lec1.tex

\section*{Lecture 1, Logical Predicates and Relations}
\subsection*{Simply Typed Lambda Calculus (STLC)}
The language used to present logical predicates and relations is the simply typed lambda calculus. In the first couple lectures it will be used as it is presented here. In the later sections simply typed lambda calculus will be used as a base language so if it later on says that we extend with some construct, then it is the simply typed lambda calculus that we are extending. The simply typed lambda calculus is defined as follows:\\
\begin{tabular}{ r | l }
  Types: & $\tau ::=  bool \vbar \tarrow{\tau}{\tau}$ \\
  \hline
  Terms: & $e    ::= x \vbar \true
                       \vbar \false
                       \vbar \eif{e}{e}{e}
                       \vbar \tlabs{x}{\tau }{e}
                       \vbar e \; e$ \\
  \hline
  Values: & $v    ::= \true \vbar \false \vbar \tlabs{x}{\tau}{e}$ \\
  \hline
  Evaluation  & \multirow{2}{*}{$E    ::= [] \vbar \eif{E}{e}{e} \vbar E \; e \vbar v \; E$}\\
  contexts: & \\
  \hline
  \multirow{4}{*}{Evaluations:}
                                   & $\eif{\true}{e_1}{e_2} \evalto e_1$ \\
                                   & $\eif{\false}{e_1}{e_2} \evalto e_2$ \\
                                   & $(\tlabs{x}{\tau}{e}) \; v \evalto \subst{e}{v}{x}$ \\
                                   & $\inferrule*[]{e \evalto e'}
                                                   {E[e] \evalto E[e']}$ \\
  \hline
  Typing & \multirow{2}{*}{$ \Gamma ::= \mtenv \vbar \Gamma , x : \tau$} \\
  Contexts: & \\
  \hline
  \multirow{8}{*}{Typing rules:} & \\
                                 & $\TFalse \hspace{1.2cm} \TTrue$ \\
                                 & \\
                                 & $\TVar \hspace{1.2cm} \TIf$ \\
                                 & \\
                                 & $\TAbs \hspace{1.2cm} \TApp$\\
                                 & \\
\end{tabular}\\
For the typing contexts it is assumed that the binders are distinct. So if $x \in \dom(\Gamma)$, then $\Gamma , x : \tau$ is not a legal context.
\subsection*{Logical Relations}
Logical relations are used to prove properties about programs in a language. Logical relations are proof methods and can be used as an alternative to proving properties directly. Examples of properties one can show using logical relations are:
\begin{itemize}
\item Termination (Strong normalization)
\item Type safety
\item Equivalence of programs
  \begin{itemize}
  \item Correctness of programs
  \item Representation independence
  \item Parametricity and free theorems, e.g.,
    \[
    f: \forall \alpha. \; \tarrow{\alpha}{\alpha}
    \]
    The program cannot inspect $\alpha$ as it has no idea which type it will be, therefore $f$ must be identity function.
    \[
    \forall \alpha. \; \tarrow{int}{\alpha}
    \]
    A function with this type cannot exist (the function would need to return something of type $\alpha$, but it only has something of type $int$ to work with so it cannot possibly return a value of the proper type).
  \item Security-Typed Languages (for Information Flow Control (IFC))\\
        Example: All types in the code snippet below are labeled with their security level. A type can be labeled with either $L$ for \emph{low} or $H$ for \emph{high}. We do not want any flow from variables with a \emph{high} labeled type to a variable with a \emph{low} labeled type. The following is an example of an insecure \emph{explicit flow} of information:
        \begin{lstlisting}[escapeinside={@}{@}]
  x : int@$^L$@
  y : int@$^H$@
  x = y    //This assignment is insecure.
        \end{lstlisting}
Further, information may leak through a \emph{side channel}. That is the value denoted by a variable with a \emph{low} labeled type depends on the value of a variable with a \emph{high} labeled type. If this is the case we may not have learned the secret value, but we may have learned some information about it. An example of a side channel:
        \begin{lstlisting}[escapeinside={@}{@}]
  x : int@$^L$@
  y : int@$^H$@
  if y > 0 then x = 0 else x = 1
        \end{lstlisting}
The above examples show undesired programs or parts of programs, but if we want to generally state behavior we do not want a program to show, then we state it as non-interference:
\begin{align*}
  & \vdash P : \tarrow{int^L \times int^H}{int^L} \\
  & P(v_L,v_{1H}) \approx_L P(v_L,v_{2H})
\end{align*}
If we run $P$ with the same \emph{low} value and with two different \emph{high} values, then the \emph{low} result of the two runs of the program should be equal. That is the \emph{low} result does not depend on \emph{high} values.
  \end{itemize}
\end{itemize}
\subsection*{Categories of Logical Relations}
We can split logical relations into two: logical relations and logical predicates. Logical predicates are unary and used usually used to show properties of a program. Logical relations are binary and are usually used to show equivalences:\\
\begin{tabular}{l | l}
  Logical Predicates     & Logical Relations    \\
\hline
  (Unary)                & (Binary)             \\
  $P_\tau(e)$             & $R_\tau(e_1,e_2)$     \\
  - One property         & - Program Equivalence\\ %\footnote{Was not in my notes.}
  - Strong normalization & \\
  - Type safety          & \\
\end{tabular}
\subsection*{Strong Normalization of STLC}
In this section we wish to show that the simply typed lambda calculus
has strong normalization which means that every term is strongly
normalizing. Normalization of a term is the process of reducing a term into its normal form. If a term is strongly normalizing, then it reduces to its normal form. In our case we define the normal forms of the language to be the values of the language.
\subsubsection*{A first try on normalization of STLC}
We start with a couple of abbreviations:
\begin{align*}
  e \Downarrow v & \eqdef e \evaltos v \\
  e \Downarrow   & \eqdef \exists v. \; e \Downarrow v
\end{align*}
Where $v$ is a value.
What we want to prove is:
\begin{strnorm}[Strong Normalization]~\\
  If $\mtenv \vdash e : \tau$ then $e \Downarrow$
\end{strnorm}
\begin{proof}
\warning{This proof gets stuck and is not complete. It is included to motivate the use of a logical predicate.}
Induction on the structure of the typing derivation.
\case{$\mtenv \vdash \true : bool$} this term has already terminated.
\case{$\mtenv \vdash \false : bool$} same as for \true.
\case{$\mtenv \vdash \eif{e}{e_1}{e_2} : \tau$} simple, but requires
the use of canonical forms of bool.
% Perhaps a brief note on what canonical forms is?
\case{$\mtenv \vdash \tlabs{x}{\tau_1}{e}$ : \tarrow{\tau_1}{\tau_2}} it is a value already and it has terminated.
\case{$ \TApp $} \\
By the induction hypothesis we get $e_1 \Downarrow v_1$ and $e_2 \Downarrow v_2$. By the type of $e_1$ we conclude $e_1 \Downarrow \tlabs{x}{\tau_2}{e'}$. What we need to show is $e_1 \; e_2 \Downarrow$. We know $e_1 \; e_2$ takes the following steps:
\begin{align*}
  e_1 \; e_2 & \evaltos (\tlabs{x}{\tau_2}{e'}) \; e_2 \\
            & \evaltos (\tlabs{x}{\tau_2}{e'}) \; v_2 \\
            & \evalto e'[v_2/x]
\end{align*}
Here we run into an issue as we do not know anything about $e'$. Our induction hypothesis is not strong enough.\footnote{:(}
\end{proof}
\subsubsection*{A logical predicate for strongly normalizing expressions}
We want to define a logical predicate, \SN{\tau}{e}. We want $\SNPred_\tau$ to accept the expressions of type $\tau$ that are strongly normalizing, but let us first consider what properties we in general want a logical predicate to have.

In general for a logical predicate, $P_\tau(e)$, we want an expression, $e$, accepted by this predicate to satisfy the following properties\footnote{Note: when we later want to prove type safety we do not want well-typedness to be a property of the predicate.}:
\begin{enumerate}
\item $\mtenv \vdash e : \tau$
\item The property we wish $e$ to have. In this case it would be: $e$ is strongly normalizing.
\item The condition is preserved by eliminating forms.
\end{enumerate}
With the above in mind we define the strongly normalizing predicate as follows:
\begin{align*}
  \SN{bool}{e} & \Leftrightarrow \mtenv \vdash e : bool \pand e \Downarrow \\
  \SN{\tarrow{\tau_1}{\tau_2}}{e} & \Leftrightarrow \mtenv \vdash e : \tarrow{\tau_1}{\tau_2} \pand e \Downarrow \pand (\forall e'. \; \SN{\tau_1}{e'} \implies \SN{\tau_2}{e \; e'})\\
\end{align*}
It is here important to consider whether the logical predicate is well-founded. \SN{\tau}{e} is defined over the structure of $\tau$, so it is indeed well-founded.
\subsubsection*{Strongly normalizing using a logical predicate}
We are now ready to show strong normalization using \SN{\tau}{e}. The proof is done in two steps:
\[
\circled{a} \quad \mtenv \vdash e : \tau \implies \SN{\tau}{e}
\]
\[
\circled{b} \quad \SN{\tau}{e} \implies e \Downarrow
\]
The structure of this proof is common to proofs that use logical relations. We first prove that well-typed terms are in the relation. Then we prove that terms in the relation actually have the property we want to show (in this case strong normalization).

The proof of \circled{b} is by induction on $\tau$.\footnote{This should not be difficult, as we baked the property we want into the relation. That was the second property we in general wanted a logical relation to satisfy.}

We could try to prove \circled{a} by induction over $\mtenv \vdash e : \tau$, but the case
\[
  \TAbs
\]
gives issues. Instead we prove a generalization of \circled{a}
\begin{astrnorm}[\circled{a} Generalized]
  If $\Gamma \vdash e : \tau$ and $\gamma \models \Gamma$ then $\SN{\tau}{\gamma(e)}$
\end{astrnorm}
Here $\gamma$ is a substitution, $\gamma = \{x_1 \mapsto v_1, \dots , x_n \mapsto v_n\}$. We define the substitution to work as follows:
\begin{align*}
  & \emptyset (e) = e \\
  & \extsub{\gamma}{x}{v}(e) = \gamma(\subst{e}{x}{v})
\end{align*}

In English the theorem reads: If $e$ is well-typed with respect to some type $\tau$ and we have some closing substitution that satisfy the typing environment, then if we close of $e$ with $\gamma$, then this closed expression is in $\SNPred_\tau$.

$\gamma \models \Gamma$ is read ``the substitution $\gamma$ satisfies the type environment, $\Gamma$.'' It is defined as follows:
\[
  \gamma \models \Gamma \eqdef \dom(\gamma) = \dom(\Gamma) \pand
                 \forall x \in \dom(\Gamma). \; \SN{\Gamma(x)}{\gamma(x)}
\]
To prove the generalized theorem we need further two lemmas
\begin{substlem}[Substitution lemma]
  If $\Gamma \vdash e : \tau$ and $\gamma \models \Gamma$ then $\mtenv \vdash \gamma (e) : \tau$
\end{substlem}
\begin{forback}[$\SNPred$ preserved by forward/backward reduction]
  Suppose $\mtenv \vdash e : \tau$ and $e \evalto e'$
  \begin{enumerate}
  \item if $\SN{\tau}{e'}$ then $\SN{\tau}{e}$
  \item if $\SN{\tau}{e}$ then $\SN{\tau}{e'}$
  \end{enumerate}
\end{forback}
\begin{proof}
  Probably also left as an exercise (not proved during the lecture).
\end{proof}
\begin{proof}[Proof. (Substitution lemma)]
  Left as an exercise.
\end{proof}
\begin{proof}[Proof. (\circled{a} Generalized)] Proof by induction on $\Gamma \vdash e : \tau$.
\case{$\Gamma \vdash \true : bool$} \\
We have:
\begin{description}
  \item $\gamma \models \Gamma$
\end{description}
We need to show:
\begin{description}
  \item $\SN{bool}{\gamma(\true)}$
\end{description}
If we do the substitution we just need to show $\SN{bool}{\true}$ which is true by definition of $\SN{bool}{\true}$.
\case{$\Gamma \vdash \false : bool$} similar to the \true{} case.
\case{\TVar}\\
We have:
\begin{description}
  \item $\gamma \models \Gamma$
\end{description}
We need to show:
\begin{description}
  \item $\SN{\tau}{\gamma(x)}$
\end{description}
This case follows from the definition of $\Gamma \models \gamma$. We know that $x$ is well-typed, so it is in the domain of $\Gamma$. From the definition of $\Gamma \models \gamma$ we then get $\SN{\Gamma(x)}{\gamma(x)}$. From well-typedness of $x$ we have $\Gamma(x) = \tau$ which then gives us what we needed to show.
\case{$\Gamma \vdash \eif{e}{e_1}{e_2} : \tau$} left as an exercise.
\case{\TApp}\\
We have:
\begin{description}
  \item $\gamma \models \Gamma$
\end{description}
We need to show:
\begin{description}
  \item $\SN{\tau}{\gamma(e_1 \; e_2)} \equiv \SN{\tau}{\gamma(e_1) \; \gamma(e_2)}$
\end{description}
By the induction hypothesis we have
\begin{align}
  &\SN{\tarrow{\tau_2}{\tau}}{\gamma(e_1)} \\
  &\SN{\tau_2}{\gamma(e_2)}
\end{align}
If we use the 3rd property of (1), $\forall e'. \; \SN{\tau_2}{e'} \implies \SN{\tau}{\gamma(e_1) \; e'}$, instantiated with (2), then we get $\SN{\tau}{\gamma(e_1) \; \gamma(e_2)}$ which is the result we need.
\case{\TAbs} \\
We have:
\begin{description}
  \item $\gamma \models \Gamma$
\end{description}
We need to show:
\begin{description}
  \item $\SN{\tarrow{\tau_1}{\tau_2}}{\gamma(\tlabs{x}{\tau_1}{e})} \equiv \SN{\tarrow{\tau_1}{\tau_2}}{\tlabs{x}{\tau_1}{\gamma(e)}}$
\end{description}
Our induction hypothesis in this case reads:
\[
  \Gamma,x:\tau_1 \vdash e : \tau_2 \pand \gamma' \models \Gamma, x : \tau_1 \quad \implies \quad \SN{\tau_2}{\gamma'(e)}
\]
It suffices to show the following three things:
\begin{enumerate}
\item $\mtenv \vdash \tlabs{x}{\tau_1}{\gamma(e)} : \tarrow{\tau_1}{\tau_2}$
\item $\tlabs{x}{\tau_1}{\gamma(e)} \Downarrow$
\item $\forall e'. \SN{\tau_1}{e'} \implies \SN{\tau_2}{(\tlabs{x}{\tau_1}{\gamma(e)}) \; e'}$
\end{enumerate}
If we use the substitution lemma and push the $\gamma$ in under the $\lambda$-abstraction, then we get 1\footnote{Substitution has not been formally defined here, but one can find a sound definition in Pierce's Types and Programming Languages.}. 2 is okay as the lambda-abstraction is a value.

It only remains to show 3. To do this we want to somehow apply the induction hypothesis for which we need a $\gamma'$ such that $\gamma' \models \Gamma, x:\tau_1$. We already have $\gamma$ and $\gamma \models \Gamma$, so our $\gamma'$ should probably have have the form $\gamma' = \gamma[x \mapsto v_?]$ for some $v_?$ of type $\tau_1$. Let us move on and see if any good candidates for $v_?$ present themselves.

Let $e'$ be given and assume $\SN{\tau_1}{e'}$. We then need to show $\SN{\tau_2}{(\tlabs{x}{\tau_1}{\gamma(e)}) \; e'}$. From $\SN{\tau_1}{e'}$ it follows that $e' \Downarrow v'$ for some $v'$. $v'$ is a good candidate for $v_?$ so let $v_? = v'$. From the forward part of the preservation lemma we can further conclude $\SN{\tau_1}{v'}$. We use this to conclude $\gamma[x\mapsto v'] \models \Gamma, x:\tau_1$ which we use with the assumption $\Gamma,x:\tau_1 \vdash e : \tau_2$ to instantiate the induction hypothesis and get $\SN{\tau_2}{\gamma[x\mapsto v'](e)}$.

Now consider the following evaluation:
\begin{align*}
  (\tlabs{x}{\tau_1}{\gamma(e)}) \; e' & \evaltos (\tlabs{x}{\tau_1}{\gamma(e)}) \; v' \\
                                       & \evalto \gamma(e)[v'/x] \equiv
                                                   \gamma[x \mapsto v'](e)
\end{align*}
We already concluded that $e' \evaltos v'$, which corresponds to the first series of steps. We can then do a $\beta$-reduction to take the next step and finally we get something that is equivalent to $\gamma[x \mapsto v'](e)$. That is we have the evaluation
\[
(\tlabs{x}{\tau_1}{\gamma(e)}) \; e' \evaltos \gamma[x \mapsto v'](e)
\]
From \SN{\tau_1}{e'} we have $\mtenv \vdash e' : \tau_1$ and we already argued that $\mtenv \vdash \tlabs{x}{\tau_1}{\gamma(e)} : \tarrow{\tau_1}{\tau_2}$ so from the application typing rule we get $\mtenv \vdash (\tlabs{x}{\tau_1}{\gamma(e)}) \; e' : \tau_2$. We can use this with the above evaluation and the forward part of the preservation lemma to argue that every intermediate expressions in the steps down to $\gamma[x \mapsto v'](e)$ are closed and well typed.

If we use \SN{\tau_2}{\gamma[x\mapsto v'](e)} with $(\tlabs{x}{\tau_1}{\gamma(e)}) \; e' \evaltos \gamma[x \mapsto v'](e)$ and the fact that every intermediate step in the evaluation is closed and well typed, then we can use the backward reduction part of the $\SNPred$ preservation lemma to get \SN{\tau_2}{(\tlabs{x}{\tau_1}{\gamma(e)}) \; e'} which is the result we wanted.

\end{proof}
\subsection*{Exercises}
\begin{enumerate}
\item Prove $\SNPred$ preserved by forward/backward reduction.
\item Prove the substitution lemma.
\item Go through the cases of ``\circled{a} Generalized'' shown here by yourself.
\item Prove the if-case of ``\circled{a} Generalized''.
\item Extend the language with pairs and adjust the proofs.
  \begin{enumerate}
  \item See how the clauses we generally wanted our logical predicate to have play out when we extend the logical predicate. Do we need to add anything for the third clause or does it work out without putting anything there, like we did with the $bool$ case?
  \end{enumerate}
\end{enumerate}
\clearpage