Local policies for resource usage analysis

Local Policies for Resource Usage Analysis MASSIMO BARTOLETTI Universit`a degli Studi di Cagliari, and Universit`a di Pisa PIERPAOLO DEGANO and GIAN-LUIGI FERRARI Universit`a di Pisa and ROBERTO ZUNINO Universit`a degli Studi di Trento

An extension of the λ-calculus is proposed, to study resource usage analysis and verification. It features usage policies with a possibly nested, local scope, and dynamic creation of resources. We define a type and effect system that, given a program, extracts a history expression, i.e. a sound over-approximation to the set of histories obtainable at run-time. After a suitable transformation, history expressions are model-checked for validity. A program is resource-safe if its history expression is verified valid: if such, no run-time monitor is needed to safely drive its executions. Categories and Subject Descriptors: D.2.4 [Software/program verification]: Formal Methods; D.3.1 [Programming Languages]: Formal Definitions and Theory; D.3.2 [Programming Languages]: Language Classifications—Applicative (functional) languages; F.3.1 [Logics and Meaning of Programs]: Specifying and Verifying and Reasoning about Programs; F.3.2 [Logics and Meaning of Programs]: Semantics of Programming Languages—Program analysis; operational semantics; F.3.2 [Logics and Meaning of Programs]: Studies of Program Constructs— Type structure General Terms: Languages, Security, Theory, Verification Additional Key Words and Phrases: Usage policies, Type and Effect Systems, Model-checking

1.

INTRODUCTION

An important aspect of programming language design and implementation is how to ensure that resources are used correctly. The problem is made even more crucial by the current programming trends, which provide us with mechanisms for reusing code, and exploiting services and components, offered by (possibly untrusted) third Author’s address: Massimo Bartoletti, Dipartimento di Matematica e Informatica, Via Ospedale, 72, I-09124 Cagliari, Italy, e mail: [email protected]; Pierpaolo Degano and Gian-Luigi Ferrari, Dipartimento di Informatica, Largo B. Pontecorvo, 3, I-56127 Pisa, Italy, e mail:{degano, giangi}@di.unipi.it; Roberto Zunino, Dipartimento di Ingegneria e Scienza dell’Informazione, Via Sommarive, 14, I-38100 Povo, Italy, e mail: [email protected]. This work has been partially supported by EU-FETPI Global Computing Project IST-2005-16004 Sensoria (Software Engineering for Service-Oriented Overlay Computers) and by the MIUR-PRIN project SOFT (Tecniche Formali Orientate alla Sicurezza). Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. c 20 ACM 0164-0925/20/0500-0001 $5.00

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20, Pages 1–45.

2

·

Massimo Bartoletti et al.

parties. It is common practice to pick from the Web some scripts, or plugins, or packages, and assemble them into a bigger program, with little or no control about the security of the whole. The typical run-time mechanisms for enforcing resource usage policies are execution monitors, which abort executions whenever they are about to violate the prescribed usage policy. The events observed by these monitors are accesses to sensible resources, e.g. opening socket connections, reading/writing files, allocating/deallocating memory. A main issue is finding a compromise between the expressivity of usage policies and the efficiency of the enforcement mechanism. Static analysis techniques may be applied to improve efficiency, but this often results in an unacceptable restriction of the expressive power of policies. A common mechanism for enforcing usage policies consists in guarding with local checks the program points where critical resources can be accessed [Fournet and Gordon 2003; Skalka and Smith 2004]. Local checks have a main drawback: they must be explicitly inserted into code by the programmer. Since forgetting even a single check might compromise the safety of the whole application, programmers have to inspect very carefully their code. This may be cumbersome even for small programs, and it may easily lead to unnecessary checking. A safer approach is that of global policies, where the execution monitor enforces a global invariant that must hold at any point of the execution. This may involve guarding each resource access, and ad-hoc optimizations are then in order to recover efficiency, e.g. compiling the global policy to local checks [Colcombet and Fradet 2000; Marriott et al. 2003]. Furthermore, a large monolithic policy may be hard to understand, and not very flexible either. Indeed, one has to imagine all the possible resource usage scenarios in advance. If an unexpected situation occurs at run-time (e.g. downloading a piece of mobile code with specific resource usage requirements), the global policy must be dynamically updated, if possible at all. A more flexible approach consists in attaching usage policies to resources, as in [Igarashi and Kobayashi 2002], so to adapt them to the context where a resource is used. For example, one may restrain the capabilities before calling untrusted code. However, a limitation of this approach is that you can only control the usage of resources you have created. In a mobile code scenario, e.g. a browser that runs untrusted applets, it is also important that you can impose constraints on how external programs manage the resources created in your local environment. E.g., an applet may create an unbounded number of resources on the browser site, and never release them. This clearly leads to denial-of-service attacks, that may eventually crash the whole system. We consider here an abstract language that aims at reconciling expressivity of resource usage policies with efficiency of the enforcement mechanism. This language, called λ[ ] (lambda-box), has primitives for creating and accessing resources, and for defining local resource usage policies. Sequences of resource accesses in executions are called histories; a policy is (roughly) a regular property of histories, defined through our usage automata. A program fragment e protected by a policy ϕ is written ϕ[e], called policy framing. Roughly, while evaluating e, the histories must respect the policy ϕ. Of course, policy framings can be nested. Local policies generalise both local checks and global policies. They smoothly ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

3

allow for safe composition of programs with their own private policies, also in mobile code scenarios. Indeed, there is no need to dynamically accommodate the local private policies into a single global one, possibly invalidating syntax-directed optimizations of policy enforcement. Local policies may offer protection also in the web-services scenario [Bartoletti et al. 2006]: there, one has scarce control on the code to run, and thus inserting local checks is infeasible. For example, a browser must obey a usage policy specified by the user. Additionally, the browser can invoke a policy provider to obtain a stricter security policy, used for dynamically sandboxing applets. This rich interplay between policies seems difficult to express in the above-mentioned approaches. In λ[ ], efficiency of resource usage control is obtained through a suitable combination of static techniques. We introduce a type and effect system that overapproximates the run-time usage behaviour of a program. It infers as effect a history expression that denotes all the possible histories resulting from executions. A history expression is valid when all the histories it denotes obey the relevant policies; a program with a valid history expression will never be aborted at runtime by the execution monitor. Constructing the history expression of a program is a basic step in our approach: indeed, checking that a program obeys the usage policies requires knowing all its possible histories in their entirety — validity is not compositional. Validity of history expressions is thus verified subsequently through model-checking, for which we devised a sound and complete algorithm. Indeed, having a complete verification technique like ours is a desirable feature, since e.g. it guarantees termination of the analysis (which is not always the case with incomplete techniques, like [Igarashi and Kobayashi 2002; Chaki et al. 2002]). Also, completeness provides us with a precise characterization of the policies that are statically enforceable. We design the language of effects expressive enough to accurately approximate program behaviour, and at the same time simple enough to allow for complete verification. Our history expressions are Basic Process Algebra processes [Bergstra and Klop 1985], extended with name restriction a ` la π-calculus [Milner et al. 1992]. Note in passing that polynomial-time algorithms are known for model-checking Basic Process Algebras, while for more expressive calculi (like e.g. Petri Nets, Pushdown Systems, etc.) model-checking is typically intractable or undecidable [Mayr 1998]. Further advantages of our two-phases approach (typing + model-checking) are the possibility of independently improving the accuracy of the effects and the efficiency of the verification procedure, as well as the possibility of verifying a variety of policies over the same type. We started our investigation on history-based access control in [Bartoletti et al. 2005c], which we extend here with dynamic creation of resources (a preliminary version is in [Bartoletti et al. 2007]). This apparently little extension demands for addressing the general problem of handling fresh names. In particular, one has to correctly bind the creation of new resources to their usages. The solution to this problem deeply affects the techniques of [Bartoletti et al. 2005c], with respect to the following points: (i) the usage policies and their enforcement mechanism, (ii) the type and effect system, and (iii) the verification technique. For the first point, we introduce our notion of “parametric” usage policies, that constrain the access to resources to obey a regular property. For instance, a file usage policy ϕ(x) might ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

4

·

Massimo Bartoletti et al.

require that “before reading or writing a file x, that file must have been opened, and not closed”. Enforcing a usage policy ϕ(x) is accomplished through the finite state automaton obtained by instantiating the formal parameter x to an actual resource r. For (ii), the problem is to correctly record the binding of fresh names in types and effects. Technically, we explore a novel approach to quantify types over freshly created resources — a sort of polymorphism `a la ML on both types and effects. For (iii), the creation of new resources may give rise to an infinite number of formulae to be inspected while verifying validity. We solve this problem by suitably grouping resources with equivalent usage constraints. This allows us to extract from a history expression a Basic Process Algebra process and a regular formula, to be used in model-checking validity [Esparza 1994]. A key point of our proposal is that we offer a comprehensive framework for safely handling resources, within a linguistic setting. Our calculus offers an expressive and flexible way to protect code with usage policies. Resource usage control is made feasible by suitably extending and integrating techniques from type theory and model-checking. The paper is organized as follows. We first present some local policies at work on securing some small, yet illustrative, case studies. In Section 3 we formally introduce our usage policies, the language λ[ ] , and its operational semantics. Section 4 defines history expressions, their operational semantics, the subeffecting relation, and validity. The type and effect system is presented in Section 5, along with the theorems stating the correctness of effects, and type safety. Our model-checking technique follows in Section 6, together with the main results, i.e. its correctness and completeness. We then discuss some related work, and we conclude by presenting some possible extensions to ours. To relieve the reader from the burden of technicalities, we moved the proofs of our statements, and some additional examples, in the Appendixes. To help intuition, some insights on the proofs are however included in the main text. 2.

SOME EXAMPLES

To illustrate our approach, we consider a simple web browser scenario. A browser B downloads applets from the Web W , and runs them under suitable policies, obtained by a policy provider P on a per-applet basis. For the sake of simplicity, we shall consider some kinds of violations, only. Of course, a real scenario will require to take care of several other violations. We abstractly describe the browser as the following λ[ ] expression: B = λu, x. ϕFile [start; (P u) (W u) x ; stop] The file usage policy ϕFile is defined through the usage automaton ϕFile (x) in Figure 1 (left), and it is always enforced. It guarantees that only open files can be read or written. For each file f , its usage must be accepted by the finite state automaton ϕFile (f ), obtained by instantiating the formal parameter x to the actual file f . To stress the difference between the parametric policy ϕFile (x) and the concrete policy acting on a given file f , ϕFile (f ), we use the symbol −⊸ for edges in the former, and → in the latter. The initial state q0 represents the file being closed, while q1 is for an open file. Reading and writing x in q0 leads to the offending state q2 , ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis ϕFile open(x)

q0

close(x)

Fig. 1.

5

ϕApplet

q1 q0

read(x) write(x)

·

stop

q1

start

q2

File usage policy (left) and Applet policy (right).

modelling policy violation. Instead, in q1 you can read and write x: each state has (non-displayed) self-loops for the events not explicitly mentioned among its outgoing edges. The browser B takes as input the parameter x, a value to be passed to the applet. The parameter u is the URL from which the applet is obtained through the function W that models the Web — a rather partial and pessimistic view of the Web, actually: there are five URLs, three of which (uBonk , uSpam and uDoS ) contain attackers. W = λu. connect(u); if u = uBank then ABank else if u = uBonk then ABonk else if u = uEdit then AEdit else if u = uSpam then ASpam else if u = uDoS then ADoS

The downloaded applet is run under the policy given by the provider P . Since policies are not first class entities in our calculus, the provider returns back a closure λa, x. ϕ[a x], where a will be bound to the applet, x to its parameter, and ϕ will be enforced while executing the applet. P = λu, a, x. if Trusted u then a x else ϕApplet [if u = uEdit then ϕCW [a x] else if u = uSpam then ϕSpam [a x] else if u = uDoS then ϕDoS [a x] ]

Back to the browser B, each applet execution is delimited by the marker events start and stop. The stop marker will be exploited in the policies ϕCW , ϕSpam , ϕDoS (more details below). Since these policies rely on the stop event to represent the actual termination of the applet, untrusted applets must not be allowed to fire stop while they are still running. To this purpose, we use the policy ϕApplet (see Figure 1, right). A stop event leads to a policy violation. A start event instead resets the policy ϕApplet : this is done before entering the ϕApplet policy framing to make the policy “forget” past stop events. Finally, note that the event start, unlike stop, is used in no other policies, and so there is no need to prevent applets from firing it. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

6

·

Massimo Bartoletti et al. ϕPhish

ϕCW newFile (x)

q0 q0

connect(uBink ) connect(uBonk )

q1

read(x )

Fig. 2.

stop

stop

q2

q1

stop

connect

q3

Anti-phishing policy (left) and Chinese Wall policy (right).

We now show how local policies may help in driving secure execution of untrusted applets. Phishing. Consider an attacker that attempts to fraudulently obtain sensitive information from the customers of an online bank. The bank applet ABank allows a customer to obtain a new PIN number for his ATM card. The applet takes as input a username, and returns a freshly generated PIN. To protect against phishing attacks, the bank applet constrains its executions to the policy ϕPhish in Figure 2 (left). This policy implements a black-list of known phishers sites (e.g. uBink and uBonk ). A phisher ABonk attempts a homograph attack by masquerading as the bank to acquire the PIN number. The ABonk applet takes as input a username, forwards it to the Bank so to obtain a PIN, stores it, and eventually returns the PIN to the customer. ABank = λx. ϕPhish [login(x); new pin in · · · ; pin] ABonk = λx. let pin = (W uBank ) x in store(pin); · · · ; pin We now show an execution of the Bonk applet, assuming that the policy provider considers both Bank and Bonk as trusted. The program states are pairs. The first component is the execution history, i.e. the sequence of events occurred so far (ε being the empty one). The second component is the program continuation, to be evaluated according to the call-by-value rule. Additionally, an expression enclosed in a policy framing can be reduced only if the history respects the policy. In case of nested framings, all the enclosing policies must be obeyed. ε, B uBonk “Bob” → ε, ϕFile [ start; (P uBonk ) (W uBonk ) “Bob”; stop] →∗ start, ϕFile [(λa, x. a x) (W uBonk ) “Bob”; stop] →∗ start connect(uBonk ), ϕFile [(λa, x. a x) ABonk “Bob”; stop] →∗ start connect(uBonk ), ϕFile [ABonk “Bob”; stop] →∗ start connect(uBonk ), ϕFile [let pin = (W uBank )“Bob” in · · ·] →∗ start connect(uBonk ) connect(uBank ), ϕFile [let pin = ϕPhish [login(“Bob”); · · · →∗ start connect(uBonk ) connect(uBank ) login(“Bob”), fail ϕPhish ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

7

The execution aborts just before the customer logins, because the active policy ϕPhish is violated. Indeed, the history: start connect(uBonk ) connect(uBank ) login(“Bob”) leads to the offending state q1 in the automaton ϕPhish (recall that we do not display self-loops for the events not mentioned in outgoing edges). Chinese Wall. Consider a simple text editor applet AEdit that takes as input a file x, opens it and then performs some operations. If the file x is not present on the local disk, then it is downloaded into a new, local file f from the same site where AEdit comes. Eventually, f is uploaded to the same site. Assume that the policy provider associates uEdit with a “Chinese Wall” policy ϕCW (Figure 2, right). The policy says that the applet can no longer connect to the network, after having read a file it has not created. The dots below stand for code with no events. AEdit = λx. if Local x then open(x); · · · ; read(x); · · · ; write(x); close(x) else new f : File in (Download f x); read(f ); · · · ; (U pload f x) Download = λf, x. connect(uEdit ); open(f ); get(x); · · · ; write(f ) U pload = λf, x. connect(uEdit ); open(f ); read(f ); · · · ; put(x) The following trace illustrates the behaviour of the editor applet, first invoked on a local file fL , and then on a remote file fR . ε, (B uEdit fL ); (B uEdit fR ) → ε, ϕFile [ start; (P uEdit ) (W uEdit ) fL ; stop]; (B uEdit fR ) →∗ start, ϕFile [(λa, x. ϕApplet [ϕCW [a x]]) (W uEdit ) fL ; stop]; (B uEdit fR ) →∗ start connect(uEdit ), ϕFile [ϕApplet [ϕCW [AEdit fL ]]; stop]; (B uEdit fR ) →∗ start connect(uEdit ) open(fL ) read(fL ) write(fL ) close(fL ), ϕFile [ϕApplet [ϕCW [∗]]; stop]; (B uEdit fR ) →∗ start connect(uEdit ) open(fL ) read(fL ) write(fL ) close(fL ), ϕFile [ stop]; (B uEdit fR ) →∗ start connect(uEdit ) open(fL ) read(fL ) write(fL ) close(fL ) stop, B uEdit fR where ∗ stands for no-operation. This fragment of computation shows the successful execution of the editor on the local file. No security violations occur, because η0 = start connect(uEdit ) open(fL ) read(fL ) write(fL ) close(fL ) stop complies with ϕFile , ϕApplet and ϕCW . In particular, ϕCW is obeyed, because no connect occurs after the read(fL ), within the framing (the automaton ϕCW (fL ) stays in state q2 ). Note that upon completion of (AEdit fL ), the scope of the policies ϕApplet and ϕCW is left, while the scope of ϕFile is left after the stop event. The execution ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

8

·

Massimo Bartoletti et al.

proceeds as follows:

→∗ η0 start, ϕFile [(λa, x. ϕApplet [ϕCW [a x]]) (W uEdit ) fR ; stop] →∗ η0 start connect(uEdit ), ϕFile [ϕApplet [ϕCW [AEdit fR ]]; stop] →∗ η0 start connect(uEdit ) newFile (f ), ϕFile [ϕApplet [ϕCW [(Download f fR ); read(f ); (U pload f fR )]]; stop]

Let η1 = η0 start connect(uEdit ) newFile (f ) open(f ) get(fR ) write(f ). The computation proceeds as follows:

→∗ η1 read(f ), ϕFile [ϕApplet [ϕCW [U pload f fR ]]; stop] →∗ η1 read(f ) connect(uEdit ), ϕFile [ϕApplet [ϕCW [open(f ); read(f ); · · · ; put(fR )]]; stop]

Also this second fragment of computation is successful. Although a connect event happened after a read(f ), the file f was a freshly generated one, thus the execution conforms to ϕCW (the automaton ϕCW (fR ) stays in state q1 , while ϕCW (fL ) is reset). Note that the stop event in η0 resets the policy ϕCW , making it discard the events generated by the previous applet execution (i.e. the events in η0 ). This is crucial, otherwise the last connect in η1 – which comes after the read(fL ) event of η0 – would cause a violation. Spamming. Consider a trojan-horse applet ASpam that maliciously attempts to send spam e-mail through the mail server of the browser site. The applet first connects to the site it was downloaded from, so to implement some apparently useful and harmless activity. Then, the applet inquires the local host to check if relaying of emails is allowed: if so, it connects to the local SMTP server to send unsolicited bulk e-mails.

ASpam = λx. connect(uSpam ); · · · ; if RelayAllowed then connect(uSMTP )

The policy provider associates with uSpam the policy ϕSpam (Figure 3, left) that prevents the applet from connecting to two different URLs. The label connect(¯ x) in the edge from q1 to q2 means that a transition from q1 to q2 is possible for all the events connect performed on any socket x ¯ 6= x. The following computation shows ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

Local Policies for Resource Usage Analysis ϕSpam connect(x )

q0

ϕDoS

q1

qk+1

q0

stop

stop

connect(¯ x)

newFile

stop

stop

q2

Fig. 3.

9

newFile

stop

newFile

newFile

q1

qk

Anti-spam policy (left) and Denial of Service policy (right).

that the applet is blocked just before opening the connection with the SMTP server.

ε, B uSpam ∗ → ε, ϕFile [start; (P uSpam ) (W uSpam ) ∗; stop]; · · · →∗ start, ϕFile [(λa, x. ϕApplet [ϕSpam [a x]]) (W uSpam ) ∗; stop] →∗ start connect(uSpam ), ϕFile [ϕApplet [ϕSpam [ASpam ∗]]; stop] →∗ start connect(uSpam ) connect(uSpam ), ϕFile [ϕApplet [ϕSpam [if RelayAllowed then connect(uSMTP )]]; stop] →∗ start connect(uSpam ) connect(uSpam ), ϕFile [ϕApplet [ϕSpam [connect(uSM T P )]]; stop] ∗

→ start connect(uSpam ) connect(uSpam ), fail ϕSpam

Denial of Service. Consider an applet ADoS that attempts to perform a Denialof-Service attack on the browser site. To do that, it recursively creates local files, and writes some data to exhaust the disk space.

ADoS = new f : File in open(f ); write(f ); ADoS x

The policy provider associates to uDoS the policy ϕDoS (Figure 3, right), that prevents the applet from creating more than k files. Any execution of the ADoS applet is aborted just before it attempts to create the k + 1-th file, as shown by the ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

10

·

Massimo Bartoletti et al.

following computation:

ε, B uDoS ∗ → ε, ϕFile [start; (P uDoS ) (W uDoS ) ∗; stop]; · · · →∗ start, ϕFile [(λa, x. ϕApplet [ϕDoS [a x]]) (W uDoS ) ∗; stop] →∗ start connect(uDoS ), ϕFile [ϕApplet [ϕDoS [ADoS ∗]]); stop] →∗ start connect(uDoS ), ϕFile [ϕApplet [ϕDoS [new f : File in open(f ); write(f ); ADoS ∗]]); stop] →∗ start connect(uDoS ) newFile (f1 ), ϕFile [ϕApplet [ϕDoS [open(f1 ); write(f1 ); ADoS ∗]]); stop] →∗ start connect(uDoS ) newFile (f1 ) open(f1 ) write(f1 ) · · · newFile (fk ), ϕFile [ϕApplet [ϕDoS [open(fk ); write(fk ); ADoS ∗]]); stop] →∗ start connect(uDoS ) newFile (f1 ) · · · newFile (fk ) open(fk ) write(fk ), fail ϕDoS

Note that the applet ADoS cannot reset the policy ϕSpam through a malicious stop event, because otherwise it would violate the outer policy ϕApplet .

3.

PROGRAMMING MODEL

We consider a call-by-value λ-calculus enriched with primitives for creating and accessing resources, and with local usage policies. Resources are system objects that can either be already available in the environment (Ress , a finite set), or be created dynamically (Resd , an infinite denumerable set). Resources can be accessed through a given finite set of actions. This set is partitioned to reflect the kinds of resources (e.g. Act = File ∪ Socket ∪ · · · ), where each element of the partition contains the actions admissible for the given kind (e.g. File = {newFile , open, close, read , write}). The action newActi represents the creation of a new resource of kind Acti . We assume a global capability environment Γs , i.e. a relation between static resources and the actions they admit. An event α(r) abstracts from accessing the resource r through the action α. When working with a real-world language, we expect these events to be extracted through an abstraction phase respecting the side-effects of the language semantics. In case the target resource of an action α is immaterial, we stipulate that α acts on some special (static) resource, and we write just α for the event. When the resource accessed through α is unknown, we write α(?), where the special resource ? will be typically due to approximations made by the type and effect system. A history is a finite sequence of events. In Definition 3.1 we introduce the needed syntactic categories and some notation. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

Local Policies for Resource Usage Analysis

11

Definition 3.1. Syntactic categories r, r′ , . . . ∈ Res = Ress ∪ Res Sd α, α′ , newFile , . . . ∈ Act = i Acti α(r), . . . ∈ Ev = Act × (Res ∪ {?}) ϕ, ϕ′ , . . . ∈ Pol [ϕ , ]ϕ , [ϕ′ , ]ϕ′ , . . . ∈ Frm η, η ′ , . . . ∈ (Ev ∪ Frm)∗ x, x′ , . . . ∈ Var Γ, Γ′ , . . . ⊆ Res × Act Γs ⊆ Ress × Act

3.1

resources (static/dynamic) actions (a finite set) events usage policies framing events histories (ε is the empty history) variables capability environments static capability environment

Usage policies

A usage policy ϕ is a set of histories, specified through a usage automaton ϕ(x). Usage automata can be seen as an extension of finite state automata (FSA), where the labels on the edges may contain a variables x ∈ Var, which represents a universally quantified resource. Variables can also be “complemented”, e.g. x ¯ represents any possible resource different from x. A usage automaton ϕ(x) gives rise to an automaton ϕ(r) with finite states, when the formal parameter x is instantiated to an actual resource r. This instantiation will be exploited to specify the set of histories obeying the usage policy ϕ. Definition 3.2. Usage automata A usage automaton ϕ(x) is a 5-tuple hS, Q, q0 , F, Ei, where: —S ⊂ Act × (Ress ∪ {x, x ¯}) is the input alphabet, —Q is a finite set of states, —q0 ∈ Q \ F is the start state, —F ⊂ Q is the set of final “offending” states, and ϑ

—E ⊆ Q × S × Q is a finite set of edges, written q −⊸ q ′ α(r)

The edges in a usage automaton can be of three kinds: q −⊸ q ′ where r is a static α(x)

α(¯ x)

resource, q −⊸ q ′ and q −⊸ q ′ (where x ¯ means “different from x”). Given a resource r ∈ Res and a set of resources R, a usage automaton ϕ(x) is instantiated into a automaton Aϕ(r,R) with finite states by binding x to r, and, α(x)

accordingly, making x ¯ range over each resource in R \ {r}. Roughly, q −⊸ q ′ will α(r)

α(¯ x)

give rise to a transition q −−−→ q ′ , q −⊸ q ′ will give rise to a set of transitions α(r ′ )

α(rs )

q −−−→ q ′ for all r′ ∈ R \ {r}, and, when rs is a static resource, q −⊸ q ′ will yield ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

12

·

Massimo Bartoletti et al.

α(rs )

q −−−→ q ′ . The above is made precise in Definition 3.3. Definition 3.3. Policy compliance Let ϕ(x) = hS, Q, q0 , F, Ei be a usage policy, let r ∈ Res, and let R ⊆ Res. The usage automaton Aϕ(r,R) = hΣ, Q, q0 , F, δi is defined as follows: Σ = { α(r′ ) | α ∈ Act and r′ ∈ R } α(?) α(ζ) δ = δ˙ ∪ { q −−−→ q ′ | ∃ζ ∈ R : q −−−→ q ′ ∈ δ˙ } α(r ′ )

α(r ′ )

δ˙ = δ¨ ∪ { q −−−→ q | r′ ∈ R, ∄q ′ : q −−−→ q ′ ∈ δ¨ }

(unknown resources) (self-loops)

where the relation δ¨ is defined as follows: α(x)

α(r) δ¨ = { q −−−→ q ′ | q −⊸ q ′ ∈ E } [ α(¯ x) α(r ′ ) ∪ { q −−−→ q ′ | q −⊸ q ′ ∈ E }

(instantiation of x) (instantiation of x ¯)

r ′ ∈(R∪{?})\{r} α(r ′ )

α(r ′ )

∪ { q −−−→ q ′ | q −⊸ q ′ ∈ E }

(static resources)

We write η
Aϕ(r,R) when η is not in the language of the automaton Aϕ(r,R) . We say that η respects ϕ, written η |= ϕ, when η
Aϕ(r,Res) , for all r ∈ Res. Otherwise, we say that η violates ϕ, written η 6|= ϕ. The auxiliary relation δ¨ (i) instantiates x to the given resource r, (ii) instantiates x ¯ with all r′ ∈ R such that r′ 6= r, and (iii) maintains the transitions α(r′ ) for r′ static. The auxiliary relation δ˙ adds self-loops for all the events not explicitly mentioned in the usage automaton. Finally, the relation δ adds to δ˙ the transitions to deal with the unknown resource ?. Intuitively, any transition labelled α(r) in δ˙ can also be played by α(?). Note that usage automata can be non-deterministic, in the sense that for all states q and input symbols α(ρ), the set of states: α(ρ)

{ q ′ | q −⊸ q ′ }

ρ ∈ Ress ∪ {x, x ¯}

is not required to be a singleton. Given a trace η, we want that all the paths of the instances Aϕ(x,R) comply with ϕ, i.e. they lead to a non-final state. Recall that we used final states to represent violations to the policy. An alternative approach would be the “default-deny” one, that allows for specifying the permitted usage patterns, instead of the denied ones. We could deal with this approach be regarding the final states as accepting. Both the default-deny and the default-allow approaches have known advantages and drawbacks. We think this form of demonic non-determinism is particularly convenient when designing usage automata, since one can focus on the sequences of events that lead to violations, while neglecting those that do not affect the compliance to the policy. All the needed self-loops will be added by the relation δ˙ in Definition 3.3. We now show that the compliance of a history with a policy is a decidable propACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

start, stop connect(u0 ) connect(u2 ) connect(?)

connect(u1 ) connect(?)

q0

q1 stop connect(u0 ) connect(u2 ) connect(?)

stop

q2 Fig. 4.

·

13

start connect(u1 ) connect(?)

start connect(u0 ) connect(u1 ) connect(u2 ) connect(?)

Automaton AϕSpam (u1 ,{u0 ,u1 ,u2 }) .

erty. According to Definition 3.3, to check η |= ϕ we should instantiate the formal parameter x of a usage automaton ϕ(x) with infinitely many resources (one for each r ∈ Res). The resulting automata have a finite number of states, yet they may have α(¯ x)

α(r)

infinitely many transitions, e.g. instantiating q −⊸ q ′ originates q −⊸ q ′ for all but one r ∈ Res. A similar situation happens for self-loops. The next lemma shows that checking η |= ϕ can be decided through a finite set of finite state automata. Lemma 3.4. Let η be a history, let ϕ be a usage policy, and let R(η) be the set of resources occurring in η. Then, η |= ϕ if and only if η
Aϕ(r,R(η)) for each r ∈ R(η) ∪ {¯ r}, where r¯ is an arbitrary resource in Res \ R(η). The decidability of |= follows from the fact that resources not occurring in the given history are indistinguishable. Indeed, the actual identity of such resources is immaterial: whenever r′ , r′′ 6∈ R(η), we have that η
Aϕ(r′ ,R) if and only if η
Aϕ(r′′ ,R) , and η
Aϕ(r,R∪{r′ }) if and only if η
Aϕ(r,R∪{r′′ } for all r and R. Therefore, we can safely limit our attention to the resources in R(η), and “collapse” all the resources in Res \ R(η) into a single resource r¯ 6∈ R(η) (see also Example 3.2). Note in passing that this additional resource resembles the additional, fresh name used to check bisimilarity between π-calculus processes [Dam 1997]. Example 3.1. Consider from Section 2 the policy ϕSpam . Let R = {u0 , u1 , u2 }. The automaton AϕSpam (r1 ,R) is in Figure 4 (the self-loops for events other than start, stop and connect are omitted). Note that this automaton is non-deterministic, because of the transitions labelled connect(?). Consider now the history: η = start connect(u0 ) stop start connect(u1 ) connect(u2 ) Since η drives an offending run in the automaton AϕSpam (u1 ,{u0 ,u1 ,u2 }) , then we have η 6|= ϕSpam . This correctly models the fact that the policy ϕSpam prevents applets from connecting to two different sites. Observe that removing the last event connect(u2 ) from η would make the history obey ϕSpam , since the stop event resets the policy ϕSpam to the starting state. Actually, η ′ = start connect(u0 ) stop start connect(u1 ) is not in the language of any instantiations AϕSpam (r,R) (i.e. η ′
AϕSpam (r,R) ), for all r ∈ Res and R ⊆ Res. Example 3.2. Consider the policy ϕ¬α specified by the usage automaton in Figure 5. Actually, ϕ¬α forbids any α actions: when a history η contains some event α(r), the instantiation Aϕ¬α (r′ ,Res) recognizes η as offending, for all r′ 6= r (indeed, ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

14

Massimo Bartoletti et al.

q0

Fig. 5.

α(¯ x)

q1

Usage policy ϕ¬α . α(x)

the same behaviour would have been obtained with the usage automaton q0 −⊸ q1 ). Therefore, η 6|= ϕ¬α . Consider e.g. η = α(r0 ) β(r0 ). Although η
Aϕ(r,R(η)) for all r ∈ R(η) = {r0 }, as noted above η violates ϕ¬α . This motivates Lemma 3.4 checking Aϕ(r′ ,R(η)) also for an extra resource r′ ∈ Res \ R(η). For simplicity, in this paper we only consider monadic usage automata, i.e. automata with a single formal parameter, e.g. ϕ(x). The extension to the polyadic case, e.g. ϕ(x1 , . . . , xn ), is considered in [Bartoletti 2009]. While polyadic usage automata augment the set of expressible usage policies, they only required smooth extensions of the formal machinery presented here. The results of this paper scale to the polyadic case, yet requiring further technicalities in their proofs. 3.2

The language λ[ ]

The syntax of λ[ ] is in Definition 3.5. Variables, applications and conditionals are as expected. The variable z in λz x. e is bound to the whole abstraction, so to allow for an explicit form of recursion. The definition of guards b in conditionals is irrelevant here, and so it is omitted. An event α(r) is an explicit representation of a side effect that occurs in evaluation when accessing the resource r through the action α. The expression new γ evaluates to a fresh resource r with capabilities γ, a finite set of actions that are permitted on this resource. When this happens a new(r) event is fired; we also assume that new events cannot be explicitly written in programs. The primitive ϕ[e] defines the scope of the policy ϕ, that must be enforced while evaluating e. Definition 3.5. Syntax of λ[ ] expressions e, e′

::=

x r α(ξ) new γ if b then e else e′ λz x. e e e′ ϕ[e]

variable resource event resource creation conditional abstraction application policy framing

(x ∈ Var) (r ∈ Res) (α ∈ Act, ξ ∈ Var ∪ Res) (γ ⊂ Act)

(ϕ ∈ Pol)

We specify the behaviour of λ[ ] expressions in Definition 3.6, through a small-step operational semantics. Besides the standard error configurations, e.g. a stuck one where a resource is applied to an expression, we have two different kinds of policy violations. To make them explicit, in configurations we also allow the following special expressions. A failure fail κ occurs when about to access a resource with ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

15

a non-permitted action. A failure fail ϕ[e] is raised when e is about to violate the policy ϕ. A transition η, Γ, e → η ′ , Γ′ , e′ means that, starting from a history η and a capability environment Γ, the expression e may evolve to e′ (possibly a failure), the history η to η ′ and the capability environment Γ to Γ′ . Remark 3.1. Let fail denote both kinds of failures. For all expressions e, policies ϕ, and actions α, we assume that fail = e fail = fail e = ϕ[fail ]. We write ∗ for a fixed, closed, access-free, non-failure value, and use the following abbreviations: if x 6∈ fv (e)

λz . e = λz x. e ′

λx. e = λz x. e

′

if z 6∈ fv (e)

e; e = (λ. e ) e

new x : γ in e = (λx. e) (new γ)

(let x = e in e′ ) = (λx. e′ ) e

α(e) = (let z = e in α(z))

Definition 3.6. Operational semantics of λ[ ] The semantics of λ[ ] is given by a transition system. Values v, v ′ , . . . ∈ Val are variables, resources, abstractions, and failures. Configurations are triples η, Γ, e, where e is closed. Initial configurations have the form ε, Γs , e. The transition relation is the minimal relation defined by the inference rules below. E-App1

η, Γ, e1 → η ′ , Γ′ , e′1

E-App2

η, Γ, e1 e2 → η ′ , Γ′ , e′1 e2 E-Beta

E-If

η, Γ, e2 → η ′ , Γ′ , e′2 η, Γ, v e2 → η ′ , Γ′ , v e′2

η, Γ, (λz x.e)v → η, Γ, e{v/x, λz x.e/z}

η, Γ, if b then ett else eff → η, Γ, eB(b) (r, α) 6∈ Γ

(r, α) ∈ Γ E-Ev1

E-Ev2

η, Γ, α(r) → ηα(r), Γ, ∗ η, Γ, e → η ′ , Γ′ , e′

E-Fr1

′

η, Γ, α(r) → η, Γ, fail κ

η ′ |= ϕ ′

′

η, Γ, ϕ[e] → η , Γ , ϕ[e ]

η |= ϕ E-Fr2

η, Γ, e → η ′ , Γ′ , e′ E-Fr3

η ′ 6|= ϕ

η, Γ, ϕ[e] → η ′ , Γ′ , fail ϕ[e′ ]

κ(γ) 6= ∅ E-New

η, Γ, ϕ[v] → η, Γ, v

r ∈ Resd fresh in η

η, Γ, new γ → η newκ(γ) (r), Γ ∪ (r, γ), r

where (r, γ) = { (r, α) | α ∈ γ }, and κ(γ) =

(

Acti ∅

if ∃i. ∅ ⊂ γ ⊆ Acti otherwise

The rules in Definition 3.6 are mostly standard, except for those governing resource ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

16

·

Massimo Bartoletti et al.

access and creation, and evaluation within policy framings. An access α(r) can be executed if the capabilities associated with r include the action α, otherwise it generates a failure fail κ . A new resource r is created through the primitive new γ, which evaluates to a fresh resource r and extends the capability environment Γ. Note that the creation of a resource is explicitly recorded in the execution history through the event new(r). For conditionals, we assume as given a total function B that evaluates the boolean guards. An expression ϕ[e] can evolve to ϕ[e′ ], provided that the resulting history η ′ complies with ϕ. Otherwise, a failure fail ϕ[e′ ] occurs. The rules for evaluating an expression within the scope of a policy framing (E-Fr1, E-Fr2, E-Fr3) always inspect the whole past history. If needed, we can easily limit the scope from the side of the past, as done in Section 2 for the policies ϕCW , ϕSpam and ϕDoS . Roughly, one has to mark in the history, through a special event β, the point in time from which checking a policy ϕ has to start. The usage automaton for ϕ must be designed to ignore all the events before β. 4.

HISTORY EXPRESSIONS

We statically predict the histories that will be generated by programs at run-time through a type and effect system, building upon [Bartoletti et al. 2005c; Bartoletti et al. 2007; Skalka and Smith 2004]. The types extend those of the simply-typed λ-calculus, and the effects are history expressions, which over-approximate the aspects of the program behaviour that are relevant to resource usage. Before formalising in Section 4.1 the syntax and semantics of history expressions, we give some intuition and auxiliary notions. The intended meaning of a history expression is a set of histories, extended to keep track of the policy framings ϕ[· · · ] through the framing events [ϕ and ]ϕ . These special events have no parameter, and they stand respectively for opening and closing the scope of ϕ. For example, a history α[ϕ α′ ]ϕ represents a computation that (i) generates an event α, (ii) enters the scope of a framing ϕ[· · · ], (iii) generates α′ within the scope of ϕ, and (iv) leaves the scope of ϕ. Note that framing events were not needed in the operational semantics of λ[ ] , because the scope of policies is dictated by policy-framed expressions ϕ[e]. Unlike the histories produced by the operational semantics, here we also consider histories comprising events with unknown resources. We define below some operators on histories. The set of histories η −? is obtained by instantiating the unknown resource ? with all the possible resources r ∈ Res. The history η −[ ] results from erasing all the framing events in η. Definition 4.1. Elimination of framing events and instantiation of ? Elimination of framing events [ϕ , ]ϕ , . . . ∈ Frm. ε−[ ] = ε

([ϕ η)−[ ] = ( ]ϕ η)−[ ] = η −[ ]

Instantiation of ?. ε−? = {ε}

(α(r) η)−? = α(r) η −?

(α(?) η)−? = { α(r) η −? | r ∈ Res }

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

4.1

·

17

History expressions: syntax and semantics

History expressions are the abstract counterpart of, and over-approximate, the behaviour of λ[ ] expressions. Their syntax is in Definition 4.2, where Nam is a denumerable set of names n, n′ , . . ., taken apart from the variables in Var. Definition 4.2. Syntax of history expressions H, H ′

::=

ε h α(ρ) νn.H H · H′ H + H′ ϕ[H] µh.H

empty variable event resource creation sequence choice policy framing recursion

(ρ ∈ Res ∪ Nam ∪ {?})

(ϕ[H] = [ϕ ·H· ]ϕ )

History expressions include ε, representing the empty history, events α(ρ), resource creation νn.H, sequencing H · H ′ , non-deterministic choice H + H ′ , policy framing ϕ[H], and recursion µh.H. In νn. H, the free occurrences of the name n in H are bound by ν; similarly µh binds the free occurrences of the variable h in H. Sequencing · binds more strongly than choice +, that in turn has precedence over resource creation νn and recursion µh. Definition 4.3. Free variables and free names The free variables fv (H) are those h in H not inside the scope of a µh. The free names fn(H) are those n in H not inside the scope of a νn. A history expression H is closed when fv (H) = ∅ = fn(H). A history expression H is initial when it is closed and it has no dynamic resources, i.e. r 6∈ Resd for each α(r) occurring in H. In Definition 4.4 we give semantics to (closed) history expressions, in terms of a Labelled Transition System. Intuitively, the semantics of a history expression H is the set of all the prefixes (including the empty history ε) of the traces of H. As usual, εη = η = ηε. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

18

Massimo Bartoletti et al.

Definition 4.4. Operational semantics of history expressions The semantics JHK of a closed history expression H is the set of histories: a

a

i 1 Hi } · · · −→ { a1 · · · ai | H −→

(i ≥ 0)

a

The auxiliary relation − →, where a ∈ Ev ∪ Frm ∪ {ε}, is inductively defined as: α(ρ)

ε

ε·H − →H

α(ρ) −−−→ ε

ε

νn. H − → H{r/n}

(r ∈ Resd fresh)

a

H− → H ′′ a

ε

H · H′ − → H ′′ · H ′

H + H′ − →H

ε

H + H′ − → H′

ε

µh. H − → H{µh. H/h}

Example 4.1. Consider the following history expressions: H0 = µh. α · h

H1 = µh. h · α

H2 = µh. νn. α(n) · h

Then, JH0 K = α∗ , i.e. H0 generates histories with an arbitrary number of α. Instead, JH1 K = {ε}, i.e. H1 loops forever, without generating any events. The semantics of H2 consists of all the histories of the form α(r1 ) · · · α(rk ) for all k ≥ 0 and pairwise distinct ri . 4.2

Validity

We now define when histories and history expressions are valid. Intuitively, valid histories represent viable computations. Instead, invalid ones happen to violate some resource usage constraints, so they are going to be detected and rejected by our static analysis. For example, consider the history: η = open(r) read(r) [ϕCW connect ]ϕCW where ϕCW is the Chinese Wall policy of Section 2. Then, η is not valid according to our intended meaning, because the connect event occurs within a framing enforcing ϕCW , and open(r) read(r) connect does not obey ϕCW . The formal definition of validity is in Definition 4.5 below. Definition 4.5. Active policies and validity The multiset ap(η) of the active policies of a history η is defined as follows: ap(ε) = {| |} ap(η α(ρ)) = ap(η)

ap(η [ϕ ) = ap(η) ∪ {|ϕ|} ap(η ]ϕ ) = ap(η) \ {|ϕ|}

The validity of a history η (|= η in symbols) is inductively defined as follows: |= ε

|= η ′ β

if |= η ′ and (η ′ β)−[ ] |= ϕ for all ϕ ∈ ap(η ′ β)

A history expression H is valid when |= η for all η ∈ JHK.

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

19

The following lemma, straightforward after Definition 4.5, states that validity is a prefix-closed property.

Lemma 4.6. For all histories η and η ′ , if ηη ′ is valid, then η is valid.

Example 4.2. Consider the history η = [ϕ α1 [ϕ′ α2 ]ϕ′ α3 . The active policies of η are ap(η) = {|ϕ|}. The history η is valid if and only if:

ε |= ϕ

α1 |= ϕ α1 |= ϕ′

α1 α2 |= ϕ α1 α2 |= ϕ′

α1 α2 α3 |= ϕ

Note that validity is not a compositional property: in general, |= η and |= η ′ do not imply |= ηη ′ (see the example below). This is a consequence of our basic assumption that no event can be hidden. Indeed, in the operational semantics of λ[ ] , the policies enforced by policy framings can always inspect the whole history generated so far, at each execution step.

Example 4.3. Consider the history η = α[ϕ α ]ϕ α, where the policy ϕ requires that α is not executed three times. Since α |= ϕ and αα |= ϕ, then η is valid. Note that the first α is checked, even though it is outside of the framing: since it happens in the past, our policies can inspect it. Instead, the third α occurs after the framing has been closed, therefore it is not checked. Note that verifying the validity of the history αβ[ϕ γ ]ϕ δ requires to check αβ |= ϕ and αβγ |= ϕ, only. Now, consider the history η ′ = αη. In spite of both α and η being valid, their composition η ′ is not. To see why, consider the history η¯ = αα[ϕ α, which is a prefix of η ′ . Then, ap(¯ η ) = {|ϕ|}, but η¯−[ ] = ααα 6|= ϕ. This shows that validity is not compositional.

4.3

Subeffecting

In this section we define a preorder H ⊑ H ′ betweeen history expressions. Roughly, when H ⊑ H ′ holds, the traces of H are included in those of H ′ . We first define an equational theory of history expressions. The operation + is associative, commutative and idempotent; · is associative, has identity ε, and distributes over +. The binders µ and ν allow for α-conversion of bound names and variables, and can be rearranged. A µh can be introduced/eliminated when h does not occur free. A νn can be extruded when it does not bind a free occurrence of n. A µh. H can be folded/unfolded as usual. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

20

·

Massimo Bartoletti et al.

Definition 4.7. An equational theory of history expressions The relation = over history expressions is the least congruence including α-conversion such that: (H + H ′ ) + H ′′ = H + (H ′ + H ′′ )

H +H =H

(H · H ′ ) · H ′′ = H · (H ′ · H ′′ ) (H + H ′ ) · H ′′ = H · H ′′ + H ′ · H ′′

νn.ε = ε

ε·H =H =H ·ε

H · (H ′ + H ′′ ) = H · H ′ + H · H ′′

µh.µh′ .H = µh′ .µh.H

µh.H = H{µh. H/h}

H + H′ = H′ + H

νn.νn′ .H = νn′ .νn.H

νn.(H + H ′ ) = (νn.H) + H ′ if n 6∈ fn(H ′ )

( H · (νn.H ′ ) νn.(H · H ) = (νn.H) · H ′ ′

if n 6∈ fn(H) if n ∈ 6 fn(H ′ )

The preorder ⊑ includes equivalence, and it is closed under contexts. A history expression H can be arbitrarily “weakened” to H + H ′ . An event α(ρ) can be weakened to α(?), as ? stands for an unknown resource. Definition 4.8. Subeffects The relation ⊑ over history expressions is the least precongruence such that: H ⊑ H′

if H = H ′

H ⊑ H + H′

α(ρ) ⊑ α(?)

Note that our notion of subeffecting is structural, that is it only depends on the syntax of history expressions. The relation between subeffecting and inclusion of the semantics of the involved history expressions is made precise in Lemma 4.9 below. Alternatively, we could have provided a semantic notion of subeffecting as language inclusion JHK ⊆ JH ′ K, similarly to [Skalka et al. 2008]. We preferred to adopt structural, rather than semantic, subeffecting, because it allowed us to have some further insights on how type and effect judgements could be deduced in a constructive definition of typing. Note also that semantic subeffecting could be harder here than in [Skalka et al. 2008], because of the presence of unknown resources. Actually, an event α(?) with an unknown resource can be concretised, in a subeffecting relation, as α(r) for all resources r. Lemma 4.9. For all closed H, H ′ , if H ⊑ H ′ then JHK

−?

⊆ JH ′ K

−?

The proof of this lemma is in Appendix B, and it requires some intermediate results. First, we introduce there a denotational semantics of history expressions, which allows for a compositional reasoning about the needed properties. Then, we prove that the denotational and the operational semantics are fully abstract. Note that ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

21

having an operational semantics of history expressions is however convenient, for two reasons. First, it is much simpler than the denotational one; second, it is directly comparable to the semantics of BPAs, the structures used in our modelchecking technique. 5.

TYPE AND EFFECT SYSTEM

In this section we define a type and effect system for λ[ ] . The types ζ, formally introduced in Definition 5.1, have the form νN. τ  H, meaning that an expression with pure type τ will produce a history represented by the effect H, i.e. a history expression. The heading νN is used to bind the names n ∈ N in τ and H. Pure types comprise the following. —The unit type 1, inhabited by the value ∗. —Pairs (S, γ), where S is either a non-empty set containing resources and possibly one name, or S = {?}, and γ is a set of capabilities. For instance, a resource r with capabilities α1 and α2 may have the type ({r}, {α1 , α2 }). Hereafter, we shall omit the capabilities when irrelevant. The restriction on pure types to contain at most a single name causes sometimes a less precise typing. This constraint is only needed to keep simple the proof arguments. We conjecture however that it can be safely relaxed, preserving all our results. —Functional types τ → ζ. The type ζ may comprise the latent effect associated with an abstraction. For instance, applying a function with type 1 → (νn.1  α(n)) to a value with type 1, will create a new resource upon which the action α is fired. Example 5.1. We intuitively illustrate how expressions are typed through three simple examples. Their actual typing derivations are in Example 5.2, after the definition of our type and effect system. Since below the capability environments play no role, we shall omit them. —The expression e = if b then r else r′ can be typed as {r, r′ }  ε. The resource set {r, r′ } means that e will evaluate to either r or r′ , while producing an empty history (denoted by ε). —The expression e′ = λy. new x in x can be typed as 1 → (νn. {n}  new(n))  ε. Again, the actual effect is empty. When applied to a value of type 1, e′ will (i) create a fresh resource, (ii) fire the new event, and (iii) return the resource created. This behaviour is predicted by the type νn. {n}  new(n). —The expression e′′ = λz y. new x in if b then x else z y, instead, can be typed as 1 → ({?}  µh. νn. new(n) · (h + ε))  ε. The latent effect µh. νn. new(n) · (h + ε) records that e′′ is a recursive function that creates a fresh resource upon each recursion step. The type {?} says that e′′ will return a resource, the identity of which is unknown, since it cannot be predicted when the guard b will become true. Type environments are finite mappings from variables and resources to types. A typing judgment ∆ ⊢ e : νN. τ  H means that, in a type environment ∆, the expression e evaluates to a value of type νN. τ , and it produces a history represented by νN. H. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

22

·

Massimo Bartoletti et al.

Definition 5.1. Types, type environments, and typing judgements S ::= R | R ∪ {n} | {?} τ ::= 1 | (S, γ) | τ − →ζ

R ⊆ Res, n ∈ Nam, S 6= ∅ γ ⊆ Act

ζ ::= νn. ζ | τ  H ∆ ::= ∅ | ∆; r : ({r}, Γs (r)) | ∆; x : τ

resource sets pure types types type environments

x 6∈ dom(∆)

∆⊢e:ζ

typing judgements

We also introduce the following shorthands: N 6∩ M νN. ζ = νn1 · · · νnk . ζ H · ζ = νN. τ  H · H ′

if N ∩ M = ∅ if N = {n1 , . . . nk } if ζ = νN. τ  H ′ and N 6 ∩ fn(H)

We say νN. τ  H is in ν-normal form (abbreviated νNF) when N ⊆ fn(τ ). We now define the subtyping relation ⊑. It builds over the subeffecting relation between history expressions (Definition 4.8). The first equation is a variant of the usual extrusion. The first two rules for ⊑ allow for weakening a pure type (S, γ) to a wider one, possibly with fewer capabilities, or to the pure type ({?}, γ). The last rule extends to types the relations ⊑ over pure types and effects. The side condition prevents from introducing name captures. For instance, consider ζ = νn. {r}α(n) and ζ ′ = νn. {r, n}  α(n). Since n ∈ fn({r, n}) \ fn({r}), then ζ 6⊑ ζ ′ . Indeed, by the equational theory we have that: ζ = {r}  νn. α(n) = {r}  νn′ . α(n′ ) which permits the subtyping ζ ⊑ ζ ′′ = {r, n}  νn′ . α(n′ ). Indeed, in ζ ′′ the name n′ upon which α acts has nothing to do with name n in the pure type, while in ζ ′ both α and the pure type refer to the same name. Definition 5.2. Subtypes The equational theory of types includes that of history expressions (if H = H ′ then τ  H = τ  H ′ ), α-conversion of names, and the following equation: νn. (τ  H) = τ  (νn. H)

if n 6∈ fn(τ )

The relation ⊑ over pure types is the least preorder including = such that: (S, γ) ⊑ (S ′ , γ ′ ) if {?} 6= S ⊆ S ′ and γ ⊇ γ ′ νN. τ  H ⊑ νN. τ ′  H ′

(S, γ) ⊑ ({?}, γ)

if τ ⊑ τ ′ and H ⊑ H ′ and (fn(τ ′ ) \ fn(τ ))6 ∩ N

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

23

Remark 5.1. Note that it is always possible to rewrite any type νN. τ  H in ˆ = N ∩ fn(τ ), and let N ˇ = N \ fn(τ ). Then, the equational νNF. To do that, let N ˆ . τ  (ν N ˇ .H). theory of types gives: νN. τ  H = ν N

In Definition 5.3 we introduce the type and effect system for λ[ ] . Here we briefly comment on the most peculiar typing rules.

—T-Ev An access α(ξ) has type 1, provided that the type of ξ is a pair (S, γ), and α is a capability belonging to the set γ. The effect of α(ξ) can be any of the accesses α(ρ), for ρ member of the set S.

—T-Abs The actual effect of an abstraction is the empty history expression. Note that the latent effect (included in the type ζ) is equal to the actual effect of the function body.

—T-Wk This rule allows for weakening of types and effects, according to the subtyping relation of Definition 5.2.

—T-App The effects in the rule for application are concatenated according to the evaluation order of the call-by-value semantics (function, argument, latent effect). The side conditions ensure that there is no clash of names. In particular, the last side condition makes sure that the names created by the function are never used by the argument. On the contrary, N ′ can intersect fn(H), so allowing for “name extrusion,” when a new resource is generateed by e′ and then passed to e.

—T-New The type of a new γ is a set {(n, γ)}, and the actual effect is the event new(n). Both occurrences of the name n are bound through a νn. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

24

·

Massimo Bartoletti et al.

Definition 5.3. Type and effects system for λ[ ] Typing judgements ∆ ⊢ e : ζ are inductively defined through the following inference rules, where ξ ∈ Var ∪ Res: T-Unit

∆⊢∗:1ε

T-Var

∆; ξ : τ ⊢ ξ : τ  ε ∆⊢e:ζ

α∈γ T-Ev

∆; ξ : (S, γ) ⊢ α(ξ) : 1 

P

T-AddVar ρ∈S

α(ρ)

∆⊢e:ζ

∆; x : τ ; z : τ − →ζ⊢e:ζ T-Abs

∆ ⊢ λz x.e : (τ − → ζ)  ε

T-Wk

∆ ⊢ e e′ : ν(N ∪ N ′ ). (H · H ′ · ζ) ∆⊢e:ζ

T-If

∆ ⊢ e′ : ζ ′

∆ ⊢ if b then e else e : ζ

ζ ⊑ ζ′

∆ ⊢ e : ζ′

∆ ⊢ e′ : νN ′ .(τ  H ′ )

∆ ⊢ e : νN.(τ → ζ)  H T-App

∆; ξ : τ ⊢ e : ζ

N 6∩ N ′ N 6 ∩ fn(∆)6 ∩ N ′ N 6 ∩ fn(H ′ )

∆ ⊢ e : νN. τ  H T-Fr

∆ ⊢ ϕ[e] : νN. τ  ϕ[H]

κ(γ) 6= ∅ T-New

∆ ⊢ new γ : νn. ({n}, γ)  newκ(γ) (n)

Example 5.2. Below we show the typing derivations for the expressions in Example 5.1. Also here we omit capabilities, because they are irrelevant; the Appendix A has three examples with explicit capabilities. The expression if b then r else r′ can be typed as follows: T-Var T-Wk T-If

∅ ⊢ r : {r}  ε ∅ ⊢ r : {r, r′ }  ε

T-Var T-Wk

∅ ⊢ r′ : {r′ }  ε ∅ ⊢ r′ : {r, r′ }  ε

∅ ⊢ if b then r else r′ : {r, r′ }  ε

Recall that the expression new x in x abbreviates (λx. x)(new). Then, we have the following typing derivation for the expression e′ = λy. new x in x. T-Var T-Abs T-App T-Abs

x : {n} ⊢ x : {n}  ε T-New ∅ ⊢ λx. x : {n} → {n}  ε ∅ ⊢ new : (νn. {n}  new(n)) ∅ ⊢ (λx. x)(new) : (νn. {n}  new(n)) ∅ ⊢ λy. new x in x : 1 → (νn. {n}  new(n))  ε

Consider now the expression λz y. new x in if b then x else z y, and let in the typing ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

25

derivations below H = µh. νn. new(n) · (h + ε) and ∆ = {y : 1; z : 1 → ({?}  H)}, ∆′ = ∆ ∪ {x : {n}}. Then, we have the following typing judgement T-Var T-Wk T-If T-Abs

(T-Var on z, y) ∆′ ⊢ x : {n}  ε T-App ∆′ ⊢ x : {?}  H + ε ∆′ ⊢ zy : {?}  H + ε ′ ∆ ⊢ if b then x else zy : {?}  H + ε

∆ ⊢ λx. if b then x else zy : {n} → ({?}  H + ε)  ε

A

Now we have that H = νn. new(n) · (H + ε), according to Definition 4.7. Also, recall that new x in if b then x else z y abbreviates (λx. if b then x else z y)(new). We can then build the following typing judgement for the expression in hand. A

T-App T-Wk T-Abs

T-New

∆ ⊢ new : νn. {n}  new(n) ∆ ⊢ new x in if b then x else z y : {?}  νn. new(n) · (H + ε) ∆ ⊢ new x in if b then x else z y : {?}  H

∅ ⊢ λz y. new x in if b then x else z y : (1 → {?}  H)  ε Our next example has further illustrative cases of expressions and of their types and effects; the actual typing derivations are in the Appendix A. Example 5.3. Consider the following λ[ ] expressions and their typing judgements, in the (omitted) empty typing environment. Also, in eA.3 we must have α ∈ γ ∩ Γ(r), while in eA.4 − eA.7 , we assume α, α′ ∈ γ. ⊢ eA.1 , if b then λz x. α else λz x. α′ : 1 → (1  α + α′ )  ε ⊢ eA.2 , λg x. if b′ then ∗ else ϕ[g(eA.1 x)] : 1 → (1  µh. ε + ϕ[(α + α′ ) · h])  ε ⊢ eA.3 , α(new x : γ in if b then x else r) : 1  νn. newκ(γ) (n) · (α(n) + α(r)) ⊢ eA.4 , let f = (λx. new y : γ in α(y); y) in α′ (f ∗; f ∗) : 1  (νn. newκ(γ) (n) · α(n)) · (νn′ . newκ(γ) (n′ ) · α(n′ ) · α′ (n′ )) ⊢ eA.5 , let g = (new y : γ in λx. α(y); y) in α′ (g∗; g∗) : 1  νn. newκ(γ) (n) · α(n) · α(n) · α′ (n) ⊢ eA.6 , (λz x. new y : γ in if b then α(y) else α′ (y); zx) ∗ : 1  µh. νn. newκ(γ) (n) · (α(n) + α′ (n) · h) ⊢ eA.7 , α((λz x. new y : γ in if b then y else α′ (y); zx) ∗) : 1  (µh. νn. newκ(γ) (n) · (ε + α′ (n) · h)) · α(?) The effects of eA.4 and eA.5 represent, as expected, the fact that two distinct resources are generated by eA.4 , while the evaluation of eA.5 creates a single fresh resource. The effect of eA.6 is a recursion, at each step of which a fresh resource is generated. The effect of eA.7 is more peculiar: it behaves similarly to eA.6 until the ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

26

·

Massimo Bartoletti et al.

recursion is left, when the last generated resource is exported. Since its identity is lost, the event α is fired on the unknown resource “?”. Theorem 5.4 below guarantees that our type and effect system correctly approximates the dynamic semantics, i.e. the effect of an expression e represents all the actual run-time histories of e. As usual, precision is lost with conditionals and with recursive functions. Also, you may lose the identity of names exported by recursive functions (see the type of eA.7 in Example 5.3). Theorem 5.4 Correctness of effects. Let ∆ ⊢ e : νN. τ  H, and let −[ ] ? ε, Γs , e →∗ η, Γ, e′ . Then, η ∈ JνN. HK . Our type and effect system guarantees the following type safety property. If an expression is typable, then it will not try to access a resource without the needed capabilities. If, additionally, the effect is valid, then the evaluation will respect all the policies within the scope defined by their framings. Note that, in our model, typability is not enough to guarantee policy compliance: a model-checking phase is then performed to verify validity. This design choice (type-checking capabilities and model-checking policies) is mainly motivated by technical reasons, besides obvious separation of concerns. Checking policies directly within a type system would add a significant complexity. Indeed, having a compositional type system for policies conflicts with non-compositionality of validity of history expressions (see Example 4.3). Theorem 5.5 Type Safety. Let ∆ ⊢ e : νN. τ  H. Then: (a) ε, Γs , e 6→∗ η, Γ, fail κ (b) if νN. H is valid, then ε, Γs , e 6→∗ η, Γ, fail ϕ[e′ ]

(e respects capabilities). (e respects policies).

The proofs of the above two theorems are in Appendix C, and they require some auxiliary definitions and technical results. Firstly, it turned out convenient to treat policy framings in λ[ ] expressions as syntactic sugar, and explicitly mark their openings and closing through framing events [ϕ , ]ϕ . This is done by mapping an expression e with policy framings into an expression e♯ without them. Very roughly, the expression (ϕ[e])♯ is [ϕ ; e♯ ; ]ϕ . An auxiliary result is that e♯ mimicks the behaviour of e, and that the two expressions have the same type and effect. Then, we introduce a big-step operational semantics for λ[ ] , and we prove some properties it enjoys, among which that the small-step and the big-step semantics are equivalent. This is a major point, because it permits stating the subject reduction result of our type and effect system in the traditional form, where each step of a computation preserves the type. As a matter of fact, this is not the case with the small-step operational semantics in Definition 3.6, according to which, whenever an expression e reduces to e′ while generating an event, this no longer occurs in the effect of e′ . Then, the proof of the subject reduction lemma, yet long, greatly benefits from the big-step semantics. By exploiting this result, we eventually prove that the run-time histories of an expression are included in the effects deduced by the type system (Theorem 5.4), and that an expression with a valid effect will violate no security policy at run-time (Theorem 5.5). ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

6.

·

27

STATIC VERIFICATION

We verify the validity of history expressions by transforming them into Basic Process Algebras (BPAs), then model-checked against a framing-aware version of automata. The standard decision procedure for verifying that a BPA process p satisfies a regular property ϕ amounts to constructing the pushdown automaton for p and the automaton for ¬ϕ. Then, the property is proved by checking the emptiness of the (context-free) language accepted by the conjunction of the above automata, that is still a pushdown automaton. This problem is known to be decidable, and several algorithms and tools show this approach feasible [Esparza 1994]. Note that the arbitrary nesting of framings and the infinite alphabet of resources make validity non-regular, e.g. the history expression: H = ϕ[µh. (ε + νn. new(n) · α(n) · h + h · h + ϕ[h])] has traces with unbounded pairs of balanced [ϕ and ]ϕ and unbounded number of symbols – so it is not a regular language. This prevents us from directly applying the standard decision technique sketched above. To cope with the first source of non-regularity – due to the arbitrary nesting of framings – we define a static transformation of history expressions, called regularization, that removes the redundant framings. For the second source of non-regularity – due to the possibly infinite alphabet of resources – the major challenge for verification is that history expressions may create fresh resources, while BPAs cannot. A na¨ıve solution could lead to the generation of an unbounded set of automata Aϕ(r,R) that must be checked to verify validity. For example, the histories denoted by the history expression H above must satisfy all the policies ϕ(r0 ), ϕ(r1 ), . . . for each freshly created resource. Thus, we would have to intersect an infinite number of finite state automata to verify H valid, which is unfeasible. To cope with that, we shall define a mapping from history expressions to BPAs that preserves validity. Our mapping groups fresh resources in two sets. The intuition is that a policy ϕ(x) can only distinguish between x and all the other resources, represented by x ¯. There is no way for ϕ(x) to further discriminate among the dynamic resources: this is because our policy framings ϕ[e] are not parametrized with dynamically generated resources — instead they cause the policy ϕ to be uniformly applied to every resource. Hence, it is sound to only consider two representatives of dynamic resources: the “witness” resource # that represents ¯. x, and the “don’t care” resource for x The rest of this section is organized as follows. The validity-preserving regularization of history expressions is introduced in Section 6.1. In Section 6.2 we define a transformation of policy automata that makes them able to recognize valid histories. Section 6.3 contains the semantic-preserving mapping from history expressions to Basic Process Algebras. The main result of this section is Theorem 6.13, that states the correctness of our procedure. Together with the type safety result, this implies that, if a λ[ ] expression is well-typed and its effect is checked valid, then it never violates security. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

28

6.1

Massimo Bartoletti et al.

Regularization of history expressions

History expressions can generate histories with redundant framings, i.e. nestings of the same policy framing. For example, the history η = ϕ[α ϕ′ [ϕ[α′ ]]] has an inner redundant ϕ-framing around the event α′ . Since α′ is already under the scope of the outermost ϕ-framing, it happens that η is valid if and only if ϕ[α ϕ′ [α′ ]] is valid. Removing inner redundant framings from a history preserves its validity. However, one needs the expressive power of a pushdown automaton, because open and closed framings are to be matched in pairs. For example, consider the following history: n

m

z }| { z }| { η = α [ϕ · · · [ϕ ]ϕ · · · ]ϕ [ϕ Then, the last [ϕ is redundant if n > m, and is not if n = m. Definition 6.1. We say a history η has redundant framings when η = η0 [ϕ η1 [ϕ η2 for some ϕ, η0 , η1 , η2 with ]ϕ 6∈ η1 . We say a closed history expression H has redundant framings when some η ∈ JHK has redundant framings.

To define regularization, it is convenient to first specify in Definition 6.2 the guards of a history expression. Definition 6.2. Guards ˜ be a history expression with a single hole •, such that H = H{h/•}. ˜ Let H We say that h (more precisely, the occurrence of h replacing •) is guarded by Φ in H ˜ when Φ ⊆ guard (H). ˜ is inductively defined by the following equations. The set guard (H) guard (H0 · H1 ) = guard (Hi )

if • ∈ Hi

guard (H0 + H1 ) = guard (Hi ) if • ∈ Hi guard (ϕ[H]) = {ϕ} ∪ guard (H) guard (νn. H) = guard (H) guard (µh. H) = guard (H) guard (•) = ∅ We say that h is guarded in H when h is guarded by some non-empty Φ in H; otherwise h is unguarded.

˜ = ϕ[α·h0 ·ϕ′ [α′ +•]]·h2 . Example 6.1. Let H = ϕ[α·h0 ·ϕ′ [α′ +h1 ]]·h2 , and let H ˜ ˜ Then, H = H{h1 /•}, and so h1 is guarded by guard (H) = {ϕ, ϕ′ }. Similarly, h0 is guarded by {ϕ}, and h2 is unguarded (i.e. guarded by ∅). ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

29

Definition 6.3. Regularization of history expressions Let H be a history expression where all the variables have distinct names. The regularization H ↓ of H is defined as H ↓∅,∅ , where H ↓Φ,Υ , inductively defined by the following rules, is the regularization of H against a set of policies Φ and a substitution Υ of variables into history expressions. ( H ↓Φ,Υ if ϕ ∈ Φ ε ↓Φ,Υ = ε ϕ[H] ↓Φ,Υ = ϕ[H ↓Φ∪{ϕ},Υ ] otherwise α(ρ) ↓Φ,Υ = α(ρ)

(H · H ′ ) ↓Φ,Υ = H ↓Φ,Υ · H ′ ↓Φ,Υ

(νn. H) ↓Φ,Υ = νn. H ↓Φ,Υ

(H + H ′ ) ↓Φ,Υ = H ↓Φ,Υ + H ′ ↓Φ,Υ

h ↓Φ,Υ = h

(µh. H) ↓Φ,Υ = µh. (H ′ σ ′ ↓Φ,Υ{(µh.H)Υ/h} σ) where H = H ′ {h/hi }i , hi fresh, h 6∈ fv (H ′ ), σ(hi ) = (µh.H)Υ ↓Φ∪guard(H ′ {•/hi }),Υ ( h if guard (H ′ {•/hi }) ⊆ Φ σ ′ (hi ) = hi otherwise

Intuitively, H↓Φ,Υ results from H by eliminating all the redundant framings, and all the framings in Φ. The environment Υ is needed to deal with free variables in the case of nested µ-expressions, as shown by Example 6.3 below. We sometimes omit to write the component Υ when unneeded. The rules for framings and recursion will benefit from some explanation. Consider first a history expression of the form ϕ[H] to be regularized against a set of policies Φ. To eliminate the redundant framings, we must ensure that H has neither ϕframings, nor redundant framings itself. This is accomplished by regularizing H against Φ ∪ {ϕ}. Consider now a history expression of the form µh.H. Its regularization against Φ and Υ proceeds as follows. Each free occurrence of h in H guarded by some Φ′ 6⊆ Φ is unfolded and regularized against Φ ∪ Φ′ . The substitution Υ is used to bind the free variables to closed history expressions. Technically, the i-th free occurrence of h in H is picked up by the substitution {h/hi }, for hi fresh. Note also that σ(hi ) is computed only if σ ′ (hi ) = hi . Two examples of regularization follow. In Example 6.2, we regularize a history expression with simple recursion, while in Example 6.3 we deal with the more complex case of mutual recursion. Example 6.2. Let H0 = µh. H, be a history expression where H = α+h·h+ϕ[h]. Then, H can be written as H ′ {h/hi }i∈0..2 , where H ′ = α + h0 · h1 + ϕ[h2 ]. Since guard (H ′ {•/h2 }) = {ϕ} 6⊆ ∅ and guard (H ′ {•/h0 }) = guard (H ′ {•/h1 }) = ∅ we ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

30

·

Massimo Bartoletti et al.

have that: H0 ↓∅ = µh. H ′ {h/h0 , h/h1 } ↓∅ {H0 ↓ϕ /h2 } = µh. α + h · h + ϕ[H0 ↓ϕ ] To compute H0 ↓ϕ , note that no occurrence of h is guarded by Φ 6⊆ {ϕ}. Then: H0 ↓ϕ = µh. (α + h · h + ϕ[h]) ↓ϕ = µh. α + h · h + h
∗ Since JH0 ↓ϕ K = {α}∗ has no ϕ-framings, we have that JH0 ↓K = {α}∗ ϕ[{α}∗ ] has no redundant framings. Example 6.3. Let H0 = µh. H1 , where H1 = µh′ . H2 , and H2 = α + h · ϕ[h′ ]. Since guard (H1′ {•/h}) = ∅, we have that: H0 ↓∅,∅ = µh. (H1 ↓∅,{H0 /h} ) Note that H2 can be written as H2′ {h′ /h0 }, where H2′ = α + h · ϕ[h0 ]. Since guard (H2′ {•/h0 }) = {ϕ} 6⊆ ∅, it follows that: H1 ↓∅,{H0 /h} = µh′ . H2′ ↓∅,{H0 /h,H1 {H0 /h}/h′ } {H1 {H0 /h} ↓ϕ,{H0 /h} /h0 } = µh′ . α + h · ϕ[h0 ] {(µh′ . α + H0 · ϕ[h′ ]) ↓ϕ,{H0 /h} /h0 } = µh′ . α + h · ϕ[H3 ↓ϕ,{H0 /h} ] = α + h · ϕ[H3 ↓ϕ,{H0 /h} ] where H3 = µh′ . α + H0 · ϕ[h′ ], and the last step is possible because the outermost µ binds no variable. Since guard ((α + H0 · ϕ[h′ ]){•/h′ }) = {ϕ} ⊆ {ϕ}: H3 ↓ϕ = µh′ . (α + H0 · ϕ[h′ ]) ↓ϕ = µh′ . α + H0 ↓ϕ · h′ Since {ϕ} contains both guard (H1 {•/h}) = ∅, and guard (H2 {•/h2 }) = {ϕ}, then: H0 ↓ϕ = µh. (µh′ . α + h · ϕ[h′ ]) ↓ϕ = µh. µh′ . (α + h · ϕ[h′ ]) ↓ϕ = µh. µh′ . α + h · h′ Putting together the computations above, we have that: H0 ↓∅ = µh. α + h · ϕ[H3 ↓ϕ ]
H3 ↓ϕ = µh′ . α + µh. µh′ . α + h · h′ · h′ As a matter of fact, regularization is a total function, and its definition can be easily turned into a terminating rewriting system. We now establish the following basic properties of regularization, stating its correctness. Theorem 6.4. For each history expression H: —H ↓ is defined. —H ↓ has no redundant framings. —H ↓ is valid if and only if H is valid. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

31

AϕFile[ ] (r,{r}) read(r) write(r)

open(r) q1 [ϕ

q0

close(r) ]ϕ open(r)

q˙1

Fig. 6.

6.2

q˙0

close(r)

[ϕ

]ϕ

[ϕ

q2

read(r) write(r)

q˙2

The framed automaton AϕFile[ ] (r,{r}) .

Framed Automata

We specify in Definition 6.5 a transformation of automata that makes them able to recognize valid traces. This is done by instrumenting an automaton Aϕ(r,R) with framing events, so obtaining a framed automaton Aϕ[ ] (r,R) that will recognize those traces that are valid with respect to the policy ϕ. Definition 6.5. Instrumenting automata with framing events Let Aϕ(r,R) = hΣ, Q, q0 , F, δi be an automaton. Then, we define Aϕ[ ] (r,R) = hΣ′ , Q′ , q0 , F ′ , δ ′ i as follows: Σ′ = Σ ∪ {[ϕ , ]ϕ , [ϕ′ , ]ϕ′ , . . .}

Q′ = Q ∪ { q˙ | q ∈ Q }

F ′ = { q˙ | q ∈ F }

]ϕ

[ϕ

ϑ

→ q˙ | q˙ ∈ F ′ } δ ′ = δ ∪ { q −→ q˙ | q ∈ Q } ∪ { q˙ −→ q | q ∈ Q \ F } ∪ { q˙ − ϑ

ϑ

[ψ

]ψ

∪ { q˙ − → q˙′ | q − → q ′ ∈ δ and q ∈ Q \ F } ∪ { q −→ q, q −→ q | ψ 6= ϕ } Intuitively, the automaton Aϕ[ ] (r,R) is partitioned into two layers. Both are copies of Aϕ(r,R) , but in the first layer of Aϕ[ ] (r,R) all the states are made non-final. This represents being compliant with ϕ. The second layer is reachable from the first one when opening a framing for ϕ, while closing gets back – unless we are in a final (i.e. offending) state. The transitions in the second layer are a copy of those in Aϕ(r,R) , the only difference being that the final states are sinks. The final states in the second layer are exactly those final in Aϕ(r,R) . Example 6.4. Consider the file usage policy ϕFile (x) of Section 2, requiring that only open files can be read or written. The instrumentation AϕFile[ ] (r,{r}) of AϕFile (r,{r}) is in Figure 6 – the self-loops are omitted. The top (resp. bottom) layer models being outside (resp. inside) the scope of ϕFile . We now relate framed automata with validity. Let η be a history with no redundant framings. Then η is valid if and only if it complies with the framed automata Aϕ[ ] (r,R(η)) for all the policies ϕ spanning over η. Recall that if η is obtained from a regularized history expression, then it is guaranteed free from redundant framings. Lemma 6.6. Let η be a history with no redundant framings, and let r′ be an arbitrary resource in Res \ R(η). Then, η is valid if and only if η
Aϕ[ ] (r,R(η)) , for all ϕ occurring in η, and for all r ∈ R(η) ∪ {r′ }. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

32

6.3

Massimo Bartoletti et al.

Model-checking validity

Basic Process Algebras [Bergstra and Klop 1985] provide a natural characterization of history expressions. BPA processes contain the terminated process 0, events β, that we use for access and framing events, the operators · and + that denote sequential composition and (non-deterministic) choice, and variables X, Y, . . .. To allow for recursion, a BPA is then defined as a process p and a set of definitions ∆ for the variables X that occur therein. Definition 6.7. Syntax of Basic Process Algebras A BPA process is given by the following abstract syntax, where β ∈ Ev ∪ Frm: p, p′ ::= 0 | β | p · p′ | p + p′ | X A BPA definition has the form X , p. A set ∆ of BPA definitions is coherent when X , p ∈ ∆ and X , p′ ∈ ∆ imply p = p′ . A BPA is a pair hp, ∆i such that (i) ∆ is finite and coherent, and (ii) for all X occurring in p or ∆, there exists some q such that X , q ∈ ∆. We write ∆ + ∆′ for ∆ ∪ ∆′ , when coherent (otherwise, ∆ + ∆′ is undefined). Let P = hp, ∆i and P ′ = hp′ , ∆′ i. We write P · P ′ for hp · p′ , ∆ + ∆′ i, and P + P ′ for hp + p′ , ∆ + ∆′ i.

The semantics of BPAs is given by the labelled transition system in Definition 6.8. Note that there is no need to consider infinite computations, because validity is a safety property [Schneider 2000], i.e. nothing bad can happen in any (finite) trace of execution steps. Definition 6.8. Operational Semantics of Basic Process Algebras The semantics JP K of a BPA P = hp0 , ∆i is the set of the histories labelling finite computations: a

a

i 1 pi } · · · −→ { η = a1 · · · ai | p0 −→

a

where a ∈ Ev ∪ {ε}, and the relation − → is inductively defined by the rules: β

ε

0·p− →p

β− →0

ε

p+q − →p

ε

p+q − →q

a

p− → p′ a

′

p·q − →p ·q

ε

→p X−

if X , p ∈ ∆

Our transformation from history expressions to BPAs is formalized in Definition 6.9 through the function B(H). The auxiliary function Φ(H) returns a finite set of automata, to be used in model-checking validity. Without loss of generality, ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

33

we assume that the recursion variables in H are all distinct. Events, variables, concatenation and choice are mapped by B(H) into the corresponding BPA counterparts. Note that an expression ϕ[H] is handled as [ϕ ·H·]ϕ , so B(ϕ[H])Θ = h[ϕ · p · ]ϕ , ∆i, where B(H)Θ = hp, ∆i. A history expression µh.H is mapped to a fresh BPA variable X, bound to the translation of H in the set of definitions ∆. The tricky case is that of new name generation. For each binder νn.H, we generate a choice of two BPA processes: in the first, the name n is replaced by the “don’t care” resource , while in the second, n is replaced by the “witness” resource #. For simplicity, we here consider a single witness. To deal with the general case where resources are partitioned in kinds Acti , it suffices using a #i -witness for each kind (e.g. #File , #Socket , etc.). The set Φ(H) contains, for each policy ϕ and static resource r0 , the framed automaton Aϕ[ ] (r0 ,R(H)) . Also, Φ(H) includes the instantiations Aϕ[ ] (#,R(H)) , to be ready on controlling ϕ on dynamic resources, represented by the witness #. The transformation presented here handles monadic policies ϕ(x), only. However, it can be extended to the case of polyadic policies ϕ(x1 , . . . , xk ) by using k witnesses #1 , . . . , #k (see [Bartoletti et al. 2008; Bartoletti 2009] for additional details). Definition 6.9. Mapping history expressions to BPAs Given a closed history expression H, its associated BPA is: B(H) = B(H)∅ where the transformation B(H)Θ takes as input a history expression and a function Θ from variables h to BPA variables X. The symbols and # are distinguished resources in Resd . B(ε)Θ = h0, ∅i B(h)Θ = hΘ(h), ∅i B(α(ρ))Θ = hα(ρ), ∅i B(H0 · H1 )Θ = B(H0 )Θ · B(H1 )Θ B(H0 + H1 )Θ = B(H0 )Θ + B(H1 )Θ B(νn.H)Θ = B(H{ /n})Θ + B(H{#/n})Θ B(µh.H)Θ = hX, ∆ ∪ {X , p}i, where B(H)Θ{X/h} = hp, ∆i, X fresh Furthermore, the set Φ(H) is defined as follows: Φ(H) = { Aϕ[ ] (r0 ,R(H)) | r0 , ϕ ∈ H } ∪ { Aϕ[ ] (#,R(H)) | ϕ ∈ H } where:

R(H) = { r0 ∈ Ress | r0 ∈ H } ∪ {#, }

We now state the correspondence between history expressions and BPAs. The histories generated by a history expression H are all and only the strings that label the computations of the extracted BPA, where dynamic resources are suitably renamed to permit model-checking. An auxiliary definition follows. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

34

·

Massimo Bartoletti et al. ψ(x)

q0

α(x)

α( ) α(?)

q0

q1 α(x)

[ψ

q2 α( ) α(?)

[ψ

]ψ

q˙0

ψ[ ] (#, {# })

α( ) α(?) α(#) q1 α(?)

α(#) α(?) α( ) α(?)

α(#) α(?)

Fig. 7. The usage automaton ψ(x) and the instantiation Aψ[ ] (#,{ new events are omitted.

α( ) α(?) α(#)

q˙2

α(#) α(?) α( )

[ψ

]ψ

q˙1

q2

α(#) α(?)

,#}) .

The self-loops for the

Definition 6.10. Let σ be a substitution from Res ∪ {?} to Res ∪ {?}. We say that σ is name-collapsing when, for some set of dynamic resources R ⊂ Resd : σ(r) = # if r ∈ R σ(r) = if r ∈ Resd \ R

σ(#) = # σ( ) =

σ(?) = ? σ(r) = r

otherwise

Theorem 6.11. For each history expression H, history η, and name-collapsing σ: ησ

η ∈ JHK =⇒ ∃P. B(H) −−→ P A couple of examples follow. Example 6.5. Let H = µh. (νn. ε + α(n) · h). Then, the BPA extracted from H is hX, ∆i, where ∆ = {X , 0 + α( ) · X + 0 + α(#) · X}. Consider the history η = α(r0 )α(r1 )α(r2 ) ∈ JHK, and let σ = { /r0 , #/r1 , /r2 } be a name-collapsing substitution. Then, ησ = α( )α(#)α( ) is a trace in JhX, ∆iK. Example 6.6. Consider the history expression: H = ψ[(νn. new(n) · α(n)) · (νn′ . new(n′ ) · α(n′ )) · α(?)] where the policy ψ asks that the action α cannot be performed twice on the same resource (left-hand side of Figure 7). Then:

B(H) = [ψ · new( )·α( )+new(#)·α(#) · new( )·α( )+new(#)·α(#) ·α(?) ·]ψ

The BPA B(H) violates Aψ[ ] (#,{ ,#}) ∈ Φ(H), displayed in right-hand side of Figure 7. The violation is consistent with the fact that the wildcard ? represents any resource, e.g. α(r′ )α(r)α(r) ∈ JHK violates ψ. In general, we can prove that, whenever B(H) is valid, then also H is valid. However, this verification technique is not complete. Consider for instance a policy ψ ′ , requiring that α is not executed three times on the same resource. Let: H ′ = ψ ′ [(νn. new(n) · α(n)) · (νn′ . new(n′ ) · α(n′ )) · α(?)] Note that B(H ′ ) violates Aψ[′ ] (#,{ ,#}) , while all the histories denoted by H ′ respect ψ ′ . Theorem 6.13 shows a sound and complete verification technique. As shown in Example 6.6, the validity of H does not imply the validity of B(H), so leading to a sound but incomplete decision procedure. The problem is that B(H) uses the same “witness” resource # for all the resource creations in H. This ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

35

obviously makes B(H) identify (as #) resources that are distinct in H. This leads to violations of policies, e.g. those that prevent some action from being performed twice (or more) on the same resource. To recover a (sound and) complete decision procedure for validity, it suffices to check any history of B(H) only until the second “witness” resource is generated ¯ is a sum of two (i.e. before the second occurrence of new(#)). Recall that B(νn.H) BPAs: the first one instantiating n with #, and the second one using instead. By truncating histories of B(H) before the second new(#) occurs, we ensure that # corresponds to a single resource r ∈ Resd occurring in a history η of H. Note that, while this prevents from abstracting other resources r′ 6= r in η with the witness #, these can still be abstracted by . This abstraction preserves completeness because, as discussed at the beginning of this section, a policy ϕ(x) can only distinguish between the resource to which x is instantiated and the other resources. Truncating the histories of B(H) can be accomplished by composing B(H) with the “unique witness” automaton through a “weak until” operation (Definition 6.12). The weak until W is standard; the unique witness A# is a finite state automaton that reaches an offending state on those traces containing more than one new(#) event.

Example 6.7. Consider again the history expression H ′ in Example 6.6. The maximal histories generated by B(H ′ ) are shown below.

[ψ′ new( )α( ) new(#)α(#) α(?) ]ψ′ [ψ′ new(#)α(#) new( )α( ) α(?) ]ψ′ [ψ′ new( )α( ) new( )α( ) α(?) ]ψ′ [ψ′ new(#)α(#) new(#)α(#) α(?) ]ψ′

Note that the first three histories above are valid with respect to the policies in Φ(H ′ ) = {ψ[′ ] (#)}. Instead, the last history violates ψ[′ ] (#). As said above, we discard this history before model-checking, because considering it would be a source of incompleteness. Indeed, in [ψ′ new(#)α(#) new(#)α(#) α(?) ]ψ′ the two fresh resources are identical, so constrasting with the semantics of history expressions. Note also that the automaton Aψ[′ ] ( ,{ ,#}) is not in Φ(H ′ ). This is sound, because if a violation has to occur, it always occurs on Aψ[′ ] (#,{ ,#}) . ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

36

·

Massimo Bartoletti et al.

Definition 6.12. Weak until and Unique Witness automata Let A0 = hΣ, Q0 , q0 , F0 , ρ0 i and A1 = hΣ, Q1 , q1 , F1 , ρ1 i be automata. Assume that A0 and A1 are complete, i.e. for each state q and β ∈ Σ, there exists a transition from q labelled β. The weak until automaton A0 W A1 = hΣ, Q, q, F, ρi is defined as follows: Q = Q0 × Q1 F = F0 × (Q1 \ F1 ) q = hq0 , q1 i ϑ

ϑ

ϑ

ρ = { hqi , qj i − → hqi′ , qj′ i | qi − → qi′ ∈ ρ0 , qj − → qj′ ∈ ρ1 , qj ∈ Q1 \ F1 } ϑ

∪ { hqi , qj i − → hqi , qj i | qj ∈ F1 , ϑ ∈ Σ } The unique witness automaton A# = hΣ, Q, q0 , F, ρi is defined as follows: Q = {q0 , q1 , q2 } F = {q2 } new(#)

new(#)

ρ = {q0 −−−−−→ q1 , q1 −−−−−→ q2 } ϑ

ϑ

ϑ

∪ { q0 − → q 0 , q1 − → q1 | ϑ ∈ Σ \ {new(#)} } ∪ { q2 − → q2 | ϑ ∈ Σ } The following theorem enables us to verify the validity of a history expression H by (i) regularizing H, (ii) extracting a BPA P = B(H) from H, and (iii) modelchecking P against the finite set of framed policy automata Φ(H). Together with type safety (Theorem 5.5), a λ[ ] expression will never be aborted at run-time by the execution monitor if its effect is checked valid. Theorem 6.13. An initial history expression H is valid if and only if, for all Aϕ[ ] (r,R) ∈ Φ(H): JB(H ↓)K
Aϕ[ ] (r,R) W A# The proof of this theorem and of all the intermediate results are in Appendix D. Proving the correctness of regularization is done by using the denotational semantics of history expressions, proved equivalent to the operational one in Appendix B. We then prove that policy compliance can be established by checking membership in a regular language (Lemma 3.4). The validity of a history amounts then to being (not) accepted by the relevant framed automaton (Lemma 6.6). Comparing the operational semantics of a history expression H to the corresponding BPA B(H) relies on proving their bisimilarity. This however requires to consider execution traces where the dynamic resources are abstracted into the witness # or the “don’t care” . The above results are then used to establish the correctness of our model-checking procedure, as stated by Theorem 6.13. As it is, our model-checking algorithm has exponential complexity in the number of the ν-binders contained in the history expression. The source of the exponential ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

Local Policies for Resource Usage Analysis (a)

q0

q3

α(x)

α(¯ x)

ϕ(x)

(b)

α(x)

α(?) α( )

q0

q1

q3

q2

(c)

ψ(x)

q0

α(x)

(d)

q0

q1 α(x)

α(#) α(?)

α(?) α( )

α(#) α(?)

Aϕ(#,{#,

q1

q2

q1

q2

Fig. 8. The usage policies ϕ(x) and ψ(x) and the automata Aϕ(#,{#, self-loops for the new events are omitted.

})

α(#) α(?) α(#) α( ) α(?)

Aψ(#,{#,

α(?)

37

})

α(?) α(#) α(?)

q2

})

and Aψ(#,{#,

}) .

The

comes from the rule B(νn.H)Θ = B(H{ /n})Θ + B(H{#/n})Θ in Definition 6.9. Our recent paper [Bartoletti et al. 2008] proposes a polynomial algorithm, that is based on a more careful grouping of witnesses. It has been implemented in the prototypical model-checker LocUsT [Bartoletti and Zunino 2008]. We conclude this section with two examples. Example 6.8. Let H = µh. (ε + νn. new(n) · α(n) · h). Consider then Hϕ = ϕ[H], where ϕ(x) asks that, for each resource x, the first occurrence of the event α(x) is necessarily followed by another α(x) (Figure 8a). Then, Hϕ is not valid, because e.g. η = [ϕ new(r)α(r)new(r′ )α(r′ ) is a history of Hϕ , and η 6|= Aϕ[ ] (r,{r,r′ }) (the non-framed automaton is in Figure 8b). This agrees with our model-checking technique. We have that Φ(Hϕ ) = {Aϕ[ ] (#,{#, }) }, and: B(Hϕ ) = h[ϕ ·X·]ϕ , X , ε + (new(#) · α(#) · X) + (new( ) · α( ) · X)i and the history [ϕ new(#)α(#)new( )α( ) ∈ JB(Hϕ )K drives the framed automaton Aϕ[ ] (#,{#, }) to an offending state. Consider now Hψ = ψ[H], where the policy ψ(x) says that the action α cannot be performed twice on the same resource x (Figure 8c). We have that Φ(Hψ ) = {Aψ[ ] (#,{#, }) }, and: B(Hψ ) = h[ψ ·X·]ψ , X , ε + (new(#) · α(#) · X) + (new( ) · α( ) · X)i Although Hψ obeys ψ, the BPA does not, since [ψ new(#)α(#)new(#)α(#)]ψ violates Aψ[ ] (#,{#, }) (the non-framed instantiation Aψ(#,{#, }) is in Figure 8d). Completeness is recovered through the weak until and unique witness automata, that filter the histories, like the one above, where new(#) is fired twice. Example 6.9. Recall from Section 2 the policy ϕFile (only open files can be read or written), and the policy ϕDoS (never create more than k files). Let: H = ϕFile [ϕDoS [µh. ε + νn. newFile (n) · open(n) · read (n) · close(n) · h]] Then, Φ(H) = {AϕFile (#) , AϕDoS (#) }, and B(H) = h[ϕ ·[ϕDoS ·X·]ϕDoS ·]ϕ , ∆i, where ∆ comprises the following definition: ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

38

·

Massimo Bartoletti et al.

X , ε + (newFile ( ) · open( ) · read( ) · close( ) · X) + (newFile (#) · open(#) · read(#) · close(#) · X) Note that each computation of B(H) obeys AϕFile[ ] (#,{#, }) , while there exist computations that violate AϕDoS[ ] (#,{#, }) . 7.

RELATED WORK

A wide variety of languages for expressing policies has been proposed over the years. A typical design compromise is that between expressivity and performance of the enforcement mechanism. The latter can be obtained either through an efficient implementation of the run-time monitor, or by exploiting suitable verification techniques to optimize the monitor (e.g. by removing some or all the dynamic checks). A characterization of the class of policies enforceable through run-time monitoring systems is given in [Schneider 2000]. There, the policy language is that of security automata, a class of B¨ uchi automata that recognize safety properties. To handle the case of parameters ranging over infinite domains (e.g. the formal parameters of a method), security automata resort to a countable set of states and input symbols. While this makes security automata suitable to provide a common semantic framework for policy languages (e.g. the semantics of our usage automata can be given in terms of a mapping into security automata) it also makes security automata hardly usable as an effective formalism for expressing policies. In [Hamlen et al. 2006] a characterization is given of the policies that can be enforced through program rewriting techniques. In [Bauer et al. 2002] a kind of automata that can delete and insert events in the execution trace is considered. Polymer [Bauer et al. 2005] is a language for specifying, composing and enforcing (global) security policies. In the lines of edit automata [Bauer et al. 2002], a policy can intervene in the program trace, to insert or suppress some events. Policy composition can then be unsound, because the events inserted by a policy may interfere with those monitored by another policy. To cope with that, the programmer must explicitly fix the order in which policies are applied. Being Turing-equivalent, Polymer policies are more expressive than ours, but this gain in expressivity has some disadvantages. First, a policy may potentially be unable to decide whether an event is accepted or not (i.e. checking it may not terminate). Second, no static guarantee is given about the compliance of a program with the imposed policy. Run-time monitoring is then necessary to enforce the policy, while our model-checking technique may avoid this overhead. Igarashi and Kobayashi [Igarashi and Kobayashi 2002] extended the λ-calculus with primitives for creating and accessing resources, and for defining their permitted usage patterns. The primitive newΦ () creates a new resource with a trace set Φ, i.e. a set of permitted access sequences, while the primitive accℓ (x) for accessing the resource x (the label ℓ represents the program point where the access is performed). Also abstractions e = λΦ x.e′ can be protected by a trace set Φ, to be satisfied when evaluating a labelled application e@ℓ e′ . To access a resource x with trace set Φ from an expression labelled ℓ, there must exist a valid trace in Φ, i.e. a trace beginning with ℓ. An execution is resource-safe when the possible patterns are within the permitted ones. A type system guarantees well-typed expressions to be resource-safe. Types abstract the usages permitted at run-time, while typing rules ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

39

check that resource accesses respect the deduced permitted usages. Since collecting the usages and checking resource-safety is done within a single phase, the language of usages needs to be quite expressive, which causes type inference to be undecidable in general. Indeed, the authors are focussed on achieving generality – at the cost of a rather complex type system – rather than offering a concrete verification algorithm like ours. Actually, here we provided λ[ ] with a sound and complete verification technique. Separating the analysis of effects from their verification offers a further advantage. It makes it possible to independently improve the accuracy of the analysis (e.g. through more sophisticated type systems or through abstract interpretation techniques) and the efficiency of the verification procedure. Clearly, also [Igarashi and Kobayashi 2002] is amenable to static verification, provided that one either restricts the language of permitted usages to a decidable subset, or one uses a sound but incomplete algorithm. Along the same lines, [Kobayashi 2003] designs even a more general type system, while [Iwama et al. 2006] extends [Igarashi and Kobayashi 2002] to languages with exceptions. We took much inspiration from Skalka and Smith’s [Skalka and Smith 2004; Skalka et al. 2008], who proposed λhist , a λ-calculus with local checks that enforce linear µ-calculus properties [Bradfield 1996; Kozen 1983] on the past history. A type and effect system approximates the possible run-time histories, whose validity can be statically verified by model checking µ-calculus formulae over Basic Process Algebras [Bergstra and Klop 1985; Esparza 1994]. Compared to [Skalka et al. 2008], our calculus features parametric policies, dynamic resource creation, and local policies instead of local checks. As a matter of fact, λhist local checks can be encoded in λ[ ] as local policies that include no events: indeed, a framing ϕ[∗] corresponds to a local check of the regular policy ϕ on the current history. It is not always possible to transform a program in λ[ ] into a program in λhist that obeys the same security properties, provided that the transformation is only allowed to substitute suitable local checks for policy framings. Clearly, unrestricted transformations, (e.g. security-passing style ones that record the set of active framings [Wallach et al. 2000]) can do the job, because λhist is Turing complete. As far as the type systems are concerned, that of [Skalka et al. 2008] also allows for let-polymorphism, subtyping of functional types, and type inference – while ours handles resource creation through the ν-binders in types. In Section 8 we further discuss these issues. On the same lines of [Skalka and Smith 2004], Skalka defines in [Skalka 2005] a type and effect system for an extension of Featherweight Java, featuring histories and security checks. Regions have been used in type and effect systems [Talpin and Jouvelot 1992; Nielson and Nielson 1994] to approximate new names in impure call-by-value λcalculi. Similarly to ours, the static semantics of [Nielson and Nielson 1994] aims at over-approximating the set of run-time traces, while that of [Talpin and Jouvelot 1992] only considers flat sets of events. A main difference from our approach is that, while our ν-types deal with the freshness of names, both [Talpin and Jouvelot 1992] and [Nielson and Nielson 1994] use universal polymorphism for typing resource creations. Since a region n stands for a set of resources, in an effect α(n)·β(n) their static approximation does not ensure that α and β act on the same resource. This property can instead be guaranteed in our system through the effect νn.(α(n)·β(n)). ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

40

·

Massimo Bartoletti et al.

This improvement in the precision of approximations is crucial, since it allows us to model-check in [Bartoletti et al. 2008] regular properties of traces (e.g. permit read (file) only after an open(file)) that would otherwise fail with the approximations of [Talpin and Jouvelot 1992; Nielson and Nielson 1994]. Many authors [Colcombet and Fradet 2000; Erlingsson and Schneider 1999; Marriott et al. 2003; Thiemann 2003] mixed static and dynamic techniques to transform programs and make them obey a given global policy. Colcombet and Fradet abstracted a program into a control flow graph, instrumented with annotations that keep track of the state of the global policy [Colcombet and Fradet 2000]. This is expressed by a finite state automaton, which is then minimized to remove the unnecessary tracking. Finally, the optimized control flow graph is converted back to a program, that is guaranteed to abort just before violating the global property. Marriott, Stuckey and Sulzmann over-approximated the run-time behaviour of a program through a context-free grammar [Marriott et al. 2003]. A finite-state automaton models the permitted resource usages. If the language generated by the grammar is not included in the language accepted by automaton, the program is instrumented with the local checks and the tracking operations needed to make it obey the policy. Both [Erlingsson and Schneider 1999] and [Thiemann 2003] specialise security automata to programs by inserting security checks into the object code generated by a compiler. The first paper reports on work on the field, and describes prototypes for the machine architectures Intelx86 and Java JVML. The second article faces the problem in the more abstract framework of the λ-calculus and exploits type specialization to also remove run-time operations on the security state. Unlike [Colcombet and Fradet 2000; Erlingsson and Schneider 1999; Marriott et al. 2003; Thiemann 2003], our λ[ ] also allows for local, parametric policies, and for dynamically created resources. In [Colcombet and Fradet 2000; Marriott et al. 2003] when a program cannot be statically proved to obey the global policy, it is instrumented with run-time checks that will abort its execution before the policy is violated. Although not presented here, we also proposed a similar approach in [Bartoletti et al. 2005a]. In [Walker 2000], static and dynamic techniques are combined with proof-carrying code [Necula 1997]. Security properties are specified by security automata [Bauer et al. 2002; Schneider 2000]. Types encode assertions about program security. When a security-unaware program is compiled, a centralized security policy tells where to insert local checks, in order to obtain provably-secure compiled code. An optimization phase follows: whenever a check is removed, it is replaced by a proof that the optimized code is still safe. Before executing a piece of code, a certified verifier ensures that it respects the centralized security policy. Thus, compilers are no longer required to belong to the trusted computing base. In [Besson et al. 2001; Besson et al. 2005], local checks are related with global policies, in the context of stack-based execution monitors. They developed a static technique to prove that local checks enforce a given global policy, and to characterize when a program can safely call a stack-inspecting method. Fong investigates shallow history automata, that can only record a finite approximation of the actual execution history [Fong 2004]. These automata can keep ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

41

track of the set of past access events, rather than the sequence of events. Although shallow history automata can express some interesting security properties, they are clearly less expressive than our usage policies. Wang, Takata and Seki propose a model for history-based access control [Wang et al. 2006]. They use control-flow graphs enriched with permissions and a primitive to check them, similarly to [Bartoletti et al. 2004]. The run-time permissions are the intersection of the static permissions of all the nodes visited in the past. The model-checking technique can decide in EXPTIME (in the number of permissions) if all the permitted traces of the graph respect a given regular property on its nodes. Unlike our local policies, that can enforce any regular policy on traces, the technique of [Wang et al. 2006] is less general, because there is no way to enforce a policy unless it is encoded as a suitable assignment of permissions to nodes. Our policy framings roughly resemble the scoped methods of Tan, Ou and Walker [Tan et al. 2003]. Their construct extends the Java source language by allowing programmers to limit the sequence of methods that may be applied to an object. A scoped method is annotated with a regular expression that describes the permitted sequences of access events. Methods must explicitly declare the sequence of events they may produce, while in our model these sequences are inferred by a type and effect system. 8.

CONCLUSIONS AND FUTURE WORK

We proposed a novel approach to the resource usage problem, within an extension of the λ-calculus that features access/creation of resources, and regular usage policies with a local scope. To efficiently enforce policies, we have exploited a two-step static analysis, resulting in a mixed approach to resource usage control. We defined a type and effect system that over-approximates the run-time behaviour of a program as a history expression. In spite of the augmented flexibility given by the nesting of policies scopes and by resource creation, we transformed history expressions so that model-checking their validity is decidable. When a history expression is valid, we can safely dispose the execution monitor. Otherwise, the soft-typing approach in [Bartoletti et al. 2005a] allows for substituting local checks for local policies, thus making the dynamic control of accesses efficient. The approach proposed in this paper has been pushed further in [Bartoletti et al. 2009] to design and implement an extension of the security mechanism of Java, based on history-based local policies. While most of the run-time checking and inference of types and effects had to be redesigned to cope with an object-oriented language like Java, the security model and the verification algorithm are exactly those presented here. Our preliminary experiments show our approach scalable to actual programming languages and realworld applications. We outline below some directions for future work. To improve the accuracy of types, we plan to relax the constraint that a single name can appear in pure types S. For instance, this will allow for the following typing judgements: ⊢ e = new x in new y in if b then x else y : νn. νn′ . {n, n′ }  new(n) · new(n′ ) ⊢ α(e) : 1  νn. νn′ . new(n) · new(n′ ) · (α(n) + α(n′ )) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

42

·

Massimo Bartoletti et al.

whereas in the current treatment, we would have the less precise judgements: ⊢ e : {?}  νn. νn′ . new(n) · new(n′ ) ⊢ α(e) : 1  νn. νn′ . new(n) · new(n′ ) · α(?) We conjecture that all the existing results are preserved by this extension, at the price of a more complex proof obligation (see Appendix C). A further improvement of the precision of our system would come from allowing subtyping of functional types. We plan to extend Definition 5.2 with the rule τ → ζ ⊑ τ ′ → ζ ′ if τ ′ ⊑ τ and ζ ⊑ ζ ′ (i.e. controvariant in the argument and covariant in the result). Consider for instance the following λ[ ] function: f = λx. (if b then λ. α else x); x With the current type and effect system, we have, for all pure types τ : ⊢ f (λ. β) : (τ → (1  α + β))  ε Note however that the function λ. α is discarded, and so we would like to have the following, more accurate, typing: ⊢ f (λ. β) : (τ → (1  β))  ε Subtyping of functional types would allow for such a typing, using the weakening: τ → (1  β) ⊑ τ → (1  α + β) within the typing judgement of f . This issue has been considered in [Skalka et al. 2008], and we feel their results can be also carried over our framework. To put our proposal at work, it is mandatory to design and implement a type and effect inference algorithm. We have some preliminary result, obtained by extending the inference algorithm in [Skalka et al. 2008], which however cannot handle creation of fresh resources. The language of history expressions has two simple extensions. The first consists in attaching policies to resources upon creation, similarly to [Igarashi and Kobayashi 2002]. The construct ν(n : ϕ). H is meant to enforce the policy ϕ on the freshly created resource. An encoding into λ[ ] is possible. First, the whole history expression has to be sandboxed with the policy ϕν (x), obtained from ϕ(x) by adding a new initial state qν and an edge labelled check (x ) from qν to the old initial state. The encoding then transforms ν(n : ϕ). H into νn. check(n) · H. The second extension consists in allowing parallel history expressions H|H ′ , which come at hand when modelling multi-threaded programs. Model-checking is still possible by transforming history expressions into Basic Parallel Processes [Christensen 1993] instead of BPAs. However, the time complexity becomes exponential in the number of parallel branches [Mayr 1998]. A further research direction consists in extending λ[ ] to a distributed setting, to study secure discovery and orchestration of services. Some preliminary work on this line has been done in [Bartoletti et al. 2005b; 2006], where services are modelled as computational units that may invoke each others through a call-by-contract ϕ primitive req τ − → τ ′ . To match such a contract, the invoked service must have type τ → τ ′ , and it must also guarantee that all the histories it generates obey the ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

43

policy ϕ. Our previous work needs to be extended by considering resource creation and usage policies with parameters. ELECTRONIC APPENDIX The electronic appendix for this article can be accessed in the ACM Digital Library by visiting the following URL: http://www.acm.org/pubs/citations/ journals/toplas/20--/p1-URLend. Below, we summarise the contents of the four appendixes. The Appendix A contains some typing examples. The Appendix B has some auxiliary definitions and lemmata, along with their proofs, that are needed for proving the main theorems of the paper. The Appendix C establishes that an expression with a valid effect will violate no security policy at run-time. Besides some technical results about types and effects, it translates expressions with security framings into expressions with framing events, preserving the semantics. We then define a big-step operational semantics for λ[ ] , and prove it equivalent to the small-step semantics. Using the big-step semantics we prove subject reduction, the correctenss of effects (Theorem 5.4) and type safety (Theorem 5.5). The Appendix D proves the correctness of our verification method (Theorem 6.13). After a few technical results (correctness of regularization of history expressions in Definition 6.3 and of redundant framings elimination in Theorem 6.4), we prove that validity of histories amounts to acceptance by the relevant framed policy automaton (through Lemmata 3.4 and 6.6). Finally, we show that history expressions are bisimilar to their related BPAs. ACKNOWLEDGMENTS

The authors warmly thank the anonymous referees for their comments and suggestions. REFERENCES Bartoletti, M. 2009. Usage automata. In Workshop on Issues in the Theory of Security, York, UK. Lecture Notes in Computer Science, vol. 5511. Springer, Berlin, 52–69. Bartoletti, M., Costa, G., Degano, P., Martinelli, F., and Zunino, R. 2009. Securing Java with local policies. Journal of Object Technology 8, 4, 5–32. Bartoletti, M., Degano, P., and Ferrari, G.-L. 2004. Stack inspection and secure program transformations. International Journal of Information Security 2, 3-4, 187–217. Bartoletti, M., Degano, P., and Ferrari, G.-L. 2005a. Checking risky events is enough for local policies. In Proceedings of the 9th Italian Conference on Theoretical Computer Science (ICTCS), 2005, Siena, Italy, October 12-14, 2005. Lecture Notes in Computer Science, vol. 3701. Springer, Berlin, 97–112. Bartoletti, M., Degano, P., and Ferrari, G.-L. 2005b. Enforcing secure service composition. In Proceedings of the 18th IEEE Computer Security Foundations Workshop, (CSFW-18), 2022 June 2005, Aix-en-Provence, France. IEEE Computer Society, Los Alamitos, 211–223. Full version to appear in Journal of Computer Security. Bartoletti, M., Degano, P., and Ferrari, G.-L. 2005c. History based access control with local policies. In Proceedings of the 8th Foundations of Software Science and Computational Structures, FOSSACS 2005, Edinburgh, UK, April 4-8, 2005. Lecture Notes in Computer Science, vol. 3441. Springer, Berlin, 316–332. Bartoletti, M., Degano, P., and Ferrari, G.-L. 2006. Types and effects for secure service orchestration. In Proceedings of the 19th IEEE Computer Security Foundations Workshop, (CSFW-19), 5-7 July 2006, Venezia, Italy. IEEE Computer Society, Los Alamitos, 57–69. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

44

·

Massimo Bartoletti et al.

Bartoletti, M., Degano, P., Ferrari, G.-L., and Zunino, R. 2007. Types and effects for resource usage analysis. In Proceedings of the 10th Foundations of Software Science and Computational Structures, FOSSACS 2007, Braga, Portugal, March 24-April 1, 2007. Lecture Notes in Computer Science, vol. 4423. Springer, Berlin, 32–47. Bartoletti, M., Degano, P., Ferrari, G. L., and Zunino, R. 2008. Model checking usage policies. In Proceedings of the 4th Trustworthy Global Computing, Barcelona, Spain. Lecture Notes in Computer Science, vol. 5474. Springer, Berlin, 19–35. Bartoletti, M. and Zunino, R. 2008. LocUsT: a tool for checking usage policies. Tech. Rep. TR-08-07, Dip. Informatica, Univ. Pisa, available at http://compass2.di.unipi.it/TR/Files/TR08-07.pdf.gz. Bauer, L., Ligatti, J., and Walker, D. 2002. More enforceable security policies. In Proceedings of the Workshop on Foundations of Computer Security (FCS). Bauer, L., Ligatti, J., and Walker, D. 2005. Composing security policies with Polymer. In Proceedings of the ACM SIGPLAN 2005 Conference on Programming Language Design and Implementation (PLDI), Chicago, IL, USA, June 12-15, 2005. ACM, New York, 305–314. Bergstra, J. A. and Klop, J. W. 1985. Algebra of communicating processes with abstraction. Theor. Comput. Sci. 37, 77–121. Besson, F., de Grenier de Latour, T., and Jensen, T. P. 2005. Interfaces for stack inspection. Journal of Functional Programming 15, 2, 179–217. ´tayer, D. L., and Thorn, T. 2001. Model checking security Besson, F., Jensen, T. P., Me properties of control flow graphs. Journal of Computer Security 9, 3, 217–250. Bradfield, J. C. 1996. On the expressivity of the modal mu-calculus. In Proceedings of the STACS 96, 13th Annual Symposium on Theoretical Aspects of Computer Science, Grenoble, France, February 22-24. Lecture Notes in Computer Science, vol. 1046. Springer, Berlin, 479– 490. Chaki, S., Rajamani, S. K., and Rehof, J. 2002. Types as models: model checking messagepassing programs. In Proceedings of the 29th Annual Symposium on Principles of Programming Languages, POPL. ACM, New York, 45–57. Christensen, S. 1993. Decidability and decomposition in process algebras. Ph.D. thesis, Edinburgh University. Colcombet, T. and Fradet, P. 2000. Enforcing trace properties by program transformation. In Proceedings of the 27th Annual Symposium on Principles of Programming Languages, POPL. ACM, New York, 54–66. Dam, M. 1997. On the decidability of process equivalences for the pi-calculus. Theor. Comput. Sci. 183, 2, 215–228. Erlingsson, U. and Schneider, F. B. 1999. SASI enforcement of security policies: a retrospective. In Proceedings of the 1999 Workshop on New security paradigms. ACM, New York, 87–95. Esparza, J. 1994. On the decidability of model checking for several µ-calculi and Petri nets. In Proceedings of the 19th Int. Colloquium on Trees in Algebra and Programming (CAAP’94), Edinburgh, U.K., April 11-13, 1994. Lecture Notes in Computer Science, vol. 787. Springer, Berlin, 115–129. Fong, P. W. 2004. Access control by tracking shallow execution history. In Proceedings of the IEEE Symposium on Security and Privacy (S&P 2004), 9-12 May 2004, Berkeley, CA, USA. IEEE Computer Society, Los Alamitos, 43–55. Fournet, C. and Gordon, A. D. 2003. Stack inspection: theory and variants. ACM Transactions on Programming Languages and Systems 25, 3, 360–399. Hamlen, K. W., Morrisett, J. G., and Schneider, F. B. 2006. Computability classes for enforcement mechanisms. ACM Trans. Program. Lang. Syst. 28, 1, 175–205. Igarashi, A. and Kobayashi, N. 2002. Resource usage analysis. In Proceedings of the 29th Annual Symposium on Principles of Programming Languages, POPL. ACM, New York, 331–342. Iwama, F., Igarashi, A., and Kobayashi, N. 2006. Resource usage analysis for a functional language with exceptions. In Proceedings of the ACM SIGPLAN Workshop on Partial EvalACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

45

uation and Semantics-based Program Manipulation, 2006, Charleston, South Carolina, USA, January 9-10, 2006. ACM, New York, 38–47. Kobayashi, N. 2003. Time regions and effects for resource usage analysis. In Proceedings of the ACM SIGPLAN International Workshop on Types in Languages Design and Implementation, (TLDI). ACM, New York, 50–61. Kozen, D. 1983. Results on the propositional µ-calculus. Theoretical Computer Science 27, 333–354. Marriott, K., Stuckey, P. J., and Sulzmann, M. 2003. Resource usage verification. In Proceedings of the First Asian Symposium on Programming Languages and Systems, APLAS 2003, Beijing, China, November 27-29, 2003. Lecture Notes in Computer Science, vol. 2895. Springer, Berlin, 212–229. Mayr, R. 1998. Decidability and complexity of model checking problems for infinite-state systems. Ph.D. thesis, Technischen Universit¨ at M¨ unchen. Milner, R., Parrow, J., and Walker, D. 1992. A Calculus of Mobile Processes, I and II. Information and Computation 100, 1 (September), 1–40,41–77. Necula, G. C. 1997. Proof-carrying code. In Proceedings of the 24th Annual Symposium on Principles of Programming Languages, POPL. ACM, New York, 106–119. Nielson, H. R. and Nielson, F. 1994. Higher-order concurrent programs with finite communication topology. In Proceedings of the 21st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL. ACM, New York. Schneider, F. B. 2000. Enforceable security policies. ACM Transactions on Information and System Security (TISSEC) 3, 1, 30–50. Skalka, C. 2005. Trace effects and object orientation. In Proceedings of the 7th International ACM SIGPLAN Conference on Principles and Practice of Declarative Programming, PPDP, July 11-13 2005, Lisbon, Portugal. ACM, New York, 139–150. Skalka, C. and Smith, S. 2004. History effects and verification. In Proceedings of the Second Asian Symposium on Programming Languages and Systems, APLAS 2004, Taipei, Taiwan, November 4-6, 2004. Lecture Notes in Computer Science, vol. 3302. Springer, Berlin, 107–128. Skalka, C., Smith, S., and Horn, D. V. 2008. Types and trace effects of higher order programs. Journal of Functional Programming 18, 2, 179–249. Talpin, J.-P. and Jouvelot, P. 1992. Polymorphic type, region and effect inference. Journal of Functional Programming 2, 3, 245–271. Tan, G., Ou, X., and Walker, D. 2003. Resource usage analysis via scoped methods. In Proceedings of the Foundations of Object-Oriented Languages. Thiemann, P. 2003. Program specialization for execution monitoring. Journal of Functional Programming 13, 3, 573–600. Walker, D. 2000. A type system for expressive security policies. In Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM, New York, 254–267. Wallach, D. S., Appel, A. W., and Felten, E. W. 2000. SAFKASI: a security mechanism for language-based systems. ACM Transactions on Software Engineering and Methodology 9, 4, 341–378. Wang, J., Takata, Y., and Seki, H. 2006. HBAC: A model for history-based access control and its model checking. In 11th European Symposium on Research in Computer Security – ESORICS 2006, Hamburg, Germany, September 18-20, 2006. Lecture Notes in Computer Science, vol. 4189. Springer, Berlin, 263–278.

Received September 2008; accepted February 2009

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

Local Policies for Resource Usage Analysis

App–1

This document is the online-only appendix to:

Local Policies for Resource Usage Analysis MASSIMO BARTOLETTI Universit`a degli Studi di Cagliari, and Universit`a di Pisa PIERPAOLO DEGANO and GIAN-LUIGI FERRARI Universit`a di Pisa and ROBERTO ZUNINO Universit`a degli Studi di Trento ACM Transactions on Programming Languages and Systems, Vol. , No. , 20, Pages 1–45.

A. TYPING EXAMPLES In the following examples, we will abbreviate newκ(γ) (n) with new(n), when unambiguous. We will sometimes omit the application of T-Var. Also, we will silently weaken H to H ′ when H = H ′ . Example A.1. Let eA.1 = if b then λz x. α else λz x. α′ . Recall that 0-adic events like α are intended to act on a fixed, static resource with the capability α. Let τA.1 = 1 → (1  α + α′ ), and let ∆′ = {x : 1, z : τA.1 }. Then, we have the following typing derivation: T-Ev

∆′ ⊢ α : 1  α ′ ∆ ⊢ α : 1  α + α′ ∅ ⊢ λz x. α : τA.1  ε

T-Ev

T-Wk T-Abs T-If

∆′ ⊢ α′ : 1  α′ ∆ ⊢ α′ : 1  α + α′ ∅ ⊢ λz x. α′ : τA.1  ε

T-Wk T-Abs

′

∅ ⊢ eA.1 : τA.1  ε

A.1A

Example A.2. Let eA.2 = λg x. if b′ then ∗ else ϕ[g(eA.1 x)]. Let H = µh. ε + ϕ[(α + α′ ) · h], and let ∆ = {g : 1 → (1  H), x : 1}. We have the following derivations: A.1A T-Var

T-App T-App T-Fr

∆ ⊢ eA.1 : τA.1  ε ∆⊢x:1ε ∆ ⊢ eA.1 x : 1  α + α′ ∆ ⊢ g(eA.1 x) : 1  (α + α′ ) · H

∆ ⊢ ϕ[g(eA.1 x)] : 1  ϕ[(α + α′ ) · H]

A.2B

Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. c 20 ACM 0164-0925/20/0500-0001 $5.00

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–2

Massimo Bartoletti et al.

A.2B ∆⊢∗:1ε T-If ∆ ⊢ if b′ then ∗ else ϕ[g(eA.1 x)] : 1  ε + ϕ[(α + α′ ) · H] T-Wk ∆ ⊢ if b′ then ∗ else ϕ[g(eA.1 x)] : 1  H T-Unit

T-Abs

∅ ⊢ eA.2 : 1 → (1  H)  ε Example A.3. Let eA.3 = α(new x : γ in if b then x else r), with α ∈ γ ∩ γ ′ , where γ ′ = Γ(r). In the desugared syntax, eA.3 is equivalent to: (λz. α(z)) (λx. if b then x else r)(new γ) Let A.3A be the following typing derivation: ∆; x : ({n}, γ) ⊢ x : ({n}, γ)  ε

∆; x : ({n}, γ) ⊢ r : {(r, γ ′ )}  ε

∆; x : ({n}, γ) ⊢ x : ({n, r}, γ ∩ γ ′ )  ε ∆; x : ({n}, γ) ⊢ r : ({n, r}, γ ∩ γ ′ )  ε ∆; x : ({n}, γ) ⊢ if b then x else r : ({n, r}, γ ∩ γ ′ )  ε ∆ ⊢ (λx. if b then x else r) : ({n}, γ) → (({n, r}, γ ∩ γ ′ )  ε)  ε Let then A.3B be the following typing derivation: A.3A T-App

∆ ⊢ new γ : νn. ({n}, γ)  new(n)

∆ ⊢ (λx. if b then x else r)(new γ) : νn. ({n, r}, γ ∩ γ ′ )  new(n)

Then, we have the following typing derivation: ∆; z : ({n, r}, γ ∩ γ ′ ) ⊢ α(z) : 1  α(n) + α(r) T-Abs T-App

∆ ⊢ λz. α(z) : ({n, r}, γ ∩ γ ′ ) → (1  α(n) + α(r))  ε

A.3B

∆ ⊢ eA.3 : νn. 1  new(n) · (α(n) + α(r)) A.0.0.1

Notation. Hereafter, we shall omit the capabilities in types and effects.

Example A.4. Let eA.4 = let f = (λx. new y : γ in α(y); y) in α′ (f ∗; f ∗). In the desugared syntax, we write eA.4 as follows: eA.4A = λw. f ∗ eA.4B = eA.4A (f ∗) eA.4C = λf. (λz. α′ (z)) eA.4B eA.4D = λy. (λ. y)α(y) eA.4 = eA.4C ((λx. eA.4D ) new γ) Let τf = 1 → νn. ({n}  new(n) · α(n)), and let ∆ = f : τf . Let A.4A be the following typing derivation: ∆; w : {n′ } ⊢ f : τf  ε T-App T-Abs

∆; w : {n′ } ⊢ ∗ : 1  ε

∆; w : {n′ } ⊢ f ∗ : νn. {n}  new(n) · α(n)

∆ ⊢ eA.4A : {n′ } → (νn. {n}  new(n) · α(n))  ε

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–3

Let then A.4B be the following typing derivation: A.4A T-App

∆ ⊢ f : τf  ε T-App

∆⊢∗:1ε

∆ ⊢ f ∗ : νn′ . {n′ }  new(n′ ) · α(n′ )

∆ ⊢ eA.4B : ν{n, n′ }. {n}  new(n′ ) · α(n′ ) · new(n) · α(n)

Let ζA = ν{n, n′ }. {n}  new(n′ ) · α(n′ ) · new(n) · α(n). Then, let A.4C be the following typing derivation: T-Ev

∆; z : {n} ⊢ α′ (z) : 1  α′ (n) A.4B ∆ ⊢ (λz. α′ (z)) : {n}  (1  α′ (n))  ε T-App ∆ ⊢ (λz. α′ (z)) eA.4B : ν{n, n′ }. 1  new(n′ ) · α(n′ ) · new(n) · α(n) · α′ (n) T-Abs

T-Abs

⊢ eA.4C : τf → (ν{n, n′ }. 1  new(n′ ) · α(n′ ) · new(n) · α(n) · α′ (n))  ε

Let ∆xy = x : 1; y : {n}. Then, let A.4D be the following typing derivation: ∆xy ⊢ (λ. y) : 1 → {n}  ε T-App

∆xy ⊢ α(y) : 1  α(n)

∆xy ⊢ (λ. y) α(y) : {n}  α(n)

T-Abs

x : 1 ⊢ eA.4D : {n} → ({n}  α(n))  ε In conclusion, we have that: A.4D

T-New

x : 1 ⊢ new γ : νn.{n}  new(n) x : 1 ⊢ eA.4D (new γ) : νn. {n}  new(n) · α(n) ⊢ λx. eA.4D (new γ) : 1 → (νn. {n}  new(n) · α(n))  ε T-App

A.4C T-App

T-Abs

⊢ eA.4 : 1  ν{n, n′ }. new(n′ ) · α(n′ ) · new(n) · α(n) · α′ (n)

Example A.5. Let eA.5 = let g = (new y : γ in λx. α(y); y) in α′ (g∗; g∗). In the desugared syntax, we write eA.5 as: (λg. (λz.α′ (z)) ((λw. g∗)g∗)) ((λy. λx. ((λ. y)α(y))) new γ) Let τg = 1 → ({n}  α(n)), and let ∆ = g : τg . Then, let A.5A be the following typing derivation: T-Var T-App

∆ ⊢ g : τg  ε

T-Unit

∆⊢∗:1ε

∆ ⊢ g∗ : {n}  α(n) Let then A.5B be the following typing derivation: T-Var T-App T-Abs T-App

T-Unit

∆; w : {n} ⊢ g : τg  ε ∆; w : {n} ⊢ ∗ : 1  ε ∆; w : {n} ⊢ g∗ : {n}  α(n) ∆ ⊢ λw. g∗ : {n} → ({n}  α(n))  ε

A.5A

∆ ⊢ (λw. g∗) g∗ : {n}  α(n) · α(n) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–4

Massimo Bartoletti et al.

Let then A.5C be the following typing derivation:

T-Ev

∆; z : {n} ⊢ α′ (z) : 1  α′ (n) A.5B ∆ ⊢ λz.α′ (z) : {n} → (1  α′ (n))  ε T-App ∆ ⊢ (λz.α′ (z)) ((λw. g∗)g∗) : 1  α(n) · α(n) · α′ (n) T-Abs

T-Abs

⊢ λg. (λz.α′ (z)) ((λw. g∗)g∗) : τg → (1  α(n) · α(n) · α′ (n))  ε

Let A.5D be the following typing derivation:

T-Abs T-App T-Abs T-Abs

T-Ev

y : {n}; x : 1 ⊢ λ. y : 1 → {n}  ε y : {n}; x : 1 ⊢ α(y) : 1  α(n) y : {n}; x : 1 ⊢ (λ. y)α(y) : {n}  α(n) y : {n} ⊢ λx. ((λ. y)α(y)) : 1 → ({n}  α(n))  ε

⊢ λy. λx. ((λ. y)α(y)) : ({n} → (1 → ({n}  α(n))  ε))  ε In conclusion, we have that: A.5D

A.5C T-App

T-App

T-New

⊢ new γ : νn. {n}  new(n) ⊢ (λy. λx. ((λ. y)α(y))) new γ : νn. τg  new(n)

⊢ eA.5 : 1  νn. new(n) · α(n) · α(n) · α′ (n)

Example A.6. Let eA.6 = (λz x. new x : γ in if b then α(x) else α′ (x); zx) ∗, with α, α′ ∈ γ. In the desugared syntax, eA.6 is written as: eA.6A = (λw. zx) α′ (y) eA.6B = λy.if b then α(y) else eA.6A eA.6C = eA.6B (new γ) eA.6 = (λz x. eA.6C ) ∗ Let H = µh. νn. new(n) · (α(n) + α′ (n) · h), and let ∆ = {z : 1 → (1  H); x : 1}, and let ∆′ = ∆; y : {(n, γ)}. Let A.6A be the following typing derivation:

T-App

T-Abs T-App T-Wk

∆′ ; w : 1 ⊢ zx : 1  H T-Ev ∆′ ⊢ λw. zx : 1 → (1  H)  ε ∆′ ⊢ α′ (y) : 1  α′ (n) ′ ′ ′ ∆ ⊢ (λw. zx) α (y) : 1  α (n) · H ∆′ ⊢ eA.6A : 1  α(n) + α′ (n) · H

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–5

Let then A.6B be the following typing derivation: T-Ev

∆′ ⊢ α(y) : 1  α(n) A.6A ∆ ⊢ α(y) : 1  α(n) + α′ (n) · H T-If ∆′ ⊢ if b then α(y) else eA.6A : 1  α(n) + α′ (n) · H T-Wk

T-Abs

′

∆ ⊢ eA.6B : {n} → (1  α(n) + α′ (n) · H)  ε

Let then A.6C be the following typing derivation: A.6B

T-App T-Wk

T-New

∆ ⊢ new γ : νn. {n}  new(n) ∆ ⊢ eA.6B (new γ) : 1  νn. new(n) · (α(n) + α′ (n) · H) ∆ ⊢ eA.6C : 1  H

In conclusion, we have that: A.6C T-Abs T-App

⊢ λz x. eA.6C : 1 → (1  H)  ε

T-Unit

⊢∗:1ε

⊢ eA.6 : 1  H Example A.7. Let eA.7 = α((λz x. new y : γ in if b then y else α′ (y); zx) ∗), with α, α′ ∈ γ. In the desugared syntax, eA.7 is written as follows: eA.7A = (λu. zx) α′ (y) eA.7B = λy. if b then y else eA.7A eA.7C = (λz x. eA.7B (new γ)) ∗ eA.7 = (λw. α(w)) eA.7C Let H = µh. νn. new(n) · (ε + α′ (n) · h), let ∆ = {x : 1; z : 1 → ({?}  H)}, and ∆′ = ∆; y : {n}. Let A.7A be the following typing derivation: T-App

T-Abs T-App T-Wk

∆′ ; u : 1 ⊢ zx : {?}  H T-Ev ∆′ ⊢ λu. zx : 1 → ({?}  H)  ε ∆′ ⊢ α′ (y) : 1  α′ (n) ′ ′ ∆ ⊢ eA.7A : {?}  α (n) · H ∆′ ⊢ eA.7A : {?}  ε + α′ (n) · H

Let then A.7B be the following typing derivation: T-Var

∆′ ⊢ y : {n}  ε A.7A ∆′ ⊢ y : {?}  ε + α′ (n) · H T-If ∆′ ⊢ if b then y else eA.7A : {?}  ε + α′ (n) · H T-Wk

T-Abs

∆ ⊢ eA.7B : {n} → ({?}  ε + α(n) · H)  ε ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–6

·

Massimo Bartoletti et al.

Let A.7C be the following typing derivation (the use of

A.7B

T-App T-Wk T-Abs T-App

T-Unit

is omitted):

T-Ev

∆ ⊢ new γ : νn. {n}  new(n) ∆ ⊢ eA.7B (new γ) : {?}  νn. new(n) · (ε + α(n) · H) ∆ ⊢ eA.7B (new γ) : {?}  H ⊢ λz x. eA.7B (new γ) : 1 → ({?}  H)  ε ⊢ eA.7C : {?}  H

In conclusion, we have that:

T-Ev

T-Abs T-App

w : {?} ⊢ α(w) : 1  α(?) ⊢ λw. α(w) : {?} → (1  α(?))  ε

A.7C

⊢ eA.7 : 1  H · α(?)

B. PROOFS: HISTORY EXPRESSIONS In this appendix we slightly extend the syntax of history expressions, so to observe the finite prefixes of possibly non-terminating recursions. We shall use the special event ! in trailing position to truncate a history. In Definition B.1 we refine the operational semantics of history expressions given in Definition 4.4, so to explicitly account for the ! event. We also use a set R to keep track of the dynamic resources already used in the previous steps of a computation. In Definition B.11 we provide history expressions with a denotational semantics, based on continuous functions on complete partial orders. Two basic semantic operations,  in Definition B.9 and ⊔, are used for concatenating and joining semantics. The semantic domain results to be a semi-ring. As expected, two =-equivalent history expressions have the same semantics. The first main result of this appendix is Theorem B.29, that shows the two semantics fully abstract. The second result is Theorem B.35; it states that the subeffecting relation between two history expressions preserves the inclusion of their semantics. To prove these results, a number of intermediate definitions and lemmata are necessary, the proofs of which are contained herewith. B.1

Operational semantics of history expressions

Remark B.1. To simplify the proof of full abstraction, hereafter we shall extend history expressions with the nullary constructor !, that models a non-terminated computation. We assume that η !η ′ = η !, for all histories η and η ′ . Hereafter, we shall only consider the operational semantics of Definition B.1, instead of Definition 4.4. However, it is easy to see that the two semantics agree on the histories not truncated by !. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–7

Definition B.1. Operational semantics of history expressions The operational semantics JHKop of a history expression H is a function from finite set of resources to sets of histories, and it is defined below. We first inductively a introduce an auxiliary labelled transition relation H, R − → H ′ , R′ . α(ρ)

ε

ε · H, R − → H, R

α(ρ), R −−−→ ε, R

if ρ ∈ Res ∪ {?}

a

H, R − → H ′′ , R′′

ε

νn. H, R − → H{r/n}, R ∪ {r}

a

H · H ′, R − → H ′′ · H ′ , R′′ ε

ε

H + H ′, R − → H, R ε

if r 6∈ R

H + H ′, R − → H ′, R

µh. H, R − → H{µh. H/h}, R

!

H, R − → !, R

The operational semantics JHKop (R) is then defined as follows: η

η!

JHKop (R) = { η | H, R − → ε, R′ } ∪ { η! | H, R −→ H ′ , R′ and ! 6∈ η }

Definition B.2. For all histories η we define R(η) inductively as follows:

R(ε) = {↓}

( R(η) ∪ {r} R(η α(ρ)) = R(η)

if ρ = r and ! 6∈ η if ρ =?

R(η !) = R(η) \ {↓}

We now define the function R(H), that computes the set of resources mentioned in H and reachable in some computations of H. To do that, R(H) performs a sort of reachability analysis, e.g. R(α(r) · (µh. h) · α(r′ )) contains r but not r′ , since the non-terminating loop µh. h makes α(r′ ) unreachable. Having ↓∈ R(H), means that H allows for some terminating computations. The function T(H) defined below exploits this fact to characterize the processes that may terminate. Note that we can safely replace the R(H) in Definition 6.9 with the more precise R(H) defined below (joined with # and ). ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–8

·

Massimo Bartoletti et al.

Definition B.3. For all history expression H and for all function Θ from history variables h to Res ∪ {↓}, we define RΘ (H) inductively as follows: RΘ (ε) = {↓} RΘ (h) = Θ(h)   {r, ↓} RΘ (α(ρ)) = ∅   {↓}

if ρ = r if ρ ∈ Nam if ρ = ?

RΘ (νn. H) = RΘ (H) ( (RΘ (H) \ {↓}) ∪ RΘ (H ′ ) if ↓ ∈ RΘ (H) ′ RΘ (H · H ) = RΘ (H) otherwise RΘ (H + H ′ ) = RΘ (H) ∪ RΘ (H ′ ) RΘ (µh. H) = RΘ{TΘ{∅/h} (H)/h} (H) RΘ (!) = ∅ where we define TΘ (H) = {↓} ∩ RΘ (H). Example B.1. Let H = µh. νn. h · α(r) + α(n). Then: R∅ (H) = R{T{∅/h} (νn. h·α+α(n))/h} (νn. h · α(r) + α(n)) since T{∅/h} (νn. h · α(r) + α(n)) = T{∅/h} (h · α(r)) ∪ T{∅/h} (α(n)) = {↓}, then: = R{{↓}/h} (νn. h · α(r) + α(n)) = R{{↓}/h} (h · α(r)) ∪ R{{↓}/h} (α(n)) and, since ↓∈ R{{↓}/h} (h) = {↓}: = R{{↓}/h} (h) ∪ R{{↓}/h} (α(r)) ∪ {↓} = {↓, r} Lemma B.4. For all H and Θ, we have that TΘ (H) equals to: {↓} {↓} ∩ Θ(h)

if H = ε or H = α(ρ) with ρ ∈ Res ∪ {?} if H = h

∅ TΘ (H ′ )

if H = ! or H = α(ρ) with ρ ∈ Nam if H = νn. H ′

TΘ (H0 ) ∩ TΘ (H1 ) TΘ (H0 ) ∪ TΘ (H1 )

if H = H0 · H1 if H = H0 + H1

TΘ{∅/h} (H ′ )

if H = µh. H ′

Proof. Straightforward structural induction. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–9

Lemma B.5. For all H, h, R, R′ , Θ: (5a)

R ⊆ R′ =⇒ TΘ{R/h} (H) ⊆ TΘ{R′ /h} (H)

(5b) (5c)

TΘ (H) = TΘ{TΘ (h)/h} (H) TΘ{TΘ{∅/h} (H)/h} (H) = TΘ{∅/h} (H)

(5d)

R ⊆ R′ =⇒ RΘ{R/h} (H) ⊆ RΘ{R′ /h} (H)

(5e) (5f)

RΘ (H) ⊆ RΘ{TΘ (h)/h} (H) ∪ Θ(h) RΘ (µh. H) = RΘ{RΘ (µh. H)/h} (H)

Proof. The item (5a) is implied by (5d). The item (5b) is a straightforward induction on the size of H. Since TΘ{∅/h} (H) can only take either value ∅ or {↓}, to prove (5c) it suffices to consider these two cases. If TΘ{∅/h} (H) = ∅, then TΘ{TΘ{∅/h} (H)/h} (H) = TΘ{∅/h} (H), which is the thesis. Otherwise TΘ{∅/h} (H) = {↓}, and so TΘ{TΘ{∅/h} (H)/h} (H) = TΘ{{↓}/h} (H) ⊇ TΘ{∅/h} (H) (the last inclusion is by (5a), since {↓} ⊇ ∅). The item (5d) can be easily proved by induction on the size of H. For (5e), we proceed by induction on the size of H. —if H = ε, H = α(ρ) or H = !, trivial. —if H = h′ , there are two subcases. If h′ = h, then: RΘ (h) = Θ(h) ⊆ RΘ{TΘ (h)/h} (h) ∪ Θ(h) ′

If h 6= h, then: RΘ (h′ ) = Θ(h′ ) = RΘ{TΘ (h)/h} (h′ ) ⊆ RΘ{TΘ (h)/h} (h′ ) ∪ Θ(h) —if H = νn. H ′ , then by the induction hypothesis: RΘ (νn. H ′ ) = RΘ (H ′ ) ⊆ RΘ{TΘ (h)/h} (H ′ ) ∪ Θ(h) = RΘ{TΘ (h)/h} (νn. H ′ ) ∪ Θ(h) —if H = H0 · H1 , there are two subcases. If TΘ (H0 ) = {↓}, then: RΘ (H0 · H1 ) = (RΘ (H0 ) \ {↓}) ∪ RΘ (H1 ) and by the induction hypothesis: ⊆ (RΘ{TΘ (h)/h} (H0 ) \ {↓}) ∪ RΘ{TΘ (h)/h} (H1 ) ∪ Θ(h) by (5b), TΘ{TΘ (h)/h} (H0 ) = TΘ (H0 ) = {↓}, thus: = RΘ{TΘ (h)/h} (H0 · H1 ) ∪ Θ(h) If TΘ (H0 ) = ∅, then: RΘ (H0 · H1 ) = RΘ (H0 ) and by the induction hypothesis: ⊆ RΘ{TΘ (h)/h} (H0 ) ∪ Θ(h) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–10

·

Massimo Bartoletti et al.

by (5b), TΘ{TΘ (h)/h} (H0 ) = TΘ (H0 ) = ∅, thus: = RΘ{TΘ (h)/h} (H0 · H1 ) ∪ Θ(h) —if H = H0 + H1 , trivial application of the induction hypothesis. —if H = µh′ . H ′ , there are two subcases. If h′ = h, let Θ′ = Θ{TΘ (h)/h}. Then: RΘ (µh. H ′ ) = RΘ{TΘ{∅/h} (H ′ )/h} (H ′ ) = RΘ′ {TΘ{∅/h} (H ′ )/h} (H ′ ) = RΘ′ {TΘ′ {∅/h} (H ′ )/h} (H ′ ) = RΘ′ (µh. H ′ ) ⊆ RΘ′ (µh. H ′ ) ∪ Θ(h) If h′ 6= h, let Θ′ = Θ{TΘ{∅/h′ } (H ′ )/h′ }. Then: RΘ (µh. H ′ ) = RΘ′ (H ′ ) by the induction hypothesis: ⊆ RΘ′ {TΘ′ (h)/h} (H ′ ) ∪ Θ(h) since Θ′ (h) = Θ(h) then TΘ′ (h) = TΘ (h), and so: = RΘ{TΘ (h)/h}{TΘ{∅/h′ } (H ′ )/h′ } (H ′ ) ∪ Θ(h) let Θ′′ = Θ{TΘ (h)/h}. Then, TΘ′′ {∅/h′ } (H ′ ) = TΘ{TΘ (h)/h}{∅/h′ } (H ′ ) = TΘ{∅/h′ }{TΘ{∅/h′ } (h)/h} (H ′ ) = TΘ{∅/h′ } (H ′ ), and so: = RΘ{TΘ (h)/h}{TΘ′′ {∅/h′ } (H ′ )/h′ } (H ′ ) ∪ Θ(h) = RΘ{TΘ (h)/h} (µh′ . H ′ ) ∪ Θ(h) For (5f), we have that: RΘ (µh. H) = RΘ{TΘ{∅/h} (H)/h} (H) by Lemma 5d: ⊆ RΘ{RΘ{∅/h} (H)/h} (H) again, by Lemma 5d: ⊆ RΘ{RΘ{T

Θ{∅/h} (H)/h}

(H)/h} (H)

= RΘ{RΘ (µh. H)/h} (H) by Lemma 5e: ⊆ RΘ{{↓}∩RΘ (µh. H)/h} (H) ∪ RΘ (µh. H) = RΘ{TΘ (µh. H)/h} (H) ∪ RΘ (µh. H) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–11

by Lemma B.4: = RΘ{TΘ{∅/h} (H)/h} (H) ∪ RΘ (µh. H) = RΘ (µh. H)

Lemma B.6. For all history expressions H, finite set of resources R, R′ , and for all histories η: η ∈ JHKop (R) =⇒ (R \ R∅ (H)) ∩ R(η) = ∅ R ⊆ R′ =⇒ JHKop (R) ⊇ JHKop (R′ )

(6a) (6b)

Proof. The item (a) follows by a simple inspection of the rules in Definition B.1. The item (b) is straightforward by induction on the size of H. The only relevant rule is that for νn. H, for which we have: [ Jνn. HKop (R) = JH{r/n}Kop (R ∪ {r}) r6∈R

⊇

[

JH{r/n}Kop (R′ ∪ {r})

by the induction hypothesis

r6∈R

⊇

[

JH{r/n}Kop (R′ ∪ {r})

r6∈R′

= Jνn. HKop (R′ ) which concludes the proof. Lemma B.7. (7a)

η

if H, R − → H ′ , R′ and r 6∈ R′ , then: η

H, R ∪ {r} − → H ′ , R′ ∪ {r} (7b)

η

if H{r/n}, R − → ε, R′ , and r 6∈ R(η), r′ 6∈ R′ , then: η

H{r′ /n}, R{r′ /r} − → ε, R′ {r′ /r} Proof. The item (7a) is easy by induction on the number of transitions. For (7b), we proceed by induction on the number of transitions. In the base case there are zero transitions and the thesis trivially holds. Otherwise, let σ = {r′ /r}. We consider the following exhaustive cases. —if H = α(ρ), there are the following subcases: —If ρ ∈ Res, there are two subcases. If ρ = r¯ and r¯ = r, then r ∈ R(η), so contradicting the hypothesis. If ρ = r¯ and r¯ 6= r, trivial. —if ρ ∈ Nam, then ρ = n, otherwise H{r/n} 6→ ε, R′ , which contradicts the hypothesis. Thus, η = α(r), so contradicting r 6∈ R(η). —if ρ =?, trivial. —if H = !, contradiction with the hypothesis. ¯ then we consider two further subcases. —if H = νm. H, ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–12

Massimo Bartoletti et al.

—if n 6= m, we have: η

ε

(νm. H){r/n}, R − → H{r/n}{¯ r/m}, R ∪ {¯ r} − → ε, R′ for some r¯ 6∈ R. It is first convenient to state the following result, which can be proven through a straightforward inductive argument: (1)

η

η

H{r/n}, R − → ε, R′ =⇒ H{r′ /n}, R − → ε, R′ if r 6∈ R(η)

Back to the main statement, there are now two further subcases: —if r¯ = r, then by the induction hypothesis: η

H{¯ r/m}{r′ /n}, (R ∪ {¯ r})σ − → ε, R′ σ since r¯ = r: η

H{r′ /n}{¯ r/m}, Rσ ∪ {r′ } − → ε, R′ σ Since r¯ = r 6∈ R(η), then by (1): η

H{r′ /n}{r′ /m}, Rσ ∪ {r′ } − → ε, R′ σ Since r′ 6∈ R′ ⊇ R and r = r¯ 6∈ R, then r′ 6∈ Rσ, so we conclude: ε

(νm. H){r′ /n}, Rσ − → H{r′ /m, r′ /n}, Rσ ∪ {r′ } —if r¯ 6= r, by the induction hypothesis: η

H{¯ r/m}{r′ /n}, (R ∪ {¯ r})σ − → ε, R′ σ and since r¯ 6= r: η

H{¯ r/m}{r′ /n}, Rσ ∪ {¯ r} − → ε, R′ σ Since r¯ 6∈ R and r¯ 6= r then r¯ 6∈ Rσ, so we conclude: ε

(νm. H){r′ /n}, Rσ − → H{r′ /n}{¯ r/m}, Rσ ∪ {¯ r} —If n = m, we have (νm. H){r/n} = νm. H and the proof is similar to (actually, simpler than) that for the case n 6= m. η

—if H = H0 · H1 , then we can easily show by induction that if H{r/n}, R − → ε, R′ , then η = η0 η1 for two shorter derivations: η0

¯ H0 {r/n}, R −→ ε, R

η1

¯ −→ ε, R′ H1 {r/n}, R

Therefore, by the induction hypothesis: η0 ¯ H0 {r′ /n}, Rσ −→ ε, Rσ

η1 ¯ − → ε, R′ σ H1 {r′ /n}, Rσ

which implies the thesis. —if H = H0 + H1 , the induction hypothesis suffices. ¯ then H{r/n} = µh. (H{r/n}), ¯ —if H = µh.H, and thus the thesis follows directly from the induction hypothesis. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–13

Definition B.8. Let D = Ev ∪ Frm, let X ⊆ D∗ ∪ D∗ !, and x ∈ D ∪ { !}. We define x ⊙ X as follows: ( { x η | η ∈ X } if x 6= ! x⊙X = {x} if x = ! We define η ⊙ X as its homomorphic extension, i.e. if η = a1 · · · an , then: η ⊙ X = a1 ⊙ · · · ⊙ an ⊙ X Definition B.9. Let Y0 , Y1 : Pfin (Res) → {X ⊆ (Ev ∪ Frm)∗ ∪ (Ev ∪ Frm)∗ !}. The composition Y0  Y1 is defined as follows: S Y0  Y1 = λR. { η0 ⊙ Y1 (R ∪ R(η0 )) | η0 ∈ Y0 (R) }

Also, we define the following shorthand: η  Y = (λR. {η})  Y

Lemma B.10. For all H, R, H ′ , R′ , a: a

H, R − → H ′ , R′ =⇒ JHKop (R) ⊇ a ⊙ JH ′ Kop (R′ ) Proof. By cases on the form of H. —if H = α(ρ), there are three subcases. If ρ = r, then H ′ = ε, a = α(r) and R′ = R. Then: JHKop (R) = {α(r)} = α(r) ⊙ {ε} = α(r) ⊙ JH ′ Kop (R′ ) If ρ = n, then H ′ = !, a = !, and R′ = R, and the thesis follows by Definition B.8. If ρ =?, the proof is similar to the case ρ = r. —if H = !, then H ′ = ! and R′ = R. Thus: J!Kop (R) = {!} =! ⊙ {!} = ! ⊙ J!Kop (R′ ) ¯ then H ′ = H{r/n}, ¯ —if H = νn. H, for some r 6∈ R, and a = ε, R′ = R ∪ {r}. [ ¯ ′ /n}Kop (R ∪ {r′ }) ⊇ JH ′ Kop (R′ ) = ε ⊙ JH ′ Kop (R′ ) JHKop (R) = JH{r r ′ 6∈R

—if H = H0 · H1 , there are two further subcases. If H0 = ε, then H ′ = H1 , a = ε ′ op ′ op and R′ = R. Thus, JHKop R = JH KR′ = ε ⊙ JH KR′ . Otherwise, if H0 6= ε, then a H0 , R − → H0′ , R′ , and so H ′ = H0′ · H1 . Thus: η η! ¯ } ∪ { η! | H0 · H1 , R − ¯ R ¯} JHKop (R) = { η | H0 · H1 , R − → ε, R → H, η η! ¯ } ∪ { a η ! | H0′ · H1 , R′ − ¯ R ¯} ⊇ { a η | H0′ · H1 , R′ − → ε, R → H,

= a ⊙ JH0′ · H1 Kop (R′ ) = a ⊙ JH ′ Kop (R′ ) —if H = H0 + H1 , straightforward. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–14

·

Massimo Bartoletti et al.

—if H = µh. H ′′ , then H ′ = H ′′ {H/h}, a = ε, and R′ = R. Thus: η η! ¯ } ∪ { ε η ! | H ′, R − ¯ R ¯} JHKop (R) = { ε η | H ′ , R − → ε, R → H, η η! ¯ } ∪ { η ! | H ′, R − ¯ R ¯ }) = ε ⊙ ({ η | H ′ , R − → ε, R → H,

= ε ⊙ JH ′ Kop (R′ )

B.2

Full Abstraction

Definition B.11. Denotational semantics of history expressions Let D0 be the following cpo of sets of histories ordered by set inclusion: D0 = { X ⊆ (Ev ∪ Frm)∗ ∪ (Ev ∪ Frm)∗ ! | ! ∈ X ∧ ∀η ∈ X : η ! ∈ X }. The set { !} is the bottom element of D0 . Let Dden = Pfin (Res) → D0 be the cpo of functions from the finite subsets of Res to D0 . Note that the bottom element ⊥ of Dden is λR. { !}. Let H be a history expression with fn(H) = ∅, and let θ be a mapping from variables h to functions in Dden , such that dom(θ) ⊇ fv (H). Then, the denotational semantics JHKden is a function in Dden , inductively defined θ through the following equations. JεKden = λR. { !, ε} θ Jα(ρ)Kden = λR. { !, α(ρ), α(ρ) !} θ S Jνn. HKden = λR. r6∈R JH{r/n}Kden θ θ (R ∪ {r})

 JH ′ Kden JH · H ′ Kden = JHKden θ θ θ ⊔ JH ′ Kden JH + H ′ Kden = JHKden θ θ θ J!Kden =⊥ θ

= θ(h) JhKden θ G den Jµh.HKθ = f i (⊥) where f (Y ) = JHKden θ{Y /h} i≥0

We first check that the above semantics is well-defined. Lemma B.12 proves that the image of the semantics function is indeed in D0 . Lemma B.15 guarantees that the least upper bound in the last equation exists (since f is monotone). Also, since f is continuous, by the Knaster-Tarski theorem the semantics of µh. H is the least fixed point of f . Lemma B.12. For all H, θ and R: — ! ∈ JHKden θ (R). den —if η ∈ JHKden θ (R), then η ! ∈ JHKθ (R).

Proof. Trivial. Lemma B.13. The structure (Dden , ⊔, , id ⊔ , id  ), where id ⊔ = ⊥ and id  = λR.{ !, ε} is a semi-ring. Furthermore, ⊔ is idempotent. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–15

Proof. It is easy to check that ⊔ and  are associative, id ⊔ , id  are their identities, and that, for all X, Y, Z ∈ Dden , (X ⊔ Y )  Z = X  Z ⊔ Y  Z and Z  (X ⊔ Y ) = (Z  X) ⊔ (Z  Y ). Lemma B.14. Let {Yi }i and {Zi }i be subsets of Dden . Then: G

G

(Yi  Zi ) =

i

i

G

Yi  Zi i

Proof. We prove the following two facts. For all W ∈ Dden : G

W

(2a)

Zi =

i

G

(W  Zi )

i

G G ( Zi )  W = (Zi  W )

(2b)

i

i

For (2a), we have that: W

G

Zi = λR.

i

= λR. = λR.

[

[

G { η0 ⊙ ( Zi )(R ∪ R(η0 )) | η0 ∈ W (R) } i

{ η0 ⊙

[

Zi (R ∪ R(η0 )) | η0 ∈ W (R) }

i

[ [ { η0 ⊙ Zi (R ∪ R(η0 )) | η0 ∈ W (R) } i

= λR.

[[

{ η0 ⊙ Zi (R ∪ R(η0 )) | η0 ∈ W (R) }

i

=

G

λR.

i

=

G

[

{ η0 ⊙ Zi (R ∪ R(η0 )) | η0 ∈ W (R) }

(W  Zi )

i

For (2b), we have that: G [ G ( Zi )  W = λR. { η0 ⊙ W (R ∪ R(η0 )) | η0 ∈ ( Zi )(R) } i

i

= λR.

= λR.

[

{ η0 ⊙ W (R ∪ R(η0 )) | η0 ∈

[

Zi (R) }

i

[[

{ η0 ⊙ W (R ∪ R(η0 )) | η0 ∈ Zi (R) }

i

=

G i

=

G

λR.

[

{ η0 ⊙ W (R ∪ R(η0 )) | η0 ∈ Zi (R) }

(Zi  W )

i

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–16

·

Massimo Bartoletti et al.

Summing up: G i

G
G G

Yi  Zi = Yi  Zj i

=

GG j

=

by (2a)

i

j

(Yi  Zj )

by (2b)

i

G

(Yi  Zi )

i

which concludes the proof. Lemma B.15. For all history expressions H and for all θ such that dom(θ) ∪ {h} ⊇ fv (H), let fH be the function defined as: fH (Y ) = JHKden θ{Y /h} Then, fH is continuous. Proof. By induction on the size of H. Let {Yi }i be a ω-chain of elements in Dden . We have the following cases: —if H = ε, H = α(ρ), or H = !, trivial. —if H = νn. H ′ , then: G [ G fH ( Yi ) = λR. fH ′ {r/n} ( Yi )(R ∪ {r}) i

i

r6∈R

Then, by the induction hypothesis: [ = λR.

r6∈R

= λR.

G i

[[


fH ′ {r/n} (Yi ) (R ∪ {r})

fH ′ {r/n} (Yi )(R ∪ {r})

r6∈R i

= λR.

[[

fH ′ {r/n} (Yi )(R ∪ {r})

i r6∈R

=

G i

=

G

[

λR.

fH ′ {r/n} (Yi )(R ∪ {r})

r6∈R

fH (Yi )

i

—if H = H ′ · H ′′ , then: G F fH ( Yi ) = JH ′ · H ′′ Kden θ{

i

i

Yi /h}

′′ den F F = JH ′ Kden θ{ i Yi /h}  JH Kθ{ i Yi /h} G G = fH ′ ( Yi )  fH ′′ ( Yi ) i

i

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–17

and, by the induction hypothesis: =

G

fH ′ (Yi ) 

i

=

G

G

fH ′′ (Yi )

i

JH ′ Kden θ{Yi /h} 

i

G

JH ′′ Kden θ{Yi /h}

i

by Lemma B.14: =

G

′′ den JH ′ Kden θ{Yi /h}  JH Kθ{Yi /h}

i

=

G

JHKden θ{Yi /h}




i

=

G

fH (Yi )

i

—if H = H ′ + H ′′ , trivial. —if H = µh′ . H ′ , then: G G F fH ( Yi ) = (λY ′ . JH ′ Kden θ{ i

i

n≥0

n Yi /h}{Y ′ /h′ } ) (⊥)

if h = h′ , then: =

G

n (λY ′ . JH ′ Kden θ{Y ′ /h′ } ) (⊥)

n≥0

=

GG

n (λY ′ . JH ′ Kden θ{Y ′ /h′ } ) (⊥)

i n≥0

=

GG

n (λY ′ . JH ′ Kden θ{Yi /h}{Y ′ /h′ } ) (⊥)

i n≥0

=

G

fH (Yi )

i

otherwise, if h 6= h′ , then: =

G

F (λY ′ . JH ′ Kden θ{Y ′ /h′ }{

i

n≥0

n Yi /h} ) (⊥)

and by the induction hypothesis: =

G

(λY ′ .

G

n JH ′ Kden θ{Y ′ /h′ }{Yi /h} ) (⊥)

i

n≥0

G G n = ( λY ′ . JH ′ Kden θ{Y ′ /h′ }{Yi /h} ) (⊥) n≥0

i

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–18

·

Massimo Bartoletti et al.

by the induction hypothesis on H ′ , fH ′ is continuous – and hence monotone – then {λY ′ . JH ′ Kden θ{Yi /h} }i is an ω-chain, and so: =

GG

n (λY ′ . JH ′ Kden θ{Y ′ /h′ }{Yi /h} ) (⊥)

i n≥0

=

GG

n (λY ′ . JH ′ Kden θ{Yi /h}{Y ′ /h′ } ) (⊥)

i n≥0

=

G

fH (Yi )

i

Lemma B.16 Substitution. For all H, H ′ with fn(H) = fn(H ′ ) = ∅, and for all θ such that dom(θ) ⊇ fv (H) ∪ fv (H ′ ): JH{H ′ /h}Kden = JHKden ′ den θ θ{JH Kθ /h} Proof. We proceed by induction on the size of H. Let θ′ = θ{JH ′ Kden θ /h}. —If H = ε, H = α(ρ) or H = !, the thesis follows trivially, because the substitution is vacuous. —If H = h′ , there are two subcases. If h′ = h, then: Jh{H ′ /h}Kden = JH ′ Kden = JhKden θ θ θ′ Otherwise, if h′ 6= h, then H{H ′ /h} = H. ¯ then: —If H = νn. H, [ ′ ′ ¯ ¯ Jνn. H{H /h}Kden = λR. JH{H /h}{r/n}Kden θ θ (R ∪ {r}) r6∈R

since fn(H ′ ) = ∅, then H ′ {r/n} = H ′ , and so: [ ′ ¯ = λR. JH{r/n}{H /h}Kden (R ∪ {r}) θ

r6∈R

and, by the induction hypothesis: = λR.

[

den ¯ JH{r/n}K θ ′ (R ∪ {r})

r6∈R

¯ den = Jνn. HK θ′ —If H = H0 · H1 , then: J(H0 · H1 ){H ′ /h}Kden = JH0 {H ′ /h} · H1 {H ′ /h}Kden θ θ = JH0 {H ′ /h}Kden  JH1 {H ′ /h}Kden θ θ den = JH0 Kden θ ′  JH1 Kθ ′

= JHKden θ′ ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–19

—If H = H0 + H1 , then by the induction hypothesis: J(H0 + H1 ){H ′ /h}Kden = JH0 {H ′ /h}Kden ⊔ JH1 {H ′ /h}Kden θ θ θ den = JH0 Kden θ ′ ⊔ JH1 Kθ ′

= JHKden θ′ ¯ there are two subcases. If h′ = h, then H{H ′ /h} = H, and so —If H = µh′ . H, the statement holds trivially. Otherwise h′ 6= h, and so we have: G
n ′ ′ ¯ ¯ (⊥) λY. JH{H /h}Kden Jµh′ . H{H /h}Kden = θ θ{Y /h′ } n≥0

and, by the induction hypothesis: =

G

¯ den λY. JHK θ ′ {Y /h′ }

n≥0

¯ den = Jµh′ . HK θ′


n

(⊥)

which concludes the proof. Lemma B.17 Unfolding. For all H such that fn(H) = ∅, and for all θ: Jµh. HKden = JHKden den θ θ{Jµh. HKθ /h} F Proof. By Definition B.11, Jµh. HKden = i≥0 f i (⊥), where f (Y ) = JHKden θ θ{Y /h} . Since fn(H) = fn(µh. H) = ∅, we have that: JH{µh. H/h}Kden = JHKden den θ θ{Jµh. HKθ /h} = f (Jµh. HKden θ ) G i = f ( f (⊥))

by Lemma B.16 by def. of f

i≥0

=

G

f i (⊥)

i≥0

=

Jµh. HKden θ

G

f i (⊥) is a fixed point of f

i≥0

′ den Lemma B.18. If H = H ′ , then, for all θ and R, JHKden θ (R) = JH Kθ (R).

Proof. The first seven cases of Definition 4.7 follow by Lemma B.13. The eight rule (unfolding), is implied by Lemma B.17. Rearranging µ- and ν-binders and the extrusion laws for ν-binders (last three rules) are straightforward. Definition B.19. We say Y ∈ Dden anti-monotone when R ⊆ R′ implies Y (R) ⊇ Y (R′ ) for all R, R′ . We say θ anti-monotone when θ(h) is such ∀h ∈ dom(θ). Lemma B.20. For all H and anti-monotone θ, JHKden is anti-monotone. θ Proof. Let R′ ⊆ R. By induction on the size of H, there are the following exhaustive cases: ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–20

·

Massimo Bartoletti et al.

—if H = ε, H = !, H = α(ρ), trivial. —if H = h, the thesis is implied by the anti-monotonicity of θ. —if H = H0 · H1 and H = H0 + H1 , straightforward application of the induction hypothesis. —if H = νn. H ′ , we have that: JHKden θ (R) =

[

JH{r/n}Kden θ (R ∪ {r})

r6∈R

⊆

[

JH{r/n}Kden θ (R ∪ {r})

r6∈R′

and by the induction hypothesis, since R′ ∪ {r} ⊆ R ∪ {r}: [ ′ ⊆ JH{r/n}Kden θ (R ∪ {r}) r6∈R′

′ = JHKden θ (R )

—if H = µh. H ′ , we prove that if Y is anti-monotone, then also f (Y ) = JH ′ Kden θ{Y /h} is anti-monotone. Since θ and Y are anti-monotone, then θ{Y /h} is such, so by the induction hypothesis: ′ ′ ′ den f (Y )(R) = JH ′ Kden θ{Y /h} (R) ⊇ JH Kθ{Y /h} (R ) = f (Y )(R )

From here it is simple to check that for all n, f n (⊥) is anti-monotone, then also JHKden is such. θ Definition B.21. For all Y ∈ Dden , we define R(Y ) and T(Y ) as follows: \ R(Y ) = R(Y (R)) R

T(Y ) = {↓} ∩ R(Y ) Lemma B.22. For all Y ∈ Dden : ( ∅ if ∀R : η ∈ Y (R) =⇒ ! ∈ η T(Y ) = {↓} otherwise Proof. First note that, by a straightforward inspection of the rules in Definition B.11, it follows that, for all Y ∈ Dden : (3)

∃R : ∃η ∈ Y (R) : ! 6∈ η

⇐⇒

∀R : ∃η ∈ Y (R) : ! 6∈ η

To prove the main statement, T(Y ) = ∅ ⇐⇒ ↓6∈ R(Y ) ⇐⇒ ∃R :↓6∈ R(Y (R)) ⇐⇒ ∃R : ∀η ∈ Y (R) :↓6∈ R(η) ⇐⇒ ∃R : ∀η ∈ Y (R) : ! ∈ η ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–21

by (3), used right-to-left contrapositively: ⇐⇒ ∀R : ∀η ∈ Y (R) : ! ∈ η which proves the thesis. Remark B.2. The function R of Definition B.21 is not continuous. Let {ri }i∈ω be a set of distinct resources. Let {Yi }i∈ω be a family of functions in Dden , defined as: Yi = λR. { α(rk ) | k > |R| − i } where |R| denotes the cardinality of the finite set R. This family is actually an ω-chain, since: k > |R| − i =⇒ k > |R| − (i + 1) Then, G \[ G R( Yi ) = { R(η) | η ∈ ( Yi )(R) } i

i

R

=

\[

{ R(η) | η ∈

\[[ \[

{ rk | k > |R| − i }

i

R

=

{ R(η) | η ∈ Yi (R) }

i

R

=

Yi (R) }

i

R

=

[

\

{ rk | k ∈ ω }

R

= { rk | k ∈ ω } However, [

R(Yi ) =

i

[\[ i

=

[\ i

=

\

{ R(η) | η ∈ Yi (R) }

R

{ rk | k > |R| − i }

R

∅

R

=∅ F S Therefore R( i Yi ) 6= i R(Yi ), proving that R is not continuous.

LemmaSB.23. For all monotone non-increasing Y , and for all ω-chain {Ri }i such that i Ri = Res: \[ R(Y ) = { R(η) | η ∈ Y (Ri ) } i

Proof. The inclusion ⊆ follows by set theory, while ⊇ is implied by Lemma B.20.

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–22

·

Massimo Bartoletti et al.

Lemma B.24. For all Y ∈ Dden and for all R, T(Y ) = T(Y (R)). Proof. Straightforward. Lemma B.25. For all H, and for all θ such that: ∀h ∈ fv (H). ∀R : R(θ(h)(R)) ⊆ R(θ(h)) ∪ (Res \ R) we have that: R(JHKden θ ) = RR(θ) (H) Proof. We prove the following, stronger statement. For all H and for all θ, R: RR(θ) (H) ⊆ R(JHKden θ (R)) ⊆ RR(θ) (H) ∪ (Res \ R)

(4)

First we show that the statement B.25 is implied by (4). We prove the double inclusion: \ den RR(θ) (H) ⊆ R(JHKden θ (R)) = R(JHKθ ) R

⊆

\ R


RR(θ) (H) ∪ (Res \ R)

⊆ RR(θ) (H) ∪

\

(Res \ R)

R

= RR(θ) (H) ∪ ∅ = RR(θ) (H)

To prove (4), we proceed by induction on the size of H. —if H = ε, then RR(θ) (ε) = {↓} = R({ !, ε}) = R(JεKden θ (R)). —if H = α(ρ), there are two subcases, since fn(H) = ∅ by assumption. If ρ = r, then: R(Jα(r)Kden θ (R)) = R({ !, α(r), α(r) !}) = {r, ↓} = RR(θ) (α(r)) If ρ =?, then: R(Jα(?)Kden θ (R)) = R({ !, α(?), α(?) !}) = {↓} = RR(θ) (α(?)) —if H = h, then: RR(θ) (h) = R(θ)(h) = R(θ(h)) \ = R(θ(h)(R)) R

⊆ R(θ(h)(R))

= R(JhKden θ (R)) = R(θ(h)(R)) and since by assumption R(θ(h)(R)) ⊆ R(θ(h)) ∪ (Res \ R): ⊆ R(θ(h)) ∪ (Res \ R) = RR(θ) (h) ∪ (Res \ R) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–23

—If H = H0 · H1 , there are two subcases. If TR(θ) (H0 ) = ∅, then: RR(θ) (H0 · H1 ) = RR(θ) (H0 ) by the induction hypothesis: ⊆ R(JH0 Kden θ (R)) now, JH1 Kden 6= ∅ by Lemma B.12. Since by the induction hypothesis and by θ den Lemma B.24 TR(θ) (H0 ) = T(JH0 Kden θ ) = T(JH0 Kθ (R)): = R(JH0 · H1 Kden θ (R)) = R(JH0 Kden θ (R)) and by the induction hypothesis: ⊆ RR(θ) (H0 ) ∪ (Res \ R) = RR(θ) (H0 · H1 ) ∪ (Res \ R) If TR(θ) (H0 ) = {↓}, we first prove that:

(5)

den R(JHKden  JH1 Kden θ ) = R(JH0 Kθ θ ) \[ η ∈ JH0 Kden θ (R) = { R(η0 ⊙ η1 ) | 0 } η1 ∈ JH1 Kden θ (R ∪ R(η0 )) R

(6)

den ⊇ R(JH0 Kden θ ) ∪ R(JH1 Kθ )

Let r ∈ (6). We have two further subcases. den —If r ∈ R(JH0 Kden θ ), then for all R, there exists η0 ∈ JH0 Kθ (R) such that den r ∈ R(η0 ). By Lemma B.12, take an η1 ∈ JH1 Kθ (R ∪ R(η0 )) 6= ∅. Then r ∈ R(η0 ) ⊆ R(η0 ⊙ η1 ). This proves r ∈ (5). ′ ′ den —If r ∈ R(JH1 Kden θ ), then for all R there exists η1 ∈ JH1 Kθ (R ) such that r ∈ R(η1 ). To show r ∈ (5), we need to prove that for all R there exists η0 , η1 den such that η0 ∈ JH0 Kden θ (R), η1 ∈ JH1 Kθ (R ∪ R(η0 )), and r ∈ R(η0 ⊙ η1 ). Since den T(JH0 Kθ ) = {↓}, we can choose an η0 ∈ JH0 Kden η (R) with ! 6∈ η0 . Then, by choosing R′ = R ∪ R(η0 ), we obtain that there exists η1 ∈ JH1 Kden θ (R ∪ R(η0 )) such that r ∈ R(η1 ). We conclude the proof by R(η0 ⊙ η1 ) = R(η0 ) ∪ R(η1 ), since ! 6∈ η0 . Therefore: RR(θ) (H0 · H1 ) = RR(θ) (H0 ) ∪ RR(θ) (H1 ) by the induction hypothesis: den = R(JH0 Kden θ ) ∪ R(JH1 Kθ )

since (6) ⊆ (5): ⊆ R(JH0 · H1 Kden θ ) ⊆ R(JH0 · H1 Kden θ (R)) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–24

·

Massimo Bartoletti et al.

For the last inclusion, we have that: [ den R(JH0 · H1 Kden (R)) = { R(η0 ⊙ η1 ) | η0 ∈ JH0 Kden θ θ (R), η1 ∈ JH1 Kθ (R ∪ R(η0 )) } by Lemma B.20:

⊆

[

den { R(η0 ⊙ η1 ) | η0 ∈ JH0 Kden θ (R), η1 ∈ JH1 Kθ (R)) }

den ⊆ R(JH0 Kden θ )(R) ∪ R(JH1 Kθ )(R)

and by the induction hypothesis: ⊆ RR(θ) (H0 ) ∪ RR(θ) (H1 ) ∪ (Res \ R) = RR(θ) (H0 · H1 ) ∪ (Res \ R) —If H = H0 + H1 , we have that: RR(θ) (H0 + H1 ) = RR(θ) (H0 ) ∪ RR(θ) (H1 ) by the induction hypothesis: den ⊆ R(JH0 Kden θ (R)) ∪ R(JH1 Kθ (R)) [ [ = { R(η) | η ∈ JH0 Kden { R(η) | η ∈ JH1 Kden θ (R) } ∪ θ (R) } [ den = { R(η) | η ∈ JH0 Kden θ (R) ∪ JH1 Kθ (R) }

= R(JH0 + H1 Kden θ (R))

den = R(JH0 Kden θ (R)) ∪ R(JH1 Kθ (R))

by the induction hypothesis: ⊆ RR(θ) (H0 ) ∪ RR(θ) (H1 ) ∪ (Res \ R) = RR(θ) (H0 + H1 ) ∪ (Res \ R) —If H = νn. H ′ , we have R(JHKden θ (R)) = R(

[

JH ′ {r/n}Kden θ (R ∪ {r}))

r6∈R

=

(7)

[

R(JH ′ {r/n}Kden θ (R ∪ {r}))

r6∈R

Also, we have that: RR(θ) (H) = RR(θ) (H ′ ) using a simple inductive argument: [ ⊆ RR(θ) (H ′ {r/n}) r6∈R

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–25

by the induction hypothesis: ⊆ (7) [
⊆ RR(θ) (H ′ {r/n}) ∪ (Res \ (R ∪ {r})) r6∈R

by a simple inductive argument on H ′ [
RR(θ) (H ′ ) ∪ {r} ∪ (Res \ (R ∪ {r})) ⊆ r6∈R

= RR(θ) (H ′ ) ∪ (Res \ R) ∪

[

(Res \ (R ∪ {r}))

r6∈R

= RR(θ) (H ′ ) ∪ (Res \ R) ∪ (Res \

\

(R ∪ {r}))

r6∈R

= RR(θ) (H ′ ) ∪ (Res \ R) ∪ (Res \ R) = RR(θ) (H) ∪ (Res \ R) ′

—If H = µh. H , first note that: (8)

R(JHKden θ (R)) = R(

G

f n (⊥)(R)) =

n≥0

[

R(f n (⊥)(R))

n≥0

We now prove the inclusion RR(Θ) (H) ⊆

R(JHKden θ (R)).

We have that:

RR(Θ) (µh. H ′ ) = RR(θ){TR(θ){∅/h} (H ′ )/h} (H ′ ) by Lemma 5d: ⊆ RR(θ){RR(θ){∅/h} (H ′ )/h} (H ′ ) and by the induction hypothesis: =R

R(θ){R(JH

(H ′ den Kθ{⊥/h} )/h}

′

)

by the induction hypothesis again: (R)) ⊆ R(JH ′ Kden ′ den θ{JH Kθ{⊥/h} /h} = R(f 2 (⊥)(R)) [ ⊆ R(f n (⊥)(R)) n≥0

We now show by induction on n ≥ 0 that: R(f n (⊥)(R)) ⊆ RR(θ) (H) ∪ (Res \ R) The base case is trivial, since R(⊥(R)) = R({ !}) = ∅. For the inductive case n > 0, we have that: R(f n (⊥)(R)) = R(JH ′ Kden θ{f n−1 (⊥)/h} (R)) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–26

·

Massimo Bartoletti et al.

by the induction hypothesis on the size of H: ⊆ RR(θ){R(f n−1 (⊥))/h} (H ′ ) ∪ (Res \ R) ⊆ RR(θ){TR R(f n−1 (⊥)(R))/h} (H ′ ) ∪ (Res \ R) by the induction hypothesis on n and Lemma 5d: ⊆R

R(θ){

T

R




RR(θ) (µh. H ′ )(R)∪(Res\R) /h}

(H ′ ) ∪ (Res \ R)

= RR(θ){RR(θ) (µh. H ′ )/h} (H ′ ) ∪ (Res \ R) and so by Lemma 5f: = RR(Θ) (µh. H ′ ) ∪ (Res \ R) Summing up: [ [ R(f n (⊥)(R)) ⊆ RR(Θ) (µh. H ′ ) ∪ (Res \ R) = RR(Θ) (µh. H ′ ) ∪ (Res \ R) n≥0

n≥0

which concludes the proof. Lemma B.26. For all H, θ, R, we have that: η ∈ JHKden θ (R) =⇒ (R \ RR(θ) (H)) ∩ R(η) = ∅ Proof. By induction on the size of H. We have the following cases: —The cases ε, α(n), α(?), ! and h are trivial. —If H = α(r), then R(η) = {r} ⊆ RR(θ) (H), which implies the thesis. —If H = νn. H ′ , then η ∈ JH ′ {r/n}Kden θ (R ∪ {r}) for some r 6∈ R. Then: (R \ RR(θ) (H)) ∩ R(η) = (R \ RR(θ) (H ′ {r/n}) ∩ R(η) ⊆ ((R ∪ {r}) \ RR(θ) (H ′ {r/n}) ∩ R(η) = ∅ where the last equation follows by the induction hypothesis. den —If H = H0 · H1 , then for all η0 ∈ JH0 Kden θ (R) and for all η1 ∈ JH1 Kθ (R ∪ R(η0 )), the induction hypothesis of (a) gives:

(R \ RR(θ) (H0 )) ∩ R(η0 ) = ∅ ((R ∪ R(η0 )) \ RR(θ) (H1 )) ∩ R(η1 ) = ∅ den den Let η ∈ JHKden θ (R), i.e. η ∈ η0 ⊙ JH1 Kθ (R ∪ R(η0 )) for some η0 ∈ JH0 Kθ (R). There are two subcases. If ! ∈ η0 , then η = η0 , and:

(R \ RR(θ) (H)) ∩ R(η) ⊆ (R \ RR(θ) (H0 )) ∩ R(η0 ) = ∅ ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–27

Otherwise, if ! 6∈ η0 , then ↓∈ RR(θ) (H0 ) by Lemma B.22, and so: (R \ RR(θ) (H)) ∩ R(η) = (R \ (RR(θ) (H0 ) ∪ RR(θ) (H1 )) ∩ (R(η0 ) ∪ R(η1 )) = (R \ RR(θ) (H0 )) ∩ (R \ RR(θ) (H1 )) ∩ (R(η0 ) ∪ R(η1 ))

⊆ (R \ RR(θ) (H0 )) ∩ R(η0 ) ∪ (R \ RR(θ) (H1 )) ∩ R(η1 ) ⊆ ∅ ∪ ((R ∪ R(η0 )) \ RR(θ) (H1 )) ∩ R(η1 ) =∅ —If H = H0 + H1 , the thesis follows directly from the induction hypothesis. F —If H = µh. H ′ , let η ∈ ( i Yi )(R), where Y0 = ⊥ and Yi+1 = JH ′ Kden θ{Yi /h} . Then, there exists k such that η ∈ Yk (R). If k = 0, then η = ! and the thesis follows trivially. Otherwise, we have that: G (R \ R(JHKden Yi )) ∩ R(η) θ )) ∩ R(η) = (R \ R( i

F S since R is monotone, then R( i Yi ) ⊇ i R(Yi ), and so: [ ⊆ (R \ R(Yi )) ∩ R(η) i

=

\

((R \ R(Yi )) ∩ R(η))

i

⊆ (R \ R(Yk )) ∩ R(η) ⊆ (R \ R(JH ′ Kden θ{Yk−1 /h} )) ∩ R(η) by Lemma B.25: = (R \ RR(θ{Yk−1 /h}) (H ′ )) ∩ R(η) and so, by the induction hypothesis: =∅

Lemma B.27. For all history expression H, let θ be a function such that dom(θ) = ¯ ⊆ JHi Kop (R) ¯ for all i ∈ 1..k and for all R ¯ ⊇ R, {h1 , . . . , hk } ⊇ fv (H) and θ(hi )(R) and let R ⊇ RR(θ) (H) be a finite set of resources. Then: op JHKden θ (R) ⊆ JH{H1 /h1 , · · · , Hk /hk }K (R)

whenever the substitution H{H1 /h1 , · · · , Hk /hk } is capture-avoiding on names. Proof. Let η ∈ JHKden θ (R). If η = !, then by Definition B.1 the thesis follows trivially. Otherwise, by induction on the size of H, there are the following cases: —if H = ε, then η = ε ∈ JεKop (R). —if H = α(r), there are two subcases. α(r)

If η = α(r), since α(r), R −−−→ ε, R, then: α(r) ∈ JHKop (R) = JH{H1 /h1 , · · · , Hk /hk }Kop (R) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–28

·

Massimo Bartoletti et al.

If η = α(r) !, similar to the case above. —if H = α(?), similar to the previous item. —if H = h, then, by the hypothesis dom(θ) ⊇ fv (H), we have that h = hi for some i ∈ 1..k, and JHKden = Jhi Kden = θ(hi ). By assumption, θ(hi )(R) ⊆ JHi Kop (R). θ θ den Thus, JHKθ (R) ⊆ Jhi {H1 /h1 , · · · , Hk /hk }Kop (R) = JHi Kop (R). den ¯ then η ∈ JH{r/n}K ¯ —if H = νn. H, θ (R ∪ {r}) for some r 6∈ R. By the induction hypothesis: den op ¯ ¯ JH{r/n}K θ (R ∪ {r}) ⊆ JH{r/n}{H1 /h1 , · · · , Hk /hk }K (R ∪ {r}) ε ¯ 1 /h1 , · · · , Hk /hk }{r/n}, R ∪ {r} then Since H{H1 /h1 , · · · , Hk /hk }, R − → H{H by Lemma B.10:

¯ 1 /h1 , · · · , Hk /hk }{r/n}Kop (R ∪ {r}) ⊆ JH{H1 /h1 , · · · , Hk /hk }Kop (R) ε ⊙ JH{H Since H{H1 /h1 , · · · , Hk /hk } is capture-avoiding on names, then: ¯ ¯ H{r/n}{H 1 /h1 , · · · , Hk /hk } = H{H1 /h1 , · · · , Hk /hk }{r/n} Summing up, we have proved that η ∈ JH{H1 /h1 , · · · , Hk /hk }Kop (R). —if H = H ′ · H ′′ , then η ∈ (JH ′ Kden  JH ′′ Kden θ θ )(R). By Definition B.9, η = η0 ⊙ η1 ′ den for some η0 ∈ JH Kθ (R) and η1 ∈ JH ′′ Kden θ (R ∪ R(η0 )). By the induction hypothesis, η0 ∈ JH ′ {H1 /h1 , · · · , Hk /hk }Kop (R). We have two cases. —η0 = η0′ ! for some !-free η0′ . In this case η = η0 by Definition B.8. Since η0′ ! ¯ R ¯ for some H ¯ and R, ¯ a simple inductive H ′ {H1 /h1 , · · · , Hk /hk }, R −− → H, argument then yields: η′ !

0 ¯ · (H ′′ {H1 /h1 , · · · , Hk /hk }), R ¯ H{H1 /h1 , · · · , Hk /hk }, R −− →H

—! 6∈ η0 (hence η = η0 η1 ). Since η0 ∈ JH ′ {H1 /h1 , · · · , Hk /hk }Kop (R), then by definition: η0 ¯ H ′ {H1 /h1 , · · · , Hk /hk }, R −→ ε, R

¯ ⊇ R ∪ R(η0 ). Similarly, by the induction hypothesis on H ′′ , we for some R ¯ have that η1 ∈ JH ′′ {H1 /h1 , · · · , Hk /hk }Kop (R ∪ R(η0 )), so for some R′ and H: η1

¯ R′ H ′′ {H1 /h1 , · · · , Hk /hk }, (R ∪ R(η0 )) −→ H, ¯ = ε, or η1 = η ′ ! for some !-free η ′ . By simple set-theoretic where either H 1 1 arguments, we have: ¯ = Ra ∪ Rb = (R ¯ ∩ (R ∪ R(η0 ))) ∪ (R ¯ \ (R ∪ R(η0 ))) R ¯ ⊇ R∪R(η0 ), then Ra = R∪R(η0 ). We shall now construct a derivation: Since R η0

¯′ H ′ {H1 /h1 , · · · , Hk /hk }, R −→ ε, R ¯ ′ = Ra ∪ R′ for some R′ disjoint from R′ . The intuition is that Rb with R b b contains only “garbage” resources, e.g. those vacuously generated by νn. H with n 6∈ H. To construct this derivation, we α-convert the resources in Rb by repeatedly applying Lemma 7b. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–29

¯ ∪ R′ ) = ∅. Let Take the set of resources Rb′ such that |Rb′ | = |Rb | and Rb′ ∩ (R σ be a bijection mapping Rb into Rb′ . Moreover, let n be an arbitrary name: clearly, n is not free in the closed history expression H ′ {H1 /h1 , · · · , Hk /hk }. Take a resource r ∈ Rb : we now use Lemma 7b and α-convert it to rσ ∈ Rb′ . To this purpose, we note that H ′ {H1 /h1 , · · · , Hk /hk } = H ′ {H1 /h1 , · · · , Hk /hk }{r/n}. ¯ \(R ∪ The hypoteses of the lemma are satisfied: r 6∈ R(η0 ) since Rb ∩R(η) = (R ¯ since R′ was suitably chosen. Of course, we can R(η0 )))∩R(η0 ) = ∅, and rσ 6∈ R b return to the original history expression with H ′ {H1 /h1 , · · · , Hk /hk }{rσ/n} = H ′ {H1 /h1 , · · · , Hk /hk }. Therefore: η0

¯ H ′ {H1 /h1 , · · · , Hk /hk }, R{rσ/r} −→ ε, R{rσ/r} A simple inductive argument justifies a similar α-conversion of all the other resources in Rb : the hypotheses of Lemma 7b do not change, except that we ¯ ′ where σ ′ is the result of the α-conversions performed must ensure rσ 6∈ Rσ ¯ and rσ 6∈ ran(σ ′ ). previously. This is however straightforward, since rσ 6∈ R, We have therefore constructed a derivation for η0 ¯′ H ′ {H1 /h1 , · · · , Hk /hk }, Rσ −→ ε, R

Since R ∩ dom(σ) = R ∩ Rb = R ∩ (R ∪ R(η0 )) = R, and by the definition of ¯′, R η0

H ′ {H1 /h1 , · · · , Hk /hk }, R −→ ε, (R ∪ Rη0 ) ∪ Rb′ To prove the thesis, we now exploit Rb′ ∩ R′ = ∅ and apply Lemma 7a to every r ∈ Rb′ , obtaining: η1

¯ R′ ∪ Rb′ H ′′ {H1 /h1 , · · · , Hk /hk }, (R ∪ R(η0 )) ∪ Rb′ −→ H, We then can conclude that: η0 η1 ¯ R′ ∪ R′ (H ′ · H ′′ ){H1 /h1 , · · · , Hk /hk }, R −−−→ H, b

which implies η ∈ JH{H1 /h1 , · · · , Hk /hk }Kop (R). ′′ den —if H = H ′ + H ′′ , then η ∈ JH ′ Kden θ (R) or η ∈ JH Kθ (R). In the first case, by inε ′ duction hypothesis η ∈ JH {H1 /h1 , · · · , Hk /hk }Kop (R). Since H{H1 /h1 , · · · , Hk /hk }, R − → ′ H {H1 /h1 , · · · , Hk /hk }, R so by Lemma B.10: JH ′ {H1 /h1 , · · · , Hk /hk }Kop (R) = ε ⊙ JH ′ {H1 /h1 , · · · , Hk /hk }Kop (R) ⊆ JH{H1 /h1 , · · · , Hk /hk }Kop (R) which is the thesis. The other case is similar. —if H = µh. H ′ , then η ∈ f n (J!Kden θ )(R), for some n ≥ 0. By induction on n, we prove that, for all n ≥ 0: ¯⊇R ∀R

¯ ⊆ JH{H1 /h1 , · · · , Hk /hk }Kop (R) f n (⊥) (R)

The base case n = 0 is trivial, since ! is always included in the right-hand side. For the inductive case, we have that: ¯ = f (f n (⊥))(R) ¯ f n+1 (⊥) (R) ¯ = JH ′ Kden θ{f n (⊥)/h} (R) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–30

·

Massimo Bartoletti et al.

¯ ⊆ JH{H1 /h1 , · · · , Hk /hk }Kop (R) for by the induction hypothesis on n, f n (⊥)(R) ¯ all R ⊆ R. Then, by the induction hypothesis on the size of H: ¯ ⊆ JH ′ {H1 /h1 , · · · , Hk /hk , H{H1 /h1 , · · · , Hk /hk }/h}Kop (R) and by Lemma 6b: ⊆ JH ′ {H1 /h1 , · · · , Hk /hk , H{H1 /h1 , · · · , Hk /hk }/h}Kop (R) = ε ⊙ JH ′ {H1 /h1 , · · · , Hk /hk , H{H1 /h1 , · · · , Hk /hk }/h}Kop (R) ε

since H{H1 /h1 , · · · , Hk /hk } − → H ′ {H1 /h1 , · · · , Hk /hk }{H{H1 /h1 , · · · , Hk /hk }/h}, then by Lemma B.10: ⊆ JH{H1 /h1 , · · · , Hk /hk }Kop (R) which concludes the proof. Lemma B.28. For all history expressions H, H ′ with fv (H) = fv (H ′ ) = ∅, and for all finite sets of resources R, R′ : a

′ ′ den H, R − → H ′ , R′ =⇒ JHKden ∅ (R) ⊇ a ⊙ JH K∅ (R )

Proof. We proceed by induction on the size of H. We first consider the case ! H, R − → !, R, which applies to the cases H = ε, H = !, and H = α(n). In this case, den ! ⊙J !K∅ (R′ ) = { !} ⊆ JHKden ∅ (R). Otherwise, we consider the following exhaustive cases: —If H = α(r), then a = α(r) and H ′ = ε. We have Jα(r)Kden ∅ (R) = { !, α(r), α(r) !} ⊇ α(r) ⊙ {ε, !} = α(r) ⊙ JεKden (R). ∅ —If H = α(?), similar to the previous item. ¯ then a = ε, H ′ = H{r/n} ¯ —If H = νn. H, for some r 6∈ R, and R′ = R ∪ {r}. We S ′ den den den ¯ /n}K (R ∪ {r′ }) ⊇ JH{r/n}K ¯ ¯ JH{r (R ∪ {r}) = have Jνn. HK (R) = ′ r 6∈R

∅

∅

∅

′ ε ⊙ JH ′ Kden ∅ (R ). —If H = H0 + H1 , then H ′ = Hi with i ∈ {0, 1}, R′ = R and a = ε. We have den den ′ den JH0 + H1 Kden ∅ (R) = JH0 K∅ (R) ⊔ JH1 K∅ (R) ⊇ ε ⊙ JH K∅ (R). —If, H = H0 · H1 we have two subcases: —If H0 = ε and a = ε, then H ′ = H1 and R′ = R. We have:
den Jε · H1 Kden  JH1 Kden (R) ∅ (R) = JεK∅ ∅
′ (R) = (λR . {ε, !})  JH1 Kden ∅

= {ε, !} ⊙ JH1 Kden ∅ (R) ⊇ ε ⊙ JH1 Kden ∅ (R)

a

—Otherwise, H0 , R − → H0′ , R′ and H ′ = H0′ · H1 . The induction hypothesis den ′ gives JH0 K∅ (R) ⊇ a ⊙ JH0′ Kden ∅ (R ), from which we obtain: den JH0 · H1 Kden  JH1 Kden ∅ (R) = (JH0 K∅ ∅ )(R) den = { η0 ⊙ JH1 Kden ∅ (R ∪ R(η0 )) | η0 ∈ JH0 K∅ (R) } ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–31

′ den ′ by the induction hypothesis, JH0 Kden ∅ (R) ⊇ a ⊙ JH0 K∅ (R ), thus: ′ ′ den ⊇ { η0 ⊙ JH1 Kden ∅ (R ∪ R(η0 )) | η0 ∈ a ⊙ JH0 K∅ (R ) }

since R ⊆ R′ , then by Lemma B.20: ′ ′ ′ den ⊇ { η0 ⊙ JH1 Kden ∅ (R ∪ R(η0 )) | η0 ∈ a ⊙ JH0 K∅ (R ) } ′ ′ ′ den = a ⊙ { η0 ⊙ JH1 Kden ∅ (R ∪ R(η0 )) | η0 ∈ JH0 K∅ (R ) } ′ = a ⊙ JH0′ · H1 Kden ∅ (R )

¯ then a = ε, R′ = R, and H ′ = H{H/h}. ¯ —If H = µh. H, Therefore: G
JHKden f n (⊥) (R) ∅ (R) = n≥0

since, by Lemma B.15, f is continuous, then by the Knaster-Tarski theorem: G
=f f n (⊥) (R) n≥0

= f (JHKden ∅ )(R) den ¯ (R) = JHK den θ{JHK∅ /h}

and, by Lemma B.16: den ¯ = JH{H/h}K ∅ (R)

= ε ⊙ JH ′ Kden θ (R) which concludes the proof. Theorem B.29 Full abstraction. For all history expression H with fv (H) = ∅, and for all finite set of resources R: JHKop (R) = JHKden ∅ (R) op Proof. We first prove the inclusion JHKop (R) ⊆ JHKden ∅ (R). Let η ∈ JHK (R). Then, η = a1 · · · ak , and there exists a computation: a

a

a

k 2 1 · · · −→ Hk , R k H1 , R1 −→ H, R −→

where ai 6= ! for all i < k, and either Hk = ε, or ak = !. Using Lemma B.28 for k − 1 times, we obtain: den a1 ⊙ a2 ⊙ · · · ⊙ ak ⊙ JHk Kden ∅ (Rk ) ⊆ JHK∅ (R)

Now we consider the two cases Hk = ε and ak = !. If Hk = ε, then JHk Kden ∅ (Rk ) = {ε, !}, and so η ⊙ {ε, !} = {η, η!}. Thus, in both cases we have: den η ∈ η ⊙ JHk Kden ∅ (Rk ) ⊆ JHK∅ (R)

which proves the inclusion JHKop (R) ⊆ JHKden ∅ (R). The other inclusion follows directly from Lemma B.27 (note that fv (H) = ∅ by hypothesis). ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–32

B.3

·

Massimo Bartoletti et al.

Monotonicity of subeffecting

Definition B.30. Let η, η ′ be two histories. We say η ′ is a ?-abstraction of η when η ⊆? η ′ , where the preorder ⊆? is defined as follows: ε ⊆? ε

η α(ρ) ⊆? η ′ α(ρ′ ) if η ⊆? η ′ and ρ′ ∈ {ρ, ?}

η ! ⊆? η ′ ! if η ⊆? η ′

The preorder ⊆? on sets of histories is defined as follows: I ⊆? J

if ∀η ∈ I. ∃η ′ ∈ J. η ⊆? η ′

For all Y, Z ∈ Dden , we write Y ⊆? Z whenever Y (R) ⊆? Z(R) for all R. For all θ, θ′ , we write θ ⊆? θ′ when θ(h) ⊆? θ′ (h) for all h ∈ dom(θ′ ). Lemma B.31. For all set of histories X, X ′ , if X ⊆? X ′ and |= X ′ , then |= X. Proof. Let η ∈ X. By Definition B.30, there exists η ′ ∈ X ′ such that η ⊆? η ′ . We prove, by induction on the length of η ′ , that |= η ′ =⇒ |= η. Note first that η and η ′ have the same length, and that ap(η) = ap(η ′ ). If η ′ = ε, trivial. If η ′ = η¯′ β ′ , then η = η¯β, with η¯ ⊆? η¯′ , and β ⊆? β ′ . By the induction hypothesis, |= η¯′ implies |= η¯. We are left to prove that, for all ϕ ∈ ap(η), if η ′−[ ] |= ϕ then η −[ ] |= ϕ. By contradiction, assume η −[ ] 6|= ϕ, i.e. by Lemma 3.4 there exists an instantiation Aϕ(r,R) with an offending run on η −[ ] . Let η −[ ] = α1 (ℓ1 ) · · · αk (ℓk ), αi (ℓi )

and let η ′−[ ] = α1 (ℓ′1 ) · · · αk (ℓ′k ). For any transition qi −−−−→ qi+1 in that run, there are two cases. If ℓi = r ∈ Res, then either ℓ′i = r or ℓ′i =?. If ℓi =?, then ℓ′i =?. In αi (ℓ′ )

both cases, there exists a transition qi −−−−i→ qi+1 in the run for η ′−[ ] , which would then lead to an offending state – contradiction. Lemma B.32. For all Y, Y ′ , Z ∈ Dden : Y ⊆? Y ′ =⇒ Y  Z ⊆? Y ′  Z Proof. For all R ⊆ Res, we have to prove (Y  Z)(R) ⊆? (Y ′  Z)(R). By Definition B.9, we have that: (Y  Z)(R) = { η0 ⊙ η1 | η0 ∈ Y (R), η1 ∈ Z(R ∪ R(η0 )) } Since Y ⊆? Y ′ , by Definition B.30 there exists η0′ ∈ Y ′ (R) such that η0 ⊆? η0′ . Since R(η0 ) ⊇ R(η0′ ), then by Lemma B.20, η1 ∈ Z(R ∪ R(η0′ )). Therefore, η0′ ⊙ η1 ∈ (Y ′  Z)(R). Lemma B.33. For all H, θ, θ′ such that θ ⊆? θ′ , JHKden ⊆? JHKden θ θ′ . Proof. Straightforward structural induction. Lemma B.34. For all history expressions H, and for all n, ρ: H ⊑ H ′ =⇒ H{ρ/n} ⊑ H ′ {ρ/n} Proof. Straightforward structural induction. Theorem B.35 Monotonicity of subeffecting. For all history expressions H, H ′ with fn(H) = fn(H ′ ) = ∅, and for all θ such that dom(θ) ⊇ fv (H) ∪ fv (H ′ ): H ⊑ H ′ =⇒ JHKden ⊆? JH ′ Kden θ θ ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–33

Proof. We proceed by induction on the size of the proof of H ⊑ H ′ : —H = H ′ . The thesis follows from Lemma B.18. —H ′ = H + H ′′ . Then, for all R: den ′′ den ′ den JHKden θ (R) ⊆ JHKθ (R) ∪ JH Kθ (R) = JH Kθ (R)

—H = α(r), H ′ = α(?). Then, for all R: ′ den JHKden θ (R) = { !, α(r) !, α(r)} ⊆? { !, α(?) !, α(?)} = JH Kθ (R)

—H ⊑ H ′′ and H ′′ ⊑ H ′ . The thesis follows because the relation ⊆? on histories is a preorder. ¯ ⊑ C(H ¯ ′ ) and H ¯ ⊑H ¯ ′ . There are the following cases: —H = C(H) ¯ den (R). Then, η = η0 ⊙ η1 , with η0 ∈ JH ′′ Kden (R) —C = H ′′ · •. Let η ∈ JH ′′ · HK θ θ den ¯ and η1 ∈ JHK θ (R ∪ R(η0 )). There are two subcases. ¯ ′ Kden (R). If ! ∈ η0 , then η = η0 ∈ JH ′′ · H θ ¯ ⊑H ¯ ′ , by the induction hypothesis there If ! 6∈ η0 , then η = η0 η1 . Since H ′ ′ exists η1 such that η1 ⊆? η1 and: η1′ ∈ JH¯ ′ Kden θ (R ∪ R(η0 )) Since η0 η1 ⊆? η0 η1′ , this implies the thesis: η ⊆? η0 η1′ ∈ JH ′ Kden θ (R) ¯ · H ′′ Kden (R). Then, η = η0 ⊙ η1 , with η0 ∈ JHK ¯ den (R) —C = • · H ′′ . Let η ∈ JH θ θ ′′ den and η1 ∈ JH Kθ (R ∪ R(η0 )). By the induction hypothesis, there exists η0′ ∈ ¯ ′ Kden (R) such that η0 ⊆? η ′ . There are the following two subcases. JH 0 θ If ! ∈ η0 , then ! ∈ η0′ , η0 ⊙ η1 = η0 and η0′ ⊙ η1 = η0′ , which implies the thesis. If ! 6∈ η0 , then ! 6∈ η0′ , η0 ⊙ η1 = η0 η1 and η0′ ⊙ η1 = η0′ η1 . We have that R(η0′ ) ⊆ R(η0 ) ∪ {?}. By Lemma B.20, it follows that: ′ η1 ∈ JH ′′ Kden θ (R ∪ R(η0 ))

Therefore, the thesis follows from η0 η1 ⊆? η0′ η1 , and: η = η0 ⊙ η1 ⊆? η0′ ⊙ η1 ∈ JH ′ Kden θ (R) ¯ ⊑H ¯ ′ , then by Lemma B.34 H{r/n} ¯ ¯ ′ {r/n}, for all r 6∈ —C = νn. •. Since H ⊑H den den ¯ ¯′ R. Then, by the induction hypothesis JH{r/n}K θ (R) ⊆? JH {r/n}Kθ (R). The thesis follows from Definition B.11. F F —C = µh. •. By definition, JHKden = i≥0 f i (⊥) and JH ′ Kden = i≥0 g i (⊥), θ θ ¯ den ¯ ′ den where f (Y ) = JHK θ{Y /h} and g(Y ) = JH Kθ{Y /h} . It suffices proving that, for all i ≥ 0, f i (⊥) ⊆? g i (⊥). The base case i = 0 is trivial. For the inductive ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–34

·

Massimo Bartoletti et al.

case, we have that: f i+1 (⊥) = f (f i (⊥)) ¯ deni = JHK

θ{f (⊥)/h}

¯ deni ⊆? JHK θ{g (⊥)/h}

by the ind. hyp. on i and Lemma B.33

¯ ′ Kdeni ⊆? JH θ{g (⊥)/h}

¯ ⊑H ¯′ by the induction hypothesis on H

= g(g i (⊥)) = g i+1 (⊥) —the other contexts, • + H ′′ and H ′′ + • are trivial. Lemma B.36. For all sets of histories X0 and X1 : X0 ⊆? X1 =⇒ X0−? ⊆ X1−? Proof. By induction on the length of η0 ∈ X0−? . If η0 = ε, trivial. If η0 = η0′ α(r), then there exist η¯0 α(ρ0 ) ∈ X0 such that η0′ ∈ η¯0 −? and α(r) ⊆? α(ρ0 ). Since X0 ⊆? X1 , there exists η¯1 α(ρ1 ) ∈ X1 such that η¯0 α(ρ0 ) ⊆? η¯1 α(ρ1 ). By definition, (η¯1 α(ρ1 ))−? ⊆ X1−? . By the induction hypothesis, η¯0 −? ⊆ η¯1 −? . Thus, η0 = η0′ α(r) ⊆ η¯0 −? α(ρ0 )−? ⊆ η¯1 −? α(ρ1 )−? ⊆ X1−? . Lemma 4.9. For all history expressions H, H ′ , if H ⊑ H ′ then JHK Proof. Straightforward by Theorem B.35 and Lemma B.36. C.

−?

⊆ JH ′ K

−?

PROOFS: TYPE SAFETY

To prove our type and effect system for λ[ ] correct, it is convenient to state subject reduction in the traditional form, where each step of a computation preserves the type. This is not true for the operational semantics → in Definition 3.6, because of the growing histories. Also, when a policy framing is left, it is no longer recorded in the expression. We then use a big-step semantics =⇒ of λ[ ] (Definition C.17), which preserves the types. To prove the two semantics equivalent, we first introduce in Definition C.12 a transformation that substitutes framing events for policy framings in λ[ ] expressions. Lemma C.13 guarantees that this transformation is sound, and Lemma C.14 shows it also preserves types. The relation between the small-step and the big-step semantics is obtained through Lemma C.19. Lemma C.23 establishes subject reduction for the big-step semantics =⇒. Theorem 5.4 exploits subject reduction to guarantee that the run-time histories of an expression are included in the effects inferred by the type system. Finally, type safety is proved by Theorem 5.5. It guarantees that an expression with a valid effect will never fail at run-time. Remark C.1. In this appendix we shall consider a simplified version of λ[ ] that neglects capabilities in expression and types. This is because a full treatment of capabilities would add some degree of verbosity to our proofs, which are already quite long. As a matter of fact, capabilities add no particular issues in the type system, so the definitions and the proofs presented below can be easily accomodated to deal with them, at the cost of more verbosity. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–35

C.1 Basic properties of ν-types and subtyping Lemma C.1. For all pure types τ , and for all n, ρ: τ ⊑ τ ′ =⇒ τ {ρ/n} ⊑ τ ′ {ρ/n} Proof. Follows directly from Definition 5.2. We now state in Lemma C.3 a fundamental result about subtyping of ν-types. Roughly, whenever ζ ⊑ ζ ′ , it is possible to α-convert the names of ζ so to separately obtain subtyping between the pure types of ζ and ζ ′ , and subeffecting between their effects. Note that Remark 5.1 above enables us to use Lemma C.3 on any pair of types, after rewriting them in νNF. Lemma C.2. Let νN.(τ  H) ⊑ νN ′ .(τ ′  H ′ ). —If τ ′ 6= {?}, then: ∃σ : N ∩ fn(τ ) ↔ N ′ ∩ fn(τ ′ ) : τ σ ⊑ τ ′ ∧ (ν(N \ fn(τ )).H)σ ⊑ ν(N ′ \ fn(τ ′ )). H ′ —If τ ′ = {?}, then τ ⊑ τ ′ and νN. H ⊑ νN ′ . H. Proof. Consider the derivation used to deduce νN.(τ  H) ⊑ νN ′ .(τ ′  H ′ ). We proceed by induction on the number of steps in this derivation, without counting the α-conversion steps. If α-conversion was used, then there exist n ∈ N and n′ ∈ N ′ such that N {n′ /n} = N ′ , τ {n′ /n} = τ ′ and H{n′ /n} = H ′ , and thesis follows directly by choosing σ = id(N ∩fn(τ ))\{n} ◦ {n 7→ n′ }. Otherwise, there are the following cases on the last rule used: —if transitivity was used, then there exist νN ′′ .(τ ′′  H ′′ ) such that: νN.(τ  H) ⊑ νN ′′ .(τ ′′  H ′′ ) ⊑ νN ′ .(τ ′  H ′ ) Without loss of generality, we can α-convert N ′′ so to obtain N ′′ 6 ∩ fn(H). There are two subcases, depending on whether τ ′ 6= {?} or not. —case τ ′ 6= {?}. By the induction hypothesis applied on the second inequality, we find: ∃σ ′′ : N ′′ ∩ fn(τ ′′ ) ↔ N ′ ∩ fn(τ ′ ) : τ ′′ σ ′′ ⊑ τ ′ ∧ (ν(N ′′ \ fn(τ ′′ )). H ′′ )σ ′′ ⊑ ν(N ′ \ fn(τ ′ )). H ′ By the induction hypothesis applied on the first inequality, we find: ∃σ ′ : N ∩ fn(τ ) ↔ N ′′ ∩ fn(τ ′′ ) : τ σ ′ ⊑ τ ′′ ∧ (ν(N \ fn(τ )). H)σ ′ ⊑ ν(N ′′ \ fn(τ ′′ )). H ′′ Let σ = σ ′′ ◦ σ ′ . Then, σ is a bijection from N ∩ fn(τ ) into N ′ ∩ fn(τ ′ ), and by Lemma B.34 we have that: τ σ = (τ σ ′ )σ ′′ ⊑ τ ′′ σ ′′ ⊑ τ ′ (ν(N \ fn(τ )). H)σ ⊑ (ν(N ′′ \ fn(τ ′′ )). H ′′ )σ ′′ ⊑ ν(N ′ \ fn(τ ′ )). H ′ ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–36

Massimo Bartoletti et al.

—case τ ′ = {?}. By the induction hypothesis applied on the second inequality, we have that: (9)

τ ′′ ⊑ τ ′

νN ′′ . H ′′ ⊑ νN ′ . H ′

There are two subcases, depending on whether τ ′′ 6= {?} or not. —case τ ′′ 6= {?}. By the induction hypothesis on the first inequality, we have that: ∃σ ′ : N ∩ fn(τ ) ↔ N ′′ ∩ fn(τ ′′ ) : τ σ ′ ⊑ τ ′′ ∧ (10)

(ν(N \ fn(τ )). H)σ ′ ⊑ ν(N ′′ \ fn(τ ′′ )). H ′′

For the subtyping relation, we have that: τ = (τ σ ′ )σ ′−1 ⊑ τ ′′ σ ′−1 ′ ′−1

⊑τ σ = τ′

by Lemma C.1 by Lemma C.1 since τ ′ = {?}

For the subeffecting relation, we have that: νN. H ⊑ νN σ ′ . Hσ ′ = ν(N ∩ fn(τ ))σ ′ .ν(N \ fn(τ ))σ ′ . Hσ ′ = ν(N ′′ ∩ fn(τ ′′ )).ν(N \ fn(τ )). Hσ ′ = ν(N ′′ ∩ fn(τ ′′ )).(ν(N \ fn(τ )). H)σ ′

by ran(σ ′ )6 ∩ fn(H) by Definition σ ′ by ran(σ ′ )6 ∩ fn(H)

⊑ ν(N ′′ ∩ fn(τ ′′ )).ν(N ′′ \ fn(τ ′′ )). H ′′ = νN ′′ . H ′′

by (10)

⊑ νN ′ . H ′

by (9)

—case τ ′′ = {?}. By the induction hypothesis on the first inequality, we have τ ⊑ τ ′′ and νN. H ⊑ νN ′′ . H ′′ . The thesis follows from τ ⊑ τ ′′ ⊑ τ ′ and by νN. H ⊑ νN ′′ . H ′′ ⊑ νN ′ . H ′ . —if ν-extrusion was used, then there exists some n 6∈ fn(τ ) such that either N = N ′ ∪ {n} and H ′ = νn. H, or viceversa if the rule is applied from right to left. In both cases we have N ∩ fn(τ ) = N ′ ∩ fn(τ ), and so the thesis follows trivially by choosing σ = idN ∩fn(τ ) . —if the last rule in Definition 5.2 was used, then N = N ′ , τ ⊑ τ ′ and H ⊑ H ′ , with (fn(τ ′ ) \ fn(τ ))6 ∩ N . There are two subcases. —If τ ′ = {?}, then since the relation ⊑ on effects is precongruence, from H ⊑ H ′ it follows that νN.H ⊑ νN.H ′ . —If τ ′ 6= {?}, let σ be the identity. By the condition (fn(τ ′ ) \ fn(τ ))6 ∩ N , it follows that N ∩ fn(τ ) = N ∩ fn(τ ′ ), and so σ : N ∩ fn(τ ) ↔ N ∩ fn(τ ′ ). The item τ σ ⊑ τ ′ is straightforward by τ ⊑ τ ′ . The remaining item is implied by N \ fn(τ ) = N \ fn(τ ′ ) and by H ⊑ H ′ .

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–37

Lemma C.3. Let νN.(τ  H) ⊑ νN ′ .(τ ′  H ′ ), where both types are in νNF. —If τ ′ 6= {?}, then there exists a bijective function σ : N ↔ N ′ such that τ σ ⊑ τ ′ , and Hσ ⊑ H ′ . —If τ ′ = {?}, then τ ⊑ τ ′ and νN.H ⊑ H ′ . Proof. Immediate from Lemma C.2. Lemma C.4. For all ζ, ζ ′ , n, ρ: ζ ⊑ ζ ′ =⇒ ζ{ρ/n} ⊑ ζ ′ {ρ/n} Proof. Let ζ = νN.τ  H and let ζ ′ = νN ′ .τ ′  H ′ . Without loss of generality, we can assume n, ρ 6∈ N ∪ N ′ . By Remark 5.1, we have the following νNFs: ˆ .τ  (ν N ˇ .H) ζ = νN ˆ ′ .τ ′  (ν N ˇ ′ .H ′ ) ζ′ = νN

ˆ = N ∩ fn(τ ) N ˆ ′ = N ′ ∩ fn(τ ′ ) N

ˇ = N \ fn(τ ) N ˇ ′ = N ′ \ fn(τ ′ ) N

By Lemma C.3, there are two cases. If τ ′ 6= {?}, then: ˆ ↔N ˆ ′ : τ σ ⊑ τ ′ ∧ (ν N ˇ .H)σ ⊑ (ν N ˇ ′ .H ′ ) ∃σ : N ˆ ⊆ fn(τ ), then N ˆ σ ⊆ fn(τ )σ, and so N ˆ ′ ⊆ fn(τ σ). Also, n 6∈ N ˆ ′ implies Since N ′ ˆ N ⊆ fn(τ σ{ρ/n}). Therefore, we have that: (11)

ˆ′ = ∅ (fn(τ ′ {ρ/n}) \ fn(τ σ{ρ/n})) ∩ N

ˆ and n 6∈ ran(σ) = N ˆ ′ , then: Since ρ 6∈ dom(σ) = N {ρ/n}σ = σ{ρ/n} We also have that: ˆ . τ {ρ/n}  (ν N ˇ .H){ρ/n} ζ{ρ/n} = ν N ˆ ′ . τ ′ {ρ/n}  (ν N ˇ ′ .H ′ ){ρ/n} ζ ′ {ρ/n} = ν N By α-converting ζ{ρ/n}, we obtain: ˆ σ. τ {ρ/n}σ  (ν N ˇ .H){ρ/n}σ ζ{ρ/n} = ν N ˆ σ. τ σ{ρ/n}  (ν N ˇ .H)σ{ρ/n} = νN ˆ ′ . τ σ{ρ/n}  (ν N ˇ .H)σ{ρ/n} = νN ˆ ′ . τ ′ {ρ/n}  (ν N ˇ ′ .H ′ ){ρ/n} ⊑ νN = ζ ′ {ρ/n} where the ⊑-step follows by (11), and by Lemma C.1. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–38

·

Massimo Bartoletti et al.

ˆ ′ = ∅, and by Lemma C.3, τ ⊑ τ ′ and νN.H ⊑ ν N ˇ ′ .H ′ . Thus: If τ ′ = {?}, then N ˆ . τ {ρ/n}  (ν N ˇ .H){ρ/n} ζ{ρ/n} = ν N ˆ . τ ′ {ρ/n}  (ν N ˇ .H){ρ/n} ⊑ νN ˆ ∪N ˇ ).H){ρ/n} = {?}  (ν(N ′ ′ ˇ .H ){ρ/n} ⊑ {?}  (ν N = ζ ′ {ρ/n} Lemma C.5 Substitution. For all ∆, e, τ, ζ, x, v, ρ, n: (5a)

∆; x : τ ⊢ e : ζ, ∆ ⊢ v : τ  ε =⇒ ∆ ⊢ e{v/x} : ζ

(5b) (5c)

∆ ⊢ e : ζ =⇒ ∆{ρ/n} ⊢ e : ζ{ρ/n} ∆; x : R ∪ {n} ⊢ e : ζ =⇒ ∆{r/n} ⊢ e{r/x} : ζ{r/n}

(5d) (5e)

∆; x : N ∪ R ⊢ e : ζ =⇒ ∆; x : N ⊢ e : ζ ∆; x : {?} ⊢ e : ζ =⇒ ∆ ⊢ e{r/x} : ζ

(5f)

∆; x : {?} ⊢ e : ζ =⇒ ∆; x : S ⊢ e : ζ

Proof. For (5a) we proceed by induction on the typing derivation for ∆′ ⊢ e : ζ, where ∆′ = ∆; x : τ . There are the following cases, according to the last rule used in the derivation (the trivial cases are omitted): —case T-App. Straightforward by the induction hypothesis. —case T-Abs. In this case e = λz y. e′ and ζ = τ ′ → ζ ′ . If x = y, then the thesis trivially holds. Otherwise: ∆′ ; y : τ ′ ; z : τ ′ → ζ ′ ⊢ e′ : ζ ′ ∆′ ⊢ λz y.e′ : τ ′ → ζ ′  ε Let ∆′′ = ∆; y : τ ′ ; z : τ ′ → ζ ′ . By the rule the induction hypothesis:

T-AddVar,

∆′′ ⊢ v : τ  ε. Then, by

∆′′ ⊢ e′ {v/x} : ζ ′ By

T-Abs:

∆ ⊢ λz y. e′ {v/x} : τ ′ → ζ ′  ε The conclusion follows by the fact that e{v/x} = λz y.(e′ {v/x}). —case T-Var. In this case e = ξ ∈ Var ∪ Res, ζ = τ ′  ε, and: ∆′ ; ξ : τ ′ ⊢ ξ : τ ′  ε If ξ 6= x, the substitution is vacuous. Otherwise, e{v/x} = v, and τ = τ ′ . So, the thesis follows directly from the hypothesis. ¯ ξ : τ ′ , and: —case T-AddVar. In this case ∆′ = ∆; ¯ ⊢e:ζ ∆ ¯ ξ : τ′ ⊢ e : ζ ∆; ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–39

¯ = ∆′′ ; x : τ for some ∆′′ , and by the There are two cases. If x 6= ξ, then, ∆ induction hypothesis: ∆′′ ⊢ e{v/x} : ζ Then, by T-AddVar, ∆′′ ; ξ : τ ′ ⊢ e{v/x} : ζ, where ∆ = ∆′′ ; ξ : τ ′ . ¯ A simple inductive argument shows Otherwise, if x = ξ, then τ = τ ′ and ∆ = ∆. that x does not occur free in e, because x = ξ 6∈ dom(∆) and e is typable in the environment ∆. Therefore the substitution is vacuous. For (5b) we proceed by induction on the typing derivation for ∆ ⊢ e : ζ. There are the following cases, according to the last rule used in the derivation: P —case T-Ev. We have that ∆ ⊢ α(ξ) : 1  ρ′ ∈∆(ξ) α(ρ′ ). Thus:
P P ′ ∆{ρ/n} ⊢ α(ξ) : 1  ρ′ ∈∆{ρ/n}(ξ) α(ρ′ ) = ρ′ ∈∆(ξ) α(ρ ) {ρ/n}

—case T-Wk. The thesis follows from the induction hypothesis and Lemma C.4. —The remaining cases are either trivial or directly follow from the induction hypothesis. For (5c) we proceed by induction on the typing derivation for ∆′ ⊢ e : ζ, where ∆′ = ∆; x : R ∪ {n}. There are the following cases, according to the last rule used in the derivation (the trivial cases are omitted): —case

T-Ev.

In this case e = α(y). Let ∆′ = ∆′′ ; y : S. We have that: P ∆′′ ; y : S ⊢ α(y) : 1  ρ∈S α(ρ)

There are two cases. If x 6= y, then the thesis follows from (5b). If x = y, then S = R ∪ {n}, and so: P ∆{r/n} ⊢ α(r) : 1  ρ∈R∪{r} α(ρ)

—case

T-Var.

In this case e = ξ ∈ Var ∪ Res, ζ = τ  ε, and: ∆; ξ : τ ⊢ ξ : τ  ε

If ξ 6= x, the thesis follows from (5b). If ξ = x, τ = R ∪ {n}, and: ∆ ⊢ r : {r}  ε T-Wk

∆ ⊢ r : R ∪ {r}  ε —case

T-Wk.

In this case we have that: ∆; x : R ∪ {n} ⊢ e : ζ ′ ∆; x : R ∪ {n} ⊢ e : ζ

ζ′ ⊑ ζ

By the induction hypothesis, ∆{r/n} ⊢ e{r/x} : ζ ′ {r/n}. The thesis follows from Lemma C.4. —The remaining cases are either trivial or directly follow from the induction hypothesis. For (5e) we proceed by induction on the typing derivation for ∆′ ⊢ e : ζ, where ∆′ = ∆; x : {?}. There are the following cases, according to the last rule used in the derivation (the trivial cases are omitted): ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–40

·

—case

T-Ev.

Massimo Bartoletti et al.

In this case e = α(y). We have that: P ∆′ ⊢ α(y) : 1  ρ∈S α(ρ)

There are two cases. If x 6= y, then ∆′ = ∆′′ ; y : S; x : {?} for some ∆′′ , and so by P ∆′′ ; y : S ⊢ α(y) : 1  ρ∈S α(ρ) If x = y, then ζ = 1  α(?), and the thesis follows from

T-Ev

T-Ev:

and

T-Wk:

∆ ⊢ α(r) : 1  α(r) T-Wk

∆ ⊢ α(r) : 1  α(?) —case

T-Var.

In this case e = ξ ∈ Var ∪ Res, ζ = τ  ε, and: ∆; ξ : τ ⊢ ξ : τ  ε

If ξ 6= x, trivial. If ξ = x, then τ = {?}, and: ∆ ⊢ r : {r}  ε T-Wk

∆ ⊢ r : {?}  ε —The remaining cases are either trivial or directly follow from the induction hypothesis. For (5f) we proceed by induction on the typing derivation for ∆′ ⊢ e : ζ, where ∆′ = ∆; x : {?}. There are the following cases, according to the last rule used in the derivation (the trivial cases are omitted): —case

T-Ev.

In this case e = α(y). We have that: P ∆′ ⊢ α(y) : 1  ρ∈S ′ α(ρ)

There are two cases. If x 6= y, then ∆′ = ∆′′ ; y : S ′ ; x : {?} for some ∆′′ , and so by P ∆′′ ; y : S ′ ; x : S ⊢ α(y) : 1  ρ∈S ′ α(ρ)

T-Ev:

If x = y, then ζ = 1  α(?), and the thesis follows from T-Ev and P ∆; x : S ⊢ α(x) : 1  ρ∈S α(ρ)

T-Wk:

T-Wk

∆; x : S ⊢ α(x) : 1  α(?)

—case

T-Var.

In this case e = ξ ∈ Var ∪ Res, ζ = τ  ε, and: ∆; ξ : τ ⊢ ξ : τ  ε

If ξ 6= x, trivial. If ξ = x, then τ = {?}, and: ∆; x : S ⊢ x : S  ε T-Wk

∆; x : S ⊢ x : {?}  ε —The remaining cases are either trivial or directly follow from the induction hypothesis. Definition C.6. Let ζ = νN. τ  H. Then, we define t(ζ) = τ and fnt (ζ) = fn(τ ). ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–41

Lemma C.7. For all H, H ′ , ζ, ζ ′ and N : (7a) (7b)

H ⊑ H ′ =⇒ νN. H · ζ ⊑ νN. H ′ · ζ ζ ⊑ ζ ′ ∧ (fnt (ζ ′ ) \ fnt (ζ))6 ∩ N =⇒ νN. H · ζ ⊑ νN. H · ζ ′

¯ . τ¯  H, ¯ where we choose N ¯ 6 ∩ (N ∪ fn(H) ∪ fn(H ′ )). By Proof. For (7a), let ζ = ν N ¯ ) and H · H ¯ ⊑ H ′ · H, ¯ it follows that: Definition 5.2, since (fn(¯ τ ) \ fn(¯ τ ))6 ∩ (N ∪ N ¯ ). τ¯  H · H ¯ ⊑ ν(N ∪ N ¯ ). τ¯  H ′ · H ¯ = νN. H ′ · ζ (12) νN. H · ζ = ν(N ∪ N ¯ . τ¯  H ¯ and ζ ′ = ν N ¯ ′ . τ¯′  H ¯ ′ be in νNF, where, without loss For (7b), let ζ = ν N ¯ , N¯ ′ such that: of generality, we choose N ¯ , N¯ ′ 6 ∩ (N ∪ fn(H)) N

¯ 6∩ N ¯′ N

¯ 6 ∩ fn(¯ N τ ′)

¯ ′ 6 ∩ fn(¯ N τ)

There are two subcases. If τ¯′ 6= {?}, then by Lemma C.3: ¯ ↔N ¯ ′ : τ¯σ ⊑ τ¯′ ∧ Hσ ¯ ⊑H ¯′ ∃σ : N

(13)

The following inclusion holds: ¯ ′) (fn(¯ τ ′ ) \ fn(¯ τ σ)) ∩ (N ∪ N ′ ¯ ′) ⊆ (fn(¯ τ ) \ (fn(¯ τ ) \ dom(σ))) ∩ (N ∪ N ¯ )) ∩ (N ∪ N ¯ ′) = (fn(¯ τ ′ ) \ (fn(¯ τ) \ N ¯ ′) = (fn(¯ τ ′ ) \ fn(¯ τ )) ∩ (N ∪ N ′

= (fn(¯ τ ) \ fn(¯ τ )) ∩ N

by (12) ¯ ′ ⊆ fn(¯ by N τ ′)

Since by hypothesis fn(¯ τ ′ ) \ fn(¯ τ )6 ∩ N , this proves the following fact: ¯ ′) fn(¯ τ ′ ) \ fn(¯ τ σ)6 ∩ (N ∪ N

(14) Therefore, we have that:

¯ ). τ¯  H · H ¯ νN. H · ζ = ν(N ∪ N ¯ )σ. τ¯σ  (H · Hσ) ¯ = ν(N ∪ N ¯ σ. τ¯σ  H · Hσ ¯ = νN ∪ N ′ ′ ¯ ¯′ ⊑ ν(N ∪ N ). τ¯  H · H = νN. H · ζ

¯ )6 ∩ N ¯′ by (12), fn(¯ τ ) \ (N ∪ N by (14) and (13)

′

′

If τ¯ = {?}, the proof is similar, yet simpler. Definition C.8. For all ζ and M, U ⊂ Nam, we define WM,U (ζ) as follows: ( (S ∪ M ){?/U } if τ = S WM,U (τ ) = τ {?/U } otherwise WM,U (νN. τ  H) = νN. WM,U (τ )  H{?/U }

if M, U 6 ∩ N

where we assume that S ∪ {?} = {?}, for all S. Lemma C.9. For all M, U and ζ = νN. τ  H, if M = ∅ or τ = S 6= {?}, then fn(WM,U (ζ)) = (fn(ζ) ∪ M ) \ U , and fnt (WM,U (ζ)) = (fnt (ζ) ∪ M ) \ U . ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–42

·

Massimo Bartoletti et al.

Proof. Straightforward by Definition C.8. Lemma C.10. For all ζ, ζ ′ , M, U : (10a) (10b)

ζ ⊑ ζ ′ =⇒ WM,U (ζ) ⊑ WM,U (ζ ′ ) M 6 ∩ N =⇒ νN. H · WM,U (ζ) ⊑ WM,U (νN. H · ζ)

Proof. Straightforward by Definition C.8. Lemma C.11. Let ζ ⊑ ζ ′ . Then, there exist M ⊆ fnt (ζ ′ ) \ fnt (ζ) and U ⊆ fn(ζ) \ fn(ζ ′ ) such that: ζ ⊑ WM,U (ζ) ⊑ ζ ′ fn(WM,U (ζ)) ⊆ fn(ζ ′ ) fnt (ζ ′ ) ⊆ fnt (WM,U (ζ)) Proof. Take M = fnt (ζ ′ ) \ fnt (ζ) and U = fn(ζ) \ fn(ζ ′ ). This implies M 6 ∩ U and ζ ′ {?/U } = ζ ′ . We let ζ = νN.τ  H and ζ ′ = νN ′ .τ ′  H ′ with N, N ′ pairwise disjoint from M, U . We now prove the first item. By Lemma C.4 and ζ ⊑ ζ ′ we have ζ{?/U } ⊑ ′ ζ {?/U } = ζ ′ . This implies that νN.τ {?/U }  H{?/U } ⊑ νN ′ .τ ′  H ′ If τ 6= S for all S, this concludes by Definition C.8. Otherwise, τ = S, and τ ′ = S ′ for some S, S ′ . If τ ′ = {?} we can then augment with M the right hand side of the inequality above and have νN.(τ {?/U } ∪ M )  H{?/U } ⊑ νN ′ .τ ′  H ′ So, we conclude by M 6 ∩ U implying τ {?/U } ∪ M = (τ ∪ M ){?/U }. Otherwise, if τ ′ = S ′ 6= {?}, we can still have the inequality above by M ⊆ S ′ = τ ′ . We conclude similarly. For the second item, we note that fn(WM,U (ζ)) ⊆ (fn(ζ) ∪ M ) \ U ⊆ fn(ζ) \ U ⊆ fn(ζ) \ (fn(ζ) \ fn(ζ ′ )) ⊆ fn(ζ ′ ) For the third item, fnt (ζ) = fn(τ ) \ N and fnt (ζ ′ ) = fn(τ ′ ) \ N ′ . If τ ′ = {?}, the thesis trivially holds; otherwise we consider three subcases: —If τ = {?}, then τ ′ = {?}, contradicting the above assumption. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–43

—If τ = S for some S 6= {?}, we have fnt (WM,U (ζ)) = ((fn(τ ) ∪ M ) \ U ) \ N = ((fn(τ ) \ N ) ∪ M ) \ U = (fnt (ζ) ∪ (fnt (ζ ′ ) \ fnt (ζ))) \ U = (fnt (ζ) ∪ fnt (ζ ′ )) \ U ⊇ fnt (ζ ′ ) \ U = fnt (ζ ′ ) where the last step follows from the definition of U . —If τ 6= S for all S, then a simple inductive argument on the derivation of ζ ⊑ ζ ′ shows fnt (ζ) = fnt (ζ ′ ). Hence, fnt (WM,U (ζ)) = (fn(τ ) \ U ) \ N = (fn(τ ) \ N ) \ U ⊇ fnt (ζ) \ (fn(ζ) \ fn(ζ ′ )) = (fnt (ζ) \ fn(ζ)) ∪ (fnt (ζ) ∩ fn(ζ ′ )) = fnt (ζ) ∩ fn(ζ ′ ) = fnt (ζ ′ ) ∩ fn(ζ ′ ) = fnt (ζ ′ ) This concludes the proof. C.2

Encoding of policy framings into framing events

Definition C.12. Translation of policy framings to framing events x♯ = x

r♯ = r

α(ξ)♯ = α(ξ)

(new γ)♯ = new γ

(if b then e0 else e1 )♯ = if b then e♯0 else e♯1 (e0 e1 )♯ = e♯0 e♯1

ϕ[e]♯ = (λx. ]ϕ ; x) ([ϕ ; e♯ )

(λz x. e)♯ = λz x. e♯ fail e♯ = fail e♯

Note that a policy framing ϕ[e] is mapped to the expression (λx. ]ϕ ; x) ([ϕ ; e♯ ). This is justified by looking at the following computation of ϕ[e]♯ : η, (λx. ]ϕ ; x) ([ϕ ; e♯ ) → η[ϕ , (λx. ]ϕ ; x) e♯ →∗ η[ϕ η ′ , (λx. ]ϕ ; x)v → η[ϕ η ′ , ]ϕ ; v → η[ϕ η ′ ]ϕ , v (note that translating ϕ[e] to [ϕ ; e; ]ϕ is incorrect, because the computation of ϕ[e]♯ would have the following form: η, [ϕ ; e♯ ; ]ϕ → η[ϕ , e♯ ; ]ϕ →∗ η[ϕ η ′ , v; ]ϕ → η[ϕ η ′ , ]ϕ and thus the value v would be incorrectly discarded). ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–44

·

Massimo Bartoletti et al.

Remark C.2. Without loss of generality, hereafter we assume that the framings in any λ[ ] expression e0 start with a special dummy event ι not affecting security (i.e. ι is never mentioned in policies). Let ι(e0 ) be the expression where each ϕ[e] is rewritten as ϕ[ι; e]. We accordingly modify as follows the definition of the transformation ♯: ( (λx. ]ϕ ; x) ([ϕ ; e♯ ) if e = ι; e′ ♯ ϕ[e] = (λx. ]ϕ ; x) e♯ otherwise The above transformation does not affect any security aspects of λ[ ] computations. Indeed, if ε, e0 →∗ η, e1 , then there exists a computation ε, ι(e0 ) →∗ η, e˜1 , for some e˜1 , and the two computations of e♯0 and ι(e0 )♯ agree, ignoring the ι’s. The following lemma establishes that each computation of e may be mimicked by a computation of e♯ . Lemma C.13. For all λ[ ] expressions e0 , e1 , if ε, e0 →∗ η, e1 then there exists η¯, e¯1 such that ε, e♯0 →∗ η¯, e¯1 , η¯ −[ ] = η, and e1 = fail e =⇒ 6|= η¯. Proof. According to Remark C.2, we shall prove the main statement for ι(e0 )♯ . The active policies ap(e) of an expression e are inductively defined as follows: ap(v) = ap(α(ξ)) = ap(new ) = ap(if b then e0 else e1 ) = ∅ ( ap(e0 ) if e0 6∈ Val ap(e0 e1 ) = ap(e1 ) otherwise

ap(fail e ) = ap(e)

( ap(e) ap(ϕ[e]) = {ϕ} ∪ ap(e)

if e = ι; e′ otherwise

We first prove that, for all λ[ ] expressions e1 , e2 and histories η1 , η2 : (15)

η1 , e1 → η2 , e2 =⇒ ∀η¯1 : η¯1 −[ ] = η1 and ap(e1 ) ⊆ ap(η¯1 ) :

η¯1 , e♯1 →∗ η¯1 β, e♯2

 α(r)    [ ϕ where β =  ] ϕ    ε

if η2 = η1 α(r) if ap(e2 ) \ ap(e1 ) = {ϕ} if ap(e1 ) \ ap(e2 ) = {ϕ} otherwise

Moreover, if β 6∈ Frm then ap(e2 ) ⊆ ap(e1 ).

To prove (15) we proceed by induction on the derivation of η1 , e1 → η2 , e2 . There are the following cases (the omitted ones are straightforward): —case

E-Ev1.

Here η1 , α(r) → η1 α(r), ∗. Straightforward by α(r)♯ = α(r).

—case E-Beta. Here η, (λz x.e)v → η, e{v/x, λz x.e/z}. Since e♯1 = (λz x. e♯ )v ♯ , we have that: η¯1 , (λz x.e♯ )v ♯ → η¯1 , e♯ {v ♯ /x, λz x. e♯ /z} To conclude, observe that ap((λz x.e♯ )v ♯ ) = ∅ = ap(e♯ {v ♯ /x, λz x. e♯ /z}) because of the assumed transformation ι(e). ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

—case

E-Fr1.

·

App–45

Here we have that: η1 , e3 → η2 , e4

η2 |= ϕ

η1 , ϕ[e3 ] → η2 , ϕ[e4 ] where e1 = ϕ[e3 ] and e2 = ϕ[e4 ] 6= fail . There are two subcases. —If e3 = ι; e4 , then η2 = η1 , ϕ[e3 ]♯ = (λx. ]ϕ ; x)([ϕ ; e♯4 ), and ϕ[e4 ]♯ = (λx. ]ϕ ; x)e♯4 . Thus, by E-Ev1: η¯1 , (λx. ]ϕ ; x)([ϕ ; e♯4 ) → η¯1 [ϕ , (λx. ]ϕ ; x)e♯4 The thesis follows because: ap(ϕ[e4 ]) \ ap(ϕ[e3 ]) = (ap(e4 ) ∪ {ϕ}) \ ap(e4 ) = {ϕ} —Otherwise, ϕ[e3 ]♯ = (λx. ]ϕ ; x)e♯3 and ϕ[e4 ]♯ = (λx. ]ϕ ; x)e♯4 . By the induction hypothesis, η¯1 , e♯3 →∗ η¯1 β, e♯4 , where:  α(r) if η2 = η1 α(r)    [ if ap(e4 ) \ ap(e3 ) = {ϕ} ϕ β=  ]ϕ if ap(e3 ) \ ap(e4 ) = {ϕ}    ε otherwise Additionally, if β 6∈ Frm then ap(e4 ) ⊆ ap(e3 ). By repeated applications of E-App2, we obtain: η¯1 , (λx. ]ϕ ; x) e♯3 →∗ η¯1 β, (λx. ]ϕ ; x) e♯4 The thesis follows by ap(ϕ[e4 ]) = ap(e4 ) ∪ {ϕ} and ap(ϕ[e3 ]) = ap(e3 ) ∪ {ϕ}. —case E-Fr2. Here we have that η1 , ϕ[v] → η1 , v, where e1 = ϕ[v] and e2 = v. We have that e♯1 = (λx. ]ϕ ; x)v ♯ , e♯2 = v ♯ , and thus: η¯1 , (λx. ]ϕ ; x)v ♯ → η¯1 , ]ϕ ; v ♯ → η¯1 ]ϕ , v ♯ The thesis follows because ap(e1 ) \ ap(e2 ) = {ϕ}. —case E-Fr3. Here we have η1 , ϕ[e] → η2 , fail ϕ[e′ ] , with η1 , e → η2 , e′ and η2 6|= ϕ. Let η¯1 be such that η¯1 −[ ] = η1 and ap(ϕ[e]) ⊆ ap(η¯1 ). Since this implies ap(e) ⊆ ap(η¯1 ), it follows then by the induction hypothesis that η¯1 , e♯ →∗ η¯1 β, e′ ♯ , where:  α(r) if η2 = η1 α(r)    [ if ap(e′ ) \ ap(e) = {ϕ} ϕ β=  ]ϕ if ap(e) \ ap(e′ ) = {ϕ}    ε otherwise Additionally, if β 6∈ Frm then ap(e′ ) ⊆ ap(e). There are two subcases. —If e = ι; e′ , then η2 = η1 , and we have that:

η¯1 , ϕ[e]♯ = η¯1 , (λx. ]ϕ ; x)([ϕ ; e′ ♯ ) → η¯1 [ϕ , (λx. ]ϕ ; x)e′ ♯ = η¯1 [ϕ , (fail ϕ[e′ ] )♯ ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–46

·

Massimo Bartoletti et al.

To conclude, observe that the β given by the induction hypothesis is coherent with the statement, because: ap(fail ϕ[e′ ] ) \ ap(ϕ[ι; e′ ]) = ap(ϕ[e′ ]) \ ap(e′ ) = (ap(e′ ) ∪ {ϕ}) \ ap(e′ ) = {ϕ} —Otherwise, by repeated applications of

E-App2,

we obtain:

η¯1 , ϕ[e]♯ = η¯1 , (λx. ]ϕ ; x) e♯ →∗ η¯1 β, (λx. ]ϕ ; x)e′ ♯ = η¯1 β, (fail ϕ[e′ ] )♯ To conclude, observe that: ap(fail ϕ[e′ ] ) \ ap(ϕ[e]) = ap(ϕ[e′ ]) \ ap(ϕ[e]) = (ap(e′ ) ∪ {ϕ}) \ (ap(e) ∪ {ϕ}) = ap(e′ ) \ ap(e) Similarly, if β 6∈ Frm then by the induction hypothesis it follows that ap(fail ϕ[e′ ] ) ⊆ ap(ϕ[e]). We now exploit (15) to prove the main lemma. It is straightforward to prove that (η¯1 β)−[ ] = η2 and that ap(e2 ) ⊆ ap(η¯1 β). Therefore, we can repeatedly apply (15) to obtain η¯ such that η¯ −[ ] = η and ε, e♯0 →∗ η¯, e♯1 . We are then left to prove that if e1 = fail ϕ[e] then 6|= η¯. The last step of the failing computation has been deduced through E-Fr3: η ′ , e′ → η, e

η 6|= ϕ

η ′ , ϕ[e′ ] → η, fail ϕ[e] By (15), ap(¯ η ) ⊇ ap(fail ϕ[e] ) = {ϕ} ∪ ap(e). Therefore, |= η¯ requires that η¯−[ ] |= ϕ, but η¯−[ ] = η, and η 6|= ϕ by the preconditions of E-Fr3. The next lemma shows that the transformation ♯ preserves types and effects. Lemma C.14. If ∆ ⊢ e : ζ, then ∆ ⊢ e♯ : ζ. Proof. By induction on the depth of the proof of ∆ ⊢ e : ζ. The only interesting case is when the rule T-Fr has been applied. We have: ∆ ⊢ e : νN. τ  H ∆ ⊢ ϕ[e] : νN. τ  ϕ[H] By definition of ♯, ϕ[e]♯ = (λx. ]ϕ ; x)([ϕ ; e♯ ) = (λx. (λy. x) ]ϕ )((λz. e♯ ) [ϕ ). By the induction hypothesis, ∆ ⊢ e♯ : νN. τ H. We have the following typing derivations: ∆; x : τ ; y : 1 ⊢ x : τ  ε T-App T-Abs

∆ ⊢ ]ϕ : 1  ]ϕ

∆; x : τ ⊢ (λy. x) ]ϕ : τ  ]ϕ ∆ ⊢ λx. (λy. x) ]ϕ : τ → (τ  ]ϕ )  ε

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

D1

Local Policies for Resource Usage Analysis

·

App–47

∆ ⊢ e♯ : νN. τ  H T-AddVar

T-Abs T-App

From

T-App

∆; z : 1 ⊢ e♯ : νN. τ  H ∆ ⊢ (λz. e♯ ) : 1 − → (νN. τ  H)  ε

∆ ⊢ [ϕ : 1  [ϕ

∆ ⊢ (λz. e♯ ) [ϕ : νN. τ  [ϕ ·H

D2

with preconditions D1 and D2, we obtain:

∆ ⊢ (λx. (λy. x) ]ϕ )((λz. e♯ ) [ϕ ) : νN. τ  [ϕ ·H·]ϕ

The resulting type fulfils the lemma, because [ϕ ·H·]ϕ = ϕ[H].

C.3

A big-step semantics for λ[ ]

Definition C.15. Hereafter, we assume the operational semantics and the type system of Definition 3.6 and Definition 5.3 be extended with the following rules:

E-Bang

η, e → η !, !

T-Bang

∆⊢! :ζ

where the expression ! stands for an aborted computation. This allows us to prove a strong correspondence between the small-step and the big-step semantics (see Lemma C.19 below).

A history context is a finite representation of an infinite set of histories that only differ for the choice of fresh resources. For instance, the set of histories { α(r) | r ∈ Res } is represented by the context new x in α(x); •. Contexts composition is crucial for obtaining compositionality. Definition C.16. History contexts A history context C is inductively defined as follows: C ::= • | α(ξ); C | new x in C The free and the bound variables fv (C) and bv (C) of C are defined as expected. We write C[C ′ ] for C[C ′ [•]], also assuming the needed α-conversions of variables so to ensure bv (C) ∩ bv (C ′ ) = ∅. We specify in Definition C.17 our operational semantics of terms, in a big-step C style. Transitions have the form e =⇒ v, meaning that the term e evaluates to the value v, while producing a history denoted by C. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–48

·

Massimo Bartoletti et al.

Definition C.17. Big-step semantics of terms C

The big-step semantics of a term e is defined by the relation e =⇒ v, which is the least relation closed under the rules below. C eB(b) =⇒ v • • E-Val v =⇒ v E-Bang e =⇒ ! E-If C if b then ett else eff =⇒ v E-Ev

α(ξ); •

α(ξ) ====⇒ ∗

C

e =⇒ λz x. e′′

C′

E-New

e′ = =⇒ v ′

E-Beta

new x in •

new ======⇒ x C ′′

e′′ {v ′ /x, λz x. e′′ /z} ==⇒ v

C[C ′ [C ′′ ]]

e e′ ======⇒ v E-BetaBang1

C

e e′ =⇒ !

C′

C

C

e′ = =⇒ !

e =⇒ v

e =⇒ ! E-BetaBang2

C[C ′ ]

e e′ ====⇒ !

The rules (E-Val) and (E-Ev) are straightforward. The rule (E-Bang) aborts the evaluation of a term, so allowing us to observe the finite prefixes of its histories. For conditionals, the rule (E-If) assumes as given a total function B that evaluates the boolean guards. The rule (E-New) evaluates a new to a variable x, and records in the context new x in • that x may stand for any (fresh) resource. The last three rules are for β-reduction of an application e e′ . The rule (E-Beta) is used when both the evaluations of e and e′ terminate; (E-BetaBang1) is for when the evaluation of e has been aborted; (E-BetaBang2) is used when the evaluation e terminates while that of e′ has been aborted. Example C.1. Let e = (λy. α(y)) new . We have that: •

new x in •

λy. α(y) =⇒ λy. α(y)

new ======⇒ x

α(x);•

α(x) ====⇒ ∗

new x in α(x);•

e =========⇒ ∗ Consider now the following two recursive functions: f = λz x. (α; zx) g = λz x. new y in if b(x) then y else z∗ The function f fires the event α and recurs. The function g creates a new resource upon each loop; if it ever terminates, it returns the last resource created. For all k ≥ 0 and for all contexts C, let C k be inductively defined as C 0 = • and (α;•)k

C k+1 = C[C k ]. Then, for all k ≥ 0, we have that f ∗ ====⇒ ! , and, assuming b(x) (new w in •)k

(new w in •)k [new y in •]

non-deterministic, g∗ ========⇒ ! and g∗ ===============⇒ y. We now define the set of histories H(e) that a term e can produce at run-time. To this purpose, we exploit the auxiliary operator H(C, R), that constructs the set of histories denoted by the context C under the assumption that R is the set of available resources (Definition C.18). Note that all the histories in H(e) are “truncated” by a !. Looking at H(e), only, gives then no hint about the termination of e. However, this is not an issue, since our goal is not checking termination, but approximating all the possible histories a term can produce. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–49

Definition C.18. Run-time histories For each history context C such that fv (C) = ∅, for all R ⊆ Res, and for all terms e, we define H(C, R) and H(e) inductively as follows: H(•, R) = { !} H(α(r); C, R) = { !} ∪ { α(r)η | η ∈ H(C, R) } S H(new x in C, R) = { !} ∪ r6∈R { new(r)η | η ∈ H(C{r/x}, R ∪ {r}) } C

H(e) = { η ∈ H(C, ∅) | e =⇒ v }

Example C.2. Recall from Example C.1 the term e = (λy. α(y)) new . All the possible observations (i.e. the histories) of the runsSof e are represented by H(e) = S H(new x in α(x); •, ∅) = { !} ∪ r∈Res {new(r) !} ∪ r∈Res {new(r)α(r) !}. Lemma C.19. For all λ[ ] expressions e, e′ , values v, and histories η: ε, e♯ →∗ η, e′

=⇒

C

∃v, C : e♯ =⇒ v ∧ η! ∈ H(C, ∅)

Proof. The main statement is implied by the following inductive statement: η, e♯ →∗ ηη ′ , e′ =⇒ ( e′ ∃v, C : e♯ =⇒ v ∧ η ′ ! ∈ H(C, R(η)) ∧ v = !e′ C

if e′ ∈ Val otherwise

the proof of which is rather standard.The crucial point is proving by induction the following fact. η, e♯0 e♯1 →k η ′ , v =⇒ ∃η1 , η2 , k1 , k2 , k3 : k = k1 + k2 + k3 and η, e♯0 →k1 η1 , v1 ∧ η1 , e♯1 →k2 η2 , v2 ∧ η2 , v1 v2 →k3 η ′ , v the proof of which, again, is standard. Lemma C.20. Let ∆ ⊢ v : ζ, with v 6= ! . Then, there exist τ and H ⊒ ε such that ζ = τ  H and ∆ ⊢ v : τ  ε. Proof. By induction on the derivation of ∆ ⊢ v : ζ = νN.(τ H), written w.l.o.g. in νNF. There are the following cases on the last rule used: —T-Unit, T-Var, T-Abs. By definition. —T-AddVar. By straightforward induction on the derivation. —T-Wk. Here the derivation has the following form: .. . T-Wk

∆ ⊢ v : ζ′ ∆ ⊢ v : νN.(τ  H)

′

′

′

ζ ′ ⊑ νN.(τ  H)

′

Let ζ = νN . τ  H . By the induction hypothesis, N ′ = ∅ and ε ⊑ H ′ . By Lemma C.3, there are two subcases. If τ 6= {?}, it follows that N = ∅ and H ′ ⊑ H, which implies the thesis. If τ = {?}, then νN.H ′ ⊑ H. Remark 5.1 gives N = ∅, which concludes. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–50

·

Massimo Bartoletti et al.

We now establish a fundamental result about typing, upon which the proof of the Subject Reduction lemma is based. Roughly, given a history context C and a term e, it allows for constructing a type for C[e] from a type for e, and viceversa. The information needed to extend/reduce a type is contained in T (C, ∆), that extracts from C a set of binders, a history expression, and a type environment. Definition C.21. For each history context C and typing environment ∆, we inductively define T (C, ∆) as follows: T (•, ∆) = (ε, ∅) P T (α(ξ); C ′ , ∆) = ( ρ∈∆(ξ) α(ρ) · H ′ , ∆′ )

T (new x in C ′ , ∆) = (νn. new(n) · H ′ , ∆′ ; x : {n})

if T (C ′ , ∆) = (H ′ , ∆′ ) if T (C ′ , ∆; x : {n}) = (H ′ , ∆′ ), n 6∈ ∆

Hereafter, when writing T (C, ∆) = (νN. H, ∆′ ) we always assume N = fn(∆′ ). This is always possible by the equational theory of history expressions (Definition 4.7). Lemma C.22. Let T (C, ∆) = (νN. H, ∆′ ). Then, for all e and v 6= ! : (22a) (22b)

∆; ∆′ ⊢ e : ζ ′ =⇒ ∆ ⊢ C[e] : νN. H · ζ ′ ∆ ⊢ C[e] : ζ =⇒ ∃ζ ′ : ∆; ∆′ ⊢ e : ζ ′ ∧ ∧

(22c)

νN. H · ζ ′ ⊑ ζ fn(ζ ′ ) ⊆ N ∪ fn(ζ)

∧ fnt (ζ) ⊆ fnt (ζ ′ ) ∆ ⊢ C[v] : ζ =⇒ ∃τ : ∆; ∆′ ⊢ v : τ  ε ∧ νN. τ  H ⊑ ζ

Proof. We first prove (22a) and (22b) by induction on the structure of C. There are the following cases: —C = •. In this case ∆′ = ∅, N = ∅ and H = ε. Point (22a) is trivial; for point (22b) choosing ζ ′ = ζ suffices. P —C = α(ξ); C ′ . Hence, T (C, ∆) = ( ρ∈∆(ξ) α(ρ) · H ′ , ∆′ ), where T (C ′ , ∆) = ¯ ¯ .H. ¯ Then, N = N ¯ and H = P (H ′ , ∆′ ). Let H ′ = ν N ρ∈∆(ξ) α(ρ) · H. ′ ¯ · ζ ′ . We For (22a), by the induction hypothesis it follows that ∆ ⊢ C [e] : νN. H ′ then have the following typing derivation for C[e] = α(ξ); C [e] = (λy. C ′ [e]) α(ξ): ¯ · ζ′ ∆; y : 1 ⊢ C ′ [e] : νN. H ¯ · ζ ′ )  ε ∆ ⊢ α(ξ) : 1  P ∆ ⊢ λy. C ′ [e] : 1 → (νN. H ρ∈∆(ξ) α(ρ) P ¯ · ζ ′) ∆ ⊢ (λy. C ′ [e]) α(ξ) : ( ρ∈∆(ξ) α(ρ)) · (νN. H

The thesis follows from two further applications of T-Wk: P ¯ · ζ ′) ( ρ∈∆(ξ) α(ρ)) · (νN. H
P ¯ · ζ′ = νN. ( ρ∈∆(ξ) α(ρ)) · H since N ∩ fn(∆) = ∅ P ¯ = νN. H · ζ ′ since H = ρ∈∆(ξ) α(ρ)) · H

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–51

For (22b), any typing derivation for ∆ ⊢ C[e] : ζ has the following form, where we assume that all the types in the premises are in νNF: ∆; y : 1 ⊢ C ′ [e] : ζC ′

T-Wk

P ∆ ⊢ α(ξ) : 1  ρ∈∆(ξ) α(ρ) ∆ ⊢ λy. C ′ [e] : 1 → ζC ′  ε T-Wk T-Wk ∆ ⊢ λy. C ′ [e] : 1 → ζC ′  H0 ∆ ⊢ α(ξ) : 1  H1 ′ ∆ ⊢ (λy. C [e]) α(ξ) : H0 · H1 · ζC ′ ∆ ⊢ (λy. C ′ [e]) α(ξ) : ζ

Let ζ¯ = H0 · P H1 · ζC ′ . By the three weakenings in the derivation, we have ζ¯ ⊑ ζ, ε ⊑ H0 , and ρ∈∆(ξ) α(ρ) ⊑ H1 . Without loss of generality we choose N 6 ∩ fn(∆). ¯ and U ⊆ fn(ζ) ¯ \ fn(ζ) such that: By Lemma C.11, there exist M ⊆ fnt (ζ) \ fnt (ζ) ¯ ⊑ζ ζ¯ ⊑ WM,U (ζ) ¯ ⊆ fn(ζ) fn(WM,U (ζ)) t ¯ fn (ζ) ⊆ fnt (WM,U (ζ))

(16) (17) (18)

¯. Without loss of generality, we can assume M, U 6 ∩ N By the induction hypothesis, there exists ζ¯′ such that: (20) (21)

∆; ∆′ ⊢ e : ζ¯′ ¯. H ¯ · ζ¯′ ⊑ ζC ′ νN ′ ¯ ∪ fn(ζC ′ ) fn(ζ¯ ) ⊆ N

(22)

fnt (ζC ′ ) ⊆ fnt (ζ¯′ )

(19)

We now prove the following two facts: ¯ = (fn(ζ) ¯ ∪ M) \ U fn(WM,U (ζ)) fnt (WM,U (ζ¯′ )) = (fnt (ζ¯′ ) ∪ M ) \ U

(23) (24)

If M = ∅, then Lemma C.9 implies both the equations. Otherwise, ∅ = 6 M ⊆ ¯ and so t(ζ) = S and t(ζ) ¯ = S¯ for some S¯ ⊆ S 6= {?}. Then, fnt (ζ) \ fnt (ζ), ¯. H ¯ · ζ¯′ ⊑ ζC ′ , and so Lemma C.9 implies (23). For (24), by (20) we have that ν N ¯ 6= {?}, then t(ζ¯′ ) 6= {?}. Therefore, the equation (24) follows since t(ζC ′ ) = t(ζ) by Lemma C.9. Let ζ ′ = WM,U (ζ¯′ ). We have that: P ¯ · ζ′ νN. H · ζ ′ = νN. ( ρ∈∆(ξ) α(ρ)) · H P ¯ · ζ′ by N 6 ∩ fn(∆) = ( ρ∈∆(ξ) α(ρ)) · νN. H P ¯ · ζ′ ⊑ H1 · νN. H by ρ∈∆(ξ) α(ρ) ⊑ H1 ¯ · ζ′ ⊑ H0 · H1 · νN. H by ε ⊑ H0 ′ ¯ ¯ = H0 · H1 · νN. H · WM,U (ζ ) ¯ · ζ¯′ ) ⊑ WM,U (H0 · H1 · νN. H ⊑ WM,U (H0 · H1 · ζC ′ )

by Lemma 10b by (20) + Lemma 10a

⊑ζ

by (16)

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–52

Massimo Bartoletti et al.

Also, we have that: fn(ζ ′ ) = fn(WM,U (ζ¯′ )) ⊆ (fn(ζ¯′ ) ∪ M ) \ U

by Definition C.8 by (21)

¯ ∪ fn(ζC ′ ) ∪ M ) \ U ⊆ (N ¯ ∪ M) \ U ¯ ∪ fn(ζ) ⊆ (N ¯ ∪ M) \ U ¯ ∪ (fn(ζ) =N ¯ ¯ ∪ fn(WM,U (ζ)) =N

¯ 6∩ U by N by (23)

⊆ N ∪ fn(ζ)

by (17)

Finally, we have that: fnt (ζ) ⊆ fnt (WM,U (H0 · H1 · ζC ′ ))

by (18)

t

= fn (WM,U (ζC ′ )) ⊆ (fnt (ζC ′ ) ∪ M ) \ U ⊆ (fnt (ζ¯′ ) ∪ M ) \ U ¯′

t

= fn (WM,U (ζ )) t

by (22) by (24)

′

= fn (ζ ) —C = new x in C ′ . In this case T (C, ∆) = (νn. new(n) · H ′ , ∆′ ), where ∆′ = ∆′′ ; x : {n} for some ∆′′ such that T (C ′ , ∆; x : {n}) = (H ′ , ∆′′ ) and n 6∈ ∆. Let ¯ . H. ¯ Then, N = N ¯ ∪ {n}, and H = new(n) · H. ¯ H′ = νN ¯. H ¯· For (22a), by the induction hypothesis it follows that ∆; x : {n} ⊢ C ′ [e] : ν N ζ ′ . We then have the following typing derivation for C[e] = new x in C ′ [e] = (λx. C ′ [e]) new : ¯. H ¯ · ζ′ ∆; x : {n} ⊢ C ′ [e] : ν N T-App

¯. H ¯ · ζ ′)  ε ∆ ⊢ λx. C ′ [e] : {n} → (ν N

∆ ⊢ new : νn. {n}  new(n) ¯. H ¯ · ζ ′) ∆ ⊢ (λx. C [e]) new : νn. new(n) · (ν N ′

To conclude, just note that: ¯. H ¯ · ζ ′ ) = ν{n} ∪ N ¯ . new(n) · H ¯ · ζ ′ = νN. H · ζ ′ νn. new(n) · (ν N For (22b), any typing derivation for ∆ ⊢ C[e] : ζ has the following form: ∆; x : R ⊢ C ′ [e] : ζC ′ T-Wk T-App T-Wk

∆ ⊢ λx. C ′ [e] : R → ζC ′  ε ∆ ⊢ new : νm. {m}  new(m) T-Wk ′ ¯ . R  H1 ′ ∆ ⊢ λx. C [e] : R → ζC  H0 ∆ ⊢ new : ν M ′ ¯ . H0 · H1 · ζC ′ ∆ ⊢ (λx. C [e]) new : ν M ∆ ⊢ (λx. C ′ [e]) new : ζ

¯ . H0 · H1 · ζC ′ . Then, by the three weakenings in the derivation we Let ζ¯ = ν M ¯ ¯ . R  H1 . We assume have that ζ ⊑ ζ, ε ⊑ H0 , and νm. {m}  new(m) ⊑ ν M ¯ that the types in the premises are in νNF (thus, M = R ∩ Nam). Also, by the ¯ 6 ∩ fn(∆). side conditions of T-App, M ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–53

¯ U ⊆ fn(ζ) ¯ \ fn(ζ) such that: By Lemma C.11, there exist M ⊆ fnt (ζ) \ fnt (ζ),

(26)

¯ ⊑ζ ζ¯ ⊑ WM,U (ζ) ¯ ⊆ fn(ζ) fn(WM,U (ζ))

(27)

¯ fnt (ζ) ⊆ fnt (WM,U (ζ))

(25)

¯ ). Without loss of generality, we can assume M, U 6 ∩ (N ∪ M ¯ . R  H1 : By Lemma C.3 used on the premise νm. {m}  new(m) ⊑ ν M (28)

¯ : {m}σ ⊑ R ∧ new(m)σ ⊑ H1 ∃σ : {m} ↔ M

¯ = {m} Since σ is a bijection, then M ¯ for some name m. ¯ Without loss of generality, we can suitably choose the fresh names in T (C, ∆) and in the rule T-New to be such that: (29)

¯ ∪ {m} ∪ fn(ζC ′ )) N 6 ∩ (M

¯ m 6∈ fn(∆) ∪ fn(ζC ′ ) ∪ M

There are now two cases, depending on whether R 6= {?} or R = {?}. C.3.0.2 Case R 6= {?}. Since the above derivation does not depend on the choice of n, without loss of generality we assume n 6∈ fn(ζC ′ ). By Lemma 5b used on the premise ∆; x : R ⊢ C ′ [e] : ζC ′ , it follows that: ∆; x : R{n/m} ¯ ⊢ C ′ [e] : ζC ′ {n/m} ¯ Then, by Lemma 5d: ∆; x : R{n/m} ¯ ∩ Nam ⊢ C ′ [e] : ζC ′ {n/m} ¯ ¯ ⊆ R, then: Since set types contain at most one name, and m ¯ ∈ R by M ¯ ∆; x : {n} ⊢ C ′ [e] : ζC ′ {n/m} By the induction hypothesis, there exists ζ¯′ such that:

(32)

∆; ∆′′ ; x : {n} ⊢ e : ζ¯′ ¯. H ¯ · ζ¯′ ⊑ ζC ′ {n/m} νN ¯ ′ ¯ ¯ ′ ¯ fn(ζ ) ⊆ N ∪ fn(ζC {n/m})

(33)

¯ ⊆ fnt (ζ¯′ ) fnt (ζC ′ {n/m})

(30) (31)

Let σ ′ = {m/n} (so, σ ◦ σ ′ = {m/n}). ¯ We now prove the following facts:

(37)

¯ .H ¯ · ζ¯′ )) {m}6 ∩ fn(new(n) · (ν N ¯ .H ¯ · ζ¯′ )σ ′ ) {m}6 ¯ ∩ fn(new(m) · (ν N ¯. H ¯ · ζ¯′ ){m/n})) {m}6 ¯ ∩ (fnt (ζC ′ ) \ fnt ((ν N ¯ ¯ ¯ fn(WM,U (ζ)) = (fn(ζ) ∪ M ) \ U

(38)

fnt (WM,U (ζ¯′ )) = (fnt (ζ¯′ ) ∪ M ) \ U

(34) (35) (36)

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–54

·

Massimo Bartoletti et al.

To prove (34), we have that: ¯ .H ¯ · ζ¯′ )) {m} ∩ fn(new(n) · (ν N ¯ .H ¯ · ζ¯′ )) = {m} ∩ fn((ν N ¯ )) = {m} ∩ (fn(∆; x : {n}) ∪ (fn(ζ¯′ ) \ N ′ ¯ ¯ = {m} ∩ (fn(ζ ) \ N )

by (29) by Definition C.21 by (29)

¯) ¯ ∪ fn(ζC ′ {n/m})) ¯ \N ⊆ {m} ∩ ((N ⊆ {m} ∩ (fn(ζC ′ ) ∪ {n})

by (32)

=∅

by (29)

To prove (35), we have that: ¯ .H ¯ · ζ¯′ )σ ′ ) {m} ¯ ∩ fn(new(m) · (ν N ¯ .H ¯ · ζ¯′ )σ ′ ) = {m} ¯ ∩ fn((ν N ¯ · ζ¯′ )σ ′ \ N ¯) = {m} ¯ ∩ (fn(H ′ ¯ · ζ¯ ) \ {n}) ∪ {m}) \ N ¯) ⊆ {m} ¯ ∩ (((fn(H ′ ¯ ¯ ⊆ {m} ¯ ∩ ((N ∪ fn(∆) ∪ {n}) ∪ fn(ζ ) \ {n})

by Definition σ ′ by Definition C.21 and (29)

⊆ {m} ¯ ∩ fn(ζ¯′ ) ¯ ∪ fn(ζC ′ {n/m}) ⊆ {m} ¯ ∩ (N ¯

by (29) by (32)

¯ ∪ {n}) ⊆ {m} ¯ ∩ ((fn(ζC ′ ) \ {m}) =∅

by (29) by (29)

by (29) ¯ σ′ = N ¯ by N

To prove (36), we have that: ¯. H ¯ · ζ¯′ ){m/n})) {m} ¯ ∩ (fnt (ζC ′ ) \ fnt ((ν N ¯ t t ¯′ ¯ = {m} ¯ ∩ (fn (ζC ′ ) \ (fn (ζ ) \ N ){m/n}) ¯ ¯ )) = {m} ¯ ∩ (fnt (ζC ′ ) \ (fnt (ζ¯′ {m/n}) ¯ \N = {m} ¯ ∩ (fnt (ζC ′ ) \ fnt (ζ¯′ {m/n})) ¯ t

t

t

t

⊆ {m} ¯ ∩ (fn (ζC ′ ) \ fn (ζC ′ {n/m}{ ¯ m/n})) ¯

by (29) by (33)

= {m} ¯ ∩ (fn (ζC ′ ) \ fn (ζC ′ )) =∅ For (37) and (38), if M = ∅, then Lemma C.9 implies both the equations. ¯ and so t(ζ) = S and t(ζ) ¯ = S¯ for some Otherwise, ∅ = 6 M ⊆ fnt (ζ) \ fnt (ζ), S¯ ⊆ S 6= {?}. Then, Lemma C.9 implies (37). For (38), by (31) we have that ¯ 6= {?}, then t(ζ¯′ ) 6= {?}. ¯. H ¯ · ζ¯′ ⊑ ζC ′ {n/m}, νN ¯ and so since t(ζC ′ ) = t(ζ) Therefore, the equation (38) follows by Lemma C.9. Let ζ ′ = WM,U (ζ¯′ ). We have the following subtyping relation (below we silently ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

use Lemma 10a in every weakening step under the WM,U ): νN. H · ζ ′ ⊑ WM,U (νN. H · ζ¯′ ) ¯ . new(n) · H ¯ · ζ¯′ ) = WM,U (ν{n} ∪ N ¯. H ¯ · ζ¯′ )) = WM,U (νn. new(n) · (ν N ¯. H ¯ · ζ¯′ )σ ′ ) ⊑ WM,U (νnσ ′ . new(n)σ ′ · (ν N ¯. H ¯ · ζ¯′ )σ ′ ) = WM,U (νm. new(m) · (ν N

·

App–55

by Lemma 10b ¯ by n 6∈ N by (34)

¯. H ¯ · ζ¯′ )(σ ◦ σ ′ )) ⊑ WM,U (νmσ. new(m)σ · (ν N ¯. H ¯ · ζ¯′ ){m/n}) = WM,U (ν m. ¯ new(m)σ · (ν N ¯ ′ ¯ ¯ ¯ ⊑ WM,U (ν m. ¯ H1 · (ν N . H · ζ ){m/n}) ¯

by (35) by (28)

¯. H ¯ · ζ¯′ ⊑ ζC ′ {n/m}. ¯. H ¯ · by (31), ν N ¯ Then, by Lemma 5b, it follows that (ν N ′ ζ¯ ){m/n} ¯ ⊑ ζC ′ . By (36), we can then apply Lemma 7b, and so: ⊑ WM,U (ν m. ¯ H1 · ζC ′ ) ¯ . H0 · H1 · ζC ′ ) ⊑ WM,U (ν M

by ε ⊑ H0

⊑ζ

by (25)

Also, we have that: fn(ζ ′ ) = fn(WM,U (ζ¯′ )) ⊆ (fn(ζ¯′ ) ∪ M ) \ U ¯ ∪ fn(ζC ′ {n/m}) ¯ ∪ M) \ U ⊆ (N ¯ ′ ⊆ (N ∪ (fn(ζC ) \ {m}) ¯ ∪ {n} ∪ M ) \ U

by Definition C.8 by (32)

¯ ∪ M) \ U = (N ∪ (fn(ζC ′ ) \ {m}) = N ∪ (((fn(ζC ′ ) \ {m}) ¯ ∪ M) \ U) ¯ ⊆ N ∪ ((fn(ζ) ∪ M ) \ U )

¯ ∪ {n} by N = N by N 6 ∩ U by ζ¯ = ν m. ¯ H0 · H1 · ζC ′

¯ = N ∪ fn(WM,U (ζ)) ⊆ N ∪ fn(ζ)

by (37) by (26)

Finally, we have that: ¯ fnt (ζ) ⊆ fnt (WM,U (ζ)) ¯ . H0 · H1 · ζC ′ ) ∪ M ) \ U ⊆ (fnt (ν M

by (27) by Definition C.8

¯ ) ∪ M) \ U = ((fn (ζC ′ ) \ M t

⊆ (fnt (ζC ′ {n/m}) ¯ ∪ M) \ U t ¯′ ⊆ (fn (ζ ) ∪ M ) \ U

by (33)

¯′

by (38)

t

= fn (WM,U (ζ )) t

′

= fn (ζ ) ¯ = ∅ and νn.new(n) ⊑ H1 . Without C.3.0.3 Case R = {?}. By Lemma C.3, M loss of generality, we can assume N 6 ∩ fn(ζC ′ ). By Lemma 5f applied to ∆; x : {?} ⊢ C ′ [e] : ζC ′ , it follows that: (39)

∆; x : {n} ⊢ C ′ [e] : ζC ′ ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–56

·

Massimo Bartoletti et al.

By the induction hypothesis, there exists ζ¯′ such that:

(42)

∆; ∆′′ ; x : {n} ⊢ e : ζ¯′ ¯. H ¯ · ζ¯′ ⊑ ζC ′ νN ′ ¯ ∪ fn(ζC ′ ) fn(ζ¯ ) ⊆ N

(43)

fnt (ζC ′ ) ⊆ fnt (ζ¯′ )

(40) (41)

Therefore: ¯ ). new(n) · H ¯ · ζ¯′ νN. H · ζ¯′ = ν({n} ∪ N ¯. H ¯ · ζ¯′ ) = νn. new(n) · (ν N

¯ by n 6∈ N

¯. H ¯ · ζ¯′ )). Therefore, by N 6 ∩ fn(ζC ′ ) and (43), it follows that {n}6 ∩ (fnt (ζC ′ )\fnt (ν N by (41) and Lemma 7b, it follows that: ⊑ νn. new(n) · ζC ′ = (νn. new(n)) · ζC ′

by n 6∈ fn(ζC ′ )

⊑ H1 · ζC ′ ⊑ H0 · H1 · ζC ′ ¯ . H0 · H1 · ζC ′ = νM

by by by

νn. new(n) ⊑ H1 ε ⊑ H0 ¯ =∅ M

Also, we have that: ¯ ∪ fn(ζC ′ ) fn(ζ¯′ ) ⊆ N ⊆ N ∪ fn(H0 · H1 · ζC ′ ) = N ∪ fn(ζ)

by (42) ¯ ∪ {n} by N = N ¯ =∅ by M

Finally, we have that: fnt (ζ) = fnt (H0 · H1 · ζC ′ ) = fnt (ζC ′ ) ⊆ fnt (ζ¯′ )

by (43)

To prove (22c), let ∆ ⊢ C[v] : ζ with v 6= !e. By (22b), there exists ζ¯′ such that ∆; ∆′ ⊢ v : ζ¯′ and νN. H · ζ¯′ ⊑ ζ. By Lemma C.20, there exists τ and H ′ ⊒ ε such that ζ¯′ = τ  H ′ and ∆; ∆′ ⊢ v : τ  ε. To conclude, note that: νN.τ  H ⊑ νN.τ  H · H ′ = νN.H · ζ¯′ ⊑ ζ

C.4

Subject reduction

We state below the Subject Reduction Lemma, that will be crucial for proving our type and effect system correct. We state it in the traditional form where the type is preserved under computations. This was made possible by the big-step semantics of terms, where all the information about the generated histories is kept in a history context. Note instead this were not the case for a small-step operational semantics, like the one in Sect. 3, where histories grow along with computations. This would require Subject Reduction to “consume” the target type, to render the events fired, ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–57

and the resources created, in execution steps. Not preserving the type would make the inductive statement difficult to write and (even more difficult) to prove. C

Lemma C.23 Subject Reduction. If ∆ ⊢ e : ζ and e =⇒ v, then ∆ ⊢ C[v] : ζ. C

Proof. By induction on the size of derivation of e =⇒ v. There are the following exhaustive cases. —B-Val. Trivial. —B-Bang. The thesis follows directly from the rule T-Bang. —B-If. Straightfoward application of the induction hypothesis. —B-Ev. Here we have e = α(ξ), C = α(ξ); •, and v = ∗. Any typing derivation for α(ξ) has the following form: T-Ev

∆ ⊢ α(ξ) : 1 

T-Wk

P

ρ∈∆(ξ)

α(ρ) P

ρ∈∆(ξ)

∆ ⊢ α(ξ) : 1  H

α(ρ) ⊑ H

Thus, we have the following typing derivation for C[v] = (λy. ∗) α(ξ): ∆; y : 1 ⊢ ∗ : 1  ε T-Abs T-App

∆ ⊢ λy. ∗ : 1 → (1  ε)  ε

∆ ⊢ α(ξ) : 1  H

∆ ⊢ (λy. ∗) α(ξ) : H · (1  ε) The thesis follows from H · (1  ε) = 1  H. —B-New. Here we have e = new , C = new x in •, and v = x. Any typing derivation for new has the following form: T-New T-Wk

∆ ⊢ new : νn. {n}  new(n) ∆ ⊢ new : νM. R  H

where νn. {n}  new(n) ⊑ νM. R  H. Thus, we have the following typing derivation for C[v] = new x in x = (λx. x) new : ∆; x : R ⊢ x : R  ε T-Abs T-App

∆ ⊢ λx. x : R → (R  ε)  ε

∆ ⊢ new : νM. R  H

∆ ⊢ (λx. x) new : νM. H · (R  ε) The thesis follows from νM. H · (R  ε) = νM. R  H. —B-Beta. Here we have e = e0 e1 , and: C

0 =⇒ λz x. e′0 e0 =

C

1 =⇒ v1 e1 =

C

2 =⇒ v e′0 {v1 /x, λz x. e′0 /z} =

C0 [C1 [C2 ]]

e0 e1 =======⇒ v with bv (C0 ), bv (C1 ), bv (C2 ) pairwise disjoint. By ∆ ⊢ e0 : νN0 . (τ0 → ζ0 )  H0

T-App,

we have that:

∆ ⊢ e1 : νN1 . τ0  H1

∆ ⊢ e0 e1 : ν(N0 ∪ N1 ). H0 · H1 · ζ0 ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–58

·

Massimo Bartoletti et al.

with N0 6 ∩ N1 , N0 6 ∩ fn(∆), N1 6 ∩ fn(∆), N0 6 ∩ fn(H1 ), and by Remark 5.1 we assume both νN0 . (τ0 → ζ0 )H0 and νN1 . τ0 H1 be in νNF. By the induction hypothesis applied to the first two premises of B-Beta: (44)

∆ ⊢ C0 [λz x. e′0 ] : νN0 . (τ0 → ζ0 )  H0

(45)

∆ ⊢ C1 [v1 ] : νN1 . τ0  H1

¯0 . τ¯0  H ¯ 0 , where we choose N ¯0 such that: Let ζ0 = ν N (46)

¯0 6 ∩ (fn(∆) ∪ N0 ∪ N1 ∪ fn(H0 ) ∪ fn(H1 )) N

Let T (C0 , ∆) = (νN0′ .H0′ , ∆0 ), let T (C1 , ∆) = (νN1′ .H1′ , ∆1 ), where we choose N0′ and N1′ such that: (47)

¯0 ∪ fn(∆, τ¯0 , τ0 , H¯0 , H1 )) (N0′ ∪ N1′ )6 ∩ (N1 ∪ N

N0′ 6 ∩ N1′

Then, from (44) and Lemma 22c, there exists τ0′ such that: (48)

∆; ∆0 ⊢ λz x. e′0 : τ0′  ε

(49)

νN0′ . τ0′  H0′ ⊑ νN0 . (τ0 → ζ0 )  H0

From (45) and Lemma 22c, there exists τ1′ such that: ∆; ∆1 ⊢ v1 : τ1′  ε νN1′ . τ1′  H1′ ⊑ νN1 . τ0  H1

(50) (51)

By Remark 5.1, we have the following νNFs: (52)

νN0′ .τ0′  H0′ = ν Nˆ0 .τ0′  (ν Nˇ0 .H0′ )

(53)

νN1′ .τ1′  H1′ = ν Nˆ1 .τ1′  (ν Nˇ1 .H1′ )

Nˆ0 = N0′ ∩ fn(τ0′ ) Nˇ0 = N0′ \ fn(τ0′ ) Nˆ1 = N1′ ∩ fn(τ1′ ) Nˇ1 = N1′ \ fn(τ1′ )

Hence, by (49) and (51) it follows that: (54) (55)

ν Nˆ0 .τ0′  (ν Nˇ0 .H0′ ) ⊑ νN0 . (τ0 → ζ0 )  H0 ν Nˆ1 .τ1′  (ν Nˇ1 .H1′ ) ⊑ νN1 . τ0  H1

By Lemma C.3 on (54): (56)

∃σ0 : Nˆ0 ↔ N0 : τ0′ σ0 ⊑ τ0 → ζ0 ∧ (ν Nˇ0 .H0′ )σ0 ⊑ H0

By Lemma C.3 on (55), there are two cases, i.e. either τ0 6= {?} or τ0 = {?}. C.4.0.4 (57)

Case τ0 6= {?}. Then, by Lemma C.3 on (55): ∃σ1 : Nˆ1 ↔ N1 : τ1′ σ1 ⊑ τ0 ∧ (ν Nˇ1 .H1′ )σ1 ⊑ H1

By Lemma 5b on (48) and on (50): (58) (59)

(∆; ∆0 )σ0 ⊢ λz x. e′0 : τ0′ σ0  ε (∆; ∆1 )σ1 ⊢ v1 : τ1′ σ1  ε

By (47), ∆σ0 = ∆σ1 = ∆. By rule

T-Wk,

we have that:

∆; ∆0 σ0 ⊢ λz x. e′0 : τ0 → ζ0  ε ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–59

Inverting the derivation that led to the previous judgement, we obtain: (60)

∆; ∆0 σ0 ; x : τ0 ; z : τ0 → ζ0 ⊢ e′0 : ζ0

Also, by (57), (59) and (61)

T-Wk,

we have that: ∆; ∆1 σ1 ⊢ v1 : τ0  ε

Since by Definition C.21 bv (C0 ) = dom(∆0 ), bv (C1 ) = dom(∆1 ), and bv (C0 )6 ∩ bv (C1 ), then dom(∆0 )6 ∩ dom(∆1 ). Therefore, we can use T-AddVar on the premise of (60) and on (61) to obtain the judgements: ∆; ∆0 σ0 ; ∆1 σ1 ; z : τ0 → ζ0 ; x : τ0 ⊢ e′0 : ζ0 ∆; ∆0 σ0 ; ∆1 σ1 ; z : τ0 → ζ0 ⊢ v1 : τ0  ε From the above typing judgements, Lemma 5a gives: ∆; ∆0 σ0 ; ∆1 σ1 ; z : τ0 → ζ0 ⊢ e′0 {v ′ /x} : ζ0 By

T-AddVar

used on the judgment (58), we obtain: ∆; ∆0 σ0 ; ∆1 σ1 ⊢ λz x. e′0 : (τ0 → ζ0 )  ε

Therefore, a further application of Lemma 5a gives: ∆; ∆0 σ0 ; ∆1 σ1 ⊢ e′0 {v ′ /x, λz x. e′0 /z} : ζ0 C

2 =⇒ We can thus apply again the induction hypothesis on the third premise e′0 {v1 /x, λz x. e′0 /z} = v of B-Beta, and obtain:

(62)

∆; ∆0 σ0 ; ∆1 σ1 ⊢ C2 [v] : ζ0

By Definition C.21, applying σ0 and σ1 to T (C0 , ∆) and T (C1 , ∆; ∆0 σ0 ) gives: (63) (64)

T (C0 , ∆) = (νN0′ σ0 .H0′ σ0 , ∆0 σ0 ) T (C1 , ∆; ∆0 σ0 ) = (νN1′ σ1 .H1′ σ1 , ∆1 σ1 )

From (64) and (62), Lemma 22a yields: ∆; ∆0 σ0 ⊢ C1 [C2 [v]] : νN1′ σ1 . H1′ σ1 · ζ0 By the above and (63), a further application of Lemma 22a yields: (65)

∆ ⊢ C0 [C1 [C2 [v]]] : νN0′ σ0 . H0′ σ0 · (νN1′ σ1 . H1′ σ1 · ζ0 )

Note that by Definition C.21, fn(H1′ ) ⊆ fn(∆) ∪ N1′ , and so by (53) and (57) it follows that fn(H1′ )σ1 ⊆ fn(∆) ∪ N1 ∪ Nˇ1 . Then, by (46) and (47): (66)

¯0 6 ∩ fn(H ′ σ1 ) N 1

Similarly, fn(H0′ ) ⊆ fn(∆)∪N0′ , and so by (52) and (56) it follows that fn(H0′ )σ0 ⊆ fn(∆) ∪ N0 ∪ Nˇ0 . Then, by (46), (47) and by N1 6 ∩ N0 : (67) (68)

¯0 )6 ∩ fn(H ′ σ0 ) (N1 ∪ N 0 ¯0 6 ∩ (fn(H0′ σ0 ) ∪ fn(H1 )) N ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–60

·

Massimo Bartoletti et al.

Therefore, we have that: νN0′ σ0 . H0′ σ0 · (νN1′ σ1 . H1′ σ1 · ζ0 ) = ν(Nˆ0 ∪ Nˇ0 )σ0 . H0′ σ0 · (ν(Nˆ1 ∪ Nˇ1 )σ1 . H1′ σ1 · (ν N¯0 . τ¯0  H¯0 )) = ν(Nˆ0 ∪ Nˇ0 )σ0 . H0′ σ0 · (ν((Nˆ1 ∪ Nˇ1 )σ1 ∪ N¯0 ). τ¯0  H1′ σ1 · H¯0 ) = ν(N0 ∪ Nˇ0 ). H0′ σ0 · (ν(Nˆ1 σ1 ∪ Nˇ1 σ1 ∪ N¯0 ). τ¯0  H1′ σ1 · H¯0 ) = ν(N0 ∪ Nˇ0 ). H0′ σ0 · (ν(N1 ∪ Nˇ1 ∪ N¯0 ). τ¯0  H1′ σ1 · H¯0 ) = ν(N0 ∪ Nˇ0 ). H ′ σ0 · (ν(N1 ∪ N¯0 ). τ¯0  (ν Nˇ1 .H ′ )σ1 · H¯0 ) 0 Nˇ0 ). H0′ σ0

by (56) by (57) by (47)

1

· (ν(N1 ∪ N¯0 ). τ¯0  H1 · H¯0 ) = ν(N0 ∪ Nˇ0 ∪ N1 ∪ N¯0 ). τ¯0  H0′ σ0 · H1 · H¯0 ⊑ ν(N0 ∪

by (66)

by (57) by (67)

(ν Nˇ0 .H0′ )σ0

= ν(N0 ∪ N1 ∪ N¯0 ). τ¯0  · H1 · H¯0 ¯ ¯ ⊑ ν(N0 ∪ N1 ∪ N0 ). τ¯0  H0 · H1 · H0

by (47) by (56) by (46)

= ν(N0 ∪ N1 ). H0 · H1 · ζ0

Applying the above weakening to the type obtained in (65) concludes. C.4.0.5

Case τ0 = {?}. Lemma C.3 gives: N1 = ∅

(69) So, by

T-Wk

(70)

τ1′ ⊑ τ0

νN1′ . H1′ ⊑ H1

on (50), we have that: ∆; ∆1 ⊢ v1 : τ0  ε

Since by Definition C.21 bv (C0 ) = dom(∆0 ), bv (C1 ) = dom(∆1 ), and bv (C0 )6 ∩ bv (C1 ), then dom(∆0 )6 ∩ dom(∆1 ). Therefore, we can use T-AddVar on the premise of (60) and on (70) to obtain the judgements: ∆; ∆0 σ0 ; ∆1 ; z : τ0 → ζ0 ; x : τ0 ⊢ e′0 : ζ0 ∆; ∆0 σ0 ; ∆1 ; z : τ0 → ζ0 ⊢ v1 : τ0  ε From the above typing judgements, Lemma 5a gives: ∆; ∆0 σ0 ; ∆1 ; z : τ0 → ζ0 ⊢ e′0 {v ′ /x} : ζ0 By

T-AddVar

used on the judgment (48), we obtain: ∆; ∆0 σ0 ; ∆1 ⊢ λz x. e′0 : (τ0 → ζ0 )  ε

Therefore, a further application of Lemma 5a gives: ∆; ∆0 σ0 ; ∆1 ⊢ e′0 {v ′ /x, λz x. e′0 /z} : ζ0 C

2 =⇒ v of By the induction hypothesis on the premise e′0 {v1 /x, λz x. e′0 /z} = we obtain:

(71)

∆; ∆0 σ0 ; ∆1 ⊢ C2 [v] : ζ0

From T (C1 , ∆; ∆0 σ0 ) = (νN1′ .H1′ , ∆1 ) and (71), Lemma 22a yields: ∆; ∆0 σ0 ⊢ C1 [C2 [v]] : νN1′ . H1′ · ζ0 ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

B-Beta,

Local Policies for Resource Usage Analysis

·

App–61

By the above and (63), a further application of Lemma 22a yields: ∆ ⊢ C0 [C1 [C2 [v]]] : νN0′ σ0 . H0′ σ0 · (νN1′ . H1′ · ζ0 )

(72)

Therefore, we have that: νN0′ σ0 . H0′ σ0 · (νN1′ . H1′ · ζ0 ) = νN0′ σ0 . H0′ σ0 · ((νN1′ . H1′ ) · ζ0 ) ⊑ νN0′ σ0 . H0′ σ0 · H1 · ζ0 = ν(Nˆ0 ∪ Nˇ0 )σ0 . H0′ σ0 · H1 · ζ0 = ν((Nˆ0 ∪ Nˇ0 )σ0 ∪ N¯0 ). τ¯0  H0′ σ0 · H1 · H¯0 = ν(N0 ∪

Nˇ0 ∪ N¯0 ). τ¯0  H0′ σ0 · N¯0 ). τ¯0  (ν Nˇ0 .H0′ )σ0

H1 · H¯0 · H1 · H¯0

by (47) by (69) by (52) by (68) by (56)

= ν(N0 ∪ ⊑ ν(N0 ∪ N¯0 ). τ¯0  H0 · H1 · H¯0 = ν(N0 ∪ N1 ∪ N¯0 ). τ¯0  H0 · H1 · H¯0

by (56) by (69)

= ν(N0 ∪ N1 ). H0 · H1 · ζ0

by (46)

by (47)

Applying the above weakening to the type obtained in (72) concludes. —B-BetaBang1. Here we have e = e0 e1 , and: C

e0 =⇒ ! C

e0 e1 =⇒ ! By the rule (73)

T-App,

we have that:

∆ ⊢ e0 : νN0 . (τ0 → ζ0 )  H0

∆ ⊢ e1 : νN1 . τ0  H1

∆ ⊢ e0 e1 : ν(N0 ∪ N1 ). H0 · H1 · ζ0

with N0 6 ∩ N1 , N0 6 ∩ fn(∆), N1 6 ∩ fn(∆), N0 6 ∩ fn(H1 ), and we assume the types in the premise are in νNF. By the induction hypothesis: (74)

∆ ⊢ C[! ] : νN0 . (τ0 → ζ0 )  H0

Let T (C, ∆) = (νN ′ .H ′ , ∆′ ), where we choose N ′ such that: N ′ 6 ∩ (fn(∆) ∪ fn(H1 ) ∪ fn(ζ0 ) ∪ N0 ) By Lemma 22b, there exists ζ¯ such that: (76) νN ′ . H ′ · ζ¯ ⊑ νN0 . (τ0 → ζ0 )  H0 ¯ . τ¯  H ¯ be in νNF (i.e. N ¯ ⊆ fn(¯ ¯ chosen such that: Let ζ¯ = ν N τ )), with N ¯ 6 ∩ (N ′ ∪ N0 ∪ N1 ∪ fn(∆; ∆′ ) ∪ fn(H1 ) ∪ fn(H ′ )) (77) N (75)

¯ 6 ∩ fn(H ′ ) by (77), then: Since N ¯ ). τ¯  H ′ · H ¯ νN ′ . H ′ · ζ¯ = ν(N ′ ∪ N ¯ ⊆ fn(¯ By Remark 5.1, we have the following νNF (recall that N τ )): (78)

ˆ . τ¯  (ν N ˇ . H ′ · H) ¯ νN ′ . H ′ · ζ¯ = ν N

ˆ = (N ′ ∩ fn(¯ ¯ N τ )) ∪ N ′ ˇ N = N \ fn(¯ τ)

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–62

·

Massimo Bartoletti et al.

By Lemma C.3: ˆ ↔ N0 : τ¯σ ⊑ τ0 → ζ0 ∧ (ν N ˇ .H ′ · H)σ ¯ ⊑ H0 ∃σ : N

(79) By the rule

T-Bang,

we have: ¯ σ ∪ N1 ). Hσ ¯ · H1 · ζ0 ∆; ∆′ σ ⊢ ! : ν(N

By Definition C.21, we have T (C, ∆) = (νN ′ σ.H ′ σ, ∆′ σ). Then, by Lemma 22a: ¯ σ ∪ N1 ). Hσ ¯ · H1 · ζ0 ) ∆ ⊢ C[! ] : νN ′ σ. H ′ σ · (ν(N Note that, by Definition C.21, fn(H ′ σ) ⊆ fn(∆) ∪ N ′ σ. By the side conditions of ¯ σ ⊆ N0 and fn(∆)6 ∩ N1 . Since N 6 ∩ N ′ and σ is bijective, T-App in (73), fn(∆)6 ∩ N ′ ¯ then N σ6 ∩ N σ. Also, by N ′ σ ⊆ N0 and by N0 6 ∩ N1 , it follows that N ′ σ6 ∩ N1 . Therefore, we have proved that: ¯ σ ∪ N1 ) fn(H ′ σ)6 ∩ (N

(80)

To conclude, a further application of

T-Wk

is in order:

¯ σ ∪ N1 ). Hσ ¯ · H1 · ζ0 ) νN ′ σ. H ′ σ · (ν(N ¯ σ ∪ N1 ). H ′ σ · Hσ ¯ · H1 · ζ0 = ν(N ′ σ ∪ N

by (80)

¯ σ ∪ N1 ). H ′ σ · Hσ ¯ · H1 · ζ0 = ν((N ′ ∩ fn(¯ τ ))σ ∪ (N ′ \ fn(¯ τ ))σ ∪ N ˆσ ∪ N ˇ ∪ N1 ). H ′ σ · Hσ ¯ · H1 · ζ0 = ν(N

by (78)

ˆ σ ∪ N1 ). (ν N ˇ . H ′ σ · Hσ) ¯ · H1 · ζ0 = ν(N ˆ σ ∪ N1 ). (ν N ˇ . H ′ · H)σ ¯ · H1 · ζ0 = ν(N

by (75) by (78) by (79)

⊑ ν(N0 ∪ N1 ). H0 · H1 · ζ0 —B-BetaBang2. Here we have e = e0 e1 , and: C

0 =⇒ v0 e0 =

C

1 =⇒ ! e1 =

C0 [C1 ]

e0 e1 ====⇒ ! By the rule

T-App,

we have that:

∆ ⊢ e0 : νN0 . (τ0 → ζ0 )  H0

∆ ⊢ e1 : νN1 . τ0  H1

∆ ⊢ e0 e1 : ν(N0 ∪ N1 ). H0 · H1 · ζ0 where N0 6 ∩ N1 , N0 6 ∩ fn(∆), N1 6 ∩ fn(∆) N0 6 ∩ fn(H1 ), and we assume the types in the premise are in νNF. By the induction hypothesis applied on both the premises of B-BetaBang2: ∆ ⊢ C0 [v0 ] : νN0 . (τ0 → ζ0 )  H0 ∆ ⊢ C1 [! ] : νN1 . τ0  H1

(81) (82)

Let T (C0 , ∆) = (νN0′ .H0′ , ∆0 ) and let T (C1 , ∆) = (νN1′ .H1′ , ∆1 ), where we choose N0′ and N1′ such that: (83)

N0′ 6 ∩ N1′

(N0′ ∪ N1′ )6 ∩ (fn(∆) ∪ N0 ∪ N1 ∪ fn(ζ0 ) ∪ fn(H1 ))

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–63

By Lemma 22c used on (81) and Lemma 22b used on (82), there exist τ0′ and ζ¯1 such that: (84) (85)

∆; ∆0 ⊢ v0 : τ0′  ε ∆; ∆1 ⊢ ! : ζ¯1

νN0′ . τ0′  H0′ ⊑ νN0 .τ0 → ζ0  H0 νN1′ . H1′ · ζ¯1 ⊑ νN1 . τ0  H1 fn(ζ¯1 ) ⊆ N ′ ∪ fn(νN1 . τ0  H1 ) 1

¯ 1 , where we choose N ¯1 such that: Let ζ¯1 = ν N¯1 . τ¯1  H (86)

¯1 6 ∩ (fn(H ¯ 1 ) ∪ fn(∆) ∪ fn(H ′ ) ∪ fn(ζ0 ) ∪ N0 ∪ N1 ) N 1

¯1 6 ∩ fn(H ′ ) by (86), we have that: Since N 1 ¯1 ). τ¯1  H1′ · H ¯1 νN1′ .H1′ · ζ¯1 = ν(N1′ ∪ N By Remark 5.1, we have the following νNFs: (87) (88)

Nˆ0′ = N0′ ∩ fn(τ0′ ) Nˇ0′ = N0′ \ fn(τ0′ ) ′ ˆ′ ¯1 τ1 )) ∪ N ¯ 1 ) N1 = (N1 ∩ fn(¯ νN1′ .H1′ · ζ¯1 = ν Nˆ1′ .¯ τ1  (ν Nˇ1′ .H1′ · H ′ ′ ˇ τ1 ) N = N \ fn(¯

νN0′ .τ0′  H0′ = ν Nˆ0′ .τ0′  (ν Nˇ0′ .H0′ )

1

1

Thus, we have the following subtype relations between types in νNF: (89) (90)

ν Nˆ0′ .τ0′  (ν Nˇ0′ .H0′ ) ⊑ νN0 .τ0 → ζ0  H0 ¯ 1 ) ⊑ νN1 . τ0  H1 τ1  (ν Nˇ ′ .H ′ · H ν Nˆ ′ .¯ 1

1

1

By Lemma C.3 on (89): (91)

∃σ0 : Nˆ0′ ↔ N0 : τ0′ σ0 ⊑ τ0 → ζ0 ∧ (ν Nˇ0′ .H0′ )σ0 ⊑ H0

There are now two cases, depending on whether τ0 6= {?} or τ0 = {?}. C.4.0.6 (92)

Case τ0 6= {?}. By Lemma C.3 used on (90): ¯ 1 )σ1 ⊑ H1 ∃σ1 : Nˆ1′ ↔ N1 : τ¯1 σ1 ⊑ τ0 ∧ (ν Nˇ1′ . H1′ · H

¯1 6 ∩ fn(∆) ¯1 . Then, since N ′ 6 ∩ fn(∆) and N By (92) and (88), dom(σ1 ) ⊆ N1′ ∪ N 1 by (83) and (86), it follows that ∆σ1 = ∆. Let σ ˆ1 = σ1 |N¯1 and let σ ˇ1 = ˆ ˇ ˆ ˇ σ1 ) and N1 = ran(ˇ σ1 ) and σ1 |dom(σ1 )\N¯1 . Let N1 = N1 ∪ N1 , where N1 = ran(ˆ ˆ1 6 ∩ N ˇ1 . Then, by the rule T-Bang we have that: N (93)

¯1 . τ¯1 σ ¯ 1σ ∆; ∆1 σ1 ⊢ e¯1 : ν N ˇ1  H ˇ1

By Definition C.21 we have T (C0 , ∆) = (νN0′ σ0 .H0′ σ0 , ∆0 σ0 ), and T (C1 , ∆; ∆0 σ0 ) = (νN1′ σ1 .H1′ σ1 , ∆1 σ1 ). By Lemma 22a on the above judgement we have: ¯1 σ ¯ 1 σ1 · ζ0 ) ∆; ∆0 σ0 ⊢ C1 [! ] : νN1′ σ1 . H1′ σ1 · (ν N ˆ1 . H A further application of Lemma 22a then yields: ¯1 σ ¯ 1 σ1 · ζ0 )) ∆ ⊢ C0 [C1 [! ]] : νN0′ σ0 . H0′ σ0 · (νN1′ σ1 . H1′ σ1 · (ν N ˆ1 . H ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–64

Massimo Bartoletti et al.

We now prove the following facts: ¯1 σ N ˆ1 6 ∩ fn(H1′ σ1 ) N1 6 ∩ fn(H0′ σ0 )

(94) (95) To prove (94), note that:

¯1 σ N ˆ1 ∩ fn(H1′ σ1 ) = Nˆ1 ∩ fn(H1′ )σ1 ⊆ Nˆ1 ∩ (fn(∆)σ1 ∪ N1′ σ1 ) ˇ1 ) ⊆ Nˆ1 ∩ (fn(∆) ∪ N1′ ∪ N =∅ To prove (95), note that: N1 ∩ fn(H0′ σ0 ) ⊆ N1 ∩ (fn(∆)σ0 ∪ N0′ σ0 ) ⊆ N1 ∩ (fn(∆) ∪ N0′ ∪ N0 ) =∅ To conclude, a further application of

T-Wk

suffices, because:

¯1 σ ¯ 1 σ1 · ζ0 )) (νN1′ σ1 . H1′ σ1 · (ν N ˆ1 . H ′ ′ ¯ ¯ 1 σ1 · ζ0 ) (ν(N1 σ1 ∪ N1 σ ˆ1 ). H1 σ1 · H ¯ 1 σ1 ) · ζ0 ) ˆ1 ∪ N ˇ1 ). (ν Nˇ ′ . H ′ σ1 · H (ν(N 1 1

· ·

=

νN0′ σ0 . H0′ σ0 νN0′ σ0 . H0′ σ0 νN0′ σ0 . H0′ σ0

=

νN0′ σ0 . H0′ σ0

¯ 1 )σ1 · ζ0 ) · (νN1 . (ν Nˇ1′ . H1′ · H

=

·

by (94)

¯ 1 )σ1 ⊑ H1 . Therefore, by Lemma 7a, (ν Nˇ ′ . H ′ · by (90), we have that (ν Nˇ1′ . H1′ · H 1 1 ¯ H1 )σ1 · ζ0 ⊑ H1 · ζ0 . We can then apply twice Lemma 7b – the disjointness conditions of which are easy to check – and obtain: ⊑ νN0′ σ0 . H0′ σ0 · (νN1 . H1 · ζ0 ) = ν(N0′ σ0 ∪ N1 ). H0′ σ0 · H1 · ζ0

by (95)

since N0′ σ0 = (N0′ \ fn(τ0′ ))σ0 ∪ (N0′ ∩ fn(τ0′ ))σ0 = Nˇ0′ ∪ N0 : = ν(N0 ∪ Nˇ0′ ∪ N1 ). H0′ σ0 · H1 · ζ0 = ν(N0 ∪ N1 ). (ν Nˇ ′ . H ′ σ0 ) · H1 · ζ0

by (83)

= ν(N0 ∪ · H1 · ζ0 ⊑ ν(N0 ∪ N1 ). H0 · H1 · ζ0

by (89)

0 N1 ). (ν Nˇ0′ . H0′ )σ0 0

C.4.0.7

Case τ0 = {?}. We have N1 = ∅, and by Lemma C.3 used on (90): τ¯1 ⊑ τ0

(96) By the rule

T-Bang,

¯ 1 ⊑ H1 ν(N1′ ∪ N¯1 ). H1′ · H

we have that: ¯1 . H ¯ 1 · ζ0 ∆; ∆0 σ0 ; ∆1 ⊢ ! : ν N

By Lemma 22a, from the above judgement we obtain: ¯1 . H ¯ 1 · ζ0 ) ∆; ∆0 σ0 ⊢ C1 [! ] : νN1′ . H1′ · (ν N ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–65

By Definition C.21, we have T (C0 , ∆) = (νN0′ σ0 . H0′ σ0 , ∆0 σ0 ). Thus, a further application of Lemma 22a yields: ¯1 . H ¯ 1 · ζ0 )) ∆ ⊢ C0 [C1 [! ]] : νN0′ σ0 .H0′ σ0 · (νN1′ . H1′ · (ν N To conclude, a further application of

T-Wk

suffices, because:

¯1 . H ¯ 1 · ζ0 )) νN0′ σ0 . H0′ σ0 · (νN1′ . H1′ · (ν N ′ ′ ′ ′ ¯1 ). H1 · H ¯ 1 ) · ζ0 = νN0 σ0 . H0 σ0 · (ν(N1 ∪ N

by (86)

¯1 ). H ′ · H ¯ 1 ⊑ H1 . Therefore, by Lemma 7a, by (96), we have that ν(N1′ ∪ N 1 ′ ′ ¯ ¯ (ν(N1 ∪ N1 ). H1 · H1 )·ζ0 ⊑ H1 ·ζ0 . We can then apply Lemma 7b – the disjointness condition of which is easy to check – and obtain: ⊑ νN0′ σ0 . H0′ σ0 · H1 · ζ0 = ν(N0 ∪ Nˇ ′ ). H ′ σ0 · H1 · ζ0 0

0

= νN0 . (ν Nˇ0′ . H0′ σ0 ) · H1 · ζ0 = νN0 . (ν Nˇ ′ . H ′ )σ0 · H1 · ζ0

by (83)

⊑ ν(N0 ∪ N1 ). H0 · H1 · ζ0

by (89)

0

0

C.5

Correctness of effects and type safety

Lemma C.24. For all closed history contexts C, values v, and for all R: ∆ ⊢ C[v] : νN. τ  H ∧ fn(νN. H) = ∅ =⇒ H(C, R) ⊆? JνN. HK(R) Proof. By induction on the structure of C, there are the following three cases: —C = •. Trivial, since H(•, R) = { !}. —C = α(ξ); C ′ . Any typing derivation for C[v] = (λy. C ′ [v]) α(ξ) has the following form: .. .

T-Wk

P ∆ ⊢ α(ξ) : 1  ρ∈∆(ξ) α(ρ) ∆; y : 1 ⊢ C ′ [v] : ζ T-Wk ∆ ⊢ λy. C ′ [v] : 1 → ζ  ε ∆ ⊢ α(ξ) : 1  H ′ ∆ ⊢ (λy. C ′ [v]) α(ξ) : H ′ · ζ ∆ ⊢ (λy. C ′ [v]) α(ξ) : νN. τ  H

P

′ ¯ ¯  H, ¯ where w.l.o.g. we choose N ¯ where ρ∈∆(ξ) α(ρ) ⊑ H . Let ζ = ν N . τ disjoint from fn(H ′ ). Also, w.l.o.g. assume that both ζ and νN. τ  H are in ¯ · H ′ ). νNF, and that N 6 ∩ fn(H ¯ ¯ Let U = fn(H) \ N . By Lemma C.11, ζ ⊑ W∅,U (ζ), and by using (T-Wk) on the judgement ∆; y : 1 ⊢ C ′ [v] : ζ, we have:

(97)

¯ . W∅,U (¯ ¯ ∆; y : 1 ⊢ C ′ [v] : W∅,U (ζ) = ν N τ )  H{?/U }

¯ . H{?/U ¯ Since fn(ν N }) = ∅, then by the induction hypothesis: (98)

¯ . H{?/U ¯ H(C ′ , R) ⊆? Jν N }K(R) ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–66

·

Massimo Bartoletti et al.

Also, since H ′ · ζ ⊑ νN. τ  H, then by Lemma 10a: ¯ . W∅,U (¯ ¯ νN τ ). (H ′ · H){?/U } = W∅,U (H ′ · ζ) ⊑ W∅,U (νN. τ  H) = νN. τ  H There are now two subcases, depending on either τ 6= {?} or τ = {?}. ˆ = N ¯ ∩ fn(W∅,U (¯ ˇ = N ¯ \ fn(W∅,U (¯ If τ 6= {?}, let N τ )) and N τ )). Then, by Lemma C.2: ˆ ↔ N : (ν N ˇ . (H ′ · H){?/U ¯ ∃σ : N })σ ⊑ H

(99) Therefore:

H(C, R) = { !} ∪ { α(ξ)η | η ∈ H(C ′ , R) } ¯ . H{?/U ¯ ⊆? { !} ∪ { α(ξ)η | η ∈ Jν N }K(R) } by (98) P ¯ . H{?/U ¯ = J ρ∈∆(ξ) α(ρ)K(R) ⊙ Jν N }K(R) by fv (C) = ∅ ¯ . H{?/U ¯ ⊆? JH ′ K(R) · Jν N }K(R) by Lemma 7a ¯ . H ′ · H{?/U ¯ = Jν N }K(R) by N 6 ∩ fn(H ′ ) ¯ . (H ′ · H){?/U ¯ ⊆? Jν N }K(R) ′ ˆ . νN ˇ . (H · H){?/U ¯ = Jν N }K(R) ˆ σ. (ν N ˇ . (H ′ · H){?/U ¯ = Jν N })σK(R)

¯ by ran(σ)6 ∩ fn(H ′ · H)

⊆? JνN. HK(R)

by (99)

If τ = {?}, the proof proceeds similarly using the second item of Lemma C.3. —C = new x in C ′ . Any typing derivation for C[v] = new x in C ′ [v] = (λx. C ′ [v]) new has the following form: .. .

T-Wk

∆; x : S ⊢ C ′ [v] : ζ ∆ ⊢ new : νn. {n}  ε T-Wk ∆ ⊢ λx. C ′ [v] : S → ζ  ε ∆ ⊢ new : νM. S  H ′ ∆ ⊢ (λx. C ′ [v]) new : νM. H ′ · ζ ∆ ⊢ (λx. C ′ [v]) new : ζ ′

where νn. {n}  ε ⊑ νM. S  H ′ , and νM. H ′ · ζ ⊑ ζ ′ = νN. τ  H. Let ¯ . τ  H, ¯ and w.l.o.g. choose N ¯ , M, N such that: ζ = νN ¯ 6 ∩ (M ∪ fn(H ′ )) N

¯ ∪ fn(H ′ ) ∪ fn(H)) ¯ N 6 ∩ (M ∪ N

¯ \N ¯ . By Lemma C.11, ζ ⊑ W∅,U (ζ), and by using (T-Wk) on the Let U = fn(H) judgement ∆; x : S ⊢ C ′ [v] : ζ, we have: (100)

¯ . W∅,U (¯ ¯ ∆; x : S ⊢ C ′ [v] : W∅,U (ζ) = ν N τ )  H{?/U }

Assume τ 6= {?} (the other case is simpler). There are two further subcases. If S 6= {?}, then let M = {m} = S ∩ Nam. By using Lemma (5d) on (100), we have that ∆; x : {m} ⊢ C ′ [v] : W∅,U (ζ), and then by (5c), for all r: (101)

∆; x : {r} ⊢ C ′ [v]{r/x} : W∅,U (ζ{r/m}) ¯ . W∅,U (¯ = νN τ ){r/m}  H{?/U }{r/m}

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–67

¯ . H{r/m}) ¯ ¯ = ∅. Thus, we can apply the Note that fn(ν N ⊆ fn(H{?/U }) \ N induction hypothesis on (101) and obtain, for all r and R: (102)

¯ . H{?/U ¯ H(C ′ {r/x}, R ∪ {r}) ⊆? Jν N }{r/m}K(R ∪ {r})

Therefore: H(C, R) = { !} ∪

S

r6∈R

H(C ′ {r/x}, R ∪ {r})

and so by (102): ⊆? { !} ∪

S

r6∈R

¯ . H{?/U ¯ Jν N }{r/m}K(R ∪ {r})

¯: by Definition B.11, choosing n 6∈ N ¯ . H{?/U ¯ = Jνn. ε · ν N }K(R) since S 6= {?}, by Lemma C.3, there exists σ ′ : {n} ↔ {m} such that εσ ⊑ H ′ . ¯ . H{?/U ¯ Since {m}6 ∩ fn(ν N }), we have that: ¯ . H{?/U ¯ = Jνnσ. εσ · ν N }K(R) ¯ . H{?/U ¯ ⊆? Jνm. H ′ · ν N }K(R) ¯ 6 ∩ fn(H ′ ): since N ¯ ). H ′ · H{?/U ¯ = Jν(M ∪ N }K(R) ′ ¯ ¯ ⊆? Jν(M ∪ N ). (H · H){?/U }K(R) Since νM. H ′ · ζ ⊑ ζ ′ , then by Lemma 10a W∅,U (νM. H ′ · ζ) ⊑ W∅,U (ζ ′ ) = ζ ′ . ˆ = (M ∪ N ¯ ) ∩ fn(¯ ˇ = (M ∪ N ¯ ) \ fn(¯ Let N τ ) and N τ ). Since W∅,U (νM. H ′ · ζ) = ′ ¯ ν(M ∪ N ). W∅,U (¯ τ )  (H · H){?/U } and τ 6= {?}, then by Lemma C.3 there ˆ ↔ N such that (ν N ˇ . (H ′ · H){?/U })σ ⊑ H. Therefore: exists σ : N ˆ . νN ˇ . (H ′ · H){?/U ¯ = Jν N }K(R) ′ ¯ ˆ ˇ = Jν N σ. (ν N . (H · H){?/U })σK(R) ⊆? JνN. HK(R) If S = {?}, then M = ∅, and the proof proceeds as in the previous case. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–68

·

Massimo Bartoletti et al.

Theorem 5.4 (Correctness of effects). For all λ[ ] expressions e: ∆ ⊢ e : νN. (τ  H) ∧ ε, e →∗ η, e′ =⇒ η! ∈ JνN. HKden (∅)−[ ] ? Proof. By Lemma C.13, ε, e♯ →∗ η¯, e¯′ for some η¯ and e¯′ such that η¯−[ ] = η. By Lemma C.14, ∆ ⊢ e♯ : νN. (τ  H). By Lemma C.19, there exist C and C v such that e♯ =⇒ v and η¯! ∈ H(C, ∅). By Lemma C.23 (subject reduction), ∆ ⊢ C[v] : νN. (τ  H). By Lemma C.24, H(C, ∅) ⊆? JνN. HKden (∅). Summing up, we have that: η! = η¯! −[ ] ∈ H(C, ∅) −[ ] = H(C, ∅)−[ ] ? den

⊆ JνN. HK

because ? 6∈ C −[ ] ?

(∅)

by Lemma B.36

Theorem 5.5 (Type safety). If ⊢ e : νN.τ  H and |= νN. H, then for no η, ϕ and e′ , it happens that ε, e →∗ η, fail ϕ[e′ ] . Proof. By contradiction, assume that ε, e →∗ η, fail ϕ[e′ ] . By Lemma C.13, there exist η¯ and e′′ such that ε, e♯ →∗ η¯, e′′ and 6|= η¯, implying 6|= η¯!. By Lemma C.14, C ∆ ⊢ e♯ : νN. τ  H. By Lemma C.19, there exist C and v such that e♯ =⇒ v, and η¯! ∈ H(C, ∅). By Lemma C.23, ∆ ⊢ C[v] : νN. τ  H. By Lemma C.24, H(C, ∅) ⊆? JνN. HKden (∅). By Lemma B.31, since |= JνN. HKden (∅) then also |= H(C, ∅) – so contradicting 6|= η¯!. D.

PROOFS: VERIFICATION

The technical development proceeds as follows in three phases. We introduce regularization of history expressions in Definition 6.3. To prove it correct, we introduce the auxiliary notion of normal form for histories (Definition D.9). Intuitively, each event α(r) is enclosed in a framing that resumes all the policies the scope of which includes α(r). Lemma D.12 states that the normal forms represented by history expression coincide with those of its regularization. Lemma D.13 ensures that normalizing a history preserves its validity. Theorem 6.4 then exploits the above lemmata to guarantee that the histories represented by a regularized history expressions contain no redundant framings, while preserving validity. Lemma 3.4 proves that policy compliance can be decided by checking membership in a regular language. Lemma 6.6 relates validity of histories with acceptance by the framed automaton of Definition 6.5. In the last phase, we first relate history expressions to BPAs. Lemma D.24 shows that any history represented by H can be simulated by a trace of the BPA of H, where the dynamic resources are abstracted into the witness # or the “don’t care” . The converse is established by Lemma D.25. Finally, Theorem 6.13 states the correctness of our model-checking procedure. D.1

Regularization of history expressions

The semantics of a closed history expression always contains histories with balanced framings, i.e. each opening framing event [ϕ has a well-nested, corresponding closing ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–69

]ϕ . For example, α[ϕ α′ [ϕ′ α′′ ]ϕ′ ]ϕ is balanced, while α[ϕ α′ [ϕ′ α′′ ]ϕ is not. Also, the semantics of history expressions is preserved under substitution. We extend the definition of regularization of Definition 6.3 with the rule ! ↓Φ,Υ = !. Remark D.1. For regularization, we shall consider ϕ[H] a primitive construct, instead of expanding it to [ϕ ·H·]ϕ as usual. Herewith, we shall only consider histories that are prefixed of balanced histories. This is always the case for histories represented by history expressions obtained through the type and effect system of Definition 5.3. Definition D.1. Let η be a history (recall by Remark B.1 that ! may only occur in trailing position). We say that η has: —ϕ-framings, if η = η0 [ϕ η1 for some η0 , η1 . —redundant framings, if η = η0 [ϕ η1 [ϕ η2 for some ϕ, η0 , η1 , η2 with ]ϕ 6∈ η1 . We say Y ∈ Dden has ϕ-framings (resp. redundant framings) when, for some R ⊂ Res, there exists some η ∈ Y (R) such that η has ϕ-framings (resp. redundant framings). We say a closed history expression H has ϕ-framings (resp. redundant framings) when JHKden has ϕ-framings (resp. redundant framings). ∅ ˜ be a history expression with a single hole •, such that Definition D.2. Let H ˜ H = H{h/•}. We say that h (more precisely, the occurrence of h replacing •) is ˜ for some r 6∈ H (see Definition B.3). reachable when r ∈ R{{r}/•} (H) Lemma D.3. Consider an unreachable occurrence of h in H. Then, for all θ den and for all Y, Y ′ ∈ Dden , JHKden θ{Y /h} = JHKθ{Y ′ /h} . We now characterize in Lemma D.4 when a history expression has ϕ-framings. Note that this is not a complete characterization, e.g. it does not tell us that ϕ[α] has ϕ-framings. However, this will suffice for the subsequent technical development. A complete characterization of ϕ-framings can be easily obtained by replacing variables for events in history expressions. For instance, Jϕ[α]Kden has ϕ-framings if θ and only if Jϕ[h]Kden has. θ{⊥/h} Lemma D.4. Consider a reachable occurrence h in H. If θ(h) has ϕ-framings, or h is guarded by {ϕ} in H, then JHKden has ϕ-framings. θ Proof. We proceed by induction on the size of H. The base cases H = ε, H = !, H = α(r) and H = h are trivial. For the inductive case, there are the following cases: —if H = H0 · H1 , assume first that h is in H0 . If θ(h) has ϕ-framings or h is guarded by {ϕ}, then by induction hypothesis JH0 Kden has ϕ-framings, and so θ also JHKden is such. Consider now the case h in H . Since h is reachable, then 1 θ by Definition B.3 ↓∈ R∅ (H0 ). Then, by Lemma B.22 there exists some R and den has η0 ∈ JH0 Kden θ (R) such that ! 6∈ η0 . By the induction hypothesis, JH1 Kθ den ϕ-framings, and so there exists some η1 ∈ JH1 Kθ (R ∪ R(η0 )) such that η1 has ϕ-framings — as well as η0 ⊙ η1 = η0 η1 ∈ JHKden θ (R). —if H = H0 + H1 , or H = νn. H ′ , directly by the induction hypothesis. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–70

·

Massimo Bartoletti et al.

—if H = ϕ′ [H ′ ], there are two subcases. If ϕ′ 6= ϕ, then straightforward by the induction hypothesis. Otherwise, let η ∈ Jϕ[H ′ ]Kden θ (R), for some R. Then, there ′ exists η ′ ∈ JH ′ Kden (R) such that η = [ η ] . Therefore, η has ϕ-framings. ϕ ϕ θ ′ ′ i —if H = µh .H , then let η ∈ f (⊥)(R), for some R ⊂ Res, where f (Y ) = ′ JH ′ Kden θ{Y /h′ } . If θ(h) has ϕ-framings, then θ{Y /h } still has ϕ-framings. Otherwise, if h is guarded by {ϕ} in H, then it such also in H ′ . Then, by the induction hypothesis it follows that JH ′ Kden θ{Y /h′ } has ϕ-framings, for all Y . Hence, S i i≥0 f (⊥)(R) has ϕ-framings.

The following lemma helps in establishing when a history expression has redundant framings. Again, it does not completely characterize redundant framings (e.g. it does not state that ϕ[ϕ[α(r)]] has redundant framings), because completeness is unneeded in the subsequent technical development. Lemma D.5. JHKden has redundant framings if, for some ϕ: θ (5a)

for some reachable h, θ(h) has redundant framings, or

(5b) (5c)

for some reachable h guarded by {ϕ} in H, θ(h) has ϕ-framings, or H = µh′ .H ′ , with some h′ reachable in H ′ and guarded by {ϕ}.

Proof. We proceed by induction on the size of H. The base cases H = ε, H = !, H = α(r), and H = h are trivial. The inductive cases follow: —if H = H0 · H1 , then either h in H0 or h ∈ H1 . For (5a), consider first the case h is in H0 . If θ(h) has redundant framings, then, by the induction hypothesis, JH0 Kden has redundant framings, as well as JHKden θ θ . Consider now the case h in H1 . Since h is reachable, then by Definition B.3 ↓∈ R∅ (H0 ). Then, by Lemma B.22 there exists some R and η0 ∈ JH0 Kden θ (R) has redundant framings, such that ! 6∈ η0 . By the induction hypothesis, JH1 Kden θ and so there exists some η1 ∈ JH1 Kden θ (R ∪ R(η0 )) such that η1 has redundant framings — as well as η0 ⊙ η1 = η0 η1 ∈ JHKden θ (R). For (5b), assume h is guarded by {ϕ} in H and that θ(h) has ϕ-framings. If h ∈ H0 , then h is guarded by {ϕ} in H0 , hence by the induction hypothesis JH0 Kden has redundant framings, and so does JHKden θ θ . The case h ∈ H1 proceeds as above. —if H = H0 + H1 or H = νn. H ′ , direct by the induction hypothesis. —if H = ϕ′ [H], then (5a) is straightforward by the induction hypothesis. For (5b), let h be guarded by {ϕ} in H. If ϕ 6= ϕ′ , the induction hypothesis suffices. Otherwise ϕ′ = ϕ, and θ(h) has ϕ-framings. By Lemma D.4, JH ′ Kden has θ ′ den ϕ-framings, which implies JHKden (R) = ϕ[JH K (R)] has redundant framings. θ θ —if H = µh′ .H ′ , then let η ∈ f i (⊥)(R), for some R ⊂ Res, where f (Y ) = JH ′ Kden θ{Y /h′ } . For (5a), consider a reachable occurrence of h ∈ fv (H) = fv (H ′ ) \ {h′ } such that θ(h) has redundant framings. By the induction hypothesis, f (⊥)(R) = den JH ′ Kden θ{⊥/h′ } has redundant framings, and so does JHKθ (R). ′ For (5b), let h ∈ fv (H) be guarded by {ϕ} in H , and let θ(h) have ϕ-framings. By the induction hypothesis, f (⊥)(R) = JH ′ Kden θ{⊥/h′ } has redundant framings, den and so does JHKθ . ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–71

For (5c), consider a reachable occurrence of h′ in H ′ , such that h′ is guarded by {ϕ}. By Lemma D.4, f (⊥)(R) = JH ′ Kden θ{⊥/h′ } has ϕ-framings. By the induc2 tion hypothesis of the case (5b), f (⊥)(R) = JH ′ Kden θ{f (⊥)/h′ } (R) has redundant den framings — and so does JHKθ (R). The following lemma helps proving that our algorithm for regularizing history expressions does indeed produce histories with no redundant framings. It states that you can change the name of variables in history expressions and (under certain assumptions) the evaluation environment, while preserving the property of having ϕ-framings, and that of having no redundant framings. Lemma D.6. For all history expressions H, H ′ such that H = H ′ {h/h′ } and fn(H) = fn(H ′ ) = ∅, and for all θ: (6a)

if JHKden has no ϕ-framings, and θ′ (h′′ ) has no ϕ-framings for each θ has no ϕ-framings. reachable h′′ in H ′ , then JH ′ Kden θ′

(6b)

if JHKden has no redundant framings, and, for each reachable h′′ θ ′ ′ ′′ in H , θ (h ) has no redundant framings, and θ′ (h′′ ) has no framings in the guards of h′ in H ′ , then JH ′ Kden has no redundant framings. θ′

Proof. By induction on the size of H, we have the following cases: —if H = ε, H = α(r), or H = !, trivial. —if H = h, then H ′ = h′ , and so Jh′ Kden = θ′ (h′ ) has neither ϕ-framings nor θ′ redundant framings, by the hypotheses on θ′ . —if H = H0 · H1 , then H = H ′ {h/h′ } implies H ′ = H0′ · H1′ for some H0′ , H1′ such that H0 = H0′ {h/h′ }, H1 = H1′ {h/h′ }. has no ϕ-framings. Let θ′ be  JH1 Kden = JH0 Kden For (6a), assume that JHKden θ θ θ ′ ′ such that θ (h) has no ϕ-framings for all h ∈ fv (H ) = fv (H0′ ) ∪ fv (H1′ ). There are two cases. If T(H0 ) = ∅, then the above implies that JH0 Kden has no ϕ-framings. By the θ ′ den induction hypothesis, JH0′ Kden have no ϕ-framings. Then, JH ′ Kden θ′ θ ′ = JH0 Kθ ′ has no ϕ-framings. If T(H0 ) = {↓}, then neither JH0 Kden nor JH1 Kden have ϕ-framings. By the inducθ θ ′ den ′ den tion hypothesis, neither JH0 Kθ′ nor JH1′ Kden θ ′ have ϕ-framings. Then, JH Kθ ′ = ′ den ′ den JH0 Kθ′  JH1 Kθ′ , has no ϕ-framings. has no redundant framings. Let θ′ be such that For (6b), assume that JHKden θ ′ ′′ θ (h ) has no redundant framings and no framings in guard (H ′ ) for all the occurrences of h′′ ∈ fv (H ′ ). If h′′ ∈ fv (H0′ ) (resp. H1′ ), then guard (H ′ ) = guard (H0′ ) (resp. H1′ ). There are two cases. If T(H0 ) = ∅, then the above implies that JH0 Kden has no redundant framings. By θ has no redundant framings. Then, JH ′ Kden the induction hypothesis, JH0′ Kden ′ θ θ′ = ′ den JH0 Kθ′ has no redundant framings. If T(H0 ) = {↓}, then neither JH0 Kden nor JH1 Kden have redundant framings. By θ θ ′ den the induction hypothesis, neither JH0 Kθ′ nor JH1′ Kden θ ′ have redundant framings. ′ den ′ den Then, JH ′ Kden = JH K  JH K has no redundant framings. ′ ′ ′ 0 θ 1 θ θ —if H = H0 + H1 , straightforward by the induction hypothesis. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–72

·

Massimo Bartoletti et al.

—if H = ϕ′ [H0 ], then H ′ = ϕ′ [H0′ ] for some H0′ such that H0 = H0′ {h/h′ }. ′ den For (6a), assume that JHKden = ϕ′ [JH0 Kden θ θ ] = λR. ϕ [JH0 Kθ (R)] has no ϕ′ ′ ′ ′′ framings (so, ϕ 6= ϕ ), and let θ be such that θ (h ) has no ϕ-framings for all h′′ ∈ fv (H ′ ) = fv (H0′ ). By the induction hypothesis, JH0′ Kden θ ′ has no ϕ-framings. ′ ′ den Then, JH ′ Kden θ ′ = ϕ [JH0 Kθ ′ ] has no ϕ-framings. For (6b), assume that JHKden has no redundant framings. Then, JH0 Kden has θ θ ′ neither ϕ -framings nor redundant framings. Let θ′ be such that θ′ (h′′ ) has no redundant framings and no framings in guard (H ′ ) = {ϕ′ } ∪ guard (H0′ ) for all has neither ϕ′ h′′ ∈ fv (H ′ ) = fv (H0′ ). By the induction hypothesis, JH0′ Kden θ′ ′ den framings nor redundant framings. Then, JH Kθ′ has no redundant framings. —if H = µh0 .H0 , then H ′ = µh0 .H0′ , for some H0′ such that H0 =FH0′ {h/h′ }. Let ′ den den f (Y ) = JH0 Kden = i≥0 f i (⊥), and θ{Y /h0 } , and g(Y ) = JH0 Kθ ′ {Y /h0 } . Then, JHKθ F i JH ′ Kden θ′ = i≥0 g (⊥). has no ϕ-framings. Then, f i (⊥) has no ϕ-framings For (6a), assume that JHKden θ for all i ≥ 0. Let θ′ be such that θ′ (h′′ ) has no ϕ-framings for all h′′ ∈ fv (H ′ ) = fv (H0′ ) \ {h0 }. We prove by induction on i that g i (⊥) has no ϕ-framings for all i ≥ 0, which implies the thesis. The base case g 0 (⊥) = ⊥ is trivial. For the inductive case, assume that g i (⊥) has no ϕ-framings. By the induction hypothesis on the size of H, g i+1 (⊥) = JH0′ Kden θ ′ {g i (⊥)/h0 } has no ϕ-framings. den For (6b), assume that JHKθ has no redundant framings. Then, f i (⊥) has no redundant framings for all i ≥ 0. By Lemma (5c), there is no reachable occurrence of h0 in H0 guarded by some ϕ, and the same holds for H0′ . Let θ′ be such that θ′ (h′′ ) has neither redundant framings nor framings in guard (H ′ ) = guard (H0′ ) for all h′′ ∈ fv (H ′ ) = fv (H0′ ) \ {h0 }. We prove by induction on i that g i (⊥) has no redundant framings, for all i ≥ ∅. The base case g 0 (⊥) = ⊥ is trivial. For the inductive case, assume that g i (⊥) has no redundant framings. Since g i (⊥) has no ϕ-framings, then by the induction hypothesis on the size of H it follows that g i+1 (⊥) = JH0′ Kden θ ′ {g i (⊥)/h0 } has no redundant framings. Lemma D.7. For each history expression H, H ↓ is defined. Proof. We prove a stronger result: for each history expression H, set of policies Φ and mapping Υ from variables to history expressions, H ↓Φ,Υ is defined. Let Φ0 be the set of all policies contained in Φ, H and Υ. We proceed by induction on |Φ0 | − |Φ|. The base case is when |Φ| = |Φ0 |: since Φ ⊆ Φ0 , it must be Φ = Φ0 . By induction on the structure of H, we have the following cases: —if H = ε, H = h, H = α(ρ) and H = ! are trivial. —if H = H0 · H1 , then H ↓Φ0 ,Υ = H0 ↓Φ0 ,Υ ·H1 ↓Φ0 ,Υ . By the structural induction hypothesis, both H0 ↓Φ0 ,Υ and H1 ↓Φ0 ,Υ are defined. —if H = H0 + H1 , similar. —if H = νn. H ′ , straightforward by the induction hypothesis. —if H = ϕ[H ′ ], then H ↓Φ0 ,Υ = H ′ ↓Φ0 ,Υ , because ϕ ∈ Φ0 . By the structural induction hypothesis, H ′ ↓Φ0 ,Υ is defined. —if H = µh. H ′ , then H ↓Φ0 ,Υ = µh. (H ′ ↓Φ0 ,Υ{(µh. H ′ )Υ/h} ), because there is no occurrence of h ∈ fv (H ′ ) guarded by some ϕ 6∈ Φ0 (also note that when ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–73

σ ′ (hi ) = h, the value of σ(hi ) immaterial). By the structural induction hypothesis, H ′ ↓Φ0 ,Υ{(µh. H ′ )Υ/h} is defined. For the inductive case, let |Φ| = k, and assume that the statement holds for sets of policies with size greater than k. We proceed by induction on the structure of H. The cases ε, h, α(ρ), !, H0 · H1 , H0 + H1 and νn. H ′ are treated similarly to the base case. The other cases follow: —if H = ϕ[H ′ ], then there are two further subcases. If ϕ ∈ Φ, then H ↓Φ,Υ = H ′ ↓Φ,Υ , which is defined by the structural induction hypothesis. Otherwise, if ϕ 6∈ Φ, then H ↓Φ,Υ = ϕ[H ′ ↓Φ∪{ϕ},Υ ]. Since |Φ ∪ {ϕ}| > |Φ|, then H ′ ↓Φ∪{ϕ},Υ is defined by the induction hypothesis on |Φ0 | − |Φ|. —if H = µh. H ′ , then H ↓Φ,Υ = µh.(H ′′ σ ′ ↓Φ,Υ{(µh.H ′ )Υ/h} σ), where H ′′ , σ and σ ′ are as in Definition 6.3. When σ ′ (hi ) = h, the value of σ(hi ) immaterial, thus σ(hi ) = (µh.H ′ ) ↓Φ∪guard(H ′′ {•/hi }),Υ needs to be computed only if guard (H ′′ {•/hi }) 6⊆ Φ. Then, the induction hypothesis on |Φ0 | − |Φ| ensures that (µh.H ′ ) ↓Φ∪guard(H ′′ {•/hi }),Υ is defined. By the structural induction hypothesis, H ′ ↓Φ,Υ{(µh.H ′ )Υ/h} is defined. Since the substitution σ ′ just replaces some free variable hi for h, then also H ′′ σ ′ ↓Φ,Υ{(µh.H ′ )Υ/h} is defined. Lemma D.8. For each history expression H, H ↓ has no redundant framings. Proof. We prove the following, stronger, result. Let H, Φ, Υ, θ be such that (i) JHKden is defined, (ii) JΥ(h)Kden is defined for all h ∈ dom(Υ) = fv (H), and (iii) θ ∅ θ(h) has no framings for each h ∈ fv (H). Then, JH ↓Φ,Υ Kden has neither framings θ in Φ, nor redundant framings. Let Φ0 be the set of policies contained in Φ, H and θ. We proceed by induction on |Φ0 | − |Φ|. The base case is when |Φ| = |Φ0 |: since Φ ⊆ Φ0 , it must be Φ = Φ0 . In this case, we prove that JH ↓Φ,Υ Kden has no framings (and, consequently, no θ redundant framings). By induction on the structure of H, we have the following cases: —if H = ε, H = α(r), H = !, trivial. —if H = h, then Jh ↓Φ Kden = JhKden = θ(h) has no framings by hypothesis (iii). θ θ —if H = H0 · H1 , then: J(H0 · H1 ) ↓Φ,Υ Kden = JH0 ↓Φ,Υ ·H1 ↓Φ,Υ Kden = JH0 ↓Φ,Υ Kden  JH1 ↓Φ,Υ Kden θ θ θ θ The structural induction hypothesis then suffices. —if H = H0 + H1 or H = νn. H ′ , straightforward by structural induction. —if H = ϕ[H0 ], since Φ = Φ0 , then ϕ ∈ Φ. Thus, ϕ[H0 ] ↓Φ,Υ = H0 ↓Φ,Υ , and, by has no framings. the structural induction hypothesis, JH0 ↓Φ,Υ Kden θ —if H = µh.H0 , then (µh. H0 ) ↓Φ,Υ = µh. (H0 ↓Φ,Υ{HΥ/h} ), since there is no F = i≥0 f i (⊥), where h ∈ fv (H0 ) guarded by ϕ ∈ / Φ = Φ0 . Then, JH ↓Φ,Υ Kden θ f (Y ) = JH0 ↓Φ,Υ{HΥ/h} Kden θ{Y /h} . By induction on i, we prove that each Xi has no framings. The base case f 0 (⊥) = ⊥ is trivial. For the inductive case, assume that f i (⊥) has no framings. Then, by the induction hypothesis on the size of H, f i+1 (⊥) = JH0 ↓Φ,Υ{HΥ/h} Kden θ{f i (⊥)/h} has no framings. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–74

·

Massimo Bartoletti et al.

For the inductive case, let |Φ| = k, and assume that the statement holds for sets of policies with size greater than k. We proceed by induction on the size of H. The cases ε, !, α(r), h, H0 · H1 , H0 + H1 and νn. H ′ are treated similarly to the base case. The other cases follow: —if H = ϕ[H0 ], then we have the following two subcases. If ϕ ∈ Φ, then ϕ[H0 ] ↓Φ,Υ = H0 ↓Φ,Υ . By the induction hypothesis on the size of H, JH0 ↓Φ,Υ Kden has neither framings in Φ, nor redundant framings. θ If ϕ ∈ / Φ, then ϕ[H0 ] ↓Φ,Υ = ϕ[H0 ↓Φ∪{ϕ},Υ ]. By induction on |Φ0 | − |Φ ∪ {ϕ}| = |Φ0 | − |Φ| − 1 < |Φ0 | − |Φ|, JH0 ↓Φ∪{ϕ},Υ Kden has no framings in Φ ∪ {ϕ} and θ no redundant framings. Thus, Jϕ[H0 ↓Φ∪{ϕ},Υ ]Kden = ϕ[JH0 ↓Φ∪{ϕ},Υ Kden θ θ ] has no framings in Φ and no redundant framings. —if H = µh.H0 , let H0 = H ′ {h/hi }i , where the hi are fresh and h 6∈ fv (H ′ ). Let Φi = guard (H ′ {•/hi }), σ(hi ) = HΥ ↓Φ∪Φi ,Υ , and σ ′ (hi ) = h if Φi ⊆ Φ, otherwise σ ′ (hi ) = hi . Then, H ↓Φ,Υ = µh. (H ′ σ ′ ↓Φ,Υ{HΥ/h} σ). Consider now HΥ. By hypothesis, JHKden is defined, and JΥ(h′ )Kden is defined for all h′ ∈ dom(Υ), and θ ∅ den so Lemma B.16 ensures that JHΥKθ is defined. We have that: JH ↓Φ,Υ Kden = Jµh. H ′ σ ′ ↓Φ,Υ{HΥ/h} σKden θ θ let Yi = JHΥ ↓Φ∪Φi ,Υ Kden θ , and then by the substitution lemma (Lemma B.16) applied |dom(σ)| times: = Jµh. H ′ σ ′ ↓Φ,Υ{HΥ/h} Kden θ{Yi /hi } so by defining f (Z) = JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden θ{Yi /hi ,Z/h} : =

F

n≥0

f n (⊥)

We now prove by induction on n that f n (⊥) has neither framings in Φ nor redundant framings, for all n ≥ 0, which clearly implies the thesis. The base case f 0 (⊥) = ⊥ is trivial. For the inductive case, recall that by hypothesis θ(h′ ) has no framings for all h′ ∈ fv (H) = fv (H0 ) \ {h}. Since Υ is closed when defined and fv (H) = dom(Υ), then HΥ is closed, and fv (H0 ) = fv (H) ∪ {h} = dom(Υ) ∪ {h} = dom(Υ{HΥ/h}). Therefore, by the induction hypothesis on the size of H, JH0 ↓Φ,Υ{HΥ/h} Kden θ{⊥/h} has neither framings in Φ, nor redundant framings. Let h′ ∈ fv (HΥ). Since Υ(h′ ) is closed, then h′ ∈ fv (H) \ dom(Υ), and θ(h′ ) has no framings by hypothesis. For all i such that σ ′ (hi ) = hi , we have that Φi 6⊆ Φ, and so |Φ ∪ Φi | > |Φ|. By the induction hypothesis on |Φ0 | − |Φ|, Yi has neither framings in Φ∪Φi , nor redundant framings. Let θ′ = θ{Yi /hi , f n (⊥)/h}i . Note that H0 = (H ′ σ ′ ){h/hi }i . The unreachable occurrences of hi in H ′ can be neglected by Lemma D.3. So, we only consider below the reachable ones. By Lemma (6a), f n+1 (⊥) has no framings in Φ. Consider a reachable occurrence of h′ in H ′ σ ′ and let Φ′ be its guards. If h′ = h, then θ′ (h) = f n (⊥) has neither redundant framings nor framings in Φ, hence θ′ (h) has no framings in Φ′ ⊆ Φ. If h′ = hi , then θ′ (h′ ) = Yi has neither redundant framings, nor framings in Φ ∪ Φi . If h′ 6∈ {h, hi }i , then θ′ (h′ ) = θ(h′ ) has no framings by hypothesis. By Lemma (6b), we conclude that f n+1 (⊥) has no redundant framings. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

Local Policies for Resource Usage Analysis

App–75

Regularization preserves validity. To show that, it is convenient to introduce a normal form for histories. It permits to compare the histories produced by an expression H with those of the regularization of H. Note that normalization is a non-regular transformation: constructing the normal form of a history requires counting the framing openings and closings. Definition D.9. Normalization For all histories η, we define η⇓ inductively as follows: ε⇓ = ε

(η [ϕ ) ⇓ = (η ]ϕ ) ⇓ = η⇓

!⇓ = !

(ηα(ρ))⇓ = η⇓ [ϕ α(ρ) ]ϕ where ϕ = V For all Φ ⊆ Pol, we define η⇓Φ = ( Φ[η])⇓.

V

ap(η)

For all X ∈ (Ev ∪ Frm)∗ ∪ (Ev ∪ Frm)∗ !, we define X⇓Φ = { η⇓Φ | η ∈ X }. For all Y ∈ Dden , we define Y ⇓Φ = λR. (Y (R)⇓Φ ).

Intuitively, normalization transforms policy framings into local checks. Indeed, η⇓ is intended to record that each event in η must obey to all the policies which are active for that event. Example D.1. Consider the history η = α[ϕ α′ [ϕ′ α′′ ]ϕ′ ]ϕ . Its normal form is: η⇓ = α ϕ[α′ ] (ϕ ∧ ϕ′ )[α′′ ] The next lemma shows that normalization is idempotent. Lemma D.10. For all histories η, and for all Φ ⊆ Pol: η⇓Φ⇓Φ = η⇓Φ V V Proof. ItVis easy to check that ap(η⇓Φ ) = (ap(η)∪Φ), that ap(η⇓Φ ) = ap(η⇓Φ ), and that Φ ∈ ap(η⇓Φ ). Therefore: ^ ap(η⇓Φ⇓Φ ) = (ap(η⇓Φ ) ∪ Φ) ^ = ap(η⇓Φ ) = ap(η⇓Φ )

which implies the thesis. The following lemma helps in proving Lemma D.12. It states that normalization is preserved by substitution of a variable, provided that the new evaluation enviroment maps that variable to a suitably normalized set of histories. ˜ Lemma D.11. Let H = H{h/•}. Then, for all θ and Φ′ ⊆ Φ: den JHKden θ ⇓Φ = JHKθ{θ(h)⇓

⇓Φ = JHKden θ{θ(h)⇓

Φ′ /h}

⇓Φ

˜ /h} Φ∪guard(H)

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–76

·

Massimo Bartoletti et al.

Proof. By induction on the structure of H. The base cases H = ε and H = α(ρ) ˜ = ∅, and: are trivial. If H = h, then guard (H) den JhKden θ ⇓Φ = θ(h)⇓Φ = θ(h)⇓Φ′ ⇓Φ = JhKθ{θ(h)⇓

⇓Φ

Φ′ /h}

den JhKden θ ⇓Φ = θ(h)⇓Φ = θ(h)⇓Φ⇓Φ = JhKθ{θ(h)⇓Φ∪∅ /h}⇓Φ

The inductive cases follow. —if H = H0 · H1 , let θ′ = θ{θ(h)⇓Φ′ /h}. Then, for the first equation: den JH0 · H1 Kden  JH1 Kden θ ⇓Φ = (JH0 Kθ θ )⇓Φ den = JH0 Kden θ ⇓Φ JH1 Kθ ⇓Φ den = JH0 Kden θ ′ ⇓Φ JH1 Kθ ′ ⇓Φ

=

by the ind. hyp.

(JH0 Kden θ′

= JH0 ·

 JH1 Kden θ ′ )⇓Φ den H1 Kθ{θ(h)⇓Φ /h}⇓Φ

˜ 0 {h/•} for some H ˜ 0 such that • ∈ H ˜ 0 (the For the second equation, let H0 = H ′ ˜ ˜ ˜ case • ∈ H1 is similar). Then, guard (H) = guard (H0 ). Let θ = θ{θ(h)⇓Φ∪guard(H˜ 0 ) /h}. We have that: den JH0 · H1 Kden  JH1 Kden θ ⇓Φ = (JH0 Kθ θ )⇓Φ den = JH0 Kden θ ⇓Φ JH1 Kθ ⇓Φ den = JH0 Kden θ ′ ⇓Φ JH1 Kθ ′ ⇓Φ

=

by the ind. hyp.

(JH0 Kden θ′

= JH0 ·

 JH1 Kden θ ′ )⇓Φ den H1 Kθ′ ⇓Φ

= JH0 · H1 Kden θ{θ(h)⇓

⇓Φ

˜ /h} Φ∪guard(H)

˜ = guard (H ˜ 0) by guard (H)

—if H = H0 + H1 or H = νH ′ , straightforward by the induction hypothesis. —if H = ϕ[H0 ], then, for the first equation: den Jϕ[H]Kden θ ⇓Φ = ϕ[JHKθ ]⇓Φ

= JHKden θ ⇓Φ∪{ϕ} = JHKden θ{θ(h)⇓

= ϕ[JHKden θ{θ(h)⇓ =

⇓Φ∪{ϕ}

Φ′ /h}

Φ′ /h}

by the ind. hyp.

]⇓Φ

Jϕ[H]Kden θ{θ(h)⇓Φ′ /h}⇓Φ

˜ 0 ]) = {ϕ} ∪ guard (H ˜ 0 ). Then: For the second equation, guard (ϕ[H den Jϕ[H]Kden θ ⇓Φ = ϕ[JHKθ ]⇓Φ

= JHKden θ ⇓Φ∪{ϕ} = JHKden θ{θ(h)⇓Φ∪{ϕ}∪guard(H) /h}⇓Φ∪{ϕ}

by the ind. hyp.

= ϕ[JHKden θ{θ(h)⇓Φ∪{ϕ}∪guard(H) /h} ]⇓Φ = Jϕ[H]Kden θ{θ(h)⇓Φ∪guard(ϕ[H]) /h}⇓Φ ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–77

˜ = guard (H ˜ ′ ). Let θ′ = θ{θ(h)⇓Φ′ /h}, —if H = µh′ .H ′ , then h 6= h′ and guard (H) θ′′ = θ{θ(h)⇓Φ∪guard(H ′ )/h}, and: Jµh′ .H ′ Kden θ ⇓Φ = Jµh′ .H ′ Kden θ ′ ⇓Φ = Jµh′ .H ′ Kden θ ′′ ⇓Φ =

G

G

G

f0i (⊥)

f0 (Y ) = JH ′ Kden θ{Y /h′ }⇓Φ

f1i (⊥)

f1 (Y ) = JH ′ Kden θ ′ {Y /h′ }⇓Φ

f2i (⊥)

f2 (Y ) = JH ′ Kden θ ′′ {Y /h′ }⇓Φ

We prove by induction on i that f0i (⊥) = f1i (⊥) = f2i (⊥), for all i ≥ 0. The base case is trivial. For the inductive case, we have that: ⇓ f0i+1 (⊥) = JH ′ Kden θ{f i (⊥)/h′ } Φ 0

= JH ′ Kden ⇓ θ{f i (⊥)/h′ } Φ 1

= JH ′ Kden θ{f i (⊥)/h′ ,θ(h)⇓ 1

= f0i+1 (⊥)

=

⇓Φ

Φ′ /h}

f1i+1 (⊥) JH ′ Kden ⇓ θ{f0i (⊥)/h′ } Φ

= JH ′ Kden ⇓ θ{f i (⊥)/h′ } Φ 2

= JH ′ Kden θ{f i (⊥)/h′ ,θ(h)⇓ 2

⇓Φ

˜ ′ ) /h} Φ∪guard(H

= f2i+1 (⊥)

The following lemma establishes that a history expression H and its regularization H ↓ have the same normal form. Together with Lemma D.13, this will lead to proving that validity is preserved by regularization. den Lemma D.12. For all H and for all θ, JH ↓Kden θ ⇓ = JHKθ ⇓

Proof. For all H, θ, Φ and Υ, we prove the following stronger result. Let Φ0 be the set of all policies contained in Φ, H and θ. If θ(h) ⊆ JhΥKden for all h ∈ fv (H) ∩ dom(Υ), and if Φ ⊆ Φ0 , then: den den JHKden θ ⇓Φ ⊆ JH ↓Φ,Υ Kθ ⇓Φ ⊆ JHΥKθ ⇓Φ

We proceed by induction on |Φ0 | − |Φ|. The base case is when |Φ| = |Φ0 |: since Φ ⊆ Φ0 , it must be Φ = Φ0 . By induction on the structure of H, we have the following cases: —if H = ε, H = !, or H = α(ρ), then H ↓Φ,Υ = H = HΥ, and so the three terms are equal. —if H = h, then h ↓Φ,Υ = h proves the first inclusion. For the second one, let h ∈ dom(Υ) (otherwise hΥ = h and the statement holds trivially). Then, JhKden = θ θ(h) ⊆ JhΥKden . ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–78

·

Massimo Bartoletti et al.

—if H = H0 · H1 , then for all R: den JH0 · H1 Kden  JH1 Kden θ (R)⇓Φ = (JH0 Kθ θ )(R)⇓Φ den = { η0 ⊙ η1 | η0 ∈ JH0 Kden θ (R)⇓Φ , η1 ∈ JH1 Kθ (R ∪ R(η0 ))⇓Φ } den ⊆ { η0 ⊙ η1 | η0 ∈ JH0 ↓Φ Kden θ (R)⇓Φ , η1 ∈ JH1 ↓Φ Kθ (R ∪ R(η0 ))⇓Φ } den = { (η0 ⊙ η1 )⇓Φ | η0 ∈ JH0 ↓Φ Kden θ (R), η1 ∈ JH1 ↓Φ Kθ (R ∪ R(η0 )) }

= JH0 ↓Φ ·H1 ↓Φ Kden θ (R)⇓Φ = J(H0 · H1 ) ↓Φ Kden θ (R)⇓Φ

and for the second inequality:

den = { η0 ⊙ η1 | η0 ∈ JH0 ↓Φ Kden θ (R)⇓Φ , η1 ∈ JH1 ↓Φ Kθ (R ∪ R(η0 ))⇓Φ } den ⊆ { η0 ⊙ η1 | η0 ∈ JH0 ΥKden θ (R)⇓Φ , η1 ∈ JH1 ΥKθ (R ∪ R(η0 ))⇓Φ } den = { (η0 ⊙ η1 )⇓Φ | η0 ∈ JH0 ΥKden θ (R), η1 ∈ JH1 ΥKθ (R ∪ R(η0 )) }

= (JH0 ΥKden  JH1 ΥKden θ θ )(R)⇓Φ = J(H0 · H1 )ΥKden θ (R)⇓Φ

—if H = H0 + H1 , straightforward by the induction hypothesis. —if H = ϕ[H ′ ], then ϕ ∈ Φ = Φ0 , and, by the induction hypotheses and Lemma D.10: ′ den ′ den ′ den ′ den Jϕ[H ′ ] ↓Φ Kden θ ⇓Φ = JH ↓Φ Kθ ⇓Φ ⊇ JH Kθ ⇓Φ = ϕ[JH Kθ ]⇓Φ = Jϕ[H ]Kθ ⇓Φ ′ den ′ den ′ den ′ den Jϕ[H ′ ] ↓Φ Kden θ ⇓Φ = JH ↓Φ Kθ ⇓Φ ⊆ JH ΥKθ ⇓Φ = ϕ[JH ΥKθ ]⇓Φ = Jϕ[H ]ΥKθ ⇓Φ

—if H = µh.H0 , then (µh. H0 ) ↓Φ,Υ = µh. (H0 ↓Φ,Υ{HΥ/h} ), since there is no h ∈ fv (H0 ) guarded by ϕ ∈ / Φ = Φ0 . Let Υ0 = Υ|dom(Υ)\{h} . Then, HΥ = µh.(H0 Υ0 ), and we have that: F JHKden f0 (Y ) = JH0 Kden F0i = f0i (⊥)⇓Φ = i≥0 f0i (⊥) θ θ{Y /h} F den den i JH ↓Φ,Υ Kθ = i≥0 f1 (⊥) f1 (Y ) = JH0 ↓Φ,Υ{HΥ/h} Kθ{Y /h} F1i = f1i (⊥)⇓Φ F f2 (Y ) = JH0 ΥKden F2i = f2i (⊥)⇓Φ JHΥKden = i≥0 f2i (⊥) θ θ{Y /h} We prove, by induction on i, that F0i ⊆ F1i ⊆

F

i≥0

F2i . The base case is trivial.

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–79

For the inductive case, by the induction hypotheses: ⇓ F1i+1 = JH0 ↓Φ,Υ{HΥ/h} Kden θ{F i /h} Φ 1

⇓ ⊇ JH0 ↓Φ,Υ{HΥ/h} Kden θ{F i /h} Φ

by ind. hyp. on i

⇓ = JH0 ↓Φ,Υ{HΥ/h} Kden θ{f i (⊥)/h} Φ

by Lemma D.11

⊇ JH0 Kden ⇓ θ{f i (⊥)/h} Φ

by ind. hyp. on H

0

0

0

= F1i+1

F0i+1

⇓ = JH0 ↓Φ,Υ{HΥ/h} Kden θ{F i /h} Φ 1

⇓Φ ⊆ JH0 ↓Φ,Υ{HΥ/h} Kden den θ{JHΥKθ ⇓Φ /h}

by ind. hyp. on i

⇓Φ = JH0 ↓Φ,Υ{HΥ/h} Kden den θ{JHΥKθ /h}

by Lemma D.11

⇓Φ ⊆ JH0 Υ{HΥ/h}Kden den θ{JHΥKθ /h}

by ind. hyp. on H

⇓Φ = JH0 Υ0 {HΥ/h}Kden den θ{JHΥKθ /h} ⇓Φ = JH0 Υ0 {µh. (H0 Υ0 )/h}Kden den θ{JHΥKθ /h} ⇓Φ = JHΥKden den θ{JHΥKθ /h}

by Lemma B.17

= JHΥKden θ ⇓Φ For the inductive case, let |Φ| = k < |Φ0 |, and assume that the statement holds for sets of policies with size greater than k. We proceed by induction on the structure of H. The cases ε, !, α(r), h, H0 · H1 , H0 + H1 and νn. H ′ are treated similarly to the base case. The other cases follow: —if H = ϕ[H0 ], and ϕ 6∈ Φ, then, by the induction hypothesis: ′ den Jϕ[H ′ ] ↓Φ,Υ Kden θ ⇓Φ = Jϕ[H ↓Φ∪{ϕ},Υ ]Kθ ⇓Φ

= ϕ[JH ′ ↓Φ∪{ϕ},Υ Kden θ ]⇓Φ = JH ′ ↓Φ∪{ϕ},Υ Kden θ ⇓Φ∪{ϕ} ⊇ JH ′ Kden θ ⇓Φ∪{ϕ} = =

by ind. hyp. on |Φ|

ϕ[JH ′ Kden θ ]⇓Φ ′ den Jϕ[H ]Kθ ⇓Φ

′ den Jϕ[H ′ ] ↓Φ,Υ Kden θ ⇓Φ = Jϕ[H ↓Φ∪{ϕ},Υ ]Kθ ⇓Φ

= ϕ[JH ′ ↓Φ∪{ϕ},Υ Kden θ ]⇓Φ = JH ′ ↓Φ∪{ϕ},Υ Kden θ ⇓Φ∪{ϕ} ⊆ JH ′ ΥKden θ ⇓Φ∪{ϕ} = = =

by ind. hyp. on |Φ|

′

ϕ[JH ΥKden θ ]⇓Φ ′ Jϕ[H Υ]Kden θ ⇓Φ ′ den Jϕ[H ]ΥKθ ⇓Φ

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–80

Massimo Bartoletti et al.

The case ϕ ∈ Φ is similar to the base case.

—if H = µh.H0 , then HΥ = µh.(H0 Υ0 ), where Υ0 = Υ|dom(Υ)\{h} . Let H0 = ′ H ′ {h/hj }j , hj fresh, Φj = guard (H ′ ), Zj = JHΥ ↓Φ∪Φj ,Υ Kden θ , and σ (hj ) = h if ′ Φj ⊆ Φ, otherwise σ (hj ) = hj . Then, let:

F F0i = f0i (⊥)⇓Φ f0 (Y ) = JH0 Kden JHKden = f0i (⊥) θ θ{Y /h} F i ′ ′ den den JH ↓Φ,Υ Kθ = f1 (⊥) f1 (Y ) = JH σ ↓Φ,Υ{HΥ/h} Kθ{Y /h,Zj /hj } F1i = f1i (⊥)⇓Φ F JHΥKden = f2i (⊥) f2 (Y ) = JH0 Υ0 Kden F2i = f2i (⊥)⇓Φ θ θ{Y /h}

Note that in the definition of f1 (Y ) we have used Lemma B.16 to take care of the σ resulting from Definition 6.3. Since normalization⇓ is continuous, it suffices to prove that, for all i ≥ 0, F0i ⊆ F i i F1 ⊆ F2 . We proceed by induction on i. The base case is trivial. For the inductive case, we have that:

F1i+1 = JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden ⇓ θ{F i /h,Zj /hj } Φ 1

⊇ JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden ⇓ θ{F i /h,Zj /hj } Φ

ind. hyp. on i

= JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden θ{F i /h,Zj ⇓Φ∪Φ

by Lemma D.11

0

0

= JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden i

θ{F0 /h,JHΥ

j

⇓ /hj } Φ

⇓Φ ↓Φ∪Φj Kden θ ⇓Φ∪Φj /hj }

by Definition Zj

⊇ JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden i

ind. hyp. on |Φ|

= JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kdeni

by Lemma D.11

⊇ JH ′ σ ′ Kdeni

ind. hyp. on H

⇓Φ den θ{F0 /h,JHΥKθ ⇓Φ∪Φj /hj }

⇓Φ den θ{f0 (⊥)/h,JHΥKθ /hj }

⇓Φ den θ{f0 (⊥)/h,JHΥKθ /hj }

⇓ ⊇ JH ′ σ ′ Kden θ{f i (⊥)/h,f i (⊥)/hj } Φ 0

=

0

JH0 Kden ⇓ θ{f0i (⊥)/h} Φ

= F0i+i ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

ind. hyp. on i by Lemma B.16

Local Policies for Resource Usage Analysis

·

App–81

F1i+i = JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden ⇓ θ{F i /h,Zj /hj } Φ 1

⇓Φ ⊆ JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden den θ{JHΥKθ ⇓Φ /h,Zj /hj }

ind. hyp. on i

⇓Φ = JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden den den θ{JHΥKθ ⇓Φ /h,JHΥ ↓Φ∪Φj Kθ /hj }

by Definition Zj

⇓Φ = JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden den den θ{JHΥKθ ⇓Φ /h,JHΥ ↓Φ∪Φj Kθ ⇓Φ∪Φj /hj }

by Lemma D.11

⇓Φ ⊆ JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden den den θ{JHΥKθ ⇓Φ /h,JHΥΥKθ ⇓Φ∪Φj /hj }

ind. hyp. on |Φ|

⇓Φ = JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden den den θ{JHΥKθ ⇓Φ /h,JHΥKθ ⇓Φ∪Φj /hj }

by fv (Υ) = ∅

⇓Φ = JH ′ σ ′ ↓Φ,Υ{HΥ/h} Kden den den θ{JHΥKθ /h,JHΥKθ /hj }

by Lemma D.11

⇓Φ ⊆ JH ′ σ ′ Υ{HΥ/h}Kden den den θ{JHΥKθ /h,JHΥKθ /hj }

ind. hyp. on H

⇓Φ = JH0 Υ{HΥ/h}Kden den θ{JHΥKθ /h}

by Lemma B.16

⇓Φ = JH0 Υ0 {µh. (H0 Υ0 )/h}Kden den θ{JHΥKθ /h}

by Definition Υ0

⇓Φ = JHΥKden den θ{JHΥKθ /h}

by Lemma B.17

= JHΥKden θ ⇓Φ

The next lemma states that normalization preserves the validity of histories. Note that, by Remark C.2, we can always assume that all the framing events [ϕ in a history are followed by the dummy event ι. Summing up, we can conclude that a history expression H is valid if and only if its regularization H ↓ is valid. Lemma D.13. Let η be a history such that if η = η0 [ϕ η1 then η1 = ιη ′ for some η ′ . Then, η is valid if and only if η⇓ is valid. Proof. By induction on the length of η, with the following cases. —η = ε or η = !, trivial. V —η = η¯α(ρ). By Definition D.9, η ⇓= η¯ ⇓ ψ[α(ρ)], where ψ = ap(¯ η ). By Definition 4.5, |= η whenever |= η¯ and η¯−[ ] α(r) |= ϕ for all ϕ ∈ ap(¯ η ). By the induction hypothesis, |= η¯⇓ iff |= η¯. We are left to prove that: ∀ϕ ∈ ap(¯ η ) : η¯−[ ] α(r) |= ϕ ⇐⇒ ′

−[ ]

∀ϕ ∈ ap(¯ η⇓

[ψ α(ρ)) : η¯⇓−[ ] [ψ α(ρ) |= ϕ′

The thesis follows from η¯−[ ] = η¯⇓−[ ] , and ap(¯ η⇓−[ ] [ψ α(ρ)) = ψ. —η = η¯ [ϕ ι, then the proof proceeds as in the previous case, except that the induction hypothesis is now used on η¯. —if η = η¯ ]ϕ , The thesis follows by the induction hypothesis. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–82

·

Massimo Bartoletti et al.

Theorem 6.4. For each history expression H: —H ↓ is defined. —H ↓ has no redundant framings. —H ↓ is valid if and only if H is valid. Proof. By Remark C.2, we assume that each history η represented by H is of the form required by Lemma D.13. The first two items follow directly from Lemmata D.7 and D.8. For the third item, by Lemma D.13 we have that JHKden is valid if and only if JHKden ⇓ is valid. By Lemma D.12, JHKden ⇓= JH ↓Kden ⇓. By Lemma D.13 again, JH ↓Kden ⇓ is valid if and only if JH ↓Kden is valid. Summing up, JHKden is valid if and only if JH ↓Kden is valid. D.2

Framed Automata

Lemma D.14. For each history η, policy ϕ, and resource r: ∃R ⊇ R(η). η
Aϕ(r,R) =⇒ ∀R′ ⊇ R(η). η
Aϕ(r,R′ ) Proof. We prove the contrapositive. Assume that there exists R′ ⊇ R(η) such that η η 6
Aϕ(r,R′ ) , i.e. there is an offending run q0 − → qk of Aϕ(r,R′ ) . For all R ⊇ R(η), we show how to reconstruct an offending run of Aϕ(r,R) on η. Let δR , δ˙R , δ¨R and δR′ , δ˙R′ , δ¨R′ be the sets of transitions (see Definition 3.3) of the automata Aϕ(r,R) and Aϕ(r,R′ ) , respectively. ′

′

α(r ) α(r ) First, we show that, for each r′ ∈ R(η), q −−−→ q ′ in δ¨R′ if and only if q −−−→ q ′ ϑ in δ¨R . Consider an edge q −⊸ q ′ of the usage policy ϕ(x). There are the following exhaustive cases: ′

α(r ) —if ϑ = α(r′ ) with r′ ∈ Ress , then q −−−→ q ′ is in δ¨R′ , as well as in δ¨R . α(r) —if ϑ = α(x), then q −−−→ q ′ is in δ¨R′ , as well as in δ¨R . ′

α(r ) —if ϑ = α(¯ x), then q −−−→ q ′ is in δ¨R′ for all r′ ∈ (R′ ∪ {?}) \ {r}, and it is in δ¨R for all r′ ∈ (R ∪ {?}) \ {r}. Since r′ ∈ R(η), R′ ⊇ R(η), and R ⊇ R(η), then α(r ′ ) q −−−→ q ′ is in δ¨R′ as well as in δ¨R . ′

α(r ) Let r′ ∈ R(η). The above and R(η) ⊆ R, R′ imply q −−−→ q ′ in δ˙R′ if and only if ′ α(r ) q −−−→ q ′ in δ˙R , which in turn implies the thesis.

Lemma 3.4. For all histories η and policies ϕ: η |= ϕ ⇐⇒ ∃r′ ∈ Res \ R(η). ∀r ∈ R(η) ∪ {r′ }. η
Aϕ(r,R(η)) Proof. For the “only if” part, assume that η |= ϕ, i.e. that, for all r¯ ∈ Res, η
Aϕ(¯r,Res) . Choose any r′ ∈ Res\R(η). Given r ∈ R(η)∪{r′ }, we have η
Aϕ(r,Res) . By Lemma D.14, this implies η
Aϕ(r,R(η)) . For the “if” part, we prove the contrapositive. Assume that η 6|= ϕ, i.e. there exists some r¯ ∈ Res such that η 6
Aϕ(¯r,Res) . We now prove that for all r′ ∈ Res\R(η) there is an r ∈ R(η) ∪ {r′ } such that η 6
Aϕ(r,R(η)) . If r¯ ∈ R(η), then we are done by ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–83

choosing r = r¯, because Lemma D.14 implies that η 6
Aϕ(r,R(η)) . If r¯ 6∈ R(η), then for each r′ ∈ Res \ R(η), we let r = r′ and we prove that η 6
Aϕ(r′ ,Res) , which is the η thesis. To do that, consider an offending run q0 − → qk of the automaton Aϕ(¯r,Res) on η. We show how to reconstruct an offending run of Aϕ(r′ ,R(η)) on η. Let δ¨r¯,Res and δ¨r′ ,R(η) be the respective transition sets of these automata, as in Definition 3.3. ′′

α(r ) We will show in a while that, for each r′′ ∈ R(η), q −−−→ q ′ in δ¨r¯,Res if and only ′′ α(r ) if q −−−→ q ′ in δ¨r′ ,R(η) . Similarly to the proof of Lemma D.14, this implies that Aϕ(¯r,Res) and Aϕ(r′ ,R(η)) have the same transitions on the resources in R(η), which concludes the proof. ϑ

Let r′′ ∈ R(η), and consider an edge q −⊸ q ′ of ϕ(x). There are the following exhaustive cases: ′′

α(r ) —if ϑ = α(r′′ ) with r′′ ∈ Ress , then q −−−→ q ′ is in δ¨r¯,Res and in δ¨r′ ,R(η) . —the case ϑ = α(x) does not apply, because r¯, r′ 6∈ R(η), while r′′ ∈ R(η). ′′

α(r ) —if ϑ = α(¯ x), then q −−−→ q ′ is in δ¨r¯,Res if r′′ ∈ (Res ∪ {?}) \ {¯ r} ⊇ R(η), and it is α(r ′′ ) in δ¨r′ ,R(η) if r′′ ∈ (R(η) ∪ {?}) \ {r′ } ⊇ R(η). Since r′′ ∈ R(η), then q −−−→ q ′ is in δ¨r¯,Res as well as in δ¨r′ ,R(η) .

Lemma 6.6. Let η be a history with no redundant framings, and let r′ be an arbitrary resource in Res \ R(η). Then, η is valid if and only if η
Aϕ[ ] (r,R(η)) , for all ϕ occurring in η, and for all r ∈ R(η) ∪ {r′ }. Proof. The statement holds trivially for η = ε, because ε is valid (ap(ε) = {| |}), and ε
Aϕ[ ] (r,R(η)) (indeed, the initial state is in the first layer of the framed automaton, where all the states are non-offending). Let then η = η ′ β, where η ′ = β1 · · · βn . For the “if” part, we proceed by induction on the length of η. Assume that, for all policies ϕ occurring in η, η
Aϕ[ ] (r,R(η)) . Let r′ ∈ Res \ R(η). Since all the offending states in Aϕ[ ] (r,R(η)) are sinks by construction, then η ′
Aϕ[ ] (r,R(η)) . By the induction hypothesis, this implies that η ′ is valid. To prove that also η is valid, we have to consider the following cases on the form of the event β: —if β ∈ Ev, then ap(η) = ap(η ′ ). Let η¯ = η −[ ] = (η ′ )−[ ] β. So, we have to prove that |= η ′ , and η¯ |= ϕ for all ϕ ∈ ap(η ′ ). The first statement follows from the induction hypothesis. For the second statement, assume by contradiction that η¯ η¯ 6|= ϕ. Then, by Lemma 3.4 there is an offending run q¯(0) − → q¯(¯n) of Aϕ(r,R(η)) , ′ for some r ∈ R(η) ∪ {r }. We shall show in a while how to construct an offending η run q (0) − → q (n+1) of Aϕ[ ] (r,R(η)) . First, we introduce some notation. Let Q and Q˙ be respectively the states in the first and in the second layer of Aϕ[ ] (r,R(η)) . Let F and F˙ be the final states in Aϕ(r,R(η)) and in Aϕ[ ] (r,R(η)) . For each state q in Aϕ[ ] (r,R(η)) , let q@Q and q@Q˙ be the projections of q on the first and on second layer. At the first step of our construction for an offending run, let q (0) = q¯(0) . For the remaining steps, we shall scan the history η with the index k, the history η¯ with ¯ and at each step we shall define q (k) . For the k-th step, there are the following k, exhaustive cases: ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–84

Massimo Bartoletti et al.

—if βk = [ϕ , then q (k) ∈ Q, because η has no redundant framings. Let q (k+1) = ˙ By construction (see Definition 6.5), Aϕ (r,R(η)) has a transition q (k) @Q. [] [ϕ

q (k) −→ q (k+1) . ˙ because η has no redundant framings. Moreover, —if βk = ]ϕ , then q (k) ∈ Q, ¯ (k) q¯ 6∈ F , otherwise we have found a (strict) prefix of η that is offending for Aϕ[ ] (r,R(η)) . Let q (k+1) = q (k) @Q. Then, Aϕ[ ] (r,R(η)) can take the transition ]ϕ

q (k) −→ q (k+1) . —if βk = [ϕ′ or βk = ]ϕ′ for some ϕ′ 6= ϕ, then let q (k+1) = q (k) . —otherwise, if βk ∈ Ev, there are the following two subcases: ¯ —if q (k) ∈ Q, then choose q (k+1) = q¯(k+1) . ¯ ˙ then q¯(k) 6∈ F : otherwise, we have found a (strict) prefix of —if q (k) ∈ Q, η that is offending for Aϕ[ ] (r,R(η)) . Therefore, Aϕ(r,R(η)) has a transition ¯

β¯

¯

¯

k ˙ Then, Aϕ (r,R(η)) has the transition q¯(k+1) . Let q (k+1) = q¯(k+1) @Q. q¯(k) −→ []

βk

q (k) −→ q (k+1) . η

We have then constructed a run q (0) − → q (n+1) of Aϕ[ ] (r,R(η)) . Since ϕ ∈ ap(η), then in η the scope of ϕ has been entered but not exited. Thus, q (n+1) is in the second layer of Aϕ[ ] (r,R(η) . The state q (n+1) is offending, because q¯k ∈ F . This yields the expected contradiction. —if β = ]ϕ , then ap(η) ⊆ ap(η ′ ), so the induction hypothesis suffices. —if β = [ϕ , then ap(η) = ap(η ′ ) ∪ {|ϕ|}. Thus, η is valid if η ′ is valid (which is true by the induction hypothesis), (η ′ )−[ ] |= ϕ′ for all ϕ′ ∈ ap(η ′ ), and (η ′ )−[ ] |= ϕ. Similarly to the case β ∈ Ev, we can prove that the hypothesis (η ′ )−[ ] 6|= ϕ leads to a contradiction, i.e. that η 6|= Aϕ[ ] (r,R(η)) for some r ∈ R(η) ∪ {r′ } and r′ ∈ Res \ R(η). For the “only if” part, assume that η is valid. We proceed by induction on the length of η. The base case η = ε is trivial. For the inductive case, assume that η = η ′ β. We consider the following cases on the form of the event β: —if β ∈ Ev, then ap(η) = ap(η ′ ). Let η¯ = η −[ ] = (η ′ )−[ ] β. Since η is valid, then Lemma 4.6 implies that η ′ is valid. Also, η¯ |= ϕ for all ϕ ∈ ap(η). From the first fact, the induction hypothesis implies that η ′
Aϕ′[ ] (r,R(η)) for all ϕ′ ∈ η ′ . By contradiction, assume that η 6
Aϕ[ ] (r,R(η) for some ϕ, i.e. η drives Aϕ[ ] (r,R(η)) to η′

β

→ an offending state (note that any run on η ′ is non-offending). Let q (0) −→ q (n) − q (n+1) be such an offending run, with q (n+1) @Q ∈ F . We now show that this contradicts the hypothesis η¯ |= ϕ. To do that, we construct an offending run (η ′ )−[ ]

β

q¯(0) −−−−→ q (¯n) − → q (¯n+1) of Aϕ(r,R(η)) on η¯. At the first step of this construction, let q¯(0) = q (0) . For the remaining steps, ¯ and at each we shall scan the history η with the index k, the history η¯ with k, ¯ (k) step we shall define q¯ . For the k-th step, Since framing events are not present in η¯ = η −[ ] , it suffices to deal with the case βk ∈ Ev. Consider the transition βk ¯ q (k) −→ q (k+1) in Aϕ[ ] (r,R(η)) . Let q¯(k+1) = q (k+1) @Q. Then, Aϕ(r,R(η)) has the ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis ¯

β¯

¯

·

App–85

¯

k q¯(k+1) . Since q¯(k+1) = q (n+1) @Q ∈ F , we have then found an transition q¯(k) −→ offending run of Aϕ(r,R(η)) on η −[ ] – contradiction. —if β = [ϕ , then ap(η) = ap(η ′ ) ∪ {|ϕ|}. Since η is valid, then Lemma 4.6 implies that η ′ is valid. Also, η −[ ] |= ϕ′ for all ϕ′ ∈ ap(η ′ ), and η −[ ] |= ϕ. From the first fact, the induction hypothesis implies that η ′
Aϕ′[ ] (r,R(η)) for all ϕ′ ∈ η ′ . If ϕ′ 6= ϕ, then appending the framing event [ϕ to η ′ results in a self-loop in Aϕ′[ ] (r,R(η)) , and so η
Aϕ′[ ] (r,R(η)) . If ϕ′ = ϕ, then (similarly to the previous case

β ∈ Ev) we use the fact that η −[ ] |= ϕ in a contrapositive argument, to show that there cannot be offending runs of Aϕ[ ] (r,R(η)) on η. —if β = ]ϕ , then ap(η) = ap(η ′ ) \ {|ϕ|}. For all ϕ′ , the automaton Aϕ′[ ] (r,R(η)) has an edge labelled ]ϕ′ from the second to the first layer, which has no offending states. Therefore, since η ′
Aϕ′[ ] (r,R(η)) , then the event β results in a transition to the first layer, and so η
Aϕ′[ ] (r,R(η)) . D.3

Model-checking validity

Definition D.15. We say that a history η is well-formed (wf (η) in symbols) if either η = ε, or, if η = η ′ α(r), then: wf (η ′ ) ∧ (α = new =⇒ r ∈ Resd ∧ r 6∈ η ′ ) ∧ (α 6= new =⇒ r ∈ Ress ∨ new(r) ∈ η ′ ) Lemma D.16. For all e and well-formed η, if η, e →∗ η ′ , e′ then η ′ is wellformed. Proof. An inspection of the rules

E-Ev1

and

E-New

in Definition 3.6 suffices.

Lemma D.17. For all H and R such that { r | new(r) ∈ H } ⊆ Resd and { r | α(r) ∈ H } ⊆ R, if η ∈ JHKop (R) then η is well-formed. Proof. Simple inspection of the first two rules in Definition B.1. Lemma D.18. For each well-formed history η with # 6∈ R(η), policy ϕ, resource r, and name-collapsing σ such that σ(r) 6= : (a) if σ −1 (#) ⊆ {r, #} (i.e., only r and # are mapped to # by σ), then: η
Aϕ(r,R(η)) ⇐= ησ
Aϕ(rσ,R(ησ)) (b) if ησ
A# and r ∈ R(η), then: η
Aϕ(r,R(η)) =⇒ ησ
Aϕ(rσ,R(ησ)) (c) if r 6∈ R(η) ∪ R(ησ), then: η
Aϕ(r,R(η)) =⇒ ησ
Aϕ(r,R(ησ)) Proof. Let η = β1 · · · βk . Below, we shall refer to transition sets of the automaton Aϕ(r,R) as δr,R , δ˙r,R and δ¨r,R . (see Definition 3.3). For (D.18a), we prove the contrapositive. Assume that η 6
Aϕ(r,R(η)) . Then, there exists an offending run of Aϕ(r,R(η)) on η: β0

β1

βk−1

q0 −→ q1 −→ · · · −−−→ qk ∈ F ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–86

·

Massimo Bartoletti et al.

We now show how to construct an offending run of Aϕ(rσ,R(η)σ) on ησ. Consider a βi

transition qi −→ qi+1 , for i ≥ 0. There are three cases, according to Definition 3.3: either this transition was introduced by the relation δ¨r,R(η) , or it was introduced as a self loop by δ˙r,R(η) , or as an unknown-resource transition by δr,R(η) . βi ¨ We We consider first the case in which qi −→ qi+1 comes from the relation δ. have three subcases. α(x)

—the transition comes from instantiating qi −⊸ q ′ , and βi = α(r). The thesis comes from instantiating x with rσ. α(¯ x)

—the transition comes from instantiating qi −⊸ q ′ , and βi = α(r′ ) with r′ ∈ (R(η)∪ {?})\{r}. To instantiate x ¯ with r′ σ, we must prove that r′ σ ∈ (R(ησ)∪{?})\{rσ}. ′ Since r σ ∈ R(ησ) ∪ {?} is trivially implied by the above, it suffices to check r′ σ 6= rσ. There are the following cases. —If r = #, since r′ 6= r then r′ σ 6= # = rσ by the hypothesis of (a). —If r ∈ Ress , we have rσ = r 6= r′ = r′ σ. —If r ∈ Resd , since by hypothesis rσ 6= then rσ = #. By the hypothesis of (a), r 6= r′ implies r′ σ 6= # = rσ. α(r ′ )

—the transition comes from qi −⊸ q ′ for some r′ ∈ Ress and βi = α(r′ ). Since βi σ = βi , the thesis trivially holds. βi If instead the transition has been introduced by δ˙ as a self-loop, then ∄q ′ . qi −→ β σ i q ′ ∈ δ¨r,R(η) . To show that there is a corresponding self-loop qi −−→ qi+1 in δ˙rσ,R(η)σ , βi σ we show that ∄q ′ . qi −−→ q ′ ∈ δ¨rσ,R(η)σ . We proceed by proving the contrapositive. There are the following three cases. α(x)

—the transition comes from instantiating qi −⊸ q ′ , and βi σ = α(rσ). We have that βi = α(r′ ) for some r′ , and therefore rσ = r′ σ. We have the following three cases. —If r = #, then by the hypothesis of (a) we obtain r′ = # which implies the thesis. —Otherwise, if r ∈ Ress , then rσ = r = r′ σ and so r′ = r. —Otherwise, since r ∈ Resd and rσ 6= by hypothesis, we must have rσ = # = r′ σ. By the hypothesis of (a) there is only one such r. Thus, r = r′ , which implies the thesis. α(¯ x)

—the transition comes from instantiating qi −⊸ q ′ , and βi σ = α(r′′ ) with r′′ ∈ (R(ησ) ∪ {?}) \ {rσ}. We have that βi = α(r′ ) for some r′ such that r′ σ = r′′ , and r′ σ 6= rσ, which implies r′ 6= r. From this and r′ ∈ R(η), we can instantiate x ¯ with r′ to build a corresponding transition in δ¨r,R(η) . α(r ′ )

—the transition comes from qi −⊸ q ′ with r′ ∈ Ress , βi = α(r′ ), and r′ σ = r′ . The thesis trivially holds. βi

The above settles the cases in which the transition qi −→ qi+1 has been introduced ˙ If instead the transition has been introduced as an unknown-resource by δ¨ or by δ. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–87

transition by δ, then βi = α(?) was derived from a transition labelled α(r′ ), for some r′ ∈ R(η), in the relation δ˙r,R(η) . By the above, there exists a corresponding α(rσ) α(?) transition qi −−−→ qi+1 in δ˙rσ,R(η)σ . Therefore, we have a transition qi −−−→ qi+1 in δrσ,R(η)σ . The proof of (D.18b) is similar, by contrapositive. Assume that ησ 6
Aϕ(rσ,R(η)σ) . Then, there exists an offending run of Aϕ(rσ,R(η)σ) on ησ: β0 σ

β1 σ

βk−1 σ

q0 −−→ q1 −−→ · · · −−−−→ qk ∈ F We now show how to construct an offending run of Aϕ(r,R(η)) on η. Consider a βi σ

transition qi −−→ qi+1 , for i ≥ 0. There are three cases, according to Definition 3.3: either this transition was ¨ or it was introduced as a self loop by δ, ˙ or as an introduced by the relation δ, unknown-resource transition by δ. βi σ We first consider the case in which qi −−→ qi+1 comes from the relation δ¨rσ,R(η)σ . We have three subcases. α(x)

—the transition comes from instantiating qi −⊸ q ′ , and βi σ = α(rσ). So, βi = α(r′ ) with rσ = r′ σ. If r′ ∈ Ress , this implies r = r′ , and the thesis comes from instantiating x with rσ. Otherwise r′ ∈ Resd , and so r ∈ Resd . Since rσ 6= , we must have r′ σ = rσ = #. We now show r = r′ , which implies the thesis. If r 6= r′ , by the well-formedness of η, we have two distinct events new(r) and new(r′ ) in η. This would imply that we have a duplicate new(#) in ησ, and thus ησ 6
A# , contradicting the hypothesis. α(¯ x)

—the transition comes from instantiating qi −⊸ q ′ , and βi σ = α(r′ ) for some r′ ∈ R(η) such that r′ σ ∈ (R(η)σ ∪ {?}) \ {rσ}. Similarly to the previous case, this implies that r′ 6= r. So, we can instantiate x ¯ with r′ , and obtain the thesis. α(r ′ )

—the transition comes from qi −⊸ q ′ for some r′ ∈ Ress and βi = α(r′ ). Since βi σ = βi , the thesis trivially holds. βi σ If the transition has been added as a self-loop by δ˙rσ,R(η)σ , then ∄q ′ . qi −−→ q ′ ∈ δ¨rσ,R(η)σ . To show that there is a corresponding self-loop in δ˙r,R(η) , we show that βi ∄q ′ . qi −→ q ′ ∈ δ¨r,R(η) . We proceed by proving the contrapositive. There are the following three cases. α(x)

—the transition comes from qi −⊸ q ′ , and βi = α(r). Since r ∈ R(η) by the βi σ hypotheses of (b), then rσ ∈ R(ησ), and so qi −−→ q ′ ∈ δ¨rσ,R(ησ) . α(¯ x)

—the transition comes from qi −⊸ q ′ , and βi = α(r′ ) with r′ ∈ (R(η) ∪ {?}) \ {r}. If r′ ∈ Ress , then βi = βi σ which implies the thesis. If r′ ∈ Resd , we have either r′ σ = or r′ σ = #. In the first case, since rσ 6= by hypothesis, we have that r′ σ ∈ (R(ησ)∪{?})\{rσ}, so we can instantiate x ¯ with r′ σ. In the second case, we have rσ 6= #: otherwise, the well-formedness of η would imply that both new(r) and new(r′ ) occur in η, so there would be two new(#) in ησ, so contradicting ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–88

·

Massimo Bartoletti et al.

the hypothesis ησ
A# . Therefore, we have r′ σ ∈ (R(ησ) ∪ {?}) \ {rσ}, which implies the thesis. α(r ′ )

—the transition comes from qi −⊸ q ′ and βi = α(r′ ) with r′ σ = r′ ∈ Ress . The thesis trivially holds. If instead the transition has been introduced as an unknown-resource transition α(r ′ ) by δrσ,R(ησ) , then βi σ = α(?)σ = α(?) has been derived from a transition qi −−−→ qi+1 in δ˙rσ,R(ησ) , for some r′ ∈ R(ησ). By the above, there exists a corresponding ′′

α(r ) transition qi −−−→ qi+1 in δ˙r,R(η) , for some r′′ such that r′ σ = r′′ . Therefore, we α(?)

have a transition qi −−−→ qi+1 in δr,R(η) . For (D.18c), again we prove the contrapositive. Assume that ησ 6
Aϕ(r,R(η)σ) . Then, there exists an offending run of Aϕ(r,R(η)σ) on ησ: β0 σ

β1 σ

βk−1 σ

q0 −−→ q1 −−→ · · · −−−−→ qk ∈ F We now show how to construct an offending run of Aϕ(r,R(η)) on η. Consider a βi σ

transition qi −−→ qi+1 , for i ≥ 0. Similarly to the above items, we deal with the following cases. βi σ If qi −−→ qi+1 has been introduced by δ¨r,R(η)σ , there are three subcases. α(x)

—the transition comes from qi −⊸ q ′ , and βi σ = α(r). This contradicts the assumption r 6∈ R(ησ). α(¯ x)

—the transition comes from qi −⊸ q ′ , and βi σ = α(r′ ) for some r′ such that r′ ∈ (R(ησ) ∪ {?}) \ {r}. Then, βi = α(r′′ ), for some r′′ ∈ R(η) such that r′′ σ = r′ . Since r 6∈ R(η) by the hypotheses of (c), then r′′ 6= r. Therefore r′′ ∈ (R(η) ∪ {?}) \ {r}. α(r ′ )

—the transition comes from qi −⊸ q ′ for some r′ ∈ Ress and βi σ = α(r′ ). Since βi σ = βi , the thesis trivially holds. βi σ If the transition is a self-loop, then ∄q ′ . qi −−→ q ′ ∈ δ¨r,R(η)σ . To show that there βi is a corresponding self-loop qi −→ qi+1 in δ˙r,R(η) , we show by contrapositive that βi ∄q ′ . qi −→ q ′ ∈ δ¨r,R(η) . We have three cases. α(x)

—the transition comes from qi −⊸ q ′ , with βi = α(r). This contradicts the assumption r 6∈ R(η). α(¯ x)

—the transition comes from qi −⊸ q ′ , and βi = α(r′ ) for some r′ ∈ (R(η)∪{?})\{r}. This implies that r′ σ ∈ R(ησ) ∪ {?}. Since r 6∈ R(ησ) by the hypotheses of (c), then r′ σ 6= r. Thus, r′ σ ∈ (R(ησ) ∪ {?}) \ {r}. α(r ′ )

—the transition comes from qi −⊸ q ′ with βi = α(r′ ) and r′ σ = r′ ∈ Ress . The thesis trivially holds.

ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–89

Definition D.19. Le R be a binary relation over BPAs. We say that R is a bisimulation if and only if, whenever P RQ: a

a

—if P − → P ′ , then there exists Q′ such that Q − → Q′ and P ′ RQ′ , and a a ′ ′ —if Q − → Q , then there exists P such that P − → P ′ and P ′ RQ′ . We say that P is bisimilar to Q (P ∼ Q in symbols) when there exists a bisimulation R such that P RQ. Lemma D.20. Bisimulation between BPAs is an equivalence relation. Moreover, for all BPAs P, Q, R and substitution σ: (20a)

P ∼ Q =⇒ P σ ∼ Qσ

(20b)

P ∼ Q =⇒ P · R ∼ Q · R

Proof. Item (D.20a) is trivially true. To prove (D.20b), it suffices noting that if P ∼ 0, then P = 0. Definition D.21. Let ς be a substitution from BPA variables to BPA variables, and let P = hp, ∆i be a BPA. We say that ς is a coherent renaming of P when ∆ς is coherent. Lemma D.22. Let ς be a coherent renaming of P . Then, P ∼ P ς. Proof. It is straightforward to check that the relation { hP, P ςi | P is a BPA } is a bisimulation. Lemma D.23. For all H, H ′ , h′ and Θ, there exists a coherent renaming ς of B(H{H ′ /h′ })Θ such that ς is the identity on the BPA variables in Θ, and: B(H{H ′ /h′ })Θ ς = B(H)Θ{B(H ′ )Θ /h′ } where B(H)Θ{hp,∆i/h} is a shorthand for hp′ , ∆ + ∆′ i if B(H)Θ{p/h} = hp′ , ∆′ i. Proof. By induction on the structure of H. The base cases H = ε, α(r), h and the inductive cases H = H0 · H1 , H = H0 + H1 , H = νn. H ′′ and H = ϕ[H ′′ ] are straightforward. Consider H = µh. H ′′ . If h = h′ , trivial. Otherwise: B(H{H ′ /h′ })Θ = hX, {X , p} + ∆i

where hp, ∆i = B(H ′′ {H ′ /h′ })Θ{X/h}

B(H)Θ{B(H ′ )Θ /h′ } = hX, {X , p′ } + ∆′ i where hp′ , ∆′ i = B(H ′′ )Θ{X/h, B(H ′ )Θ /h′ } (note that we can choose the fresh variable X in both the equations). By the induction hypothesis, there exists a renaming ς coherent with B(H ′′ {H ′ /h′ })Θ{X/h} , such that ς leaves the variables in Θ{X/h} untouched (thus Xς = X), and: B(H ′′ {H ′ /h′ })Θ{X/h} ς = B(H ′′ )Θ{X/h,B(H ′ )Θ /h′ } i.e. pς = p′ and ∆ς = ∆′ . Therefore, it follows that: B(H{H ′ /h′ })Θ ς = hX, {X , p} + ∆i ς = hXς, {Xς , pς} + ∆ςi = hX, {X , p′ } + ∆′ i = B(H)Θ{B(H ′ )Θ /h′ } ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

·

App–90

Massimo Bartoletti et al.

Lemma D.24. Let H be an closed history expression, and let σ be a namecollapsing substitution. Then, for all a and H ′ : (D.24a)

a

aσ

H− → H ′ =⇒ ∀P ∼ B(H)σ. ∃P ′ ∼ B(H ′ )σ : P −−→ P ′

Moreover, if H is initial, then, for all η and H ′ : (D.24b)

η

ησ

H− → H ′ =⇒ ∃P ′ : B(H) −−→ P ′

Proof. For (D.24a), we proceed by induction on the structure of H. —H = ε. Trivial case, since ε is a final configuration. —H = α(r), with r ∈ Res ∪ {?}. Then a = α(r), and H ′ = ε. By hypothesis, α(r)σ

P ∼ B(H)σ = α(r)σ. By Definition D.19, P −−−→ P ′ , with P ′ ∼ 0. Then, P ′ ∼ B(H ′ )σ = 0. —H = νn.H ′′ . Then a = ε, and H ′ = H ′′ {r/n}, with r ∈ Resd . By hypothesis, P ∼ B(H)σ = B(H ′′ { /n})σ + B(H ′′ {#/n})σ. Since r is a dynamic resource and σ is name-collapsing, there are two subcases, i.e. either σ(r) = # ε or σ(r) = . If σ(r) = #, then, by Definition D.19, P − → P ′ ∼ B(H ′′ {#/n})σ = B(H ′′ {r/n})σ = B(H ′ )σ. The case σ(r) = is similar. —H = ϕ[H ′′ ] = [ϕ ·H ′′ ·]ϕ . This case is treated as the case H0 · H1 below. —H = H0 · H1 . There are two subcases, i.e. H0 = ε or H0 6= ε. ε If H0 = ε, then a = ε, H ′ = H1 , and P ∼ B(H)σ. Since B(H)σ = 0 · B(H ′ )σ − → ε B(H ′ )σ, by bisimilarity there exists P ′ ∼ B(H ′ )σ such that P − → P ′. a′

Otherwise, let H0 6= ε, and assume H0 −→ H0′ . Then, a = a′ , H ′ = H0′ · H1 , and P ∼ B(H)σ = B(H0 )σ · B(H1 )σ. Let P0 = B(H0 )σ. By the induction aσ hypothesis, there exists P0′ ∼ B(H0′ )σ such that P0 −−→ P0′ . Let P ′ = P0′ ·B(H1 )σ. aσ Then, P ∼ P0 · B(H1 )σ −−→ P0′ · B(H1 )σ = P ′ . By Lemma D.20b, it follows that P0′ · B(H1 )σ ∼ B(H0′ )σ · B(H1 )σ = B(H ′ )σ. —H = H0 + H1 . Then, a = ε, and there are two further subcases for H ′ , i.e. either H ′ = H0 or H ′ = H1 . By hypothesis, P ∼ B(H)σ = B(H0 )σ + B(H1 )σ. If ε H ′ = H0 , then P − → P ′ ∼ B(H0 )σ = B(H ′ )σ. The second case is similar. —H = µh. H ′′ . Then, a = ε, and H ′ = H ′′ {H/h}. Let P ∼ B(µh. H ′′ )σ = hX, {X , p} + ∆iσ, where hp, ∆i = B(H ′′ ){X/h} . By Definition D.19, since ε ε hX, {X , p} + ∆iσ − → hp, {X , p} + ∆iσ, then, for some BPA P ′ , P − → P′ ∼ hp, {X , p} + ∆iσ. Note that: hp, {X , p} + ∆iσ = B(H ′′ ){X/h} σ ∪ {X , p}σ = B(H ′′ ){B(H)/h} σ By Lemma D.23, it follows that: B(H ′′ {H/h})ς = B(H ′′ ){B(H)/h} for some renaming ς coherent with B(H ′′ {H/h}). Then, by Lemma D.22: B(H ′′ {H/h})ς ∼ B(H ′′ {H/h}) = B(H ′ ) Summing up, Lemmata D.20a and D.20d allow us to conclude that: P ′ ∼ hp, {X , p} + ∆iσ ∼ B(H ′ )σ ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

Local Policies for Resource Usage Analysis

·

App–91

For (D.24b) it suffices to use (D.24a) in an inductive argument. For the first step we pick P = B(H): indeed, B(H)σ = B(H) because H is initial. Lemma D.25. Let H be a closed history expression, and let σ be a name-collapsing substitution, mapping infinitely many resources to # and infinitely many to . Then, for each a, each P and P ′ : a

b

(D.25a) P ∼ B(H)σ ∧ P − → P ′ =⇒ ∃H ′ , b.(H − → H ′ ∧ P ′ ∼ B(H ′ )σ ∧ bσ = a) Moreover, if H is initial, then for each η¯ and P : (D.25b)

η¯

η

B(H) − → P =⇒ ∃H ′ , η. (H − → H ′ ∧ η¯σ = η)

Proof. For (D.25a), we proceed by induction on the structure of H. —If H = ε, then B(H)σ = 0 has no transitions. α(r)σ

—If H = α(r), then a = α(r)σ and B(H)σ −−−→ 0 ∼ P ′ . The thesis holds for H ′ = ε. —If H = νn.H ′′ , then P ∼ B(H)σ = B(H{#/n})σ + B(H{ /n})σ. In both a a cases, we have a = ε. So, either B(H)σ − → B(H ′′ {#/n})σ or B(H)σ − → B(H ′′ { /n})σ. ε If B(H)σ − → B(H ′′ {#/n})σ, we have P ′ ∼ B(H ′′ {#/n})σ. Choose a fresh r ∈ Resd such that rσ = #: this is possible because there is an infinite number ε of such resources. Then, we let H ′ = H ′′ {r/n}. Then, we have H − → H ′ and P ′ ∼ B(H ′ )σ. ε If B(H)σ − → B(H ′′ { /n})σ, we proceed in a similar way. —If H = ϕ[H ′′ ] = [ϕ ·H ′′ ·]ϕ , then this is a subcase of the case H = H0 · H1 . —If H = H0 · H1 , we have two further subcases: —If H0 = ε, then P ∼ B(H0 )σ · B(H1 )σ = 0 · B(H1 )σ. So, a = ε and P ′ ∼ B(H1 )σ. The thesis follows choosing H ′ = H1 . —If H0 6= ε, then P ∼ B(H0 )σ · B(H1 )σ, with B(H0 )σ 6= 0. So, we must have a a that B(H0 )σ · B(H1 )σ − → P ′′ · B(H1 )σ with B(H0 )σ − → P ′′ and P ′ ∼ P ′′ · B(H1 )σ. The induction hypothesis (with H = H0 and P = B(H0 )σ) implies b

that there exists some H0′ such that H0 − → H0′ and P ′′ ∼ B(H0′ )σ with bσ = a. ′′ ′ By Lemma D.20b, P · B(H1 )σ ∼ B(H0 )σ · B(H1 )σ. Let H ′ = H0′ · H1 : then b

H = H0 ·H1 − → H ′ . Moreover P ′ ∼ P ′′ ·B(H1 )σ ∼ B(H0′ )σ·B(H1 )σ = B(H ′ )σ. —If H = H0 + H1 , then P ∼ B(H0 )σ + B(H1 )σ. So we have a = ε, and either P ′ ∼ B(H0 )σ or P ′ ∼ B(H1 )σ. In the first case, we choose H ′ = H0 , while in the second H ′ = H1 . Then the thesis trivially holds. —If H = µh. H ′′ , then P ∼ B(H)σ = hX, {X , p} + ∆iσ, where hp, ∆i = B(H ′′ ){X/h} . From hX, {X , p} + ∆iσ there is only one transition, going to hp, {X , p} + ∆iσ. We must then have a = ε, and P ′ ∼ hp, {X , p} + ∆i. ε Let H ′ = H ′′ {H/h}. Clearly, H − → H ′ . By Lemma D.23 there is some coherent renaming ς such that B(H ′′ {H/h})ς = B(H ′′ ){B(H)/h} . So, by Lemma D.22, ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.

App–92

·

Massimo Bartoletti et al.

B(H ′′ {H/h}) ∼ B(H ′′ {H/h})ς. Then: B(H ′ )σ = B(H ′′ {H/h})σ ∼ B(H ′′ ){B(H)/h} σ = B(H ′′ ){hX,{X,p}+∆i/h} σ = hp, {X , p} + ∆ + {X , p} + ∆iσ = hp, {X , p} + ∆iσ ∼ P ′ For D.25(b), we proceed by induction on the number of transitions. Just note that at the first step B(H)σ = B(H), since H is initial. Theorem 6.13. An initial history expression H is valid if and only if, for all Aϕ[ ] (r,R) ∈ Φ(H): JB(H ↓)K
Aϕ[ ] (r,R) W A# Proof. For the “if” case (soundness), we prove the contrapositive. Assume H is not valid. By Theorem 6.4, H ↓ is not valid. By Lemma 6.6, let η ∈ JHKop (∅) be such that η 6
Aϕ[ ] (r,R) for some Aϕ[ ] (r,R) in Φ(H). Let σ be a name-collapsing substitution such that σ(#) = #, σ(r) = # and σ(r′ ) = for all the other dynamic resources r′ . Note that this σ satisfies the hypothesis of Lemma D.18(a). Since H is ησ initial, then # does not occur in H, so # 6∈ R(η). By Lemma D.24(b), B(H) −−→ P ′ , for some P ′ . By Lemma D.18(a), η 6
Aϕ[ ] (r,R(η)) implies that ησ 6
Aϕ[ ] (#,R(ησ)) . Since R(ησ) ⊆ R(H), by Lemma D.14 it follows that ησ 6
Aϕ[ ] (#,R(H)) . By Definition 6.9, Aϕ[ ] (#,R(H)) ∈ Φ(H). The “unique witness” policy A# is satisfied by η, because H can generate only well-formed histories, by Lemma D.17. Therefore, ησ 6
Aϕ[ ] (#,R(H)) W A# . For the “only if” part (completeness) we prove the contrapositive. Let η¯ ∈ JB(H ↓)K be such that η¯
A# and η¯ 6
Aϕ[ ] (r,R(H)) for some r ∈ H or r = #. Let σ be a name-collapsing substitution such that σ(r) 6= and such that there are infinitely many resources mapped to # and infinitely many mapped to . By η Lemma D.25(b), H ↓, ∅ − → H ′ , R′ , for some H ′ , R′ and η such that ησ = η¯. Since H is initial, then rσ = r and R(H)σ = R(H). We can then rephrase η¯ 6
Aϕ[ ] (r,R(H)) as ησ 6
Aϕ[ ] (rσ,R(H)σ) . Since R(ησ) ⊆ {r ∈ R(η)∩Ress }∪{#, } ⊆ R(H) = R(H)σ, by Lemma D.14 it follows that ησ 6
Aϕ[ ] (rσ,R(ησ)) . We have the following three exhaustive cases on r: —If r = # 6∈ ησ, by Lemma D.18(c) then η 6
Aϕ[ ] (#,R(η)) . —If r = # ∈ ησ, then α(#) occurs in ησ, for some action α. This implies that, for some dynamic r′ , α(r′ ) occurs in η and r′ σ = #. By Lemma D.18(b), η 6
Aϕ[ ] (r′ ,R(η)) . —Otherwise, # 6= r, then r ∈ Ress and we have two further subcases. If r ∈ R(η), by Lemma D.18(b) η 6
Aϕ[ ] (r,R(η)) . Otherwise r 6∈ R(η), which implies r 6∈ R(ησ) and then by Lemma D.18(c), η 6
Aϕ[ ] (r,R(η)) . In all the cases above, we have found an r′ such that η 6
Aϕ[ ] (r′ ,R(η)) . Therefore, from Lemma 6.6 it follows that H ↓ is not valid, and so by Theorem 6.4 we conclude that H is not valid. ACM Transactions on Programming Languages and Systems, Vol. , No. , 20.