Fixed point semantics and partial recursion in Coq Yves Bertot, Vladimir Komendantsky To cite this version: Yves Bertot, Vladimir Komendantsky. Fixed point semantics and partial recursion in Coq. PPDP 2008, Jul 2008, Valencia, Spain. inria-00190975v8 HAL Id: inria-00190975 https://hal.inria.fr/inria-00190975v8 Submitted on 15 Apr 2008 (v8), last revised 24 Jul 2008 (v11) HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Fixed point semantics and partial recursion in Coq ∗ Yves Bertot Vladimir Komendantsky INRIA Sophia Antipolis INRIA Sophia Antipolis France France [email protected] [email protected] ABSTRACT and that the function being considered is continuous. If the We propose to use the Knaster–Tarski least fixed point theo- goal is to define a partial recursive function then this requires rem as a basis to define recursive functions in the Calculus of using axioms of classical logic, and for this reason the step Inductive Constructions. This widens the class of functions is seldom made in the user community of type-theory based that can be modelled in type-theory based theorem prov- theorem proving. However, the constructive prejudice is not ing tools to potentially non-terminating functions. This is a necessity: adding classical logic axioms to the constructive only possible if we extend the logical framework by adding logic of type theory can often be done safely to retain the some axioms of classical logic. We claim that the extended consistency of the whole system. framework makes it possible to reason about terminating or non-terminating computations and we show that extraction In this paper, we work in classical logic to reason about po- can also be extended to handle the new functions. tentially non-terminating recursive functions. No inconsis- tency is introduced in the process, because potentially non- 1. INTRODUCTION terminating functions of type A → B are actually model-ed For theoretical computer scientists, the Knaster–Tarski least as functions of type A → B⊥: the fact that a function may fixed point theorem, as well as its application – the first fixed not terminate is recorded in its type, non-terminating com- point theorem of Kleene [30], is a firm theoretical ground to putations are given the value ⊥ which is distinguished from assert the existence of objects defined by recursive equations. all the regular values, and one can reason classically about These objects can be inductive types or recursive functions the fact that a function terminates or not. This is obviously as in [17, 16]. We consider the following generalised state- non-constructive but does not introduce any inconsistency. ment of the Knaster–Tarski theorem [1]: One of the advantages of type-theory based theorem proving is that actual programs can be derived from formal models, Theorem 1 (Knaster–Tarski; complete p.o.). Given with guarantees that these programs satisfy properties that a monotone function f on a chain-complete partial order, are predicted in formally verified proofs. This derivation consider the following transfinite sequence: process, known as extraction [27, 19], performs a cleaning xo = ⊥ operation so that all parts of the formal models that cor- respond to compile-time verifications are removed. The ex- xα+1 = f(xα) tracted programs are often reasonably efficient. In this pa- xβ = the least upper bound of the chain {f(xα)}α<β per, we also show that extraction can accommodate the new if β is a limit ordinal. class of potentially non-terminating functions. The function f has a least fixed point. Moreover, if f is When axioms are added to the logical framework, three cases continuous then the least fixed point is obtained in at most may occur: first, the new axioms may make the system in- ω iterations. consistent; second, the new axioms may be used only in the part of the models that is cleaned away by the extraction To use this theorem, one should be able to express that the process; third, the axioms may be used in the part that domain of interest has the required completeness property becomes included into the derived programs. There is no ∗ need to discuss the first case which should be avoided at This work is partially supported by the French ANR all costs. In the second case, the extraction process still project CompCert produces a consistent program, with the same guarantee of termination even if this guarantee relies on classical logic reasoning steps. In the third case, the added axiom needs to be linked to a computation process that implements the be- inria-00190975, version 8 - 15 Apr 2008 haviour predicted by the axiom. We claim that this can be done safely if the Knaster–Tarski least fixed point theorem is given a sensible computational content. Kleene’s least fixed point theorem can be used to justify the ord preorder existence of recursive functions, because these functions can cpo (pointed) complete preorder, cpo o be described as the least fixed point of the functional that → preordered function space m arises in their recursive equation. However, it is necessary → preordered monotonic function space c to ensure that the function space has the properties of a → preordered continuous function space complete partial order and that the functional is continuous. O → function cpo These facts can be motivated using a simple development of M basic domain theory. With the help of the axiom of definite → monotonic function cpo C description, this theorem can be used to produce a function, → continuous function cpo which we shall call fixp, that takes as argument a continuous nat ord natural numbers ordered by ≤ m function and returns the least fixed point of this function. chain O nat ord→O When the argument of fixp is a functional, the least fixed M chaincpo D nat ord→D point is a recursive function, which can then be combined o (preordered) function application with other functions to build larger software models. m monotonic function application c continuous function application With respect to extraction, we also suggest a few improve- @ monotonic function composition ments to the extraction process that should help making @@ continuous function composition sure that fairly efficient code can be obtained automatically ==O derived equality on the preorder O from the formal models studied inside our extension of the Calculus of Inductive Constructions. Figure 1: Notation From the formal proof point of view, the Knaster–Tarski least fixed point theorem provides us with two important order” as “cpo”, following the convention in [26], and we properties of the function it produces. The first property is systematically omit the word “pointed”. In Figure 1, we that the obtained function satisfies the fixed point equation. summarise some useful notation. The importance of fixed point equations is straightforward [3] and was already described by the first author in [4]. This We define the following inductive type which turns out to fixed point equation is useful when we want to prove proper- be equivalent to the standard option type of Coq: ties of the function, for instance, that under some conditions it is guaranteed to terminate. The second property is that the least fixed point is obtained in at most ω iterations. As Inductive partial (A : Type) : Type := a result, we can reason by induction on the length of compu- Def : A → partial A | Undef : partial A. tations, thus providing a poor man’s approximation of what is called fixed point induction in [30]. This possibility allows The type partial is introduced in order to provide hiding to prove properties of the function result when it exists, and mechanisms that would prevent the user of our library to can also be used to prove that under some conditions a func- encode a classical proof of the halting problem using the tion fails to terminate. standard option type of Coq. In this paper, we give an overview of our basic formalisa- The flat preorder on a type A is defined by specifying a tion of domain theory. Then, we show how this theory can binary relation ≤partial A such that, for x y : A, x ≤partial A y be used in the definition of simple recursive functions. We iff x = y or x = Undef. We denote this flat preorder by give examples with proofs about recursive functions. We &ord A. discuss extraction and execution of the recursive programs that are obtained in this way. Related work and possibili- Lifting of the flat preorder to a flat cpo requires a non- ties for further work are reviewed at the end of the paper. constructive definition for the lub function. Namely, using All the experiments described in this paper were done with the excluded middle law of classical propositional logic we Coq [13, 6] and can be found in the Internet from the first can prove ≤&ord A being complete in a sense that, for each author’s web page [7]. chain c on &ord A, there exists an x such that ∀n, c n ≤&ord A x and ∀y, (∀n, c n ≤&ord A y) → x ≤&ord A y, which proves 2. DOMAIN-THEORETIC CONSTRUCTIONS the two laws for the required least upper bound function. Our domain-theoretic development, found at [7], comprises Since we can prove that this least upper bound is unique, basic ideas of domain theory built on the notion of a pre- using the classical definite description axiom: order, that is a theory of (pointed) complete preorders [26].