Adjunct Elimination in Context Logic for Trees

1. Adjunct Elimination in Context Logic for Trees Cristiano Calcagno Thomas Dinsdale-Young Philippa Gardner Imperial College, London

2. Context Logic • Ambient Logic (Cardelli, Gordon) is a logic for reasoning about static properties of node-labelled, unranked trees (e.g. Firewalls, XML data) • Separation Logic (O’Hearn, Reynolds, Yang) is a logic for local reasoning about dynamic heap update • Context Logic evolved from these two as a logic for local reasoning about dynamic tree update • Talks both about trees and contexts into which they may be placed

4. u[P]

6. P1 | P2

8. K(P)

10. K  P

12. P1  P2

13. Adjoints • The adjoints allow us to reason hypothetically about an extended object • They are essential for expressing weakest preconditions • But for closed formulae, the adjoints add no expressive power to Separation Logic (Lozes) and Ambient Logic (Lozes, and later Dawar, Gardner, Ghelli)

14. Adjunct Elimination • Intuition: • adjoints make us reason about trees that are bigger than the ones we are actually interested in • we would expect that any property expressed in terms of these hypothetical trees could be expressed without them • In Context Logic for Trees, one of the adjoints () can also be eliminated, but the other () cannot (Dinsdale-Young)

15. Non-eliminability of  • Trees can be split arbitrarily into a context and subtree • Using , we can fill the context hole and then split it as a tree • We cannot split an arbitrary subtree (or subcontext) from a context

16. Counterexample • The formula 0 True(u[0]) • Expresses “putting the empty tree into the context hole gives a tree that has a leaf u” • Distinguishes ci from di for all i • There is no formula without adjoints that can express this property

17. Context Logic with Composition • Adding context composition “fixes” the counterexample – we can now split contexts • Not yet proved adjunct elimination • Still can’t split contexts in the same way as trees

23. Multi-holed Context Logic for Trees

24. Ehrenfeucht-Fraïssé Games • We prove adjunct elimination using ranked games • Played between Spoiler and Duplicator • On two tree contexts • Moves correspond with logical connectives • Rank determines which moves may be played and ensures termination • Spoiler’s aim is to demonstrate a difference between the two trees. Duplicator’s aim is to prevent this. • The games are sound and complete: Spoiler has a winning strategy if and only if the trees can be distinguished by a formula of the game rank (of which there are finitely many)

25. Games • Spoilerstarts each round by choosing a move to play (providing that the rank and rules allow it) and one of the context-environment pairs • The rules for the move determine what happens

26. Game Moves

27. CMP move

28. CMP move

29. CMP move

30. CMP move

31. CMP move

32. CMP move

33. Game Moves

34. RIG move

35. RIG move

36. RIG move

37. RIG move

38. RIG move

39. RIG move

40. RIG move

41. RIG move

42. Adjunct Elimination • We prove that whenever Spoiler has a winning strategy using adjunct moves he also has one without using adjunct moves • By soundness and completeness of games, this implies adjunct elimination

43. Key Result • We need to show: If Duplicator can win when Spoiler plays no adjunct moves then Duplicator can also win when Spoiler plays adjunct moves • We show how Duplicator responds to one adjunct move (LEF or RIG) • The result follows by induction

50. Key Result