Fixed point semantics and partial recursion in Coq

Yves Bertot, Vladimir Komendantsky

To cite this version:

Yves Bertot, Vladimir Komendantsky. Fixed point semantics and partial recursion in Coq. PPDP 2008, Jul 2008, Valencia, Spain. inria-00190975v8

HAL Id: inria-00190975 https://hal.inria.fr/inria-00190975v8 Submitted on 15 Apr 2008 (v8), last revised 24 Jul 2008 (v11)

ABSTRACT

We propose to use the Knaster–Tarski least fixed point theorem as a basis to define recursive functions in the Calculus of Inductive Constructions. This widens the class of functions that can be modelled in type-theory based theorem proving tools to potentially non-terminating functions. This is only possible if we extend the logical framework by adding some axioms of classical logic. We claim that the extended framework makes it possible to reason about terminating and non-terminating computations and we also show that extraction can be extended to handle the new functions.

* This work is partially supported by the French ANR project CompCert.

1. INTRODUCTION

For theoretical computer scientists, the Knaster–Tarski least fixed point theorem, as well as its application as the Kleene fixed point theorem [30], is the first firm theoretical ground to assert the existence of objects defined by recursive equations. These objects can be inductive types as in [17, 16] or recursive functions. We consider the following generalised statement of the Knaster–Tarski theorem [1]:

Theorem 1 (Knaster–Tarski; complete p.o.). Given a monotone function f on a chain-complete partial order, consider the following transfinite sequence:

  x_0 = ⊥
  x_{α+1} = f(x_α)
  x_β = the least upper bound of the chain {f(x_α)}_{α<β} if β is a limit ordinal

Then f has a least fixed point. Moreover, if the function f is continuous, then the least fixed point is obtained in at most ω iterations.

To use this theorem, one should be able to express the completeness property required of the domain of interest and that the function being considered is continuous. If the goal is to define a partial recursive function then this requires using axioms of classical logic, and this step is seldom made in the type-theory based theorem proving community. However, this prejudice of the constructive type-theory community is not a necessity: adding axioms of classical logic to the type theory can often be safely done while retaining the consistency of the whole system. In this paper, we work in classical logic to reason about potentially non-terminating recursive functions. No inconsistency is introduced in the process, because potentially non-terminating functions of type A → B are actually modelled as functions of type A → B_⊥: the fact that a function may not terminate is recorded in its type, non-terminating computations are given the value ⊥, which is distinguished from all the regular values, and the fact that one can reason classically about whether a function terminates or not is obviously non-constructive but does not introduce any inconsistency.

One of the advantages of type-theory based theorem proving is that actual programs can be derived from formal models, with guarantees that these programs satisfy properties that are predicted in the formal models. This derivation process, known as extraction [27, 19], performs a cleaning operation so that all parts that correspond to compile-time verifications of formally verified proofs are removed. The extracted programs are often reasonably efficient. In this paper, we also show that extraction can accommodate the new class of potentially non-terminating functions.

When axioms are added to the logical framework, three cases may occur: first, the new axioms may make the system inconsistent; second, the new axioms may only be used in the part of the models that is cleaned away by the extraction process; third, the axioms may be used in the part of the derivation that becomes included in the extracted programs. The first case should be avoided at all costs. In the second case, there is no need to discuss the axioms with respect to the extracted programs: the program that is produced is consistent with the reasoning done about it, even if this reasoning guarantees termination with the help of classical logic. In the third case, the extraction process still relies on the added axiom: the behaviour predicted by the axiom needs to be linked to a computation process that implements the axiom. We claim that this can be safely done if the Knaster–Tarski least fixed point theorem is given a sensible computational content.

Kleene's least fixed point theorem can be used to justify the existence of recursive functions, because these functions can be described as the least fixed point of the functional that arises in their recursive equation. However, it is necessary to ensure that the function space has the properties of a complete partial order and that the functional is continuous. These facts can be motivated using a simple development of basic domain theory. With the help of the axiom of definite description, this theorem can be used to produce a function, which we shall call fixp, that takes as argument a continuous function and returns the least fixed point of this function. When the argument of fixp is a functional, the least fixed point is a recursive function, which can then be combined with other functions to build larger software models.

With respect to extraction, we also suggest a few improvements to the extraction process that should help making sure that fairly efficient code can be obtained automatically from the formal models studied inside our extension of the Calculus of Inductive Constructions.

From the formal proof point of view, the Knaster–Tarski least fixed point theorem provides us with two important properties of the function it produces. The first property is that the obtained function satisfies the fixed point equation. The importance of fixed point equations is straightforward [3] and was already described by the first author in [4]. This fixed point equation is useful when we want to prove properties of the function, for instance, that under some conditions it is guaranteed to terminate. The second property is that the least fixed point is obtained in at most ω iterations. As a result, we can reason by induction on the length of computations, thus providing a poor man's approximation of what is called fixed point induction in [30]. This possibility allows to prove properties of the function result when it exists, and can also be used to prove that under some conditions a function fails to terminate.

In this paper, we give an overview of our basic formalisation of domain theory. Then, we show how this theory can be used in the definition of simple recursive functions. We give examples with proofs about recursive functions. We discuss extraction and execution of the recursive programs that are obtained in this way. Related work and possibilities for further work are reviewed at the end of the paper. All the experiments described in this paper were done with Coq [13, 6] and can be found in the Internet from the first author's web page [7].
2. DOMAIN-THEORETIC CONSTRUCTIONS

Our domain-theoretic development, found at [7], comprises basic ideas of domain theory built on the notion of a preorder, that is a theory of (pointed) complete preorders [26]. In addition to the constructive complete preorders of [26], we introduce flat complete preorders that we define making certain non-constructive steps which are to be specified below. Various developments of domain theory have been carried out in several proof systems. Therefore we just invite the reader to grasp the basic constructions by reading our development since these basics are quite standard for such a library.

In the present paper we abbreviate "pointed complete preorder" as "cpo", following the convention in [26], and we systematically omit the word "pointed". In Figure 1, we summarise some useful notation.

  ord          preorder
  cpo          (pointed) complete preorder
  →o           preordered function space
  →m           preordered monotonic function space
  →c           preordered continuous function space
  →O           function cpo
  →M           monotonic function cpo
  →C           continuous function cpo
  nat_ord      natural numbers ordered by ≤
  chain O      nat_ord →m O
  chaincpo D   nat_ord →M D
  o            (preordered) function application
  m            monotonic function application
  c            continuous function application
  @            monotonic function composition
  @@           continuous function composition
  ==O          derived equality on the preorder O

Figure 1: Notation

We define the following inductive type which turns out to be equivalent to the standard option type of Coq:

  Inductive partial (A : Type) : Type :=
    Def : A → partial A | Undef : partial A.

The type partial is introduced in order to provide hiding mechanisms that would prevent the user of our library from encoding a classical proof of the halting problem using the standard option type of Coq.

The flat preorder on a type A is defined by specifying a binary relation ≤partial A such that, for x y : partial A, x ≤partial A y iff x = y or x = Undef. We denote this flat preorder by &ord A.

Lifting of the flat preorder to a flat cpo requires a non-constructive definition for the lub function. Namely, using the excluded middle law of classical propositional logic we can prove ≤&ord A to be complete in the sense that, for each chain c on &ord A, there exists an x such that ∀n, c n ≤&ord A x and ∀y, (∀n, c n ≤&ord A y) → x ≤&ord A y, which proves the two laws for the required least upper bound function. Since we can prove that this least upper bound is unique, using the classical definite description axiom:

  Axiom constructive_definite_description :
    ∀ A (P:A→Prop), (∃! x:A, P x) → { x : A | P x }.

we obtain a Σ-type definition for the least upper bound of c : chain A that contains two parts: an element a : &ord A and the proof of a being the least upper bound of c. In this way we obtain the function lub&ord A : chain (&ord A) → &ord A as the first projection of this Σ-type object. Thus we have a cpo structure on &ord A; we denote it by &cpo A.

One may note that the definite description axiom is incompatible with variants of the Calculus of Constructions where the Set sort is impredicative [11]. Fortunately, this is not the default for Coq and our work is done with predicative Set.

3. KLEENE'S FIXED POINT THEOREM

The well-known fixed point theorem of Kleene, see [30], has a mild generalisation in the setting of complete preorders. Below we outline a formalised proof for this statement. Our proof follows the lines of the classical textbook proofs found in, e.g., [22, 30]. The fixed point functional defined for this proof can and will be used in this paper to define partial recursive functions and reason about them.

The construction of the fixed point functional is closely related to the one given in [26]. First, we define a function f_iter as follows (⊥ denotes the bottom element of the cpo D):

  Fixpoint f_iter (D:cpo)(f:D →m D)(n:nat_ord) : D :=
    match n with
      0 ⇒ ⊥
    | S n' ⇒ f (f_iter f n')
    end.

Then we prove monotonicity of f_iter and define iter of type chain D to be f_iter with the attached proof of monotonicity; and we define the function f_fixp to be the least upper bound of this chain.

  Definition f_fixp (D:cpo)(f:D →m D) : D := lub (iter f).

We can prove the fixed point property f_fixp f == f (f_fixp f). Next, we define the required fixed point functional which is a continuous version of f_fixp, and we also have the corresponding fixed point property.

  Definition fixp (D:cpo) : (D →C D) →C D := ...
  Lemma fixp_eq : ∀ D (f:D →C D), fixp f == f (fixp f).

Therefore Kleene's theorem can be formalised as follows:

Theorem 2 (Kleene). ∀ (D:cpo)(f:D →c D), f (fixp f) == fixp f ∧ (∀ x, f x ≤ x → fixp f ≤ x).

The fixed point returned by fixp is the least by construction; it is the least upper bound of the iter chain, which allows reasoning on partial recursive functions.

4. FIXED POINT DEFINITIONS OF PARTIAL RECURSIVE FUNCTIONS

To model partiality of a function f0 with arguments of type A and values of type B, first we define a recursive function f : A → &cpo B for which we ought to construct a continuous functional F of type

  (A →O &cpo B) →C (A →O &cpo B)

such that f = F f. A proof of such a functional F being actually continuous is usually non-trivial but considerably regular. For a proof, one might use the following intuition: the condition of continuity of F corresponds to the interpretation of "potential non-termination" according to which every expression containing a potentially non-terminating computation should fail to terminate if it actually uses the value returned by this computation and that computation fails to terminate. To use the value of a potentially non-terminating computation one needs to write a pattern-matching construct on this computation: the continuity condition will be satisfied if we ensure that the value Undef is returned in the case Undef of this matching construct.

For example, consider the minimisation functional µ defined as follows: for all A : Type, f : A → nat → nat, the value of µf is a function g : A → nat such that g x is defined and has value y if and only if y is the least value for which (f x) y = 0 holds. From this definition it follows that g x is undefined in case no least value y is found, that is, µ can be used to define partial functions.

Let A:Type and f:A → nat → partial nat. First, we specify a functional f_mu as follows:

  Definition f_mu (mu : A → nat → partial nat) : A → nat → partial nat :=
    fun x y ⇒
      match f x y with
        Undef ⇒ Undef
      | Def 0 ⇒ Def y
      | _ ⇒ mu x (S y)
      end.

Then we prove monotonicity and then continuity of f_mu and specify the functions mono_mu and cont_mu with the proofs of monotonicity and, respectively, continuity attached as follows:

  Definition mono_mu :
    (A →o nat_ord →o &ord nat) →m (A →o nat_ord →o &ord nat) := ...
  Definition cont_mu :
    (A →O nat_ord →O &cpo nat) →C (A →O nat_ord →O &cpo nat) := ...

Once the continuity proof is completed, we can define the functional with a command of the following form:

  Definition mu := fixp cont_mu.

Now we can illustrate the use of our mu. Consider the function λxy.|x − y²| with the following definition (note the use of truncated subtraction):

  Definition abs_x_minus_y_squared (x y : nat) :=
    Def ((x - y*y) + (y*y - x)).

The value of µ(λxy.|x − y²|)k is defined if and only if k is a perfect square. This can be defined in Coq as follows:

  Definition perfect_sqrt (x:nat) := mu abs_x_minus_y_squared x 0.

Next, we demonstrate some proof ideas concerning this partial recursive function.
5. CERTIFICATION OF FUNCTIONS

In [30], Winskel describes fixed point induction as a technique for proving properties of least fixed points of continuous functions. This style of induction is restricted to certain predicates which are called refining in his work. The same notion also appears in HOLCF, see [29, 21], under the name of admissible predicates and the authors argue that it is important to provide strong automation facilities to manage the corresponding proofs of admissibility. Our work is less advanced than HOLCF – we do not provide automated admissibility proofs – still we provide basic techniques for proofs about recursive functions with flat target types.

In our setting, we want to prove properties of functions obtained using fixp and we have two tools at hand. The first tool is the lemma fixp_eq. The second tool is an omnipresent lemma that we employ to return a value of the least upper bound of a chain on a flat cpo:

  Lemma lub_flat_cpo_witness :
    ∀ (c : chain &cpo), ∃ n, c n = lub c.

The above lemma can be used to prove that, for any input, the value of fixp f can also be computed by iter f n for some natural number n:

  Lemma fixp_flat_witness :
    ∀ A B (f:(A →O &cpo B) →C (A →O &cpo B)) x,
    ∃ n, fixp f x = iter f n x.
  Proof.
  intros A B f x.
  destruct (lub_flat_cpo_witness (iter f o x)) as [n Hn];
  exists n.
  match goal with
    Hn: ?a = _ ⊢ _ = ?b ⇒ change b with a end;
  rewrite Hn.
  case f; intro f'; case f'; reflexivity.
  Qed.

The number n can be intuitively understood as an upper bound on the number of recursive calls that are needed to compute the value at x. Notably, the match step is only needed in some specific versions of Coq where the unification algorithm is not powerful enough to solve the given higher-order unification problem. Thanks to this theorem, one can reason by induction on n and simulate the fixed point induction of [30].

The third tool is provided by the following lemma that relates computations done with iter and values of a recursive function:

  Lemma iter_Def_eq_fixp :
    ∀ A B (f:(A →O &cpo B) →C (A →O &cpo B)) x n v,
    iter f n x = Def v → fixp f x = Def v.

Using this lemma, one can compute values of recursive functions, provided that none of these values is Undef. One simply needs to guess the right argument n that leads to a definite value of the form Def v which in this case is known to be the value of the recursive function for the corresponding argument. The problem is to decide whether a given number n is the right one. If the chosen value is too small, the value returned by the iterative process is the uninformative Undef.

For the sake of the example below we can prove the two-argument version iter_Def_eq_fixp_2 by currying and then applying iter_Def_eq_fixp (the alternative direct proof is easy):

  Lemma iter_Def_eq_fixp_2 :
    ∀ A B C (f:(A →O B →O &cpo C) →C (A →O B →O &cpo C)) x y n v,
    iter f n x y = Def v → fixp f x y = Def v.

Now we can demonstrate a simulation of an iterative computation:

  Lemma compute_perfect_sqrt_36 : perfect_sqrt 36 = Def 6.
  Proof.
  unfold perfect_sqrt, mu.
  apply iter_Def_eq_fixp_2 with (n:=100); reflexivity.
  Qed.

The number 100 used in this example is only required to be an upper bound on the recursive calls, enough to compute perfect_sqrt 36 (in this case 7 would be enough). This approach may be used in reflexive tactics, for example, in a proof that involves computation of the value of a recursive function. One can try a fixed number of calls, and if a value of the form Def is returned, the proof can proceed, otherwise the tactic fails, which nevertheless does not signify the divergence of the recursive function.

For instance, using fixp_flat_witness we can conclude with the following lemma (by simulating the fixed point induction):

  Lemma perfect_sqrt_Undef :
    ∀ x, (∀ y:nat, ¬x = y*y) → perfect_sqrt x = Undef.
  Proof.
  intros x Hx. unfold perfect_sqrt, mu.
  destruct (fixp_flat_witness_2
              (@cont_mu nat abs_x_minus_y_squared) x 0) as [n Hn].
  rewrite Hn.
  apply perfect_sqrt_Undef_iter with (1:=Hx).
  Qed.

This lemma asserts that the function perfect_sqrt never terminates on inputs which are not perfect squares. In the proof of this lemma we refer to the two-argument version of fixp_flat_witness (which can be easily proved either directly or by currying followed by an application of the one-argument fixp_flat_witness):

  Lemma fixp_flat_witness_2 :
    ∀ A B C (f:(A →O B →O &cpo C) →C (A →O B →O &cpo C)) x y,
    ∃ n, fixp f x y = iter f n x y.

and then we refer to the following statement proved by induction on n:

  Lemma perfect_sqrt_Undef_iter :
    ∀ n x y, (∀ z:nat, ¬x = z*z) →
    iter (mono_mu abs_x_minus_y_squared) n x y = Undef.
  Proof.
  induction n.
  reflexivity.
  simpl; unfold f_mu; simpl.
  intros x y Hxneq.
  case_eq (x-y*y+(y*y-x)).
  intro Heq0.
  assert (Hcontr: x = y*y) by omega.
  contradiction (Hxneq y Hcontr).
  intros _.
  apply (IHn x (S y) Hxneq).
  Qed.
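As an added example, not code from the paper or its library, the following OCaml program replays the iteration scheme behind iter_Def_eq_fixp on the flat domain: f_iter applies the f_mu functional n times to the everywhere-Undef function (the bottom of the function cpo), so the witness n bounds the number of recursive calls. The assertions check the values the text states for perfect_sqrt 36 (n = 100, n = 7, and a too-small n) and that a non-square stays Undef for every n; the cpo structure itself is not modelled.

```ocaml
(* Constructed example: partial, f_mu, f_iter and abs_x_minus_y_squared
   follow the page's Coq definitions; the cpo argument is replaced by the
   flat domain on 'a partial, whose bottom element is Undef. *)
type 'a partial = Def of 'a | Undef

(* The minimisation functional f_mu of Section 4, with f as a parameter
   instead of a section variable. *)
let f_mu (f : 'a -> int -> int partial) (mu : 'a -> int -> int partial)
    : 'a -> int -> int partial =
  fun x y ->
    match f x y with
    | Undef -> Undef
    | Def 0 -> Def y
    | Def _ -> mu x (y + 1)

(* f_iter func n: n-fold application of the functional to the bottom of
   the function cpo A -> nat -> &cpo nat, i.e. the everywhere-Undef function. *)
let rec f_iter (func : ('a -> int -> int partial) -> ('a -> int -> int partial))
    (n : int) : 'a -> int -> int partial =
  if n = 0 then (fun _ _ -> Undef) else func (f_iter func (n - 1))

(* Truncated subtraction, as on Coq's nat. *)
let tsub a b = if a >= b then a - b else 0
let abs_x_minus_y_squared x y = Def (tsub x (y * y) + tsub (y * y) x)

(* iter f n x 0 = Def v is the witness used by iter_Def_eq_fixp_2:
   each unfolding accounts for one recursive call of mu. *)
let perfect_sqrt_iter n x = f_iter (f_mu abs_x_minus_y_squared) n x 0

let () =
  assert (perfect_sqrt_iter 100 36 = Def 6);  (* the page's n := 100 *)
  assert (perfect_sqrt_iter 7 36 = Def 6);    (* 7 is enough, as stated *)
  assert (perfect_sqrt_iter 6 36 = Undef);    (* too small: uninformative Undef *)
  (* A non-square never reaches Def, whatever the bound
     (the content of perfect_sqrt_Undef_iter). *)
  assert (List.for_all (fun n -> perfect_sqrt_iter n 35 = Undef) [0; 1; 10; 100])
```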

6. EXTRACTION TO FUNCTIONAL PROGRAMMING LANGUAGES

The function perfect_sqrt from Section 4 can be successfully extracted using the extraction mechanism provided by Coq. The extracted code exhibits the expected partial behaviour, that is, it loops exactly on arguments which are not perfect squares. Below we show how this can be made possible.

Some of our lemmas rely on the Classical and ClassicalDescription extensions of the Coq libraries. These extensions add only two axioms to the logic of Coq, namely, the axiom of excluded middle, and the constructive definite description axiom: ∀ A (P:A→Prop), (∃! x:A, P x) → {x : A | P x}. The antecedent states that there exists a unique x satisfying the property P but it does not provide a method to construct x. The consequent asserts that one can use this unique x as a constructive value. Using this axiom, one eliminates the distinction between constructive values and logically unique values. This of course disrespects the distinction between Set and Prop that plays the central role during the extraction process of Coq.

The extraction mechanism relies on the assumption that, for every element of the form {x : A | P x}, there exists a constructive procedure for obtaining the x's part. However, the axiom produces elements of that form without providing any constructive procedure. For example, the flat cpo type extracts into OCaml as

  let flat_cpo =
    { o_cpo = flat_ord; bot = (Obj.magic (Obj.magic Undef));
      lub = (fun x → projT1 (ExistT
        ((match excluded_middle_informative with
          | Left → Obj.magic __
          | Right → Obj.magic Undef), __))) }

whereas the fixp functional in OCaml, after systematic inlining of functions and erasing occurrences of Obj.magic, becomes

  let fixp d = fun n → d.lub (f_iter d ((fun c → c) n))

Thus one can see that, in OCaml, the lub of a flat cpo has essentially no computational content, and therefore fixp on a flat cpo does not compute the expected value. For this reason, the extraction mechanism expects the user to handwrite the procedure that returns the expected value wherever the axiom is used.

We propose the following solution to this problem. The constructive definite description axiom is only used in the definition of the function fixp, to transform the existential statement of Theorem 1 into a value that can be used in other functions. We can provide a handwritten constructive content for the function fixp, so that the logical value of this function is not used, and hence make sure that the definite description axiom is never used in the extracted code. We simply need to choose a constructive procedure for fixp that can be written in the target language of extraction and whose behaviour corresponds to the behaviour described in the Coq development.

We construct a function fix that computes the fixed point of functionals, so that this function should satisfy the following equality:

  f (fix d f) = fix d f

The introduced argument d corresponds to the cpo argument in Coq that is in most cases implicit there but explicit in OCaml. Changing the orientation of the equation seems enough to do the job:

  let rec fix d f = f (fix d f)

However, this is not satisfactory in a call-by-value language, since this code directly attempts to compute fix f again and enters a looping computation. The execution can be delayed as follows:

  let rec fix d f = f (fun y → fix d f y)

The obtained function fix is the function we propose to attach to the function fixp for extraction purposes. The corresponding instruction to the Coq extraction mechanism is the following:

  Extract Constant fixp ⇒
    "let rec fix d f x = f (fun y → fix d f y) x in fix"

There is a leap of faith in this binding, which is as strong as the leap of faith one does when using extra axioms. In our current understanding of this extraction strategy, we can give a partial correctness result: when computation terminates and returns a first-order value, the result is still predicted by the Coq model.

In the case of the mu function, the extracted OCaml code is shown in Figure 2. Occurrences of Obj.magic correspond to implicit coercions that appear in Coq.

  (** val mu : ('a1 → nat → nat partial) → Obj.t **)

  let mu f =
    Obj.magic (Obj.magic (fixp (funcpo (funcpo flat_cpo))))
      (Obj.magic
        (Obj.magic (Obj.magic (fun x x0 x1 →
          match f x0 x1 with
          | Def n → (match n with
                     | O → Def x1
                     | S n0 → x x0 (S x1))
          | Undef → Undef))))

Figure 2: Unoptimised mu
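The two candidate definitions of fix discussed above, as an added OCaml example that is not from the paper: fix_eager is the direct reading of f (fix f), which never returns under call-by-value, and fix is the delayed form used in the Extract Constant binding. It is applied to the functional of Figure 2 with the Obj.magic coercions removed and the cpo argument d left implicit; perfect_sqrt is then the extracted function, which terminates exactly on perfect squares, so only squares are exercised.

```ocaml
(* Constructed example: the eager and delayed fixed point combinators of
   Section 6, applied to the functional that Figure 2 passes to fixp. *)
type 'a partial = Def of 'a | Undef

(* f (fix f) read as an OCaml definition. OCaml is call-by-value, so the
   argument fix_eager f is evaluated before f is ever called: every call
   recurses without bound and never returns. Shown for the shape only. *)
let rec fix_eager f = f (fix_eager f)

(* The delayed form: the recursive call sits under a lambda and is made
   only when the functional applies its argument, so each recursive call
   of the defined function costs exactly one unfolding. *)
let rec fix f = f (fun y -> fix f y)

(* The Figure 2 functional without Obj.magic; mu on the right-hand side
   is the argument standing for the recursive function itself. *)
let mu (f : 'a -> int -> int partial) : 'a -> int -> int partial =
  fix (fun mu x y ->
    match f x y with
    | Def 0 -> Def y
    | Def _ -> mu x (y + 1)
    | Undef -> Undef)

(* Truncated subtraction, as on Coq's nat. *)
let tsub a b = if a >= b then a - b else 0
let abs_x_minus_y_squared x y = Def (tsub x (y * y) + tsub (y * y) x)

(* The extracted perfect_sqrt. On a non-square it loops, as the page
   states, which is why no such input is evaluated here. *)
let perfect_sqrt x = mu abs_x_minus_y_squared x 0

let () =
  assert (perfect_sqrt 36 = Def 6);   (* agrees with compute_perfect_sqrt_36 *)
  assert (perfect_sqrt 0 = Def 0);
  assert (perfect_sqrt 49 = Def 7)
```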

For the rest of this section we assume that the argument d of fix is implicit.

Theorem 3. If the extracted code for fixp f a is some expression fix f' a', and the computation of fix f' a' terminates in the target language, then the expression fixp f a can be proved to terminate with the corresponding value in Coq.

Proof. Assume that the extraction process behaves correctly for expressions that do not contain fixp. We reason by induction on the number of execution steps in the execution of fix f' a'. When executing fix f' a', the first steps lead to execution of f' (fun y → fix f' y) a, and the subsequent steps concern execution of a and f'. Any execution of a fix expression occurring in f' or a uses fewer steps, so that these executions behave as predicted by the corresponding fixp expression in the Coq model. Moreover, execution of (fun y → fix f' y) e has the same behaviour as execution of fix f' e. Together with the assumption that the extracted code in f' and a' outside of fix expressions behaves as expected, the latter consideration ensures the property.

The extracted code can be improved in two ways, based on a few basic observations. In our model of recursive functions, the value Undef is only used for functions that are undefined because they fail to terminate (and hence Undef expresses divergence). We say that a Coq expression contains a spontaneous divergence if it contains an instance of Undef which is not encapsulated inside a pattern-matching construct on the type partial, or if it appears in any of the parts e and e2 of a pattern matching construct of the following shape:

  match e with Undef ⇒ e1 | Def _ ⇒ e2 end

In our approach to modelling recursive functions, the functions we produce in Coq always satisfy the property that they contain no spontaneous divergence. We can also assume that programs extracted to OCaml or Haskell inherit the corresponding property from the initial Coq functions. We will now discuss optimisations that can be performed for this class of programs.

We have the following result:

Theorem 4. If an expression e contains no spontaneous divergence then its value can never be the value Undef.

Proof. One proves the statement by induction on the length of an execution of e. The only sub-expressions that can produce the value Undef are the Undef expressions that appear in the Undef branch of a pattern-matching construct. In the pattern-matching construct, the matched expression also has the property of containing no spontaneous divergence and one can therefore use the induction hypothesis.

We verified a formal Coq model of this proof in the context of the Mini-ML language [12] extended with a data-type representing the type partial and the corresponding pattern-matching construct [7].

If values Undef can never be produced then the operations of encapsulating expressions inside the constructor Def and the operations of removing the constructor Def done by pattern-matching seem to be useless. They can be deleted from the program, and the type partial can be deleted from the program. In other words, every instance of Def e can be replaced with e and every instance of the construct

  match e with Undef ⇒ e1 | Def x ⇒ e2

can be replaced with let x = e in e2. In what follows, we denote by e′ the result of the transformation of e.

Theorem 5. If e is an expression containing no spontaneous divergence and the value of executing e is v then the value of executing e′ is v′.

As in Theorem 4, the statement can be proved by induction on the length of an execution of e. We actually prove a more general statement which also includes the environments in which e and e′ are executed: we need to assume that the expression e is executed in an environment ρ and the expression e′ is executed in an environment ρ′, so that the value associated to each variable in ρ′ is obtained by applying the transformation to the corresponding value in ρ.

For example, if the value of e is Def 3 then the value of e′ is 3. If e is fun x → Def a, and the current environment binds a with Def 3 and b with 4, then the value of e is the closure that can be written

  ⟨fun x → Def a, (a, Def 3) · (b, 4)⟩

In this case, e′ is fun x → a, the transformed environment binds a with the value 3 and b with 4, and the result of the evaluation of e′ is

  ⟨fun x → a, (a, 3) · (b, 4)⟩

The two most important cases of the proof concern transformations of e:

1. If e has the form Def e1 then e1 also contains no spontaneous divergence, and we can use the induction hypothesis on the evaluation of e1. Hence if v1 is the value of e1, the value of e1′ is v1′. But in this case, we have e′ = e1′ and the value of e is Def v1. However, we obviously have (Def v1)′ = v1′, which justifies the result.

′ Finally, the required least fixed point of cont mu is defined then e is the expression automatically as fixp cont mu.

′ ′ let x = e1 in e2 The syntax of Fcpo Function is the following:

If v1 is the value of e1, we know that v1 necessarily has Fcpo Function ident [binder 1 [... binder n]] : the shape Def w for some w, because e1 contains no term 1 := term 2 spontaneous divergence and therefore the result cannot be Undef. Therefore the result of evaluating e is the result of evaluating e2 in the environment (x, Def w) · where term 1 is a type with target partial A, for A a type. ρ. We call this value v2. By induction hypothesis on the evaluation of e1, we have that the result of ′ ′ ′ ′ This command is compatible with the standard Coq extrac- evaluating e1 is v1 = (Def w) = w . Hence the result ′ ′ ′ tion procedure augmented by the two extraction constants, of evaluating e is the result of evaluating e2 in (x, w )· ′ ′ as we described in Section 6. ρ = ((x, Def w) · ρ) . By induction hypothesis, this ′ evaluation yields v2. There are a few features that are now in development stage:

A model of this proof was formally verified using the Mini- 1. Comprehensive automation of monotonicity and con- ML description of the language. This proof is available in tinuity proofs. [7]. 2. Elimination of the cpo structure from the extracted The extracted code of the mu function can be optimised code. according to Theorem 5 as shown in Figure 3. Thus we have eliminated the type partial from the code. Occurrences 3. Techniques that allow to hide partial from the user of of Obj.magic still remain as traces of coercions that appear the command. Such techniques would exclude the pos- in the Coq code for mu. All these occurrences can be safely sibility of encoding, for instance, a proof for the halting erased from the code. problem. In fact, hiding techniques would require full proof automa- In one of our experiments [5], we defined the semantics of tion as well since otherwise one would still need to work at a small programming language in the spirit of [22, 30]. We the level of partial types during the work on proof obligations used the Knaster–Tarski fixed point theorem to describe the generated by the command. semantics of while loops as suggested in [30]. Then we were able to prove that when a value is returned, the same com- putation can be modelled by a natural semantics deriva- 8. RELATED WORK tion, using an encoding of the natural semantics based on an inductive predicate. This reproduces a similar formalised The work described here contributes to all the work that was proof in [23]. Once extracted to ML, this gives a certified done to ease the description and formal proofs about general interpreter for the language. recursive functions. A lot of effort was put into providing relevant collections of inductive types with terminating com- In an early version of the Calculus of Constructions, formali- putation derived from the notion of primitive recursion [10, sations of the Knaster–Tarski least fixed point theorem were 25, 2]. 
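As an added example (not code from the paper or its Coq development), the following OCaml fragment spells out what the Fcpo Function definition of mu and the optimisation of Figure 3 amount to once extracted: the type partial with the unoptimised mu, the version obtained after the e → e′ transformation with the Obj.magic coercions and the cpo argument of fixp erased, and the fixed point combinator as the computational content of fixp. The names fixp, mu_partial, mu_opt and is_sqrt_floor, and the test function, are this example's own assumptions.

```ocaml
(* Added example, not from the paper's development: the extracted mu
   before and after the Theorem 5 optimisation. *)

(* The flat cpo of partial values as it is extracted from Coq. *)
type 'a partial = Undef | Def of 'a

(* Computational content of fixp: the plain fixed point combinator.  The
   cpo argument (funcpo (funcpo flat_cpo) in Figure 3) carries no
   computation and is dropped here. *)
let rec fixp (f : ('a -> 'b) -> 'a -> 'b) : 'a -> 'b =
  fun x -> f (fixp f) x

(* Unoptimised extraction of the Fcpo Function definition of mu from
   Section 7: the functional still matches on the type partial. *)
let mu_partial (f : 'a -> int -> int partial) : 'a -> int -> int partial =
  fixp (fun mu x y ->
    match f x y with
    | Undef -> Undef
    | Def 0 -> Def y
    | Def _ -> mu x (y + 1))

(* After the e -> e' transformation: Def e1 becomes e1', and the match on
   partial disappears because e1 contains no spontaneous divergence.
   This is Figure 3 with Obj.magic and the cpo argument erased, and with
   f returning nat directly, as in its type ('a1 -> nat -> nat). *)
let mu_opt (f : 'a -> int -> int) : 'a -> int -> int =
  fixp (fun mu x y ->
    match f x y with
    | 0 -> y
    | _ -> mu x (y + 1))

(* Constructed test function (assumption of this example): f x y = 0
   exactly when (y + 1)^2 > x, so mu x 0 is the integer square root of x,
   the least y with y^2 <= x < (y + 1)^2. *)
let is_sqrt_floor (x : int) (y : int) : int =
  if (y + 1) * (y + 1) > x then 0 else 1

let () =
  (* Both versions agree whenever f is total. *)
  assert (mu_opt is_sqrt_floor 17 0 = 4);
  assert (mu_partial (fun x y -> Def (is_sqrt_floor x y)) 17 0 = Def 4);
  (* A spontaneously divergent f is what the transformation excludes:
     mu_partial returns Undef, while mu_opt has no value to return at all. *)
  assert (mu_partial (fun _ _ -> Undef) 17 0 = Undef);
  (* If no y satisfies f x y = 0, both versions loop forever: this is the
     potential non-termination the paper models, not an error. *)
  print_endline "mu examples ok"
```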
8. RELATED WORK

The work described here contributes to all the work that was done to ease the description and formal proofs about general recursive functions. A lot of effort was put into providing relevant collections of inductive types with terminating computation derived from the notion of primitive recursion [10, 25, 2]. In particular, it was shown that the notion of accessibility or noetherian induction could be described using an inductive predicate in [24]. This accessibility predicate makes it possible to encode well-founded recursion when one can prove that all elements of the input type satisfy the accessibility predicate for a well-chosen relation (such a relation is called well-founded). If it is not true that all elements are accessible (or if one cannot exhibit a well-founded relation that suits the function being defined), the recursive function may still be defined but have well-defined values only for the elements that can be proved to be accessible. This idea was further refined in [14, 8], where termination is not described using an accessibility predicate, but directly with an inductive predicate that actually describes exactly those inputs for which the function terminates. As a result, formal developers still need to prove that a potentially non-terminating function is only used when termination is guaranteed, and extracted programs inherit the termination guarantee. By contrast, the approach of this paper relieves the developer from the burden of proving termination and does not guarantee it either, which can be useful for some applications, like interpreters for Turing-complete languages (where termination is undecidable) or functions for which potential non-termination is an accepted defect.

There are analogous techniques that also do not require a termination proof. One such method is the Prop-bounded recursion based on a coinductive monad [20, 9]. In this method the coinductive type permits representing infinitely long computations as (potentially) infinitely large objects of coinductive types. One is also able to write a function that directly refers to itself, which would be incompatible with, e.g., Fixpoint due to syntactic restrictions. However, the method of [20] requires the JMeq axiom of Coq.

Another work [4, 6] attempts to provide tools that stay closer to the level of expertise of programmers in conventional functional programming. The key point is to start from the recursive equation and to generate the recursive function definition from this equation. Users still need to prove that the recursive calls happen on predecessors of the initial input for a chosen well-founded relation, but these requirements appear as proof obligations that are generated as a complement of the recursive equation. The tool produces the recursive function and a proof of the recursive equation. Again, this approach is restricted to total functions, but we plan to follow this work as inspiration to provide a similar tool where users can describe their program in a language that is as close as possible to a conventional programming language.

In an early version of the Calculus of Constructions, formalisations of the Knaster–Tarski least fixed point theorem were also used to show how inductive definitions could be encoded directly in the pure (impredicative) Calculus of Constructions [17]. In this respect, it is also worthwhile to mention that [16] shows how this theorem can be used to give a definitional justification of inductive types in higher-order logic.

In this paper, we formalised only the minimal amount of domain theory, just enough to make it possible to define simple potentially non-terminating functions and perform basic reasoning steps on these functions. More complete studies of domain theory were performed in the LCF system [28]. It was also formalised in Isabelle's HOL instantiation to provide a package known as HOLCF [29, 21]. We believe these other experiments can give us guidelines for improvements.

Our effort to formalise optimisations of the extracted code should also be compared with efforts done to give a formal description of the extraction procedure, as studied by Letouzey and Glondu [15].

9. CONCLUSION

There is a popular belief that type-theory based proof tools can only be used to reason about functions that are total and terminating for all inputs, because termination of reductions is needed to ensure the consistency of the systems in question. The major aim of this paper is to provide yet another way to model potentially non-terminating functions. Our inspiration comes from the Knaster–Tarski least fixed point theorem.

Our contributions can be summarised as follows.

First, we formalised a domain theory based on the notion of a preorder and equipped it with flat cpos. This work is analogous to Isabelle/HOLCF and allows one to provide potentially non-terminating functions with a least fixed point semantics in Coq.

Second, we provided arguments in favour of our claim that the fixed point combinator is the right computational value for the Knaster–Tarski theorem and should therefore be used for extraction of functional programs from Coq.

Third, we used two extraction axioms (excluded middle and computational definite description) in the course of extraction and obtained a powerful way to represent in Coq potentially non-terminating functions and reason about them.

Acknowledgements

Benjamin Werner and Hugo Herbelin played a significant role in understanding what form of the axioms of classical logic provide safe extensions of the Calculus of Inductive Constructions. This work also benefited from early experiments by Kuntal Das Barman and suggestions by Peter Aczel. The first author also wishes to remember the late Gilles Kahn, who started work on formalising domain theory in the context of the Calculus of Inductive Constructions in 1996 [18].

10. REFERENCES

[1] S. Abian and A. B. Brown. A theorem on partially ordered sets with applications to fixed point theorems. Canadian J. Math., 13:78–82, 1961.
[2] P. Aczel. An introduction to inductive definitions. In J. Barwise, editor, Handbook of Mathematical Logic, volume 90 of Studies in Logic and the Foundations of Mathematics. North Holland, 1977.
[3] R. C. Backhouse. Fixed point calculus. In R. C. Backhouse, R. Crole, and J. Gibbons, editors, Algebraic and Coalgebraic Methods in the Mathematics of Program Construction, volume 2297 of LNCS. Springer-Verlag, 2002.
[4] A. Balaa and Y. Bertot. Fonctions récursives générales par itération en théorie des types. In Journées Francophones pour les Langages Applicatifs, Jan. 2002.
[5] Y. Bertot. Theorem proving support in programming language semantics, 2007. http://hal.inria.fr/inria-00160309.
[6] Y. Bertot and P. Castéran. Interactive theorem proving and program development, Coq'Art: the calculus of inductive constructions. Texts in Theoretical Computer Science: an EATCS series. Springer-Verlag, 2004.
[7] Y. Bertot and V. Komendantsky. Proofs on domain theory and partial recursion, 2008. http://www-sop.inria.fr/marelle/Yves.Bertot/tarski.html.
[8] A. Bove. General recursion in type theory. In H. Geuvers and F. Wiedijk, editors, Types for Proofs and Programs, International Workshop TYPES 2002, The Netherlands, number 2646 in Lecture Notes in Computer Science, pages 39–58, March 2003.
[9] A. Bove and V. Capretta. Computation by prophecy. In S. R. D. Rocca, editor, Typed Lambda Calculi and Applications, 8th International Conference, TLCA 2007, Paris, France, June 26-28, 2007, Proceedings, volume 4583 of Lecture Notes in Computer Science, pages 70–83. Springer, 2007.
[10] J. Camilleri and T. Melham. Reasoning with inductively defined relations in the HOL theorem prover. Technical report, University of Cambridge, 1992.
[11] L. Chicli, L. Pottier, and C. Simpson. Mathematical quotients and quotient types in Coq. In H. Geuvers and F. Wiedijk, editors, Types for Proofs and Programs, number 2646 in LNCS, pages 95–107. Springer, 2003.
[12] D. Clément, J. Despeyroux, T. Despeyroux, and G. Kahn. A simple applicative language: Mini-ML. In Proceedings of the 1986 ACM Conference on Lisp and Functional Programming, Aug. 1986.
[13] Coq development team. The Coq Proof Assistant Reference Manual, version 8.0, 2004.
[14] C. Dubois and V. V. Donzeau-Gouge. A step towards the mechanization of partial functions: domains as inductive predicates, July 1998. www.cs.bham.ac.uk/~mmk/cade98-partiality.
[15] S. Glondu. Garantie formelle de correction pour l'extraction Coq, 2007. http://stephane.glondu.net/rapport.2007.pdf.
[16] J. Harrison. Inductive definitions: Automation and application. In P. J. Windley, T. Schubert, and J. Alves-Foss, editors, Higher Order Logic Theorem Proving and Its Applications: Proceedings of the 8th International Workshop, volume 971 of Lecture Notes in Computer Science. Springer-Verlag, 1995.
[17] G. Huet. Induction principles formalized in the calculus of constructions. In TAPSOFT'87, volume 249 of LNCS, pages 276–286. Springer, 1987.
[18] G. Kahn. Elements of constructive geometry group theory and domain theory, 1995. Available as a Coq user contribution at http://coq.inria.fr/contribs-eng.html.
[19] P. Letouzey. A new extraction for Coq. In H. Geuvers and F. Wiedijk, editors, TYPES 2002, volume 2646 of Lecture Notes in Computer Science. Springer-Verlag, 2003.
[20] A. Megacz. A coinductive monad for prop-bounded recursion. In A. Stump and H. Xi, editors, Proceedings of the ACM Workshop Programming Languages meets Program Verification, PLPV 2007, pages 11–20, New York, NY, USA, 2007. ACM.
[21] O. Müller, T. Nipkow, D. v. Oheimb, and O. Slotosch. HOLCF = HOL + LCF. Journal of Functional Programming, 9:191–223, 1999.
[22] H. R. Nielson and F. Nielson. Semantics with Applications: A Formal Introduction. Wiley, 1992.
[23] T. Nipkow. Winskel is (almost) right: towards a mechanized semantics textbook. Formal Aspects of Computing, 10:171–186, 1998.
[24] B. Nordström. Terminating general recursion. BIT, 28:605–619, 1988.
[25] C. Paulin-Mohring. Inductive Definitions in the System Coq - Rules and Properties. In M. Bezem and J.-F. Groote, editors, Proceedings of the conference Typed Lambda Calculi and Applications, number 664 in Lecture Notes in Computer Science, 1993. LIP research report 92-49.
[26] C. Paulin-Mohring. A constructive for Kahn networks in Coq, 2007. http://www.lri.fr/~paulin/PUBLIS/paulin07kahn.pdf.
[27] C. Paulin-Mohring and B. Werner. Synthesis of ML programs in the system Coq. Journal of Symbolic Computation, 15:607–640, 1993.
[28] L. C. Paulson. Logic and computation, Interactive proof with Cambridge LCF. Cambridge University Press, 1987.
[29] F. Regensburger. HOLCF: Higher order logic of computable functions. In P. J. Windley, T. Schubert, and J. Alves-Foss, editors, Higher Order Logic Theorem Proving and Its Applications: Proceedings of the 8th International Workshop, volume 971 of Lecture Notes in Computer Science. Springer-Verlag, 1995.
[30] G. Winskel. The Formal Semantics of Programming Languages, an introduction. Foundations of Computing. The MIT Press, 1993.