Stop when you are Almost-Full
Adventures in constructive termination

Dimitrios Vytiniotis, Microsoft Research, Cambridge
Thierry Coquand, David Wahlstedt, University of Gothenburg
February 2012
Program termination: big success stories
• Termination testing with well-quasi-orders (WQOs)
  • Online testing in super-compilation [Sorensen & Glück, Bolingbroke et al.]
  • Well known & widely used in term rewrite systems [see Leuschel’s survey, Nipkow’s book]
• Proving termination using disjunctive well-foundedness
  • Rybalchenko and Podelski – using Ramsey’s theorem
  • Led to industrial-strength tools: Terminator [Cook et al.]
• Proving termination with size-change termination (SCT)
  • N. Jones, Sereni, Bohr and others
  • Comparable “strength” to Terminator [Heizmann et al.]
A striking observation (for the outsiders): similar soundness proofs, proof strength, and automation capabilities, but developed independently …
This work
• Explains the common theoretical foundation for the aforementioned success stories in a uniform way, and purely constructively inside Type Theory
• Proposes an alternative way for writing recursive definitions in Type Theory and Coq, resurrecting an old idea, that of almost-full relations
• Shows how Terminator and SCT can be proved and used intuitionistically inside Coq
• Offers a modular toolkit to Coq programmers to use the power of these techniques in their scripts and easily show programs from the Terminator and SCT repertoire terminating …
The three communities … actually four
• Termination testing with well-quasi-orders
  • Online testing in super-compilation, term rewrite systems
• Proving termination using disjunctive well-foundedness
  • Rybalchenko and Podelski, Cook …
• Proving termination with size-change termination
  • N. Jones, Sereni, Bohr …
• Mathematicians and computer scientists working on Intuitionistic Ramsey Theory in the 90’s: Veldman, Bezem, Coquand, Fridlender, Berghofer …
Well-Quasi-Orders (WQOs)
Definition [Well-Quasi-Order]: A binary relation (R : X -> X -> Prop) on a set X is WQO when:
(i) it is transitive, and
(ii) for every infinite sequence there exist two elements, an earlier and a later one, related by R
Example: (le) on nat: 10 7 6 4 1 5 4 3 3 3 3 3 …
Online termination testing with WQOs
Definition [Well-Quasi-Order]: A binary relation (R : X -> X -> Prop) on a set X is WQO when:
(i) it is transitive, and
(ii) for every infinite sequence there exist two elements, an earlier and a later one, related by R
Recall example: (le) on nat: 10 7 6 4 1 5 4 3 3 3 3 3 …
Input is a WQO on “program states”.
Basic idea: keep track of all “observed states of the program so far”. When a new program state comes in, check that no old state is R-related to it. Every infinite sequence has two related values, so this cannot go on for ever!
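The checker just described, as an added Python example (not code from the talk or its Coq development): a `Whistle` keeps every observed state and rejects a new one as soon as some earlier state is `leq`-below it. It is run on the slide's sequence with (le) on nat and, going beyond the slide, on pairs of naturals under the componentwise order, which is also a WQO. `Whistle`, `run_until_whistle`, `le_nat`, `le_pair` and the pair sequence are this example's own names and constructed data.

```python
from typing import Callable, Generic, Iterable, List, Optional, Tuple, TypeVar

S = TypeVar("S")


class Whistle(Generic[S]):
    """Online termination test over a quasi-order `leq` (assumed decidable and WQO).
    Every observed state is kept; a new state is rejected as soon as some earlier
    state is leq-below it, which is exactly the check the slide describes."""

    def __init__(self, leq: Callable[[S, S], bool]) -> None:
        self.leq = leq
        self.history: List[S] = []

    def observe(self, state: S) -> Optional[Tuple[int, int]]:
        """Record the state and return None if it may be admitted; otherwise return
        the positions (i, j), i < j, of an earlier state i that is leq-below the new state j."""
        j = len(self.history)
        for i, old in enumerate(self.history):
            if self.leq(old, state):
                return (i, j)
        self.history.append(state)
        return None


def run_until_whistle(states: Iterable[S], leq: Callable[[S, S], bool]) -> Optional[Tuple[int, int]]:
    """Feed states in order and stop the first time the whistle blows."""
    w: Whistle[S] = Whistle(leq)
    for s in states:
        hit = w.observe(s)
        if hit is not None:
            return hit
    return None  # only reachable for a finite input: an infinite sequence must blow


def le_nat(a: int, b: int) -> bool:
    return a <= b


def le_pair(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    # componentwise order on nat * nat, a WQO (the product combinator later in the talk)
    return a[0] <= b[0] and a[1] <= b[1]


SLIDE_SEQUENCE = [10, 7, 6, 4, 1, 5, 4, 3, 3, 3, 3, 3]            # from the slide
PAIR_SEQUENCE = [(3, 0), (2, 1), (1, 2), (0, 3), (2, 2), (0, 0)]  # constructed


if __name__ == "__main__":
    print(run_until_whistle(SLIDE_SEQUENCE, le_nat))   # (3, 5): 4 <= 5
    print(run_until_whistle(PAIR_SEQUENCE, le_pair))   # (1, 4): (2, 1) <= (2, 2)
    print(run_until_whistle([5, 4, 3, 2, 1], le_nat))  # None: finite and strictly decreasing
```

The history scan is linear in the number of states seen so far, so the checker costs quadratic time over a run; what the WQO property buys is the guarantee that the run is finite, not a bound on its length.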
WQO--: Intuitionistic Almost-Full Relations

Inductive WFT (X : Set) : Set :=
| ZT : WFT X
| SUP : (X -> WFT X) -> WFT X.

Fixpoint SecureBy (X:Set) (R:X->X->Prop) (p:WFT X) : Prop :=
  match p with
  | ZT => forall x y, R x y
  | SUP p => forall x, SecureBy (fun y z => R y z \/ R x y) (p x)
  end.

Well-founded trees represent winning strategies:
• Either I have won (ZT), or
• The context is giving me an (x:X) and I am making a new move by picking a new (WFT X) to play on (SUP)!
But of which game? Let’s take the game that says: I’ve won if every infinite sequence contains two related elements.
Intuitionistic Almost-Full Relations

Inductive WFT (X : Set) : Set :=
| ZT : WFT X
| SUP : (X -> WFT X) -> WFT X.

Fixpoint SecureBy (X:Set) (R:X->X->Prop) (p:WFT X) : Prop :=
  match p with
  | ZT => forall x y, R x y
  | SUP p => forall x, SecureBy (fun y z => R y z \/ R x y) (p x)
  end.

Definition almost_full (X:Set) (R:X->X->Prop) := exists p, SecureBy R p.

An almost-full relation (AF) is one that is SecureBy a well-founded tree!
Inductively defining all possible choices
(WFT and SecureBy as defined above.)
Suppose that we are given:
  p := SUP (fun x => SUP (fun x => SUP (fun x => SUP (fun x => ZT))))
  SecureBy R p
What does that mean for a sequence?
Example: all possible choices
  p := SUP (fun x => SUP (fun x => SUP (fun x => SUP (fun x => ZT))))
  SecureBy R p
Building up intuitions
(WFT and SecureBy as defined above.)
Lemma: If (SecureBy R p) then every infinite sequence has two elements related by R.
Proof by induction on p, two cases:
• ZT: done, just take the first two elements of the sequence
• SUP q: consider the first element x and the WFT (q x). By induction there exist y and z in the rest of the sequence such that R y z or R x y, so we are done again!
AF relations vs WQOs
Definition [Well-Quasi-Order]: A binary relation (R : X -> X -> Prop) on a set X is WQO when:
(i) it is transitive, and
(ii) for every infinite sequence there exist two elements, an earlier and a later one, related by R
An AF relation satisfies (ii) intuitionistically
• NB: (ii) (and not our definition) is what Bezem & Veldman called an AF relation (and postulated bar induction to show an intuitionistic version of Ramsey’s theorem)
(i) we are going to forget about – not needed!
NB: we can’t intuitionistically prove a relation AF from (ii)
• Bezem and Veldman give a counterexample which relies on the consistency of type theory and Church’s thesis.
• But that’s OK! AF relations now can be used for induction!
Getting AF from well-founded (WF) relations

(* Well-founded relations in Coq *)
Inductive Acc (A:Type) (R:A->A->Prop) (x:A) : Prop :=
  Acc_intro : (forall y, R y x -> Acc R y) -> Acc R x.
Definition well_founded A (R:A->A->Prop) := forall a, Acc R a.

Lemma (af_from_wf): If R is a decidable WF relation then (fun x y => not (R y x)) is AF.
Proof sketch (building the tree):
• Introduce: SUP to check the next element y; know: Acc R x
• Split on the decidable R y x:
  • R y x: recurse on (Acc R y)
  • not (R y x): return ZT
The crux: WF from AF

Lemma wf_from_af: forall (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop),
  (forall x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.

Think of T:X->X->Prop, the “transition relation” of the program, which relates all adjacent values in a trace (T+ is the transitive closure of T).
Let be a WQO. The WQO-based checker effectively implements: (T+) =
Can we state and prove something like that using AF relations?
WF from AF

Lemma wf_from_af: forall (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop),
  (forall x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.

Theorem af_induction: forall (X:Set) (T R:X->X->Prop),
  almost_full R ->
  (forall x y, T+ x y /\ R y x -> False) ->
  forall (P : X -> Set), (forall x, (forall y, T y x -> P y) -> P x) -> forall a, P a.

User obligation 1: Provide transition relation T
User obligation 2: Provide an AF relation R
User obligation 3: Prove intersection emptiness
NB: there’s an easier way

Lemma wf_from_wqo: forall (X:Set) (p:WFT X) (R:X->X->Prop),
  transitive R -> SecureBy R p -> well_founded (fun x y => R x y /\ not (R y x)).

Think R := ()
So?
af_induction: 3 proof obligations
• Give transition relation
• Give AF relation and prove that it’s AF
• Show intersection emptiness
wf_induction: just 2 proof obligations
• Give transition relation
• Plus a proof that the transition relation is well-founded
So, is there anything we’ve gained at the end of the day?
Composability
Much like WQOs, AF relations compose well. It’s a very well-behaved class of relations. Some warming up:

well_founded R -> decidable R -> almost_full (fun x y => not (R y x))
(forall x y, A x y -> B x y) -> almost_full A -> almost_full B
almost_full A -> almost_full (fun x y => A x y \/ B x y)
almost_full A -> almost_full (fun x y => A (f x) (f y))
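Three things from the preceding slides in one added Python example, which is not part of the talk's Coq development: the reading of a WFT as a strategy (the lemma "if SecureBy R p then every infinite sequence has two elements related by R"), the af_from_wf construction, and the last composition combinator above. Trees are `ZT` or a `SUP` holding its continuation; `af_from_wf` builds the tree for `fun x y => not (lt y x)` by the case split of the proof sketch; `lift` is the tree for `fun x y => A (f x) (f y)`; and `find_related` plays a tree against an infinite sequence and returns the positions of two related elements, which is the computational content of the lemma. All names, and the two sequences, are constructed here.

```python
from itertools import chain, repeat
from typing import Callable, Iterator, List, Tuple, TypeVar

X = TypeVar("X")
Y = TypeVar("Y")

# WFT X ::= ZT | SUP (X -> WFT X).  ZT is a sentinel; SUP keeps the continuation.
ZT = None


class SUP:
    __slots__ = ("f",)

    def __init__(self, f):
        self.f = f  # the context's move: next element in, sub-tree out


def af_from_wf(lt: Callable[[X, X], bool]):
    """Tree securing (fun x y => not (lt y x)) for a decidable well-founded lt,
    mirroring the proof sketch: SUP to see the next element, then split on lt."""
    def acc(x):
        # At Acc lt x: if the next element y is below x, recurse on Acc lt y;
        # otherwise not (lt y x) already holds and the tree may stop.
        return SUP(lambda y: acc(y) if lt(y, x) else ZT)
    return SUP(acc)


def lift(tree, f: Callable[[Y], X]):
    """Tree securing (fun x y => A (f x) (f y)) from a tree securing A."""
    if tree is ZT:
        return ZT
    return SUP(lambda y: lift(tree.f(f(y)), f))


def find_related(tree, R: Callable[[X, X], bool], seq: Iterator[X]) -> Tuple[int, int]:
    """Play `tree` against an infinite sequence.  Each SUP consumes one element.
    At ZT the accumulated relation
        R y z  \/  R x_i y (some consumed x_i)  \/  R x_i x_j (consumed, i < j)
    holds for all y, z, so instantiating y, z with the next two elements
    guarantees a related pair inside the consumed prefix.  Returns (i, j), i < j."""
    seen: List[X] = []
    while tree is not ZT:
        x = next(seq)
        seen.append(x)
        tree = tree.f(x)
    seen.append(next(seq))  # y
    seen.append(next(seq))  # z
    for i in range(len(seen)):
        for j in range(i + 1, len(seen)):
            if R(seen[i], seen[j]):
                return (i, j)
    raise AssertionError("tree does not secure R")  # unreachable for a correct tree


def lt_nat(a: int, b: int) -> bool:
    return a < b


def le_nat(a: int, b: int) -> bool:
    return a <= b


def demo_nat() -> Tuple[int, int]:
    # the slide's sequence, continued with 3s (constructed continuation)
    seq = chain([10, 7, 6, 4, 1, 5, 4, 3], repeat(3))
    return find_related(af_from_wf(lt_nat), le_nat, iter(seq))


def demo_pairs() -> Tuple[int, int]:
    # pairs compared on their first component only (constructed sequence)
    seq = chain([(3, 9), (2, 0), (5, 1)], repeat((0, 0)))
    tree = lift(af_from_wf(lt_nat), lambda p: p[0])
    return find_related(tree, lambda a, b: a[0] <= b[0], iter(seq))


if __name__ == "__main__":
    print(demo_nat())    # (3, 5): 4 <= 5
    print(demo_pairs())  # (0, 2): 3 <= 5
```

On the slide's sequence the tree descends 10, 7, 6, 4, 1 and stops at 5 (5 is not below 1), so the prefix consumed by the strategy is exactly the prefix at which the online checker of the earlier slide would have blown its whistle; the tree is the certificate that the search must succeed, not the search itself.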
Intersections of AF relations and IRT
Theorem [Intuitionistic Ramsey Theorem – binary case]:
  almost_full A -> almost_full B -> almost_full (fun x y => A x y /\ B x y)
AF relations were not invented for induction; they were invented to prove the “intuitionistic version of Ramsey’s theorem” [Veldman and Bezem].
Proving the IRT

p0 ZT q = q
p0 (SUP f) q = SUP (fun x => p0 (f x) q)
SecureBy (fun x y => A) p -> SecureBy (fun x y => B) q -> SecureBy (fun x y => A /\ B) (p0 p q)

p1 ZT q = q
p1 q ZT = q
p1 p@(SUP f) q@(SUP g) = SUP (fun x => p0 (p1 (f x) q) (p1 p (g x)))
SecureBy (fun x y => A x) p -> SecureBy (fun x y => B x) q -> SecureBy (fun x y => A x /\ B x) (p1 p q)

p2 ZT q = q
p2 q ZT = q
p2 p@(SUP f) q@(SUP g) = SUP (fun x => p1 (p2 (f x) q) (p2 p (g x)))
SecureBy (fun x y => A x y) p -> SecureBy (fun x y => B x y) q -> SecureBy (fun x y => A x y /\ B x y) (p2 p q)
Why is this the “Ramsey Theorem”?
Theorem [Intuitionistic Ramsey Theorem – binary case]: almost_full A -> almost_full B -> almost_full (fun x y => A x y /\ B x y)
Theorem [Standard Ramsey Theorem – binary case]: Let be a relation on nat. Call a subset of nat homogeneous iff for all with we have , or for all with we have . Then has an infinite homogeneous subset of nat.
Proof of standard Ramsey Theorem: Assume by contradiction that no such infinite homogeneous set exists. This means (classically) that both and are AF, and so is their intersection. But the empty relation cannot be AF.
Type-based composability
We’ve seen that AFs are closed under both unions and intersections. We’ve seen how to construct AF relations from WF. Here are some type-based combinators (Exercise: prove them!):

(t : Finite k) -> almost_full (@eq t)
almost_full A -> almost_full B -> almost_full (fun x y => A (fst x) (fst y) /\ B (snd x) (snd y))
sum_lift A B (inl x) (inl y) = A x y
sum_lift A B (inr x) (inr y) = B x y
sum_lift A B _ _ = False
almost_full A -> almost_full B -> almost_full (fun x y => sum_lift A B x y)
The Terminator principle
Theorem [Disjunctive well-foundedness, Podelski-Rybalchenko]: If R1 and R2 are WF and every pair related by T+ is related by R1 or by R2, then T is well-founded.
Recall Lemma wf_from_af: forall (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop),
  (forall x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.
To prove disjunctive well-foundedness, instantiate wf_from_af with
  R x y := not (R1 y x) /\ not (R2 y x)
Then use the AF intersection theorem and wf_from_af again!
Size-change termination

gnlex (0,_) = 1
gnlex (_,0) = 1
gnlex (x+1,y+1) = gnlex (y+1,y) + gnlex (y+1,x)

• Class of recursive definitions with no lexicographic order
  • Though no more expressive than lexicographic descent if the program is transformed [Ben-Amram]
• To write this in Coq, apply af_induction with:
  T (x,y) (x’,y’) := (x=y’ /\ y<y’) \/ (x=y’ /\ y<x’).
  R (x,y) (x’,y’) := x<=x’ /\ y<=y’.
• The interesting proof obligation is a somewhat tedious but straightforward intersection emptiness lemma
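The three af_induction obligations for gnlex, as an added Python example that is not the talk's Coq script: `gnlex` itself, `T` and `R` transcribed from the slide, and `obligation_holds`, which explores the finite call graph from a start state, takes T+ over that graph, and checks that no state reached by T+ from an ancestor is R-above the ancestor (so `T+ x y /\ R y x` never holds on the fragment). This is a finite sanity check of the emptiness lemma, not its proof. `explore`, `reach_set`, `successors` and the start states are this example's own.

```python
from functools import lru_cache
from typing import Dict, List, Set, Tuple

State = Tuple[int, int]


@lru_cache(maxsize=None)
def gnlex(x: int, y: int) -> int:
    # gnlex (0,_) = 1 ; gnlex (_,0) = 1 ; gnlex (x+1,y+1) = gnlex (y+1,y) + gnlex (y+1,x)
    if x == 0 or y == 0:
        return 1
    xm, ym = x - 1, y - 1  # the slide's x and y, the caller being (x+1, y+1)
    return gnlex(ym + 1, ym) + gnlex(ym + 1, xm)


def T(s: State, t: State) -> bool:
    """Transition relation from the slide: T (x,y) (x',y') holds when (x,y) is a
    recursive call made from (x',y')."""
    (x, y), (xp, yp) = s, t
    return (x == yp and y < yp) or (x == yp and y < xp)


def R(s: State, t: State) -> bool:
    """The AF relation from the slide: componentwise <= on nat * nat."""
    return s[0] <= t[0] and s[1] <= t[1]


def successors(t: State) -> List[State]:
    """The calls gnlex makes from state t (none at the base cases)."""
    xp, yp = t
    if xp == 0 or yp == 0:
        return []
    x, y = xp - 1, yp - 1
    return [(y + 1, y), (y + 1, x)]


def explore(start: State) -> Dict[State, List[State]]:
    """Finite call graph reachable from start (the constructed fragment of T)."""
    graph: Dict[State, List[State]] = {}
    todo = [start]
    while todo:
        t = todo.pop()
        if t not in graph:
            graph[t] = successors(t)
            todo.extend(graph[t])
    return graph


def reach_set(graph: Dict[State, List[State]], t: State) -> Set[State]:
    """All s with T+ s t inside the explored graph (iterative, so a cycle is harmless)."""
    seen: Set[State] = set()
    todo = list(graph[t])
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(graph[s])
    return seen


def obligation_holds(start: State) -> bool:
    """On the finite fragment: no s with T+ s t satisfies R t s.
    A cycle would put t into its own reach set and fail through R t t."""
    graph = explore(start)
    for t, succs in graph.items():
        if not all(T(s, t) for s in succs):  # sanity: successors really are T-steps
            return False
        if any(R(t, s) for s in reach_set(graph, t)):
            return False
    return True


if __name__ == "__main__":
    print(gnlex(3, 3))               # 18
    print(obligation_holds((4, 4)))  # True
    print(obligation_holds((1, 5)))  # True
```

The start state (1, 5) is included because the sum of the arguments grows on the first call (to (5, 4)), which is why no lexicographic or sum measure works here; the componentwise check still passes, as the slide's lemma predicts.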
Formal connection to SCT

gnlex (0,_) = 1
gnlex (_,0) = 1
gnlex (x+1,y+1) = gnlex (y+1,y) + gnlex (y+1,x)

Recursion patterns introduce size-change graphs.
Lemma: Let and every . If every in the transitive closure of the set satisfies for some AF then is well-founded. [Proof by AF induction!]
Lemma: Consider the AF (by af_intersection) = . Then if and some contains an arc then
Corollary [SCT]: If every in the transitive closure of has a power with an arc then is well-founded!
More in paper and Coq development

f 0 = 1
f (x+1) = f x + g (x+2)
g x | x < 2 = 1
g (x+2) = f x

• Mutual induction examples (such as f and g above)
• A discussion of the computational content of Ramsey’s theorem (enormous complexity bounds)
• Prop vs Set witnesses: we’ve re-engineered all the previous discussion to streamline the SecureBy predicate into an entirely Prop-indexed definition:

Inductive AF {X : Set} : (X -> X -> Prop) -> Prop :=
| AF_ZT : forall R, (forall x y, R x y) -> AF R
| AF_SUP : forall R, (forall x, AF (fun y z => R y z \/ R x y)) -> AF R.
Some constructive WQO-related results
• S. Berghofer, D. Fridlender, M. Seisenberger:
  • Constructive proofs of Higman’s Lemma (homeomorphic embedding in lists gives WQOs). Similar constructions. Veldman also had such a proof, and Fridlender reports an earlier thesis from 1979 with a similar result. Fridlender’s proof is based on formalizing inductive bars.
  • Useful, but not as general as Kruskal’s tree theorem (short proof by Nash-Williams); I do not know of constructive proofs of the general cases.
• Thierry Coquand had yet another proof of IRT around 1994, but less suitable for discussing the termination problem
• To our knowledge no-one had connected AF relations with termination in type theory, though in retrospect the connection seems obvious
Future directions
• Extend combinators for recursive types (help needed!)
• Polish and release Coq library
  • It now contains an entirely Prop-based generalization of Ramsey’s theorem for relations of “inductive arities”
  • David has it also formalized in Agda (see the Agda Wiki)
• Formally support SCT or Terminator in Coq (help needed!)
• Investigate automation techniques to be used in the context of Coq, think about programmer convenience (help needed!)
• Explore AF proofs as constructive termination certificates
Start using AF relations!
http://research.microsoft.com/people/dimitris/constructive-fixpoints.pdf
We’ve suggested an alternative way to think about termination in constructive type theory, by switching to AF relations instead of WF relations.
We’ve shown that this approach enjoys compositionality, and is at the core of other successful termination frameworks.
Thanks!
Alternative SCT criterion
Assume the transitive closure of size-change graphs is finite.
Corollary [SCT]: If every in the transitive closure of has a power with an arc then is well-founded!
Lemma [Alternative SCT]: If every idempotent in the transitive closure of has an arc then is well-founded!
Why? Observe that every in the transitive closure of has an idempotent power. Since all powers of are in it must be that for some positive and . Take . [Well known in algebra: every element of a finite semigroup has an idempotent power]
Bar induction
Definition [Bar]: The predicate U : list A -> Prop is a bar if every infinite sequence has an initial segment that satisfies U.
Axiom [Bar induction]: Assume Then
Fridlender formalizes inductively Bar(U, as) – Veldman and Bezem postulate Bar Induction to prove the IRT.