The untyped primitives step to wrong when applied to a value of the wrong shape (for instance if unit then … ), so a context that holds {v}σ but not σ cannot inspect v.

  σ ∉ dom(h)   ⟹   (h, νx. t) ↪ (h; σ, t[σ/x])
  σ ≡ σ′       ⟹   let {x}σ = {v}σ′ in t else t′ ↪ t[v/x]
  σ ≢ σ′       ⟹   let {x}σ = {v}σ′ in t else t′ ↪ t′
Compiling STLC to λ

A compiler that simply erases types is not fully abstract. In the source, every argument of type Unit is unit, so

  λx : Unit. x   ≃ctx   λx : Unit. unit

but an untyped context can pass true to the erased terms and observe whether it comes back:

  λx. x   ≄ctx   λx. unit

Fully abstract compiler: erase, then wrap the result in a type-directed protect wrapper, which in turn confines every value the context passes in:

  protect_{Unit→Unit}; (λx. x)       ≃ctx   protect_{Unit→Unit}; (λx. unit)
  = λx. (λx. x) (confine_Unit; x)    ≃ctx   λx. (λx. unit) (confine_Unit; x)
  = λx. (λx. x) (x; unit)            ≃ctx   λx. (λx. unit) (x; unit)

confine_Unit; x = x; unit evaluates whatever the context supplied (so divergence is preserved) and then replaces it with unit. The wrapped bodies therefore only ever see unit, and the two compiled terms are indistinguishable again.
Compiling System F to λσ

Erasure alone fails again. In the source, the representation type of a package is abstract, so no context can tell these two apart:

  pack ⟨Unit, unit⟩ as ∃α. α   ≃ctx   pack ⟨Bool, true⟩ as ∃α. α

Their erasures are distinguished by any context that branches on the value (if · then … goes wrong on unit):

  unit   ≄ctx   true

Fully abstract compiler: protect at an existential type allocates a fresh seal and seals the representation with it:

  protect_{∃α.α} unit   ≃ctx   protect_{∃α.α} true
  = νs. {unit}s         ≃ctx   νs. {true}s

The context never receives s, so the only thing it can do with the sealed value is pass it around, which is exactly what the source type ∃α. α allows.
Compiling System F to λσ: more interesting examples

t ≝ pack ⟨Unit, ⟨unit, λx : Unit. x⟩⟩ as ∃α. α × (α → Unit)
erase(t) = ⟨unit, λx. x⟩
protect_{∃α. α × (α→Unit)} erase(t) = νs. ⟨{unit}s, λx. unseal_s x⟩

where unseal_s x = let {y}s = x in y else wrong. The first component is sealed, and the function unseals its argument before using it, so a context can only apply the function to values that came out of this package.

t ≝ λf : ∀α. α → α. f Bool true
erase(t) = λf. f unit true
protect_{(∀α.α→α)→Bool} erase(t) = λf. νs. unseal_s (f unit {true}s)

Type application erases to application to unit. Each call allocates a fresh seal s, hands the context's f a sealed argument, and unseals f's result with the same s: a parametric f can only return its argument, while an f that inspects the argument or returns something else goes wrong.
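The sealing scheme of the last three slides (the λσ primitives ν, {·}σ and unsealing; protect/confine at Unit and Unit → Unit; the ∃α. α package and the (∀α. α → α) → Bool example), as an added executable model in Python. This is an illustration written for this page, not the paper's code or its definitions: values are Python values, `Wrong` stands for the λσ term wrong, and `wrap` implements protect (ours=True) and confine (ours=False) type-directed over a small type grammar written as tuples. The treatment of binders is an assumption of the model: a type variable bound on the context's side (∀ when protecting, ∃ when confining) is left transparent because the context chose that type, while a variable bound on our side gets a fresh seal; pairs and sums are omitted. Each example returns, per source term, whether a distinguishing context terminates on the erased term and on the protected term.

```python
from collections import namedtuple


class Wrong(Exception):
    """λσ 'wrong': a stuck computation (if on a non-boolean, a bad unseal, ...)."""

UNIT = type("Unit", (), {"__repr__": lambda self: "unit"})()

class Seal:                                # σ: a fresh name, compared by identity
    pass

Sealed = namedtuple("Sealed", "v s")       # {v}σ: taken apart only with seal σ

def nu(body):                              # νs. t: allocate a seal not yet in the heap
    return body(Seal())

def unseal(s, t):                          # unseal_s t = let {x}s = t in x else wrong
    if isinstance(t, Sealed) and t.s is s:  # σ ≡ σ′
        return t.v
    raise Wrong("seal mismatch or non-sealed value")

def if_(c, then, else_):
    if c is True:
        return then()
    if c is False:
        return else_()
    raise Wrong("if on a non-boolean")

def seq(a, b):                             # a; b  (a has already been evaluated)
    return b

def wrap(tau, v, ours, env):
    """protect_tau (ours=True: our value handed to the context) or
    confine_tau (ours=False: the context's value handed to us)."""
    if tau == "Unit":
        return seq(v, UNIT)                                   # x; unit
    if tau == "Bool":
        return if_(v, lambda: True, lambda: False)           # if x then true else false
    tag, a = tau[0], tau[1]
    if tag == "var":
        s = env[a]
        if s is None:                                         # context-owned α: transparent
            return v
        return Sealed(v, s) if ours else unseal(s, v)         # seal going out, unseal coming in
    if tag == "->":                                           # contravariant in the argument
        return lambda x: wrap(tau[2], v(wrap(a, x, not ours, env)), ours, env)
    if tag == "forall" and ours:                              # the context instantiates α
        return lambda _: wrap(tau[2], v(UNIT), ours, {**env, a: None})
    if tag == "exists" and not ours:                          # the context chose the witness
        return wrap(tau[2], v, ours, {**env, a: None})
    if tag == "forall":                                       # we instantiate α: fresh seal per use
        return lambda _: nu(lambda s: wrap(tau[2], v(UNIT), ours, {**env, a: s}))
    if tag == "exists":                                       # we chose α: seal the representation
        return nu(lambda s: wrap(tau[2], v, ours, {**env, a: s}))
    raise ValueError(tau)

def protect(tau, v):                       # ⟦t⟧ = protect_tau erase(t)
    return wrap(tau, v, True, {})

def terminates(prog):                      # C[t]⇓ in this model: a value, not wrong
    try:
        prog()
        return True
    except Wrong:
        return False

def compare(tau, ctx, terms):
    """Per erased term t: (C[t]⇓, C[protect_tau t]⇓) for the context C = ctx."""
    return tuple((terminates(lambda: ctx(t)), terminates(lambda: ctx(protect(tau, t))))
                 for t in terms)

def stlc_example():            # λx:Unit. x vs λx:Unit. unit, C = if ([·] true) then unit else unit
    return compare(("->", "Unit", "Unit"),
                   lambda f: if_(f(True), lambda: UNIT, lambda: UNIT),
                   (lambda x: x, lambda x: UNIT))

def existential_example():     # pack⟨Unit,unit⟩ vs pack⟨Bool,true⟩ as ∃α.α, C = if [·] then unit else unit
    return compare(("exists", "α", ("var", "α")),
                   lambda v: if_(v, lambda: UNIT, lambda: UNIT),
                   (UNIT, True))

POLY = ("->", ("forall", "α", ("->", ("var", "α"), ("var", "α"))), "Bool")
CONTEXT_FS = {"identity": lambda _: lambda x: x,                            # parametric
              "const_true": lambda _: lambda x: True,                       # ignores its argument
              "inspect": lambda _: lambda x: if_(x, lambda: x, lambda: x)}  # branches on it

def parametricity_example():   # λf. f Bool true vs λf. (f Unit unit; true), C = [·] f for each f
    terms = (lambda f: f(UNIT)(True), lambda f: seq(f(UNIT)(UNIT), True))
    return {name: compare(POLY, lambda t: t(f), terms) for name, f in CONTEXT_FS.items()}
```

In the first two examples the erased terms are told apart by the context (one terminates, the other goes wrong) while the protected terms go wrong together. In the parametricity example the two source terms are equivalent by parametricity; the context `inspect` separates their erasures (true for f Bool true, wrong for f Unit unit; true), whereas under protection only the parametric `identity` is accepted and `const_true` and `inspect` go wrong on both terms.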
Proving Full Abstraction

  t₁ ≃ctx t₂   iff   ⟦t₁⟧ ≃ctx ⟦t₂⟧

Two directions: contextual equivalence reflection (⇐) and preservation (⇒). Preservation is the hardest to prove.
Proving Full Abstraction using Logical Relations

Contextual Equivalence Reflection (1/2): ⟦t₁⟧ ≃ctx ⟦t₂⟧ ⇒ t₁ ≃ctx t₂. Prove using cross-language logical relations: t ≈ ⟦t⟧ for every source term t, and C ≈ ⟦C⟧ for every source context C.

Given ⟦t₁⟧ ≃ctx ⟦t₂⟧ and a source context C with C[t₁]⇓:

  C[t₁]⇓   ⟹(1)   ⟦C⟧[⟦t₁⟧]⇓   ⟹(2)   ⟦C⟧[⟦t₂⟧]⇓   ⟹(3)   C[t₂]⇓

  (1) from C ≈ ⟦C⟧ and t₁ ≈ ⟦t₁⟧ (related programs terminate together)
  (2) from ⟦t₁⟧ ≃ctx ⟦t₂⟧, since ⟦C⟧ is a target context
  (3) from C ≈ ⟦C⟧ and t₂ ≈ ⟦t₂⟧

The symmetric argument gives C[t₂]⇓ ⇒ C[t₁]⇓, hence t₁ ≃ctx t₂.
Proving Full Abstraction using Logical Relations

Contextual Equivalence Preservation (2/2): t₁ ≃ctx t₂ ⇒ ⟦t₁⟧ ≃ctx ⟦t₂⟧. The target context C is now arbitrary, so it must be back-translated to a source context ⟨⟨C⟩⟩ with ⟨⟨C⟩⟩ ≈ C.

Given t₁ ≃ctx t₂ and a target context C with C[⟦t₁⟧]⇓:

  C[⟦t₁⟧]⇓   ⟹(1)   ⟨⟨C⟩⟩[t₁]⇓   ⟹(2)   ⟨⟨C⟩⟩[t₂]⇓   ⟹(3)   C[⟦t₂⟧]⇓

  (1) from ⟨⟨C⟩⟩ ≈ C and t₁ ≈ ⟦t₁⟧
  (2) from t₁ ≃ctx t₂, since ⟨⟨C⟩⟩ is a source context
  (3) from ⟨⟨C⟩⟩ ≈ C and t₂ ≈ ⟦t₂⟧
Constructing a back-translation

Target values are untyped, so the back-translation represents them in a single source type:

  UVal ≝ Bool                 booleans
       ⊎ Unit                 unit value
       ⊎ (UVal × UVal)        pairs
       ⊎ (UVal ⊎ UVal)        sums
       ⊎ (UVal → UVal)        functions

  ⟨⟨C⟩⟩_τ = ⟨⟨C⟩⟩[inject_τ ·]      inject_τ : τ → UVal      ⟨⟨C⟩⟩ : (∅, UVal) → (∅, UVal)

Problem: how to define inject_{∃α. ···}?
Constructing a back-translation

To inject values that mention type variables, index UVal by the type variables τ in scope (a sum of type variables, extended at each binder), and add cases for seals and sealed values:

  UVal_τ ≝ Bool                                       booleans
         ⊎ Unit                                       unit value
         ⊎ (UVal_τ × UVal_τ)                          pairs
         ⊎ (UVal_τ ⊎ UVal_τ)                          sums
         ⊎ (∀δ′. UVal_{δ′ ⊎ τ} → UExpr_{δ′ ⊎ τ})      functions
         ⊎ τ                                          type variables
         ⊎ (τ × (τ → Bool))                           seals
         ⊎ (τ × UVal_τ)                               sealed values

  UExpr_τ ≝ ∃δ′. UVal_{δ′ ⊎ τ}

The ∀δ′ in the function case and the ∃δ′ in UExpr account for type variables (and seals) that come into scope after a function was created: it may be called with, and may return, values over an extended set δ′ ⊎ τ.

Problem: the source has μα. ···, but UVal_τ is recursive in a type constructor and would need μ(α :: ∗ → ∗). ···.
Solution: approximate!
Approximate Back-Translation

A full back-translation is not needed for full abstraction: an approximate back-translation is sufficient.
⟨⟨C⟩⟩_n is fully accurate up to an arbitrary n and conservative beyond n.
Prove using directed, step-indexed logical relations; see Devriese, Patrignani, Piessens (POPL 2016).
Approximate Back-Translation

Contextual Equivalence Preservation (2/2) with an approximate back-translation ⟨⟨C⟩⟩_n, related to C by two directed relations (an index written _ stands for any index):

  ⟨⟨C⟩⟩_n ≳_n C          accurate for n steps: if C[⟦t⟧] terminates within n steps, ⟨⟨C⟩⟩_n[t] terminates
  ∀m. ⟨⟨C⟩⟩_n ≲_m C      conservative: if ⟨⟨C⟩⟩_n[t] terminates, C[⟦t⟧] terminates

Given t₁ ≃ctx t₂ and a target context C with C[⟦t₁⟧]⇓_n (termination within n steps), take the back-translation at that n:

  C[⟦t₁⟧]⇓_n   ⟹(1)   ⟨⟨C⟩⟩_n[t₁]⇓_   ⟹(2)   ⟨⟨C⟩⟩_n[t₂]⇓_   ⟹(3)   C[⟦t₂⟧]⇓_

  (1) from ⟨⟨C⟩⟩_n ≳_n C and t₁ ≳_ ⟦t₁⟧
  (2) from t₁ ≃ctx t₂, since ⟨⟨C⟩⟩_n is a source context
  (3) from ⟨⟨C⟩⟩_n ≲_ C and t₂ ≲_ ⟦t₂⟧

Every terminating C[⟦t₁⟧] terminates within some n, so this establishes ⟦t₁⟧ ≃ctx ⟦t₂⟧.
Putting it into practice...

... 300 pages of tech report later ... a week before the POPL deadline ...

It doesn't quite work...
Enforcing quantifier scope?

What type variables can an existential quantification close over? Difference between the following types?

  (1)  ∃α. ∀β. β → (β → Bool) → α × (α → Bool)
  (2)  ∀β. ∃α. β → (β → Bool) → α × (α → Bool)

In (2) the witness for α is chosen after β is known, so it may be β itself; in (1) it must be fixed before β exists. Our dynamic enforcement treats them identically! Back-translate a context λ_. λx. λf. ⟨x, f⟩? It should only work for (2), not for (1)?
Enforcing quantifier scope?

  (1)  ∃α. ∀β. β → (β → Bool) → α × (α → Bool)
  vs.
  (2)  ∀β. ∃α. β → (β → Bool) → α × (α → Bool)

What to do?
Is a more complex back-translation possible? Construct closures somehow?
What if the existential variable appears less conveniently?
Does full abstraction even hold for (1)?
What if quantifier scope enforces some property (like in the ST monad)?

The plan for now: prove full abstraction for a subset of types with no ∀s inside ∃s: (2) is fine, but (1) isn't.
Thanks

Questions? Feedback, suggestions?
Backup slide: the need for a type-indexed UVal

How to back-translate t = λx. x.1 x.2 at type (∃α. (α → Bool) × α) → Bool? When applied to pack ⟨Bool, ⟨λx : Bool. x, true⟩⟩ as ∃α. (α → Bool) × α, the back-translation should behave as t applied to ⟨λx. x, true⟩. The only way to do that is to open up the pair:

  λx : ∃α. (α → Bool) × α. unpack x as ⟨α, x′⟩ in x′.1 x′.2

What is the type of x′.2 here? UVal_n? It must mention α!
Backup slide: back-translation proof structure

This statement:

  ⟨⟨C⟩⟩_{τ;n}[t]   ≈_n   C[⟦t⟧]

expands to:

  emulate_n(C)[inject_{τ;n} t]   ≈_n   C[protect_τ erase(t)]

and is proved from three pieces:

  t ≈_n erase(t)                      Erasure Correctness (at type τ)
  inject_{τ;n} / extract ≈ protect_τ / confine_τ    Protect/Confine ≈ Inject/Extract (at EmulVal_{τ̂;n;p})
  emulate_n(C) ≈_n C                  Emulation Correctness (at EmulVal_{Empty;n;p})