axiomatic reals in type theory for program extractionsimpson/ccc2019talks/park.pdf · axiomatic...

Axiomatic Reals in Type Theory for ProgramExtraction

Sewon ParkKAIST

CCC2019, September 4, 2019

This work was supported by the National Research Foundation of Korea (NRF)grants funded by the Korea government (MSIT) (No. NRF-2016K1A3A7A03950702& No. NRF-2017R1E1A1A03071032) and the grant funded by the Koreagovernment (MOE) (No. NRF-2017R1D1A1B05031658) .

Sewon Axiomatic Reals in Type Theory for Program ExtractionSeptember 4, 2019 1 / 33

Outline

1 Motivation

2 Set of Axioms

3 Example: IVT


Motivation

Motivation


Motivation

Motivation: Exact Real Numbers in PL

Internal approaches:Construct a datatype REAL from primitive datatypesArithmetic operations defined by primitive operations(induced) Semantics are of course computable(?)

External approaches:Have primitive datatype REALArithmetic operations are primitiveNo need to care about representation related detailsNeed to be cautious that (defined) semantics are computable

REALPCF WHILECC* ERCiRRAM Ariadne AERN2 Marshall


Motivation


Pick one programming language with type systemAdd Real to its primitive datatypesAdd Real typed constants 0, 1,−1, · · ·Add primitive operators +,−,×, · · ·Define their semantics Jt : RealK ⊆ R ∪ {⊥}

J42K := {42}

Jx+ yK :=⋃

v1∈JxK v2∈JyK

{{v1 + v2} if v1, v2 6= ⊥{⊥} otherwise

Defined semantics should be computableMany computable functions should be expressible


Motivation


Partiality of Comparison:

Jx > yK :=⋃

v1∈JxK v2∈JyK

{tt} if v1 > v2

{ff } if v2 > v1

{⊥} if v1 = v2

Multivaluedness:

Jchoose(b1, b2)K :=⋃

v1∈Jb1K v2∈Jb2K

{tt} if v1 = tt{ff } if v2 = tt{⊥} if v1 = v2 = ⊥ or ff

Limit:when there exists u ∈ R s.t. ∀y ∈ Jf(n, x)K, |y − u| < 2−n

Jlimit(n, f(n, x))K := {u}


Motivation


NaiveComp(x, y) := x > y

SoftComp(x, y, e) := choose(x > y − e, y > x− e)

Max(x, y) := limit(n, if SoftComp(x, y, 2−n) then x else y)


Motivation

Motivation: Exact Real Numbers in TT

Real number type by constructionBuild a type REAL from primitive typesArithmetic operations definedProperties of real numbers can be proved.

Real number type by axiom:Say REAL is a type!Arithmetic operations are assumed as term constantsno need to care about representation related detailsProperties of real numbers also are axioms


Motivation

Motivation: Coq’s standard library for reals

Type R is assumed.Constants 0, 1 : R are assumed.terms +, ∗ : R→ R→ R, ×,÷ are assumed.The following axioms assumed:

Axiom Rplus_comm : ∀x y:Rx+ y = y + x

Axiom Rplus_assoc : ∀x y z:Rx+ y + z = x+ (y + z)...Axiom total_order_T : ∀x y:Rx > y ∨ x = y ∨ y > x

...


Motivation

Motivation: Coq’s standard library for reals(Consequence)

Lemma Sign : ∀x:R∃b:boolx > 0→ b = true ∧ x ≤ 0→ b = falseProofcase distinction ontotal_order_T : ∀x y:Rx > y ∨ x = y ∨ y > x

QedExtraction Sign

Which set of axioms?..


Set of Axioms

Set of Axioms


Set of Axioms

Base TT

Constructive Typei → ∧ ∀∃ ∨

Classical Prop ∃ ∨

∃x:AB(x) := [∃x:AB(x)]=T ,N, 2, 1, 0 and their induction principlesLEM and proof irrelevance assumedand R!!


Set of Axioms

Partiality, Multivaluedness and Limit

∀x y:Rx > y ∨ x = y ∨ y > x is Okay∀x y:Rx > y ∨ x = y ∨ y > x is not!is ∀x y e:Re > 0→ x > y − e ∨ y > x− e okay to have?

f : ∀x y e:Re > 0→ x > y − e ∨ y > x− efor any x = x′, y = y′ and p : e > 0 we have

f x y e p = f x′ y′ e p ={〈0, ·〉〈1, ·〉


Set of Axioms


Motivation:Given two semi-decidable propositions P,QGiven a promise that at least one of the two holds (withoutknowing exactly which one does)We can choose one multivaluedly

Axiom (Partiality type)S is a type with two known elements ↓, ↑: SDefine s ↓ to denote s = ↓: prop

Definitionsemi P := ∃s:S P ↔ s ↓


Set of Axioms


Axiom (Partiality type)S is a type with two known elements ↓, ↑: SDefine s ↓ to denote s = ↓: prop


Example

∀n m:N semi n = m

Define dec P := P ∨ ¬P . Then, dec P → semi Psemi P → dec P?


Set of Axioms


Axiom (multivalued types)When T is a type, mv T is a type. For any t : T , we haveι t : mv T .For any function f : A→ mv B, we can lift its domainlift f : mv A→ mv B.When T is weakly singleton, we can recover the single valuedelement r : ∃t:T 1→ ∀a b:Ta = b→ mv T → T .

Definition (multivalue existence)

Let ∃a:AB(a) be the multivalued type mv(∃a:AB(a)

)Let A ∨ B be the multivalued type mv

(A ∨B

)


Set of Axioms


Example (multivalue join)Suppose f : A→ ∃x:C P (x)Suppose g : B → ∃x:C P (x)Case distinction yields k : A ∨B → ∃x:C P (x)Injection and lifting yields k : A ∨ B → ∃x:C P (x)If A ∨ B is known, we have ∃x:C P (x)

Exactly the multivalued branching


Set of Axioms

Partiality, Multivaluedness and LimitMotivation:

Given two semi-decidable propositions P,QGiven a promise that at least one of the two holds (withoutknowing exactly which one does)We can choose one multivaluedly

Axiom (multivalued select)select : ∀s1,s2:S s1 ↓ ∨ s2 ↓ → s1 ↓ ∨ s2 ↓


Lemmachoose : ∀P,Q:prop semi P → semi Q→ P ∨ Q→ P ∨ Q


Set of Axioms


Example∀P :Prop semi P → semi ¬P → dec PProof

LEM P : P ∨ ¬PLet p1 : semi P and p2 : semi ¬Pchoose P ¬P p1 p2 (LEM P ) : P ∨ ¬PP ∨ ¬P is weakly singletonrecovering axiom yields P ∨ ¬P

Qed


Set of Axioms


∀x y:Rx > y ∨ x = y ∨ y > x is Okay∀x y:Rx > y ∨ x = y ∨ y > x is not!∀x y e:Re > 0→ x > y − e ∨ y > x− e is also not!Instead, we have ∀x y:R semi x > y

ExampleSoftComp : ∀x,y,ε:R ε > 0→ (x > y − ε ∨ y > x− ε)Proof

t : x > y − ε ∨ y > x− ε form weak totalitya : semi (x > y − ε) and b : semi (x > y − ε) are from axiomschoose a b t is a proof for (x > y − ε ∨ y > x− ε)

Qed


Set of Axioms


Example∀x:R x 6= 0→ x > 0 ∨ 0 > xProof

From weak total order, x > 0 ∨ x < 0From choose and semi, we have x > 0 ∨ x < 0x > 0 ∨ x < 0 weakly singletonRecovering axiom yields x > 0 ∨ x < 0

Qed


Set of Axioms


if a sequence of multivalued real numbers converge to a point u, the ucan be computed

lim :∃!u:R P u→∀n:N ∃z:R ∃u:R P u ∧ |z − u| < 2−n →∃u:R P u


Set of Axioms


Example (Maximum)∀x,y:R∃z:RM x y z where M x y z := x ≥ y → x = z ∧ y > x→ y = zProof

unique : ∃!z:RM ;x y z.Assume any natural number nConstruct f : x > y − 2−n → ∃u:R∃z:RM(x, y, z) ∧ |u− z| < 2−n

Construct g : y > x− 2−n → ∃u:R∃z:RM(x, y, z) ∧ |u− z| < 2−n

join f and g yieldsx > y − 2−n ∨ y > x− 2−n → ∃u:R∃z:RM(x, y, z) ∧ |u− z| < 2−n

SoftComp yields x > y − 2−n ∨ y > x− 2−n.Hence, we have k : ∀n:N∃u:R∃z:RM(x, y, z) ∧ |u− z| < 2−n

lim unique k is a proof.

QedSewon Axiomatic Reals in Type Theory for Program ExtractionSeptember 4, 2019 23 / 33

Set of Axioms

Axioms for Reals

Classical axioms for complete ordered field:

field axioms A1 0 6= 1A2 x+ y = y + x A3 x+ y + z = x+ (y + z)A4 x+ 0 = x A5 x− x = 0A6 x ∗ y = y ∗ x A7 x ∗ y ∗ z = x ∗ (y ∗ z)A8 x ∗ 1 = x A9 x ∗ /x = 1A10 x ∗ (y + z) = x ∗ y + x ∗ z order axiomsA11 x = y ∨ x > y ∨ y > x A12 x > y → y > z → x > z

A13 x > y → ¬y > x A14 x > y → x+ z > y + z

A15 z > 0 → x > y → z ∗ x→ z ∗ y order completeness


Set of Axioms

Axioms for Reals

Axioms for complete ordered field:

field axioms A1 0 6= 1A2 x+ y = y + x A3 x+ y + z = x+ (y + z)A4 x+ 0 = x A5 x− x = 0A6 x ∗ y = y ∗ x A7 x ∗ y ∗ z = x ∗ (y ∗ z)A8 x ∗ 1 = x A9 ∀t:x 6=0 x/t = 1A10 x ∗ (y + z) = x ∗ y + x ∗ z order axiomsA11 x = y ∨ x > y ∨ y > x A12 x > y → y > z → x > z

A13 x > y → ¬y > x A14 x > y → x+ z > y + z

A15 z > 0 → x > y → z ∗ x→ z ∗ y A16 semi x > y

A17 ∃n:N|x| < n < |x|+ 1 metric completeness (lim)


Set of Axioms

Axioms for Reals

Axiom (Reals R)R is a type with two known elements 0, 1 : R.+,-,*,/ are constantsThe axioms are inhabited


Example: IVT

Example: IVT


Example: IVT

Example: IVT

IVT f x y : continuous function f weakly has its root in (x, y)when f x < 0 < f y

IVT? f x y : continuous function f has its root in (x, y) whenf x < 0 < f y

uniq f x y := continuous f has weakly unique root in (x, y) withf x < 0 < f y

IVT f x y : f has a root in (x, y) when uniq f x y holds


Example: IVT

Example: IVT

refinement : ∀a b c:R a < b < c→ uniq f a c→f b < 0→ uniq f b c∧f b > 0→ uniq f a b

˜Signtest : ∀a b c d:Ra < b < c < d→ uniq f a d→ fb < 0 ∨ fc > 0Signtest : ∀a b c d:Ra < b < c < d→ uniq f a d→ fb < 0 ∨ fc > 0trisection_step : ∀a d:Ra < d→ uniq f a d→∃b c:Runiq f b c ∧ |c− d| < 2 ∗ |d− a|/3


Example: IVT

Example: IVT

∀n:N∃x y:R uniq f x y ∧ |y − x| < 2−n

Induction on n:∃a d:Runiq f a d ∧ |d− a| < 2−n

∃b c:Runiq f b c ∧ |b− c| < 2−n−1

Apply lift:∃a d:Runiq f a d ∧ |d− a| < 2−n

∃b c:Runiq f b c ∧ |b− c| < 2−n−1

Apply trisection_step twice


Example: IVT

Program Extraction

〈〈mv T 〉〉 := 〈〈T 〉〉〈〈ιt〉〉 := 〈〈t〉〉〈〈lift f〉〉 := 〈〈f〉〉〈〈S〉〉 := unit 〈〈↓〉〉 := ∗ 〈〈↑〉〉 := ⊥〈〈select s1 s2 p〉〉 := select 〈〈s1〉〉〈〈s2〉〉

lim : ∀P :R→prop ∃!z:R P z → (∀n:N. (∃z:R ∃u:R P u ∧ |u− z| < 2−n))→∃u:RP u

〈〈lim p f〉〉 := limλ n. fst 〈〈f〉〉 nA16 : semi x > y := ∃s:S s ↓↔ x > y

〈〈A16 x y〉〉 := (x > y, ∗)


Example: IVT

Program Extraction

implemented in OCaml (for fun); already takes few minutes totype check and extract the proof for max:

implemented in Coq as the standard library is:


Example: IVT

Conclusion

Specified a set of axioms for having real numbers which enablesERC-like program extractionProved some example lemmasfuture works?..


axiomatic reals in type theory for program extractionsimpson/ccc2019talks/park.pdf · axiomatic...

Documents