A Hybrid Linear Logic for Constrained Transition Systems

A Hybrid Linear Logic for Constrained Transition Systems

Kaustuv Chaudhuri, Joëlle Despeyroux

INRIA, France

Abstract

Linear implication can represent state transitions, but real transition systems operateunder temporal, stochastic or probabilistic constraints that are not directly representablein ordinary linear logic. We propose a general modal extension of intuitionistic linearlogic where logical truth is indexed by constraints and hybrid connectives combineconstraint reasoning with logical reasoning. The logic hasa focused cut-free sequentcalculus that can be used to internalize the rules of particular constrained transitionsystems; we illustrate this with an adequate encoding of thesynchronous stochasticpi-calculus.

1. Introduction

To reason about state transition systems, we need a logic of state. Linear logic [20]is such a logic and has been successfully used to model such diverse systems as: plan-ning [39], Petri nets, CCS, theπ-calculus [8, 27], concurrent ML [8], security proto-cols [5], multi-set rewriting, graph traversal algorithms[40], and games. Linear logicachieves this versatility by representing propositions asresourcesthat are composedinto elements of state using⊗, which can then be transformed using the linear im-plication (⊸). However, linear implication is timeless: there is no way to correlatetwo concurrent transitions. If resources have lifetimes and state changes have tem-poral, probabilistic or stochasticconstraints, then the logic will allow inferences thatmay not be realizable in the system being modelized. The needfor formal reasoningin constrained systems has led to the creation of specialized logistic systems such asContinuous Stochastic Logic (CSL) [2] or Probabilistic CTL[21], that pay a consid-erable encoding overhead for the states and transitions in exchange for the constraintreasoning not provided by linear logic.

A prominent alternative to the logical approach is to use a suitably enriched pro-cess algebra; a short list of examples includes reversible CCS [13], bioambients [36],brane calculi [7], stochastic and probabilisticπ-calculi, the PEPA algebra [22], andthe κ-calculus [14]. Each process algebra comes equipped with anunderlying alge-braic semantics which is used to justify mechanistic abstractions of observed reality as

Email addresses:kaustuv. haudhuriinria.fr (Kaustuv Chaudhuri),joelle.despeyrouxinria.fr (Joëlle Despeyroux)

Preprint submitted to Elsevier July 16, 2010

processes. These abstractions are then animated by means ofsimulation and then com-pared with the observations. Process calculi do not howevercompletely fill the needfor formal logical reasoning for constrained transition systems. For example, there isno uniform process calculus to encode different stochastic process algebras1.

Note that logics like CSL or CTL are not such uniform languages either. Theseformalisms are notlogical frameworks2: Encoding the stochasticπ calculus in CSL,for example, would be inordinately complex because CSL doesnot provide any directmeans of encodingπ-calculus dynamics such as the linear production and consump-tion of messages in a synchronous interaction. Actually CSLand CTL mainly aim atspecifying properties of behaviors of constrained transition systems, not the systemsthemselves.

Fortunately, there is a simple yet general method to add constraint reasoning tolinear logic that reunites linguistic need (a uniform language/ a logical framework)with ability (constraint reasoning). It is an old idea—labelled deduction[41] withhybridconnectives [6]—applied to a new domain. Precisely, we parameterize ordinarylogical truth on aconstraint domain: A@w stands for the truth ofA under constraintw.We then use the hybrid connectives ofsatisfactionandlocalisationto perform genericsymbolic reasoning on the constraints at the propositionallevel. We call the resulthybrid linear logic (HyLL). No properties—except a basic monoidal structure—areassumed about the constraints from a proof-theoretic standpoint. Indeed, HyLL hasa generic cut-free (but cut admitting) sequent calculus that can be strengthened witha focusing restriction [1] to obtain a normal form for proofs. Any instance of HyLLthat gives a semantic interpretation to the constraints continues to enjoy these proof-theoretic properties.

Focusing allows us to treat HyLL as alogical framework[? ] for constrainedtransition systems - the main motivation for the present work. Logical frameworkswith hybrid connectives have been considered before; hybrid LF (HLF), for example,is a generic mechanism to add many different kinds of resource-awareness, includinglinearity, to ordinary LF [35]. However, HLF follows the usual LF methodology bykeeping the logic of the framework minimal. Its proof objects are canonical (β-normalη-long) natural deduction terms, where canonicity is known to be brittle because ofpermutative equivalences [42]. With focusing we have more direct access to canonicalproofs in the sequent calculus, so we can enrich the framework with any connectivesthat obey the focusing discipline [11]. This reduces the overhead of encodings; indeed,representational adequacy3 of an encoding in terms of (partial) focused derivations isroutine. We illustrate this style of obtaining adequate encodings by encoding of thesynchronous stochasticπ-calculus (Sπ) in HyLL with the constraint domain of rates.

In addition to the novel stochastic component, our encodingof Sπ is a conceptualimprovement over other encodings ofπ calculi in linear logic [8, 27]: Our encoding

1Stochastic process algebras are typical examples of the constrained transition systems we aim at formal-izing.

2Logical frameworks are uniform languages that allow to formally not only specify and analyse, but alsocompare, or translate from one to the other, different systems, through their (adequate) encodings.

3Encodings -of a system or of a property of a system- in a logical framework are always required to beadequatein a strong sense sometimes calledrepresentational adequacyand illustrated here in sec. 4.1.

2

performs a full propositional reflection of processes as in [27], but is first-order andadequate as in [8]. Being a logical framework, HyLL does not itself prescribe an op-erational semantics for the encoding of processes; thus, bisimilarity in continuous timeMarkov chains (CTMCs) is not the same as logical equivalencein stochastic HyLL,unlike in CSL [15]. This is not a deficiency; thecombinationof focused HyLL proofsand a proof search strategy tailored to a particular encoding is necessary to producefaithful symbolic executions. This is exactly analogous toSπwhere it is the simulationrather than the transitions in the process calculus that is shown to be faithful to theCTMC semantics [31].

The contribution of the present work are threefold. First, we propose a new logicalframework (HyLL) to represent constrained transition systems. In those systems, con-straints, typically probabilities, do not have a logical content per se, but are elementsthat are interpreted in some extra-logical context. In our proposal those constraints areencoded in the worlds of a modal (hybrid) linear logic that wepresent in the Martin-Löf’s style. The core logic is defined independently of the domain of constraints, whichis defined algebraically as a minimal (monoid) structure. Each particular definition ofa domain of constraints (time or probabilities, for example) gives rise to a particularinstance of the logic; Providing a modular approach that canpotentially be applied toother domains that those we tryed so far. Second, advocatingthe fact that focusing isthe right, modern, way to define adequate encodings of systems in a logic (enabling,in particular, flexibility and short proofs of adequacy), wegive a system of focusedrules for HyLL. Finally, we demonstrate the usefulness of HyLL by giving an originaladequate encoding of theSπ-calculus in it. Our encoding appears to improve on pre-vious related proposals (given for various simplerπ-calculi), thanks to focusing. Ourencoding is also “fully adequate” (i.e. partial proofs are in bijection with partial traces).

The sections of this paper are organized as follows: in sec. 2, we present the in-ference system for HyLL as a sequent calculus, and describe the two main semanticinstances: temporal and stochastic constraints. In sec. 3 we sketch the general focusingrestriction on HyLL sequent proofs. In sec. 4 we give the encoding ofSπ in stochasticHyLL, and show that the encoding is representationally adequate for focused proofs(theorems 16 and 18). We end with an overview of related (sec.5) and future work(sec. 6).

2. Hybrid linear logic

In this section we define HyLL, a conservative extension of intuitionistic first-orderlinear logic (ILL) [20] where the truth judgements are labelled by worlds represent-ing constraints. Like in ILL, propositions are interpretedasresourceswhich may becomposed into astateusing the usual linear connectives, and the linear implication(⊸) denotes a transition between states. The world label of a judgement representsa constraint on states and state transitions; particular choices for the worlds produceparticular instances of HyLL. The common component in all the instances of HyLLis the proof theory, which we fix once and for all. We impose thefollowing minimalrequirement on the kinds of constraints that HyLL can deal with.

3

Definition 1. A constraint domainW is a monoid structure〈W, ·, ι〉. The elements ofW are calledworlds, and the partial order : W×W—defined as u w if there existsv ∈W such that u· v = w—is thereachability relationinW.

The identity worldι is-initial and is intended to represent the lack of any constraints.Thus, the ordinary ILL is embeddable into any instance of HyLL by setting all worldlabels to the identity. When needed to disambiguate, the instance of HyLL for theconstraint domainW will be written HyLL(W).

The reader may wonder why we require worlds to be monoids, instead of lattices,for example. The answer is to give a more general definition, suitable for rates con-straints. One may then ask why we don’t ask the worlds to be commutative. Theanswer is to allow lattices.

Atomic propositions are written using minuscule letters (a, b, . . .) applied to a se-quence ofterms(s, t, . . .), which are drawn from an untyped term language containingterm variables (x, y, . . .) and function symbols (f , g, . . .) applied to a list of terms.. Non-atomic propositions are constructed from the connectives of first-order intuitionisticlinear logic and the two hybrid connectivessatisfaction(at), which states that a propo-sition is true at a given world (w, u, v, . . .), andlocalization(↓), which binds a name forthe (current) world the proposition is true at. The following grammar summarizes thesyntax of HyLL propositions.

A, B, . . .F a~t∣

∣

∣ A⊗ B∣

∣

∣ 1∣

∣

∣ A ⊸ B∣

∣

∣ A & B∣

∣

∣ ⊤∣

∣

∣ A⊕ B∣

∣

∣ 0∣

∣

∣ ! A∣

∣

∣ ∀x.A∣

∣

∣ ∃x.A| (Aat w)

∣

∣

∣ ↓u.A∣

∣

∣ ∀u.A∣

∣

∣ ∃u.A

Note that in the propositions↓u.A, ∀u.A and∃u.A, the scope of the world variableuis all the worlds occurring inA. World variables cannot be used in terms, and neithercan term variables occur in worlds; this restriction is important for the modular designof HyLL because it keeps purely logical truth separate from constraint truth. We letαrange over variables of either kind.

The unrestricted connectives∧, ∨, ⊃, etc. of intuitionistic (non-linear) logic canalso be defined in terms of the linear connectives and the exponential ! using any of theavailable embeddings of intuitionistic logic into linear logic, such as Girard’s embed-ding [20].

2.1. Sequent calculus for HyLL

In this section, we give a sequent calculus presentation of HyLL and prove a cut-admissibility theorem. The sequent formulation in turn will lead to an analysis of thepolarities of the connectives in order to get a focused sequent calculus that can be usedto compile a logical theory into a system of derived inference rules with nice properties(sec. 3). For instance, if a given theory defines a transitionsystem, then the derivedrules of the focused calculus will exactly exhibit the same transitions. This is key toobtain the necessary representational adequacy theorems,as we shall see for theSπ-calculus example chosen in this paper (sec. 4.1).

We start with the judgements from linear logic and enrich them with a modal sit-uated truth. We present the syntax of hybrid linear logic in asequent style, usingMartin-Löf’s principle of separating judgements and logical connectives. Instead ofthe ordinary mathematical judgement “A is true”, for a propositionA, judgements of

4

HyLL are of the form “A is true at worldw”, abbreviated asA@w. We use dyadicderivations of the formΓ ; ∆ =⇒ C@w whereΓ and∆ are sets of judgements of theform A@w, with ∆ being moreover amultiset, i.e., weakening and contraction are dis-allowed for∆. Γ is called theunrestricted contextand∆ the linear context.

The full collection of rules of the HyLL sequent calculus is in fig. 1. There areonly two structural rules: the init rule infers an atomic initial sequent, and the copyrule introduces a contracted copy of an unrestricted assumption into the linear context(reading from conclusion to premise). Weakening and contraction are admissible rules:

Theorem 2(structural properties).1. If Γ ; ∆ =⇒ C@w, thenΓ, Γ′ ; ∆ =⇒ C@w. (weakening)2. If Γ,A@u,A@u ; ∆ =⇒ C@w, thenΓ,A@u ; ∆ =⇒ C@w. (contraction)

Proof. By straightforward structural induction on the given derivations.

The most important structural properties are the admissibility of the identity andthe cut principles. The identity theorem is the general caseof the init rule and servesas a global syntactic completeness theorem for the logic. Dually, the cut theorem be-low establishes the syntactic soundness of the calculus; moreover there is no cut-freederivation of· ; · =⇒ 0@w, so the logic is also globally consistent.

Theorem 3(identity). Γ ; A@w =⇒ A@w.

Proof. By induction on the structure ofA.

Theorem 4(cut).1. If Γ ; ∆ =⇒ A@u andΓ ; ∆′,A@u =⇒ C@w, thenΓ ; ∆,∆′ =⇒ [email protected]. If Γ ; · =⇒ A@u andΓ,A@u ; ∆ =⇒ C@w, thenΓ ; ∆ =⇒ C@w.

Proof. By lexicographic structural induction on the given derivations, with cuts of kind2 additionally allowed to justify cuts of kind 1. The style ofproof sometimes goes bythe name ofstructural cut-elimination[10].

We can use the admissible cut rules to show that the followingrules are invertible:⊗L, 1L, ⊕L, 0L, ∃L, ⊸ R, &R, ⊤R, and∀R. In addition, the four hybrid rules,atR,atL, ↓R and↓L are invertible. In fact,↓ andat commute freely with all non-hybridconnectives.

An example of derived statements, true in every semantics for worlds, is the fol-lowing:

Γ ; A1@w1 · · ·Ak@wk ⊢ B@vΓ ; A1@u · w1 · · ·Ak@u · wk ⊢ B@u · v

In the rest of this paper we use the following derived connectives:

Definition 5 (modal connectives).

A , ↓u.∀w. (A at u · w) ♦ A , ↓u.∃w. (Aat u · w)

ρv A , ↓u. (Aat u · v) †A , ∀u. (Aat u)

5

Judgemental rules.

Γ ; a~t @u =⇒ a~t @uinit Γ,A@u ; ∆,A@u =⇒ C@w

Γ,A@u ; ∆ =⇒ C@wcopy

Multiplicatives.

Γ ; ∆ =⇒ A@w Γ ; ∆′ =⇒ B@wΓ ; ∆,∆′ =⇒ A⊗ B@w

⊗RΓ ; ∆,A@u, B@u =⇒ C@wΓ ; ∆,A⊗ B@u =⇒ C@w

⊗L

Γ ; · =⇒ 1@w1R

Γ ; ∆ =⇒ C@wΓ ; ∆,1@u =⇒ C@w

1LΓ ; ∆,A@w =⇒ B@wΓ ; ∆ =⇒ A ⊸ B@w

⊸R

Γ ; ∆ =⇒ A@u Γ ; ∆′, B@u =⇒ C@wΓ ; ∆,∆′,A ⊸ B@u =⇒ C@w

⊸L

Additives.

Γ ; ∆ =⇒ ⊤@w⊤R

Γ ; ∆ =⇒ A@w Γ ; ∆ =⇒ B@wΓ ; ∆ =⇒ A & B@w

&R

Γ ; ∆,Ai @u =⇒ C@wΓ ; ∆,∆′,A1 & A2@u =⇒ C@w

&Li

Γ ; ∆ =⇒ Ai @wΓ ; ∆ =⇒ A1 ⊕ A2@w

⊕RiΓ ; ∆,0@u =⇒ C@w

0L

Γ ; ∆,A@u =⇒ C@w Γ ; ∆, B@u =⇒ C@wΓ ; ∆,A⊕ B@u =⇒ C@w

⊕L

Quantifiers.

Γ ; ∆ =⇒ A@wΓ ; ∆ =⇒ ∀α. A@w

∀RαΓ ; ∆, [τ/α]A@u =⇒ C@wΓ ; ∆,∀α. A@u =⇒ C@w

∀L

Γ ; ∆ =⇒ [τ/α]A@wΓ ; ∆ =⇒ ∃α. A@w

∃RΓ ; ∆,A@u =⇒ C@wΓ ; ∆,∃α. A@u =⇒ C@w

∃Lα

For∀Rα and∃Lα, α is assumed to be fresh with respect to the conclusion. For∃R and∀L, τ stands for a term or world, as appropriate.Exponentials.

Γ ; · =⇒ A@wΓ ; · =⇒ ! A@w

!RΓ,A@u ; ∆ =⇒ C@wΓ ; ∆, ! A@u =⇒ C@w

!L

Hybrid connectives.

Γ ; ∆ =⇒ A@uΓ ; ∆ =⇒ (A at u)@v

atRΓ ; ∆,A@u =⇒ C@w

Γ ; ∆, (A at u)@v =⇒ C@watL

Γ ; ∆ =⇒ [w/u]A@wΓ ; ∆ =⇒ ↓u.A@w

↓RΓ ; ∆, [v/u]A@v =⇒ C@wΓ ; ∆, ↓u. A@v =⇒ C@w

↓L

Figure 1: The sequent calculus for HyLL

.

6

The connectiveρ represents a form of delay. Note its derived right rule:

Γ ; ∆ ⊢ A@w · vΓ ; ∆ ⊢ ρv A@w

ρR

The propositionρv A thus stands for anintermediate statein a transition toA. Infor-mally it can be thought to be “v beforeA”; thus, ∀v. ρv A representsall intermediatestates in the path toA, and∃v. ρv A representssomesuch state. The modally unre-stricted proposition†A represents a resource that is consumable in any world; it ismainly used to make transition rules applicable at all worlds.

It is worth remarking that HyLL proof theory can be seen as at least as powerfulas (the linear restriction of) intuitionistic S5 [41],i.e., the proposition♦ A ⊸ ♦ Ais provable at any world for anyA. (We leave the easy proof as an exercise [24].)Obviously HyLL is more expressive as it allows direct manipulation of the worldsusing the hybrid connectives: for example, theρ connective is not definable in S5.

Let us elaborate a little bit on this point, together with thenatural concerns ofallowing predicates on worlds in the propositions.

First of all, let us note that allowing predicates on worlds anywhere in the proposi-tions would yield the following false rule:

Γ ; ∆ ⊢ (w , w)@w Γ ; ∆′ ⊢ A@wΓ ; ∆,∆′ 0 (↓u. (u , w) ⊗ A)@w

It seems that allowing predicates on worlds in the propositions is only possiblein a restricted form, by adding constrained conjunction andimplication as done inCILL [39] or η [16]. Following these works, we could allow the following expressionsin the propositions:

A, B, . . .F . . .∣

∣

∣ (! wp) ⊗ A∣

∣

∣ (! wp) ⊸ Bwherewp is any predicate on worlds such asw , w′ or w ≤ w′, for example.We might have chosen to define a modal connectiveat′, instead ofat, with the

following rules:

Γ ; ∆ =⇒ A@u (w , u)Γ ; ∆ =⇒ (A at′ u)@v at′R Γ ; ∆,A@u =⇒ C@w (w , u)

Γ ; ∆, (A at′ u)@v =⇒ C@w at′LRemarks:1. If worlds are just monoid (not group), then S4 can be encoded in HyLL extended

with constrained implication as above.2. If worlds are groups (i.e.... · admits an inverse, i.e.... W is a right cumulative

magma), then S5 can be encoded in HyLL with the modal connective at′ definedabove, instead ofat.

3. If worlds are Kripke frames (i.e. total and symetric) thenthe relation≤ on worldscan be internalized by aatR rule.

As Alex Simpson proved in his PhD thesis the cut elimination theorem for anyintuitionistic modal logic, we can be confident that the cut elimination theorem can beproven for HyLL with the modal connectiveat′ instead ofat.

7

2.2. Temporal constraints

As a pedagogical example, consider the constraint domainT = 〈R+,+, 0〉 repre-senting instants of time. This domain can be used to define thelifetime of resources,such as keys, sessions, or delegations of authority. Delay (defn. 5) in HyLL(T ) rep-resents intervals of time;ρd A means “A will become available after delayd”, similarto metric tense logic [34]. This domain is very permissive because addition is com-mutative, resulting in the equivalence ofρu ρv A andρv ρu A. The “forward-looking”connectivesG andF of ordinary tense logic are precisely and♦ of defn. 5.

One can write proofs of mathematical statements like the followings: A means “A true at every future”. A= “∀w.A true at w from now”. A = ↓u.∀w. (A at u · w).For all w′ andw, A@w′ ⊣⊢ A@w′ · w.In particular: for allw, A@ι ⊣⊢ [email protected] addition to the future connectives, the domainT also admits past connectives if

we add saturating subtraction (i.e., a− b = 0 if b ≥ a) to the language of worlds. Wecan then define the dualsH andP of G andF as:

H A , ↓u.∀w. (A at u− w)

P A , ↓u.∃w. (Aat u− w)

While this domain does not have any branching structure likeCTL, it is expressiveenough for many common idioms because of the branching structure of derivationsinvolving ⊕. CTL reachability (“in some path in some future”), for instance, is thesame as our♦; similarly, CTL stability (“in all paths in all futures”) isthe same as.There is some loss of expressive power, however; for instance, in CTL steadiness (“insome path for all futures”) is distinct from stability, whereas the best approximation inHyLL is ∃w. (A at u · w).

On the other hand, the availability of linear reasoning makes certain kinds of rea-soning in HyLL much more natural than in ordinary temporal logics. One impor-tant example is ofoscillation between states in systems with kinetic feedback. In atemporal specification language such as BIOCHAM [9], only finite oscillations arerepresentable using a nested syntax, while in HyLL we use a simple bi-implication;for example, the oscillation betweenA andB with delayd is represented by the rule†(A ⊸ ρd B) & ( B ⊸ ρd A) (or †(A ⊸ ♦ B) & ( B ⊸ ♦ A) if the oscillation is aperi-odic). If HyLL(T ) were extended with constrained implication and conjunction in thestyle of CILL [39] orη [16], then we can define localized versions of and♦, such as“A is true everywhere/somewhere in an interval”. They would also allow us to definethe “until” and “since” operators of linear temporal logic [23].

2.3. Stochastic constraints

The material in this section requires some background in probability and measuretheory, and can be skipped at a first reading: The definitions stated here will only beused in the encoding of theSπ-calculus (sec. 4).

8

Transitions in practice rarely have precise delays. Phenomenological and exper-imental evidence is used to construct a probabilistic modelof the transition systemwhere the delays are specified as probability distributionsof continuous variables.

Fact 6 (see [18, 38]). If X and Y are independent random variables inR, with distri-butionµX andµY, respectively, then the distributionµX+Y of the random variable X+Yis given by

µX+Y(A) = µX ∗ µY(A) =∫

x+y∈AµX(dx) ⊗ µY(dy)

for all Borel 4 subset A ofR.

The space of probability distributions of random variables, together with the con-volution operator∗ and the Dirac mass at 0δ0 as neutral element, forms a monoid.More precisely:

Definition 7. The rates domainR is the monoid〈M1(R), ∗, δ0〉 whereM1(R) is theset of the Borel probability measures overR andδ0 is Dirac mass at 0. The instanceHyLL(R) will sometimes be called “stochastic hybrid linear logic”.

The standard model of stochastic transition systems is continuous time Markovchains (CTMCs) where the delays of transitions between states are distributed accord-ing to the Markov assumption of memorylessness,i.e., the distributions are exponentialdistributions.

Fact 8(see [17, 38]). Given a continuous-time Markov process(Xt, t ≥ 0) taking valuesin a measurable space(E,E), the family(P(t), t ≥ 0) of linear operators on the set ofbounded Borel functionsB(E) defined by: for all f∈ B(E) and for all x∈ E,

(P(t) f )(x) = E[ f (Xt) | X0 = x],

is a semigroup for the convolution: for all s, t ≥ 0,

P(t + s) = P(t) ∗ P(s)

with neutral element P(0), the identity operator. When the process X is a Feller pro-cess (see [38], chapter 3, section 2),(P(t), t ≥ 0) is a Feller semigroup, i.e. stronglycontinuous and conservative.

For a given continuous-time Markov process (Xt, t ≥ 0), the associated monoid isthe set (P(t), t ≥ 0) defined above. More precisely, we can define the Markov ratesdomain as follows:

Definition 9. For a given continuous-time Markov process(Xt, t ≥ 0), taking values ina measurable space(E,E), theMarkov rates domainRMarkov is the monoid〈(P(t), t ≥0), ∗,P(0)〉 where(P(t), t ≥ 0) is the sub-markov semigroup of linear operators on theset of bounded Borel functionsB(E) defined by for all f∈ B(E) and for all x ∈ E,(P(t) f )(x) = E[ f (Xt) | X0 = x]. The instance HyLL(RMarkov) will sometimes be called“Markov hybrid linear logic”.

4The set of Borel events is the set of the Lebesgue measurable functions.

9

3. Focusing

As HyLL is intended to represent transition systems adequately, it is crucial thatHyLL derivations in the image of an encoding have corresponding transitions. How-ever, transition systems are generally specified as rewritealgebras over an underlyingcongruence relation. These congruences have to be encoded propositionally in HyLL,so a HyLL derivation will generally require several inference rules to implement asingle transition; moreover, several trivially different reorderings of these “micro” in-ferences would correspond to the same transition. It is therefore futile to attempt todefine an operational semantics directly on HyLL inferences.

We restrict the syntax to focused derivations [1], which ignores many irrelevant rulepermutations in a sequent proof and divides the proof into clearphasesthat define thegrain of atomicity. The logical connectives are divided into two classes,negativeandpositive, and rule permutations for connectives of like polarity areconfined tophases.A focused derivationis one in which the positive and negative rules are applied inalternate maximal phases in the following way: in theactivephase, all negative rulesare applied (in irrelevant order) until no further negativerule can apply; the phase thenswitches and one positive proposition is selected forfocus; this focused propositionis decomposed under focus (i.e., the focus persists unto its sub-propositions) until itbecomes negative, and the phase switches again.

As noted before, the logical rules of the hybrid connectivesat and↓ are invertible,so they can be considered to have both polarities. It would bevalid to decide a po-larity for each occurrence of each hybrid connective independently; however, as theyare mainly intended for book-keeping during logical reasoning, we define the polarityof these connectives in the followingparasitic form: if its immediate subformula ispositive (resp. negative) connective, then it is itself positive (resp. negative). Theseconnectives therefore become invisible to focusing. This choice of polarity can be seenas a particular instance of a general scheme that divides the↓ andat connectives intotwo polarized forms each. To complete the picture, we also assign a polarity for theatomic propositions; this restricts the shape of focusing phases further [12]. The fullsyntax of positive (P,Q, . . .) and negative (M,N, . . .) propositions is as follows:

P,Q, . . . F p~t∣

∣

∣ P⊗ Q∣

∣

∣ 1∣

∣

∣ P⊕ Q∣

∣

∣ 0∣

∣

∣ ! N∣

∣

∣ ∃α. P∣

∣

∣ ↓u.P∣

∣

∣ (P at w)∣

∣

∣ ⇓NN,M, . . .F n~t

∣

∣

∣ N & N∣

∣

∣ ⊤∣

∣

∣ P ⊸ N∣

∣

∣ ∀α. N∣

∣

∣ ↓u.N∣

∣

∣ (N at w)∣

∣

∣ ⇑P

The two syntactic classes refer to each other via the new connectives⇑ and⇓. Sequentsin the focusing calculus are of the following forms.

Γ ; ∆ ; Ω =⇒ · ; P@wΓ ; ∆ ; Ω =⇒ N@w ; ·

activeΓ ; ∆ ;

[

N@u]

=⇒ P@wΓ ; ∆ =⇒

[

P@w]

focused

In each case,Γ and∆ contain only negative propositions (i.e., of the formN@u) andΩ only positive propositions (i.e., of the formP@u). The full collection of inferencerules are in fig. 2. The sequent formΓ ; ∆ ; · =⇒ · ; P@w is called aneutral sequent;from such a sequent, a left or right focused sequent is produced with the rules lf, cplfor rf. Focused logical rules are applied (non-deterministically) and focus persists untothe subformulas of the focused proposition as long as they are of the same polarity;when the polarity switches, the result is an active sequent,where the propositions in

10

Focused logical rules.

Γ ;[

n~t@w]

=⇒ ⇓n~t@wliΓ ; ∆ ; P@u =⇒ · ; Q@w

Γ ; ∆ ;[

⇑P@u]

=⇒ Q@w⇑L

Γ ; ∆ ;[

Ni @u]

=⇒ Q@w

Γ ; ∆ ;[

N1 & N2@u]

=⇒ Q@w&Li

Γ ; ∆ =⇒[

P@u]

Γ ; Ξ ;[

N@u]

=⇒ Q@w

Γ ; ∆,Ξ ;[

P ⊸ N@u]

=⇒ Q@w⊸L

Γ ; ∆ ;[

[τ/α]N@u]

=⇒ Q@w

Γ ; ∆ ;[

∀α. N@u]

=⇒ Q@w∀L

Γ ; ∆ ;[

[v/u]N@v]

=⇒ Q@w

Γ ; ∆ ;[

↓u.N@v]

=⇒ Q@w↓LF

Γ ; ∆ ;[

N@u]

=⇒ Q@w

Γ ; ∆ ;[

(N at u)@v]

=⇒ Q@watLF

Γ ; ⇑p~t@w =⇒[

p~t@w] ri

Γ ; ∆ ; · =⇒ N@w ; ·

Γ ; ∆ =⇒[

⇓N@w] ⇓R

Γ ; ∆ =⇒[

P@w]

Γ ; Ξ =⇒[

Q@w]

Γ ; ∆,Ξ =⇒[

P⊗ Q@w] ⊗R

Γ ; · =⇒[

1@w] 1R

Γ ; ∆ =⇒[

Pi @w]

Γ ; ∆ =⇒[

P1 ⊕ P2@w] ⊕Ri

Γ ; · ; · =⇒ N@w ; ·Γ ; · =⇒

[

!N]

@w!R

Γ ; ∆ =⇒[

[τ/α]P@w]

Γ ; ∆ =⇒[

∃α. P@w] ∃R

Γ ; ∆ =⇒[

[w/u]P@w]

Γ ; ∆ =⇒[

↓u. P@w] ↓RF

Γ ; ∆ =⇒[

P@u]

Γ ; ∆ =⇒[

(P at u)@w] atRF

Active logical rules. (R of the form· ; Q@w or N@w ; ·, andL of the formΓ ; ∆ ; Ω)

L, P@u,Q@u =⇒ RL,P⊗ Q@u =⇒ R

⊗LL =⇒ R

L,1@u =⇒ R1L

L, P@u =⇒ R L,Q@u =⇒ RL, P⊕ Q@u =⇒ R

⊕LL, 0@u =⇒ R

0L

L, [v/u]P@v =⇒ RL, ↓u. P@v =⇒ R

↓LAL, P@u =⇒ R

L, (P at u)@v =⇒ RatLA

L, P@u =⇒ RL, ∃α. P@u =⇒ R

∃Lα

Γ,N@u ; ∆ ; Ω =⇒ RΓ ; ∆ ; Ω, !N@u =⇒ R

!LΓ ; ∆,N@w ; Ω =⇒ RΓ ; ∆ ; Ω,⇓N@w =⇒ R

⇓LΓ ; ∆,⇑p~t ; Ω =⇒ R

Γ ; ∆ ; Ω, p~t@w =⇒ Rlp

L =⇒ M@w ; · L =⇒ N@w ; ·L =⇒ M & N@w ; ·

&RL =⇒ ⊤@w ; ·

⊤RL, P@w =⇒ N@w ; ·L =⇒ P ⊸ N@w ; ·

⊸R

L =⇒ [w/u]N@w ; ·L =⇒ ↓u.N@w ; ·

↓RA L =⇒ N@uL =⇒ (N at u)@w

atRAL =⇒ N@u ; ·

L =⇒ ∀α. N@u ; ·∀Rα

L =⇒ · ; P@wL =⇒ ⇑P@w ; ·

⇑RL =⇒ · ; ⇓n~t@w

L =⇒ n~t@w ; ·rp

Focusing decisions.(L of the formΓ ; ∆)

Γ ; ∆ ;[

N@u]

=⇒ Q@w N not⇑p~t

Γ ; ∆,N@u ; · =⇒ · ; Q@wlfΓ,N@u ; ∆ ;

[

N@u]

=⇒ Q@w

Γ,N@u ; ∆ ; · =⇒ · ; Q@wcplf

Γ ; ∆ =⇒[

P@w]

P not⇓n~t

Γ ; ∆ ; · =⇒ · ; P@wrf

Figure 2: Focusing rules for HyLL.

11

the innermost zones are decomposed in an irrelevant order until once again a neutralsequent results.

Soundness of the focusing calculus with respect to the ordinary sequent calculusis immediate by simple structural induction. In each case, if we forget the additionalstructure in the focused derivations, then we obtain simplyan unfocused proof. Weomit the obvious theorem. Completeness, on the other hand, is a hard result. We omitthe proof because focusing is by now well known for linear logic, with a number ofdistinct proofs via focused cut-elimination (seee.g. the detailed proof in [12]). Thehybrid connectives pose no problems because they allow all cut-permutations.

Theorem 10(focusing completeness). LetΓ− and C−@w be negative polarizations ofΓ and C@w (that is, adding⇑ and⇓ to make C and each proposition inΓ negative) and∆+ be a positive polarization of∆. If Γ ; ∆ =⇒ C@w, then· ; · ; ! Γ−,∆+ =⇒ C−@w ; ·.

4. Encoding the synchronous stochasticπ-calculus

In this section, we shall illustrate the use of HyLL(R) as a logical framework forconstrained transition systems by encoding the syntax and the operational semanticsof the synchronous stochasticπ-calculus (Sπ), which extends the ordinaryπ-calculusby assigning to every channel and internal action aninherentrate of synchronization.HyLL(R) can therefore be seen as a formal language for expressingSπ executions(traces). For the rest of this section we shall user, s, t, . . . instead ofu, v,w, . . . to high-light the fact that the worlds represent rates, with the understanding that· is convolution(defn.??) andι isΘ. We don’t directly use rates because the syntax and transitions ofSπ are given generically for aπ-calculus with labelled actions, and it is only the inter-pretation of the labels that involves probabilities.

We first summarize the syntax ofSπ, which is a minor variant of a number ofsimilar presentations such as [33]. For hygienic reasons wedivide entities into thesyntactic categories ofprocesses(P,Q, . . .) andsums(M,N, . . .), defined as follows.We also include environments of recursive definitions (E) for constants.

(Processes) P,Q, . . . F νr P∣

∣

∣ P | Q∣

∣

∣ 0∣

∣

∣ Xn x1 · · · xn

∣

∣

∣ M(Sums) M,N, . . .F !x(y). P

∣

∣

∣ ?x. P∣

∣

∣ τr . P∣

∣

∣ M + N(Environments) E F E,Xn , P

∣

∣

∣ ·

P | Q is the parallel composition ofP and Q, with unit 0. The restrictionνr Pabstracts over a free channelx in the processP x. We write the process using higher-order abstract syntax [30],i.e., P in νr P is (syntactically) a function from channelsto processes. This style lets us avoid cumbersome binding rules in the interactionsbecause we reuse the well-understood binding structure of theλ-calculus. A similarapproach was taken in the earliest encoding of (ordinary)π-calculus in (unfocused)linear logic [27], and is also present in the encoding in CLF [8].

A sum is a non-empty choice (+) over terms withaction prefixes: the output action!x(y) sendsy along channelx, the input action ?x reads a value fromx (which is appliedto its continuation process), and the internal actionτr has no observable I/O behaviour.Replication of processes happens via guarded recursive definitions [28]; in [37] it is ar-gued that they are more practical for programming than the replication operator !. In a

12

Interactions

!x(y). P+ M | ?x. Q+ M′rate(x)−−−−−→ P | Q y

τr . Pr−→ P

Pr−→ P′

P | Qr−→ P′ | Q

∀xs.(

P xr−→ Q x

)

νs Pr−→ νs Q

Pr−→ Q P≡ P′ Q ≡ Q′

P′r−→ Q′

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Congruence

P | 0 ≡ P P | Q ≡ Q | P P | (Q | R) ≡ (P | Q) | R νr 0 ≡ 0Xn , P ∈ E

E ⊢ Xn x1 · · · xn ≡ P x1 · · · xn

νr (λx. νs(λy.P)) ≡ νs(λy. νr (λx.P))∀xr . (P x≡ Q x)νr P ≡ νr Q νr (λx.P | Q(x)) ≡ P | νr Q

P ≡ P′

P | Q ≡ P′ | QP ≡ P′

!x(m). P ≡ !x(m). P′∀n. (P n≡ Q n)?x. P ≡ ?x. Q

P ≡ P′

τr . P ≡ τr . P′

M + N ≡ N + M M + (N + K) ≡ (M + N) + KM ≡ M′

M + N ≡ M′ + NM ≡ N

M + N ≡ M

Figure 3: Interactions and congruence inSπ. The environmentE is elided in most rules.

definitionXn , P, Xn denotes a (higher-order) defined constant of arityn; given chan-nels x1, . . . , xn, the processXn x1 · · · xn is synonymous withP x1 · · · xn. The constantXn may occur on the right hand side of any definition inE, including in its bodyP, aslong as it is prefixed by an action; this prevents infinite recursion without progress.

Interactions are of the formE ⊢ Pr−→ Q denoting a transition from the processP

to the processQ, in a global environmentE, by performing an action at rater. Eachchannelx is associated with an inherent rate specific to the channel, and internal actionsτr have rater. The restrictionνr P defines the rate of the abstracted channel asr.

The full set of interactions and congruences are in fig. 3. We generally omit theglobal environmentE in the rules as it never changes. It is possible to use the congru-ences to compute a normal form for processes that are a parallel composition of sumsand each reaction selects two suitable sums to synchronise on a channel until there areno further reactions possible; this refinement of the operational semantics is used inSπsimulators such as SPiM [32].

Definition 11 (syntax encoding).1. The encoding of the processP as a positive proposition, written~Pp, is as follows

(sel is a positive atom andrt a negative atom).

~P | Qp = ~Pp ⊗ ~Qp ~νr Pp = ∃x. !(rt x at r) ⊗ ~P xp

~0p = 1 ~Xn x1 · · · xnp = Xn x1 · · · xn

~Mp = ⇓(sel⊸ ~Ms)

2. The encoding of the sumM as a negative proposition, written~Ms, is as follows(out, in andtau are positive atoms).

~M + Ns = ~Ms & ~Ns ~!x(m). Ps = ⇑(out x m⊗ ~Pp)

13

~?x. Ps = ∀n. ⇑(in x n⊗ ~P np) ~τr . Ps = ⇑(tau r ⊗ ~Pp)

3. The encoding of the definitionsE as a context, written~Ee, is as follows.

E,Xn , P

e= ~Ee , †∀x1, . . . , xn. Xn x1 · · · xn ~P x1 · · · xnp

~·e = ·

where P Q is defined as(P ⊸ ⇑Q) & ( Q ⊸ ⇑P).

The encoding of processes is positive, so they will be decomposed in the activephase when they occur on the left of the sequent arrow, leaving a collection of sums.The encoding of restrictions will introduce a fresh unrestricted assumption about therate of the restricted channel. Each sum encoded as a processes undergoes a polar-ity switch because⊸ is negative; the antecedent of this implication is aguard sel.This pattern of guarded switching of polarities prevents unsound congruences such as!x(m). !y(n). P ≡ !y(n). !x(m). P that do not hold for the synchronousπ calculus.5 Thisguard alsolocksthe sums in the context: theSπ interaction rules and discard thenon-interacting terms of the sum, so the environment will contain the requisite numberof sels only when an interaction is in progress. The action prefixesthemselves are alsosynchronous, which causes another polarity switch. Each action releases a token of itsrespective kind—out, in or tau—into the context. These tokens must be consumedby the interaction before the next interaction occurs. For each action, the (encoding ofthe) continuation process is also released into the context.

The proof of the following congruence lemma is omitted. Because the encoding is(essentially) a⊗/& structure, there are no distributive laws in linear logic that wouldbreak the process/sum structure.

Theorem 12 (congruence). E ⊢ P ≡ Q iff both ~Ee@ι ; · ; ~Pp@ι =⇒ · ; ~Qp@ι

and~Ee@ι ; · ; ~Qp@ι =⇒ · ; ~Pp@ι.

Now we encode the interactions. Because processes were lifted into propositions,we can be parsimonious with our encoding of interactions by limiting ourselves tothe atomic interactions and (below); the, and interactions will beambiently implemented by the logic. Because there are no concurrent interactions—only one interaction can trigger at a time in a trace—the interaction rules must obey alocking discipline. We represent this lock as the proposition act that is consumed atthe start of an interaction and produced again at the end. This lock also carries the net

rate of the prefix of the trace so far: that is, an interactionPr−→ Q will update the lock

from act@s to act@s · r. The encoding of individual atomic interactions must alsoremove thein, out andtau tokens introduced in context by the interacting processes.

Definition 13 (interaction). Letinter , †(act⊸ ⇑int & ⇑syn) whereact is a pos-itive atom andint andsyn are as follows:

int , (sel at ι) ⊗ ⇓∀r. ((tau r at ι) ⊸ ρr ⇑act)

syn , (sel ⊗ sel at ι) ⊗ ⇓∀x, r,m. ((out x m⊗ in x mat ι) ⊸ ⇓(rt x at r) ⊸ ρr ⇑act)

.

5Note: (x ⊸ a⊗ (x ⊸ b⊗ c)) ⊸ (x ⊸ b⊗ (x ⊸ a⊗ c)) is not provable in linear logic.

14

The number of interactions that are allowed depend on the number of instances ofinter in the linear context: each focus oninter implements a single interaction. Ifwe are interested in all finite traces, we will addinter to the unrestricted context so itmay be reused as many times as needed.

4.1. Representational adequacy.

Adequacy consists of two components: completeness and soundness. Complete-ness is the property that everySπ execution is obtainable as a HyLL derivation usingthis encoding, and is the comparatively simpler direction (see thm. 16). Soundnessis the reverse property, and is false for unfocused HyLL as such. However, itdoeshold for focused proofs (see thm. 18). In both cases, we reason about the followingcanonical sequents of HyLL.

Definition 14. Thecanonical context ofP, writtenNPO, is given by:

NXn x1 · · · xnO = ⇑Xn x1 · · · xn NP | QO = NPO, NQO N0O = · Nνr PO = NP aO

NMO = sel⊸ ~Ms

For Nνr PO, the right hand side uses afreshchannel a that is not free in the rest of thesequent it occurs in.

As an illustration, takeP , !x(a). Q | ?x. R. We have:

NPO = sel⊸ ⇑(out x a⊗ ~Qp), sel⊸ ∀y. ⇑(in x y⊗

R y

p)

Obviously, the canonical context is what would be emitted tothe linear zone at the endof the active phase if~Pp were to be present in the left active zone.

Definition 15. A neutral sequent iscanonicaliff it has the shape

~Ee , rates, inter@ι ; ⇑act@s, NP1 | · · · | PkO@ι ; · =⇒ · ; (~Qp at ι) ⊗ act@t

whererates contains elements of the formrt x@r defining the rate of the channel xas r, and all free channels in~Ee , NP1 | · · · | Pk | QO have a single such entry inrates.

Figure 4 contains an example of a derivation for a canonical sequent involvingP.Focusing on any (encoding of a) sum inNPO@ι will fail because there is nosel inthe context, so onlyinter can be given focus; this will consume theact and releasetwo copies of (sel at ι) and the continuation into the context. Focusing on the latterwill fail now (becauseout x mandin x m (for somem) are not yet available), so theonly applicable foci are the two sums that can now be “unlocked” using thesels.The output and input can be unlocked in an irrelevant order, producing two tokensin x a andout x a. Note in particular that the witnessa was chosen for the universalquantifier in the encoding of?x. Q because the subsequent consumption of these twotokens requires the messages to be identical. (Any other choice will not lead to asuccessful proof.) After both tokens are consumed, we get the final formact@s · r,

15

SupposeL = rtx@r,inter@ι andR = (~Sp at ι) ⊗ act@t. (All judgements@ι omitted.)

L ; NQO , NR aO ,⇑act@s · r ; · =⇒ · ; R

L ; NQO,⇑ out x a,⇑ in x a, NR aO,∀x, r,m. ((out x m⊗ in x mat ι) ⊸ ⇓(rtx at r) ⊸ ρr act)@s ; · =⇒ · ; R

5

L ; ⇑ out x a, NQO, sel⊸ ∀y. ⇑(in x y⊗

R y

p),⇑sel,∀x, r,m. ((out x m⊗ in x mat ι) ⊸ ⇓(rtx at r) ⊸ ρr act)@s ; · =⇒ · ; R

4

L ; sel⊸ ⇑(out x a⊗ ~Qp), sel⊸ ∀y. (in x y⊗

R y

p),⇑sel,⇑sel,∀x, r,m. ((out x m⊗ in x mat ι) ⊸ ⇓(rtx at r) ⊸ ρr act)@s ; · =⇒ · ; R

3

L ; ⇑act@s, sel⊸ ⇑(out x a⊗ ~Qp), sel⊸ ∀y. ⇑(in x y⊗

R y

p) ;[

inter]

=⇒ R2

L ; ⇑act@s, sel⊸ ⇑(out x a⊗ ~Qp), sel⊸ ∀y. ⇑(in x y⊗

R y

p) ; · =⇒ · ; R1

L ; ⇑act@s, N!x(a). Q | ?x. RO ; · =⇒ · ; R

Steps1: focus oninter ∈ L 3: sel for output+ full phases 5: cleanup2: selectsyn from inter, active rules 4:sel for input+ full phases

Figure 4: Example interaction in theSπ-encoding.

wherer is the inherent rate ofx (found from therates component of the unrestrictedzone). This sequent is canonical and containsNQ | R aO.

Our encoding therefore represents everySπ action in terms of “micro” actions inthe following rigid order: one micro action to determine what kind of action (internalor synchronization), one micro action per sum to select the term(s) that will interact,and finally one micro action to establish the contract of the action. Thus we see thatfocusing is crucial to maintain the semantic interpretation of (neutral) sequents. In anunfocused calculus, several of these steps could have partial overlaps, making such asemantic interpretation inordinately complicated. We do not know of any encodingof theπ calculus that can provide such interpretations in unfocused sequents withoutchanging the underlying logic. In CLF [8] the logic is extended with explicit monadicstaging, and this enables a form of adequacy [8]; however, the encoding is considerablymore complex because processes and sums cannot be fully lifted and must instead bespecified in terms of a lifting computation. Adequacy is thenobtained via a permutativeequivalence over the lifting operation. Other encodings ofπ calculi in linear logic, suchas [19] and [3], concentrate on the easier asynchronous fragment and lack adequacyproofs anyhow.

Theorem 16(completeness). If E ⊢ Pr−→ Q, then the following canonical sequent is

derivable.

~Ee , rates, inter@ι ; ⇑act@s, NPO@ι ; · =⇒ · ; (~Qp at ι) ⊗ act@s · r .

Proof. By structural induction of the derivation ofE ⊢ Pr−→ Q. Every interaction rule

of Sπ is implementable as an admissible inference rule for canonical sequents. For, we appeal to thm. 12.

16

Completeness is a testament to the expressivity of the logic– all executions ofSπ are also expressible in HyLL. However, we also require the opposite (soundness)direction: that every canonical sequent encodes a possibleSπ trace. The proof hingeson the following canonicity lemma.

Lemma 17 (canonical derivations). In a derivation for a canonical sequent, the de-rived inference rules forinter are of one of the two following forms (conclusions andpremises canonical).

~Ee , rates, inter@ι ; ⇑act@s, NPO@ι ; · =⇒ · ; (~Pp at ι) ⊗ act@s

~Ee , rates, inter@ι ; ⇑act@s · r , NQO@ι ; · =⇒ · ; (~Rp at ι) ⊗ act@t

~Ee , rates, inter@ι ; ⇑act@s, NPO@ι ; · =⇒ · ; (~Rp at ι) ⊗ act@t

where: eitherE ⊢ Pr−→ Q, or E ⊢ P ≡ Q with r = ι.

Proof. This is a formal statement of the phenomenon observed earlier in the example(fig. 4): ~Rp ⊗ act cannot be focused on the right unlessP ≡ R, in which case thederivation ends with no more foci oninter. If not, the only elements available forfocus areinter and one of the congruence rules~Ee in the unrestricted context.In the former case, the derived rule consumes the⇑act@s, and by the timeact isproduced again, its world has advanced tos · r. In the latter case, the definition of atop levelXn in NPO is (un)folded (without advancing the world). The proof proceeds byinduction on the structure ofP.

Lemma 17 is a strong statement about HyLL derivations using this encoding: everypartial derivation using the derived inference rules represents a prefix of anSπ trace.This is sometimes referred to asfull adequacy, to distinguish it from adequacy proofsthat require complete derivations [29]. The structure of focused derivations is crucialbecause it allows us to close branches early (using init). Itis impossible to performa similar analysis on unfocused proofs for this encoding; both the encoding and theframework will need further features to implement a form of staging [8, Chapter 3].

Corollary 18 (soundness).If ~Ee , rates, inter@ι ; ⇑act@ι, NPO@ι ; · =⇒ · ; (~Qp at ι) ⊗ act@r is derivable,

thenE ⊢ Pr−→∗Q.

Proof. Directly from lem. 17.

4.2. Stochastic correctness with respect to simulation

So far the HyLL(R) encoding ofSπ represents anySπ trace symbolically. How-ever, not every symbolic trace of anSπ process can be produced according to the op-erational semantics ofSπ, which is traditionally given by a simulator. This is the maindifference between HyLL (andSπ) and the approach of CSL [2], where the truth of aproposition is evaluated against a CTMC, which is why equivalence in CSL is identicalto CTMC bisimulation [15]. In this section we sketch how the execution could be useddirectly on the canonical sequents to produce only correct traces (proofs). The proposal

17

in this section should be seen by analogy to the execution model of Sπ simulators suchas SPiM [31], although we do not use the Gillespie algorithm.

The main problem of simulation is determining which of several competing enabledactions in a canonical sequent to select as the “next” actionfrom therace conditionofthe actions enabled in the sequent. Because of the focusing restriction, these enabledactions are easy to compute. Each element ofNPO is of the formsel⊸ ~Ms, so theenabled actions in that element are given precisely by the topmost occurrences of⇑ in~Ms. Because none of the sums can have any restricted channels (they have all beenremoved in the active decomposition of the process earlier), the rates of all the channelswill be found in therates component of the canonical sequent.

The effective rate of a channelx is related to its inherent rate by scaling by a factorproportional to theactivity on the channel, as defined in [31]. Note that this defini-tion is on therate constantsof exponential distributions, not the rates themselves. Thedistribution of the minimum of a list of random variables with exponential distribu-tion is itself an exponential distribution whose rate constant is the sum of those of theindividual variables. Each individual transition on a channel is then weighted by thecontribution of its rate to this sum. The choice of the transition to select is just the or-dinary logical non-determinism. Note that the rounds of thealgorithm do not have anassociateddelayelement as in [31]; instead, we compute (symbolically) a distributionover the delays of a sequence of actions.

Because stochastic correctness is not necessary for the main adequacy result in theprevious subsection, we leave the details of simulation to future work.

5. Related work

Logically, the HyLL sequent calculus is a variant of labelled deduction, a verybroad topic not elaborated on here. The combination of linear logic with labelled de-duction isn’t new to this work. In theη-logic [16] the constraint domain is intervals oftime, and the rules of the logic generate constraint inequalities as a side-effect; howeverits sole aim is the representation of proof-carrying authentication, and it does not dealwith genericity or focusing. The main feature ofη not in HyLL is a separate constraintcontext that gives new constrained propositions. HyLL is also related to the HybridLogical Framework (HLF) [35] which captures linear logic itself as a labelled form ofintuitionistic logic. Encoding constrainedπ calculi directly in HLF would be an inter-esting exercise: we would combine the encoding of linear logic with the constraintsof the process calculus. Because HLF is a very weak logic witha proof theory basedon natural deduction, it is not clear whether (and in what forms) an adequacy result inHyLL can be transferred to HLF.

Constrained temporal logics such as CSL and PCTL [21] are popular for logicalreasoning in constrained domains. In such logics, truth is defined in terms of correct-ness with respect to a constrained forcing relation on the constraint algebra. Whilesuch logics have been very successful in practice with efficient tools, the proof theoryof these logics is very complex. Indeed, such modal logics generally cannot be for-mulated in the sequent calculus, and therefore lack cut-elimination and focusing. Incontrast, HyLL has a very traditional proof theoretic pedigree, but lacks such a closecorrespondence between logical and algebraic equivalence. Probably the most well

18

known and relevant stochastic formalism not already discussed is that of stochasticPetri-nets [26], which have a number of sophisticated modelchecking tools, includingthe PRISM framework [25]. Recent advances in proof theory suggest that the benefitsof model checking can be obtained without sacrificing proofsand proof search [4].

6. Conclusion and future work

We have presented HyLL, a hybrid extension of intuitionistic linear logic with asimple notion of situated truth, a traditional sequent calculus with cut-elimination andfocusing, and a modular and instantiable constraint systemthat can be directly manip-ulated using hybrid connectives. We have shown how to obtainrepresentationally ade-quate encodings of constrained transition systems, such asthe synchronous stochasticπ-calculus in a suitable instance of HyLL.

Several instantiations of HyLL besides the one in this paperseem interesting. Forexample, we can already use disjunction (⊕) to explain disjunctive states, but it is alsopossible to obtain a more extensional branching by treatingthe worlds as points in anarbitrary partially-ordered set instead of a monoid. Another possibility is to considerlists of worlds instead of individual worlds – this would allow defining periodic avail-ability of a resource, such as one being produced by an oscillating process. The mostinteresting domain is that of discrete probabilities: herethe underlying semantics isgiven by discrete time Markov chains instead of CTMCs, whichare often better suitedfor symbolic evaluation [43].

The logic we have provided so far is a logical framework well suited *to represent*constrained transition systems. The design of a logical framework *for* (i.e. to reasonabout) constrained transition systems is left for future work -and might be envisionedby using a two-levels logical framework such as the Abella system.

An important open question is whether a general logic such asHyLL can serveas a framework for specialized logics such as CSL and PCTL. A related question iswhat benefit linearity truly provides for such logics – linearity is obviously crucial forencoding process calculi that are inherently stateful, butCSL requires no such notionof single consumption of resources.

Although we did not mentioned systems biology in this paper,it was our initial areaof interest. All existing methods for modelling biology have algebraic foundations andnone treats logic as the primary inferential device. Bioambients, brane calculi, and theκ-calculus, for example, are specially designed languages dedicated to the modellingof biochemical reactions (in molecular biology), viewed asconstrained transition sys-tems. Sπ has also been used to model a number of such systems; since we have anadequate encoding ofSπ, we can use these models via the encoding. However, bio-logical systems can also be encoded directly in HyLL. We sketches in [24], on simpleexamples, a mode of use of HyLL that lets one represent the biological elements di-rectly in the logic. HyLL is used there as a uniform language to encode biologicalsystems: its first intended use, which remains to be further investigated.

Acknowledgements.This work was partially supported by INRIA through the “EquipesAssociées” Slimmer, by the MSR-INRIA joint project “Tools for Specifications and

19

Proofs”, by the Information Society Technologies programme of theEuropean Com-mission, Future and Emerging Technologies under the IST-2005-015905 MOBIUSproject, and by the European TYPES project. We thank François Fages, Sylvain Soli-man, Alessandra Carbone, Vincent Danos and Jean Krivine forfruitful discussions onvarious preliminary versions of the work presented here. Thanks also go to NicolasChampagnat who helped us understand the algebraic nature ofstochastic constraints.

References

[1] Jean-Marc Andreoli. Logic programming with focusing proofs in linear logic.J. of Logicand Computation, 2(3):297–347, 1992.

[2] A. Aziz, K. Sanwal, V. Singhal, and R. Brayton. Model checking continuous time Markovchains.ACM Transactions on Computational Logic, 1(1):162–170, 2000.

[3] David Baelde. Logique linéaire et algèbre de processus.Technical report, INRIA Futurs,LIX and ENS, 2005.

[4] David Baelde, Andrew Gacek, Dale Miller, Gopalan Nadathur, and Alwen Tiu. The Bed-wyr system for model checking over syntactic expressions. In Frank Pfenning, editor,21th Conference on Automated Deduction (CADE), number 4603 in LNAI, pages 391–397. Springer, 2007.

[5] Marco Bozzano. A Logic-Based Approach to Model Check ing of Parameterized andInfinite-State Systems. PhD thesis, DISI, Università di Genova, 2002.

[6] Torben Braüner and Valeria de Paiva. Intuitionistic hybrid logic. Journal of Applied Logic,4:231–255, 2006.

[7] Luca Cardelli. Brane calculi. InProceedings of BIO-CONCUR’03, volume 180. ElsevierENTCS, 2003.

[8] Iliano Cervesato, Frank Pfenning, David Walker, and Kevin Watkins. A concurrent logicalframework II: Examples and applications. Technical ReportCMU-CS-02-102, CarnegieMellon University, 2003. Revised, May 2003.

[9] Nathalie Chabrier-Rivier, François Fages, and SylvainSoliman. The biochemical abstractmachine BIOCHAM. InInternational Workshop on Computational Methods in SystemsBiology (CMSB-2). Springer-Verlag LNCS, 2004.

[10] Bor-Yuh Evan Chang, Kaustuv Chaudhuri, and Frank Pfenning. A judgmental analysis oflinear logic. Technical Report CMU-CS-03-131R, Carnegie Mellon University, December2003.

[11] Kaustuv Chaudhuri, Dale Miller, and Alexis Saurin. Canonical sequent proofs via multi-focusing. In G. Ausiello, J. Karhumäki, G. Mauri, and L. Ong,editors,Fifth Interna-tional Conference on Theoretical Computer Science, volume 273 ofIFIP, pages 383–396.Springer, September 2008.

[12] Kaustuv Chaudhuri, Frank Pfenning, and Greg Price. A logical characterization of forwardand backward chaining in the inverse method.J. of Automated Reasoning, 40(2-3):133–177, March 2008.

20

[13] Vincent Danos and Jean Krivine. Formal molecular biology done in CCS. InProceedingsof BIO-CONCUR’03, volume 180, pages 31–49. Elsevier ENTCS, 2003.

[14] Vincent Danos and Cosimo Laneve. Formal molecular biology. Theor. Comput. Sci.,325(1):69–110, 2004.

[15] Josée Desharmais and Prakash Panangaden. Continuous stochastic logic characterizesbisimulation of continuous-time Markov processes.Journal of Logic and Algebraic Pro-gramming, 56:99–115, 2003.

[16] Henry DeYoung, Deepak Garg, and Frank Pfenning. An authorization logic with explicittime. InComputer Security Foundations Symposium (CSF-21), pages 133–145. IEEE Com-puter Society, 2008.

[17] Stewart N. Ethier and Thomas G. Kurtz.Markov Processes; Characterization and Conver-gence. Wiley series in Probability and Mathematical Statistics.Wiley-interscience, 1986.

[18] Dominique Foata and Aimé Fuchs.Calcul des probabilités, cours exercices et problèmescorrigés. Dunod, 2e edition.

[19] Deepak Garg and Frank Pfenning. Type-directed concurrency. In Martín Abadi and Lucade Alfaro, editors,16th International Conference on Concurrency Theory (CONCUR), vol-ume 3653 ofLNCS, pages 6–20. Springer, 2005.

[20] Jean-Yves Girard. Linear logic.Theoretical Computer Science, 50:1–102, 1987.

[21] H. Hansson and B. Jonsson. A logic for reasoning about time and probability.FormalAspects of Computing, (6), 1994.

[22] Jane Hillston.A compositional approach to performance modelling. Cambridge UniversityPress, 1996.

[23] Johan Anthony Willem Kamp.Tense Logic and the Theory of Linear Order. PhD thesis,University of California, Los Angeles, 1968.

[24] Kaustuv Chaudhuri and Joelle Despeyroux. A Hybrid Linear Logic for Constrained Tran-sition Systems with Applications to Molecular Biology. Research Report, INRIA, 2009.

[25] M. Kwiatkowska, G. Norman, and D. Parker. Probabilistic symbolic model checking us-ing PRISM: a hybrid approach.International Journal of Software Tools for TechnologyTransfer, 6(2), 2004.

[26] M. Ajmone Marsan, G. Balbo, G. Conte, S. Donatelli, and G. Francenschinis.Modellingwith Generalised Stochastic Petri Nets. Wiley Series in Parallel Computing. Wiley andSons, 1995.

[27] Dale Miller. Theπ-calculus as a theory in linear logic: Preliminary results.In E. Lammaand P. Mello, editors,3rd Workshop on Extensions to Logic Programming, number 660 inLNCS, pages 242–265, Bologna, Italy, 1993. Springer-Verlag.

[28] Robin Milner. Communicating and Mobile Systems : Theπ-calculus. Cambridge Univer-sity Press, New York, NY, USA, 1999.

21

[29] Vivek Nigam and Dale Miller. Focusing in linear meta-logic. In Proceedings of IJCAR:International Joint Conference on Automated Reasoning, volume 5195 ofLNAI, pages507–522. Springer, 2008.

[30] Frank Pfenning and Conal Elliott. Higher-order abstract syntax. InProceedings ofthe ACM-SIGPLAN Conference on Programming Language Designand Implementation,pages 199–208. ACM Press, June 1988.

[31] Andrew Phillips and Luca Cardelli. A correct abstract machine for the stochastic pi-calculus.Concurrent Models in Molecular Biology, August 2004.

[32] Andrew Phillips and Luca Cardelli. A correct abstract machine for the stochastic pi-calculus. InProceedings of BioConcur’04, ENTCS, 2004.

[33] Andrew Phillips, Luca Cardelli, and Giuseppe Castagna. A graphical representation forbiological processes in the stochastic pi-calculus.Transactions on Computational SystemsBiology VII, pages 123–152, 2006.

[34] Arthur Prior. Past, Present and Future. Oxford University Press, 1967.

[35] Jason Reed. Hybridizing a logical framework. InInternational Workshop on Hybrid Logic(HyLo), Seattle, USA, August 2006.

[36] A. Regev, E. M. Panina, W. Silverman, L. Cardelli, and E.Shapiro. Bioambients: anabstraction for biological compartments.Theoretical Computer Science, 325(1):141–167,2004.

[37] A. Regev, W. Silverman, and E. Shapiro. Representationand simulation of biochemicalprocesses using theπ-calculus and process algebra. In L. Hunter R. B. Altman, A. K.Dunker and T. E. Klein, editors,Pacific Symposium on Biocomputing, volume 6, pages459–470, Singapore, 2001. World Scientific Press.

[38] L. C. G. Rogers and D. Williams.Diffusions, Markov Processes and Martingales, volume1: Foundations. Cambridge Mathematical Library.

[39] Uluç Saranli and Frank Pfenning. Using constrained intuitionistic linear logic for hybridrobotic planning problems. InIEEE International Conference on Robotics and Automation(ICRA), pages 3705–3710. IEEE, 2007.

[40] Robert J. Simmons and Frank Pfenning. Linear logical algorithms. In Luca Aceto, IvanDamgård, Leslie Ann Goldberg, Magnús M. Halldórsson, Anna Ingólfsdóttir, and IgorWalukiewicz, editors,ICALP 2008: 35th International Colloquium Automata, Languagesand Programming, Reykjavik, Iceland, volume 5126 ofLNCS, pages 336–347. Springer,July 2008.

[41] Alex Simpson.The Proof Theory and Semantics of Intuitionistic Modal Logic. PhD thesis,University of Edinburgh, 1994.

[42] Kevin Watkins, Iliano Cervesato, Frank Pfenning, and David Walker. A concurrent logi-cal framework I: Judgments and properties. Technical Report CMU-CS-02-101, CarnegieMellon University, 2003. Revised, May 2003.

[43] Peng Wu, Catuscia Palamidessi, and Huimin Lin. Symbolic bisimulations for probabilisticsystems. InQEST’07, pages 179–188. IEEE Computer Society, 2007.

22

A Hybrid Linear Logic for Constrained Transition Systems

Documents

Transcript of A Hybrid Linear Logic for Constrained Transition Systems