The PML Language: Realizability at the Service of Program Proofs
Rodolphe Lepigre, Realizability workshop, 08/03/2018, Marseille
Using OCaml as a Proof System: A Silly Idea?

```ocaml
(* Empty type (logical absurdity). *)
type empty = { empty : 'a. 'a }

(* Logical negation. *)
type 'a neg = 'a -> empty

(* The law of the excluded middle. *)
type 'a excluded_middle =
  | True of 'a
  | False of 'a neg

(* The law of the excluded middle implies double negation elimination. *)
let proof : 'a excluded_middle -> 'a neg neg -> 'a = fun em h ->
  match em with
  | True a -> a
  | False not_a -> (h not_a).empty
```
Toward a Programming Language, with Program Proving Features

An ML-like programming language with:
- records, variants (constructors), subtyping,
- polymorphism, general recursion,
- a call-by-value evaluation strategy,
- effects (control operators),
- a Curry-style syntax (light) and inductive types.

For proving programs, the type system is enriched with:
- programs as individuals (higher-order layer),
- an equality type t ≡ u (observational equivalence),
- a dependent function type (typed quantification).

Termination checking is required for proofs.
Example of Program and Proof

```pml
type rec nat = [Zero ; S of nat]

val rec add : nat ⇒ nat ⇒ nat =
  fun n m { case n { Zero → m | S[k] → S[add k m] } }

val add_Zero_m : ∀m∈nat, add Zero m ≡ m =
  fun m { {} }

val rec add_n_Zero : ∀n∈nat, add n Zero ≡ n =
  fun n {
    case n {
      Zero → {}
      S[p] → add_n_Zero p
    }
  }
```
Part I: Specificities of the Type System
Part II: Formalisation of the System and Semantics
Part III: Semantical Value Restriction
Part I
Specificities of the Type System
Properties as Program Equivalences

Examples of (equational) program properties:
- add (add m n) k ≡ add m (add n k)   (associativity of add)
- rev (rev l) ≡ l   (rev is an involution)
- map g (map f l) ≡ map (fun x {g (f x)}) l   (map and composition)
- sort (sort l) ≡ sort l   (sort is idempotent)

Specification of a sorting function using predicates:
- is_increasing (sort l) ≡ true   (sort produces a sorted list)
- is_perm (sort l) l ≡ true   (sort yields a permutation)
Equality Types and Equivalence

We consider a new type former t ≡ u (where t and u are untyped terms).
It is interpreted as:
- ⊤ (the unit type) if t and u are "equivalent",
- ⊥ (the empty type) otherwise.

Remark: equivalence is undecidable.
Remark: decision of equivalence only needs to be correct.

$$\frac{\Gamma \vdash t : \top \qquad u_1 \equiv u_2 \ \ \text{(dec. proc. says ``yes'')}}{\Gamma \vdash t : u_1 \equiv u_2}
\qquad
\frac{\Gamma,\, x : \top,\, u_1 \equiv u_2 \vdash t : C}{\Gamma,\, x : u_1 \equiv u_2 \vdash t : C}$$
First-Order Quantification is not Enough

```pml
val rec add : nat ⇒ nat ⇒ nat =
  fun n m { case n { Zero → m | S[k] → S[add k m] } }

val add_Zero_m : ∀m, add Zero m ≡ m = {}
// Immediate by definition

val add_n_Zero : ∀n, add n Zero ≡ n = {- ??? -}
// Nothing we can do
```

We need a form of typed quantification!
Dependent Functions for Typed Quantification

```pml
val rec add_n_Zero : ∀n∈nat, add n Zero ≡ n =
  fun n {
    case n {
      Zero → {}
      S[p] → add_n_Zero p
    }
  }
```

Remark: we may inspect the elements of the domain.

$$\frac{\Gamma,\, x : A \vdash t : B}{\Gamma \vdash \lambda x.t : \forall x{\in}A.\,B}
\qquad
\frac{\Gamma \vdash t : \forall x{\in}A.\,B \qquad \Gamma \vdash v : A}{\Gamma \vdash t\,v : B[x := v]}$$
Structuring Proofs with Dummy Programs

```pml
val rec add_n_Sm : ∀n m∈nat, add n S[m] ≡ S[add n m] =
  fun n m {
    case n {
      Zero → {}
      S[k] → add_n_Sm k m
    }
  }

val rec add_comm : ∀n m∈nat, add n m ≡ add m n =
  fun n m {
    case n {
      Zero → add_n_Zero m
      S[k] → add_n_Sm m k; add_comm k m
    }
  }
```
Part II
Formalisation of the System and Semantics
Realizability Model

We build a model to prove that the language has the expected properties.
To construct the model, we need to:
1) give the syntax of programs and types,
2) define the interpretation of types as sets of terms (uses reduction),
3) define adequate typing rules,
4) deduce termination, type safety and consistency.

Advantage: it is modular (contrary to type preservation).
Call-by-Value Abstract Machine

$$\begin{array}{lrcl}
\text{Values} & v, w & ::= & x \mid \lambda x.t \mid \{(l_i = v_i)_{i \in I}\} \mid C_k[v] \\
\text{Terms} & t, u & ::= & v \mid t\,u \mid v.l_k \mid [v \mid (C_i[x_i] \to t_i)_{i \in I}] \mid \mu\alpha.t \mid [\pi]t \\
\text{Stacks} & \pi, \rho & ::= & \alpha \mid \varepsilon \mid v.\pi \mid [t]\pi \qquad \text{(evaluation context)} \\
\text{Processes} & p, q & ::= & t \ast \pi
\end{array}$$
Call-by-value Reduction Relation

$$\begin{array}{rcll}
t\,u \ast \pi & \succ & u \ast [t]\pi \\
v \ast [t]\pi & \succ & t \ast v.\pi \\
\lambda x.t \ast v.\pi & \succ & t[x := v] \ast \pi \\
\{(l_i = v_i)_{i \in I}\}.l_k \ast \pi & \succ & v_k \ast \pi & (k \in I) \\
[C_k[v] \mid (C_i[x_i] \to t_i)_{i \in I}] \ast \pi & \succ & t_k[x_k := v] \ast \pi & (k \in I) \\
\mu\alpha.t \ast \pi & \succ & t[\alpha := \pi] \ast \pi \\
[\pi]t \ast \rho & \succ & t \ast \pi
\end{array}$$
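An added example (mine, not code from the slides or from the PML implementation): a small Python model of the abstract machine and reduction rules above, used to run the `add` function from the earlier slides on closed naturals. It assumes a substitution-based machine with the constructor names `Var`, `Lam`, `Unit`, `Con`, `App`, `Case`, `Mu`, `Throw`, `SVar`, `Eps`, `Push`, `Frame`, drops records (the unit value `{}` stands in for the empty record), encodes `val rec` with a call-by-value fixed-point combinator, and treats running out of fuel as divergence.

```python
"""Added example (not PML's own code): the slides' call-by-value abstract machine,
its reduction rules, convergence t * pi >* v * eps, and `add` run on closed naturals."""
from typing import NamedTuple, Optional
# Values  v, w ::= x | lam x.t | {} | C[v]      (records reduced to the unit {})
class Var(NamedTuple): name: str
class Lam(NamedTuple): x: str; body: object
class Unit(NamedTuple): pass
class Con(NamedTuple): tag: str; arg: object
# Terms   t, u ::= v | t u | [v | (C_i[x_i] -> t_i)_i] | mu a.t | [pi]t
class App(NamedTuple): t: object; u: object
class Case(NamedTuple): v: object; branches: tuple      # ((tag, x, body), ...)
class Mu(NamedTuple): alpha: str; body: object
class Throw(NamedTuple): stack: object; t: object
# Stacks  pi, rho ::= a | eps | v.pi | [t]pi
class SVar(NamedTuple): name: str
class Eps(NamedTuple): pass
class Push(NamedTuple): v: object; rest: object
class Frame(NamedTuple): t: object; rest: object
VALUES = (Var, Lam, Unit, Con)

def subst(node, name, repl):
    """node[name := repl] for a closed value or stack repl (term and stack
    variables use disjoint names here, so substitution cannot capture)."""
    if isinstance(node, (Var, SVar)):
        return repl if node.name == name else node
    if isinstance(node, (Unit, Eps)):
        return node
    if isinstance(node, (Lam, Mu)) and node[0] == name:
        return node                                        # rebound here: stop
    if isinstance(node, Case):
        return Case(subst(node.v, name, repl),
                    tuple((c, x, b if x == name else subst(b, name, repl))
                          for c, x, b in node.branches))
    return type(node)(*(f if isinstance(f, str) else subst(f, name, repl)
                        for f in node))

def step(t, pi) -> Optional[tuple]:
    """One step t * pi > t' * pi'; None when the machine is stuck (runtime error)."""
    if isinstance(t, App):                                 # t u * pi > u * [t]pi
        return t.u, Frame(t.t, pi)
    if isinstance(t, VALUES) and isinstance(pi, Frame):    # v * [t]pi > t * v.pi
        return pi.t, Push(t, pi.rest)
    if isinstance(t, Lam) and isinstance(pi, Push):        # lam x.t * v.pi > t[x:=v] * pi
        return subst(t.body, t.x, pi.v), pi.rest
    if isinstance(t, Case) and isinstance(t.v, Con):       # [C_k[v] | ...] * pi > t_k[x_k:=v] * pi
        for tag, x, body in t.branches:
            if tag == t.v.tag:
                return subst(body, x, t.v.arg), pi
        return None                                        # no branch for this constructor
    if isinstance(t, Mu):                                  # mu a.t * pi > t[a:=pi] * pi
        return subst(t.body, t.alpha, pi), pi
    if isinstance(t, Throw):                               # [pi]t * rho > t * pi
        return t.t, t.stack
    return None

def run(t, pi=Eps(), fuel=20_000):
    """The value v when t * pi >* v * eps; None when stuck or out of fuel (divergence)."""
    for _ in range(fuel):
        if isinstance(t, VALUES) and isinstance(pi, Eps):
            return t
        nxt = step(t, pi)
        if nxt is None:
            return None
        t, pi = nxt
    return None

def nat(k: int):
    v = Con("Zero", Unit())
    for _ in range(k):
        v = Con("S", v)
    return v
def to_int(v) -> Optional[int]:
    n = 0
    while isinstance(v, Con) and v.tag == "S":
        v, n = v.arg, n + 1
    return n if isinstance(v, Con) and v.tag == "Zero" else None

# No recursion primitive: `val rec` is encoded with the call-by-value fixed point
# Z = lam f.(lam x.f (lam v.x x v)) (lam x.f (lam v.x x v)).
HALF = Lam("x", App(Var("f"), Lam("v", App(App(Var("x"), Var("x")), Var("v")))))
Z = Lam("f", App(HALF, HALF))
# add = Z (lam add.lam n.lam m.[n | Zero[_] -> m | S[k] -> (lam r.S[r]) (add k m)]):
# constructors take values, so S[add k m] first binds the result of add k m to r.
ADD = App(Z, Lam("add", Lam("n", Lam("m", Case(Var("n"), (
    ("Zero", "_", Var("m")),
    ("S", "k", App(Lam("r", Con("S", Var("r"))),
                   App(App(Var("add"), Var("k")), Var("m"))))))))))
def add(n: int, m: int) -> Optional[int]:
    return to_int(run(App(App(ADD, nat(n)), nat(m))))
def agrees_on_instances(limit: int = 6) -> bool:
    """Evaluation settles add Zero m == m and add n Zero == n per closed instance only."""
    return all(add(0, k) == k and add(k, 0) == k for k in range(limit))
OMEGA = App(Lam("x", App(Var("x"), Var("x"))), Lam("x", App(Var("x"), Var("x"))))
def diverges():
    """(lam y.OMEGA) Zero * eps: call-by-value reaches the body, which never stops."""
    return run(App(Lam("y", OMEGA), nat(0)))
def escapes() -> Optional[int]:
    """mu a.((lam y.OMEGA) ([a]Zero)) * eps: the argument is evaluated first, and
    [a]Zero reinstates the saved empty stack, so OMEGA is never reached."""
    return to_int(run(Mu("a", App(Lam("y", OMEGA), Throw(SVar("a"), nat(0))))))
```

`agrees_on_instances` is the point of the "First-Order Quantification is not Enough" slide in machine form: evaluation confirms each closed instance, while the universal statements `add_Zero_m` and `add_n_Zero` need the typed proofs.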
Successful Computation and Observational Equivalence

The abstract machine may either:
- successfully compute a result (it converges),
- fail with a runtime error or never terminate (it diverges).

Definition: we write t ∗ π ⇓ iff t ∗ π ≻* v ∗ ε for some value v (t ∗ π ⇑ otherwise).

$$(\lambda x.x)\,\{\} \ast \varepsilon \Downarrow \qquad (\lambda x.x\,x)\,(\lambda x.x\,x) \ast \varepsilon \Uparrow \qquad (\lambda x.t).l_1 \ast \varepsilon \Uparrow$$

Definition: two terms are equivalent if they converge in the same contexts.

$$(\equiv) = \{(t, u) \mid \forall \sigma,\ \forall \pi,\ t\sigma \ast \pi \Downarrow \Leftrightarrow u\sigma \ast \pi \Downarrow\}$$
Types as Sets of Canonical Values

Definition: a type A is interpreted as a set of values ⟦A⟧ closed under (≡).

$$\begin{aligned}
\llbracket \{l_1 : A_1;\ l_2 : A_2\} \rrbracket &= \{\{l_1 = v_1;\ l_2 = v_2\} \mid v_1 \in \llbracket A_1 \rrbracket,\ v_2 \in \llbracket A_2 \rrbracket\} \\
\llbracket [C_1 : A_1 \mid C_2 : A_2] \rrbracket &= \{C_i[v] \mid i \in \{1, 2\},\ v \in \llbracket A_i \rrbracket\} \\
\llbracket \forall X.A \rrbracket &= \bigcap_{\Phi\ \text{type}} \llbracket A[X := \Phi] \rrbracket \qquad
\llbracket \exists X.A \rrbracket = \bigcup_{\Phi\ \text{type}} \llbracket A[X := \Phi] \rrbracket \\
\llbracket \forall x.A \rrbracket &= \bigcap_{v\ \text{value}} \llbracket A[x := v] \rrbracket \qquad
\llbracket \exists x.A \rrbracket = \bigcup_{v\ \text{value}} \llbracket A[x := v] \rrbracket
\end{aligned}$$
Membership Types and Dependency

We consider a new membership type t ∈ A (with t a term, A a type).
It is interpreted as ⟦t ∈ A⟧ = { v ∈ ⟦A⟧ | t ≡ v },
and allows the introduction of dependency.

The dependent function type ∀x∈A.B is defined as ∀x.(x ∈ A ⇒ B);
this is a form of relativised quantification scheme.
Semantic Restriction Type and Equalities

We also consider a new restriction type A ↾ P:
it is built using a type A and a "semantic predicate" P,
⟦A ↾ P⟧ is equal to ⟦A⟧ if P is satisfied and to ∅ otherwise.
We can use predicates like t ≡ u, ¬P, or two predicates P and Q joined by a connective.

The equality type t ≡ u is encoded as ⊤ ↾ (t ≡ u).
Interpretation of the Function Type

$$\llbracket A \Rightarrow B \rrbracket = \{\lambda x.w \mid \forall v \in \llbracket A \rrbracket,\ w[x := v] \in \llbracket B \rrbracket\}$$

What about λ-abstractions whose bodies are terms?
We define a completion operation ⟦A⟧ ↦ ⟦A⟧^⊥⊥.
The set ⟦A⟧^⊥⊥ contains terms "behaving" as values of ⟦A⟧.

Definition: we take $\llbracket A \Rightarrow B \rrbracket = \{\lambda x.t \mid \forall v \in \llbracket A \rrbracket,\ t[x := v] \in \llbracket B \rrbracket^{\bot\bot}\}$.
Pole and Orthogonality
��� �The de{nition oz A is parametrised by a set oz processes � � ��.
We require that p � � and q � p implies q � �.
Intuitively, � is a set oz processes that |behave well}.
The set � = p | p� is a good choice.
Rodolphe Lepigre 20 / 34
![Page 58: The PML Language · The PML Language: Realizability at the Service of Program Proofs Rodolphe Lepigre Realizability workshop { 08/03/2018 { Marseille. ... give the syntax oz programs](https://reader035.vdocuments.mx/reader035/viewer/2022071418/611601cc62fa0e54951a7dd7/html5/thumbnails/58.jpg)
Pole and Orthogonality
��� �The de{nition oz A is parametrised by a set oz processes � � ��.
We require that p � � and q � p implies q � �.
Intuitively, � is a set oz processes that |behave well}.
The set � = p | p� is a good choice.
Rodolphe Lepigre 20 / 34
�A� � ��w�w�v ��v|� ��
�A� � = ����v,�A��v�|���
�A� �� = ����t,�A� ����|��t
Value Restriction and Typing Judgments
Combining call-by-value and effects leads to soundness issues (well-known).
Usual solution: "value restriction" on some typing rules.
This is encoded with two forms of judgments:
$\Gamma \vdash_{\mathrm{val}} v : A$ for values only,
$\Gamma \vdash t : A$ for terms (including values).
\[
\dfrac{}{\Gamma, x : A \vdash_{\mathrm{val}} x : A}
\qquad
\dfrac{\Gamma, x : A \vdash t : B}{\Gamma \vdash_{\mathrm{val}} \lambda x.t : A \Rightarrow B}
\qquad
\dfrac{\Gamma \vdash_{\mathrm{val}} v : A}{\Gamma \vdash v : A}
\qquad
\dfrac{\Gamma \vdash t : A \Rightarrow B \quad \Gamma \vdash u : A}{\Gamma \vdash t\,u : B}
\]
Rodolphe Lepigre 21 / 34
Adequate Typing Rule
Theorem (adequacy lemma):
if $\vdash t : A$ is derivable then $t \in \llbracket A \rrbracket^{\bot\bot}$,
if $\vdash_{\mathrm{val}} v : A$ is derivable then $v \in \llbracket A \rrbracket$.
Proof by induction on the typing derivation.
We only need to check that our typing rules are "correct".
For example $\dfrac{\vdash_{\mathrm{val}} v : A}{\vdash v : A}$ is correct since $\llbracket A \rrbracket \subseteq \llbracket A \rrbracket^{\bot\bot}$.
Rodolphe Lepigre 22 / 34
Adequacy of For All Introduction
\[
\dfrac{\Gamma \vdash_{\mathrm{val}} v : A \qquad X \text{ not free in } \Gamma}{\Gamma \vdash_{\mathrm{val}} v : \forall X.A}
\]
We suppose $v \in \llbracket A[X := \Phi] \rrbracket$ for all $\Phi$, and show $v \in \llbracket \forall X.A \rrbracket$.
This is immediate since $\llbracket \forall X.A \rrbracket = \bigcap_{\Phi} \llbracket A[X := \Phi] \rrbracket$.
The unrestricted version of the rule is not adequate:
\[
\dfrac{\Gamma \vdash t : A \qquad X \text{ not free in } \Gamma}{\Gamma \vdash t : \forall X.A} \quad \text{(bad)}
\]
We suppose $t \in \llbracket A[X := \Phi] \rrbracket^{\bot\bot}$ for all $\Phi$, and would have to show $t \in \llbracket \forall X.A \rrbracket^{\bot\bot}$.
However, in general we only have $\bigcap_{\Phi} \llbracket A[X := \Phi] \rrbracket^{\bot\bot} \supseteq \llbracket \forall X.A \rrbracket^{\bot\bot} = \big(\bigcap_{\Phi} \llbracket A[X := \Phi] \rrbracket\big)^{\bot\bot}$, and the inclusion can be strict.
Rodolphe Lepigre 23 / 34
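Why the inclusion on this slide goes only one way, carried through with the slide's own symbols. This is an added derivation, not part of the original talk; it also spells out the fact $\llbracket A \rrbracket \subseteq \llbracket A \rrbracket^{\bot\bot}$ used on the adequacy slide above.

Write $S_\Phi = \llbracket A[X := \Phi] \rrbracket$. Two facts follow directly from the definition of $(\cdot)^{\bot}$:
\[
S \subseteq T \ \Longrightarrow\ T^{\bot} \subseteq S^{\bot} \ \Longrightarrow\ S^{\bot\bot} \subseteq T^{\bot\bot}
\qquad \text{(orthogonality is antitone, so completion is monotone)}
\]
\[
v \in S,\ \pi \in S^{\bot} \ \Longrightarrow\ v \ast \pi \in \bot\!\!\bot, \quad \text{hence} \quad S \subseteq S^{\bot\bot}
\qquad \text{(completion is extensive)}
\]
Since $\bigcap_{\Phi} S_\Phi \subseteq S_\Phi$ for every $\Phi$, monotonicity gives
\[
\llbracket \forall X.A \rrbracket^{\bot\bot} = \Big(\bigcap_{\Phi} S_\Phi\Big)^{\bot\bot} \subseteq S_\Phi^{\bot\bot} \ \text{for every } \Phi,
\quad \text{so} \quad
\llbracket \forall X.A \rrbracket^{\bot\bot} \subseteq \bigcap_{\Phi} S_\Phi^{\bot\bot}.
\]
For the value-restricted rule the premise is $v \in \bigcap_{\Phi} S_\Phi = \llbracket \forall X.A \rrbracket$, and no completion is involved. For the bad rule the premise only gives $t \in \bigcap_{\Phi} S_\Phi^{\bot\bot}$, the larger side. To conclude $t \in (\bigcap_{\Phi} S_\Phi)^{\bot\bot}$ one would need $t \ast \pi \in \bot\!\!\bot$ for an arbitrary $\pi \in (\bigcap_{\Phi} S_\Phi)^{\bot}$; such a $\pi$ need not belong to any single $S_\Phi^{\bot}$, so none of the hypotheses $t \in S_\Phi^{\bot\bot}$ says anything about $t \ast \pi$. That gap is exactly where an effectful $t$ evaluated in call-by-value can escape the typing, and why the rule is stated for values only.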
Properties of the System
Theorem (normalisation): $\vdash t : A$ implies $t \ast \varepsilon \succ^{*} v \ast \varepsilon$ for some value $v$.
Theorem (safety for simple datatypes): $\vdash t : A$ implies $t \ast \varepsilon \succ^{*} v \ast \varepsilon$ for some value $v$ with $\vdash_{\mathrm{val}} v : A$.
Theorem (consistency): there is no closed term $t$ such that $\vdash t : \bot$.
Rodolphe Lepigre 24 / 34
Part III
Semantical Value Restriction
Rodolphe Lepigre 25 / 34
Derived Rules for Dependent Functions
\[
\dfrac{\Gamma, x : A \vdash t : B[a := x]}{\Gamma \vdash_{\mathrm{val}} \lambda x.t : \forall a \in A.B}
\qquad
\dfrac{\Gamma \vdash t : \forall a \in A.B \quad \Gamma \vdash_{\mathrm{val}} v : A}{\Gamma \vdash t\,v : B[a := v]}
\]
The application rule is derived by unfolding $\forall a \in A.B$ into $\forall a.(a \in A \Rightarrow B)$:
\[
\dfrac{
  \dfrac{\dfrac{\vdash t : \forall a \in A.B}{\vdash t : \forall a.(a \in A \Rightarrow B)}\ \text{(Def)}}{\vdash t : v \in A \Rightarrow B[a := v]}\ (\forall_e)
  \qquad
  \dfrac{\dfrac{\vdash_{\mathrm{val}} v : A}{\vdash_{\mathrm{val}} v : v \in A}\ (\in_i)}{\vdash v : v \in A}
}{\vdash t\,v : B[a := v]}\ (\Rightarrow_e)
\]
Value restriction breaks the compositionality of dependent functions.
// add_n_Zero : ∀n∈nat, add n Zero ≡ n
add_n_Zero (add Zero S[Zero]) : add (add Zero S[Zero]) Zero ≡ add Zero S[Zero]
Here the argument add Zero S[Zero] is a term, not a value, so the application rule above cannot be used even though the argument computes to a value.
Rodolphe Lepigre 26 / 34
Semantical Value Restriction
We replace
\[
\dfrac{\vdash t : \forall a \in A.B \quad \vdash_{\mathrm{val}} v : A}{\vdash t\,v : B[a := v]}
\quad \text{by} \quad
\dfrac{\vdash t : \forall a \in A.B \quad \vdash u : A \quad u \equiv v}{\vdash t\,u : B[a := u]}.
\]
This requires changing
\[
\dfrac{\vdash_{\mathrm{val}} v : A}{\vdash_{\mathrm{val}} v : v \in A}
\quad \text{into} \quad
\dfrac{\vdash t : A \quad t \equiv v}{\vdash t : t \in A}.
\]
Can this rule be derived in the system?
\[
\dfrac{
  \dfrac{
    \dfrac{
      \dfrac{\dfrac{\vdash t : A \quad t \equiv v}{\vdash v : A}\ (\equiv)}{\vdash_{\mathrm{val}} v : A}
    }{\vdash_{\mathrm{val}} v : v \in A}\ (\in_i)
  }{\vdash v : v \in A}
  \qquad t \equiv v
}{\vdash t : t \in A}\ (\equiv)
\]
Rodolphe Lepigre 27 / 34
Biorthogonal Completion Closed for Values
Everything goes down to having a rule $\dfrac{\vdash v : A}{\vdash_{\mathrm{val}} v : A}$.
It should not be confused with $\dfrac{\vdash_{\mathrm{val}} v : A}{\vdash v : A}$.
Semantically, this requires that $v \in \llbracket A \rrbracket^{\bot\bot}$ implies $v \in \llbracket A \rrbracket$.
The biorthogonal completion should not introduce new values.
The rule seems reasonable, but it is hard to justify semantically.
Rodolphe Lepigre 28 / 34
The New Instruction Trick
We do not have "$v \in \llbracket A \rrbracket^{\bot\bot}$ implies $v \in \llbracket A \rrbracket$" in every realizability model.
We extend the system with a new term constructor $\delta_{v,w}$ such that
$\delta_{v,w} \ast \pi \succ v \ast \pi$ iff $v \not\equiv w$ (when $v \equiv w$ the process $\delta_{v,w} \ast \pi$ is stuck).
Idea of the proof with $\bot\!\!\bot = \{p \mid p \Downarrow\}$:
We assume $v \in \llbracket A \rrbracket^{\bot\bot}$ and show $v \in \llbracket A \rrbracket$, by contradiction: suppose $v \notin \llbracket A \rrbracket$.
We need to find $\pi \in \llbracket A \rrbracket^{\bot}$ such that $v \ast \pi \notin \bot\!\!\bot$.
That is, we need to find $\pi$ such that $v \ast \pi \notin \bot\!\!\bot$ and $\forall w \in \llbracket A \rrbracket,\ w \ast \pi \in \bot\!\!\bot$.
We can take $\pi = [\lambda x.\delta_{x,v}]\varepsilon$.
\[
v \ast [\lambda x.\delta_{x,v}]\varepsilon \ \succ\ \lambda x.\delta_{x,v} \ast v \cdot \varepsilon \ \succ\ \delta_{v,v} \ast \varepsilon \ \not\Downarrow
\]
\[
w \ast [\lambda x.\delta_{x,v}]\varepsilon \ \succ\ \lambda x.\delta_{x,v} \ast w \cdot \varepsilon \ \succ\ \delta_{w,v} \ast \varepsilon \ \succ\ w \ast \varepsilon \ \Downarrow \quad \text{if } w \in \llbracket A \rrbracket
\]
(for $w \in \llbracket A \rrbracket$ we have $w \not\equiv v$, since $v \notin \llbracket A \rrbracket$ and the interpretation of a type is closed under $\equiv$, so the $\delta$ step fires).
Rodolphe Lepigre 29 / 34
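A toy call-by-value stack machine that runs the separating stack $[\lambda x.\delta_{x,v}]\varepsilon$ from this slide, added here as an example; it is not PML's implementation and is not code from the talk. Processes are $t \ast \pi$ with stacks $\varepsilon$, $v \cdot \pi$ and $[t]\pi$, stepping as on the slides. The machine also runs a finite version of the argument of the previous slides: `orthogonal` and `biorthogonal_values` compute $A^{\bot}$ and the values of $A^{\bot\bot}$ over a small candidate set of stacks, first without and then with $\delta$-separators, so that the "new values" sneaking into the completion become visible. All function and constructor names are the example's own. One assumption to keep in mind: the equivalence consulted by $\delta_{v,w}$ is approximated by syntactic equality of closed values, which is decidable and is enough for this demonstration, whereas the real model uses the observational equivalence defined by the stratified construction on the next slide.

```python
"""Toy call-by-value stack machine with the delta_{v,w} instruction.

Added example for this page, not PML's implementation.  Processes are t * pi
with stacks epsilon, v.pi and [t]pi, and reduce as on the slides.  The
equivalence consulted by delta_{v,w} is approximated by syntactic equality of
closed values (an assumption of this toy; the real model uses the undecidable
observational equivalence built by the stratified construction).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Delta:  # delta_{v,w}: steps to v only when v and w differ, stuck otherwise
    v: "Term"
    w: "Term"

Term = Union[Var, Lam, App, Delta]

@dataclass(frozen=True)
class Eps:  # the empty stack epsilon
    pass

@dataclass(frozen=True)
class Arg:  # v.pi : an argument pushed for a function
    value: Term
    rest: "Stack"

@dataclass(frozen=True)
class Frame:  # [t]pi : a function waiting for its (evaluated) argument
    fun: Term
    rest: "Stack"

Stack = Union[Eps, Arg, Frame]
Process = Tuple[Term, Stack]

def is_value(t: Term) -> bool:
    return isinstance(t, (Var, Lam))

def subst(t: Term, x: str, v: Term) -> Term:
    """t[x := v] for a closed value v (so no variable capture can occur)."""
    if isinstance(t, Var):
        return v if t.name == x else t
    if isinstance(t, Lam):
        return t if t.var == x else Lam(t.var, subst(t.body, x, v))
    if isinstance(t, App):
        return App(subst(t.fun, x, v), subst(t.arg, x, v))
    return Delta(subst(t.v, x, v), subst(t.w, x, v))

def step(t: Term, pi: Stack) -> Optional[Process]:
    """One machine step t * pi > t' * pi', or None when the process is stuck."""
    if isinstance(t, App):                          # (t u) * pi     >  u * [t]pi
        return t.arg, Frame(t.fun, pi)
    if is_value(t) and isinstance(pi, Frame):       # v * [t]pi      >  t * v.pi
        return pi.fun, Arg(t, pi.rest)
    if isinstance(t, Lam) and isinstance(pi, Arg):  # (\x.t) * v.pi  >  t[x:=v] * pi
        return subst(t.body, t.var, pi.value), pi.rest
    if isinstance(t, Delta) and t.v != t.w:         # delta_{v,w} * pi > v * pi  (v =/= w)
        return t.v, pi
    return None                                     # delta_{v,v}, or a final v * epsilon

def trace(t: Term, pi: Stack, fuel: int = 1000) -> List[Process]:
    """All states visited from t * pi until it is final, stuck, or fuel runs out."""
    states = [(t, pi)]
    for _ in range(fuel):
        nxt = step(*states[-1])
        if nxt is None:
            break
        states.append(nxt)
    return states

def converges(t: Term, pi: Stack, fuel: int = 1000) -> bool:
    """p converges: the process reaches some v * epsilon (membership in the pole)."""
    last_t, last_pi = trace(t, pi, fuel)[-1]
    return is_value(last_t) and isinstance(last_pi, Eps)

def separator(v: Term) -> Stack:
    """The stack [\\x.delta_{x,v}] epsilon of the slide: v gets stuck against it,
    every value w differing from v reduces to w * epsilon and converges."""
    return Frame(Lam("x", Delta(Var("x"), v)), Eps())

def orthogonal(values: List[Term], stacks: List[Stack]) -> List[Stack]:
    """A orthogonal, cut down to the candidate stacks: pi with v * pi converging for all v in A."""
    return [pi for pi in stacks if all(converges(v, pi) for v in values)]

def biorthogonal_values(values: List[Term], candidates: List[Term],
                        stacks: List[Stack]) -> List[Term]:
    """Candidate values lying in the biorthogonal of A when only the given stacks exist."""
    orth = orthogonal(values, stacks)
    return [w for w in candidates if all(converges(w, pi) for pi in orth)]

ID = Lam("y", Var("y"))              # \y.y
K = Lam("y", Lam("z", Var("y")))     # \y.\z.y

if __name__ == "__main__":
    print("(ID K) * eps converges:", converges(App(ID, K), Eps()))
    print("ID against its own separator:", converges(ID, separator(ID)))  # stuck
    print("K against ID's separator:", converges(K, separator(ID)))       # converges
    # A = {ID}. With epsilon as the only stack, K sneaks into the biorthogonal ...
    print(biorthogonal_values([ID], [ID, K], [Eps()]))
    # ... but once delta-separators are available the completion adds no new value.
    print(biorthogonal_values([ID], [ID, K], [Eps(), separator(ID), separator(K)]))
```

Running the script shows the two traces of the slide: `ID` stops at $\delta_{\mathrm{ID},\mathrm{ID}} \ast \varepsilon$, while `K` passes through $\delta_{K,\mathrm{ID}} \ast \varepsilon$ to $K \ast \varepsilon$. The last two lines are the point of the trick: with $\varepsilon$ as the only available stack, every value is orthogonal to $\{\mathrm{ID}\}^{\bot}$ and `K` is a "new value" of the completion; once the separator stacks exist, $\{\mathrm{ID}\}^{\bot}$ contains $[\lambda x.\delta_{x,K}]\varepsilon$, against which `K` is stuck, so the completion is closed for values.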
Well-defined construction of equivalence and reduction
Problem: the definitions of $(\equiv)$ and $(\succ)$ are circular (the reduction of $\delta_{v,w}$ consults $\equiv$, and $\equiv$ is defined in terms of convergence, hence of $\succ$).
We need to rely on a stratified construction of the two relations.
\[
(\succ_i) = (\succ) \cup \{(\delta_{v,w} \ast \pi,\ v \ast \pi) \mid \exists j < i,\ v \not\equiv_j w\}
\]
\[
(\equiv_i) = \{(t, u) \mid \forall j \le i,\ \forall \pi,\ \forall \sigma,\ t\sigma \ast \pi \Downarrow_j \Leftrightarrow u\sigma \ast \pi \Downarrow_j\}
\]
where $(\succ)$ on the right-hand side is the reduction without the $\delta$-rule and $\Downarrow_j$ is convergence for $(\succ_j)$. We then take
\[
(\succ) = \bigcup_{i \in \mathbb{N}} (\succ_i) \qquad \text{and} \qquad (\equiv) = \bigcap_{i \in \mathbb{N}} (\equiv_i).
\]
Rodolphe Lepigre 30 / 34
"Demo" (?) and Conclusion
Rodolphe Lepigre 31 / 34
Things That I did not Show
1) Syntax-directed typing and subtyping rules using:
local subtyping judgments of the form $t \in A \subseteq B$,
choice operators like $\varepsilon_{x \in A}(t \notin B)$ or $\varepsilon_{X}(t \notin A)$,
an encoding of "neutral terms" into reduction.
2) Inductive types, coinductive types and recursion (more recent) using:
circular typing and subtyping proofs,
well-foundedness established using the size-change principle.
3) Unreachable code and refutation of patterns.
Rodolphe Lepigre 32 / 34
Future Work
Practical issues (work in progress):
Composing programs that are proved terminating.
Extensible records and variant types (inference).
Toward a practical language:
Compiler using typing information for optimisations.
Built-in types (int64, float) with their specification.
Theoretical questions:
Can we handle more side-effects? (mutable cells, arrays)
What can we realise with (variations of) $\delta_{v,w}$?
Can we extend the system with quotient types?
Can we formalise mathematics in the system?
Rodolphe Lepigre 33 / 34
References for Technical Details
A Classical Realizability Model for a Semantical Value Restriction
R. Lepigre (ESOP 2016)
https://lepigre.fr/files/docs/lepigre2016_svr.pdf
Practical Subtyping for Curry-Style Languages
R. Lepigre and C. Raffalli (submitted to TOPLAS)
https://lepigre.fr/files/docs/lepigre2017_subml.pdf
Semantics and Implementation of an Extension of ML for Proving Programs
R. Lepigre, PhD manuscript
http://lepigre.fr/files/docs/phd.pdf
Rodolphe Lepigre 34 / 34
Thanks!