Two talks about specification and objects (krivine/articles/Agay.pdf)


Two talks about specification and objects

Agay Spring School, March 29, 2002

Jean-Louis Krivine, PPS Group, University Paris VII, C.N.R.S.

e-mail [email protected]

In these talks, which will be developed in forthcoming papers, I give two cases of a very general and interesting problem which arises naturally from the Curry-Howard correspondence, and which I call the specification problem. Indeed, if you take seriously the correspondence: theorem ⇒ specification, then you ask the following: given a mathematical theorem Θ, what are the common features of all the programs which are associated with all the proofs of Θ? If you can answer this question, you have found the specification associated with Θ.

The naive answer to this problem is: the specification associated with a theorem is given by its very text. In fact, this is true for any arithmetical theorem of the form (∀x ∈ N)(∃y ∈ N)F(x, y) where F is a recursive predicate; like: ‘‘There are infinitely many prime numbers’’. But this naive idea is completely false in practically every other case, even the simplest ones. Take, for example, the excluded middle, which corresponds to control instructions; this specification was only found rather recently, about ten years ago, which means it was not so trivial!

In order to study this problem, there is a powerful tool, which is often very helpful: the method of realizability in classical logic. Realizability in intuitionistic logic was used with great success, particularly by Tait and by Girard, to prove strong normalisation theorems. Some substantial adaptations are needed in order to use it in the context of classical logic, and they are (briefly) explained in these lectures.

In the first lecture, I consider the specification problem for arithmetical theorems in prenex form like before, but with an arbitrary prefix; for example, (∀x ∈ N)(∃y ∈ N)(∀z ∈ N)F(x, y, z) where F is again a recursive predicate. The famous Roth’s theorem, about rational approximations of algebraic numbers, is of this form and it is known to be non constructive.

The second lecture deals with the trivial valid formula: ∃x(Px → ∀y Py), which is sometimes called the ‘‘drinker’s theorem’’.

It is interesting to observe that, in both cases, object oriented programming appears in a natural way. Moreover, the second example seems to give a good theoretical basis for this programming style.

**********


Arithmetical theorems, call-by-value, objects

Jean-Louis Krivine

PPS Group, University Paris 7, CNRS

[email protected]


Two games for a formula

Let Φ ≡ ∃x₁∀y₁…∃xₖ∀yₖ F(x₁, y₁, …, xₖ, yₖ) (F is quantifier-free). Consider these games between the player ∃ and the opponent ∀:

Game 1. ∃ plays n₁ ∈ N, ∀ plays p₁ ∈ N, …, ∃ plays nₖ, ∀ plays pₖ. ∃ wins iff F(n₁, p₁, …, nₖ, pₖ).

Game 2. No change for ∀, but a much better situation for ∃: a position of the game is an integer sequence n₁p₁…nᵢpᵢ (0 ≤ i < k). ∃ first chooses an already reached position n₁p₁…nᵢpᵢ (possibly i = 0), then an integer nᵢ₊₁. ∀ chooses an integer pᵢ₊₁. If i+1 < k, they have reached the position n₁p₁…nᵢ₊₁pᵢ₊₁; go on. If i+1 = k: if F(n₁, p₁, …, nₖ, pₖ), then ∃ has won; else go on. Thus ∀ wins iff the game lasts infinitely long.


Truth of arithmetical formulas

It is trivial that N ⊨ Φ iff the player ∃ has a winning strategy for game 1. The same is true for game 2. But the difference is that, in this case, we can effectively (and easily) describe such a winning strategy. Moreover this strategy does not depend on Φ, but only on the number k of quantifiers.

A universal strategy

The player ∃ uses an effective enumeration of Nᵏ. When he comes to the k-uple n₁…nₖ, he chooses the longest already reached position of the form n₁p₁…nᵢpᵢ. Then he successively plays nᵢ₊₁, …, nₖ regardless of the choices of ∀. Then he takes the next k-uple. If this play is infinite, we get k functions fᵢ(x₁, …, xᵢ) such that

N ⊨ ∀x₁…∀xₖ ¬F(x₁, f₁x₁, x₂, f₂x₁x₂, …, xₖ, fₖx₁…xₖ)

which is the Skolem form of ¬Φ. Thus N ⊨ ¬Φ.


Truth of arithmetical formulas (cont.)

Conversely, if N ⊨ ¬Φ, there exist k functions fᵢ(x₁, …, xᵢ) such that the Skolem form of ¬Φ is satisfied. Of course, they provide a winning strategy to the opponent ∀. QED

On the contrary, in the case of game 1, there is no such universal strategy. Indeed, for a given true formula Φ, it is in general impossible to describe effectively a winning strategy for ∃, even in the case k = 1.

All this is pure model theory: it is simply a way to define the satisfaction of a prenex formula in a denumerable model.
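Game 2 and the universal strategy for ∃ described above, as an added example (not code from the talks): ∃ enumerates Nᵏ, reuses the longest already reached position, and plays the remaining nᵢ regardless of ∀'s replies; ∀ is any function from the current position to an integer. The predicates F_true, F_false and the two opponents are constructed for the test; the move bound stands in for an infinite play, which is a win for ∀.

```python
from itertools import count

def tuples_with_sum(k, total):
    """All k-tuples of natural numbers with the given sum (helper for the enumeration)."""
    if k == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in tuples_with_sum(k - 1, total - first):
            yield (first,) + rest

def enumerate_nk(k):
    """An effective enumeration of N^k: the tuples of sum 0, then of sum 1, and so on."""
    for total in count():
        yield from tuples_with_sum(k, total)

def play_game2(F, k, opponent, max_moves=10_000):
    """
    Game 2 with the universal strategy for the player ∃.
    F        : predicate on 2k integers, F(n1, p1, ..., nk, pk) -> bool
    opponent : the player ∀, a function position -> int, where position is the
               tuple (n1, p1, ..., ni, pi, n_{i+1}) it has to answer to
    Returns the position (n1, p1, ..., nk, pk) at which ∃ won, or None when ∀ has
    answered max_moves times without losing (the bound replaces 'the play is infinite').
    """
    # every reached position n1 p1 ... ni pi, indexed by the moves (n1, ..., ni) of ∃;
    # the empty position is reached from the start
    reached = {(): ()}
    moves = 0
    for ns in enumerate_nk(k):
        # the longest already reached position of the form n1 p1 ... ni pi
        i = max(j for j in range(k + 1) if ns[:j] in reached)
        position = reached[ns[:i]]
        # now play n_{i+1}, ..., nk whatever ∀ answers
        while i < k:
            if moves >= max_moves:
                return None
            moves += 1
            p = opponent(position + (ns[i],))
            position = position + (ns[i], p)
            i += 1
            # the first reply of ∀ at this position is the one that defines f_i
            reached.setdefault(ns[:i], position)
        if F(*position):
            return position

# Constructed sample formulas with k = 2.
def F_true(n1, p1, n2, p2):
    # ∃x1 ∀y1 ∃x2 ∀y2 (x2 = y1) holds in N: ∃ only has to copy the first reply of ∀
    return n2 == p1

def F_false(n1, p1, n2, p2):
    # ∃x1 ∀y1 ∃x2 ∀y2 (x2 > y2) is false: ∀ wins by always answering y2 = x2
    return n2 > p2

def modular_opponent(position):
    # a constructed ∀ whose reply depends on the whole position reached so far
    return (sum(position) % 7) + 2

def copying_opponent(position):
    # the winning ∀ for F_false: answer the integer ∃ has just played
    return position[-1]
```

Against modular_opponent the strategy wins F_true at the tuple (0, 2), reusing the position 0 2 reached when ∃ first played n₁ = 0; against copying_opponent no tuple ever satisfies F_false and the run is cut off by the bound.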


Specification of arithmetical theorems

Let us write every quantifier-free arithmetical formula F in the form φ(x₁, y₁, …, xₖ, yₖ) = ψ(x₁, y₁, …, xₖ, yₖ) where φ, ψ are terms built with primitive recursive functions (or even simply with 0, s, +, ×). Assume that Φ ≡ ∃x₁∀y₁…∃xₖ∀yₖ F(x₁, y₁, …, xₖ, yₖ) is provable in classical second order arithmetic. Then a natural problem is: not to extract programs from the proofs of Φ (which is trivial) but to extract a specification from the formula Φ itself.

In other words: what is the common behaviour of the programs associated with all the proofs of Φ?

I call this question the specification problem for the theorem Φ. 50 years ago, in [3,4], G. Kreisel raised a partial form of this problem: what is the constructive interpretation of such arithmetical theorems Φ? He answered by means of his no-counterexample interpretation.


Today, our answer to the specification problem will be given by the following theorem.

Theorem. The formula Φ corresponds to the following specification: an interactive program which can stand in for the player ∃ in the second game associated with Φ and always win.

The existence of such a program does not seem extraordinary, since we saw that there is a very simple universal winning strategy. But the strategies given by the various proofs of Φ will be typable λ-terms of type Φ. Therefore, we can use them as modules inside a proved main program.

The proof of this theorem is interesting, because two essential features of imperative programming languages appear in it, in a natural way:

• call-by-value for a given data type (here the type of integers)
• object oriented programming, at least for one important aspect which is dynamic binding.

We now define realisability in classical second order logic, which is the essential tool for this proof.


The λc-calculus

Λ (resp. Λ₀) is the set of arbitrary (resp. closed) λc-terms. Π is the set of stacks. They are built following these rules:

1. Any variable x, and the constant cc, are λc-terms.
2. If t, u are λc-terms and x is a variable, then (t)u and λx t are λc-terms.
3. If π is a stack, the constant k_π is a λc-term (called a continuation).

A stack is a sequence π = t₁.….tₙ.ρ of closed λc-terms tᵢ ended with a stack constant ρ (the bottom of the stack); t.π denotes the stack obtained by pushing t on the top of π.

A process is a ‘‘product’’ t ⋆ π (t ∈ Λ₀, π ∈ Π). It can be performed; a λc-term alone cannot. t is called the head of the process t ⋆ π; at each time, the head is the part of the process which is executed.


Execution of processes

Let π, π′ ∈ Π and t, u ∈ Λ₀:

tu ⋆ π ≻ t ⋆ u.π (push)
λx t ⋆ u.π ≻ t[u/x] ⋆ π (pop)
cc ⋆ t.π ≻ t ⋆ k_π.π (store the stack)
k_π ⋆ t.π′ ≻ t ⋆ π (restore the stack)

Now, let ⊥⊥ be a fixed cc-saturated set of processes, i.e.:

t ⋆ π ∈ ⊥⊥, t′ ⋆ π′ ≻ t ⋆ π ⇒ t′ ⋆ π′ ∈ ⊥⊥

A truth value is a subset of Λ₀ of the form P → ⊥⊥ for any P ⊂ Π:

P → ⊥⊥ = {t ∈ Λ₀ ; (∀π ∈ P) t ⋆ π ∈ ⊥⊥}

The set of truth values is denoted by ℜ_⊥⊥ or simply ℜ. The truth value of a formula, defined below, will be the set of λc-terms which realize this formula.


Typing in classical 2nd order logic

The only logical symbols are →, ∀ and function symbols on individuals. ⊥ is defined as ∀X X; ∃x F[x] as ∀X{∀x(F[x] → X) → X}; etc.

Let Γ denote x₁ : A₁, …, xₙ : Aₙ (a context). Typing rules are:

1. Γ ⊢ xᵢ : Aᵢ (1 ≤ i ≤ n)
2. Γ ⊢ t : A → B, Γ ⊢ u : A ⇒ Γ ⊢ tu : B.
3. Γ, x : A ⊢ t : B ⇒ Γ ⊢ λx t : A → B.
4. Γ ⊢ t : (A → B) → A ⇒ Γ ⊢ cc t : A.
5. Γ ⊢ t : A ⇒ Γ ⊢ t : ∀x A (resp. ∀X A) if x (resp. X) is not free in Γ.
6. Γ ⊢ t : ∀x A ⇒ Γ ⊢ t : A[τ/x] for every term τ.
7. Γ ⊢ t : ∀X A ⇒ Γ ⊢ t : A[Φ(x₁, …, xₙ)/Xx₁…xₙ] for every formula Φ. This is the comprehension scheme for second order logic.


Realizability

A model M is a set M of individuals, together with an interpretation f_M : Mᵏ → M of each k-ary function symbol f. The domain of variation of k-ary 2nd order variables is ℜ^(Mᵏ), where ℜ is the set of truth values. Let A be a closed 2nd order formula with parameters in M and ℜ^(Mᵏ). Its truth value, defined below, is |A| = ‖A‖ → ⊥⊥ with ‖A‖ ⊂ Π. We say that t ⊩ A (t realizes A) if t ∈ |A|, i.e. (∀π ∈ ‖A‖) t ⋆ π ∈ ⊥⊥.

The definition is by induction on A. If A is atomic, i.e. R(a₁, …, aₖ) with aᵢ ∈ M and R ∈ ℜ^(Mᵏ), the definition is evident.

‖A → B‖ = {t.π ; t ⊩ A, π ∈ ‖B‖} ; ‖∀x A‖ = ⋃_{a∈M} ‖A[a/x]‖ ;

‖∀X A‖ = ⋃{‖A[Ψ/X]‖ ; Ψ ∈ ℜ^(Mᵏ)}

The general specification problem

Given a provable 2nd order formula Φ, what is the common behaviour of the λc-terms t such that ⊢ t : Φ? In other words: what is the specification associated with the given theorem Φ? This is a very interesting but difficult problem. Realizability is a valuable tool because it is compatible with classical 2nd order deduction:

Adequation lemma. If x₁ : Φ₁, …, xₙ : Φₙ ⊢ t : Φ and if tᵢ ⊩ Φᵢ (1 ≤ i ≤ n) then t[t₁/x₁, …, tₙ/xₙ] ⊩ Φ.

Thus, we study the behaviour of the λc-terms which realize Φ.

We now use this framework in order to solve the specification problem for an arithmetical theorem in prenex form:

Φ ≡ ∃x₁∀y₁…∃xₖ∀yₖ [φ(x₁, y₁, …, xₖ, yₖ) = 0]


The model (when k = 1)

Of course, we take N as the set of individuals, with standard operations. In such models, second order logic (i.e. the comprehension axiom) is realized. Unfortunately, and contrary to intuition, the formula ¬∀x Int(x), that is the negation of the induction axiom, is also realized! Therefore, we must consider the formula Φ^Int with quantifiers restricted to the formula Int(x) ≡ ∀X[∀y(Xy → Xsy), X0 → Xx].

If k = 1, we get Φ ≡ ∃x∀y[φ(x, y) = 0] and therefore Φ^Int ≡ ∀x[Int(x), ∀y(Int(y) → φ(x, y) = 0) → ⊥] → ⊥.

In order to define ⊥⊥, we add to the λc-calculus the following constants: κₙₚ (n, p ∈ N) and κ, which is an input instruction. Thus the λc-terms become interactive programs.


The model (cont.)

The rule of reduction for κ is:

κ ⋆ sⁿ0.ξ.π ≻≻ ξ ⋆ sᵖ0.κₙₚ.π′

where n, p ∈ N, ξ ∈ Λ₀, π, π′ ∈ Π are arbitrary; s is a fixed λ-term for the successor in Church integers. Meaning: the program proposes n ∈ N, the opponent plays p ∈ N, and the execution goes on; κₙₚ keeps a trace of the reached position np. We define ⊥⊥ as the set of processes all reductions of which end up in κₙₚ ⋆ π with φ(n, p) = 0.

The ordered pair (sⁿ0, ξ) is an object made up of a datum n and a method ξ. This method uses the datum p given by the opponent in order to update the value of n. In the source program, this method has a fixed name (κ.method), which represents a new piece of code ξ each time it is called (i.e. each time κ arrives in head position). This is an example of dynamic binding.


Call-by-name, call-by-value

Define T = λf λn ((n)(λg g∘s)) f 0 (storage operator [6]).

Theorem. If (f)sⁿ0 ⊩ X then Tf ⊩ Int(n) → X.

Proof. Let ‖Pⱼ‖ = {sⁿ⁻ʲ0.π ; π ∈ ‖X‖} for 0 ≤ j ≤ n and ‖Pⱼ‖ = ∅ for j > n. Then λg g∘s ⊩ ∀x(Px → Psx) and f ⊩ P₀. Thus, if ν ⊩ Int(n) then ((ν)(λg g∘s)) f ⊩ Pₙ, which gives Tfν ⊩ X. QED

Let ν be a λc-term which realizes Int(n). In other words, ν is a program which ‘‘behaves like’’ the integer n. In the λc-term fν this datum is called by name by the program f. In the λc-term Tfν the same datum is called by value by f. Call-by-value is only defined for data types.

We have now got all the necessary tools in order to show the specification associated with the formula Φ^Int.


The main result (for k = 1)

Theorem. If θ ⊩ [∃x∀y(φ(x, y) = 0)]^Int then every reduction of θ ⋆ Tκ.π following ≻≻ ends up in κₙₚ ⋆ π′ with φ(n, p) = 0.

It follows that a proof of Φ in classical second order arithmetic provides an interactive program which wins against every opponent.

Notice the presence of the storage operator T. It means that the first argument of κ is a called-by-value integer. In other words, it must be computed first. This is very natural, since the instruction κ introduces the name κₙₚ. Indeed, after each reply of the opponent, the program provides an object (sⁿ0, ξ) made up of an integer n (the provisional solution) and an exception handler ξ which is used in case of a relevant reply from the opponent. These are the two arguments of κ, which is therefore a pointer towards this object.


Proof

We have θ ⊩ ∀x[Int(x), ∀y(Int(y) → φ(x, y) = 0) → ⊥] → ⊥. Thus, by the adequation lemma, it is sufficient to prove that:

Tκ ⊩ ∀x[Int(x), ∀y(Int(y) → φ(x, y) = 0) → ⊥].

By the theorem about T, this becomes:

(κ)sⁿ0 ⊩ ∀y(Int(y) → φ(n, y) = 0) → ⊥ for every n ∈ N.

Let ξ ⊩ ∀y(Int(y) → φ(n, y) = 0); thus (ξ)sᵖ0 ∈ |φ(n, p) = 0| for p ∈ N.

If φ(n, p) = 0: then |φ(n, p) = 0| is |∀X(Xφ(n, p) → X0)|, or else |∀Z(Z → Z)|. But, by definition of ⊥⊥, we also have κₙₚ ∈ |⊥|. Therefore:

(*) (ξ)sᵖ0 κₙₚ ∈ |⊥|, that is ξ ⋆ sᵖ0.κₙₚ.π ∈ ⊥⊥ for every stack π.

If φ(n, p) ≠ 0: then |φ(n, p) = 0| is ⊤ → ⊥ where ⊤ is the set of all closed λc-terms. Therefore (*) is again true.

Thus, we have ξ ⋆ sᵖ0.κₙₚ.π ∈ ⊥⊥ for every p ∈ N and π ∈ Π. Therefore, by definition of ⊥⊥, we get κ ⋆ sⁿ0.ξ.π ∈ ⊥⊥. QED


The general case

The proof is almost the same, just a bit more complicated. We introduce the constants κⁱ_{n₁p₁…nᵢpᵢ} for 0 ≤ i ≤ k. Their rule of reduction is:

κⁱ_{n₁p₁…nᵢpᵢ} ⋆ s^{nᵢ₊₁}0.ξ.π ≻≻ ξ ⋆ s^{pᵢ₊₁}0.Tᵢ₊₁κ^{i+1}_{n₁p₁…nᵢ₊₁pᵢ₊₁}.π′

with Tᵢ = T for 1 ≤ i < k and Tₖ = I.

Theorem. If θ ⊩ [∃x₁∀y₁…∃xₖ∀yₖ(φ(x₁, y₁, …, xₖ, yₖ) = 0)]^Int then every reduction of θ ⋆ Tκ⁰.π following ≻≻ ends up in κᵏ_{n₁p₁…nₖpₖ} ⋆ π′ with φ(n₁, p₁, …, nₖ, pₖ) = 0.

This means that each proof of Φ^Int gives an interactive program, which wins against every opponent, in the second game which gives the satisfaction in N of the formula Φ ≡ ∃x₁∀y₁…∃xₖ∀yₖ(φ(x₁, y₁, …, xₖ, yₖ) = 0).


Concluding remarks

The constant κⁱ_{n₁p₁…nᵢpᵢ} is a dynamic name of a pointer to an object (nᵢ₊₁, ξᵢ₊₁). This object is made up of the integer proposed by the player ∃ (which is, in fact, the program) and a method in order to continue the game. Of course, the piece of code for this method is itself dynamic.

There is a theory of this programming style (which is nothing else than object oriented programming) which uses the λc-terms of type ∀P∃x(Px → ∀y Py) (the so-called ‘‘drinker’s theorem’’). Cf. next lecture. Note that the drinker’s theorem can replace the excluded middle in order to prove a negation ∀x⃗ ¬A(x⃗). The prenex arithmetical theorems which we have just considered are of this form, since we translate ∃ by ¬∀¬. This explains the fact that we obtain programs in object oriented style.


References

1. Thierry Coquand. A semantics of evidence for classical arithmetic. J. Symbolic Logic 60, pp. 325-337 (1995).
2. Ulrich Kohlenbach. On the no-counterexample interpretation. J. Symbolic Logic 64, pp. 1491-1511 (1999).
3. Georg Kreisel. On the interpretation of non-finitist proofs, part I. J. Symbolic Logic 16, pp. 241-267 (1951).
4. Georg Kreisel. On the interpretation of non-finitist proofs, part II: Interpretation of number theory, applications. J. Symbolic Logic 17, pp. 43-58 (1952).
5. Georg Kreisel. Mathematical significance of consistency proofs. J. Symbolic Logic 23, pp. 155-182 (1958).
6. Jean-Louis Krivine. A general storage theorem for integers in call-by-name λ-calculus. Th. Comp. Sc. 129, pp. 79-94 (1994).


The drinker and the objects

Jean-Louis Krivine

PPS Group, University Paris 7, CNRS

[email protected]


The specification problem (reminder)

Given a provable 2nd order formula Φ, what is the common behaviour of the λ-terms t such that ⊢ t : Φ? In other words: what is the specification associated with the given theorem Φ? This is a very interesting but difficult problem. Realizability is a valuable tool because it is compatible with classical 2nd order deduction:

Adequation lemma. If x₁ : Φ₁, …, xₙ : Φₙ ⊢ t : Φ and if tᵢ ⊩ Φᵢ (1 ≤ i ≤ n) then t[t₁/x₁, …, tₙ/xₙ] ⊩ Φ.

Thus, we study the behaviour of the λc-terms which realize Φ.

We now use this framework in order to solve the specification problem for the so-called drinker’s formula, i.e.:

∀P∃x(Px → ∀y Py)

The drinker’s term

This formula may be written as:

∀P∀Y{∀y[(Py → ∀xPx) → Y] → Y}

We shall first study the behaviour of a λc-term given by a particular proof (the simplest, of course). We shall see later that any term given by any proof behaves in the same way. The λc-term in question is:

γ = λσ(cc)λk(σ)λd(cc)λz(k)(σ)z

This very short program has a truly remarkable execution: it carries out a dynamic management of names (creation and assignment) which seems to be a good theoretical basis for object oriented programming.

This λc-term is nothing else than a piece of executable machine code without documentation. What we shall do now is precisely to disassemble this code, which is very funny hacking.


The proof

σ : ∀y[(Py → ∀xPx) → Y], k : Y → ∀xPx ⊢ k∘σ : (Py → ∀xPx) → Py ; λd(cc)k∘σ : Py → ∀xPx.

Therefore σ : ∀y[(Py → ∀xPx) → Y] ⊢ (cc)λk(σ)λd(cc)k∘σ : Y.

Performing the process γ ⋆ σ.π

For σ ∈ Λ₀ and π ∈ Π, let χ_{σ,π} = λd(cc)λz(k_π)(σ)z. Then we have:

γ ⋆ σ.π ≻ σ ⋆ χ_{σ,π}.π
χ_{σ,π} ⋆ t.ϖ ≻ σ ⋆ k_ϖ.π

Meaning: introduce a new name χ and look at the first time it comes in head position, i.e. σ ⋆ χ.π ≻ χ ⋆ t₀[χ].ϖ₀[χ]. This allows many short-circuits in the remainder of the execution:

χ_{σ,π} ⋆ t.ϖ ≻ t₀[k_ϖ] ⋆ ϖ

Indeed χ_{σ,π} ⋆ t.ϖ ≻ σ ⋆ k_ϖ.π ≻ k_ϖ ⋆ t₀[k_ϖ].ϖ₀[k_ϖ] ≻ t₀[k_ϖ] ⋆ ϖ
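The execution rules of the first lecture (push, pop, store, restore), the storage operator T and the two reductions of γ just computed, as an added example (not code from the talks): a small Python implementation of the λc machine, run on γ ⋆ σ.π, on χ_{σ,π} ⋆ t.ϖ, and on Tfν to show f receiving sⁿ0 by value. The inert constants σ, f, t and the stack contents are constructed for the test; the machine stops as soon as its head is such a constant.

```python
# Terms are tuples; a stack is a tuple of closed terms ending in a bottom
# constant ('rho', name); a process t * pi is the Python pair (t, pi).

def var(x):
    return ('var', x)

def const(name):
    # an inert constant (σ, f, ...): the machine stops when it reaches the head
    return ('const', name)

CC = ('cc',)

def cont(pi):
    # the continuation k_pi
    return ('k', pi)

def app(t, *us):
    # (t)u1 u2 ... : application, left-associative as in Krivine's notation
    for u in us:
        t = ('app', t, u)
    return t

def lam(*xs_and_body):
    # lam('x', 'y', body) builds λx λy body
    *xs, body = xs_and_body
    for x in reversed(xs):
        body = ('lam', x, body)
    return body

def subst(t, x, u):
    """t[u/x]; u is closed, so binders in t cannot capture anything."""
    tag = t[0]
    if tag == 'var':
        return u if t[1] == x else t
    if tag == 'app':
        return ('app', subst(t[1], x, u), subst(t[2], x, u))
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, u))
    return t  # cc, continuations and constants contain no free variable

def step(t, pi):
    """One execution step of t * pi; None when the head is a constant or stuck."""
    tag, top = t[0], pi[0]
    if tag == 'app':                    # push:    tu * pi  >  t * u.pi
        return t[1], (t[2],) + pi
    if top[0] == 'rho':                 # only the bottom constant: nothing to pop
        return None
    if tag == 'lam':                    # pop:     λx t * u.pi  >  t[u/x] * pi
        return subst(t[2], t[1], top), pi[1:]
    if tag == 'cc':                     # store:   cc * t.pi  >  t * k_pi.pi
        return top, (cont(pi[1:]),) + pi[1:]
    if tag == 'k':                      # restore: k_pi * t.pi'  >  t * pi
        return top, t[1]
    return None

def run(t, pi, limit=10_000):
    """Execute the process until its head is a constant (or it is stuck)."""
    for _ in range(limit):
        nxt = step(t, pi)
        if nxt is None:
            return t, pi
        t, pi = nxt
    raise RuntimeError('still running after %d steps' % limit)

# γ = λσ (cc) λk (σ) λd (cc) λz (k)(σ) z   (the drinker's term)
GAMMA = lam('s', app(CC, lam('k', app(var('s'),
            lam('d', app(CC, lam('z', app(var('k'), app(var('s'), var('z'))))))))))

def chi(sigma, pi):
    # χ_{σ,π} = λd (cc) λz (k_π)(σ) z
    return lam('d', app(CC, lam('z', app(cont(pi), app(sigma, var('z'))))))

# constructed inputs: an inert σ and a stack π = a.ρ
SIGMA = const('sigma')
PI = (const('a'), ('rho', 'rho0'))

def drinker_first_call():
    # γ * σ.π  reduces to  σ * χ_{σ,π}.π : the fresh "name" χ is handed to σ
    return run(GAMMA, (SIGMA,) + PI)

def drinker_later_call(t, varpi):
    # χ_{σ,π} * t.ϖ  reduces to  σ * k_ϖ.π : t is discarded, the stack ϖ is saved
    return run(chi(SIGMA, PI), (t,) + varpi)

# Church integers and the storage operator T = λf λn ((n)(λg g∘s)) f 0
ZERO = lam('h', 'x', var('x'))
SUCC = lam('n', 'h', 'x', app(var('h'), app(var('n'), var('h'), var('x'))))
G_AFTER_S = lam('g', 'x', app(var('g'), app(SUCC, var('x'))))   # g∘s
T = lam('f', 'n', app(var('n'), G_AFTER_S, var('f'), ZERO))

def church_normal(n):
    # λh λx (h)...(h)x : a term realizing Int(n), used as the call-by-name ν
    body = var('x')
    for _ in range(n):
        body = app(var('h'), body)
    return lam('h', 'x', body)

def s_power_zero(n):
    # the term s^n 0 = (s)(s)...(s)0 that a call-by-value consumer receives
    t = ZERO
    for _ in range(n):
        t = app(SUCC, t)
    return t

def storage_call(f, nu, pi):
    # T f ν * π  ends in  f * s^n 0.π : f gets the integer by value, computed first
    return run(app(T, f, nu), pi)
```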


A first approximation

The process γ ⋆ σ.π seems to behave as follows:

γ ⋆ σ.π ≻ σ ⋆ χ.π ≻ χ ⋆ t₀[χ].ϖ₀[χ]

where χ is a name, created when γ came in head position. Afterwards, each time χ comes back in head position, it throws away its argument and is replaced with the fixed term (cc)λχ t₀[χ]. Indeed χ ⋆ t.ϖ ≻ t₀[k_ϖ] ⋆ ϖ, which is equivalent to:

χ ⋆ t.ϖ ≻ (cc)λχ t₀[χ] ⋆ ϖ.

Summary: each execution of γ creates a name χ. The first time this name comes in head position, it is assigned with its argument t₀[χ] (in fact by (cc)λχ t₀[χ]). This is clearly an example of dynamic binding. But all this is only an approximation. (Un)fortunately, the real thing is more complicated (and more interesting).


The problem of names

The mistake is that we have identified:

• the reduction of σ ⋆ k_ϖ.π
• the reduction σ ⋆ χ.π ≻ χ ⋆ t₀[χ].ϖ₀[χ] in which we replace χ with k_ϖ.

But this is valid only if no names are created during these reductions: otherwise, the names created in both reductions are not the same, with catastrophic consequences. In order to settle this problem, we must introduce serious complications in the reduction rules of processes, and thus in the implementation. But this is more than balanced by the gain in speed at execution, whole pieces of which are short-circuited.

We have to manage changes of names inside objects, at each assignment.


New rules of execution

We add to the λc-calculus a constant γ and an infinite set C of new names. We now give the rules of execution, not of a process alone, but of a pair made up of a process and a list of

• creations: a creation is simply a name c ∈ C;
• and assignments: an assignment is a pair c ⊎ τ (read: c is assigned with τ) with c ∈ C and τ ∈ Λ₀.

Each name is created and assigned only once (at most). The assignment for a name always takes place after its creation. At each execution step, we only add new elements at the end of the list.

Rule 1

γ ⋆ σ.π ≻ σ ⋆ c.π where c ∈ C does not appear in σ, π.
Add to the list: the creation of c; no assignment.


Rule 2

c ⋆ t.ϖ ≻ τ̃[k_ϖ/c] ⋆ ϖ where τ is given by the assignment of c. In case c is not assigned: add to the list the assignment c ⊎ t and take τ = t.

Definition of υ ↦ υ̃:

For each name d ≠ c which is created between the creation and the assignment of c, take simply for d̃ a new name in C (d ↦ d̃ injective). Now, to obtain the λc-term υ̃, just carry out in υ all the substitutions [d̃/d].

Then, add to the list the creation of these names d̃. Add also the assignments d̃ ⊎ υ̃[k_ϖ/c] for every name d the creation and the assignment (d ⊎ υ) of which took place between the creation and the assignment of c. Take care to order all these creations and assignments in the same way as the corresponding creations and assignments of the original names d.
</gr_repl>
<gr_replace lines="340-342" cat="remove_boilerplate" orig="8">

8

Page 30: Two talks about specification and objectskrivine/articles/Agay.pdfTwo talks about specification and objects Agay Spring School, March 29, 2002 Jean-Louis Krivine PPS Group, University

Rules 1 and 2 are correct

Let p₀ be a process in which no name in C appears. Let (p₀, Σ₀), …, (pₙ, Σₙ), … be the execution following these rules of the pair (p₀, Σ₀), where Σ₀ is the empty sequence. Then we can define an application ι : C → Λ₀ (which maps names into closed λc-terms) such that ι(pₙ) is a cofinal subsequence of the execution of the process p₀.

This subsequence skips many steps, hence an important gain in speed at execution time.


Objects

A name c defines a class τ at the moment it is assigned (c ⊎ τ), and an object τ̃[k_ϖ/c] each time it comes in head position with an environment (stack) ϖ (in particular, the first time, when it is assigned). A method of τ is a name d which is created between the creation and the assignment of c. There are two possibilities:

• d is assigned before c: then the method is the same in each object of the class τ. It is a part of the fixed structure of this class.

• d is assigned after c: then the method will be assigned in various ways in each object of the class τ. By means of these new classes, the structure of the class τ can be enriched arbitrarily. This gives a way to formalize inheritance.


Henkin deduction system

To each formula F[x] (resp. F[X]) with only one free variable, we associate a new constant a (resp. A): the Henkin witness of F. The introduction rule for ∀ is replaced with the Henkin axiom:

⊢ χ_F : F[a/x] → ∀x F[x] for first order,
⊢ χ_F : F[A/X] → ∀X F[X] for second order.

This gives a conservative extension of classical second order logic. χ_F is the name associated with the formula F. For example, the Henkin witness of the formula ∀X X is ⊥. In this system, there is an intuitionistic proof of the drinker’s formula:

⊢ χ₀λf fχ₁ : ∀P∀Y{∀y[(Py → ∀xPx) → Y] → Y} ≡ ∀P Φ[P]

where χ₀ is the name associated with Φ[P] and χ₁ with Ax, where A is the Henkin witness of Φ[P].


Realization of Henkin axioms

Let F be a formula without any witness and

χ₁ : A₁[a₁] → ∀x₁A₁[x₁], …, χₙ : Aₙ[aₙ] → ∀xₙAₙ[xₙ] ⊢ τ[χ₁, …, χₙ] : F

a proof of F in this system. We assume that aᵢ, …, aₙ do not appear in Aᵢ[xᵢ], in other words Aᵢ[xᵢ] ≡ Aᵢ[a₁, …, aᵢ₋₁, xᵢ]. Then, the process τ[χ₁, …, χₙ] ⋆ π must be performed, assuming that the names χ₁, …, χₙ are created in this order and not yet assigned.

Indeed, we show easily that ⊢ γλχ₁…γλχₙ τ[χ₁, …, χₙ] : F. Taking π ∈ ‖F‖, we have γλχ₁…γλχₙ τ ⋆ π ∈ ⊥⊥. If this process is performed following rules 1 and 2, we immediately get τ ⋆ π.

Example 1

χ₀λf fχ₁ and γ are executed in the same way, and both have the type of the drinker’s formula.


Example 2. Update

Consider a program like χ₀ t[χ₁n₀, χ₁n₁, x₀, x₁, …]; assume that the names χ₀, χ₁ are created in this order and not yet assigned (we may, for example, put γλχ₀γλχ₁ as a heading of the process); n₀, n₁ are λc-terms of integer type which may contain the variables xᵢ. At execution, χ₀ is assigned with t, then χ₁ is assigned with the term nᵢ such that χ₁nᵢ comes first in head position, say χ₁n₀. After that, it does not take care of the others: this means that χ₁nₖ may now be read as χ₁n₀. This is valid until χ₀ comes back in head position. Then χ₁ is assigned with a new nᵢ when it comes back in head position. We see that the value of χ₁ is updated, and this update is controlled by χ₀.

It is a way to realize a standard example of object: a memory cell with two methods, reading and writing.


Specification of the drinker’s formula

So far, we have analysed the behaviour of a particular λc-term:

γ = λσ(cc)λk(σ)λd(cc)λz(k)(σ)z

which is the simplest of type ∀P∃x[Px → ∀y Py]. Does any term γ′ of this type behave like γ, in some sense? The following theorem tells us that γ and γ′ are operationally equivalent. I think that much stronger statements are true.

Theorem. Let γ′ be a λc-term such that ⊢ γ′ : ∀P∃x[Px → ∀y Py], and p[x, a₀, …, aₙ] a process with one free variable and some constants. Then p[γ, a₀, …, aₙ] ≻ a₀ ⋆ π for some stack π iff p[γ′, a₀, …, aₙ] ≻ a₀ ⋆ π′ for some stack π′. Moreover, the stacks π and π′ have the same length and the same bottom stack constant.
