Stop when you are Almost-Full Adventures in constructive termination Dimitrios Vytiniotis Microsoft Research, Cambridge Thierry Coquand, David Wahlstedt University of Gothenburg February 2012



2

Program termination: big success stories

Termination testing with well-quasi-orders (WQOs)
• Online testing in super-compilation [Sorensen & Glück, Bolingbroke et al.]
• Well known & widely used in term rewrite systems [see Leuschel's survey, Nipkow's book]

Proving termination using disjunctive well-foundedness
• Rybalchenko and Podelski: using Ramsey's theorem
• Led to industrial-strength tools: Terminator [Cook et al.]

Proving termination with size-change termination (SCT)
• N. Jones, Sereni, Bohr and others
• Comparable "strength" to Terminator [Heizmann et al.]

A striking observation (for the outsiders): similar soundness proofs, proof strength, and automation capabilities, but developed independently …

3

This work

Explains the common theoretical foundation for the aforementioned success stories in a uniform way, and purely constructively inside Type Theory

Proposes an alternative way for writing recursive definitions in Type Theory and Coq, resurrecting an old idea, that of almost-full relations

Shows how Terminator and SCT can be proved and used intuitionistically inside Coq

Offers a modular toolkit to Coq programmers to use the power of these techniques in their scripts and easily show programs from the Terminator and SCT repertoire terminating …

4

The three communities … actually four

Termination testing with well-quasi-orders
• Online testing in super-compilation, term rewrite systems

Proving termination using disjunctive well-foundedness
• Rybalchenko and Podelski, Cook …

Proving termination with size-change termination
• N. Jones, Sereni, Bohr …

Mathematicians and computer scientists working on Intuitionistic Ramsey Theory in the 90's: Veldman, Bezem, Coquand, Fridlender, Berghofer …

5

Well-Quasi-Orders (WQOs)

Definition [Well-Quasi-Order]: A binary relation (R : X -> X -> Prop) on a set X is WQO when:
(i) It is transitive, and
(ii) For every infinite sequence s0, s1, ... there exist i, j with i < j and R(si, sj)

Example: (le) on nat

10 7 6 4 1 5 4 3 3 3 3 3 …   (e.g. the 4 at position 3 and the 5 at position 5 are related by le)

6

Online termination testing with WQOs

Definition [Well-Quasi-Order]: A binary relation (R : X -> X -> Prop) on a set X is WQO when:
(i) It is transitive, and
(ii) For every infinite sequence s0, s1, ... there exist i, j with i < j and R(si, sj)

Recall example: (le) on nat
10 7 6 4 1 5 4 3 3 3 3 3 …

Input is a WQO on "program states". Basic idea:
1. Keep track of all "observed states of the program so far"
2. New program state comes in: check that no old state is related (by the WQO) to it
3. Every infinite sequence has two related values, so this cannot go on for ever!
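The checker that the three steps above describe, written out as an added Python example (this is not code from the talk or its Coq development): the whistle keeps the history, tests each incoming state against every earlier one, and reports the pair (i, j) at which the run is stopped. The class and function names, the componentwise order on pairs and the second trace are my own; the first trace is the sequence used on the slides.

```python
"""Online termination test driven by a WQO.

Added example (Python); it is not code from the talk or its Coq development.
The checker keeps every state observed so far and blows the "whistle" as soon
as an incoming state is R-related to an earlier one, i.e. when some i < j has
R(s_i, s_j).  Because R is a WQO this must happen on every infinite run, so a
driver that stops on the whistle always terminates.  Names and sample traces
below are my own; the first trace is the sequence used on the slides.
"""
from typing import Callable, Generic, Iterable, List, Optional, Tuple, TypeVar

S = TypeVar("S")


class WqoWhistle(Generic[S]):
    """History of observed states plus the check performed on each new one."""

    def __init__(self, related: Callable[[S, S], bool]) -> None:
        self.related = related
        self.history: List[S] = []

    def observe(self, state: S) -> Optional[Tuple[int, int]]:
        """Record `state`; return (i, j) if an old state s_i is related to it."""
        j = len(self.history)
        for i, old in enumerate(self.history):      # every old state is checked
            if self.related(old, state):            # R(s_i, s_j) with i < j
                return (i, j)
        self.history.append(state)
        return None


def run_until_whistle(related: Callable[[S, S], bool], states: Iterable[S]) -> Tuple[int, int]:
    """Feed states in order and return the first pair that trips the whistle.

    Raises ValueError if a finite input runs out first: no conclusion can be
    drawn from a prefix without a related pair.
    """
    whistle: WqoWhistle[S] = WqoWhistle(related)
    for state in states:
        hit = whistle.observe(state)
        if hit is not None:
            return hit
    raise ValueError("no related pair in the given prefix")


def le_nat(a: int, b: int) -> bool:
    """(le) on nat, the slide's WQO."""
    return a <= b


def le_pair(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """Componentwise (le) on pairs of nats; a WQO by Dickson's lemma."""
    return a[0] <= b[0] and a[1] <= b[1]


SLIDE_TRACE = [10, 7, 6, 4, 1, 5, 4, 3, 3, 3, 3, 3]          # from the slides
PAIR_TRACE = [(2, 0), (1, 1), (0, 2), (0, 0), (3, 3)]         # constructed

if __name__ == "__main__":
    print(run_until_whistle(le_nat, SLIDE_TRACE))   # (3, 5): the 4 and the 5
    print(run_until_whistle(le_pair, PAIR_TRACE))   # (0, 4): (2, 0) <= (3, 3)
```

Note that the check is quadratic in the length of the run and that the whistle only says "stop here"; it gives no bound on how long a run can go before it blows, which is the point the later slides address with well-founded trees.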

7

WQO--: Intuitionistic Almost-Full Relations

Well-founded trees represent winning strategies: either I have won (ZT), or the context is giving me an (x:X) and I am making a new move by picking a new (WFT X) to play on (SUP)! But of which game? Let's take the game that says: I've won if every infinite sequence contains two related elements.

Inductive WFT (X : Set) : Set :=
  | ZT : WFT X
  | SUP : (X -> WFT X) -> WFT X.

Fixpoint SecureBy (X:Set) (R:X->X->Prop) (p:WFT X) : Prop :=
  match p with
  | ZT => forall x y, R x y
  | SUP p => forall x, SecureBy (fun y z => R y z \/ R x y) (p x)
  end.

8

Intuitionistic Almost-Full Relations


An almost-full relation (AF) is one that is SecureBy a well-founded tree!

Definition almost_full (X:Set) (R:X->X->Prop) := exists p, SecureBy R p.

9

Inductively defining all possible choices

Suppose that we are given:
(i) p := SUP(fun x=>SUP(fun x=>SUP(fun x=>SUP (fun x=>ZT))))
(ii) SecureBy R p

What does that mean for a sequence?

10

Example: all possible choices

Given (i) p := SUP(fun x=>SUP(fun x=>SUP(fun x=>SUP(fun x=>ZT)))) and (ii) SecureBy R p, feed the elements of the sequence to p one by one. Each value consumed strips one SUP from the remaining tree and adds one disjunct (R y z \/ R x y, for the value x just read) to the secured relation:

SUP(fun x=>SUP(fun x=>SUP(fun x=>ZT)))
SUP(fun x=>SUP(fun x=>ZT))
SUP(fun x=>ZT)
ZT

Hence, at ZT, the accumulated relation must be True (hold for all x, y)!

11

Building up intuitions

Lemma: If (SecureBy R p) then every infinite sequence has two elements related by R.

Proof by induction on p, two cases:
1. ZT: done, just take the first two elements of the sequence.
2. SUP q: Consider the first element x and the WFT (q x). By induction there exist y and z in the rest of the sequence such that R y z or R x y, so we are done again!

12

AF relations vs WQOs

An AF relation satisfies (ii) intuitionistically. NB: (ii) (and not our definition) is what Bezem & Veldman called an AF relation (and they postulated bar induction to show an intuitionistic version of Ramsey's theorem).

(i) we are going to forget about: not needed!

NB: we can't intuitionistically prove a relation AF from (ii). Bezem and Veldman give a counterexample which relies on the consistency of type theory and Church's thesis. But that's OK! AF relations can now be used for induction!

Recall the Definition [Well-Quasi-Order]: A binary relation (R : X -> X -> Prop) on a set X is WQO when:
(i) It is transitive, and
(ii) For every infinite sequence s0, s1, ... there exist i, j with i < j and R(si, sj)

13

Getting AF from well-founded (WF) relations

(* Well-founded relations in Coq *)
Inductive Acc (A:Type) (R:A->A->Prop) (x:A) : Prop :=
  Acc_intro : (forall y, R y x -> Acc R y) -> Acc R x.

Definition well_founded A (R:A->A->Prop) := forall a, Acc R a.

Lemma (af_from_wf): If R is a decidable WF relation then (fun x y => not (R y x)) is AF.

Construction of the tree (sketch of the proof):
• Introduce SUP to read the first element x. Know: Acc R x.
• Introduce SUP to check the next element y.
• Split on (decidable) R y x:
  if R y x, recurse on (Acc R y) and continue with the tree built for y;
  if not (R y x), return ZT: x and y are already related by (fun x y => not (R y x)), which the accumulated disjunction records.

14

The crux: WF from AF

Think of T:X->X->Prop, the "transition relation" of the program, which relates every pair of adjacent values si, si+1 in a trace. Let R be a WQO. The WQO-based checker effectively implements: (T+) ∩ (R^-1) = ∅, i.e. no state reachable by one or more transitions is R-related back from the state it came from. Can we state and prove something like that using AF relations?

Lemma wf_from_af: forall (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop),
  (forall x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.

15

WF from AF

Lemma wf_from_af: forall (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop),
  (forall x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.

Theorem af_induction: forall (X:Set) (T R:X->X->Prop),
  almost_full R ->
  (forall x y, T+ x y /\ R y x -> False) ->
  forall (P : X -> Set), (forall x, (forall y, T y x -> P y) -> P x) -> forall a, P a

User obligation 1: Provide transition relation T
User obligation 2: Provide an AF relation R
User obligation 3: Prove intersection emptiness

16

NB: there's an easier way

Lemma wf_from_wqo: forall (X:Set) (p:WFT X) (R:X->X->Prop),
  transitive R -> SecureBy R p -> well_founded (fun x y => R x y /\ not (R y x))

Think R := (le)

17

So?

af_induction: 3 proof obligations
• Give transition relation
• Give AF relation and prove that it's AF
• Show intersection emptiness

wf_induction: just 2 proof obligations
• Give transition relation
• Plus a proof that the transition relation is well-founded

So, is there anything we've gained at the end of the day?

18

Composability

Much like WQOs, AF relations compose well. It's a very well-behaved class of relations.

Some warming up:

(forall x y, A x y -> B x y) -> almost_full A -> almost_full B

almost_full A -> almost_full (fun x y => A x y \/ B x y)

almost_full A -> almost_full (fun x y => A (f x) (f y))

well_founded R -> decidable R -> almost_full (fun x y => not (R y x))
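The trees of the WFT/SecureBy slides, the af_from_wf construction and the inverse-image combinator just listed, made executable as an added Python example (this is not the talk's Coq development): a tree is a lazy object, `witness` is the computational content of the lemma "SecureBy R p implies every infinite sequence has two R-related elements", `af_from_wf` follows the sketched construction, and `inverse_image` is the (fun x y => A (f x) (f y)) combinator. The function names, the `depth_on` helper and the second sample sequence are my own; the first sequence is the slides' example.

```python
"""Well-founded trees as executable termination certificates.

Added example in Python; it is not the talk's Coq development.  A WFT is a
lazy object: ZT is a leaf and SUP holds a function from an element to the
next tree.  `witness` is the computational content of the lemma
"SecureBy R p => every infinite sequence has two R-related elements",
`af_from_wf` follows the construction sketched for af_from_wf, and
`inverse_image` is the (fun x y => A (f x) (f y)) combinator.  All names and
sample sequences here are my own.
"""
from itertools import chain, repeat
from typing import Callable, Iterable, Iterator, List, Tuple, Union


class ZT:
    """Leaf: the secured relation must relate any two further elements."""


class SUP:
    """Node: read one element x, then continue with the tree f(x)."""
    __slots__ = ("f",)

    def __init__(self, f: Callable) -> None:
        self.f = f


WFT = Union[ZT, SUP]


def witness(p: WFT, related: Callable, seq: Iterable) -> Tuple[int, int]:
    """Return (i, j), i < j, with related(s_i, s_j), guided by the tree p.

    Walking p along s_0, s_1, ... reaches ZT after some k elements.  Unfolding
    SecureBy, the relation secured there is R s_k s_{k+1} or R s_i s_j for
    some i < j <= k, so a related pair exists among the first k+2 elements;
    the search mirrors the online checker (earliest j first).  For a tree
    that does not secure `related` the search may come up empty.
    """
    it: Iterator = iter(seq)
    seen: List = []
    while isinstance(p, SUP):
        x = next(it)
        seen.append(x)
        p = p.f(x)
    seen.append(next(it))
    seen.append(next(it))
    for j in range(1, len(seen)):
        for i in range(j):
            if related(seen[i], seen[j]):
                return (i, j)
    raise AssertionError("tree does not secure this relation")


def af_from_wf(lt: Callable) -> WFT:
    """Tree securing (fun x y => not (lt y x)) for a decidable, well-founded lt.

    Read x, then y: if lt y x recurse on the (accessible) y; otherwise x and
    y are already related by the AF relation, so ZT is enough.  For a lt that
    is not well-founded the walk need not terminate.
    """
    def after(x):
        return SUP(lambda y: after(y) if lt(y, x) else ZT())
    return SUP(after)


def inverse_image(p: WFT, f: Callable) -> WFT:
    """If p secures A, this tree secures (fun x y => A (f x) (f y))."""
    if isinstance(p, ZT):
        return ZT()
    return SUP(lambda x: inverse_image(p.f(f(x)), f))


def depth_on(p: WFT, seq: Iterable) -> int:
    """How many elements the tree consumes on this stream before reaching ZT."""
    it = iter(seq)
    n = 0
    while isinstance(p, SUP):
        p = p.f(next(it))
        n += 1
    return n


LE_NAT = af_from_wf(lambda a, b: a < b)                 # secures a <= b
LE_FST = inverse_image(LE_NAT, lambda s: s[0])          # secures fst a <= fst b


def slide_stream():
    """Constructed infinite stream: the slides' sequence 10 7 6 4 1 5 4 3 3 3 ..."""
    return chain([10, 7, 6, 4, 1, 5, 4], repeat(3))


def demo_nat() -> Tuple[int, int]:
    return witness(LE_NAT, lambda a, b: a <= b, slide_stream())


def demo_fst() -> Tuple[int, int]:
    pairs = chain([(2, 0), (1, 1), (0, 2), (0, 0)], repeat((3, 3)))   # constructed
    return witness(LE_FST, lambda a, b: a[0] <= b[0], pairs)


if __name__ == "__main__":
    print(depth_on(LE_NAT, slide_stream()), demo_nat(), demo_fst())
```

On the slides' sequence the af_from_wf tree for (le) descends along the strictly decreasing run 10 7 6 4 1 and reaches ZT at the 5, after six elements; the witness it then delivers is the pair (4, 5). The tree is the certificate: unlike the online checker, which only says "stop here", the depth reached along a sequence bounds how long the run could go on.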

19

Intersections of AF relations and IRT

AF relations were not invented for induction, they were invented to prove the “intuitionistic version of Ramsey’s theorem” [Veldman and Bezem]

Theorem [Intuitionistic Ramsey Theorem – binary case]

almost_full A -> almost_full B -> almost_full (fun x y => A x y /\ B x y)

20

Proving the IRT

p0 ZT q = q
p0 (SUP f) q = SUP (fun x => p0 (f x) q)

p1 ZT q = q
p1 p ZT = p
p1 p@(SUP f) q@(SUP g) = SUP (fun x => p0 (p1 (f x) q) (p1 p (g x)))

p2 ZT q = q
p2 p ZT = p
p2 p@(SUP f) q@(SUP g) = SUP (fun x => p1 (p2 (f x) q) (p2 p (g x)))

SecureBy (fun x y => A) p -> SecureBy (fun x y => B) q -> SecureBy (fun x y => A /\ B) (p0 p q)

SecureBy (fun x y => A x) p -> SecureBy (fun x y => B x) q -> SecureBy (fun x y => A x /\ B x) (p1 p q)

SecureBy (fun x y => A x y) p -> SecureBy (fun x y => B x y) q -> SecureBy (fun x y => A x y /\ B x y) (p2 p q)

21

Why is this the "Ramsey Theorem"?

Theorem [Intuitionistic Ramsey Theorem – binary case]
almost_full A -> almost_full B -> almost_full (fun x y => A x y /\ B x y)

Theorem [Standard Ramsey Theorem – binary case]
Let R be a relation on nat. Call a subset S of nat homogeneous iff for all i, j in S with i < j we have R i j, or for all i, j in S with i < j we have not (R i j). Then R has an infinite homogeneous subset of nat.

Proof of the standard Ramsey Theorem: Assume by contradiction that no such infinite homogeneous set exists. This means (classically) that both R and its complement are AF, and so is their intersection. But the empty relation cannot be AF.

22

Type-based composability

We've seen that AFs are closed under both unions and intersections.

We've seen how to construct AF relations from WF relations. Here are some type-based combinators (Exercise: Prove them!)

(t : Finite k) -> almost_full (@eq t)

almost_full A -> almost_full B -> almost_full (fun x y => A (fst x) (fst y) /\ B (snd x) (snd y))

sum_lift A B (inl x) (inl y) = A x y
sum_lift A B (inr x) (inr y) = B x y
sum_lift A B _ _ = False

almost_full A -> almost_full B -> almost_full (sum_lift A B)

23

The Terminator principle

Theorem [Disjunctive well-foundedness, Podelski-Rybalchenko]
If R1 and R2 are WF and T+ ⊆ R1 ∪ R2 then T is well-founded.

To prove disjunctive well-foundedness, instantiate wf_from_af with
R x y := not (R1 y x) /\ not (R2 y x)
Then use af_from_wf on each conjunct and the AF intersection theorem to show that R is AF! The intersection-emptiness obligation is immediate: T+ x y gives R1 x y or R2 x y, and R y x rules out both.

Recall Lemma wf_from_af: forall (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop),
  (forall x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.

24

Size-change termination

Class of recursive definitions with no lexicographic order. Though no more expressive than lexicographic descent if the program is transformed [Ben-Amram].

gnlex (0,_) = 1
gnlex (_,0) = 1
gnlex (x+1,y+1) = gnlex(y+1,y) + gnlex(y+1,x)

To write this in Coq, apply af_induction with (T relates the argument of a recursive call to the argument of its caller):
T (x,y) (x',y') := (x=y' /\ y<y') \/ (x=y' /\ y<x').
R (x,y) (x',y') := x<=x' /\ y<=y'.

The interesting proof obligation is a somewhat tedious but straightforward intersection emptiness lemma.
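A bounded-domain sanity check of exactly these obligations, as an added Python example (not part of the talk or its Coq proof): it enumerates the slide's T on a finite box of states, takes the transitive closure, and confirms that no state is R-related back to one of its T-ancestors; it also checks that gnlex's real recursive calls fall under T, which is what makes this af_induction instance apply to gnlex. The box bound, the function names and the deliberately too-weak second candidate relation are my own; a counterexample found this way would show that the chosen (T, R) pair can never be proved, before any Coq effort is spent.

```python
"""Bounded-domain sanity check of the af_induction obligations for gnlex.

Added example (Python); it is not the talk's Coq proof.  T and R are the
relations from the slide; everything else (box, names, R_first_only) is mine.
"""
from typing import Callable, Dict, List, Set, Tuple

State = Tuple[int, int]
Rel = Callable[[State, State], bool]


def calls(state: State) -> List[State]:
    """Arguments of gnlex's direct recursive calls from `state`:
    gnlex(x+1, y+1) calls gnlex(y+1, y) and gnlex(y+1, x)."""
    x, y = state
    if x == 0 or y == 0:
        return []
    return [(y, y - 1), (y, x - 1)]


def T(callee: State, caller: State) -> bool:
    """The slide's T (x,y) (x',y') := (x=y' /\ y<y') \/ (x=y' /\ y<x'),
    relating a call's argument to the argument of the caller it came from."""
    (x, y), (x2, y2) = callee, caller
    return x == y2 and (y < y2 or y < x2)


def R(a: State, b: State) -> bool:
    """The slide's AF relation: componentwise <= (a WQO by Dickson's lemma)."""
    return a[0] <= b[0] and a[1] <= b[1]


def R_first_only(a: State, b: State) -> bool:
    """Constructed, deliberately too weak candidate: only the first component."""
    return a[0] <= b[0]


def box(bound: int) -> List[State]:
    """All states in [0, bound]^2; T steps never leave the box, so T+ is exact."""
    return [(a, b) for a in range(bound + 1) for b in range(bound + 1)]


def t_plus(bound: int) -> Dict[State, Set[State]]:
    """T+ on the box: for each caller y, every x with T+ x y (>= 1 T step)."""
    states = box(bound)
    succ = {y: [x for x in states if T(x, y)] for y in states}   # one T step
    closure: Dict[State, Set[State]] = {}
    for y in states:
        reached: Set[State] = set()
        stack = list(succ[y])
        while stack:
            x = stack.pop()
            if x not in reached:
                reached.add(x)
                stack.extend(succ[x])
        closure[y] = reached
    return closure


def calls_covered_by_T(bound: int) -> bool:
    """Obligation 1 sanity check: every real call (callee, caller) satisfies T."""
    return all(T(c, s) for s in box(bound) for c in calls(s))


def intersection_empty(bound: int, rel: Rel = R) -> bool:
    """Obligation 3 on the box: forall x y, T+ x y /\ rel y x -> False."""
    for y, below in t_plus(bound).items():
        for x in below:
            if rel(y, x):          # an ancestor y is rel-related to a descendant x
                return False
    return True


def gnlex(x: int, y: int) -> int:
    """The function itself; af_induction is what justifies this recursion."""
    if x == 0 or y == 0:
        return 1
    return gnlex(y, y - 1) + gnlex(y, x - 1)


if __name__ == "__main__":
    print(calls_covered_by_T(8), intersection_empty(8), intersection_empty(8, R_first_only))
```

The box is closed under T (a callee's first component is the caller's second, and its second component is strictly below the caller's larger one), so the enumerated T+ is the real transitive closure restricted to the box rather than an approximation of it. Dropping the second conjunct of R is enough to break obligation 3: from (1, 3) the call to (3, 0) already has a larger first component, which is the kind of counterexample this check reports.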

25

Formal connection to SCT

Recursion patterns introduce size-change graphs:

gnlex (0,_) = 1
gnlex (_,0) = 1
gnlex (x+1,y+1) = gnlex(y+1,y) + gnlex(y+1,x)

[Figure: size-change graphs G0 and G1, one per recursive call, with labelled arcs between argument positions 0 and 1 of the caller and the callee]

Lemma: Let and every . If every in the transitive closure of the set satisfies for some AF then is well-founded. [Proof by AF induction!]

Lemma: Consider the AF (by af_intersection) = Then if and some contains an arc then

Corollary [SCT]: If every in the transitive closure of has a power with an arc then is well-founded!

26

More in paper and Coq development

Mutual induction examples:

f 0 = 1
f (x+1) = f x + g (x+2)
g x | x < 2 = 1
g (x+2) = f x

A discussion of the computational content of Ramsey's theorem (enormous complexity bounds)

Prop vs Set witnesses: We've re-engineered all the previous discussion to streamline the SecureBy predicate into an entirely Prop-indexed definition:

Inductive AF {X : Set} : (X -> X -> Prop) -> Prop :=
  | AF_ZT : forall R, (forall x y, R x y) -> AF R
  | AF_SUP : forall R, (forall x, AF (fun y z => R y z \/ R x y)) -> AF R.

27

Some constructive WQO-related results

S. Berghofer, D. Fridlender, M. Seisenberger: constructive proofs of Higman's Lemma (homeomorphic embedding on lists gives WQOs). Similar constructions. Veldman also had such a proof, and Fridlender reports an earlier thesis from 1979 with a similar result. Fridlender's proof is based on formalizing inductive bars.

Useful, but not as general as Kruskal's tree theorem (short proof by Nash-Williams); I do not know of constructive proofs of the general cases.

Thierry Coquand had yet another proof of the IRT around 1994, but less suitable for discussing the termination problem.

To our knowledge no-one had connected AF relations with termination in type theory, though in retrospect the connection seems obvious.

28

Future directions

Extend combinators for recursive types (help needed!)

Polish and release the Coq library. It now contains an entirely Prop-based generalization of Ramsey's theorem for relations of "inductive arities". David has also formalized it in Agda (see the Agda Wiki).

Formally support SCT or Terminator in Coq (help needed!)

Investigate automation techniques to be used in the context of Coq; think about programmer convenience (help needed!)

Explore AF proofs as constructive termination certificates

29

Start using AF relations!

We've suggested an alternative way to think about termination in constructive type theory, by switching to AF relations instead of WF relations.

We've shown that this approach enjoys compositionality, and is at the core of other successful termination frameworks.

http://research.microsoft.com/people/dimitris/constructive-fixpoints.pdf

Thanks!

30

Alternative SCT criterionAssume the transitive closure of size-change graphs is finite.

Lemma [Alternative SCT]: If every idempotent in the transitive closure of has an arc then is well-founded!

Why? Observe that every in the transitive closure of has an idempotent power. Since all powers of are in it must be that for some positive and . Take . [Well known in algebra: every element of a finite semi-group has an idempotent power]

Corollary [SCT]: If every in the transitive closure of has a power with an arc then is well-founded!

31

Bar inductionDefinition [Bar]: The predicate U:list A->Prop is a bar if every infinite sequence has an initial segment that satisfies U

Axiom [Bar induction]: Assume

Then

Fridlender formalizes inductively Bar(U, as) – Veldman and Bezem postulate Bar Induction to prove the IRT