Temporal Logic and Functional Reactive Programming

Sergei Winitzki

Bay Area Categories and Types

April 25, 2014

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 1 / 23

What is �reactive programming�

Transformational programs Reactive programs

example: pdflatex frp_talk.tex example: any GUI program

start, run, then stop keep running inde�nitely

read some input, write some output wait for signals, send messages

execution: sequential + some parallel �main run loop� + concurrency

di�culty: algorithms signal/response sequences

speci�cation: classical logic temporal logic? �owcharts?

veri�cation: prove it correct model checking?

synthesis: extract code from proof temporal synthesis?

type theory: intuitionistic logic intuitionistic temporal logic

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 2 / 23

The uses of logic in computer science

1 Logic as a speci�cation language - enables automatic veri�cation

I Automatic synthesis of programs from speci�cations?

2 (Intuitionistic) logic as type theory - guides language design

I Mathematicians have already minimized the set of axioms!

3 Logic programming - use a decidable subset of logic

I Very high-level language, but limited to its domain

4 Automated theorem proving - derive a program as a proof artifact

I Requires advanced type systems and proof heuristics

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 3 / 23

Part 1: Introduction to temporal logic

Let's forget all philosophy, �what is time�, �what is true�, modal logic...

We want to see logic as a down-to-earth, computationally useful tool

We begin with the computational view of classical Boolean logic

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 4 / 23

Boolean algebra: notation

Classical propositional (Boolean) logic: T , F , a ∨ b, a ∧ b, ¬a, a→ b

A notation better adapted to school-level algebra: 1, 0, a + b, ab, a′

The only �new rule� is 1 + 1 = 1De�ne a→ b = a′ + b

Some identities:

0a = 0, 1a = a, a + 0 = a, a + 1 = 1,

a + a = a, aa = a, a + a′ = 1, aa′ = 0,

(a + b)′ = a′b′, (ab)′ = a′ + b′,(a′)′

= a

a (b + c) = ab + ac , (a + b) (a + c) = a + bc

DNF = �expand all brackets�. Some DNF simpli�cation tricks:

a + ab = a, a (a + b) = a,

(a→ b)(a′ → c

)= ab + a′c ,

(a→ x)(b → x ′

)=

(a′ + x

) (b′ + x ′

)= x ′a′ + xb′

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 5 / 23

Boolean algebra: example

Of the three suspects A, B, C , only one is guilty of a crime.

Suspect A says: �B did it�. Suspect B says: �C is innocent.�

The guilty one is lying, the innocent ones tell the truth.

φ =(ab′c ′ + a′bc ′ + a′b′c

) (a′b + ab′

) (b′c ′ + bc

)Simplify: expand the brackets, omit aa′, bb′, cc ′, replace aa = a etc.:

φ = ab′c ′ + 0 + 0 = ab′c ′

The guilty one is A.

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 6 / 23

Synthesis of Boolean programs

Speci�cation of a �Boolean program�:

If the boss is in, I need to work unless the telephone rings.

If the boss is not in, I go drink tea.

b =�boss is in�, r =�telephone rings�, w =�I work�, w ′ =�I drink tea�

φ(b, r ,w) =(br ′ → w

) (b′ → w ′)

= w ′ (br ′)′ + wb = w ′ (b′ + r)

+ wb

Goal: given any b and r , compute w such that φ(b, r ,w) = 1.

One solution is just φ(b, r ,w = 1):

w = φ(b, r , 1) = 0(b′ + r

)+ 1b = b

�I work if and only if the boss is in�

(Other solutions exist, e.g. w = br ′)Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 7 / 23

Propositional linear-time temporal logic (LTL)

Reactive programs respond to an in�nite stream of signals

So let's work with in�nite boolean sequences (�linear time�)Boolean operations:

a = [a0, a1, a2, ...] ; b = [b0, b1, b2, ...] ;

a + b = [a0 + b0, a1 + b1, ...] ; a′ =[a′0, a

′1, ...

]; ab = [a0b0, a1b1, ...]

Temporal operations:

(Next) Na = [a1, a2, ...]

(Sometimes) Fa = [a0 + a1 + a2 + ..., a1 + a2 + ..., ...]

(Always) Ga = [a0a1a2a3..., a1a2a3..., a2a3..., ...]

Other notation (from modal logic):

Na ≡ ©a; Fa ≡ ♦a; Ga ≡ �a

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 8 / 23

Temporal �xpoints and the µ-calculus notation

LTL admits only temporal functions de�ned by �xpoints:

Fa = [a0 + a1 + a2 + a3 + ..., a1 + a2 + a3 + ..., ...]

Fa = a + N(Fa)

Ga = [a0a1a2a3..., a1a2a3..., a2a3..., ...]

Ga = aN(Ga)

Notation: µ for the least �xpoint, ν for the greatest �xpoint

Fa = µx . (a + Nx) ; Ga = νx . (a(Nx))

but νx . (a + Nx) = 1; µx . (a(Nx)) = 0

The most general �xpoints involving only one N:

(weak Until) pUq = νx . (q + p(Nx))

(strict Until) pU̇q = µx . (q + p(Nx))

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 9 / 23

LTL: interpretation of �Until�

Weak Until: pUq = �p holds from now on until q �rst becomes true�

pUq = q + pN (q + pN (q + ...))

Example:

a = [1, 0, 0, 0, 1, 0, ...]

b = [0, 1, 0, 1, 0, 1, ...]

aUb = [1, 1, 0, 1, 1, 1, ...]

Strict Until: pU̇q = �q must become true, and p holds until then�

Dualities: (Fa)′ = G(a′); also (pU̇q)′ = q′U(p′q′)

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 10 / 23

LTL: temporal speci�cation

Whenever the boss comes by my o�ce, I will start working.

Once I start working, I will keep working until the telephone rings.

G ((b → Fw) (w → wUr)) = G((b′ + Fw

) (w ′ + wUr

))Whenever the button is pressed, the dialog will appear.

The dialog will disappear after 1 minute of user inactivity.

G((b → Fd) (d → Ft)

(d → dUtd ′))

The timer t is an external event and is not speci�ed here

Di�cult to say �x stays true until further notice�

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 11 / 23

LTL: disjunctive normal form

What would be the DNF in LTL? Let's just expand brackets:

φ = G((b′ + Fw

) (w ′ + wUr

))=

(b′ + Fw

) (w ′ + wUr

)Nφ

=(b′ + w + N(Fw)

) (w ′ + r + wN(wUr)

)Nφ

=(b′ + w + N(w + N(Fw))

) (w ′ + r + wN(r + wN(wUr))

)N (...)

= ... N (... ...N(... ...N (...))) ...

We will never �nish expanding those brackets!

But many subformulas under N(...) are the same:

φ1 = Fw ; φ2 = wUr ;

φ =(b′ + w + Nφ1

) (w ′ + r + wNφ2

)Nφ

=(rw + b′w ′)Nφ+ w ′N(φφ1) + wN(φφ2)

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 12 / 23

LTL: disjunctive normal form

Let's expand and simplify φφ1 and φφ2: we get simultaneous �xpoints

φ =(rw + b′w ′)N(φ) + w ′N(φφ1) + wN(φφ2);

φφ1 = rwN(φ) +(r + w ′)N(φφ1) + wN(φφ2);

φφ2 = r(w + b′

)N(φ) + rN(φφ1) + wN(φφ2).

The DNF for LTL is a graph!

φ φφ1

rw + b′w′w′

w

rw r

φφ2

w

r + w′

r(w + b′)

w

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 13 / 23

The failure of LTL program synthesis

Goal: given b and r , determine w

The DNF generates a nondeterministic �nite automaton (NFA) for w

States of the automaton are φ, φφ1, φφ2, ... (sets of �xpoints of φ)

I The DNF construction generates these states for us

Determinizing the automaton may exponentially increase its size

I Worst case: for φ with n �xpoints, DFA will have 22n

states

Speci�cations will generally need to use many �xpoints. Example:Whenever b is pressed, send query q and show w (�Waiting�).

Upon reply r , show d (�Done�). Pressing c (�Cancel�) stops waiting.

φ = G [(bw ′ → bUd ′w

) (w → d ′wU (c + r)

)(cw → cUw ′) (q ↔ bw ′) (rw → rUdw ′)].

I LTL is not particularly convenient for modular speci�cationI Synthesis is not practical (I write and debug my automata by hand...)

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 14 / 23

Part 2: Temporal logic as type theory

Logic gives a recipe for designing a minimal programming language(Curry-Howard isomorphism)

Typically, we use an intuitionistic version of the logic:

I No negation, no ⊥; only a + b, ab, a→ bI No law of excluded middleI No truth tables, no �simpli�cation�I Usually, cannot derive proofs automatically

Axioms are prede�ned terms needed in the language

I Example: (a→ c)→ (b → c)→ (a + b → c) is the case operator

Proof rules are prede�ned constructions needed in the language

I Example: modus ponens (a; a→ b so b) is function application

Natural deduction rules are typing rules for the language

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 15 / 23

Interpreting values typed by LTL

What does it mean to have a value x of type, say, G(α→ αUβ)?I x : Nα means that x : α will be available only at the next time tick

(x is a deferred value of type α)I x : Fα means that x : α will be available at some future tick(s)

(x is an event of type α)I x : Gα means that a (di�erent) value x : α is available at every tick

(x is an in�nite stream of type α)I x : αUβ means a �nite stream of α that may end with a β

Some temporal axioms of intuitionistic LTL:

(deferred apply) N (α→ β)→ (Nα→ Nβ) ;

(streamed apply) G (α→ β)→ (Gα→ Gβ) ;

(generate a stream) G (α→ Nα)→ (α→ Gα) ;

(read in�nite stream) Gα→ αN(Gα)

(read �nite stream) αUβ → β + αN(αUβ)

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 16 / 23

A small FRP language: Elm

Core Elm: polymorphic λ-calculus with lift2, foldp, async

lift2 : (α→ β → γ)→ Gα→ Gβ → Gγfoldp : (α→ β → β)→ β → Gα→ Gβasync : Gα→ Gα

(lift2 makes G an applicative functor)

async is a special scheduling instruction

Limitations:

I Cannot have a type G(Gα), also no concept of N or FI Cannot construct temporal values by handI This language is an incomplete Curry-Howard image of LTL!I I work after the boss comes by and until the phone rings:

let after_until w (b,r) = (w or b) and not r infoldp after_until false (boss, phone)

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 17 / 23

�Legacy� FRP systems: FrTime, Fran, AFRP, etc.

Two functors: �continuous behavior� Gα and �discrete event� Fα

Time is conceptually continuous

Explicit N, delay by time ∆t, explicit values of time

Many prede�ned combinators that do not follow from type theory:value-now, delay-by, integral, ... (FrTime)merge, switcher, G (Gα), ... (Fran)

AFRP: temporal values are not available, only combinators!

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 18 / 23

A lower-level FRP language: AdjS

A lower-level type system: Nα (next), µ̂α.Σ (µ+next), �α (stable)

Explicit one-step temporal �xpoints, for example Fτ = µ̂α.τ + α

τ = µ̂α.Σ ∼= µ̂α.

[Nτ

α

]Σ

Term assignments, simpli�ed (see Krishnaswamy's paper):

Γ ` e : α

Γ ` next e : NαNI

Γ ` f : Nα Γ, x : α ` e : β

let next x = f in e : βNE

Γ ` e : [N(µ̂α.Σ)/α] Σ

Γ ` into e : µ̂α.Σµ̂I

Γ ` e : µ̂α.Σ

Γ ` out e : [N(µ̂α.Σ)/α] Σµ̂E

Γ ` e : α

Γ ` stable e : �α �I

Γ ` f : �α Γ, x : α ` e : β

Γ ` let stable x = f in e : β�E

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 19 / 23

Dreams of an ideal FRP language

Requirements for a broadly usable FRP language:

I �stable� and �temporal� types distinguished staticallyI seamless conversion from int to G(int) and back, for �stable� typesI construct values of type Fα by hand: from asynchronous schedulingI construct values of type Fα from external sources (environment)I tick-free operation: N is not needed, use F insteadI the runloop (UI thread / background threads) needs to be represented

I guess we are still in the research phase here...

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 20 / 23

Conclusions and outlook

LTL is not a good �t as a speci�cation language for reactive programs

LTL synthesis from speci�cation is theoretical, not practical

FRP tries to make speci�cation closer to implementation

There are some languages that implement FRP in various ad hoc ways

The ideal is not (yet) reached

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 21 / 23

Abstract

In my day job, most bugs come from imperatively implemented reactiveprograms. Temporal Logic and FRP are declarative approaches thatpromise to solve my problems. I will brie�y review the motivations behindand the connections between temporal logic and FRP. I propose a rather"pedestrian" approach to propositional linear-time temporal logic (LTL),showing how to perform calculations in LTL and how to synthesizeprograms from LTL formulas. I intend to explain why LTL largely failed tosolve the synthesis problem, and how FRP tries to cope.

FRP can be formulated as a λ-calculus with types given by thepropositional intuitionistic LTL. I will discuss the limitations of thisapproach, and outline the features of FRP that are required by typicalapplication programming scenarios.

My talk will be largely self-contained and should be understandable toanyone familiar with Curry-Howard and functional programming.

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 22 / 23

Suggested reading

E. Czaplicki, S. Chong. Asynchronous FRP for GUIs. (2013)E. Czaplicki. Concurrent FRP for functional GUI (2012).N. R. Krishnaswamy.https://www.mpi-sws.org/∼neelk/simple-frp.pdfHigher-order functionalreactive programming without spacetime leaks(2013).M. F. Dam. Lectures on temporal logic. Slides: Syntax and semantics ofLTL, A Hilbert-style proof system for LTLE. Bainomugisha, et al. A survey of reactive programming (2013).W. Jeltsch. Temporal logic with Until, Functional Reactive Programmingwith processes, and concrete process categories. (2013).A. Je�rey. LTL types FRP. (2012).D. Marchignoli. Natural deduction systems for temporal logic. (2002). �See Chapter 2 for a natural deduction system for modal and temporallogics.

Sergei Winitzki (Versal Group Inc.) Temporal Logic and FRP April 25, 2014 23 / 23