Temporal logic and functional reactive programming

Temporal Logic and Functional Reactive Programming
Sergei Winitzki
Bay Area Categories and Types
April 25, 2014
Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 1 / 23

What is reactive programming
Transformational programs Reactive programs
example: pdflatex frp_talk.tex example: any GUI program
start, run, then stop keep running indenitely
read some input, write some output wait for signals, send messages
execution: sequential + some parallel main run loop + concurrency
diculty: algorithms signal/response sequences
specication: classical logic temporal logic? owcharts?
verication: prove it correct model checking?
synthesis: extract code from proof temporal synthesis?
type theory: intuitionistic logic intuitionistic temporal logic

The uses of logic in computer science
1 Logic as a specication language - enables automatic verication
Automatic synthesis of programs from specications?
2 (Intuitionistic) logic as type theory - guides language design
Mathematicians have already minimized the set of axioms!
3 Logic programming - use a decidable subset of logic
Very high-level language, but limited to its domain
4 Automated theorem proving - derive a program as a proof artifact
Requires advanced type systems and proof heuristics

Part 1: Introduction to temporal logic
Let's forget all philosophy, what is time, what is true, modal logic...
We want to see logic as a down-to-earth, computationally useful tool
We begin with the computational view of classical Boolean logic

Boolean algebra: notation
Classical propositional (Boolean) logic: T , F , a ∨ b, a ∧ b, ¬a, a → b
A notation better adapted to school-level algebra: 1, 0, a + b, ab, a
The only new rule is 1 + 1 = 1
Dene a → b = a + b
Some identities:
0a = 0, 1a = a, a + 0 = a, a + 1 = 1,
a + a = a, aa = a, a + a = 1, aa = 0,
(a + b) = a b , (ab) = a + b , a = a
a (b + c) = ab + ac, (a + b) (a + c) = a + bc
DNF = expand all brackets. Some DNF simplication tricks:
a + ab = a, a (a + b) = a,
(a → b) a → c = ab + a c,
(a → x) b → x = a + x b + x = x a + xb

Boolean algebra: example
Of the three suspects A, B, C , only one is guilty of a crime.
Suspect A says: B did it. Suspect B says: C is innocent.
The guilty one is lying, the innocent ones tell the truth.
φ = ab c + a bc + a b c a b + ab b c + bc
Simplify: expand the brackets, omit aa , bb , cc , replace aa = a etc.:
φ = ab c + 0 + 0 = ab c
The guilty one is A.

Synthesis of Boolean programs
Specication of a Boolean program:
If the boss is in, I need to work unless the telephone rings.
If the boss is not in, I go drink tea.
b =boss is in, r =telephone rings, w =I work, w =I drink tea
φ(b, r , w ) = br → w b → w
= w br + wb = w b + r + wb
Goal: given any b and r , compute w such that φ(b, r , w ) = 1.
One solution is just φ(b, r , w = 1):
w = φ(b, r , 1) = 0 b + r + 1b = b
I work if and only if the boss is in
(Other solutions exist, e.g. w = br )

Propositional linear-time temporal logic (LTL)
Reactive programs respond to an innite stream of signals
So let's work with innite boolean sequences (linear time)
Boolean operations:
a = [a0, a1, a2, ...] ; b = [b0, b1, b2, ...] ;
a + b = [a0 + b0, a1 + b1, ...] ; a = a0, a1, ... ; ab = [a0b0, a1b1, ...]
Temporal operations:
(Next) Na = [a1, a2, ...]
(Sometimes) Fa = [a0 + a1 + a2 + ..., a1 + a2 + ..., ...]
(Always) Ga = [a0a1a2a3..., a1a2a3..., a2a3..., ...]
Other notation (from modal logic):
Na ≡ a; Fa ≡ ♦a; Ga ≡ a

Temporal xpoints and the µ-calculus notation
LTL admits only temporal functions dened by xpoints:
Fa = [a0 + a1 + a2 + a3 + ..., a1 + a2 + a3 + ..., ...]
Fa = a + N(Fa)
Ga = [a0a1a2a3..., a1a2a3..., a2a3..., ...]
Ga = aN(Ga)
Notation: µ for the least xpoint, ν for the greatest xpoint
Fa = µx. (a + Nx) ; Ga = νx. (a(Nx))
but νx. (a + Nx) = 1; µx. (a(Nx)) = 0
The most general xpoints involving only one N:
(weak Until) pUq = νx. (q + p(Nx))
(strict Until) p ˙Uq = µx. (q + p(Nx))

LTL: interpretation of Until
Weak Until: pUq = p holds from now on until q rst becomes true
pUq = q + pN(q + pN(q + ...))
Example:
a = [1, 0, 0, 0, 1, 0, ...]
b = [0, 1, 0, 1, 0, 1, ...]
aUb = [1, 1, 0, 1, 1, 1, ...]
Strict Until: p ˙Uq = q must become true, and p holds until then
Dualities: (Fa) = G(a ); also (p ˙Uq) = q U(p q )

LTL: temporal specication
Whenever the boss comes by my oce, I will start working.
Once I start working, I will keep working until the telephone rings.
G((b → Fw ) (w → w Ur )) = G b + Fw w + w Ur
Whenever the button is pressed, the dialog will appear.
The dialog will disappear after 1 minute of user inactivity.
G (b → Fd ) (d → Ft) d → d Utd
The timer t is an external event and is not specied here
Dicult to say x stays true until further notice

LTL: disjunctive normal form
What would be the DNF in LTL? Let's just expand brackets:
φ = G b + Fw w + w Ur = b + Fw w + w Ur Nφ
= b + w + N(Fw ) w + r + w N(w Ur ) Nφ
= b + w + N(w + N(Fw )) w + r + w N(r + w N(w Ur )) N(...)
= ... N(... ...N(... ...N(...))) ...
We will never nish expanding those brackets!
But many subformulas under N(...) are the same:
φ1 = Fw ; φ2 = w Ur ;
φ = b + w + Nφ1 w + r + w Nφ2 Nφ
= rw + b w Nφ + w N(φφ1) + w N(φφ2)

LTL: disjunctive normal form
Let's expand and simplify φφ1 and φφ2: we get simultaneous xpoints
φ = rw + b w N(φ) + w N(φφ1) + w N(φφ2);
φφ1 = rw N(φ) + r + w N(φφ1) + w N(φφ2);
φφ2 = r w + b N(φ) + r N(φφ1) + w N(φφ2).
The DNF for LTL is a graph!
φ φφ1
rw + b′
w′
w′
w
rw r
φφ2
w
r + w′
r(w + b′
)
w

The failure of LTL program synthesis
Goal: given b and r , determine w
The DNF generates a nondeterministic nite automaton (NFA) for w
States of the automaton are φ, φφ1, φφ2, ... (sets of xpoints of φ)
The DNF construction generates these states for us
Determinizing the automaton may exponentially increase its size
Worst case: for φ with n xpoints, DFA will have 2
2n
states
Specications will generally need to use many xpoints. Example:
Whenever b is pressed, send query q and show w (Waiting).
Upon reply r , show d (Done). Pressing c (Cancel) stops waiting.
φ = G[ bw → bUd w w → d w U(c + r )
cw → cUw q ↔ bw rw → r Udw ].
LTL is not particularly convenient for modular specication
Synthesis is not practical (I write and debug my automata by hand...)

Part 2: Temporal logic as type theory
Logic gives a recipe for designing a minimal programming language
(Curry-Howard isomorphism)
Typically, we use an intuitionistic version of the logic:
No negation, no ⊥; only a + b, ab, a → b
No law of excluded middle
No truth tables, no simplication
Usually, cannot derive proofs automatically
Axioms are predened terms needed in the language
Example: (a → c) → (b → c) → (a + b → c) is the case operator
Proof rules are predened constructions needed in the language
Example: modus ponens (a; a → b so b) is function application
Natural deduction rules are typing rules for the language

Interpreting values typed by LTL
What does it mean to have a value x of type, say, G(α → αUβ)?
x : Nα means that x : α will be available only at the next time tick
(x is a deferred value of type α)
x : Fα means that x : α will be available at some future tick(s)
(x is an event of type α)
x : Gα means that a (dierent) value x : α is available at every tick
(x is an innite stream of type α)
x : αUβ means a nite stream of α that may end with a β
Some temporal axioms of intuitionistic LTL:
(deferred apply) N(α → β) → (Nα → Nβ) ;
(streamed apply) G(α → β) → (Gα → Gβ) ;
(generate a stream) G(α → Nα) → (α → Gα) ;
(read innite stream) Gα → αN(Gα)
(read nite stream) αUβ → β + αN(αUβ)

A small FRP language: Elm
Core Elm: polymorphic λ-calculus with lift2, foldp, async
lift2 : (α → β → γ) → Gα → Gβ → Gγ
foldp : (α → β → β) → β → Gα → Gβ
async : Gα → Gα
(lift2 makes G an applicative functor)
async is a special scheduling instruction
Limitations:
Cannot have a type G(Gα), also no concept of N or F
Cannot construct temporal values by hand
This language is an incomplete Curry-Howard image of LTL!
I work after the boss comes by and until the phone rings:
let after_until w (b,r) = (w or b) and not r in
foldp after_until false (boss, phone)

Legacy FRP systems: FrTime, Fran, AFRP, etc.
Two functors: continuous behavior Gα and discrete event Fα
Time is conceptually continuous
Explicit N, delay by time ∆t, explicit values of time
Many predened combinators that do not follow from type theory:
value-now, delay-by, integral, ... (FrTime)
merge, switcher, G(Gα), ... (Fran)
AFRP: temporal values are not available, only combinators!

A lower-level FRP language: AdjS
A lower-level type system: Nα (next), ˆµα.Σ (µ+next), α (stable)
Explicit one-step temporal xpoints, for example Fτ = ˆµα.τ + α
τ = ˆµα.Σ ∼= ˆµα.
Nτ
α
Σ
Term assignments, simplied (see Krishnaswamy's paper):
Γ e : α
Γ next e : Nα
NI
Γ f : Nα Γ, x : α e : β
let next x = f in e : β
NE
Γ e : [N(ˆµα.Σ)/α] Σ
Γ into e : ˆµα.Σ
ˆµI
Γ e : ˆµα.Σ
Γ out e : [N(ˆµα.Σ)/α] Σ
ˆµE
Γ e : α
Γ stable e : α
I
Γ f : α Γ, x : α e : β
Γ let stable x = f in e : β
E

Dreams of an ideal FRP language
Requirements for a broadly usable FRP language:
stable and temporal types distinguished statically
seamless conversion from int to G(int) and back, for stable types
construct values of type Fα by hand: from asynchronous scheduling
construct values of type Fα from external sources (environment)
tick-free operation: N is not needed, use F instead
the runloop (UI thread / background threads) needs to be represented
I guess we are still in the research phase here...

Conclusions and outlook
LTL is not a good t as a specication language for reactive programs
LTL synthesis from specication is theoretical, not practical
FRP tries to make specication closer to implementation
There are some languages that implement FRP in various ad hoc ways
The ideal is not (yet) reached

Abstract
In my day job, most bugs come from imperatively implemented reactive
programs. Temporal Logic and FRP are declarative approaches that
promise to solve my problems. I will briey review the motivations behind
and the connections between temporal logic and FRP. I propose a rather
pedestrian approach to propositional linear-time temporal logic (LTL),
showing how to perform calculations in LTL and how to synthesize
programs from LTL formulas. I intend to explain why LTL largely failed to
solve the synthesis problem, and how FRP tries to cope.
FRP can be formulated as a λ-calculus with types given by the
propositional intuitionistic LTL. I will discuss the limitations of this
approach, and outline the features of FRP that are required by typical
application programming scenarios.
My talk will be largely self-contained and should be understandable to
anyone familiar with Curry-Howard and functional programming.

Suggested reading
E. Czaplicki, S. Chong. Asynchronous FRP for GUIs. (2013)
E. Czaplicki. Concurrent FRP for functional GUI (2012).
N. R. Krishnaswamy.
https://www.mpi-sws.org/∼neelk/simple-frp.pdfHigher-order functional
reactive programming without spacetime leaks(2013).
M. F. Dam. Lectures on temporal logic. Slides: Syntax and semantics of
LTL, A Hilbert-style proof system for LTL
E. Bainomugisha, et al. A survey of reactive programming (2013).
W. Jeltsch. Temporal logic with Until, Functional Reactive Programming
with processes, and concrete process categories. (2013).
A. Jerey. LTL types FRP. (2012).
D. Marchignoli. Natural deduction systems for temporal logic. (2002).
See Chapter 2 for a natural deduction system for modal and temporal
logics.

Temporal logic and functional reactive programming

More Related Content

What's hot (9)

Similar to Temporal logic and functional reactive programming (20)

Recently uploaded (20)

Temporal logic and functional reactive programming