Computational content of proofsschwicht/slides/ljubljana19.pdf · only. In contrast, TCF is based...
Transcript of Computational content of proofsschwicht/slides/ljubljana19.pdf · only. In contrast, TCF is based...
Intro Model Terms TCF Realizers Applications
Computational content of proofs
Helmut Schwichtenberg(j.w.w. Ulrich Berger, Nils Kopp, Kenji Miyamoto, Monika
Seisenberger, Hideki Tsuiki and Franziskus Wiesnet)
Mathematisches Institut, LMU, Munchen
Computability, Continuity, Constructivity –from Logic to Algorithms (CCC)
Ljubliana University, September 2019
1 / 80
Intro Model Terms TCF Realizers Applications
Proofs have two aspects:
1. they guarantee correctness, and
2. they may have computational content.
We address (2), and use a BHK-interpretation to extract programsfrom proofs. Features:
• The extract is a term in the underlying theory, hence we havea framework to formally prove its properties.
• Computational content in (co)inductive predicates only.
• From proofs in constructive analysis1 we can extract programsoperating on stream-represented real numbers.
1E. Bishop, Foundations of Constructive Analysis, 1967
2 / 80
Intro Model Terms TCF Realizers Applications
In more detail:
M 7→ et(M) ∈ T+, sp(M) : et(M) r A
where
• M proof of A in TCF,
• et(M) term of “cotype” ϕ(A) in T+,
• sp(M) soundness proof in TCF, of et(M) r A,
• r Keisel’s modified realizability.
3 / 80
Intro Model Terms TCF Realizers Applications
Related work, comparison.
• HAω and Martin-Lof style type theories use total functionalsonly. In contrast, TCF is based on the Scott2-Ershov3 modelof partial continuous functionals.
• Coq extracts programs in a programming language (OCaml,Scheme), and Agda uses whole proofs as programs. In bothcases it is difficult to formally prove properties of these.
2D. Scott, Outline of a mathematical theory of computation, Oxford 19703Y. Ershov, Model C of partial continuous functionals, Logic. Coll. 1977
4 / 80
Intro Model Terms TCF Realizers Applications
Information system A = (A,Con,`):
• A countable set of “tokens”,
• Con set of finite subsets of A,
• ` (“entails”) subset of Con× A.
such that
U ⊆ V ∈ Con→ U ∈ Con,
{a} ∈ Con,
U ` a→ U ∪ {a} ∈ Con,
a ∈ U ∈ Con→ U ` a,
U,V ∈ Con→ ∀a∈V (U ` a)→ V ` b → U ` b.
x ⊆ A is an ideal if
U ⊆ x → U ∈ Con (x is consistent),
x ⊇ U ` a→ a ∈ x (x is deductively closed).
5 / 80
Intro Model Terms TCF Realizers Applications
Function spacesLet A = (A,ConA,`A) and B = (B,ConB ,`B) be informationsystems. Define A→ B := (C ,Con,`) where
• C := ConA × B,
•
{ (Ui , bi ) | i ∈ I } ∈ Con :=
∀J⊆I (⋃j∈J
Uj ∈ ConA → { bj | j ∈ J } ∈ ConB),
• { (Ui , bi ) | i ∈ I } ` (U, b) means { bi | U `A Ui } `B b.
A→ B is an information system.
Application of an ideal x in A→ B to an ideal y in A is defined by
x(y) := { b ∈ B | ∃U⊆y ((U, b) ∈ x) }.
6 / 80
Intro Model Terms TCF Realizers Applications
(Free) algebras given by constructors:
N by 0N, SN→N
Y by 0Y,CY→Y→Y (binary trees)
α× β by 〈., .〉α→β→α×β
α + β by (InLαβ)α→α+β, (InRαβ)β→α+β
L(α) by []L(α), consα→L(α)→L(α)
S(α) by SConsα→S(α)→S(α)
S(α) has no nullary constructor, hence no “total” objects.
7 / 80
Intro Model Terms TCF Realizers Applications
Information systems C ρ = (Cρ,Conρ,`ρ)Cρ→σ := Cρ → Cσ. At base types ι:
Tokens are type correct constructor expressions Ca∗1 . . . a∗n.
(Examples: 0, C∗0, C0∗, C (C∗0)0.)
U = {a1, . . . , an} is consistent if
• all ai start with the same constructor,
• (proper) tokens at j-th argument positions are consistent.
(Example: {C∗0,C0∗}.)
U ` a (entails) if
• all ai ∈ U and also a start with the same constructor,
• (proper) tokens at j-th argument positions of ai entail j-thargument of a.
(Example: {C∗0,C0∗} ` C00).
8 / 80
Intro Model Terms TCF Realizers Applications
Definition
• A partial continuous functional of type ρ is an ideal in Cρ.
• A partial continuous functional is computable if it is a(primitive) recursively enumerable set of tokens.
Ideals in Cρ: Scott-Ershov domain of type ρ.
• x ι is total iff x = { a | {b} ` a } for some token (i.e.,constructor expression) b without ∗.
• x ι is cototal iff every token b(∗) ∈ x has a “one-stepextension” b(C~∗ ) ∈ x .
9 / 80
Intro Model Terms TCF Realizers Applications
Example: binary trees
Tokens: 0, Cab, Ca∗, C∗b, C∗∗, for instance
00 0
HHH���@@�� 0
∗ 0
HHH���@@��
Consistency:
0 ∗HHH��
� ↑∗ 0HHH��
�
0 0HHH�
�� 6↑0
∗ ∗
HHH���@@��
but
0 ∗HHH�
�� ↑0
∗ ∗
HHH���@@��
10 / 80
Intro Model Terms TCF Realizers Applications
Entailment:
{0 ∗HHH��
�,
∗ 0HHH��
� } `Y
0 0HHH��
�
and also
∗∗ 0
HHH���@@��
`Y
∗∗ ∗
HHH���@@��
and
∗ ∗HHH�
��
11 / 80
Intro Model Terms TCF Realizers Applications
Cototal ideal: R := closure of all
0
0
0
0 ∗
12 / 80
Intro Model Terms TCF Realizers Applications
Cototal ideal: 12 := closure of all
0
0 0
0 ∗ 0
0 ∗
13 / 80
Intro Model Terms TCF Realizers Applications
Total ideal: closure of
00 0
HHH��
�@@��
General ideal: closure of
0∗ 0
HHH���@@��
14 / 80
Intro Model Terms TCF Realizers Applications
A common extension T+ of Godel’s T and Plotkin’s PCF
Terms of T+ are built from (typed) variables and (typed)constants (constructors C or defined constants D, see below) by(type-correct) application and abstraction:
M,N ::= xρ | Cρ | Dρ | (λxρMσ)ρ→σ | (Mρ→σNρ)σ.
Every defined constant D comes with a system of computationrules, consisting of finitely many equations
D ~Pi (~yi ) = Mi (i = 1, . . . , n)
with free variables of ~Pi (~yi ) and Mi among ~yi , where the argumentson the left hand side must be “constructor patterns”, i.e., lists ofapplicative terms built from constructors and distinct variables.
15 / 80
Intro Model Terms TCF Realizers Applications
Examples
• +: N→ N→ N defined by
n + 0 = n
n + Sm = S(n + m)
• =N : N→ N→ B
(0 =N 0) = tt,
(0 =N Sn) = ff,
(Sm =N 0) = ff,
(Sm =N Sn) = (m =N n).
16 / 80
Intro Model Terms TCF Realizers Applications
Recursion operators
• Introduced by Hilbert4 and Godel5.
• Used to construct maps from the algebra ι to τ , by recursionon the structure of ι.
• Example: RτN of type N→ τ → (N→ τ → τ)→ τ .
• The first argument is the recursion argument, the second onegives the base value, and the third one gives the step function,mapping the recursion argument and the previous value to thenext value.
• For example, RNNnmλn,p(Sp) defines addition m + n by
recursion on n.
4D. Hilbert, Uber das Unendliche, Math. Ann. 19255K. Godel, Uber eine bisher noch nicht benutzte Erweiterung des finiten
Standpunkts, Dialectica 1958
17 / 80
Intro Model Terms TCF Realizers Applications
Corecursion operators
Recall
S(α) by SConsα→S(α)→S(α).
The corecursion operator coRτS(ρ) of type
τ → (τ → ρ× (S(ρ) + τ))→ S(ρ)
is defined by
coRxf :=
{SCons(y , z) if f (x) ≡ 〈y , InL(z)〉,SCons(y , coRx ′f ) if f (x) ≡ 〈y , InR(x ′)〉.
18 / 80
Intro Model Terms TCF Realizers Applications
How to use computation rules to define a computable functional?Inductively define ( ~U, a) ∈ [[λ~xM]], where M is a term with freevariables among ~x .Case λ~x ,y ,~zM with ~x free in M, but not y .
( ~U, ~W , a) ∈ [[λ~x ,~zM]]
( ~U,V , ~W , a) ∈ [[λ~x ,y ,~zM]](K ).
Case λ~xM with ~x the free variables in M.
U ` a
(U, a) ∈ [[λxx ]](V ),
( ~U,V , a) ∈ [[λ~xM]] ( ~U,V ) ⊆ [[λ~xN]]
( ~U, a) ∈ [[λ~x(MN)]](A).
For every constructor C and defined constant D:
~U ` ~a∗
( ~U,C~a∗) ∈ [[C]](C),
( ~V , a) ∈ [[λ~xM]] ~U ` ~P( ~V )
( ~U, a) ∈ [[D]](D),
with one rule (D) for every defining equation D ~P(~x ) = M.
19 / 80
Intro Model Terms TCF Realizers Applications
Properties of the denotational semantics.
• [[λ~xM]] is a partial continuous functional.
• The value is preserved under β, η-conversion and computationrules.
• An adequacy theorem holds: whenever a closed term Mι has atoken in its denotation [[M]], then M (head) reduces to aconstructor term entailing this token.
20 / 80
Intro Model Terms TCF Realizers Applications
• Recall: C := (|Cρ|)ρ Scott-Ershov model.
• Recall: “xρ computable” for xρ ∈ |Cρ| is defined.
• Goal: TCF, a theory of partial computable functionals.
TCF can be seen as a variant of both HAω and Martin-Lof typetheory. Features:
• Based on the model C: partial functionals allowed.
• Logic enriched type theory6: formulas and types kept separate.
• Computational content only arises from (co)inductivedefinitions.
6N. Gambino & P. Aczel, The generalized type-theoretic interpretation ofconstructive set theory, JSL 2006
21 / 80
Intro Model Terms TCF Realizers Applications
Definition. Clauses K have the form
∀~x(Y c → Znc → (∀~yi (Wnci → Xi ))i<n → X )
with X for X~t, and X lists of those. Call
I c := µX c ~K , I nc := µXnc ~K
a predicate form, and similarly with coI for I and ν for µ.
22 / 80
Intro Model Terms TCF Realizers Applications
Examples. (i).
K0 := X ([], []),
K1 := ∀x ,l ,x ′,l ′(Y (x , x ′)→ X (l , l ′)→ X (x :: l , x ′ :: l ′))
are clauses and both
∼L(Y ) := µX (K0,K1) similarity
≈L(Y ) := νX (K0,K1) bisimilarity
are predicate forms with Y a parameter predicate variable.
23 / 80
Intro Model Terms TCF Realizers Applications
Examples (continued). (ii).
K0 := X [],
K1 := ∀x ,l(Yx → Xl → X (x :: l))
are clauses and both
TL(Y ) := µX (K0,K1) totalitycoTL(Y ) := νX (K0,K1) cototality
are predicate forms with Y a parameter predicate variable.
24 / 80
Intro Model Terms TCF Realizers Applications
Algebra form of a predicate formDefinition. From a clause K we obtain a constructor type by (i)omitting quantifiers, (ii) dropping all n.c. predicates and from thec.r. predicates their arguments, and (iii) replacing the remainingpredicate variables by type variables. That is, from the clause
∀~x(Y c → Znc → (∀~yi (Wnci → Xi ))i<n → X )
we obtain the constructor type
~α→ (ξ)i<n → ξ.
With every predicate form I c := (µ/ν)X c ~K we canonicallyassociate the algebra form ιI c := µξ~κ.
For examples (i), (ii): ∼L, ≈L, TL, coTL the associated algebraform is L (the µ/ν-distinction is ignored).
25 / 80
Intro Model Terms TCF Realizers Applications
Definition of predicates and formulas.
P,Q ::= X | { ~x | A } | I (~ρ, ~P ) | coI (~ρ, ~P ) (predicates),
A,B ::= P~t | A→ B | ∀xA (formulas)
Call a predicate or formula C computationally relevant (c.r.) ornon-computational (n.c.) if its final predicate is.
Definition of the type τ(C ) of a c.r. predicate or formula C .Assume a global injective assignment of type variables ξ to X c .
τ(X c) := ξ,
τ({ ~x | A }) := τ(A),
τ((I/coI )(~ρ, ~P )) := ιI (τ(~Pc)),
τ(P~t ) := τ(P),
τ(A→ B) :=
{τ(A)→ τ(B) (A c.r.)
τ(B) (A n.c.)
τ(∀xA) := τ(A),
Call ιI (τ(~Pc)) the algebra associated with (I/coI )(~ρ, ~P).
26 / 80
Intro Model Terms TCF Realizers Applications
Examples (continued). (iii). Leibniz equality:
EqD := µXnc(∀xX ncxx) (D for “inductively defined”).
Abbreviation: (x ≡ y) := EqD(x , y).
(iv). Union. Since the parameter predicates Y ,Z can be chosen aseither c.r. or n.c. we obtain the variants
CupDY c ,Z c := µX c (∀~x(Y c~x → X c~x ), ∀~x(Z c~x → X c~x )),
CupLY c ,Znc := µX c (∀~x(Y c~x → X c~x ), ∀~x(Znc~x → X c~x )),
CupRY nc,Z c := µX c (∀~x(Y nc~x → X c~x ), ∀~x(Z c~x → X c~x )),
CupUY nc,Znc := µX c (∀~x(Y nc~x → X c~x ), ∀~x(Znc~x → X c~x )),
CupNcY ,Z := µXnc(∀~x(Y ~x → X nc~x ), ∀~x(Z~x → X nc~x )).
D for “double”, L for “left”, R for “right”, U for “uniform”.
27 / 80
Intro Model Terms TCF Realizers Applications
Then by definition
τ(CupD) = µξ(β0 → ξ, β1 → ξ) = β0 + β1,
τ(CupL) = µξ(β → ξ, ξ) = β + U,
τ(CupR) = µξ(ξ, β → ξ) = U + β,
τ(CupU) = µξ(ξ, ξ) = B.
In case of nullary predicates we use
A ∨d B := CupD{|A},{|B},
A ∨l B := CupL{|A},{|B},
A ∨r B := CupR{|A},{|B},
A ∨u B := CupU{|A},{|B},
A ∨nc B := CupNc{|A},{|B}.
“Decorations” determined by A,B: can be omitted except for ∨nc.∧, ∃ are treated similarly.
28 / 80
Intro Model Terms TCF Realizers Applications
Axioms
Theory of computable functionals (TCF):
• Formulas are the ones defined above, involving typed variables.
• Proofs use the rules of minimal logic for → and ∀, and theaxioms below.
An n.c. part of a proof M : A is a subproof N : B with B n.c. Suchn.c. parts will not contribute to the computational content of thewhole proof: can ignore all decorations in those parts.
29 / 80
Intro Model Terms TCF Realizers Applications
For each inductive predicate there are “clauses” or introductionaxioms, together with a “least-fixed-point” or elimination axiom.Write a clause ∀~x(Y c → Znc → (∀~yi (W nc
i → Xi ))i<n → X ) as
∀~x((Aν(X ))ν<n → X~t ).
I+i : ∀~xi ((Aiν(I ))ν<ni → I~ti ),
I− : (∀~xi ((Aiν(I ∩ X ))ν<ni → X~ti ))i<k → I ⊆ X
Examples.
Even+0 : 0 ∈ Even, Even+1 : ∀n(n ∈ Even→ S(Sn) ∈ Even)
The elimination axiom Even− is
0 ∈ X → ∀n(n ∈ Even→ n ∈ X → S(Sn) ∈ X )→ Even ⊆ X .
30 / 80
Intro Model Terms TCF Realizers Applications
Examples (continued).
∃+ : ∀x(Px → ∃xPx)
∃− : ∃xPx → ∀x(Px → C )→ C (x /∈ FV(C ))
∧+ : A→ B → A ∧ B
∧− : A ∧ B → (A→ B → C )→ C
∨+i : Ai → A0 ∨ A1
∨− : A ∨ B → (A→ C )→ (B → C )→ C
(∨nci )+ : Ai → A0 ∨nc A1
(∨nc)− : A ∨nc B → (A→ C )→ (B → C )→ C (C n.c.)
31 / 80
Intro Model Terms TCF Realizers Applications
The conjunction of the k clauses of an inductive I is equivalent to
∀~x(∨∨i<k
∃~xi (∧∧ν<ni
Aiν(I ) ∧ ~x ≡ ~ti )→ I~x ).
coI− : ∀~x(coI~x →∨∨i<k
∃~xi (∧∧ν<ni
Aiν(coI ) ∧ ~x ≡ ~ti ))
coI+ : ∀~x(X~x →∨∨i<k
∃~xi (∧∧ν<ni
Aiν(coI ∪ X ) ∧ ~x ≡ ~ti ))→ X ⊆ coI .
coI−: closure axiom.coI+: greatest-fixed-point (or coinduction) axiom.
32 / 80
Intro Model Terms TCF Realizers Applications
Example. The conjunction of the 2 clauses of Even is equivalent to
∀n(n ≡ 0 ∨ ∃n′(n′ ∈ Even ∧ n ≡ S(Sn′))→ n ∈ Even).
coEven is defined by its closure axiom coEven−:
∀n(n ∈ coEven→ n ≡ 0 ∨ ∃n′(n′ ∈ coEven ∧ n ≡ S(Sn′)))
and its greatest-fixed-point axiom coEven+:
∀n(Xn→ n ≡ 0 ∨ ∃n′(n′ ∈ (coEven ∪ X ) ∧ n ≡ S(Sn′)))→X ⊆ coEven.
33 / 80
Intro Model Terms TCF Realizers Applications
Example of a proof by coinduction.
• We show cototality of corecursion: coRxf ∈ coTS(ρ).
• Recall: the corecursion operator coRτS(ρ) of type
τ → (τ → ρ× (S(ρ) + τ))→ S(ρ)
is defined by
coRxf :=
{SCons(y , z) if f (x) ≡ 〈y , InL(z)〉,SCons(y , coRx ′f ) if f (x) ≡ 〈y , InR(x ′)〉.
34 / 80
Intro Model Terms TCF Realizers Applications
Lemma (Cototality of corecursion)
Let f : τ → ρ× (S(ρ) + τ) be of InR-form, i.e., f (x) has the form〈y , InR(x ′)〉 for all x . Then coRxf ∈ coTS(ρ) for all x .
Proof.By coinduction with competitor predicate
X := { z | ∃x(z ≡ coRxf ) }.
Need to prove that X satisfies the clause defining coTS(ρ):
∀z(z ∈ X → ∃y∃z ′(z ′ ∈ X ∧ z ≡ SCons(y , z ′))).
Let z ≡ coRxf for some x . Since f is assumed to be of InR-formwe have y , x ′ such that f (x) ≡ 〈y , InR(x ′)〉. By the definition ofcoRτS(ρ) obtain coRxf ≡ SCons(y , coRx ′f ). Use coRx ′f ∈ X .
35 / 80
Intro Model Terms TCF Realizers Applications
Recall: (co)totality on closed base types, e.g., Y.
(TY)+0 : 0 ∈ TY,
(TY)+1 : ∀x ,x ′(x , x ′ ∈ TY → Cxx ′ ∈ TY)
T−Y : 0 ∈ X → ∀x ′,x ′′(x ′, x ′′ ∈ X → Cx ′x ′′ ∈ X )→ TY ⊆ X
coT−Y : ∀x(x ∈ coTY → x ≡ 0 ∨ ∃x ′,x ′′(x ′, x ′′ ∈ coTY ∧ x ≡ Cx ′x ′′))
and coT+Y :
∀x(x ∈ X → x ≡ 0 ∨ ∃x ′,x ′′(x ′, x ′′ ∈ (coTY ∪ X ) ∧ x ≡ Cx ′x ′′))→X ⊆ coTY.
We have
TY ⊂ coTY ⊂ |CY| (proper inclusions)
36 / 80
Intro Model Terms TCF Realizers Applications
For arbitrary cotypes ϕ we define Eϕ (exists) by
(x ∈ Eι) := (x ∈ Tι),
(x ∈ Ecoι) := (x ∈ coTι),
(f ∈ Eϕ→ψ) := ∀x(x ∈ Eϕ → fx ∈ Eψ).
Similary for.
=ϕ (pointwise equal)
(x.
=ι y) := (x ∼ι y),
(x.
=coι y) := (x ≈ι y),
(f.
=ϕ→ψ g) := ∀x ,y (x.
=ϕ y → fx.
=ψ gy).
37 / 80
Intro Model Terms TCF Realizers Applications
What is the relation between.
= and Leibniz equality ≡? Firstconsider closed base cotypes.
• Case ι. In the model C we have
(x ∼ι y)↔ (x ∈ Tι ∧ x ≡ y).
This is also provable in TCF.
• Case coι. In the model C we have
(x ≈ι y)↔ (x ∈ coTι ∧ x ≡ y).
(Write x =⋃
n(x�n) and use induction on n). In TCF this isan axiom, called Bisimilarity Axiom.
38 / 80
Intro Model Terms TCF Realizers Applications
Recall that at higher types, pointwise equality relative to a cotypeis defined as a logical relation:
(f.
=ϕ→ψ g) := ∀x ,y (x.
=ϕ y → fx.
=ψ gy).
Then extensionality7 relative to a cotype ϕ is defined by
Extϕ(f ) := (f.
=ϕ f ).
Lemma. For closed cotypes ϕ the relation.
=ϕ is a partialequivalence relation (i.e., symmetric and transitive) whose domainis the set Extϕ of objects extensional w.r.t. ϕ.
7R. Gandy, PhD 1953, and On the axiom of extensionality – part I. JSL1956 and also G. Takeuti, On a generalized logic calculus, Jap. J. Math. 1953
39 / 80
Intro Model Terms TCF Realizers Applications
Lemma. Eϕ and Extϕ are equivalent for closed cotypes ϕ of level≤ 1.
Proof. For level 0 this holds be definition. For level 1 use inductionon the height of the cotype. Let ϕ→ ψ be a closed cotype of level1. The following are equivalent.
f ∈ Extϕ→ψ
f.
=ϕ→ψ f
∀x ,y (x.
=ϕ y → fx.
=ψ fy)
∀x(x ∈ Eϕ → fx.
=ψ fx) by definition, since lev(ϕ) = 0
∀x(x ∈ Eϕ → fx ∈ Extψ)
Now use the induction hypothesis and the definition of Eϕ→ψ.
40 / 80
Intro Model Terms TCF Realizers Applications
Are Eϕ and Extϕ equivalent for levels ≥ 2? No: we would needx.
=ϕ y → x ≡ y for ϕ of level 1. But the following are equivalent:
f.
=N→N g
∀n,m(n.
=N m→ fn.
=N gm)
∀n(n ∈ TN → fn.
=N gn)
∀n(n ∈ TN → fn, gn ∈ TN ∧ fn ≡ gn)
f , g ∈ EN→N ∧ ∀n(n ∈ TN → fn ≡ gn)
This cannot be Leibniz equality, since nothing is said on thebehaviour of f , g on non-total arguments.
41 / 80
Intro Model Terms TCF Realizers Applications
Lemma (Extensionality of the recursion operator)
Let I be an inductive predicate and ιI its associated algebra. Thenthe extracted term et(I−) := RτιI of its least-fixed-point (orelimination) axiom I− is extensional w.r.t. the formula of I−.
Lemma (Extensionality of the corecursion operator)
Let coI be a coinductive predicate and ιI its associated algebra.Then the extracted term et(coI+) := coRτιI of itsgreatest-fixed-point (or coinduction) axiom coI+ is extensionalw.r.t. the formula of coI+.
42 / 80
Intro Model Terms TCF Realizers Applications
Proofs have two aspects:
• they provide insight into why an argument is correct, and
• they can also have computational content.
The Brouwer-Heyting-Kolmogorov8 (BHK)-interpretation gives agood analysis of the latter. Modification here: computationalcontent only arises from (co)inductive predicates.
• p proves A→ B if and only if p is a construction transformingany proof q of A into a proof p(q) of B.
• p proves ∀xA if and only if p is a construction such that pproves A, irrespective of what x is.
8A. Kolmogorov, Zur Deutung der intuitionistischen Logik, Math. Z. 1932
43 / 80
Intro Model Terms TCF Realizers Applications
Unexplained notions:
what is a “construction”?
what is a proof of a prime formula?
Here we propose to take
construction := computable functional,
proof of a prime formula I~t := a “construction tree” for I~t,
proof of a prime formula coI~t := a “destruction tree” for coI~t.
Such a construction or destruction tree can seen as a (co)totalideal in the algebra ιI associated with the clauses of I .
44 / 80
Intro Model Terms TCF Realizers Applications
Realizability extension C r of c.r. predicates or formulas C
For n.c. C let C r := C . If C is c.r. C r is a predicate of arity(~σ, τ(C )) (~σ arity of C ). Write z r C for C rz if C is a c.r. formula.For X c let X r be the n.c. predicate variable provided, and
{ ~x | A }r := { ~x , z | z r A }.
CaseI/coI := (µ/ν)X ((Ki (X ))i<k
with algebra form ιI = µξ(κi (ξ))i<k where κi (ξ) := τ(Ki (X )). Thei-th constructor of ιI is Ci : κi (ιI ). Let
I r/coI r := (µ/ν)X r(Ci r Ki (X ))i<k .
45 / 80
Intro Model Terms TCF Realizers Applications
For c.r. formulas let
z r P~t := P r~tz ,
z r (A→ B) :=
{∀w (w r A→ zw r B) if A is c.r.
A→ z r B if A is n.c.
z r ∀xA := ∀x(z r A).
46 / 80
Intro Model Terms TCF Realizers Applications
Example. Let
I := µX (∀p,x(p ∈ TB → x ∈ T ncN→B → x ∈ X → px ∈ X ))
with px the function mapping 0 to p and Sn to xn. The type ofthe (single) clause K is the κ := B→ ξ → ξ (ξ := τ(X )) andτ(coI ) = µξ(B→ ξ → ξ) = S(B). Then
SCons r K :=
∀p,x ,q(T rBpq → x ∈ T nc
N→B → ∀s(X rxs → X r(px ,SCons(q, s))).
andcoI r = νX r(SCons r K ).
47 / 80
Intro Model Terms TCF Realizers Applications
Lemma (Realizers of totality). For closed base types ι the followingare equivalent.
• T rι xy ,
• x ∼ncι y ,
• x ∈ T ncι ∧ x ≡ y .
Lemma (Realizers of cototality). For closed base types ι thefollowing are equivalent.
• coT rι xy ,
• x ≈ncι y ,
• x ∈ coT ncι ∧ x ≡ y .
48 / 80
Intro Model Terms TCF Realizers Applications
z r ∃xA↔ ∃x(z r A) for A c.r.
z r (A ∧ B)↔z ≡ 〈lft(z), rht(z)〉 ∧ (lft(z) r A) ∧ (rht(z) r B) (A c.r., B c.r.)
(z r A) ∧ B (A c.r., B n.c.)
A ∧ (z r B) (A n.c., B c.r.)
z r (A ∨ B)↔∃x(x r A ∧ z ≡ InL(x)) ∨nc ∃y (y r B ∧ z ≡ InR(y)) (A c.r., B c.r.)
∃x(x r A ∧ z ≡ Inl(x)) ∨nc (B ∧ z ≡ DummyR) (A c.r., B n.c.)
(A ∧ z ≡ DummyL) ∨nc ∃y (y r B ∧ z ≡ Inr(y)) (A n.c., B c.r.)
(A ∧ z ≡ tt) ∨nc (B ∧ z ≡ ff) (A n.c., B n.c.)
49 / 80
Intro Model Terms TCF Realizers Applications
Extracted term et(M) of a proof MA with A c.r.
et(uA) := zτ(A)u (z
τ(A)u uniquely associated to uA),
et((λuAMB)A→B) :=
{λτ(A)zu et(M) if A is c.r.
et(M) if A is n.c.
et((MA→BNA)B) :=
{et(M)et(N) if A is c.r.
et(M) if A is n.c.
et((λxMA)∀xA) := et(M),
et((M∀xA(x)t)A(t)) := et(M).
Extracted terms for the axioms. Let ι := ιI .
et(I+i ) := Ci (Ci i-th constructor of ι, i < k)
et(I−) := Rτι
et(coI−) := Dι
et(coI+) := coRτι 50 / 80
Intro Model Terms TCF Realizers Applications
Soundness theorem
Recall: an n.c. part of a proof M : A is a subproof N : B with B n.c.Such n.c. parts will not contribute to the computational content ofthe whole proof: can ignore all decorations in those parts.
An assumption variable u : C with C c.r. must be replaced by acorresponding realizability assumption u : zu r C . However, if u : Cappears in an n.c. part of the proof we can keep it (sincecomputational content is ignored in such parts), and consider thetwo assumption variables u : zu r C and u : C to be the same.
Theorem (Soundness)
Let M be a proof of a c.r. formula A from assumptions u : C (c.r.)and v : D (n.c.) Then we can find a proof sp(M) of et(M) r Afrom assumptions u : zu r C and v : D.
51 / 80
Intro Model Terms TCF Realizers Applications
Exact real numbers can be given in different formats:
• Cauchy sequences (of rationals, with Cauchy modulus).
• Infinite sequences (“streams”) of signed digits {−1, 0, 1}, or
• {−1, 1,⊥} with at most one ⊥ ( “undefined”): Gray code.
Want formally verified algorithms on reals given as streams.
• Consider formal proofs M and apply realizability to extracttheir computational content.
• Switch between different formats of reals by relativising tocoinductive predicates. Instead of ∀x(x ∈ Realc → A) use
∀x(x ∈ Realnc → x ∈ coI → A) or
∀x(x ∈ Realnc → x ∈ coG → A).
Computational content of x ∈ coI (x ∈ coG ) is a representation of xas stream (via Gray code).
52 / 80
Intro Model Terms TCF Realizers Applications
A real number can be represented as a Cauchy sequence (an)n ofrationals together with a Cauchy modulus M satisfying
|an − am| ≤1
2pfor n,m ≥ M(p).
A real x := ((an)n,M) is called nonnegative (written x ∈ R0+) if
− 1
2p≤ aM(p) for all p ∈ Z+.
It is p-positive (written x ∈p R+, or x ∈ R+ if p is not needed) if
1
2p≤ aM(p+1).
53 / 80
Intro Model Terms TCF Realizers Applications
Arithmetical operations on real numbers x , y are defined by
cn L(p)
x + y an + bn max(M(p + 1),N(p + 1)
)−x −an M(p)|x | |an| M(p)x · y an · bn max
(M(p + 1 + py ),N(p + 1 + px)
)1x (|x | ∈q R+)
{1an
(an 6= 0)
0 (an = 0)M(2(q + 1) + p)
where 2px is an upper bound of x (Archimedian property).
54 / 80
Intro Model Terms TCF Realizers Applications
Comparison of reals. Write
(x ≤ y) := (y − x ∈ R0+),
(x < y) := (y − x ∈ R+).
From the existential and universal character of < and ≤ we obtain
x ≤ y ↔ y 6< x .
Lemma (ApproxSplit)
Let x , y , z be given and assume x < y . Then z ≤ y or x ≤ z .
55 / 80
Intro Model Terms TCF Realizers Applications
For simplicity x ∈ [−1, 1]. Dyadic rationals:∑i<k
ai2i+1
with ai ∈ {−1, 1}
0
−12
12
−34
34
−78
78
−1516
1516
1 1
1 1 1 1
1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
with 1 := −1. Adjacent dyadics can differ in many digits:
7
16∼ 1111,
9
16∼ 1111.
56 / 80
Intro Model Terms TCF Realizers Applications
Cure: flip after 1. Binary reflected (or Gray-) code.
0
−12
12
−34
34
−78
78
−1516
1516
L R
L R R L
L R R L L R R L
L R R L L R R L L R R L L R R L
7
16∼ RRRL,
9
16∼ RLRL.
57 / 80
Intro Model Terms TCF Realizers Applications
Problem with productivity:
1111 + 1111 · · · = ? (or LRLL . . . + RRRL · · · = ?)
What is the first digit? Cure: delay.
• For binary code: add 0. Signed digit code∑i<k
di2i+1
with di ∈ {−1, 0, 1}.
Widely used for real number computation. There is a lot ofredundancy: 11 and 01 both denote −1
4 .
• For Gray-code: add U (undefined), D (delay), FinL/R (finallyleft / right). Pre-Gray code.
58 / 80
Intro Model Terms TCF Realizers Applications
Pre-Gray code
0
12
14
34
38
58
716
916
U
D
R
R LU
FinR
UR
FinRD
FinL
RU
UL
FinR FinLD U
L
After computation in pre-Gray code, one can remove Fina by
U ◦ Fina 7→ a ◦ R, D ◦ Fina 7→ Fina ◦ L.
59 / 80
Intro Model Terms TCF Realizers Applications
RRRLLL . . . RLRLLL . . . RUDDDD . . .
all denote 12 . Only keep the latter to denote 1
2 . Then, generally,
• U occurs in a context UDDDD . . . only, and
• U appears iff we have a dyadic rational.
Result: unique representation, called pure Gray code.
60 / 80
Intro Model Terms TCF Realizers Applications
Average for pre-Gray code
Pre-Gray code: “cototal objects” in the (simultaneously defined)free algebras G and H given by the constructors
Lr : B→ G→ G
U : H→ G
Fin : B→ G→ H
D : H→ H
with B = {tt, ff}
61 / 80
Intro Model Terms TCF Realizers Applications
Predicates coG and coHLet Psd := {−1, 1} and
Γ(X ,Y ) := { x | ∃x ′∈X∃a∈Psd(x = −ax′ − 1
2) ∨ ∃x ′∈Y (x =
x ′
2) },
∆(X ,Y ) := { x | ∃x ′∈X∃a∈Psd(x = ax ′ + 1
2) ∨ ∃x ′∈Y (x =
x ′
2) }
and define
(coG , coH) := ν(X ,Y )(Γ(X ,Y ),∆(X ,Y )) (greatest fixed point)
Consequences:
∀x∈coG (∃x ′∈coG∃a∈Psd(x = −ax′ − 1
2) ∨ ∃x ′∈coH(x =
x ′
2))
∀x∈coH(∃x ′∈coG∃a∈Psd(x = ax ′ + 1
2) ∨ ∃x ′∈coH(x =
x ′
2))
62 / 80
Intro Model Terms TCF Realizers Applications
Lemma (CoGUMinus)
∀x(coG (−x)→ coGx),
∀x(coH(−x)→ coHx).
Proof by coinduction (:= Gfp-axiom), using properties of the unaryminus function.
Implicit algorithm. f : G→ G and f ′ : H→ H defined by
f (Lra(u)) = Lr−a(u), f ′(Fina(u)) = Fin−a(u),
f (U(v)) = U(f ′(v)), f ′(D(v)) = D(f ′(v)).
63 / 80
Intro Model Terms TCF Realizers Applications
Using CoGUMinus we prove that coG and coH are equivalent.
Lemma (CoHToCoG)
∀x(x ∈ coH → x ∈ coG ),
∀x(x ∈ coG → x ∈ coH).
Implicit algorithm. g : H→ G and h : G→ H:
g(Fina(u)) = Lra(f −(u)), h(Lra(u)) = Fina(f −(u)),
g(D(v)) = U(v), h(U(v)) = D(v)
where f − := cCoGUMinus (cL denotes the function extractedfrom the proof of a lemma L). No corecursive call is involved.
64 / 80
Intro Model Terms TCF Realizers Applications
Let Sd2 := {−2,−1, 0, 1, 2}. To prove
∀x ,y∈coG (x + y
2∈ coG )
consider9 two sets of averages, the second one with a “carry”:
P := { x + y
2| x , y ∈ coG }, Q := { x + y + i
4| x , y ∈ coG , i ∈ Sd2 }.
Suffices: Q satisfies the clause coinductively defining coG .
• By the greatest-fixed-point axiom for coG we have Q ⊆ coG .
• Since also P ⊆ Q we obtain P ⊆ coG , which is our claim.
9U. Berger & M. Seisenberger, Proofs, programs, processes, Th. Computing2012
65 / 80
Intro Model Terms TCF Realizers Applications
Lemma (CoGAvToAvc)
∀x ,y∈coG∃i∈Sd2∃x ′,y ′∈coG (x + y
2=
x ′ + y ′ + i
4).
Proof needs CoGPsdTimes: ∀a∈Psd∀x∈coG (ax ∈ coG ). Rest easy,using CoGClause.
Implicit algorithm.Write f ∗ for cCoGPsdTimes and s for cCoHToCoG.
f (Lra(u),Lra′(u′)) = (a + a′, f ∗(−a, u), f ∗(−a′, u′)),
f (Lra(u),U(v)) = (a, f ∗(−a, u), s(v)),
f (U(v),Lra(u)) = (a, s(v), f ∗(−a, u)),
f (U(v),U(v ′)) = (0, s(v), s(v ′)).
66 / 80
Intro Model Terms TCF Realizers Applications
Lemma (CoGAvcSatCoICl).
∀i∈Sd2∀x ,y∈coG∃j∈Sd2∃k∈Sd∃x ′,y ′∈coG (x + y + i
4=
x ′+y ′+j4 + k
2).
Proof. We can relate x+d2 and x+y+i
4 by
x+d2 + y+e
2 + i
4=
x+y+J(d+e+2i)4 + K (d + e + 2i)
2with J,K : Z→ Z such that
∀i (i = J(i) + 4K (i)) ∀i (|J(i)| ≤ 2) ∀i (|i | ≤ 6→ |K (i)| ≤ 1)
Implicit algorithm.
f (i ,Lra(u),Lra′(u′))=(J(a+a′+2i),K (a+a′+2i), f ∗(−a, u), f ∗(−a′, u′)),
f (i ,Lra(u),U(v))=(J(a + 2i),K (a + 2i), f ∗(−a, u), s(v)),
f (i ,U(v),Lra(u))=(J(a + 2i),K (a + 2i), s(v), f ∗(−a, u)),
f (i ,U(v),U(v ′))=(J(2i),K (2i), s(v), s(v ′)).
67 / 80
Intro Model Terms TCF Realizers Applications
Lemma (CoGAvcToCoG)
∀z(∃x ,y∈coG∃i∈Sd2(z =x + y + i
4)→ z ∈ coG ),
∀z(∃x ,y∈coG∃i∈Sd2(z =x + y + i
4)→ z ∈ coH).
Proof (by coinduction) uses CoGAvcSatCoICl. Need
SdDisj : ∀d∈Sd(d = 0 ∨ d ∈ Psd).
68 / 80
Intro Model Terms TCF Realizers Applications
Implicit algorithm.
g(i , u, u′) = let (i1, k , u1, u′1) = cCoGAvcSatCoICl(i , u, u′) in
case cSdDisj(k) of
0→ U(h(i1, u1, u′1))
a→ Lra(g(−ai1, f ∗(−a, u1), f ∗(−a, u′1))),
h(i , u, u′) = let (i1, k , u1, u′1) = cCoGAvcSatCoICl(i , u, u′) in
case cSdDisj(k) of
0→ D(h(i1, u1, u′1))
a→ Fina(g(−ai1, f ∗(−a, u1), f ∗(−a, u′1))).
69 / 80
Intro Model Terms TCF Realizers Applications
Theorem (CoGAverage)
∀x ,y∈coG (x + y
2∈ coG ).
Implicit algorithm. Compose cCoGAvToAvc with cCoGAvcToCoG.
70 / 80
Intro Model Terms TCF Realizers Applications
Multiplication for pre-Gray code
To prove∀x ,x ′(x , x ′ ∈ coG → x · x ′ ∈ coG ),
consider the two sets
P := { x · y | x , y ∈ coG },
Q := { x · y + z + i
4| x , y , z ∈ coG , i ∈ Sd2 }.
Suffices: Q satisfies the clause coinductively defining coG .
• By the greatest-fixed-point axiom for coG we have Q ⊆ coG .
• Since also P ⊆ Q we obtain P ⊆ coG , which is our claim.
71 / 80
Intro Model Terms TCF Realizers Applications
Lemma (CoGMultToMultc).
∀x ,y∈coG∃i∈Sd2∃x ′,y ′,z∈coG (xy =x ′y ′ + z + i
4).
Implicit algorithm. We use s for cCoHToCoG, and au for f ∗(a, u).
g(Lra(u),Lrb(u′)) = case cCoGAverage(−abu,−abu′) of
Lrc(u′′)→ (c + ab, au, bu′,−cu′′)U(v)→ (ab, au, bu′, s(v))
g(Lra(u),U(v))) = (0,−au, s(v), as(v))
g(U(v),Lra(u)) = (0, s(v),−au, as(v))
g(U(v),U(v ′)) = (0, s(v), s(v ′), cCoGZero).
72 / 80
Intro Model Terms TCF Realizers Applications
Lemma (JKLr).
∀i∈Sd2∀a∈Psd∀v∈coG∃j∈Sd2∃d∈Sd∃z∈coG (v +a + i
4=
z + j
4+ d).
Implicit algorithm We use s for cCoHToCoG.
g(i , a,Lrb0(Lrb(w))) = (J(−b0b+2b0+a+i),K (−b0b+2b0+a+i), b0bw)
g(i , a,Lrb0(U(w))) = (J(2b0 + a + i),K (2b0 + a + i),−b0s(w))
g(i , a,U(Lrb(w))) = (J(b + a + i),K (b + a + i), bw)
g(i , a,U(U(w))) = (J(a + i),K (a + i), s(w))
Lemma (JKU).
∀i∈Sd2∀v∈coG∃j∈Sd2∃d∈Sd∃z∈coG (v +i
4=
z + j
4+ d)
73 / 80
Intro Model Terms TCF Realizers Applications
Lemma (CoGMultcSatCoICl).
∀y∈coG∀i∈Sd2∀x ,z∈coG∃d∈Sd∃j∈Sd2∃x ′,z ′∈coG (xy + z + i
4=
x ′y+z ′+j4 + d
2).
Implicit algorithm. We use h for cCoGAvcToCoG, w0 for cCoGZero
g(u0, i ,Lra(u),Lrb(u′)) =
let (j , d ,w) = cJKLr(i , b, h(i , au0,−bu′)) in (d , j ,−au,w)
g(u0, i ,Lra(u),U(v)) =
let (j , d ,w) = cJKU(i , h(i , au0, s(v))) in (d , j ,−au,w)
g(u0, i ,U(v),Lra(u)) =
let (j , d ,w) = cJKLr(i , a, h(i ,w0,−au)) in (d , j , s(v),w)
g(u0, i ,U(v),U(v ′)) =
let (j , d ,w) = cJKU(i , h(i ,w0, s(v ′))) in (d , j , s(v),w)
74 / 80
Intro Model Terms TCF Realizers Applications
Lemma (CoGMultcToCoG).
∀z0(∃i∈Sd2∃x ,y ,z∈coG (z0 =xy + z + i
4)→ z0 ∈ coG ),
∀z0(∃i∈Sd2∃x ,y ,z∈coG (z0 =xy + z + i
4)→ z0 ∈ coH).
Proof (by coinduction) uses CoGMultcSatCoICl. Again need
SdDisj : ∀d∈Sd(d = 0 ∨ d ∈ Psd).
75 / 80
Intro Model Terms TCF Realizers Applications
Implicit algorithm.
g(i , u, u′, u′′) = let (d , j , u1, u′1) = cCoGMultcSatCoICl(u′, i , u, u′′) in
case cSdDisj(d) of
0→ U(h(j , u1, u′, u′1))
a→ Lra(g(−aj , u1, f ∗(−a, u′), f ∗(−a, u′1))),
h(i , u, u′, u′′) = let (d , j , u1, u′1) = cCoGMultcSatCoICl(u′, i , u, u′′) in
case cSdDisj(d) of
0→ D(h(j , u1, u′, u′1))
a→ Fina(g(aj , u1, f∗(a, u′), f ∗(a, u′1))).
76 / 80
Intro Model Terms TCF Realizers Applications
[iggg](CoRec sdtwo yprod ag yprod ag yprod ag=>ag
sdtwo yprod ag yprod ag yprod ag=>ah)iggg
([iggg0][let djgg (cCoGMultcSatCoICl
clft crht crht iggg0 clft iggg0
clft crht iggg0 crht crht crht iggg0)
[case (cSdDisj clft djgg)
(DummyL -> InR(InR(clft crht djgg pair
clft crht crht djgg pair
clft crht crht iggg0 pair
crht crht crht djgg)))
(Inr boole -> InL(boole pair
InR(cIntTimesSdtwoPsdToSdtwo
clft crht djgg(cPsdUMinus boole)pair
clft crht crht djgg pair
cCoGPsdTimes clft crht crht iggg0
(cPsdUMinus boole)pair
cCoGPsdTimes crht crht crht djgg
(cPsdUMinus boole))))]])
([iggg0][let djgg ...])
77 / 80
Intro Model Terms TCF Realizers Applications
Theorem (CoGMult)
∀x ,y∈coG (xy ∈ coG ).
Implicit algorithm.Compose cCoGMultToMultc with cCoGMultcToCoG.
78 / 80
Intro Model Terms TCF Realizers Applications
Method also works for average, multiplication and division:
x , y ∈ coG → x + y
2∈ coG ,
x , y ∈ coG → x · y ∈ coG ,
x , y ∈ coG → 1
4≤ y → x
y∈ coG ,
both w.r.t. signed digits (coI ) and Gray code (coG ).
79 / 80
Intro Model Terms TCF Realizers Applications
Slides:
http://www.math.lmu.de/∼schwicht/slides/ljubliana19.pdf
Course notes:
http://www.math.lmu.de/∼schwicht/lectures/logic/ss19/index.php
Implementation (Minlog, in examples/analysis):
git clone http://www.math.lmu.de/∼minlogit/git/minlog.git
(Use the development branch: git checkout dev).
80 / 80