evaluations of its arguments. To illustrate this, let us consider the context C ]. ( v:vv) ]I and the values. V. Ik(K + O), V 0. IkK and V 00. IkO, where K xy:x and O xy:y.
A FILTER MODEL FOR CONCURRENT �-CALCULUS� MARIANGIOLA DEZANI-CIANCAGLINI AND UGO DE'LIGUORO DIPARTIMENTO DI INFORMATICA UNIVERSITA� DI TORINO CORSO SVIZZERA 185 10149 TORINO (ITALY) ADOLFO PIPERNO DIPARTIMENTO DI SCIENZE DELL'INFORMAZIONE UNIVERSITA� DI ROMA \LA SAPIENZA" VIA SALARIA 113 00198 ROMA (ITALY)
Abstract. Type free lazy �-calculus is enriched with angelic parallelism and demonic nondeterminism. Call-by-name and call-by-value abstractions are considered and the operational semantics is stated in terms of a must convergence predicate. We introduce a type assignment system with intersection and union types and we prove that the induced logical semantics is fully abstract. Key words. Lambda-calculus, parallelism, non-determinism, full abstraction, functional programming, concurrency. AMS subject classi cations. 03B15 (Higher-order logic and type theory), 03B40 (Combinatory logic and lambda-calculus), 03G10 (Lattices and related structures), 68N15 (Programming languages), 68Q10 (Models of computation (concurrent, parallel, non-deterministic, etc.)), 68Q42 (Rewriting systems), 68Q55 (Semantics).
1. Introduction. Powerful computer architectures make parallelism and concurrency feasible. To exploit these features in existing high-level programming languages, while retaining abstraction and logical clarity in writing programs, it is natural to extend those languages by new concepts and constructs. In particular much work has been done to accommodate parallel and concurrency primitives inside functional programming languages like CML [60] and FACILE [28] (see [29] for further work in the area and for references). This extension gives rise to the problem of introducing non-functional features in the functional framework. To illustrate this, let us consider parallelism rst. If the parallel construct is a control primitive which allows the programmer to force the parallel evaluation of two or more arguments to be passed to a function, then the treatment of divergence (and the value passing mechanism) becomes much more complex. For example, a binary function may be unde ned if both its arguments are unde ned, without being strict neither in the rst nor in the second argument. A typical example is Scott's parallel-or function (see [62], p. 437), the binary partial function of booleans that returns true if at least one of its arguments is de ned and equal to true, and returns false if both arguments are de ned and equal to false. The parallel-or can be further analyzed as an example of parallel composition of compatible sequential functions. Indeed, let Lor � �xy: if x then true else y ; Ror � �xy: if y then true else x This work has been partially supported by grants from ESPRIT-BRA 7232 GENTZEN and from CNR-GNASAGA. 1 �
2
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
be the left-sequential and the right-sequential or, respectively. Then these functions are compatible, since, in the pointwise ordering induced by the at domain of booleans, they have an upper bound (actually a join) which is the parallel-or function itself. On the other hand, if they can be computed in parallel, returning as soon as either the computation of Lor or the computation of Ror stops, then we have an implementation of the parallel-or function. If parallel composition is a binary operator that can be applied to any pair of functions - not necessarily compatible - then the same evaluation mechanism is a nondeterministic device, that can be modeled as a multivalued function. An example is McCarthy's amb function [47]. This kind of multivalued functions have been widely considered in the literature. In the folklore this form of non-determinism is called angelic non-determinism (and credited to Hoare) because of its behavior with respect to divergence: a parallel composition is convergent if at least one of its operands converges. In terms of Dijkstra's correctness criteria, this corresponds to partial correctness. Concurrency has been added to functional languages using CCS or CSP-like synchronization and communication primitives. In both cases the interaction with the environment introduces a di�erent form of non-determinism, as unpredictable events may a�ect the behavior of the system. In particular, non-determinism comes in when a choice occurs among guarded commands having the same guard (see [38]). This non-determinism has been modeled using internal choice operators, which are correctly considered as abstraction or speci cation tools. Indeed no programmer may wish to use internal choice to control the evaluation of a program; it has to be thought of instead as a declaration, saying that, whatever the actual alternative will be, the program still satis es the correctness requirements. Of course the criterion is that of total correctness, so that, with respect to divergence, an internal choice is divergent as soon as one of its operands diverges. In folklore terms, this is demonic non-determinism. A survey about non-determinism in functional languages can be found in [65]. When facing these theoretical problems a primary point is to choose the abstraction level of the investigation. One may take a very abstract view and consider them as multifunctions, or, equivalently, functions over powerdomains. This study has been pioneered by Plotkin in [58] and pursued by several authors (see [66] and, for a survey, [46]). Here continuity is the only aspect of computations which is retained in the theory, the main point being the treatment of divergence. An alternative and quite concrete approach is to model functionality, concurrency and parallelism by syntactical tools. This amounts to design theoretical languages that formalize essentially all aspects of the computation and interaction, so that actual programming languages can be seen as sugared syntax of the former ones. In this case the languages and the related calculi are inspired on one hand by the �-calculus, both typed and type free, and on the other hand by the process calculi (CCS, CSP, ACP, etc.). In exploiting the \concrete" approach, there are at least two main streams. Following the rst, functions and processes are rst class objects. The resulting calculus can either be seen as a �-calculus with processes as possible arguments of functions (as in Nielson's TPL [53]) or as a process algebra with a special form of communication, generalizing the -reduction of the �-calculus (as in Thomsen's CHOCS [67, 34, 35]).
CONCURRENT LAMBDA-CALCULUS
3
The second stream does not allow processes as arguments of functions: instead channels (or port names) have a rst class status and can be sent as values (see e.g. [11]). The most radical step in this direction is to think of processes just as agents that communicate each others channel names as values. In this way processes are virtually passed by sending the name of a (private) channel to the receiver, thus giving access to the \passed" process: this is Milner's � -calculus [51]. In the latter case, functions and functional application disappear from the calculus syntax, and they are simulated in a rather complex way. In this paper we advocate a third approach to the problem of the mathematical study of relevant aspects of concurrent functional languages, which, in some sense, sits in between the abstract denotational method and the concrete, direct description of interaction and communication. In this case one still considers a formal language together with its operational semantics. The latter gives an essential (and e�ective) description of the evaluation of expressions in the language. The main departure from the concrete approach, however, is the abstraction from communication, concentrating on a syntax which represents di�erent kinds of non-determinism by means of di�erent operators, whose behavior is axiomatically described by the rules of the operational semantics. In this perspective the interaction between functionality and non-determinism has been studied both in the algebraic framework of rewriting [18, 31, 32, 2], where no abstraction operator is present, and in the �-calculus framework, either typed [9, 10, 64], or type free [25, 56, 8, 19, 45].
1.1. Angelic non-determinism. Our study confronts various problems that
had their origin in the theory of functional languages and �-calculus. In [59] Plotkin showed that Scott continuous functions over domains are overabounding to give meaning to the sequential functional language that has been called PCF (a simply typed �-calculus with arithmetical constants, booleans, if-then-else and xed-point operator). To be precise, he considered the following notion of operational equivalence. Two terms M and N of the same type are operationally equivalent if and only if, for all contexts C [ ] of ground type such that both C [M ] and C [N ] are well-typed closed terms, either the evaluations of C [M ] and C [N ] do not terminate (converge), or both terminate and give the same result. It comes out that, if two terms have the same denotation in the standard model (in which ground types are at cpos and arrow types are interpreted as spaces of Scott continuous functions) then they are operationally equivalent (adequacy theorem); but the converse (full abstraction) does not hold. In the same paper Plotkin proved that syntax can be reasonably enriched to get full abstraction, and that this can be achieved by using a suitable kind of parallel operators or combinators. Milner proved in [49] that this is also a necessary condition: any model of PCF is fully abstract if and only if all \ nite" objects in the model are de nable. Conversely, the standard model becomes fully abstract if we endow the calculus with operators that reinforce its expressive power such that it satis es Milner de nability requirement. The same incompleteness phenomenon with respect to standard continuous semantics has been found for the lazy �-calculus in [6]. This is a type free calculus, having the same syntax of pure �-calculus and a reduction relation over closed terms,
4
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
with just two rules: (�x:M )N ?! M [N=x]
and
M ?! M 0 : MN ?! M 0N
The full abstraction problem can be reformulated in this setting, even if we do not have the notion of ground type. Indeed Abramsky and Ong de ne the set Val of values as the set of abstractions. Then their notion of may convergence is: M may converge to V , written M +may V , if V is a value and M ?!� V . In [6] the operational semantics is given by axiomatizing M +may V , instead of giving the reduction relation as a primitive notion: of course this is equivalent. As a matter of fact, the problem of enriching the calculus so that the standard model is fully abstract can be solved by adding a combinator P testing convergence in parallel. More precisely P satis es [9V: M +may V or N +may V ] ) PMN +may I; where I � �x:x is the identity combinator. This gives a combinator which tests convergence, i.e. a closed term C such that, for any term M , CM reduces to I if M reduces to a value and diverges otherwise: just take C Def = �x:Pxx. In [19] a further step is made by Boudol. The combinator P is split into its two components, namely parallelism and convergence test. The parallelism implicit in P is made explicit by adding a binary operator k such that M kN +may , M +may or N +may ; where M +may abbreviates 9V: M +may V . To have this, with the above de nition of convergence, the following rules su�ce
M ?! M 0 M kN ?! M 0kN
and
N ?! N 0 : M kN ?! M kN 0
As the intended meaning of a parallel composition is a function, Boudol adds the following rule (M kN )L ?! (ML)k(NL): The internal convergence test is achieved using, besides standard call-by-name abstraction, call-by-value abstraction, originally considered by Landin [41] and Plotkin [57]. To see how this works, let us extend the set Val of values inductively so that it includes all terms of the shape V kN or M kV , where V is a value. We use two sorts of variables to distinguish between call-by-value and call-by-name abstraction, namely v; w; ::: for call-by-value variables and x; y; ::: for call-by-name variables. Then we add to the lazy �-calculus and to the rules for k, the following rules
N ?! N 0 (�v:M )N ?! (�v:M )N 0 if N 62 Val. Now P becomes de nable by �xy: (�v:I)(xky ). (�v:M )V ?! M [V=v ] if V 2 Val,
We observe that the combination of parallelism (angelic non-determinism) and call-by-value is much more powerful than the use of combinators directly de ning a parallel convergence test. First, the notion of being a value is no more equivalent to that of being irreducible. Moreover, as remarked in the early paragraphs of this
CONCURRENT LAMBDA-CALCULUS
5
introduction, M kN has to be interpreted as a multivalued function, since M and N are not necessarily interpreted by compatible functions. So the model of [19] is a solution of the domain equation D = P [([D ! D]? ), where [D ! D]? is the lifted space of continuous functions, and P [ is the lower power-domain functor (also called Hoare's power-domain, see [66] for a de nition). Since Boudol works in the category of prime algebraic lattices, he has this solution for free. In fact in that category D ' P [ (KP(D)), where KP(D) is the set of compact coprime elements of D. Let us recall that a complete lattice is a partial order (D; v) such that each subset X ofF D F has a least upperbound X . An element d of a complete lattice is compact if d v X F implies d v Y for some nite subset Y of X . An element d 2 D is coprime if and only if d v x t y implies d v x or d v y . A complete lattice is prime algebraic if any element is the join of the compact coprime elements it dominates. See also the discussion at the beginning of section 4. 1.2. Demonic non-determinism. Serious problems arise when we consider the full language, modeling also the demonic non-determinism (see [55, 56]), which is the central issue of the present paper. Suppose that an internal choice operator + is added, with the obvious reduction rules M + N ?! M and M + N ?! N: Then, following ideas explained above (see also [45]), we expect a convergence predicate + such that M + N + , M + and N + : But this is not true with the present de nition of +may . The convergence predicate considered above (and in [19]) is a may convergence predicate, to be related to may testing equivalence if convergence is the only observable property (see [3, 33, 6]). A solution would be to consider a must convergence predicate as in [45] (see also [35]). An informal de nition is the following: M +must if and only if there is an n such that every reduction out of M reaches a value within a number of steps bounded by n. Otherwise we write M *must . Of course, if we have to avoid the collapse of k and + with respect to the predicate +must, something has to be changed in the operational semantics of k. In fact, with the old de nition of k-reduction rules, if we put for example � � �x:xx and we take the typical divergent combinator � ��, then we have that (II)k *must . The problem is that nothing prevents the reduction of a parallel composition from being unfair: there exists a reduction out of (II)k that contracts in nitely many times and never reaches the value Ik . Really, we want to identify Ik with I, since k is intended to take the best of its arguments; notice that the mentioned terms are not equivalent in a standard must semantics (see [24]), when the parallel operator is asynchronous. There are many possibilities of changing the reduction rules for k in such a way that we cannot reduce in nitely many times on one side of a parallel composition, when the other one is reducible. We take the simplest way to get this kind of fair reduction and we introduce the rules
M ?! M 0 N ?! N 0 M kN ?! M 0 kN 0
M ?! M 0 N 6?! M kN ?! M 0kN; N kM ?! N kM 0
6
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
as our actual choice (see [25]), where N 6?! means that N is irreducible. This implies that, as in [19], a value of the shape V kM is not necessarily a normal form, as M can be reduced. This fact, together with the presence of the choice operator, makes the -rule for call-by-value sensible to the relative speed of parallel evaluations of its arguments. To illustrate this, let us consider the context C [ ] � (�v:vv )[ ] I and the values V � Ik(K + O), V 0 � IkK and V 00 � IkO , where K � �xy:x and O � �xy:y . Then n for n > 1 reduction steps) V ?! V 0 and V ?! V 00. Now (writing ?!
C [V 0] ?! 3 ?! ?! ?! ?! ?! ?!
(IkK)(IkK) I (I(IkK) I)k(K(IkK) I) ((IkK) I)k((�y:(IkK)) I) ((I kK )I)k((IkK)I) (I I)k(K I)k(II)k(KI) ( I)k((�y: )I)kIk(�y:I) ( I)k kIk(�y:I)
which is a value, and it is not hard to see that this is the only reduction out of C [V 0] according to the rules de ned in 2.2. Similarly,
C [V 00] ?! (IkO)(IkO) I ?!� ( I)kIk( I) and again this is the only reduction out of C [V 00]. But now consider the following reduction of C [V ] C [V ] ?! (Ik(K + O))(Ik(K + O)) I 3 (I(Ik(K + O)) I)k((K + O)(Ik(K + O)) I) ?! ?! ((Ik(K + O)) I)k(O(Ik(K + O)) I) choosing O ... 2 ?! (I I)k((K + O) I)k( I) ?! ( I)k(K I)k( I) ... choosing K ?! ( I)k k( I) and from ( I)k k( I) we will never reach a value. This example also shows that there are values V0; V1 and V2 such that V0k(V1 + V2) and (V0kV1) + (V0kV2) would have di�erent behaviors in some context, although this would be unexpected under any reasonable operational semantics. Indeed, (�v:vv )(V0k(V1+ V2)) can reduce to (V0k(V1 + V2 ))(V0k(V1 + V2)), while (�v:vv)((V0kV1) + (V0kV2)) can reduce either to (V0kV1)(V0kV1) or to (V0kV2)(V0kV2), but never to (V0k(V1 + V2))(V0k(V1 + V2)). Note that in the present context call-by-name and call-by-value implement run-time-choice and call-time-choice respectively (see [45]). The problem of correcting the -contraction rule for call-by-value is that, given a value V , we cannot decide whether it has been computed enough to perform the reduction step (�v:M )V ?! M [V=v ], or if it is necessary to reduce V further, before
CONCURRENT LAMBDA-CALCULUS
7
contracting the outermost -redex. We cannot reduce V as long as possible, since this could not terminate. In the meantime, M [V=v ] can diverge while M [V 0 =v ] can converge for all V 0 which are reducts of V , as shown by the previous example. On the other hand, any e�ective description of the operational semantics calls for a de nition of a recursive one step reduction relation. Now the solution we propose is to distinguish two cases: if V is an irreducible value (namely a �-abstraction or the parallel composition of irreducible values), then the standard call-by-value -contraction rule applies. If, instead, V can be reduced further, to compute (�v:M )V we want \take the best" between the terms M [V 0=v ], for all V 0 such that V ?!� V 0 . We realize this by evaluating in parallel M [V=v ] and (�v:M )V 0 for all V 0 such that V ?!V 0 . Using the operator k, this can be formalized in our calculus as follows V 6?! V 2 Val V ?! V 0 V 2 Val (�v:M )V ?! M [V=v ] (�v:M )V ?! M [V=v ]k(�v:M )V 0 : In other words, the solution we propose is to distinguish between total and partial values. A total value is an irreducible value, while a partial value is of the form M kN in which either M or N is not a total value. So we split the call-by-value -contraction in two rules. To conclude this part of our discussion, let us spend a few words to emphasize the e�ectiveness of the evaluation mechanism as a distinguishing feature of our calculus. As it is clear from the previous exposition, the papers closest to the present one are [19] and [55]1. While our treatment improves on the former because of the presence in the same calculus of both angelic and demonic non-determinism, it improves on the second since the operational semantics on which we base our theory is e�ective. Indeed, the reduction relation is (as usual) presented by means of a formal system in the sense of Post, and the convergence predicate is (up to coding) recursively enumerable. This is mandatory when one expects to capture the intentional aspects of evaluation, and justi es our reduction relation as it will be de ned in the technical development of the paper. 1.3. Intersection and Union Types. The complex operational semantics of the concurrent �-calculus asks for an abstract treatment not involving direct reasoning on possible reducts of a given term. The approach taken in this paper is to use a type assignment system that su�ciently expresses the operational equivalence of terms. We expect that M and N have the same types exactly when they have the same behavior in any context: this is a fully abstract \logical" semantics in the sense of [63], [16] and [5]. To this aim, we use a system with intersection and union types, dually re ecting the disjunctive and conjunctive operational semantics of k and +. Types are viewed as properties of terms concerning their behavior with respect to the convergence predicate, and type inclusion as the logical implication. The system has a universal type !, the property which trivially holds of everything; therefore, any type will be less than ! . As usual with type assignment systems for polymorphic �-calculi, the arrow type expresses functionality: M has type � ! � if, for all N having type � , MN has type � . With respect to the order, the arrow is co-variant in the second argument and 1
Following Ong's paper we named our calculus concurrent �-calculus.
8
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
contra-variant in the rst argument. Finally � ^ � and � _ � have a conjunctive and disjunctive meaning, respectively. The lazy semantics distinguishes between functions (even the everywhere unde ned function) and the unde ned object, representing divergence. This means that the interpretation of the term �x: is better than the interpretation of . These terms, instead, are equated in the theory of solvability of the classical �-calculus [15]. On the side of types, this distinction is modeled by making the inclusion ! ! ! � ! proper. As a matter of fact, among the axioms in [16] concerning the arrow, we save � ! ! � ! ! ! , which makes ! ! ! the type of all functions, but we reject ! � ! ! !, which would equate the interpretations of the terms and �x: (see Corollary 5.6(ii)). We now turn to the typing rules for non-deterministic and parallel operators. We know that the term M + N can be reduced to both M and N , so that to ensure correctness we have to prove that both M and N have the same type � before we can conclude that M + N has type � (this is also the choice of [1]). Extending the disjunctive semantics of the parallel composition from convergence to arbitrary properties, it follows that one is entitled to type M kN with � as soon as M or N (or both) can be typed with � (see [19] for further explanations). This suggests the following typing rules ?`M :� ?`N :� ?`M :� ?`N :� : ?`M +N :� ? ` M kN : � ? ` M kN : � The inclusion relation � among types makes ^ into the meet and _ into the join, and we have both a subtyping and an intersection rule, namely ?`M :� ��� ?`M :� ?`M :�: ?`M :� ?`M :�^� Therefore the rules for + and k above are equivalent to ?`M :� ?`N :� ; ?`M :� ?`N :� ? `M +N :�_� ? ` M kN : � ^ � which is our actual choice. If M has type � _ � then it can be that M evaluates both to some P and Q such that P has type � , Q hat type � , but neither P has type � nor Q has type � . In this case, M has an essentially disjunctive type, which is possible even if M is a partial value. But all is determined in case of total values. So we expect the system to have the \disjunction property" for total values: if a total value has the type � _ � , then either � or � can be assigned to it (hence to all its reducts). Consequently, we distinguish between call-by-name and call-by-value abstraction making a substantial use of disjunction. This intuitively explains why the following rule ? ` �v:M : (� ! �) ^ (� ! �) ? ` �v:M : � _ � ! � is correct for call-by-value but not for call-by-name abstraction. Observe that this means that call-by-value abstraction yields a co-additive function (namely, meet preserving), which is the expected semantics of call-by-value in our setting.
CONCURRENT LAMBDA-CALCULUS
9
As an example, if M � (xI )k(x I), � � ! ! ! , � � � ! ! ! �, � � ! ! � ! �, then we have that ` �x:M :(� ! �) ^ (� ! �). Moreover, ` K: � and ` O: � , so that allowing the rule above for call-by-name abstraction one could deduce (�x:M )(K+ O): �, using the rules for + introduction and ! elimination, too. But this would destroy the subject-reduction property, since (�x:M )(K + O) reduces to k , for which only types equivalent to ! can be deduced (see Corollary 5.6(ii)). The type assignment system implicitly suggests a notion of interpretation in which each term can be seen as denoting the set of types it can be assigned. Then one can think of extending the notion of lter models such that they encompass the present calculus and union types. Filter models were introduced in [16] for the classical �-calculus and they were based on the intersection type discipline. In that case, however, discovering that lters of types do actually form a structure (a �-model) was based on the pre-existing and independent de nition of this kind of mathematical structures (see [37, 48]). Here the problem is the opposite: given the logical interpretation induced by our system, we look for a reasonable de nition of what is a model of our calculus. In the extended view of Curry types (see [16, 21]), type theories are an instance of information systems (see [63, 23]). Taking lters of types we have a domain that, seen topologically, is the Stone space generated by the theory of type inclusion (see [40, 5]). In the present case the domain that is determined by the type theory we consider is isomorphic to the initial solution of the domain equation D = P ]([D ! D]? ) in the category of continuous lattices, where P ] is the upper powerdomain functor (also called Smyth's powerdomain, see [66]). This is sound with respect to the operational semantics since this powerdomain constructor is needed to model demonic non-determinism, as angelic non-determinism is built in, by the fact that we work with prime algebraic lattices (as remarked at the end of subsection 1.1). This domain equation, and their relations to Abramsky and Boudol equations [5, 19], will be discussed further at the beginning of section 4. We do not carry out the details of the isomorphism between the lter model and the initial solution of the given domain equation, for which we refer to [7]. Instead, we analyze compositionally the interpretation of terms de ned by [M ] = f� j ` M : � g (where M is closed), and devise a category of objects that embodies the minimum needed structure to interpret the calculus. We then get a notion of environment model for the present calculus, in the sense of [37]. The lter model induced by our type assignment turns out to t into this notion, a fact that will be used to prove completeness of type inference. Our study culminates in the full abstraction theorem, that we will prove by means of characteristic terms extending [19]. A preliminary version of this paper appeared in Proceedings of TACS'94, LNCS 789, 1994, 16-35. 1.4. Summary. In Section 2 we formally de ne the concurrent �-calculus and its reduction rules. We consider the reduction trees of terms to introduce convergence. Moreover, we consider another reduction relation, whose main feature is to characterize convergent terms as those which reduce to a sum of values. Section 3 deals with types and the type assignment system. Crucial is the choice of the preorder on types, which will determine the topological structure of the lter
10
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
model. The type assignment system turns out to enjoy structural properties which allow to prove preservation of type under subject reduction. The main result of this section is that all convergent terms can be typed by ! ! ! . Section 4 presents the lter model as the initial solution of a suitable domain equation. Then we introduce the notion of environment model for concurrent �calculus and we prove that the lter model is in fact an environment model. This allows to have the completeness of type assignment. Finally, we prove in section 5 the full abstraction of the lter model. First we de ne for each type a test term and a characteristic term. The application of the test term to an argument M converges only if M has the corresponding type. By means of a realizability interpretation of types we show that all terms typed by ! ! ! converge. This, together with the main result of section 3, implies that ! ! ! completely characterizes convergence. Then the full abstraction of the model follows easily. 2. The Calculus and its Operational Semantics. We extend the syntax of pure �-calculus with a non-deterministic choice operator + and a parallel operator k. We use two sorts of variables, namely the set Vn of call-by-name variables, ranged over by x; y; z and the set Vv of call-by-value variables, ranged over by v; w. The symbol � will range over the set Vn [ Vv. The terms of the concurrent �-calculus are de ned by the following grammar M ::= x j v j (�x:M ) j (�v:M ) j (MM ) j (M + M ) j (M kM ): We call �+k the set of terms. For any M 2 �+k , FV (M ) denotes the set of free variables of M ; �0+k is the set of terms M such that FV (M ) = ;. Moreover, we shall refer to the following set Par = f(M kN ) j M; N 2 �+k g: Notation. We use � for syntactical equality up to renaming of bound variables. As usual for pure �-calculus, we assume that application associates to the left and we write e.g. MNP instead of ((MN )P ). If L~ � L1 � � � Ln is any (possibly empty) vector of terms, then M L~ � ML1 : : :Ln . The expression ��1 : : :�n :M is short for (��1:(: : : (��n :M ) : : :)). We will abbreviate some �-terms as follows I Def = �x:x K Def = �xy:x O Def = �xy:y � Def = �x:xx Def = �� Y Def = �y:(�x:y (xx))(�x:y (xx)): Application and abstraction have precedence over + and k, e.g. MN + P stands for ((MN ) + P ) and �x:M + N for ((�x:M )+ N ). The operator k takes precedence over +: for example M kP + Q is short for ((M kP ) + Q). External parentheses are always omitted. The operators + and k will be written up to associativity. We shall also make use of the following abbreviation n X
Moreover, if
Mi � M1 + � � � + Mn :
i=1 M = fM1; : : :; Mng is
any nite multiset of terms then
X
M�
n X i=1
Mi :
CONCURRENT LAMBDA-CALCULUS
11
Observe that, being M a multiset, it can be the case that Mi � Mj for di�erent i and j. As discussed in the introduction, we need to distinguish between partial and total values; the main di�erence concerns the parallel operator. In fact we require both M and N to be total values to ensure that M kN is a total value, while in general it su�ces that either M or N is a value to have that M kN is a value. As it is clear from the next de nition, a value is either a total or a partial value. Definition 2.1. We de ne the set Val of values according to the grammar V ::= v j �x:M j �v:M j V kM j M kV and the set TVal of total values as the subset of Val W ::= v j �x:M j �v:M j W kW : A value V is partial i� V 62 TVal. We now introduce a reduction relation which is intended to formalize the expected behavior of a machine which evaluates in a synchronous way parallel compositions, until a value is produced. Partial values can be further evaluated, and this is essential in case of an application of a call-by-value abstraction. Therefore, in some cases an asynchronous evaluation of parallel composition is permitted. It follows that the convergence predicate will not be any more coincident with the property of being (strongly) normalizable (see [19] for a similar proposal, even if in a may perspective) with respect to the given reduction relation. Observe that in the lazy �-calculus of [6], as well as in the present calculus, ��:M is a normal form, no matter whether M is reducible or not. Definition 2.2.
(i) The reduction relation ?! is the least binary relation over �0+k such that W 2 TVal ( ) (�x:M )N ?! M [N=x] ( v ) (�v:M )W ?! M [W=v ]
V 0 V 2 Val ( v k) (�v:MV)V?! ?! M [V=v]k(�v:M )V 0 S Par 0 M ?! M M 2 6 Val (� ) MN ?! M 0N M 0 N ?! N 0 (ks) MM?! kN ?! M 0kN 0
N ?! N 0 N 62 Val (�v ) (�v:M )N ?! (�v:M )N 0 (kapp) (M kN )L ?! MLkNL
M ?! M 0 W 2 TVal (ka) M kW ?! M 0kW; W kM ?! W kM 0
(+) M + N ?! M ; M + N ?! N . (ii) We denote by ?!� the re exive and transitive closure of ?!. Lemma 2.3.
(i) W 2 �0+k is irreducible wrt ?! i� W 2 TVal; (ii) If V 2 �0+k \ Val, then either V 2 TVal or V ?! V 0 for some V 0 2 Val; (iii) If W; W1; : : :; Wn 2 TVal; N1; : : :; Nm 2 �+k , then W [N1=x1; : : :; Nm=xm; W1=v1; : : :; Wn=vn ] 2 TVal:
12
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
Proof. Easy by de nitions. It is useful to consider reduction trees of terms and their bars. Definition 2.4. Let M 2 �0+k. (i) tree(M ) is the (unordered) reduction tree of M ; (ii) A bar of tree(M ) is a subset of the nodes of tree(M ) s.t. each maximal path intersects the bar at exactly one node; (iii) bar(M ) is the set of bars of tree(M ); (iv) For b 2 bar(M ) the height of b (notation: height(b)) is the maximum of the heights of its nodes. Inspecting the reduction rules, we see that tree(M ) is a nitely branching tree for all M 2 �0+k . This implies by Konig's Lemma that if we cut tree(M ) at a xed height we obtain a nite tree. Since all nodes belonging to a bar b are in the subtree of tree(M ) obtained by cutting tree(M ) at height(b), we have that b 2 bar(M ) is always a nite set of nodes (see also [17]). This does not contradict the fact that a term may have in nite reduction paths. For example, let us consider the in nite reduction tree of YM , where M � �x:(I + x), which is shown in Figure 1. Admittedly, the set of nodes in tree(YM ) which are labeled by I is in nite, but it is not a bar. Indeed the in nite path in this tree does not have any node in such set and every b 2 bar(YM ) must contain exactly one node of this path. Whichever node we choose on the in nite path we will exclude all nodes with greater height, so that b comes out to be nite.
YM ! N ! MN ! I + N
% I &
N ! MN ! I + N
Fig. 1. Reduction tree of YM , where N
% I &
N ! ���
� (�x:M (xx))(�x:M (xx)).
A bar is always relative to a tree and cannot be identi ed with the set of the labels of its nodes. For example tree(M + IM ) has the shape shown in Figure 2. Now the indicated set of nodes b is a bar whose set of labels is the singleton fM g. But the set containing a single node labeled by M is not a bar of this tree. Moreover the height of the bar b is two, but if b would be identi ed with fM g, then height(b) would be ambiguously one or two. However, if b 2 bar(M ), then two subtrees rooted in two nodes of b are equal if and only if their labels are the same. Hence we abuse notation and we write b = fM1; : : :; Mng (if M1 ; : : :; Mn is the multiset of labels of nodes belonging to b). The abbreviations M 2 b and b � Val will have the obvious meanings. We now de ne the convergence predicate. A term is convergent if and only if all reduction paths will eventually reach a value. In other words, a term M converges if and only if there is a bar in tree(M ) which is a subset of Val. To formalize this,
CONCURRENT LAMBDA-CALCULUS
13
M + IM
b
M
� �
�A � A
IM
L
L L : : :LL L
A A
L
L
M L L : : :L
Fig. 2. Reduction tree of M + IM .
it is useful to introduce the bar R(M; k) whose labels are those terms which can be reached starting from a term M by performing k steps of reduction. Definition 2.5. Let M 2 �0+k, then (i) R(M; k) 2 bar(M ) is the cut of tree(M ) at height k, namely it is the unique bar such that (a) height(R(M; k)) � k; (b) 8M 0 2 R(M; k): height(M 0 ) < k ) M 0 2 TVal. (ii) M +k , R(M; k) � Val; (iii) M + , 9k: M +k . Note that (M + N ) + if and only if both M + and N +. On the other hand (M kN ) + if and only if either M + or N + (or both). So + coincides with +must as informally de ned in subsection 1.2. In general, if for some b 2 bar(M ) we have M 0 + for all M 0 2 b, then M +. The vice-versa is obviously true. We depart from the standard way of de ning must semantics using in nite paths (see [24]). This gives us a di�erent theory of terms, for example we equate I and Ik . To study the operational semantics of our calculus it is useful to introduce a binary relation > whose main features are � to satisfy the Church-Rosser property; � to simulate the choices performed by rule (+) without losing information about the discarded parts; � to characterize the convergent terms as those which reduce to a sum of values. Moreover we will consider the equivalence relation ./ generated by >. Definition 2.6.
(i) De ne > as the least binary relation over �0+k such that ( )0 (�x:M )N > M [N=x], ( v )0 (�v:M )W > M [W=v ], if W 2 TVal, P ( v k)0 (�v:M )V > ni=1 (M [V=v ]k(�v:M )Vi) if V 2 Val?TVal and R(V; 1) =
14
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
fV1; : : :; Vng, P (�v )0 (�v:M )N > ni=1 (�v:M )Ni if N 62 Val and R(N; 1) = fN1; : : :; Nng, (+app)0 (M + N )L > ML + NL, (kapp)0 (M kN )L > MLkNL, (k+)0 (M + N )kL > M kL + N kL, (� )0 M > M 0 ) MN > M 0 N , (+)0 M > M 0 ) M + N > M 0 + N , (k)0 M > M 0 ) M kN > M 0 kN , (+c )0 M + N > N + M , (kc )0 M kN > N kM , (+ass )0 (M + N ) + L > M + (N + L) and M + (N + L) > (M + N ) + L, (kass )0 (M kN )kL > M k(N kL) and M k(N kL) > (M kN )kL. (ii) >� is the re exive and transitive closure of >. (iii) ./ is the symmetric closure of >�, up to associativity and commutativity of + and k. Proposition 2.7. The relation > is Church-Rosser, namely 8M; M1; M2 2 �0+k: M >� M1 & M >� M2 ) 9M3: M1 >� M3 & M2 >� M3: Proof. The proof is a variant of the Tait-Martin Lof proof for classical �-calculus
(see [15]). We de ne the following relation on closed terms � M ; M; � if M > M 0 by any clause among ( )0, ( v )0, ( v k)0 and (�v )0 then M ; M 0; � if M ; M 0, N ; N 0 and L ; L0 then { (M kN )L ; M 0LkN 0L, { (M + N )L ; M 0L + N 0L, { (M + N )kL ; M 0kL0 + N 0kL0, { MN ; M 0N , { M + N ; M 0 + N 0, { M kN ; M 0kN 0, { M + N ; N 0 + M 0, { M kN ; N 0kM 0, { (M + N ) + L ; M 0 + (N 0 + L0) and M 0 + (N 0 + L0) ; (M 0 + N 0) + L0, { (M kN )kL ; M 0k(N 0kL0) and M 0k(N 0kL0) ; (M 0kN 0)kL0. By induction on the de nition of ; it is routine to check that it satis es the diamond property, namely 8M; M1; M2 2 �0+k: M ; M1 & M ; M2 ) 9M3: M1 ; M3 & M2 ; M3; hence it is Church-Rosser. Now it is easy to see that ;� = >� , from which the thesis follows. The relation ./ is weaker than the congruence generated by > but stronger than its re exive, symmetric and transitive closure. For example II ./ I, but (�v:v )(IIkI) 6./ (�v:v )(IkI). Lemma 2.8.
CONCURRENT LAMBDA-CALCULUS
15
(i) If M ./ N then for all L, ML ./ NL and M kL ./ N kL. (ii) If M + N ./ P + Q then one of the following alternatives is true � M ./ P & N ./ Q or � M ./ Q & N ./ P or � 9M0; M1; N0; N1: M ./ M0 + M1 & N ./ N0 + N1 & P ./ M0 + N0 & Q ./ M1 + N 1 . Proof. Part (i) is straightforward by induction on M ./ N . Part (ii) is a consequence of the Church-Rosser property. Indeed if M + N ./ P + Q then there are L and L0 such that M + N >� L, P + Q >� L0 and L and L0 are equal up to commutativity and associativity of + and k. But any sum of the shape M + N can be reduced only to a sum M 0 + N 0 where M >� M 0 and N >� N 0, and similarly for P + Q. The thesis then follows. The next Lemma connects the relation > to the reduction trees of terms and hence to the reduction relation ?!. Notation. From now on we abuse notation writing just > instead of >� (unless otherwise stated).
2 �0+k, then P (i) R(M; 1) = fM1 ; : : :; Mng ) M > ni=1 Mi , P (ii) 8b 2 bar(M ): b = fM1 ; : : :; Mn g ) M > ni=1 Mi . Proof. (i) The proof is by induction on M 2 �0+k . - If M � ��:M 0 2 �0+k (that is FV (M 0 ) � f�g) then M 2 TVal and R(M; 1) = fM g. - If M � PQ then P; Q 2 �0+k. We have some subcases. If P � ��:P 0 and either � � x or both � � v and Q 2 TVal, then R(PQ; 1) = fP 0[Q=�]g and PQ > P 0[Q=�] by ( )0 or by ( v )0. Suppose that R(Q; 1) = fQ1 ; : : :; Qk g. If P � �v:P 0 and Q 2 Val ? TVal then R((�v:P 0)Q; 1) = fP 0[Q=v]k(�v:P 0)Qi j i � kg k X and (�v:P 0)Q > P 0 [Q=v ]k(�v:P 0)Qi i=1 by ( v k)0. Otherwise if Q 62 Val then k X R((�v:P 0)Q; 1) = f(�v:P 0)Qi j i � kg and (�v:P 0)Q > (�v:P 0)Qi i=1 by (�v )0. If P � P0kP1 then R(PQ; 1) = fP0QkP1Qg and PQ > P0QkP1Q by (kapp)0. In all other subcases P 62 Val [ Par. Now let R(P; 1) = fP1; : : :; Ph g; hence P h we have P > i=1 Pi by induction hypothesis and h ! h X X PQ > Pi Q > (PiQ): Lemma 2.9. Let M
i=1
i=1
From this the thesis follows since in these cases R(PQ; 1) = fPi Q j i � hg.
16
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
- If M � P + Q then P; Q 2 �0+k and the case is trivial since R(P + Q; 1) = fP; Qg. - If M � P kQ then P; Q 2 �0+k . Again suppose that R(P; 1) = fP1 ; : : :; Ph g, and R(Q; 1) = fQ1; : : :; Qk g. Then we have
0k 1 h k h ! X X XX P kQ > Pi k @ Qj A > (Pi kQj ) i=1
j =1
i=1 j =1 0 by induction hypothesis and clauses (k+) and (k)0. So we are done since R(PQ; 1) = fPikQj j i � h; j � kg:
(ii) By induction on the height h of the bar b. If h = 0 then the thesis is trivial. Otherwise tree(M ) has the root node labeled by M and tree(M1 ); : : :; tree(Mn ) as its immediate subtrees, where fM1 ; : : :; Mn g = R(M; 1). Because of h 6= 0 we have that the root is not in b (recall that a bar intersects each maximal path of tree(M ) in exactly one node). It follows that for all i � n there exists bi 2 bar(Mi) such that b = b1 [ � � �[ bn. But the height of each bi wrt tree(Mi ) has to be less than h, so that Mi > PfMi0 j Mi0 2 big by induction hypothesis. So the thesis follows by (i) of this lemma. P Part (ii) of Lemma 2.9 implies M > R(M; k) for all k. Moreover it implies that if M ?!� N then either M > N or M > N + L for some L. Observe that the implications in Lemma 2.9 cannot be reversed. This is due to the more permissive clause (k)0 of 2.6. Indeed if e.g. M � (�x:xxx)(�x:xxx) then there exists an in nite reduction M � M0 ?! M1 ?! � � � where each Mi is an application and Mi 6� Mi+1 for all i. Now the unique branch of tree(M0 kM1) is the in nite one: M0 kM1 ?! M1kM2 ?! � � �. But M0kM1 > Mi kMi for all i � 1, while for all b 2 bar(M ), b 6= fMi kMig. Corollary 2.10. If N 2 �0+k and N +, then there exist V1; : : :; Vn 2 Val such that P (i) N > ni=1 Vi; P (ii) 8(�v:M ) 2 �0+k : (�v:M )N > ni=1 (�v:M )Vi. Proof. If N + then there exists a bar of values fV1; : : :; Vng 2 bar(N ) such that each Vi is the rst value that is met starting from the root through a maximal path in tree (N ). I.e., no value occurs in the path from N to Vi . By (ii) of Lemma 2.9 P N > ni=1 Vi. On the other hand f(�v:M )Vi j i � ng 2 bar((�v:M )N ) because of rule (�v ). Then the thesis follows by (ii) of Lemma 2.9.
2 �0+k. P (i) (�v:M )V + & V 2 Val ) 9V1 ; : : :; Vn 2 Val: V > ni=1 Vi & 8i � n: M [Vi=v] +. P (ii) (�v:M )N + ) 9V1 ; : : :; Vn 2 Val: N > ni=1 Vi & 8i � n: M [Vi =v ] +. Proof. (i) If V 2 TVal then R((�v:M )V; 1) = fM [V=v ]g, so that the hypothesis implies that M [V=v ] +. Otherwise V 2 Val ? TVal. By de nition (�v:M )V +k for some k > 0 and we make induction on k. Suppose that R(V; 1) = fV1; : : :; Vng, so that R((�v:M )V; 1) = fM [V=v]k(�v:M )Vi j i � ng: If k = 1 then, since for all i (�v:M )Vi is an application, that is it is not a value, we have M [V=v ] 2 Val, so that M [V=v ] +. If k > 1 and M [V=v ] * (otherwise the Lemma 2.11. Let M; N; V
CONCURRENT LAMBDA-CALCULUS
17
thesis is immediate), then for allPi � n, (�v:M )Vi +k?1 . By induction there are Vi;1; : : :; Vi;n 2 Val suchPthat Vi > nj=1 Vi;j and M [Vi;j =v] + for all i and j . The thesis now follows since V > ni=1 Vi by (i) of Lemma 2.9. (ii) If N * then for all k � 0 there exists N 0 2 R(N; k) s.t. (�v:M )N 02R((�v:M )N; k) and rules ( v ) and ( v k) cannot be applied to (�v:M )N 0. This implies that (�v:M )N *. By hypothesis and by contraposition P we have that N +. ByPCorollary 2.10 there exist values V1; : : :; Vn such that N > ni=1 Vi and (�v:M )N > ni=1 (�v:M )Vi. Moreover, by the proof of the same corollary, f(�v:M )Vi j i � ng 2 bar((�v:M )N ), so that by hypothesis (�v:M )Vi + for all i � n. Now, by part (i) of this lemma, for each i P n there are Vi;1; : : :; Vi;n 2 Val such that Vi > j =1 Vi;j and M [Vi;j =v ] +, and the thesis follows. i
i
i
i
Theorem 2.12. Let M; N 2 �0+k , then
(i) [M > N & N +] ) M +. (ii) M ./ N ) [M + , N +]. Proof. (i) In this proof we must distinguish between > and >� . Clearly, if we can prove the statement for >, the same thesis holds for >� . As a matter of fact we prove, by induction on the de nition of >, the stronger statement
M > N ) 8L~ : [N L~ + ) M L~ +]
from which the thesis follows taking the empty vector. - If M > N thanks to ( )0, ( v )0 , ( v k)0, (�v )0 , (+appP)0 or (kapp)0 (see De nition 2.6), then M is always an application and N � ni=1 Mi where R(M; 1) = fM1; : : :; Mng (where the multiset R(M; 1) is ordered in such a way that it matches the shape of N ). By this fact and rules (� ) and (+) we have that
-
-
-
fMiL~ j 1 � i � ng 2 bar(N L~ ) \ bar(M L~ ): Now N L~ + implies that Mi L~ + for all i (1 � i � n), so that M L~ + follows. Clause (k+)0. Then M � (P + Q)kR and N � P kR + QkR. Now (P kR + QkR)L~ + ) (P L~ + & QL~ +) or RL~ + ) (P L~ + or RL~ +) & (QL~ + or RL~ +) ) ((P + Q)kR)L~ + by rule (� ) and the remark after De nition 2.5. Clause (� )0 . Then M � PQ, N � P 0 Q and P > P 0 . In this case P 0 QL~ + implies PQL~ + immediately by induction, taking the vector QL~ . Clause (+)0. Then M � P + Q, N � P 0 + Q and P > P 0 . Now (P 0 + Q)L~ + ) P 0 L~ + & QL~ + ) P L~ + & QL~ + by induction ) (P + Q)L~ + : Clause (k)0. Similar to the case of clause (+)0 where \or" replaces \&". For clauses (+c )0 , (kc )0, (+ass )0 and (kass )0 the proofs are similar to those of (+)0 and (k)0.
18
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
P
(ii) M converges impliesPthat there are values V1 ; : : :; Vn such that M > ni=1 Vi by n V . By the Church Rosser property of > there is an L 2.10(i). Therefore N ./ i=1 i P P such that N > L and ni=1 Vi > L. But ni=1 Vi > L implies that L is a sum of values and therefore L must converge. We conclude that N converges by (i). Based on the convergence predicate the following de nition adapts to the present setting the notion of contextual theories. This notion stems from [52] and it is widely used e.g. in [15] for the classical theory of solvability and in [6], [19] and [55], where it is shown to be equivalent to applicative bisimulation. The idea is that two terms are operationally equivalent if and only if in all contexts they exhibit the same behavior with respect to some observable properties. Here convergence is the only observable, hence we can put Definition 2.13. Let M; N 2 �+k . Then (i) M vO N , 8C [ ]: C [M ] + ) C [N ] +, where C [M ]; C [N ] 2 �0+k . (ii) 'O = vO \ wO .
3. A Logical Presentation. To obtain a logical presentation of the semantics of the calculus we follow the paradigm of Leibniz which identi es objects with sets of their properties. This received an elegant mathematical treatment thanks to works like [63] and [5] and, especially in the case of type-free calculi, it is naturally formalized in suitable extensions of Curry type assignment system like the intersection type discipline considered in [16]. In the present case we use a more expressive system which allows for disjunctive types. We call them union types since they di�er from coproducts in Church typed �-calculi much in the same way as intersection di�ers from cartesian product. See [14] for a study of this discipline in case of classical �-calculus. 3.1. The set of types and its preorder. The type syntax is as follows � ::= ! j � ! � j � ^ � j � _ � and we call Type the resulting set. In writing types, we assume that ^ and _ take precedence over !. The choice of the preorder on types is crucial, since it will be used in a subtyping rule in subsection 3.2 and it will determine the structure of the set of lters in section 4. Definition 3.1. Let � � � be the smallest preorder over types such that (i) hType; �i is a distributive lattice, in which ^ is the meet, _ is the join and ! is the top; (ii) the arrow satis es (a) � ! ! � ! ! ! ; (b) (� ! �) ^ (� ! � ) � � ! � ^ � ; (c) � � � 0; � � � 0 ) � ! � � � 0 ! � 0 . Following [30] by lattice we mean a poset in which every nite non empty subset has a meet and a join. According to this de nition, there are lattices without bottom (like the present one). We write � = � for \� � � and � � � ". Note that, if � 6= ! then � � ! ! ! .
19
CONCURRENT LAMBDA-CALCULUS
Notation 3.2. Let ! 0 ! ! = !; ! n+1 ! ! = ! ! ! n ! ! .
The types ! n ! ! for suitable n are \better than" all other types, as shown in the following Proposition. Proposition 3.3. For all � , there exists n such that ! n ! ! � � . Proof. By induction on the structure of � . � � !. Trivial. � � �1 ! �2. By induction hypothesis 9n: ! n ! ! � �2 , hence ! n+1 ! ! � �, by De nition 3.1.(ii.c), using �1 � ! . � � �1 ^ �2. By induction hypothesis 9ni : !n ! ! � �i (i = 1; 2). Let n = max(n1; n2). Then ! n ! ! � � , since ! n ! ! � ! n ! ! (i = 1; 2) and �1 ^ �2 is the meet of �1 and �2 . � � �1 _ �2. Recall that �1 ^ �2 � �1 _ �2 , and then proceed as in the previous case. i
i
We need some properties of the � relation, whose proof requires a strati cation of Type. Definition 3.4. (Strati cation of Type) Let us de ne three subsets T0; T1; T2 of Type recursively ! ! ! 2 T0 ; ! 2 T2 ; � 2 T2 ; � 2 T 1 ) � ! � 2 T 0 ; n � 1; �1; : : :; �n 2 T0 ) �1 _ : : : _ �n 2 T1; n � 1; �1; : : :; �n 2 T1 ) �1 ^ : : : ^ �n 2 T2: To rephrase the previous de nition, we consider types in conjunctive normal form, that is conjunctions of disjunctions of arrows, ! being the empty conjunction. Remark 3.5. Notice that the set T2, when restricted to types without _ occurrences, is similar to the set of normal type schemes of [36] and to the set of strict types of [12]. The di�erence is that in those papers types were constructed out of type variables and the type ! ! ! was not allowed. Normal type schemes were introduced in [36] as a technical tool to prove properties analogous to those stated in Lemma 3.9. Instead, strict types have been introduced with a di�erent preorder to obtain a syntax directed type assignment system [12] [13]. Taking n = 1 in the clauses above, one sees that T0 � T1 � T2, and such inclusions are clearly proper. Over each of these sets we introduce a preorder. Definition 3.6. �i � Ti � Ti is the least preorder such that (�0 ) : � �0 � , � � ! ! ! or � � � 0 ! � 00; � � � 0 ! � 00 and � 0 �2 � 0 and � 00 �1 � 00; (�1 ) : �1 _ : : : _ �n �1 �1 _ : : : _ �m , 8i � n 9j � m: �i �0 �j ; (�2 ) : � �2 � , � � ! or � � �1 ^ : : : ^ �n , � � �1 ^ : : : ^ �m and 8j � m 9i � n: �i �1 �j .
20
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
Really, for each type in Type, we can nd an equivalent type in T2 ; therefore we introduce a map which associates to each type its equivalent type in T2. Definition 3.7. Let � : Type ! T2 be de ned by !� = ! 8V � < i2I (� ! �i) if � � � Vi2I �i and � � 6� ! � (� ! � ) = : !!! otherwise 8V V < i2I j2J (�i _ �j ) if �� � Vi2I �i, �� 6� ! and � � � Vj2J �j , � � 6� ! � (� _� ) = : ! otherwise 8 � > � if � � � ! > < (� ^ � )� = > � � if � � � ! > : �� ^ � � otherwise. Proposition 3.8. For all �; � 2 Type (i) � = � �;
(ii) �; � 2 Ti ; � �i � ) � � � for i = 0; 1; 2; (iii) � � � ) � � �2 � � . Proof. (i) is proved by induction on the de nition of the map (�)�. To see (ii), use an induction on the de nition of �i . Finally to prove (iii) it su�ces (by (i)) to show that � � � � � implies � � �2 � � , which can be proved by induction on any standard axiomatic presentation of �. Lemma 3.9.
(i) � ^ � � � ! � & � 6= ! & � 6= ! ) 9�1 ; �2: � = �1 ^ �2 & � � � ! �1 & � � � V! �2 ; V V (ii) i2I (�i ! �i ) � � ! � & � 6= ! ) 9J � I: � � j 2J �j & j 2J �j � � . Proof. (i): let ^ ^ ^ (� ^ � )� = �i ^ �j and (� ! � )� = (� � ! �k ); i2I
j 2J
k2K
V V V assuming �� = i2I �i ; � � = j 2J �j and � � = k2K �k . Using 3.8(i), (ii), (iii) and the de nition of �2 , we have that 8k: (9i: �i �1 �� ! �k ) or (9j: �j �1 �� ! �k ):
Therefore we can choose �1 as the intersection of the �k which satisfy the rst inequality and �2 as the intersection of the remaining �k . If one of these intersections is empty, we choose ! for V the corresponding �i (i = 1; 2). V (ii): let �i� = l2L �i;l (where L depends on i) and � � = k2K �k . Then ^ ^ ^^ � (�i ! �i ) � � ! � ) (�i ! �i;l ) �2 (� � ! �k ): i2I
It follows that
i2I l2L
8k 9i; l: ��i ! �i;l �1 �� ! �k ;
which in this case is equivalent to
8k 9i; l: ��i ! �i;l �0 �� ! �k ;
k2K
CONCURRENT LAMBDA-CALCULUS
and hence So we can conclude
21
8k 9i; l: �� �2 ��i & �i;l �1 �k : 8k 9i: � � �i &
^ l2L
�i;l � �k :
Taking J as the set of all i which satisfy these inequalities for some k 2 K , we are done. Remark 3.10. Notice that Lemma 3.9 cannot be trivially satis ed by choosing
�1 = �2 = � . In fact in general � ^ � � � ! � does not imply � � � ! � . For a counter-example take � = � = � = ! ! ! and � = � ! � . A type � is join irreducible or coprime if and only if � � � _ � ) � � � or � � � for any �; �. Let CType be the set of coprime types di�erent from ! . Observe that, because of distributivity, coprime types are closed under ^. Being hType; �i the
free distributive lattice satisfying the arrow axioms, each type is the join of a nite number of coprime types. To see this, it su�ces to de ne the following mapping � : Type ! P (CType)
�(! ) = f! g �(� ! � ) = f� ! � g �(� ^ � ) = f� 0 ^ � 0 j � 0 2 �(� ) & � 0 2 �(� )g �(� _ � ) = �(� ) [ �(� ): If �(� ) = f�1; : : :; �n g, it is easy to verify that �i is join irreducible for each i and � = �1 _ � � � _ � n . 3.2. The type assignment system. In this subsection we introduce our type assignment system L. We start with the notion of basis. We state that only coprime types di�erent from ! can be assumed for call-by-value variables. This restriction is justi ed by the correspondence between total values and coprime types (see Theorem 3.15(ii)). Definition 3.11. A basis ? : (Vn ! Type) \ (Vv ! CType) is a mapping such that ?(x) = ! for all x but a nite subset of Vn and ?(v ) = ! ! ! for all v but a nite subset of Vv. To each basis ? we associate the nite set Dom(?) = fx 2 Vn j ?(x) 6= !g [ fv 2 Vv j ?(v) 6= ! ! !g: The notation ?; � : � is a shorthand for the function ?0 (�0 ) = � if �0 � �, ?(�0 ) otherwise. To meet a common practice we shall sometime identify ? with the ( nite) set of judgments f�:� j � 2 Dom(?) & ?(�) = � g and write �:� 2 ?. Definition 3.12. The axioms and rules of the assignment system L are the following
22
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
(Ax) ? ` � : ?(�) (! ) ? ` M : ! :�`M :� ?; v : � 0 ` M : � 8� 0 2 �(� ) (! In ) ??`; x�x:M ( ! I ) v :�!� ? ` �v:M : � ! � � ?`N :� (! E) ? ` M :?�`!MN :� :� ��� (�) ? ` M (^ I) ? ` M? :`�M : �?^`�M : � ?`M :� :� ?`N :� ?`M :� ?`N :�. (+ I) ? `?M` M ( k I) +N : �_� ? ` M kN : � ^ � ? `L M : � abbreviates \ ? ` M : � is derivable in L". To help the understanding of rule (! Iv ), we consider the following example. Let W1 ; W2 be total values such that `L Wi:�i (i = 1; 2) for some coprime types �1; �2. Clearly this implies `L W1 + W2 :�1 _ �2 by rule (+ I). Consider (�v:M )(W1 + W2 ): it reduces to M [W1 =v ] and M [W2=v ]. Therefore v :�i `L M :� for i = 1; 2 su�ces to assure that (�v:M ) has type �1 _ �2 ! � . The real justi cation of this rule is that it implies the completeness of the type assignment (Theorem 4.11) and the full abstraction of the lter model (Theorem 5.11). We shall write ? � ?0 if 8�: ?(�) � ?0 (�): in this case it is easy to verify that, if 0 ? `L M : � , then ? `L M : � for any M and � . The system L enjoys structural properties which can be shown by simple inductions on derivations.
Theorem 3.13 (Derivability properties of system L). (i) ? `L � : � , ?(�) � � ; (ii) ? `L ��:M : � , 9n; �1; : : :; �n; �1; : : :�n :(8i � n: ? `L ��:M : �i ! �i) & Vni=1(�i ! �i) � �; (iii) ? `L �x:M : � ! � , ?; x : � `L M : � ; (iv) ? `L �v:M : � ! � & � 6= ! , 8� 0 2 �(� ): ?; v : � 0 `L M : � ; (v) ? `L �v:M : � ! � & � = ! ) � = ! ; (vi) ? `L MN : � & � 6= ! , 9�: ? `L M : � ! � & ? `L N : � ; (vii) ? `L M + N : � , ? `L M : � & ? `L N : � ; (viii) ? `L M kN : � , 9�; � 0: ? `L M : � & ? `L N : � 0 & � ^ � 0 � � .
Proof. We consider only the interesting cases. (ii) Given a derivation of ? ` ��:M : �, let ? ` ��:M : �1 ! �1; : : :; ? ` ��:M : �n ! �n be all the statements in this deduction on which ? ` ��:M : � depends and which are conclusions of rule (! In ) or of rule (! Iv ). Then (�1 ! �1 ) ^ � � � ^ (�n ! �n ) � �: (iii) If � = ! it is trivial. Otherwise let �1; : : :; �n ; �1; : : :; �n be as in the proof of (ii) where � has been replaced by � ! � . Then (�1 ! �1 ) ^ � � � ^ (�n ! �n ) � � ! �
CONCURRENT LAMBDA-CALCULUS
23
which implies, by Lemma 3.9(ii), ^ ^ 9J � f1; � � � ; ng: � � �j & �j � �: j 2J
j 2J
j 2J
j 2J
Moreover ?; x: �i `L M : �i for 1 � i � n, so that one can conclude ?; x: � `L M: �. (iv) Let �1 ; : : :; �n; �1; : : :; �n be as in the proof of (ii) where � has been replaced by � ! � . Similarly to case (iii) we have ^ ^ 9J � f1; � � � ; ng: � � �j & �j � �: Moreover ?; v : �i0 `L M : �i for all �i0 2 �(�i ) and for 1 � i � n. � � �j implies 8�0 2 �(�) 9�j0 2 �(�j ) such that �0 � �j0 by de nition of coprimality. So we can conclude 8� 0 2 �(� ): ?; x: � 0 `L M : � . (v) We assume ad absurdum that � 6= ! . Then, if �1 ; : : :; �n; �1; : : :; �n and J are as in (iv), we would have �j = ! for all j 2 J , and this is impossible according to our de nition of basis. (vii) Again, given a deduction of ? ` M + N : � , let ? ` M + N : �1 ; : : :; ? ` M + N : �n be all the statements in this deduction on which ? ` M + N : � depends and which are conclusions of rule (+I). Then �1 ^� � �^ �n � � and there are �i ; �i such that �i = �i _ �i ; ? `L M : �i ; ? `L N : �i ; for 1 � i � n. So we can deduce ? ` M : � and ? ` N : � using (^ I) and (�). (viii) Finally, given a deduction of ? ` M kN : � , let ? ` M kN : �1 ; : : :; ? ` M kN : �n be all the statements in this deduction on which ? ` M kN : � depends and which are conclusions of rule (kI). Then �1 ^ � � �^ �n � � and there are �i ; �i such that �iV= �i ^ �i ; ? `L MV: �i ; ? `L N : �i ; for 1 � i � n. Then we can choose � = i�n �i , and � 0 = i�n �i . In fact � ^ � 0 � � and we can derive ? `L M : � and ? ` N : � 0 using (^ I). As immediate consequence of 3.13(iv) we have the co-additivity of call-by-value abstraction (i.e. nite meets are preserved). Corollary 3.14. ? `L �v:M : (� ! �) ^ (� ! �) ) ? `L �v:M : � _ � ! �. We show how types characterize partial values and total values. Theorem 3.15 (Characterization of values). (i) V 2 Val ) `L V : ! ! ! ; (ii) W 2 TVal & ? `L W : � ) 9� 0 2 �(� ): ? `L W : � 0 .
Proof. (i) By induction on the de nition of values. If V � v 2 Vv then ?(v ) = ! ! !, since Dom(?) = ;, and the thesis follows by (Ax). If V � �x:M then ?; x : ! ` M : ! is derivable, by rule (! ); hence the thesis using (! In ). If V � �v:M we do the same as before but assuming v : ! ! ! . The thesis follows using (! Iv ) and (�). Finally if V � V 0 kM or M kV 0 the thesis follows by induction using (k) and
24
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
(�). (ii) By induction on the de nition of total values. If W � v then the thesis follows by 3.13(i) and the de nition of basis. If W � ��:M then, noting that each arrow type is coprime, the thesis follows from 3.13(ii) and the closure of coprime types under ^. Finally if W � W 0 kW 00, by 3.13(viii) there exist � and � such that ? `L W 0 : �, ? `L W 00 : � and � ^ � � � ; now by induction there are �0 2 �(�); � 0 2 �(� ) such that ? `L W 0 : �0 and ? `L W 00 : � 0 . Since coprime types are closed under ^, �0 ^ � 0 � � implies that there is � 0 2 �(� ) such that �0 ^ � 0 � � 0. The following Lemma states the substitution properties of terms. Lemma 3.16. (i) ? `L M [N=x] : � , 9�: ?; x : � `L M : � & ? `L N : � ; (ii) ? `L M [V=v ] : � & V 2 Val ) 9� 8� 0 2 �(� ): ?; v : � 0 `L M : � & ? `L V :
�;
(iii) ? `L M [W=�] : � & W 2 TVal , 9� 2 CType: ?; � : � `L M : � & ? `L W : �. Proof. (i) ()). If x does not occur in M we can choose � � ! . Otherwise let � be the intersection of all predicates of statements with subject N which occur in a given deduction of ? `L M [N=x] : � . The proof of ( is standard. (ii). If v does not occur in M we can choose � � ! ! ! . Otherwise let � be the intersection of all predicates of statements with subject V which occur in a given deduction of ? `L M [V=v ] : � . If � 6= ! we can choose � � �, otherwise � � ! ! ! . (iii)()). If � does not occur in M we can choose � � ! ! ! . Otherwise let � be the intersection of all predicates of statements with subject W which occur in a given deduction of ? `L M [W=�] : � . By 3.15(ii) there is �0 2 �(�) such that ? `L W : �0. If �0 6= ! we can choose � � �0, otherwise � � ! ! ! . The proof of ( is standard. Notice that in 3.16(ii) the \)" cannot be replaced by \,". An easy proof of this uses the characterization of divergent terms by types which will be given in 5.6(ii). So we will prove it in Corollary 5.7(i). As an immediate consequence of 3.15(ii) and 3.16(iii) the following rule (_ E) is admissible 0 0 W 2 TVal . (_ E) 8� 2 �(� ) ?; � : � `?M` :M� [W=�] ?: �` W : �
Therefore, the restriction over the basis can be relaxed, allowing ?(v ) to be any type di�erent from ! . This would have the advantage of having a unique rule for abstraction, i.e. the standard one, avoiding (! Iv ) which is a rule schema. Of course rule (_ E) should be added in this case. The reason why we choose the present less elegant version is that it greatly simpli es proofs. 3.3. The logic congruence relation. We introduce now the logical equivalence 'L ; thereafter we shall use the properties stated in Theorem 3.13 to establish the basic (in)-equalities holding under this notion of equivalence. The invariance of types with respect to ./ and to the reduction relation studied in section 2 will follow. Definition 3.17. Let M; N 2 �+k , then (i) M vL N , 8?; �: ? `L M : � ) ? `L N : � ;
CONCURRENT LAMBDA-CALCULUS
25
(ii) 'L = vL \ wL . As a rst step in the study of the relation 'L we x some basic properties of it with respect to the various kinds of -contraction present in our calculus. These can be easily proved using 3.16. Lemma 3.18.
(i) (�x:M )N 'L M [N=x]; (ii) M [V=v ] vL (�v:M )V if V 2 Val; (iii) (�v:M )W 'L M [W=v ] if W 2 TVal. Proof. The most interesting case is the inclusion from left to right of (iii) when � 6= !. ? `L (�v:M )W : � ) 9�: ? `L �v:M : � ! � & ? `L W : � by 3.13(vi) ) 9�: 8�0 2 �(�): ?; v : �0 `L M : � & ? `L W : � by 3.13(iv) ) 9�0 2 CType: ?; v : �0 `L M : � & ? `L W : �0 by 3.15(ii) since W 2 TVal ) ? `L M [W=v] : � by 3.16(iii)(():
Notice that the opposite of Lemma 3.18(ii) does not hold. This will be proved in Corollary 5.7(ii), since it follows immediately from point (i) of the same Corollary. The following three lemmas are easy consequences of 3.13. The second and third lemmas state that non-deterministic choice and parallel composition are the meet and the join respectively. Moreover they illustrate the behaviors of these operators with respect to application and abstraction. Lemma 3.19. The relation 'L is a congruence over �+k . Lemma 3.20.
(i) M + N vL M; N ; (ii) L vL M; N ) L vL M + N ; (iii) (M + N )L 'L ML + NL; (iv) L(M + N ) vL LM + LN ; (v) (�v:M )(N + L) 'L (�v:M )N + (�v:M )L; (vi) ��:(M + N ) vL ��:M + ��:N . Proof. All inclusions are immediate. The converse of (vi) does not hold. Indeed, let � � (� ! �) _ (� ! ! 2 ! ! ) where � � ! 3 ! ! and � � (! ! ! ) ! ! 2 ! ! . Then we have `L I : � ! � and `L � : � ! ! 2 ! ! , which imply `L I + � : � , but 6`L �x:(x + xx) : � . In fact, by Theorem 3.13(iii) and (vii), if we could derive �x:(x + xx) : �, then we would also have x : � `L x : � and x : � `L xx : � for some �; � such that � ! � � � . This implies either � ! � � � ! � or � ! � � � ! ! 2 ! ! by De nition 3.6 and Proposition 3.8. But it is easy to verify, using Theorem 3.13(i) and (vi), that x : � 6`L xx : � and x : � 6`L x : ! 2 ! ! . Lemma 3.21. (i) M; N vL M kN ; (ii) M; N vL L ) M kN vL L;
26
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
(iii) (M kN )L 'L MLkNL; (iv) LM kLN vL L(M kN ); (v) ��:(M kN ) 'L ��:M k��:N ; (vi) (M + N )kL 'L M kL + N kL. The inequalities 3.20(iv) and 3.21(iv) are proper, and this can be proved using the structural properties of deductions (Theorem 3.13). But an easier proof will be done in Corollary 5.7(iii) and (iv) using 5.6(ii). The following Theorem provides a rst evidence of the matching between operational and logic semantics. Theorem 3.22 (Type invariance). (i) ? `L M : � & M ./ N ) ? `L N : � ; (ii) ? `L M : � & M ?!� N ) ? `L N : � .
Proof. (i) is an easy consequence of Lemmas 3.18, 3.19, 3.20 and 3.21. (ii) IfPM ?!� N then for some b 2 bar(M ) it is the case that N 2 b. By 2.9 (ii) M > fM 0 j M 0 2 bg. Being > �./, by part (i) of the present theorem and 3.13(vii) we have ? `L M 0 : � for all M 0 2 b, from which the thesis follows. � . For example ` I : ! ! ! but, as The subject expansion property fails for ?! L we shall be able to derive from Corollary 5.6(ii), 6`L I + : ! ! ! . The main result of the present section is that convergence implies typability by ! ! !. We will see in section 5 that also the converse is true. Therefore this type will completely characterize terms whose meaning is to be eventually a function, even if not a unique one. Theorem 3.23. Let M be a closed term. M+ ) `L M : ! ! !: Proof. M+ ) 9V1; : : :; Vn 2 Val: M > Pni=1 Vi by 2.10(i) ) `L Pni=1 Vi : ! ! ! by 3.15(i) and rule (+ I) ) `L M : ! ! ! by 3.22(i):
4. Models and Completeness. If we want to devise a domain equation for our concurrent �-calculus, it is natural to start from the equations in the literature for similar languages. Abramsky in [4] interprets the lazy �-calculus by means of a Scott domain D solving the equation D = [D ! D]? where [D ! D] is the space of continuous functions and (�)? is the lifting operator. Boudol in [19] gives the semantics of the lazy, call-by-name and call-by-value �calculus enriched with a parallel operator using the same equation, but in a di�erent category. It is easy to see from the asynchronous reduction rules of Boudol's parallel operator (shown at page 4) that in a \may" perspective k can be interpreted using the lower powerdomain. Boudol recalls that each prime algebraic lattice D is isomorphic to
CONCURRENT LAMBDA-CALCULUS
27
the lower powerdomain of the posets of the compact coprime elements of D. Therefore it su�ces to nd a solution of Abramsky's equation in this category to have a domain suitable for Boudol's language. Notice that Boudol interprets M kN as the join of the interpretations of M and N . The reduction rules of the present parallel operator di�er from those given in [19]. Really, our k is synchronous. But we are in a di�erent perspective: we consider \must" convergence instead of \may" convergence. Therefore our parallel operator behaves exactly like Boudol's one from the viewpoint of convergence. In fact both operators converge whenever one of the two arguments does. This is clear when we think to the correspondence between asynchronicity in a \may" perspective and synchronicity in a \must" perspective. So we could have used Abramsky's domain equation again, if we would not have to interpret also the non-deterministic choice. The reduction rules of + in a \must" perspective clearly suggests the upper powerdomain for its interpretation. The whole discussion leads to the following domain equation D = P ]([D ! D]?); where P ] is the upper powerdomain functor, in the category of prime algebraic lattices. It is well known that each prime algebraic lattice can be described by an information system ([42]) and also by means of intersection types ([22]). Really we have developed in previous sections a system of intersection and union types; we will use this system now to build a model, which actually is the initial solution of our domain equation. Because of rules (! ); (�) and (^ I), the set of types assigned in L to any term is a lter over Type: let F be the set of all lters. F is a distributive lattice under subset ordering (distributivity comes as a consequence of the distributivity of Type itself), with intersection as meet and F [� F 0 = "f� ^ � j � 2 F; � 2 F 0 g as join (" stands as usual for upper closure). The bottom and the top of this lattice are respectively " ! and Type, where in general " � is the principal lter generated by �. The compact elements are the principal lters. Moreover this lattice is prime algebraic, since each lter is the join of the compact coprime lters it dominates. Notice that a lter F 2 F is compact coprime if and only if it is a principal lter generated by a meet irreducible type 2 . We refer to [7] for the whole proof that F is the initial solution of our domain equation. Among lters assigned as meanings of terms, Theorem 3.15(ii) indicates that prime lters are the interpretations of terms that are total values. We recall that a lter F 2 F is prime if and only if for all � and � � _ � 2 F ) � 2 F or � 2 F: 2
A type � is meet irreducible or prime if and only if � ^�� � ) �
for any �; �.
� � or � � �
28
M.DEZANI-CIANCAGLINI, U.DE'LIGUORO, A.PIPERNO
We write FP to denote the set of prime lters. In any distributive lattice D the set Pr(D) of prime elements is de ned as follows d 2 Pr(D) , 8x; y 2 D: x u y v d ) x v d or y v d: We write Pr(x) =" x \ Pr(D) for x 2 D. Let us de ne, for any lter F the set Pr(F ) = fP 2 FP j F � P g which is called the prime decomposition of F . It is straightforward to see that Pr(F ) = FP and consequently that the previous de nition of Pr(F ) is consistent with the notation Pr(x). From Priestley's Theorem we know that the structure of a distributive lattice is recoverable from its prime lters (or dually from its prime ideals). The following fact is at the basis of this result (see e.g. [23] Theorem 10.3) (DPI) Let D be a distributive lattice, F a lter and I an ideal in D, such that F \ I = ;. Then there exists a prime lter P and a prime ideal J (actually J is the complement of P in D) such that F � P , I � J and P \ J = ;. The principle (DPI) implies that each lter is completely determined by its prime decomposition. T Lemma 4.1. 8F 2 F : F = P 2Pr(F ) P: Proof. The left to right inclusion is immediate. ToTsee the inverse inclusion let us suppose to a contradiction that there exists some � 2 P 2Pr(F ) P such that � 62 F . This implies that # � \ F = ;, where # � is the principal ideal generated by � ; it follows by (DPI) that for some P 2 FP we have F � P and # � \ P = ;. The last Lemma is an instance of a more general fact: let D be a lattice, then X � D is order generating if and only if for all x 2 D, x = u(" x \ X ) (see [30], Ch.1, De nition 3.8). If D is continuous (i.e. complete and each element is the sup of its way below elements) then it is distributive if and only if Pr(D) is order generating (see [30], Ch.1, Theorem 3.14). But F is a distributive lattice which is prime algebraic, so it is a fortiori continuous. Therefore FP is order generating. To interprete functional application we turn F into an applicative structure as follows F � F 0 = f� j 9� 2 F 0 : � ! � 2 F g [ f" !g: Observe that the de nition of application is slightly di�erent from that one given in [16]. Indeed we have to add explicitly the principal lter of ! since in our setting ! 6= ! ! !; otherwise " ! � " ! would be the empty set. Lemma 4.2. The operation of application over F is monotonic in both its arguments; moreover (F \ F 0 ) � G � (F � G) \ (F 0 � G) and (F [� F 0 ) � G � (F � G)[� (F 0 � G) for all F; F 0 ; G 2 F . The proof is straightforward. Just note that these inclusions are actually equalities, since the opposite inclusions follow from the monotonicity of the application. The properties of F which have been seen so far suggest the following de nition
CONCURRENT LAMBDA-CALCULUS
29
Definition 4.3. A pre-model of �+k is a structure D = hD; v; �; u; ti where hD; vi is a distributive continuous lattice and � is a monotonic binary operation on D such that, for all d; d0; e 2 D (a) (d u d0 ) � e w (d � e) u (d0 � e); (b) (d t d0 ) � e v (d � e) t (d0 � e). Total values are associated by system L to prime lters di�erent from " ! . A call-by-value variable is a total value, hence a correct notion of environment for F is a mapping � : Vn [ Vv ! F such that � (Vv) � FP ?f" ! g. In general, given a pre-model D, if P = Pr(D) ? f?g, we de ne EnvD as the set of mappings � : Vn [ Vv ! D such that � (Vv) � P . Now, for any environment � 2 EnvF and for any basis ?, we de ne ? j= � , 8� 2 Vn [ Vv: ?(�) 2 � (�): We are now in place of de ning the map [ �] F : �+k ! EnvF ! F as follows [ M ] F� = f� j 9?: ? j= � & ? `L M : � g:
This de nition is consistent with the logical inclusion, which is equivalent to subset inclusion of interpretations. Proposition 4.4. For all M; N 2 �+k
M vL N , 8�: [ M ] F� � [ N ] F� : Proof. ()) Immediate. (() Let us de ne, for any basis ?, �?(�) = " ?(�) for all variable �; then �? 2 EnvF since ?(v ) is coprime for all call-by-value variable v , hence " ?(v ) is a prime lter. Now ? j= �? so that ? `L M : � implies � 2 [ M ] F�? . By hypothesis � 2 [ N ] F�? , hence ?0 `L N : � for some ?0 such that ?0 j= �? . We conclude that ? `L N : � since ?0 j= �? implies ? � ?0 . Corollary 4.5. For all M; N 2 �+k and � 2 EnvF [ M + N ] F� = [ M ] F� \ [ N ] F� and [ M kN ] F� = [ M ] F� [� [ N ] F� :
Proof. Immediate from 4.4 and from Lemmas 3.20(i), (ii) and 3.21(i), (ii). Elaborating on the de nition of �-model, and also on the notion of �-lattice proposed in [25], we x the following. Definition 4.6. The structure hD; [ �] D i is a model if D = hD; v; �; u; ti is a pre-model and [ �] D : �+k ! EnvD ! D satis es the following conditions (i) [ �] D� = � (�); (ii) [ MN ] D� = [ M ] D� � [ N ] D� ; (iii) [ �x:M ] D� � d = [ M ] D�[x7!d] ;
8
