Expression language: denotational semantics

In plain terms

The expression language panproto-expr is what you use to describe field-level transforms inside a migration (“the new full_name field is the old first plus a space plus the old last”) and predicates inside a query (“only records where created_at > '2024-01-01'”). Everything in the language is pure: no IO, no mutation, no clock reads, no random numbers. Two expressions that look the same always do the same thing. Every expression terminates within a fixed number of evaluation steps.

This page describes what those properties mean and what the evaluator actually computes.

Surface syntax

The Haskell-style surface, parsed by panproto-expr-parser:

expr  ::= literal
        | ident
        | expr expr                    -- application
        | "\\" ident "->" expr         -- lambda
        | "let" ident "=" expr "in" expr
        | "if" expr "then" expr "else" expr
        | "case" expr "of" alts        -- pattern match
        | builtin "(" expr,... ")"     -- builtin application
        | expr "." ident               -- field access
        | expr "[" expr "]"            -- index
literal ::= int | float | str | bool | "null"
        | "[" expr,... "]"             -- list
        | "{" ident ":" expr,... "}"   -- record

The parser desugars if c then a else b to a Match over a boolean scrutinee with two arms, and case e of ... to a Match directly. There is no separate If or Case node in the abstract syntax.

Abstract syntax

pub enum Expr {
    Var(Arc<str>),
    Lam(Arc<str>, Box<Self>),
    App(Box<Self>, Box<Self>),
    Lit(Literal),
    Record(Vec<(Arc<str>, Self)>),
    List(Vec<Self>),
    Field(Box<Self>, Arc<str>),
    Index(Box<Self>, Box<Self>),
    Match { scrutinee: Box<Self>, arms: Vec<(Pattern, Self)> },
    Let { name: Arc<str>, value: Box<Self>, body: Box<Self> },
    Builtin(BuiltinOp, Vec<Self>),
}

Match covers both if/then/else and case/of; pattern matching is the only branching primitive. Each arm pairs a Pattern (whose variants include Wildcard, Var, Lit, Record, List, and Constructor) with a body expression. The full enum lives at crates/panproto-expr/src/expr.rs.

Type system

The type-formation grammar:

$τ ::= Int ∣ Float ∣ Str ∣ Bool ∣ Null ∣ Any ∣ List τ ∣ Record ∣ τ \to τ$

A typing context $Γ$ is a finite map from variable names to types. The typing relation $Γ ⊢ e : τ$ is defined inductively by the usual rules; selected:

$Γ ⊢ n : Int (T-Int) \frac{x : τ \in Γ}{Γ ⊢ x : τ} (T-Var) \frac{Γ , x : τ _{1} ⊢ e : τ _{2}}{Γ ⊢ λ x . e : τ _{1} \to τ _{2}} (T-Lam)$

$\frac{Γ ⊢ e _{1} : τ _{1} \to τ _{2} Γ ⊢ e _{2} : τ _{1}}{Γ ⊢ e _{1} e _{2} : τ _{2}} (T-App) \frac{Γ ⊢ e : τ _{1} Γ , x : τ _{1} ⊢ e ^{'} : τ _{2}}{Γ ⊢ let x = e in e ^{'} : τ _{2}} (T-Let)$

Builtin signatures have type schemes given in reference/expression-language; each Builtin(op, \overline{e}) rule plugs in $o p$ ’s scheme and checks that the arguments match.

Semantic domain

Let $Val$ be the recursive sum

$Val ≅ Z + R + String + B + {⋆} + List (Val) + Record (Val) + [Val ⇀ Val]$

interpreting Null as the singleton ${⋆}$ and the function space as partial continuous maps. Lift to $Val_{⊥} = Val + {⊥}$ to adjoin a bottom for divergence under the step budget. Environments live in $Env = Var ⇀ Val$ , and ranked environments in $Env_{n} = Env \times N$ to track the remaining step budget.

Semantic function

The denotational semantics is the family

$[[\cdot]] : Expr \to Env_{n} \to Val_{⊥}$

defined by structural recursion on $Expr$ . Write $ρ_{n} = (ρ, n)$ and $ρ_{n} ↓ 1 = (ρ, n - 1)$ for the budget decrement. The equations:

$[[Lit (c)]] ρ_{n} [[Var (x)]] ρ_{n} [[Lam (x, e)]] ρ_{n} [[Let (x, e_{1}, e_{2})]] ρ_{n} [[App (e_{1}, e_{2})]] ρ_{n} [[Match (e, \overline{(p_{i}, b_{i})})]] ρ_{n} [[List (\overline{e})]] ρ_{n} [[Field (e, x)]] ρ_{n} [[Index (e, i)]] ρ_{n} [[Builtin (o p, \overline{e})]] ρ_{n} [[e]] (ρ, 0) = c = ρ (x) = λ v . [[e]] (ρ [x \mapsto v])_{n} = [[e_{2}]] (ρ [x \mapsto [[e_{1}]] ρ_{n}])_{n - 1} = ([[e_{1}]] ρ_{n}) ([[e_{2}]] ρ_{n}) = matchArms ([[e]] ρ_{n}, \overline{(p_{i}, b_{i})}, ρ_{n - 1}) = [[[e_{i}]] ρ_{n}]_{i} = ([[e]] ρ_{n}) . x = ([[e]] ρ_{n}) [[[i]] ρ_{n}] = apply_builtin (o p, \overline{[[e_{i}]] ρ_{n}}) = ⊥ (budget rule)$

The budget rule fires before any equation if the remaining steps are zero; otherwise the relevant equation applies and the recursive sub-denotations are evaluated with the budget decremented. Operationally this is EvalState::tick in crates/panproto-expr/src/eval.rs; when $⊥$ is returned the implementation surfaces ExprError::StepLimitExceeded(max_steps).

The auxiliary $matchArms$ is the standard pattern-match search: try each $(p_{i}, b_{i})$ in order, attempting to unify $p_{i}$ against the scrutinee value; on the first success bind the pattern variables into $ρ$ and evaluate $b_{i}$ ; on exhaustion raise NonExhaustiveMatch. The auxiliary $apply_builtin$ is the partial function defined in crates/panproto-expr/src/builtin.rs.

Builtin side conditions

The builtins listed under reference/expression-language are individually total or partial. The partial ones return a non- $⊥$ error rather than $⊥$ :

Div, Mod with zero divisor: DivisionByZero.
Integer arithmetic overflow: Overflow (i64::checked_*).
*ToInt / *ToFloat on unparseable input: ParseError.
List index out of bounds: IndexOutOfBounds; list operations past the configured maximum: ListLengthExceeded.
Record access on a missing field: FieldNotFound.
Match exhaustion: NonExhaustiveMatch.
App of a non-function value: NotAFunction.

Errors are distinct from $⊥$ . $⊥$ models resource exhaustion (StepLimitExceeded and DepthExceeded); errors model defined failure and propagate as Err(ExprError) from the implementation.

Soundness

The evaluator satisfies:

Type preservation. If $Γ ⊢ e : τ$ and $ρ ⊨ Γ$ and $ρ ⊢ e ⇓ v$ with $v \neq = ⊥$ , then $v \in [[τ]]$ .
Totality (within the budget). For every well-typed $e$ and well-typed $ρ$ , $[[e]]_{ρ}$ terminates in finitely many steps with either a value or $⊥$ .
Determinism. If $ρ ⊢ e ⇓ v_{1}$ and $ρ ⊢ e ⇓ v_{2}$ then $v_{1} = v_{2}$ .

Type preservation is enforced by the type-checker in crates/panproto-expr/src/typecheck.rs and by builtin signatures rejecting ill-typed arguments. Totality follows from the budget rule. Determinism follows from the absence of mutation and IO.

What is intentionally not modelled

Performance. Two expressions can have the same denotation but very different cost. The semantics fixes only what is computed, not how much it costs.
Step-budget tuning. The budget is a parameter set at the outermost call. The semantics treats it as fixed; the language itself does not expose it.
Floating-point determinism across architectures. Float operations follow IEEE 754, but bit-level reproducibility across hardware is not guaranteed.

Keyboard shortcuts

panproto