Dieses Kapitel präsentiert eine umfassende Analyse von Brookes denotationaler Semantik des gemeinsamen Staates, wobei der Schwerpunkt auf seiner Zersetzung mittels algebraischer Effekte liegt. Das Modell zeichnet sich durch seine Kompositionalität, Vielseitigkeit und ein hohes Maß an Abstraktion aus, was es zu einem Eckpfeiler der denotationalen Semantik für Sprachen mit Nebenwirkungen macht. Die Autoren stellen eine zweisortierte algebraische Theorie vor, die das Modell in Schichten zerlegt, die unterschiedliche Arten der Interaktion zwischen einem Programmfragment und seiner gleichzeitigen Umgebung repräsentieren. Diese Zersetzung ermöglicht einen modulareren und prinzipienbasierteren Ansatz, um über den gleichzeitigen gemeinsamen Zustand nachzudenken, und adressiert die Beschränkungen früherer Modelle. Das Kapitel untersucht auch die Darstellung des Brookes-Modells anhand von Spurensätzen und bietet einen detaillierten Vergleich mit anderen Ansätzen, wobei die einzigartigen Vorteile der vorgeschlagenen Methode hervorgehoben werden. Darüber hinaus wird in dem Text das Potenzial diskutiert, dieses Rahmenwerk zu erweitern, um fortschrittlichere Features und Effekte bei gleichzeitiger Programmierung zu modellieren, was eine vielversprechende Richtung für zukünftige Forschungen bietet.
KI-Generiert
Diese Zusammenfassung des Fachinhalts wurde mit Hilfe von KI generiert.
Abstract
We define a two sorted equational theory of algebraic effects that models concurrent shared state with preemptive interleaving, recovering Brookes’s seminal 1996 trace-based model precisely. The decomposition allows us to analyse Brookes’s model algebraically in terms of separate but interacting components. The multiple sorts partition terms into layers. We use two sorts: a “hold” sort for layers that disallow interleaving of environment memory accesses, analogous to holding a global lock on the memory; and a “cede” sort for the opposite. The algebraic signature comprises of independent interlocking components: two new operators that switch between these sorts, delimiting the atomic layers, thought of as acquiring and releasing the global lock; non-deterministic choice; and state-accessing operators. The axioms similarly divide cleanly: the delimiters behave as a closure pair; all operators are strict, and distribute over non-empty non-deterministic choice; and non-deterministic global state obeys Plotkin and Power’s presentation of global state. Our representation theorem expresses the free algebras over a two-sorted family of variables as sets of traces with suitable closure conditions. When the held sort has no variables, we recover Brookes’s trace semantics. We define several other single-and two-sorted theories to elucidate the connection to Brookes’s model via translation embeddings and equivalences.
1 Introduction
We decompose Brooke’s pioneering denotational model of concurrent shared state under preemptive interleaving [6] using algebraic effects [30]. This model possesses several desirable features in the area of denotational models for programming languages with concurrent features. (I) It is based on traces, an elementary sequential gadget. (II) It is fully compositional, as in traditional denotational semantics for shared-state [e.g. 15, 17]. Each syntactic programming construct, including parallel composition, has a corresponding semantic operation combining the meanings of its constituents. Such full compositionality contrasts with some recent models in this area that require additional ‘semantic post-processing’: some form of quotient, pruning of auxiliary mathematical constructs, reasoning up/to behavioural equivalence; or capture only sequential blocks, reasoning about the parallel composition on a separate layer [e.g. 7, 8, 19, 21]. (III) Subsequent variations and extensions [4, 38, 39], as well as adaptations to relaxed memory models [12, 13, 21], attest to its versatility, making it a cornerstone in the denotational semantics for concurrent languages with side-effects. (IV) It achieves a high level of abstraction, evident in the many compiler transformations that the model supports, including the most common memory access introductions and eliminations, and the laws of parallel programming. Moreover, Brookes showed the model to be fully abstract in a language extended with the await construct, which blocks execution until all memory locations contain a given tuple of values, and then atomically updates them to contain another tuple of values. This construct is not a natural programming construct, but is clearly suggested by Brookes’s semantics.
Plotkin and Power’s modern theory of algebraic effects [30] refines Moggi’s monadic approach [26] with algebraic theories. The algebraic approach informs the monadic structure by identifying semantic counterparts to syntactic constructs and axiomatising their semantics equationally. The monadic structure emerges through the well-established connection between algebraic theories and monads [23] via representation theorems. For example: global state emerges by axiomatising memory lookup and update [30] and a representation theorem involving the state monad; non-determinism emerges by axiomatising semi-lattices and a representation theorem involving the powerdomains [15, 28]; and so on. The algebraic perspective may offer insights into the making of the denotational semantics. It can suggest methods for combining different effects and modularly augment a semantics with a given computational effect [17].
Anzeige
The connection between algebraic effects and concurrency has long been emphasised. For example, the ability to use algebraic effects, without any axioms, and their effect handlers [3, 32, 33] to allow users to define their own schedulers was the original motivation for their implementation in the OCaml programming language [9, 10, 35]. Nonetheless, exhibiting abstract models such as Brookes’s algebraically via equational axiomatisation of syntactic constructs has proved challenging. Our own previous algebraic model [11] invalidates a key transformation, reflecting a fundamental limitation.
To overcome this limitation, we use multi-sorted algebraic theories, a direction that was raised in personal discussions since the earliest work on algebraic effects [30]. A multi-sorted algebraic term decomposes into layers. Our two sorts represent two modes of interaction between a program fragment and its concurrent environment. A “hold” sort (\(\bullet \)) provides a reasoning layer in which the environment may not interfere, whereas in the “cede” sort (
) it may. We provide two operators that switch between these sorts. Our core idea is to axiomatise these operators as a closure pair, an established order-theoretic special Galois-connection, the dual to the domain-theoretic embedding-projection pairs [1]. Additionally, we axiomatise strict distributivity of the closure pair over non-determinism. The remaining axioms, all in the hold sort, are strikingly independent from these axioms. In our shared-state theory
, the remaining axioms are precisely those of non-deterministic global state.
We prove, twice over, that
recovers Brookes’s model in the cede sort. First, using sets of traces akin to Brookes’s, we define a representation of
. The representation recovers Brookes’s model via the adjunction that forgets the hold sort. Second, we define three algebraic theories for Brookes’s await and its sequential variant, relating them to global-state, shared-state, and each other via embeddings and equivalences. The theory for concurrent await is straightforwardly represented by Brookes’s model, and embeds in the cede sort of
.
Caveats In our development, we opt for mathematical simplicity whenever possible. For example, we use countable-join semilattices instead of finite-join semilattices to represent non-determinism. This choice streamlines the development leading up to the representation theorem, allowing us to use countable sets instead of finitely generated ones. We also do not treat recursion to avoid the complexity that a domain-theoretic account incurs. The resulting model—identical to Brookes’s—coincides with the elided domain-theoretic model over discrete pre-domains. This model also supports iteration (i.e. while-loops) without change thanks to countable-joins. It also supports first-order recursion without change by equipping it with a domain-theoretic structure. These compromises let us focus on the core concepts, and provide a relatively elementary exposition and a clear presentation of the underlying idea, motivating future inquiry.
Anzeige
2 Overview
Equational theories study terms constructed from algebraic operators (§3.1). In Plotkin and Power’s algebraic theory of effects, the operators represent fundamental program effects, and their arguments represent continuations. Equational axioms reflect fundamental relationships between the operators. The equations that hold in the theory, reflecting the semantics as a whole, are those that follow from its axiomatic presentation by equational logic (§3.2).
In the global-state theory, a theory for sequential stateful computation, the operators
and
represent updating and looking up bits in memory. For example, consider the global-state term
. After updating \(\texttt {y}\) to \(0\), the computation looks \(\texttt {y}\) up: if it finds \(0\), it returns 3; if it finds \(1\), it updates \(\texttt {x}\) and \(\texttt {y}\) to \(1\) in succession, then returns 7. Between the update and the lookup, the value at \(\texttt {y}\) cannot change. Therefore, the computation finds the value \(0\), and takes the left-hand continuation. The global-state axiom ()
reflects this fact. By (), \({\textsf {U}}_{\texttt {y},0}{\textsf {L}}_{\texttt {y}}( 3,{\textsf {U}}_{\texttt {x},1}{\textsf {U}}_{\texttt {y},1}7 ) = {\textsf {U}}_{\texttt {y},0} 3\) holds in global state.
A representing monadic model for an equational theory (§3.3) interprets the algebraic operators as corresponding operations over the model’s domain; such that each term, up-to equality in the theory, is represented uniquely in the domain. Interpretations respect the theory; that is, applying an operation to representations of terms results in the representation of the corresponding operator applied to said terms:
. For example, global-state terms are represented by memory-manipulating functions in the state-monad model. This model interprets update by precomposing a state update
; and interprets lookup by passing the input memory state
along to the
-continuation
. In this way, global state recovers the (historically precedent) state monad.
The state monad does not account for concurrent interference. The monad underlying Brookes’s denotational semantics does, by using sequences of transitions to denote potential behaviours (§6.1). Each transition
in sequence means that the computation, by relying on exclusive access to the memory at state
, can guarantee to provide the state
and yield to the environment.
Following the tradition of algebraic effects, we wish to recover Brookes’s model using an equational theory for shared state. This is rather straightforward using a single-sorted theory \(\textsf {B}\) (§6.3) in which transitions appear as operators. However, this theory is dissatisfying, for two reasons. (I) Transitions do not correspond to familiar programming constructs, but to Brookes artificial await construct. (II) Conceptualising shared state as global state with concurrent interference, we expect the global-state effects to be present in a theory of shared state, and the equations between them to hold when interference is prohibited.
A more appropriate approach adds an operator \({\textsf {Y}}\) to global state for yielding control to the environment. Otherwise, the computation has exclusive access to memory. This direction lead to a Brookes-like model [11]. However, unlike Brookes’s model, it does not validate the Irrelevant Read Introduction (IRI) program transformation, which introduces a read instruction that possibly yields to the environment and discards the value it read. The IRI transformation is useful as a stepping stone to other practical transformations, such as common-subexpression elimination from conditionals, and consequently loops. Invalidating IRI seems to be a fundamental limitation of the yield-operator approach, as we show in the extended manuscript [14, §A]. In retrospect, we can pinpoint the issue to \({\textsf {Y}}\) both releasing exclusive access to memory, and acquiring it back. Our key insight is that the mode of computation that cedes access to memory needs to be explicit, decomposing \({\textsf {Y}}\) into a pair of mode-switching operators.
The remaining structure falls into place straightforwardly and naturally, in our proposed two-sorted theory for shared state
(§4). Each sort represents a computation mode: hold\((\bullet )\) represents the computation’s exclusive access to memory; cede
represents positions in which the environment may interfere. Each operator has a sort and expects each continuation to have a specific sort. In
, update
and lookup
are
-sorted continuations, allowing us to reason about interference-free stateful interactions.
The theory
also supports non-deterministic choice in both sorts. For example, the term
either updates \(\texttt {x}\) to \(1\) and returns 2, or updates \(\texttt {x}\) to \(1\) and returns 5. We axiomatise
such that each operator distributes over non-deterministic choice, e.g.
. We order terms by potential behaviours \((l \ge r) :==(l = l \vee r)\), a partial-order for
-equality (§3.2).
The mode-switching operators of
are
and
. That is, \(\mathop {\lhd }\) is
-sorted and expects a \(\bullet \)-sorted continuation, and vice versa for \(\mathop {\rhd }\). We think of them as delimiting atomic blocks, or acquiring and releasing an abstract global lock. We axiomatise them in
by strict distributivity over countable joins, i.e. ()
and ()
; and:
(\( {\mathop {\lhd }\mathop {\rhd }y} = {y} \)). An empty atomic block has no observable effect.
These axiomatise \(\mathop {\lhd }\) and \(\mathop {\rhd }\) as an (insertion)-closure pair [e.g. 1].
Each
-term denotes a set of sort-delimited traces (§5.1), which generalise Brookes’s traces. For example, \(t:=={\textsf {U}}_{\texttt {y},0}\mathop {\rhd }\mathop {\lhd }{\textsf {L}}_{\texttt {y}}( 3,{\textsf {U}}_{\texttt {x},1}{\textsf {U}}_{\texttt {y},1}\mathop {\rhd }7 )\) denotes a set that includes
. Indeed, we can read off a corresponding computation from \(t\), initially holding the lock in the state \(\left( {\begin{smallmatrix}\texttt {x}\mapsto 1 \\ \texttt {y}\mapsto 1 \end{smallmatrix}}\right) \) of both bits \(1\): the computation updates \(\texttt {y}\) to \(0\), then yields to the environment before looking \(\texttt {y}\) up; finding \(1\), it updates \(\texttt {x}\) and \(\texttt {y}\) to \(1\), then releases the lock and returns 7. Brookes’s original traces correspond to those delimited by
on both ends.
With these traces we define our two-sorted generalisation of Brookes’s model, and prove that it represents
(§5.2). The
-sorted
-valued fragment (§6.2), which represents the “block-closed” terms, is Brookes’s original model (§6.1).
We also provide an algebraic perspective on the representation, by
-embedding (§6.4) the transitions-theory \(\textsf {B}\) into
(§6.5). This embedding maps
to
, where
is defined by global-state operators (§5.2).
3 Preliminaries
We present a standard treatment of countably-infinitary multi-sorted equational theories and their free models [e.g. 2, 37], straightforwardly generalising the single-sorted case by assigning sorts to functions and their arguments. The reader may choose to skim/skip this section, consulting it as necessary.
3.1 Terms
We define the logical language of multi-sorted equational logic. The basic vocabulary of multi-sorted algebra is parameterised by a set \({{\textbf {sort}}} \) whose elements
we call sorts. We will mostly focus on the single-sorted case (
) and the two-sorted case (
). A \({{\textbf {sort}}} \)-scheme
is a countable sequence of sorts from \({{\textbf {sort}}} \), i.e. a finite sequence
of length n, or countably infinite sequence
of length \(\omega \), where
for all i. For example: the empty scheme
of length 0; and the constant schemes
of length
. We write
for the scheme
.
A \({{\textbf {sort}}} \)-sorted signature
consists of a set of operators
and an arity assignment
. For
with
, we write
. The operator \(O\) will allow us to construct a
-sort term with a tuple of terms, with the \(i^{\text {th}}\) subterm having sort
. For single-sorted arities (
), we write \(O: \alpha \) for
. A signature is a set
and a \({{\textbf {sort}}}_{\Sigma }\)-sorted signature we also denote by \(\Sigma \).
We will use the following signature to model non-deterministic choice:
Example 1
The join semilattice single-sorted signature \(\texttt {J}\) consists of two operators: join\(\vee : 2\), i.e.
; and bottom\(\bot : 0\) , i.e.
. \(\square \)
To simplify the formulation of our representation theorem later, we generalise the signature to countable non-deterministic choice operators:
Example 2
The countable-join semilattice single-sorted signature
consists of an
-ary choice operator
for every
. In particular, the signature \(\texttt {J}\) is included with \(\alpha = 2\) (join) and \(\alpha = 0\) (bottom). \(\square \)
The final example demonstrates the treatment for multiple sorts:
Example 3
The finite dimensional transformations signature
consists of a sort for each pair of natural numbers
, an identity operator
for each
, and, for each triple \(m,n,k\in \mathbb {N}\), a composition operator
. \(\square \)
A signature generates a language of algebraic terms as follows. A \({{\textbf {sort}}} \)-family
is an assignment of a set
, to each sort
. We identify
, and use a set-like notation to specify families, e.g.
is the two-sorted family
and
. We can turn every \({{\textbf {sort}}} \)-family
into the set
equipped with the injections
. This construction is a special case of the Grothendieck construction, and lets us track the distinction between sets and families.
For a signature \(\Sigma \) and \({{\textbf {sort}}}_{\Sigma }\)-family
, define the \({{\textbf {sort}}}_{\Sigma }\)-family of \(\Sigma \)-terms over
:
,
inductively:
Here, the elements
, written
, represent variables of sort
. We may drop the set-brackets left of a trunstile, e.g. write
; and omit the sorts, especially in the single-sorted case, e.g. write \(x, y \vdash _{\texttt {J}} x \vee \bot \). For
, we write
to define \(\psi \) as \(t\), e.g.
.
A \({{\textbf {sort}}} \)-sorted map
is a \({{\textbf {sort}}} \)-indexed tuple of functions between the corresponding sets:
, for every
. Our development utilises sorted maps extensively. A (simultaneous) substitution
is a sorted function
, specifying which
-term
to substitute for each variable
. Each such substitution determines a sorted map
inductively, which we write in post-fix notation:
3.2 Equational logic
A
-sorted \(\Sigma \)-equation in context
is a pair
of
-sorted \(\Sigma \)-terms over
. We write this situation as
, or just \(l = r\), and call l the left-hand side (LHS) and r the right-hand side (RHS) of the equation. A presentation
consists of a signature
and axioms: a set
of \(\Sigma \)-equations.
Example 4
The join semilattice presentation \(\textsf {J}\) consists of the signature
of example 1, and the axioms \(\text {Ax}_{\textsf {J}}\) below:
Example 5
The countable-join semilattice presentation \(\textsf {V}\) consists of the signature
of example 2, and the axioms
:
Example 6
The finite dimensional transformations presentation \(\textsf {M}\) consists of the signature
of example 3 and the axioms
below, suppressing the sort indices (each axiom scheme includes every possible instantiation):
Figure 1 presents the deductive system called equational logic. We say that a presentation
proves an equation, writing
, when it is derivable from
using these standard equational reasoning rules, namely: reflexivity, symmetry, transitivity, use of an axiom, substitution, and congruence. This logic is monotone: assuming more axioms allows us to prove more equations. The algebraic theory of a presentation
is the smallest derivation-closed set of equations containing the axioms. We denote the theory of
by
as well.
Fig. 1.
Multi-sorted equational logic with countable arities
Example 7
We can prove
using an instance of and reflexivity with the following instance of congruence:
When a presentation
proves the semi-lattice axioms in one of its sorts
, then the encoding
of inequations as equations in this sort is a preorder that is a partial order w.r.t.
-equality, i.e.
.
We encode \((\ge )\) similarly. Due to the monotonicity property of equational logic, once we have included an axiomatisation of semi-lattices through a subset of the axioms, we may proceed to postulate inequations.
We also use a generalisation of distributivity axioms [18], reproducing familiar arithmetic distributivity equations such as
, the distributivity of \((\cdot )\) over \(\max \) in the right-hand-side position. The extended manuscript [14, §B] details the straightforward, but technical generalisation. The main message is as follows. In a given presentation
, if all operators distribute over binary joins in every position, the congruence rule is valid for inequations:
If a presentation
supports semi-lattices in every sort and they distribute over binary joins in every positions, then we say that
supports inequational reasoning. The theory of
then admits Bloom’s logic for ordered algebraic theories [5]. We let future work determine the most appropriate variety of inequational logic [29].
Going forward, all of our presentations support inequational reasoning in this sense, and all operators distribute over arbitrary non-empty joins, not just the binary ones. Moreover, they are all strict: \(O( \bot , \dots , \bot ) = \bot \) for every operator
. Such theories ‘absorb’ side-effects when their continuations diverge, an inherent ‘partial correctness’ property of Brookes’s model.
3.3 Algebras and models
After presenting the proof theory—equational logic—let’s turn to the model theory of universal algebra. A \(\Sigma \)-algebra\({\textbf {A}}\) consists of a \({{\textbf {sort}}}_{\Sigma }\)-family \(\underline{{\textbf {A}}} \in {\textbf {Set}}^{{{\textbf {sort}}}_{\Sigma }}\), the carrier, and an assignment
, for each operator
, of an operation over this carrier:
.
Example 8
For any set \(X\), define the
-algebra
by taking the carrier to be the set of countable (finite or infinite) \(X\)-subsets \(\underline{{\textbf {V}}X} :==\mathcal {P}^{\aleph _0} ( X )\), and interpret choice as union
. \(\square \)
Example 9
Define the \(\texttt {M}\)-algebra \({\textbf {M}}\) by taking the carrier to be the set of real-valued matrices of the corresponding dimensions, \(\underline{{\textbf {M}}}_{{\textbf {Hom}}\left( m,n \right) } :==\mathbb {M}^{\mathbb {R}}_{m\times n}\), interpret the identity
as the identity matrix, and composition
as matrix multiplication.
Let \({\textbf {A}}\) be an \(\texttt {M}\)-algebra. Define the opposite algebra \({{\textbf {A}}}^\textsf{op}\) by exchanging dimensions. So \(\underline{{{\textbf {A}}}^\textsf{op}_{{\textbf {Hom}}\left( m,n \right) }} :==\underline{{\textbf {A}}}_{{\textbf {Hom}}\left( n,m \right) }\), the same identity
, and reversing composition
. \(\square \)
Example 10
(term algebra). The \(\Sigma \)-terms with variables from
carry a canonical algebra structure
, given by
, with each \(O\)-term constructor as the corresponding \(O\)-operation:
. \(\square \)
A \(\Sigma \)-algebra homomorphism
is a sorted-function \(\varphi : \underline{{\textbf {A}}} \rightarrow \underline{{\textbf {B}}}\) that preserves the operations:
.
Example 11
Transposing real-valued matrices \(( - )^\intercal : \mathbb {M}^{\mathbb {R}}_{m\times n} \rightarrow \mathbb {M}^{\mathbb {R}}_{n\times m}\) is a homomorphism \(( - )^\intercal : {\textbf {M}}\rightarrow {{\textbf {M}}}^\textsf{op}\), by the well-known identity \(( A\cdot B )^\intercal = B^\intercal \cdot A^\intercal \). \(\square \)
A \(\Sigma \)-algebra allows us to interpret every \(\Sigma \)-term, by assigning values to its variables. Formally, let \({\textbf {A}}\) be a \(\Sigma \)-algebra. An
-environment in \({\textbf {A}}\) is a sorted function
. Given such an environment, interpret terms by induction:
Example 12
(substitution). An
-environment in
amounts to a substitution, and interpreting terms in
amounts to substitution. \(\square \)
Example 13
(evaluation homomorphism). Evaluation using an
-environment
in a
is a homomorphism
. \(\square \)
A \(\Sigma \)-algebra \({\textbf {A}}\)validates the equation
when evaluation in all environments equates its sides:
for all
. We then write
. A
-model is an algebra validating all of
. The soundness theorem of equational logic states that every
-model validates all the equations in the algebraic theory of
.
Example 14
Referring to previous examples, the algebras \({\textbf {V}}X\) are \(\textsf {V}\)-models, the algebras \({\textbf {M}}\) and \({{\textbf {M}}}^\textsf{op}\) are \(\textsf {M}\)-models, and algebras of terms are \(\emptyset \)-models. \(\square \)
Example 15
Consider the \(\Sigma _{\textsf {J}}\)-algebra \({\textbf {A}}\) for which the carrier is the set of natural numbers \(\underline{{\textbf {A}}} :==\mathbb {N}\), join interprets as addition
, and bottom as zero
. This is not a \(\textsf {J}\)-model, since, taking
with \(ex= 1\), we get
; and so
. \(\square \)
We end this section with representations of free models. These are
-models whose elements represent the
-terms up-to provable equality in
.
A
-model over a family
consists of a
-model \({\textbf {A}}\) and an
-environment in it
. A free
-model
over a family
is then a
-model over
such that every environment in every
-model
extends uniquely along \(\operatorname {return }\) to a
-homomorphism \(e^{\#}: {\textbf {A}}\rightarrow {\textbf {B}}\), i.e., for all
, we have:
. We then say that the algebra
represents
-environments via the assignment
, the corresponding representation.
The algebraic theory of effects [30] emphasises the role free models play in denotational semantics for programming languages with effects. In particular, given a free
-model over
for every family
, one standardly obtains a monad suitable for the denotational semantics of a language with computational effects conforming to the operators in
.
Example 16
For any set \(X\), the \(\texttt {V}\)-algebra \({\textbf {V}}X\) given by the countable powerset in example 8 represents \(X\)-environments; together with
it forms a free \(\textsf {V}\)-model over \(X\). The representation assigns
to
, defined
; how it enumerates \(D\) doesn’t matter since
is a
-model. The data
is a monad. \(\square \)
4 Shared state
To define the equational theory of shared state, we first recall the standard, single sorted (non-deterministic) global state theory \(\textsf {G}\) [17, 25, 30]. The variant we present here has countable non-determinism, and the global state operators manipulate a common memory store
with a finite set of locations
each storing a bit
. A larger finite set of storable-values would not be conceptually different. Infinite sets of storable-values or locations work similarly with more involved representation theorems. In concrete examples, we let
and use non-bracketed vectors for stores, e.g.
denotes
.
The signature \(\Sigma _{\textsf {G}}\) consists of the countable-join semilattice operators (example 2), as well as two kinds of memory-access operators: lookup operators \({\textsf {L}}_{\ell } : 2\), to look a location
up and branch according to the value found; and update operators \({\textsf {U}}_{\ell ,b} : 1\), to update a location \(\ell \in \mathbb {L}\) to the value
. The global state axioms
consists of the countable-join semilattice axioms (example 5), as well as the following:
The induced algebraic theory \(\textsf {G}\) includes axioms of less succinct presentations of the same theory [25]. For example, lookup also distributes over binary join, so the theory admits inequational reasoning; consecutively looking the same location up can be merged, e.g.
; and other combinations of looking-up and updating different locations commute, e.g. for any
we have
.
Our two-sorted presentation
of shared state extends global state. Its sorts are
. The hold sort \((\bullet )\) represents an uninterrupted sequence of memory accesses, whereas the cede sort
allows control to pass to the environment. The operators and the arities of the signature
consist of a copy of \(\Sigma _{\textsf {G}}\) at \(\bullet \), a copy of
at
, and new operators
and
.
The intuitive reading for algebraic effects is from the outside in. With this intuition, one interpretation of the operators \(\mathop {\lhd }\) and \(\mathop {\rhd }\) is to acquire and release a global lock. The hold sort (\(\bullet \)) represents the lock being held by one of the threads in the program. The cede sort (
) represents points in the execution in which one of the threads in the concurrent environment may acquire the lock. The sorts ensure exclusive access to the lock, and therefore to the store. In an alternative interpretation, these operators delimit atomic blocks; their sorts prevent nesting.
The shared state axioms
include a copy of the (non-deterministic) global state axioms
at \(\bullet \) and a copy of the countable-join semilattice axioms \(\text {Ax}_{\textsf {V}}\) at
. In particular,
proves the semi-lattice axioms in both sorts. It further includes standard strict distributivity axioms for the new unary operators:
With these axioms,
supports inequational reasoning, which represents the semantic refinement relation used to validate program transformations [e.g. 11].
Finally,
axiomatises \(\mathop {\lhd }\) and \(\mathop {\rhd }\) as an (insertion)-closure pair [e.g. 1]:
They are compatible with the global-lock interpretation:
(
). Acquiring and immediately releasing the lock has no effect on the sequence of effects that can occur as a result of arbitrary interleavings.
(\( {\mathop {\rhd }\mathop {\lhd }x} \ge {x} \)). Releasing and immediately acquiring the lock only allows more behaviours. The environment may or may not interleave there.
To summerise,
.
Example 17
The \(\Sigma _{\textsf {S}\!\!\textsf {S}}\)-equations appearing below are named after corresponding transformations that may or may not be valid, depending on the setting (e.g. is there concurrency, and under what assumptions), all
-sorted over
:
Intuitively, Irrelevant Read Intro & Elim should be valid in our setting, as looking a value up is not observable by the environment, and the computation itself disregards the value. Write Elim should be valid too, because it is possible that the environment does not look \(\ell \) up at the interference point between the updates on the LHS, covering the behaviour denoted by the RHS. On the other hand, Write Intro should be invalid in our setting because only on the LHS can a concurrently running thread look \(\ell \) up and find \(b_1\). Formally, we will show
does not prove Write Intro in example 25. Here we show
proves the other two:
5 Representation
We now establish the representation theorem describing a free
-model over any
. Following Brookes [6], we use sets of traces to denote behaviours.
5.1 Sorted traces
A sorted trace starts with a sort (
or
) followed by a non-empty sequence of state transitions, and ending in a sorted value. The initial sort in the trace and the initial store in each transition represent assumptions the trace relies on from its concurrent and sequential environment. The final sort and value and the final store in each transition represent guarantees the trace makes to its environment.
Formally, a (state) transition is a pair
. Let \(\xi ^?\in ( \mathbb {S}\times \mathbb {S} )^*\) range over possibly empty sequences of transitions, and \(\xi \in ( \mathbb {S}\times \mathbb {S} )^+\) range over non-empty ones. For any set \(X\), define the set of X-valued Brookes traces\(\textsf {T}X:==( \mathbb {S}\times \mathbb {S} )^+ \times X\), also used in Brookes’s model (§6). For any family
define the
-sorted family
of traces
. Then, for any sorted family
, we define the set of sorted traces over
by:
A
-sorted -valued trace is one of the form
in the set
.
Example 18
, with
, is \(\bullet \)-sorted and
-valued. \(\square \)
Intuitively, the trace
models a potential behaviour, or protocol, that a shared-state program phrase under preemptive interleaving concurrency can exhibit, or adhere to, given as a rely/guarantee sequence.
Example 19
The behaviour denoted by
relies on the preceding environment for \({\begin{smallmatrix}1 \\ 1 \end{smallmatrix}}\) and for the sequential environment to hold access to the store; then guarantees \({\begin{smallmatrix}1 \\ 0 \end{smallmatrix}}\); then relies on \({\begin{smallmatrix}1 \\ 1 \end{smallmatrix}}\); and finally guarantees \({\begin{smallmatrix}0 \\ 0 \end{smallmatrix}}\), and returns 7 to the succeeding sequential environment, ceding exclusive store access. \(\square \)
One can make these trace-semantic concepts more formal, for example, when formulating an adequacy proof w.r.t. an operational semantics. We will not define these concepts formally since we will not need the additional level of rigour, for example, because we appeal to the well-established adequacy of Brookes’s model.
We implicitly understand the exclusive access to the store is ceded (
) between transitions. For example, for the trace
, we could write
for emphasis. A hypothetical
would denote an impossible behaviour, making intermediate sorts redundant.
One of Brookes’s innovations is that sets of traces should be closed under what we now call (trace) deductions. Specifically, Brookes identified two such deductions, given as binary relations called stutter(
) and mumble(
), defined in such a way that if the program phrase can adhere to the source protocol (left of arrow), then it can adhere to the target protocol (right of arrow).
We define these deductions in our two-sorted setting. For convenience, we write
for the trace
in which, intuitively, the lock is ceded (
) at the marked spot. Formally, we require that both (a) if \(\xi ^?_1\) is empty, then
; and (b) if \(\xi ^?_2\) is empty, then
. In particular, the requirement holds when both \(\xi ^?_1\) and \(\xi ^?_2\) are non-empty, where we implicitly assume the ceded sort between them; and in the case of a
-sorted
-valued trace, i.e.
.
Example 20
We have the following valid/invalid notations for
:
We define the following sortedstutterandmumbledeductions:
The condition on stutter’s source rules out deductions which implicitly cede access to the store to the concurrent environment at the ends of the trace. We will compare these deductions to Brookes’s in §6.
Example 21
These deductions are valid, highlighting the change to the trace:
However, thanks to the condition on stutter’s source, this deduction is invalid:
The source protocol relies on the preceding sequential environment for \({\begin{smallmatrix}1 \\ 1 \end{smallmatrix}}\). We prohibit relaxing the protocol to rely on the concurrent environment for it.
The stutterand mumbledeductions follow the rely/guarantee intuition:
Stuttering() means a thread-pool also obeys the protocol that guarantees a state \(\sigma \) by relying on its environment for \(\sigma \).
Mumbling() means a thread-pool that guarantees the store
it later relies on also obeys the protocol in which we exclude the environment’s access to the store
at that point.
Sets of traces represent a non-deterministic choice between the behaviours that a program phrase may exhibit. For such a set \(K\), define its closure under trace deduction \(K^{\dagger }\) as the least set \(K'\) such that:
; and if
and
for
, then
. According to the rely/guarantee intuition above, a program phrase that is compatible with a set of traces is also compatible with its closure. We therefore represent program phrases as closed sets, i.e. sets \(K\) such that \(K= K^{\dagger }\). The closure \(K^{\dagger }\) of a countable \(K\) is countably infinite—by stuttering indefinitely—unless \(K\) is a finite set of single-transition \(\bullet \)-sorted \(\bullet \)-valued traces, in which case \(K\) is already closed.
For a set of traces \(U\) and sort
, define a
-sorted family \(\mathcal {P}^{\aleph _0} ( U )\) by taking its
component to be the set
of countable subsets of \(U\) whose elements are all
-sorted. Similarly, define
to be the set of closed countable subsets of \(U\) whose elements are all
-sorted.
The prefixing function adds the given transition to each \(\bullet \)-sorted trace:
It lifts to closed sets, i.e.
implies that
.
5.2 Representation theorem
For
, define the
-algebra of
-valued closed trace-sets
as:
Additionally, define
by
.
The rest of this section establishes that the algebra
over
is a free
-model over
. A key ingredient is reification: for any
-sorted family
, we define a sorted-function
, choosing a representative term
such that
. This use of countable choice is inessential, the mere existence of the defining term \(t_2\) suffices.
First define for any
and \(b\in \mathbb {B}\) the cell assertion term
that looks \(\ell \) up and only continues if it holds \(b\):
Next, for any
we define the open transition
, as a term that asserts the state is
, then updates the state to
, and returns \(x\):
Now we can represent traces as terms. Define the \(\Sigma _{\textsf {S}\!\!\textsf {S}}\)-term reifying a trace
by sequencing open transition as they are in \(\xi \), separated by
; and delimited by
on the left if
and by \(\mathop {\rhd }\) on the right if
.
Example 22
\(\square \)
Trace deductions are sound w.r.t. this encoding, in the following sense:
Proposition 23
Assume that \(\tau _1\) and \(\tau _2\) are
-sorted traces over
, such that
for
. Then
.
Finally, we reify a trace set by reifying its traces in a chosen enumeration:
By proposition 23, closure preserves reification:
.
Using reification, we state the representation theorem [14, proof in,§C].
Theorem 24
(-representation). The pair
is a free
-model over
. Its representation sends environments
to
-homomorphisms
by
. Moreover, for
we have:
Example 25
The model
invalidates Write Intro:
Every trace in the right-hand set has at most one state-changing transition. The left-hand set has traces with two. Therefore,
does not prove Write Intro. \(\square \)
6 Recovering Brookes’s model
The theory
recovers Brookes’s model (§6.1). We recover it twice, using different strategies that offer different perspectives. The first transforms the monad induced by the representation of §5.2 along a right adjoint
sending each
-family
to the set
(§6.2). In the second, we define a single-sorted theory of transitions \(\textsf {B}\) that recovers Brookes’s model straightforwardly (§6.3). In this theory, the transition operators correspond to Brookes’s await construct. After swiftly introducing embedding translations (§6.4), we show that \(\textsf {B}\) embeds into
. The embedding factors through another, two-sorted, theory of transitions \(\textsf {T\!r}\) (§6.5).
6.1 Brookes’s model
We designed our notions of traces, deduction, etc. from §5.1 based on the following model of Brookes [6], in which traces cannot hold exclusive memory access at their ends. In this model, ceding access is implicit.
For any set \(X\in {\textbf {Set}}\), recall the set of Brookes traces \(\textsf {T}X:==( \mathbb {S}\times \mathbb {S} )^+ \times X\) from §5.1. Writing
for
, Brookes’s stutterand mumbledeductions are:
We reuse the notation \(( - )^{\dagger }\) for closure under these deductions.
The difference between Brookes’s deductions and our multi-sorted deductions is the maintenance of the sort on each end of the trace. In particular, Brookes’s stutterdoes not need to explicitly allow interleaving at the relevant position in the source, because the environment may always interleave on either end.
Brookes’s semantic domain \(BX:==\mathcal {P}^{\dagger } ( \textsf {T}X )\) forms a monad. The monadic unit is
,
. The Kleisli extension
of every \(e: X\rightarrow BY\) is
. It interprets memory accesses, dereferencing (\(\ell !\)) and mutation (\(\ell := b\)), as follows:
These generic effects [31] correspond to these monadic algebraic operations:
6.2 Recovery via an adjunction
In Brookes’s model, yielding to the concurrent environment is implicit, and always allowed. From our two-sorted point-of-view, we expect the traces in Brookes’s model to represent
-sorted
-valued traces.
There is an abstract construction that recovers the monad and its operations in §6.2 from our
-sorted model. The functor
has a left-adjoint
. This functor sends each set \(X\) to the
-family
, using the set-like notation for families we introduced in §3.1. Monads transform along adjoints, and transforming the monad obtained standardly from the representation of §5.2 along the adjunction above results in Brookes’s model. Explicitly, denoting
, the resulting monad over \({\textbf {Set}}\) is
. This monad is isomorphic to Brookes’s
above by way of removing
from both ends of every trace. Thus, the Brookes model amounts to the free
-model from §5.2 transformed along the adjunction
. The monad \({\textbf {R}}\) supports the following generic effects. The adjunction transforms them, via its natural bijection on homsets, into Brookes’s generic effects for memory access:
6.3 The single-sorted theory of transitions
There is a more direct, single-sorted presentation \(\textsf {B}\) for Brookes’s model. It uses transitions as operators rather than lookup and update operators. The signature \(\Sigma _{\textsf {B}}\) consists of countable-joins
and a unary transition operator
for every
. The axioms
consist of the countable-join semilattice axioms \(\text {Ax}_{\textsf {V}}\), strict distributivity axioms
, and:
Fig. 2.
The hushrule
The first two axiom schemes are algebraic counterparts to mumbleand stutter. These alone do not recover Brookes’s model—the representation theorem for the theory without the (H) axioms includes potentially-empty traces. The axiom (H) fails in this model, but holds in Brookes’s. In the representation theorem for \(\textsf {B}\) it is tempting to require, along with closure under Brookes’s mumbleand stuttertrace deductions, closure under hush: presented in fig. 2 for a set of traces \(K\). However, there is no need, due to the non-emptiness of the traces. Indeed, either \(\xi ^?_1\) or \(\xi ^?_2\) must be non-empty for the rule to apply. Take
to match an adjacent transition, and apply the mumbleclosure rule to obtain the required consequence. This nuanced observation exposing the hushrule would be hard to notice without this algebraic analysis.
To conclude, we formulate the representation theorem for \(\textsf {B}\). Let \(X\in {\textbf {Set}}\). Define the \(\Sigma _{\textsf {B}}\)-algebra \({\textbf {B}}X\) with carrier \(\underline{{\textbf {B}}X} :==\mathcal {P}^{\dagger } ( \textsf {T}X )\) and interpretations:
Additionally, define
by
.
To prove that this is a free \(\textsf {B}\)-model, we use reification as in §5.2, though here reification is more straightforward. A trace is reified as itself, and sets of traces use countable-joins as before:
. The monad obtained from the next proposition is Brookes’s model:
Proposition 26
The pair
is a free \(\textsf {B}\)-model over \(X\), for which the representation sends
to
by
.
6.4 e
quivalences]Translations and equivalences
We will need the following notions for relating presentations. Consider a map between two sort sets
. It lifts to
by precomposition:
. It forms the object part of a geometric morphism between (pre)sheaf toposes, i.e., it has left and right adjoints. The left adjoint
is in this case
. When \(\epsilon \) is injective, the left adjoint is given by the simpler formula
.
Example 27
The geometric morphism for the map
is the forgetful functor
. As we saw in §6.2, its left adjoint is
. \(\square \)
Let \(\Sigma _1\) and \(\Sigma _2\) be signatures and
a map between their sort sets. A translation of signatures \({\textbf {E}}: \Sigma _1 \rightarrowtail \Sigma _2\) along \(\epsilon \) is an assignment, to each
, of a term
. Such a translation yields a functor \({\textbf {E}}_\textrm{tln}: {\textbf {Alg}}\Sigma _2 \rightarrow {\textbf {Alg}}\Sigma _1\), mapping a \(\Sigma _2\)-algebra \({\textbf {B}}\) to:
For a given family
, such a translation therefore extends uniquely to a \(\Sigma _1\)-homomorphism
.
Example 28
We have a translation
along
that translates the \(\Sigma _{\textsf {G}}\)-operators using their respective copies in the \(\bullet \) sort:
A translation of presentations
along \(\epsilon \) is a translation of their signatures along \(\epsilon \) that, moreover, preserves the provability of axioms:
Example 29
The translation of global state into shared state from example 28 is a translation of presentations
. \(\square \)
Translations along composable sort maps compose via substitution, and a translation
along
is an identity translation when, for all terms
, we have
. A translation
along \(\epsilon \) is an equivalence if \(\epsilon \) is a bijection, and there exists an embedding
along \(\epsilon ^{-1}\), such that \({\textbf {E}}\circ {\textbf {E}}^{-1}\) and \({\textbf {E}}^{-1}\circ {\textbf {E}}\) are identity translations. We then write
and say that the presentations are equivalent. Two multi-sorted theories are equivalent iff their associated free-model monads are isomorphic.
6.5 Translation through the two-sorted theory of transitions
We define a two-sorted presentation \(\textsf {T\!gs}\) of the open transitions
as sequential operators. The signature \(\Sigma _{\textsf {T\!gs}}\) consists of countable-joins \(\Sigma _{\textsf {V}}\) and a unary open transition operator
for
. The axioms \(\text {Ax}_{\textsf {T\!gs}}\) consist of the countable-join semilattice axioms \(\text {Ax}_{\textsf {V}}\), strict distributivity axioms
, and:
Translate \({\textbf {E}}_{\textsf {G}} : \textsf {T\!gs}\rightarrowtail \textsf {G}\) by interpreting transitions as the open transitions from §5.2:
. Conversely, translate \({\textbf {E}}_{\textsf {T\!gs}} : \textsf {G}\rightarrowtail \textsf {T\!gs}\) as follows, similar to the representation of update and lookup from §5.2:
Using the equivalence \(\textsf {T\!gs}\simeq \textsf {G}\) that these translations witness we can translate
along
. We define a two-sorted presentation \(\textsf {T\!r}\), mimicking the definition of
but replacing the operators and axioms of \(\textsf {G}\) with those of \(\textsf {T\!gs}\) in the hold (\(\bullet \)) sort:
. Extending the translations \({\textbf {E}}_{\textsf {T\!gs}}\) and \({\textbf {E}}_{\textsf {G}}\) to all of the operators gives an equivalence
. So \(\textsf {T\!r}\) induces the same monad as
, recovering Brookes’s model.
Fig. 3.
Th. chart
Define the translation \({\textbf {E}}_{\textsf {T\!r}} : \textsf {B}\rightarrowtail \textsf {T\!r}\) along
by sending transitions to their delimited open counterparts:
. Using
we get
(fig. 3). Brookes’s model, as a free \(\textsf {B}\)-model, is thus the
-sorted fragment of
over
-variables, formally.
7 Conclusion and further work
We presented an equational theory for shared state (
). It separates reasoning into two layers. In the held layer (\(\bullet \)), we prohibit the concurrent environment from accessing memory, and we can reason about memory accesses by a pool of threads sequentially. In the ceded layer (
), the concurrent environment may interleave, and local memory access is forbidden. We also presented theories of transitions (\(\textsf {B}\), \(\textsf {T\!gs}\), & \(\textsf {T\!r}\)) and formally related them to (non-deterministic) global state (\(\textsf {G}\)) and shared state (
). The single-sorted theory \(\textsf {B}\) recovers Brookes’s model, but it does so by using Brookes’s await construct, which we find unnatural; and it does not admit global state explicitly as a component of the theory. We believe that admitting global state will inform modelling other effects in the concurrent setting. Our theory
addresses these concerns. It admits the global state theory as-is, and axiomatises the mode-switching operators (
/\(\mathop {\rhd }\)) without explicit interaction with global state. This theory recovers Brookes’s model exactly, in a principled manner: by transforming a monad and its operations along an adjunction; and, independently, through algebraic translations.
Our theory uses countable-join semilattices to recover Brookes’s model. They can express iteration (i.e. while-loops). The same model admits first-order recursion, i.e. least-fixpoints of mutually-defined first-order functions, using the \(\omega \)-complete partial order structure of the refinement order and the Scott-continuity of the semantics. We can support higher-order recursion by recourse to domain-theory, generalising algebraic theories using order-enriched theories. There are several standard variants, each with subtle logical trade-offs [29]. We can also restrict the semantics to terminating languages by restricting to finite joins, and using finitely-generated closed subsets for the representation.
We want to analyse Brookes’s parallel composition operator algebraically. Brookes composed programs in parallel by interleaving traces from each thread. Initial results show we can define Brookes’s parallel composition by simultaneous induction over terms. However, we would like to provide a more abstract account, by recourse to the universal property of free models. This abstraction may expose special properties of global state, or lead to a general parallel composition operation satisfying the expected laws of concurrent programming [16, 27, 34].
We would like to model more effects within this modular multi-sorted algebraic framework. These effects include: more advanced notions of state, such as dynamic allocation [20], higher-order memory cells [24, 36], and weak memory [12, 13]; control-flow effects such as exceptions and effect handlers [3]; and probabilistic programming with shared state [22].
If the multi-sorted approach does indeed generalise to more sophisticated effects, then it will be instructive to review its assumptions. For example, the strictness axioms impose a partial-correctness discipline: the semantics says nothing about the effect a diverging program has on its memory. Relaxing or removing strictness may give a model that allows us to reason about diverging programs.
Our two sorts limit access to the whole store. We would like to explore finer granularity. For example, a theory with per-location access limitation, with sorts for every finite subset \(s \subseteq \mathbb {L}\) of locations, and operators
and
. We expect the axiomatisation’s design to require subtlety.
It may be interesting to to expose the sort discipline in the surface language through typing judgements, explicating regions that rule out data-races with the environment. It seems such judgements would rule out deadlocks structurally, and so may limit expressiveness. Whether this idea is useful remains to be seen.
In conclusion, our two-sorted decomposition of Brookes’s seminal model provides new insights into its assumptions and components, and reveals new directions for modelling more advanced features involving concurrent shared state.
Acknowledgments
Supported by the Israel Science Foundation (grant number 814/22) and the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 851811); and by a Royal Society University Research Fellowship and Enhancement Award. For the purpose of Open Access the authors have applied a CC BY public copyright licence to any Author Accepted Manuscript version arising from this submission. We thank Danel Ahman, Andrej Bauer, Martín Escardó, Justus Matthiesen, Sam Staton, and Rob van Glabbeek for interesting and useful discussions and suggestions.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
) it may. We provide two operators that switch between these sorts. Our core idea is to axiomatise these operators as a closure pair, an established order-theoretic special Galois-connection, the dual to the domain-theoretic embedding-projection pairs [1]. Additionally, we axiomatise strict distributivity of the closure pair over non-determinism. The remaining axioms, all in the hold sort, are strikingly independent from these axioms. In our shared-state theory
, the remaining axioms are precisely those of non-deterministic global state.
recovers Brookes’s model in the cede sort. First, using sets of traces akin to Brookes’s, we define a representation of
. The representation recovers Brookes’s model via the adjunction that forgets the hold sort. Second, we define three algebraic theories for Brookes’s 
.
and
represent updating and looking up bits in memory. For example, consider the global-state term
. After updating \(\texttt {y}\) to \(0\), the computation looks \(\texttt {y}\) up: if it finds \(0\), it returns 3; if it finds \(1\), it updates \(\texttt {x}\) and \(\texttt {y}\) to \(1\) in succession, then returns 7. Between the update and the lookup, the value at \(\texttt {y}\) cannot change. Therefore, the computation finds the value \(0\), and takes the left-hand continuation. The global-state axiom ()
reflects this fact. By (), \({\textsf {U}}_{\texttt {y},0}{\textsf {L}}_{\texttt {y}}( 3,{\textsf {U}}_{\texttt {x},1}{\textsf {U}}_{\texttt {y},1}7 ) = {\textsf {U}}_{\texttt {y},0} 3\) holds in global state.
. For example, global-state terms are represented by memory-manipulating functions in the state-monad model. This model interprets update by precomposing a state update
; and interprets lookup by passing the input memory state
along to the
-continuation
. In this way, global state recovers the (historically precedent) state monad.
in sequence means that the computation, by relying on exclusive access to the memory at state
, can guarantee to provide the state
and yield to the environment.
(§4). Each sort represents a computation mode: hold \((\bullet )\) represents the computation’s exclusive access to memory; cede
represents positions in which the environment may interfere. Each operator has a sort and expects each continuation to have a specific sort. In
, update
and lookup
are
-sorted continuations, allowing us to reason about interference-free stateful interactions.
also supports non-deterministic choice in both sorts. For example, the term
either updates \(\texttt {x}\) to \(1\) and returns 2, or updates \(\texttt {x}\) to \(1\) and returns 5. We axiomatise
such that each operator distributes over non-deterministic choice, e.g.
. We order terms by potential behaviours \((l \ge r) :==(l = l \vee r)\), a partial-order for
-equality (§3.2).
are
and
. That is, \(\mathop {\lhd }\) is
-sorted and expects a \(\bullet \)-sorted continuation, and vice versa for \(\mathop {\rhd }\). We think of them as delimiting atomic blocks, or acquiring and releasing an abstract global lock. We axiomatise them in
by strict distributivity over countable joins, i.e. ()
and ()
; and:
-term denotes a set of sort-delimited traces (§5.1), which generalise Brookes’s traces. For example, \(t:=={\textsf {U}}_{\texttt {y},0}\mathop {\rhd }\mathop {\lhd }{\textsf {L}}_{\texttt {y}}( 3,{\textsf {U}}_{\texttt {x},1}{\textsf {U}}_{\texttt {y},1}\mathop {\rhd }7 )\) denotes a set that includes
. Indeed, we can read off a corresponding computation from \(t\), initially holding the lock in the state \(\left( {\begin{smallmatrix}\texttt {x}\mapsto 1 \\ \texttt {y}\mapsto 1 \end{smallmatrix}}\right) \) of both bits \(1\): the computation updates \(\texttt {y}\) to \(0\), then yields to the environment before looking \(\texttt {y}\) up; finding \(1\), it updates \(\texttt {x}\) and \(\texttt {y}\) to \(1\), then releases the lock and returns 7. Brookes’s original traces correspond to those delimited by
on both ends.
(§
-sorted
-valued fragment (§
-embedding (§
(§
to
, where
is defined by global-state operators (§
we call sorts. We will mostly focus on the single-sorted case (
) and the two-sorted case (
). A \({{\textbf {sort}}} \)-scheme
is a countable sequence of sorts from \({{\textbf {sort}}} \), i.e. a finite sequence
of length n, or countably infinite sequence
of length \(\omega \), where
for all i. For example: the empty scheme
of length 0; and the constant schemes
of length
. We write
for the scheme
.
consists of a set of operators
and an arity assignment
. For
with
, we write
. The operator \(O\) will allow us to construct a
-sort term with a tuple of terms, with the \(i^{\text {th}}\) subterm having sort
. For single-sorted arities (
), we write \(O: \alpha \) for
. A signature is a set
and a \({{\textbf {sort}}}_{\Sigma }\)-sorted signature we also denote by \(\Sigma \).
; and bottom \(\bot : 0\) , i.e.
. \(\square \)
consists of an
-ary choice operator
for every
. In particular, the signature \(\texttt {J}\) is included with \(\alpha = 2\) (join) and \(\alpha = 0\) (bottom). \(\square \)
consists of a sort for each pair of natural numbers
, an identity operator
for each
, and, for each triple \(m,n,k\in \mathbb {N}\), a composition operator
. \(\square \)
is an assignment of a set
, to each sort
. We identify
, and use a set-like notation to specify families, e.g.
is the two-sorted family
and
. We can turn every \({{\textbf {sort}}} \)-family
into the set
equipped with the injections
. This construction is a special case of the Grothendieck construction, and lets us track the distinction between sets and families.
, define the \({{\textbf {sort}}}_{\Sigma }\)-family of \(\Sigma \)-terms over
:
,
inductively: 
, written
, represent variables of sort
. We may drop the set-brackets left of a trunstile, e.g. write
; and omit the sorts, especially in the single-sorted case, e.g. write \(x, y \vdash _{\texttt {J}} x \vee \bot \). For
, we write
to define \(\psi \) as \(t\), e.g.
.
is a \({{\textbf {sort}}} \)-indexed tuple of functions between the corresponding sets:
, for every
. Our development utilises sorted maps extensively. A (simultaneous) substitution
is a sorted function
, specifying which
-term
to substitute for each variable
. Each such substitution determines a sorted map
inductively, which we write in post-fix notation: 
-sorted \(\Sigma \)-equation in context
is a pair
of
-sorted \(\Sigma \)-terms over
. We write this situation as
, or just \(l = r\), and call l the left-hand side (LHS) and r the right-hand side (RHS) of the equation. A presentation
consists of a signature
and axioms: a set
of \(\Sigma \)-equations.
of example 1, and the axioms \(\text {Ax}_{\textsf {J}}\) below:
of example 2, and the axioms
:
of example 3 and the axioms
below, suppressing the sort indices (each axiom scheme includes every possible instantiation):
proves an equation, writing
, when it is derivable from
using these standard equational reasoning rules, namely: reflexivity, symmetry, transitivity, use of an axiom, substitution, and congruence. This logic is monotone: assuming more axioms allows us to prove more equations. The algebraic theory of a presentation
is the smallest derivation-closed set of equations containing the axioms. We denote the theory of
by
as well.
using an instance of and reflexivity with the following instance of congruence: 
proves the semi-lattice axioms in one of its sorts
, then the encoding
of inequations as equations in this sort is a preorder that is a partial order w.r.t.
-equality, i.e.
.
, the distributivity of \((\cdot )\) over \(\max \) in the right-hand-side position. The extended manuscript [14, §B] details the straightforward, but technical generalisation. The main message is as follows. In a given presentation
, if all operators distribute over binary joins in every position, the congruence rule is valid for inequations: 
supports semi-lattices in every sort and they distribute over binary joins in every positions, then we say that
supports inequational reasoning. The theory of
then admits Bloom’s logic for ordered algebraic theories [5]. We let future work determine the most appropriate variety of inequational logic [29].
. Such theories ‘absorb’ side-effects when their continuations diverge, an inherent ‘partial correctness’ property of Brookes’s model.
, for each operator
, of an operation over this carrier:
.
-algebra
by taking the carrier to be the set of countable (finite or infinite) \(X\)-subsets \(\underline{{\textbf {V}}X} :==\mathcal {P}^{\aleph _0} ( X )\), and interpret choice as union
. \(\square \)
as the identity matrix, and composition
as matrix multiplication.
, and reversing composition
. \(\square \)
carry a canonical algebra structure
, given by
, with each \(O\)-term constructor as the corresponding \(O\)-operation:
. \(\square \)
is a sorted-function \(\varphi : \underline{{\textbf {A}}} \rightarrow \underline{{\textbf {B}}}\) that preserves the operations:
.
-environment in \({\textbf {A}}\) is a sorted function
. Given such an environment, interpret terms by induction: 
-environment in
amounts to a substitution, and interpreting terms in
amounts to substitution. \(\square \)
-environment
in a
is a homomorphism
. \(\square \)
when evaluation in all environments equates its sides:
for all
. We then write
. A
-model is an algebra validating all of
. The soundness theorem of equational logic states that every
-model validates all the equations in the algebraic theory of
.
, and bottom as zero
. This is not a \(\textsf {J}\)-model, since, taking
with \(ex= 1\), we get
; and so
. \(\square \)
-models whose elements represent the
-terms up-to provable equality in
.
-model
over a family
consists of a
-model \({\textbf {A}}\) and an
-environment in it
. A free
-model
over a family
is then a
-model over
such that every environment in every
-model
extends uniquely along \(\operatorname {return }\) to a
-homomorphism \(e^{\#}: {\textbf {A}}\rightarrow {\textbf {B}}\), i.e., for all
, we have:
. We then say that the algebra
represents
-environments via the assignment
, the corresponding representation.
-model over
for every family
, one standardly obtains a monad suitable for the denotational semantics of a language with computational effects conforming to the operators in
.
it forms a free \(\textsf {V}\)-model over \(X\). The representation assigns
to
, defined
; how it enumerates \(D\) doesn’t matter since
is a
-model. The data
is a monad. \(\square \)
with a finite set of locations
each storing a bit
. A larger finite set of storable-values would not be conceptually different. Infinite sets of storable-values or locations work similarly with more involved representation theorems. In concrete examples, we let
and use non-bracketed vectors for stores, e.g.
denotes
.
up and branch according to the value found; and update operators \({\textsf {U}}_{\ell ,b} : 1\), to update a location \(\ell \in \mathbb {L}\) to the value
. The global state axioms
consists of the countable-join semilattice axioms (example 5), as well as the following: 
; and other combinations of looking-up and updating different locations commute, e.g. for any
we have
.
of shared state extends global state. Its sorts are
. The hold sort \((\bullet )\) represents an uninterrupted sequence of memory accesses, whereas the cede sort
allows control to pass to the environment. The operators and the arities of the signature
consist of a copy of \(\Sigma _{\textsf {G}}\) at \(\bullet \), a copy of
at
, and new operators
and
.
) represents points in the execution in which one of the threads in the concurrent environment may acquire the lock. The sorts ensure exclusive access to the lock, and therefore to the store. In an alternative interpretation, these operators delimit atomic blocks; their sorts prevent nesting.
include a copy of the (non-deterministic) global state axioms
at \(\bullet \) and a copy of the countable-join semilattice axioms \(\text {Ax}_{\textsf {V}}\) at
. In particular,
proves the semi-lattice axioms in both sorts. It further includes standard strict distributivity axioms for the new unary operators:
supports inequational reasoning, which represents the semantic refinement relation used to validate program transformations [e.g. 11].
axiomatises \(\mathop {\lhd }\) and \(\mathop {\rhd }\) as an (insertion)-closure pair [e.g. 1]: 
). Acquiring and immediately releasing the lock has no effect on the sequence of effects that can occur as a result of arbitrary interleavings.
.
-sorted over
: 
does not prove Write Intro in example 25. Here we show
proves the other two: 
-model over any
. Following Brookes [6], we use sets of traces to denote behaviours.
or
) followed by a non-empty sequence of state transitions, and ending in a sorted value. The initial sort in the trace and the initial store in each transition represent assumptions the trace relies on from its concurrent and sequential environment. The final sort and value and the final store in each transition represent guarantees the trace makes to its environment.
. Let \(\xi ^?\in ( \mathbb {S}\times \mathbb {S} )^*\) range over possibly empty sequences of transitions, and \(\xi \in ( \mathbb {S}\times \mathbb {S} )^+\) range over non-empty ones. For any set \(X\), define the set of X-valued Brookes traces \(\textsf {T}X:==( \mathbb {S}\times \mathbb {S} )^+ \times X\), also used in Brookes’s model (§6). For any family
define the
-sorted family
of traces
. Then, for any sorted family
, we define the set of sorted traces over
by: 
-sorted
-valued trace is one of the form
in the set
.
, with
, is \(\bullet \)-sorted and
-valued. \(\square \)
models a potential behaviour, or protocol, that a shared-state program phrase under preemptive interleaving concurrency can exhibit, or adhere to, given as a rely/guarantee sequence.
relies on the preceding environment for \({\begin{smallmatrix}1 \\ 1 \end{smallmatrix}}\) and for the sequential environment to hold access to the store; then guarantees \({\begin{smallmatrix}1 \\ 0 \end{smallmatrix}}\); then relies on \({\begin{smallmatrix}1 \\ 1 \end{smallmatrix}}\); and finally guarantees \({\begin{smallmatrix}0 \\ 0 \end{smallmatrix}}\), and returns 7 to the succeeding sequential environment, ceding exclusive store access. \(\square \)
) between transitions. For example, for the trace
, we could write
for emphasis. A hypothetical
would denote an impossible behaviour, making intermediate sorts redundant.
) and mumble(
), defined in such a way that if the program phrase can adhere to the source protocol (left of arrow), then it can adhere to the target protocol (right of arrow).
for the trace
in which, intuitively, the lock is ceded (
) at the marked spot. Formally, we require that both (a) if \(\xi ^?_1\) is empty, then
; and (b) if \(\xi ^?_2\) is empty, then
. In particular, the requirement holds when both \(\xi ^?_1\) and \(\xi ^?_2\) are non-empty, where we implicitly assume the ceded sort between them; and in the case of a
-sorted
-valued trace, i.e.
.
: 
) means a thread-pool also obeys the protocol that guarantees a state \(\sigma \) by relying on its environment for \(\sigma \).
) means a thread-pool that guarantees the store
it later relies on also obeys the protocol in which we exclude the environment’s access to the store
at that point.
; and if
and
for
, then
. According to the rely/guarantee intuition above, a program phrase that is compatible with a set of traces is also compatible with its closure. We therefore represent program phrases as closed sets, i.e. sets \(K\) such that \(K= K^{\dagger }\). The closure \(K^{\dagger }\) of a countable \(K\) is countably infinite—by 
, define a
-sorted family \(\mathcal {P}^{\aleph _0} ( U )\) by taking its
component to be the set
of countable subsets of \(U\) whose elements are all
-sorted. Similarly, define
to be the set of closed countable subsets of \(U\) whose elements are all
-sorted.
implies that
.
, define the
-algebra of
-valued closed trace-sets
as: 
by
.
over
is a free
-model over
. A key ingredient is reification: for any
-sorted family
, we define a sorted-function
, choosing a representative term
such that
. This use of countable choice is inessential, the mere existence of the defining term \(t_2\) suffices.
and \(b\in \mathbb {B}\) the cell assertion term
that looks \(\ell \) up and only continues if it holds \(b\): 
we define the open transition
, as a term that asserts the state is
, then updates the state to
, and returns \(x\): 
by sequencing open transition as they are in \(\xi \), separated by
; and delimited by
on the left if
and by \(\mathop {\rhd }\) on the right if
.
\(\square \)
-sorted traces over
, such that
for
. Then
.
.
-representation). The pair
is a free
-model over
. Its representation sends environments
to
-homomorphisms
by
. Moreover, for
we have: 
invalidates Write Intro: 
does not prove Write Intro. \(\square \)
recovers Brookes’s model (§6.1). We recover it twice, using different strategies that offer different perspectives. The first transforms the monad induced by the representation of §5.2 along a right adjoint
sending each
-family
to the set
(§6.2). In the second, we define a single-sorted theory of transitions \(\textsf {B}\) that recovers Brookes’s model straightforwardly (§6.3). In this theory, the transition operators correspond to Brookes’s 
. The embedding factors through another, two-sorted, theory of transitions \(\textsf {T\!r}\) (§6.5).
for
, Brookes’s stutterand mumbledeductions are: 
,
. The Kleisli extension
of every \(e: X\rightarrow BY\) is
. It interprets memory accesses, dereferencing (\(\ell !\)) and mutation (\(\ell := b\)), as follows: 
-sorted
-valued traces.
-sorted model. The functor
has a left-adjoint
. This functor sends each set \(X\) to the
-family
, using the set-like notation for families we introduced in §3.1. Monads transform along adjoints, and transforming the monad obtained standardly from the representation of §5.2 along the adjunction above results in Brookes’s model. Explicitly, denoting
, the resulting monad over \({\textbf {Set}}\) is
. This monad is isomorphic to Brookes’s
above by way of removing
from both ends of every trace. Thus, the Brookes model amounts to the free
-model from §5.2 transformed along the adjunction
. The monad \({\textbf {R}}\) supports the following generic effects. The adjunction transforms them, via its natural bijection on homsets, into Brookes’s generic effects for memory access: 
and a unary transition operator
for every
. The axioms
consist of the countable-join semilattice axioms \(\text {Ax}_{\textsf {V}}\), strict distributivity axioms
, and: 
to match an adjacent transition, and apply the mumbleclosure rule to obtain the required consequence. This nuanced observation exposing the hushrule would be hard to notice without this algebraic analysis.
by
.
. The monad obtained from the next proposition is Brookes’s model:
is a free \(\textsf {B}\)-model over \(X\), for which the representation sends
to
by
.
. It lifts to
by precomposition:
. It forms the object part of a geometric morphism between (pre)sheaf toposes, i.e., it has left and right adjoints. The left adjoint
is in this case
. When \(\epsilon \) is injective, the left adjoint is given by the simpler formula
.
is the forgetful functor
. As we saw in §6.2, its left adjoint is
. \(\square \)
a map between their sort sets. A translation of signatures \({\textbf {E}}: \Sigma _1 \rightarrowtail \Sigma _2\) along \(\epsilon \) is an assignment, to each
, of a term
. Such a translation yields a functor \({\textbf {E}}_\textrm{tln}: {\textbf {Alg}}\Sigma _2 \rightarrow {\textbf {Alg}}\Sigma _1\), mapping a \(\Sigma _2\)-algebra \({\textbf {B}}\) to: 
, such a translation therefore extends uniquely to a \(\Sigma _1\)-homomorphism
.
along
that translates the \(\Sigma _{\textsf {G}}\)-operators using their respective copies in the \(\bullet \) sort: 
along \(\epsilon \) is a translation of their signatures along \(\epsilon \) that, moreover, preserves the provability of axioms: 
. \(\square \)
along
is an identity translation when, for all terms
, we have
. A translation
along \(\epsilon \) is an equivalence if \(\epsilon \) is a bijection, and there exists an embedding
along \(\epsilon ^{-1}\), such that \({\textbf {E}}\circ {\textbf {E}}^{-1}\) and \({\textbf {E}}^{-1}\circ {\textbf {E}}\) are identity translations. We then write
and say that the presentations are equivalent. Two multi-sorted theories are equivalent iff their associated free-model monads are isomorphic.
as sequential operators. The signature \(\Sigma _{\textsf {T\!gs}}\) consists of countable-joins \(\Sigma _{\textsf {V}}\) and a unary open transition operator
for
. The axioms \(\text {Ax}_{\textsf {T\!gs}}\) consist of the countable-join semilattice axioms \(\text {Ax}_{\textsf {V}}\), strict distributivity axioms
, and: 
. Conversely, translate \({\textbf {E}}_{\textsf {T\!gs}} : \textsf {G}\rightarrowtail \textsf {T\!gs}\) as follows, similar to the representation of update and lookup from §5.2: 
along
. We define a two-sorted presentation \(\textsf {T\!r}\), mimicking the definition of
but replacing the operators and axioms of \(\textsf {G}\) with those of \(\textsf {T\!gs}\) in the hold (\(\bullet \)) sort:
. Extending the translations \({\textbf {E}}_{\textsf {T\!gs}}\) and \({\textbf {E}}_{\textsf {G}}\) to all of the operators gives an equivalence
. So \(\textsf {T\!r}\) induces the same monad as
, recovering Brookes’s model.
by sending transitions to their delimited open counterparts:
. Using
we get
(fig. 3). Brookes’s model, as a free \(\textsf {B}\)-model, is thus the
-sorted fragment of
over
-variables, formally.
). It separates reasoning into two layers. In the held layer (\(\bullet \)), we prohibit the concurrent environment from accessing memory, and we can reason about memory accesses by a pool of threads sequentially. In the ceded layer (
), the concurrent environment may interleave, and local memory access is forbidden. We also presented theories of transitions (\(\textsf {B}\), \(\textsf {T\!gs}\), & \(\textsf {T\!r}\)) and formally related them to (non-deterministic) global state (\(\textsf {G}\)) and shared state (
). The single-sorted theory \(\textsf {B}\) recovers Brookes’s model, but it does so by using Brookes’s 
addresses these concerns. It admits the global state theory as-is, and axiomatises the mode-switching operators (
/\(\mathop {\rhd }\)) without explicit interaction with global state. This theory recovers Brookes’s model exactly, in a principled manner: by transforming a monad and its operations along an adjunction; and, independently, through algebraic translations.
and
. We expect the axiomatisation’s design to require subtlety.
