
Page 1: Design and formal proof of a new optimal image segmentation

Design and formal proof of a new optimal

image segmentation program with hypermaps

Jean-François Dufourd

Université Louis-Pasteur de Strasbourg, UFR de Mathématique et d’Informatique,

Laboratoire des Sciences de l’Image, de l’Informatique et de la Télédétection (LSIIT, UMR CNRS-ULP 7005),

Pôle API, Boulevard Sébastien Brant, 67400 Illkirch, France

Abstract

This article presents the design of a new functional 2D image segmentation algorithm by cell merging in a subdivision, its proof of total correctness, and the derivation of an optimal imperative program. The planar subdivisions are modeled by hypermaps. The formal specifications of hypermaps and segmentation are developed in the Calculus of Inductive Constructions. The proofs are assisted by the Coq system. The final program is written in C.

Key words: image segmentation, hypermaps, formal specification, Coq system, computer-aided correctness proof

1 Introduction

This article presents an application of advanced software engineering and geometric modeling techniques in computer imagery, namely the design of a new functional algorithm of segmentation by cell merging, its computer-aided correctness proof and the derivation of an original optimal imperative program.

Segmentation is one of the most common problems in computer imagery. Basically, it consists in grouping adjacent pixels or voxels of the same colour into clusters. In this paper, the problem is treated in a general way for any initial coloured finite subdivision of the plane.

Email address: [email protected] (Jean-François Dufourd).

Preprint submitted to Pattern Recognition 9 February 2007


Such a subdivision is composed of a finite set of cells of dimensions 0, 1 and 2, i.e. vertices, edges and coloured faces, equipped with incidence and adjacency relationships. The geometrical forms and localizations of the cells within the plane do not matter. In other words, a coloured finite subdivision is a purely topological structure, and the segmentation problem is above all the concern of computational topology.

For our purpose, plane subdivision topologies are best described by combinatorial map models, the most generic being the hypermaps, which are homogeneous at all dimensions. The notion of hypermap and the operations it involves can be axiomatized to formally prove properties of subdivisions. It is the basis of a formal specification of algorithms involving subdivisions in computational topology, among them segmentation. Equipped with an embedding in a Euclidean space, it is an attractive data structure for computational geometry as well.

In the following, we show how a hypermap framework for coloured finite plane subdivisions and the operations it involves, including segmentation, is entirely formalized from scratch in a constructive way. We show how the proofs, especially the one of the segmentation operation, are developed interactively and verified by a proof assistant. Indeed, considering the volume of the formal developments, that is the only way to ensure comfort and safety. We have opted for the Coq system developed at INRIA from the Calculus of Inductive Constructions. Finally, we show how a very efficient segmentation program written in an imperative language, namely C, is easily derived from a functional version of the segmentation algorithm into a realistic implementation of the hypermaps.

The paper is organized as follows. In Section 2, we recall the problem of plane segmentation in relation with partitions and subdivisions. In Section 3, we summarize related work in computational topology and geometry, imagery and computer-aided proofs. In Section 4, we recall some basic mathematical facts about subdivisions and hypermaps. In Section 5, we present some preliminary formal specifications and we inductively define a type of free maps, in which all our specifications are rooted. In Section 6, we summarize the central notion of quasi-hypermap, a kind of open hypermap, and we specify hypermaps and their features. In Section 7, we inductively specify a two-step segmentation on quasi-hypermaps and hypermaps. In Section 8, we prove the correctness of the segmentation of coloured hypermaps. In Section 9, we derive an implementation and an imperative optimal segmentation program from the specification. Finally, in Section 10, we present some concluding remarks and outline future work.

We progressively recall the main features of the Coq system used in our work. The whole process of specification and proof is described and explained, but the full details of the proofs are out of the scope of this paper.

2 Segmentation and partitions

Image segmentation is often necessary to distinguish an object of interest from the rest of the image. Usually it consists in partitioning the image at best into homogeneous zones.

More precisely, let π be a Euclidean plane supporting a continuous coloured image. The partition set of π is ordered as follows: a partition B is coarser than a partition A if each class of A is included in a class of B. Supposing that all the partitions satisfy a given criterion, the segmentation problem consists, starting from an initial partition A, in finding a partition coarser than A and maximal for this ordering [30]. For complex or noisy images, with criterion and thresholding worries, the problem can be awfully difficult [29, 19, 30]. In all the following, we only consider a very simple segmentation problem operating on partitions of the Euclidean plane through finite coloured subdivisions.

Definition 1 (Finite plane subdivision) A finite planar subdivision of π is a 3-tuple S = (V, E, F) composed of a finite set V of points called vertices, a finite set E of open Jordan arcs called edges, and a finite set F of open connected regions called faces, such that: (i) the vertices, edges and faces of S, also called the k-cells of S, determine a partition of π; (ii) each edge of S is bordered by 1 or 2 vertices of S.

An example is shown in Fig. 1(a), where we can notice dangling edges and an isolated vertex. In S, faces are said to be internal if they are bounded and external otherwise. When the underlying graph (V, E) is disconnected, one must consider that there is exactly one unbounded face per connected component. Of course, in usual image analysis, the notion of unbounded face is merely a convenience to avoid dealing with the image border. Fig. 1(a) contains 4 connected components and 4 external faces.

The segmentation criterion is the preservation of the colour of each point, a homogeneous coloration of the interior of each face, and the preservation of the vertices and edges which border two faces of different colours. Each colour (or grey-level) is coded by a natural number. By convention, the colour of each edge or vertex is a rational obtained as the average of the colours of its incident faces. In this case, the subdivisions are said to be well coloured. With this criterion, we have the uniqueness of the maximal subdivision for the segmentation problem. Fig. 1(b) shows the segmentation of Fig. 1(a). Of course, it is obtained by cell merging. Note that the dangling edges and the isolated vertex have disappeared.

Fig. 1. An example of coloured finite plane subdivision and its segmentation: (a) a finite coloured plane subdivision; (b) segmentation of the subdivision in (a).

3 Related work

3.1 Segmentation and subdivision

If we follow J. Serra [30], the literature is rich in more than one thousand image segmentation algorithms. Roughly, their strategies can be divided into region growing and border seeking. The first rely on classification methods (dynamic clouds, neural networks, etc.), and the second on mathematical analysis methods (gradient, convolution, variational calculus, snakes, etc.), often inspired by physics (waves, watershed, energy, optics, etc.), in continuous or discrete spaces [29, 19, 30].

Here, we are extremely modest in comparison with such sophisticated methods. We only aim at rigorously designing and explaining a new algorithm which makes regions grow by cell merging while removing some edges and vertices, in a coloured subdivision. To be general, formal and constructive, we need a convenient mathematical model of subdivisions.


3.2 Models of subdivisions

Models of finite plane subdivisions often derive from models of polyhedra, which have been investigated in many ways in geometric modeling [28]. One of the most widely used techniques to describe polyhedra (or plane subdivisions) is the boundary representation, which considers them through their cells, as well as incidence and adjacency relationships between cells.

Formal descriptions of polyhedra cells and relationships are mainly based on graphs [22]. Among them, the most studied are the combinatorial map models [32, 22], one of the most generic being the hypermaps [10]; we choose to use them because of their genericity. Hence, our hypermap segmentation directly works on other map models, particularly on the combinatorial oriented maps [32], which have the same modeling power as the winged edge [2].

Map models are used in many applications in computational geometry and geometric modeling [16, 4]. They are often used to represent subdivisions in computer imagery and to perform segmentation, in 2D and in 3D [6, 5, 12]. Often, map segmentation algorithms work in particular contexts, for instance with an initial subdivision reduced to a pixel or voxel grid. They require a strategy based on a specific ordering to traverse the representation cells. They use numerous local pixel/voxel configurations, or precodes, to represent the different cases encountered [11, 12]. Conversely, our present propositions deal with general subdivisions, allow any ordering and traversal strategy, and require the examination of a limited number of cases. However, for the time being, we solve a basic segmentation problem in 2D only.

Finally, in [14], one can find a functional OCaml program based on principles rather similar to the one we present hereafter. However, it uses a kind of recursion which does not allow proofs by structural induction. In addition, it does not lead so easily to an imperative program. All that is greatly revised and corrected in the present work.

3.3 Formal specifications and proofs

To develop our specifications and proofs, we have chosen as a logical framework the Calculus of Inductive Constructions, or CiC [8, 25], which is a higher order intuitionistic logic based on type theory, λ-calculus and induction. A main advantage of CiC is that it is implemented in the Coq proof assistant. The specification language Gallina, the system libraries and the tactics of Coq have provided an appropriate support for all our studies. For a first glimpse into the Coq system, the reader can follow the on-line tutorial [20]. All the system features are detailed in [9]. For a comprehensive Coq presentation more oriented towards program certification, the reader can refer to [3].

To our knowledge, not a single experiment in computer-aided proof for image analysis or processing had been conducted before. Successful experiments have been carried out in computational geometry [26, 24]. A formalization in Isabelle/Isar of planar graphs is proposed in [1] to model planar triangulations and to prove the five colour theorem. However, the chosen model is designed for triangulations only and needs to manage an external face specifically. Using map models instead of graphs would probably help to generalize this work.

Finally, Coq specifications of map models and proofs using Coq are proposed in [27, 13] for geometric modeling. Hypermaps are the central combinatorial structures used in [17] to prove the four colour theorem for a planar subdivision using Coq. The main part of this work is the gigantic proof of the theorem following the pioneers’ proofs, while using hypermaps and sophisticated proof techniques. This is an impressive result. However, a redundancy appears in the hypermap description and the primitive constructors are neither intuitive nor atomic. Our present hypermap specifications offer more simplicity.

4 Mathematical Aspects

4.1 Subdivisions and hypermaps

The topology of a finite planar subdivision can be described by a hypermap.

Definition 2 (Hypermap) (i) A hypermap is an algebraic structure M = (D, α0, α1), where D is a finite set, the elements of which are called darts, and where α0, α1 are permutations on D. M is a combinatorial oriented map if α0 is an involution. (ii) If y = αk(x), y is the k-successor of x, x is the k-predecessor of y, and darts x and y are said to be k-linked, or k-sewn, together.

Example 3 (Hypermap) Let D = {1, . . . , 32}. Table 1 shows functions α0 and α1, which are permutations, i.e. one-to-one correspondences, on D. So, M = (D, α0, α1) is a hypermap. In Fig. 2, M is drawn on the plane by associating each dart with an oriented arc of curve beginning with a bullet and ending with a small stroke: 0-sewn darts share the same small stroke, while 1-sewn darts share the same bullet. This hypermap models the subdivision in Fig. 1(a). Additions of darts, edges or vertices are sometimes necessary to maintain the hypermap consistency.


Table 1. Permutations α0 and α1 of the hypermap in Fig. 2.

dart   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
α0     2  3  1  7  9  5  8  4 10  6 14 11 12 13 17 16
α1    11  2  4  5  6  3  1 12  8 17  7 13 20 16 14 15

dart  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
α0    20 19 18 15 23 24 21 25 22 29 28 27 26 31 30 32
α1    10 18 19  9 22 21 31 23 28 27 26 29 25 24 30 32

Fig. 2. An example of hypermap (the darts 1 to 32 of Table 1 drawn in the plane).

A convention we always adopt in drawings is that k-successors turn counterclockwise in the plane around strokes and bullets. Our hypermap definition allows the void map, i.e. with D = Ø, and fixpoints with respect to k, i.e. darts x such that αk(x) = x. In geometric modeling, these particular cases can raise some problems, especially fixpoints with dangling edges and isolated darts. They could be avoided, but they turn out to be convenient at all stages of specification and programming.

4.2 Cells of hypermaps

The topological cells of a hypermap, which model the cells of the underlying subdivision, can be easily obtained thanks to the classical notion of orbit.

Definition 4 (Orbits and hypermap cells) (i) Let D be a set and f1, . . . , fn be n functions on D. The orbit of x ∈ D for f1, . . . , fn is the subset of D denoted by <f1, . . . , fn>(x), the elements of which are accessible from x by any composition of f1, . . . , fn. (ii) In hypermap M = (D, α0, α1), <α0>(x) is the 0-orbit or edge of dart x, <α1>(x) its 1-orbit or vertex, <α1^{-1} ∘ α0^{-1}>(x) its face, and <α0, α1>(x) its connected component. Vertices, edges and faces are also called topological k-cells, for dimension k = 0, 1 and 2.

Example 5 (Hypermap cells) The hypermap example in Fig. 2 contains 13 edges (strokes), 13 vertices (bullets), 10 internal faces, 4 external faces. For instance, by Table 1, <α0>(8) = {8, 4, 7} is the edge of dart 8, <α1>(8) = {8, 12, 13, 20, 9} its vertex, <α1^{-1} ∘ α0^{-1}>(8) = {8, 11} its (internal) face. The (external) face of 22 is <α1^{-1} ∘ α0^{-1}>(22) = {22, 29, 27, 25, 30, 23}. The hypermap has of course 4 connected components.

Since α0 and α1 are permutations, it is clear that, for Π = <α0>, <α1>, <α1^{-1} ∘ α0^{-1}>, or <α0, α1>, y ∈ Π(x) is equivalent to x ∈ Π(y). Faces are defined by α1^{-1} ∘ α0^{-1} for a dart traversal in counterclockwise ordering, as well as the other orbits, with our convention of plane representation. In a combinatorial oriented map, where α0 is an involution, i.e. α0(α0(x)) = x for all x ∈ D, each edge is composed of 1 or 2 darts only.
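The orbits of Definition 4 and the counts of Example 5 can be checked mechanically from Table 1. The following Python script is an added example, not part of the paper or of its Coq development: it transcribes α0 and α1 from Table 1, checks that both are permutations of D as Definition 2 requires, computes the edge, vertex, face and connected-component orbits by a plain graph search, and, as an extra check the paper does not state, verifies the planarity of each component through the classical Euler formula for hypermaps, v + e + f = n + 2 - 2g, where n is the number of darts of the component and g its genus.

```python
# Added example (not the paper's code): the hypermap of Table 1 / Fig. 2 as two
# permutations on D = {1, ..., 32}, with the orbits of Definition 4 computed by a
# graph search, so that Example 5 can be checked mechanically.
DARTS = range(1, 33)

# alpha_0 and alpha_1 transcribed from Table 1 (dart -> k-successor).
A0 = dict(zip(DARTS, [2, 3, 1, 7, 9, 5, 8, 4, 10, 6, 14, 11, 12, 13, 17, 16,
                      20, 19, 18, 15, 23, 24, 21, 25, 22, 29, 28, 27, 26, 31, 30, 32]))
A1 = dict(zip(DARTS, [11, 2, 4, 5, 6, 3, 1, 12, 8, 17, 7, 13, 20, 16, 14, 15,
                      10, 18, 19, 9, 22, 21, 31, 23, 28, 27, 26, 29, 25, 24, 30, 32]))

def is_permutation(f, domain):
    """Definition 2: alpha_k must be a permutation of D (total on D, image exactly D)."""
    return set(f) == set(domain) and set(f.values()) == set(domain)

def inverse(f):
    return {y: x for x, y in f.items()}

def orbit(x, *fs):
    """<f1, ..., fn>(x): the darts reachable from x by composing the fs (Definition 4(i))."""
    seen, todo = {x}, [x]
    while todo:
        z = todo.pop()
        for f in fs:
            if f[z] not in seen:
                seen.add(f[z])
                todo.append(f[z])
    return frozenset(seen)

A0_INV, A1_INV = inverse(A0), inverse(A1)
# Face permutation alpha_1^{-1} o alpha_0^{-1}: alpha_0^{-1} is applied first.
PHI = {z: A1_INV[A0_INV[z]] for z in DARTS}

def edge(x):      return orbit(x, A0)        # 0-orbit
def vertex(x):    return orbit(x, A1)        # 1-orbit
def face(x):      return orbit(x, PHI)
def component(x): return orbit(x, A0, A1)

def cells(kind):
    """All distinct cells of one kind, e.g. cells(face) is the set of faces."""
    return {kind(x) for x in DARTS}

def genus(comp):
    """Genus of one connected component from v + e + f = n + 2 - 2g, the classical
    Euler formula for hypermaps (an added check, not stated in the paper); 0 = planar."""
    v = len({vertex(x) for x in comp})
    e = len({edge(x) for x in comp})
    f = len({face(x) for x in comp})
    return (len(comp) + 2 - v - e - f) // 2

if __name__ == "__main__":
    print("edges", len(cells(edge)), "vertices", len(cells(vertex)),
          "faces", len(cells(face)), "components", len(cells(component)))
    print("face of 22:", sorted(face(22)))
```

The face of 22 comes out as {22, 23, 25, 27, 29, 30}, the vertex of 8 as {8, 9, 12, 13, 20}, and the 14 faces split as 10 internal plus the 4 external ones of Example 5; every component has genus 0, as expected for a plane subdivision.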

4.3 Embedding

The representation of a hypermap in the Euclidean plane is its embedding. In our framework, it corresponds to a mapping which transforms topological cells into geometric ones: darts into open Jordan arcs (sometimes empty), edges and vertices into points, and faces into open simply connected regions. To be proper, the embedding must project each hypermap connected component into a finite subdivision of the plane, each with an external face.

5 Basic specifications

5.1 Preliminary specifications

In Gallina, the specification language of Coq, the inductive type dim, with the constructors zero and one coding the dimensions, can be written:

Inductive dim:Set:= zero: dim | one: dim.

Since all objects are typed in Gallina, dim is itself declared with the type Set of all inductive types. In Coq, the constructors of a type are considered as injective independent functions. Thus, dim is viewed exactly as the set formed by the distinct constant terms zero and one. At this stage, a first property can be proved, namely the decidability of the equality in dim. Recall that, the logic of Coq being intuitionistic, the excluded middle axiom is not built-in.


Therefore, if necessary, the decidability of any predicate must be proved or declared. The equality predicate = is built-in for each inductive type, but not its decidability. For dim, it can be established as a lemma:

Lemma eq_dim_dec:

forall i j : dim, {i=j}+{~i=j}.

In Gallina, dimensions i and j being given, the decidability of i=j is conventionally written as the sum {i=j}+{~i=j}. In accordance with the proofs-as-programs paradigm of intuitionistic type theory, the proof is itself a function called eq_dim_dec, with 2 arguments, i and j of type dim, the result being of the sum type above. An object of this type can be tested in an if ... then ... else ... conditional expression. This lemma is interactively proved with the help of some tactics implementing inference rules. For short, they are not given here. The reasoning is simply a structural induction on both i and j. For an enumerated type like dim, it is in fact a simple reasoning by case analysis. Indeed, from each inductive type definition, Coq generates an induction principle, which can be used either to prove propositions or to build total functions on objects of this type.

Then, the type dart of darts is defined. For the sake of simplicity, we have chosen to identify dart with nat, the built-in inductive type of naturals. In addition, the decidability eq_dart_dec of dart equality is a renaming of eq_nat_dec, which is the built-in decidability of equality in nat. Moreover, the nil dart (useful to manage exceptions) is a renaming of 0:

Definition dart:= nat.

Definition eq_dart_dec:= eq_nat_dec.

Definition nil:= 0.

Finally, in this work, colours (or grey-levels) are also naturals, which are carried by the darts, without a specific new type.

5.2 Free maps

The notion of hypermap is now approached by a more general notion of free map. Indeed, considering free algebras first is a general trick when dealing with inductive specification and reasoning. The definition of the type fmap of the free maps is written in Gallina:

Inductive fmap:Set:=

V : fmap

| I : fmap->dart->nat->fmap

| L : fmap->dim->dart->dart->fmap.


Fig. 3. Action of the constructors: (a) V, the empty map; (b) I m x c, insertion of an isolated dart x with its colour c; (c) L m di0 x y, linking of 2 darts at dimension 0; (d) L m di1 x y, linking of 2 darts at dimension 1.

Once again, it is an inductive type with 3 constructors, V, I and L, respectively for the empty (or void) hypermap, the insertion of a dart into a hypermap (with its colour), and the linking of two darts within a hypermap. Their action is illustrated in Fig. 3. By convention, each dart colour is carried on the left of the dart, from the vertex (bullet) to the edge (stroke). This is also the colour of the dart’s face, which generates a consistency problem between all the darts of the same face. We will precisely answer this question in the following. In Coq, fmap is actually the smallest set of ground terms which can be built from V by applying I and L, considered as independent injections. Again, from these constructors Coq generates an induction principle in order to conduct proofs and to build functions on free maps.

Example 6 (A hypermap term) A part of the hypermap in Fig. 2 is described by term m3, where m1, m2 are subterms, and the colours white, blue (or light grey) and green (or dark grey) are coded by 1, 2, 4, respectively:

m1 := I (I (I (I (I V 3 4) 4 4) 5 1) 2 4) 8 2.

m2 := I (L (L (L (L m1 zero 2 3) one 3 4) one 4 5) one 2 2) 1 4.

m3 := L (L (L (L (I m2 6 1) zero 1 2) one 5 6) zero 3 1) zero 5 6.

The corresponding object is in Fig. 4. Sewings are materialized by arcs of circle around strokes and bullets. It is easy to understand how an entire hypermap can be built this way.

However, the direct application of these operations without restriction allows us to build rather complex objects, even difficult to interpret as hypermaps. Constraints will come later.


Fig. 4. Object corresponding to term m3 (darts 1, 2, 3, 4, 5, 6 and 8).

Observers of free maps can now be defined. One of the most immediate is the predicate exd, which tests whether a dart exists in a hypermap. Its definition is recursive, which is indicated by the keyword Fixpoint, thanks to a pattern matching on m written match m with .... The annotation {struct m} provides a hint to the proof system to ensure that the recursive calls are performed on smaller fmap terms, thus certifying termination. The result is False or True, the basic constants of Prop, the built-in type of propositions. Note that terms are in prefix notation with as few parentheses as possible, and that _, the anonymous variable, denotes an unused argument. The decidability exd_dec of exd directly derives, using a proof by induction on m:

Fixpoint exd(m:fmap)(z:dart){struct m}:Prop:=

match m with

V => False

| I m0 x _ => z=x \/ exd m0 z

| L m0 _ _ _ => exd m0 z

end.

Lemma exd_dec: forall (m:fmap)(z:dart),

{exd m z}+{~exd m z}.

A version called A of the operation αk of the mathematical definition can be written, completed for convenience with nil. Note the use of the decidability functions eq_dim_dec and eq_dart_dec in conditional expressions:

Fixpoint A(m:fmap)(k:dim)(z:dart){struct m}:dart:=

match m with

V => nil

| I m0 x _ => A m0 k z

| L m0 k0 x y =>

if (eq_dim_dec k k0)

then if (eq_dart_dec z x) then y

else A m0 k z

else A m0 k z

end.


The definition of A’s inverse, denoted A_1, is quite similar. In the same way, a function col returns the colour of each dart of a free map.

Auxiliary predicates succ and pred test whether a dart has a k-successor and a k-predecessor. The corresponding decidability functions are succ_dec and pred_dec. The proofs are performed using case analysis, e.g. for succ_dec, depending on whether (A m k z) is nil or not:

Definition succ(m:fmap)(k:dim)(z:dart):=

A m k z <> nil.

Lemma succ_dec: forall (m:fmap)(k:dim)(z:dart),

{succ m k z} + {~succ m k z}.

Example 7 (Use of operations) In object m3 of the previous example, we have, with <-> denoting equivalence:

A m3 zero 1 = 2; A m3 zero 2 = 3; A m3 zero 6 = nil.

A_1 m3 zero 5 = nil; A_1 m3 zero 6 = 5; A_1 m3 zero 8 = nil.

succ m3 zero 5 <-> True; succ m3 one 6 <-> False.

pred m3 one 4 <-> True; pred m3 zero 8 <-> False.

Finally, destructors are recursively defined. Firstly, D deletes the latest insertion of a dart by I. Secondly, B and B_1 break for a dart its latest k-link inserted by L, forward and backward respectively. However, to obtain suitable objects, the operations have to be constrained using preconditions. We discuss this point in the next section.

6 Quasi-hypermaps and hypermaps

6.1 Quasi-hypermaps

Each precondition is presented as a predicate on the operator’s parameters. Firstly, prec_I m x imposes that the dart x inserted in map m be different from nil and not exist in m. Secondly, prec_L m k x y imposes that darts x and y both exist in m, x being without k-successor and y without k-predecessor:

Definition prec_I(m:fmap)(x:dart):=

x <> nil /\ ~ exd m x.

Definition prec_L(m:fmap)(k:dim)(x y:dart) :=

exd m x /\ exd m y /\ ~ succ m k x /\ ~ pred m k y.

If I and L are always used under these conditions, then the free map built is rather close to a hypermap, which would sometimes have incomplete orbits.


Fig. 5. Quasi-hypermap for the example hypermap.

This is the reason why it is called a quasi-hypermap. It satisfies an invariant inv_qhmap defined recursively:

Fixpoint inv_qhmap(m:fmap){struct m}:Prop:=

match m with

V => True

| I m0 x _ => inv_qhmap m0 /\ prec_I m0 x

| L m0 k x y => inv_qhmap m0 /\ prec_L m0 k x y

end.

Although Coq makes it possible to exactly define the type qhmap of the quasi-hypermaps as a subtype of fmap, we found it better to carry on with fmap and inv_qhmap. Indeed, most function definitions and theorem proofs on qhmap lean on a structural induction on fmap.

Example 8 (Quasi-hypermap) A quasi-hypermap is drawn in Fig. 5 for the example subdivision. Note that m3 in Fig. 4 was already a quasi-hypermap.

Several properties about A and A_1 can be proved. The main ones concern the fact that, for any quasi-hypermap m and dimension k, (A m k) and (A_1 m k) are inverses of each other, which is generally false in free maps. Finally, we can prove that both are injections on their definition domains.

6.2 Hypermaps

From a constructive point of view, a true hypermap can be considered as a complete quasi-hypermap, i.e. it is equipped with closed k-orbits. No k-successor, or k-predecessor, can be nil. This means each dart of the hypermap has a true k-successor and a true k-predecessor. This is expressed by the invariant inv_hmap for the type hmap of the hypermaps. Recall that -> is used both for functional types and for logical implications:

Definition inv_hmap(m:fmap):Prop:=
  inv_qhmap m
  /\ forall (x:dart)(k:dim), exd m x -> succ m k x /\ pred m k x.

Fig. 6. Hypermap for the example subdivision.

Example 9 (Hypermap) The hypermap which “closes” the quasi-hypermap in Fig. 5 is drawn in Fig. 6.

Once more, it is easier to work with fmap and inv_hmap than with a type hmap. We can prove the fundamental hypermap properties for any hypermap m and dimension k: (A m k) and (A_1 m k) are permutations on their common domain (exd m), and are inverses of each other [15].

Finally, testing whether it is possible to go from one dart to another within a direct face is crucial to check the homogeneity of a face coloration. This test is performed by the predicate expf: fmap -> dart -> dart -> Prop defined by induction on fmap, the decidability of expf m x y being expressed by expf_dec m x y. Details are given in [15].

7 A functional segmentation algorithm on hypermaps

Everything is ready to specify segmentation on hypermaps. In fact, this operation is designed for quasi-hypermaps, and defined inductively on free maps, as usual. The process is defined in 2 steps called seg1 and seg2. The first step isolates darts which are not borders, and the second one removes them.

7.1 First segmentation step: seg1

Fig. 7. Upper- and lower-border at dimension 0: (a) up_border0 m z (col m z0); (b) low_border0 m z (col m z0).

First, it is necessary to define the notion of border in a coloured quasi-hypermap. For both dimensions we distinguish upper- and lower-borders. More precisely, (up_border0 m z a) expresses that in hypermap m, the dart z has no successor at dimension 0 or has a successor with a colour different from a fixed value a. The predicates low_border0, up_border1 and low_border1 are similar:

Definition up_border0(m:fmap)(z:dart)(a:nat):Prop:=

~succ m zero z \/ col m (A m zero z) <> a.

Definition low_border0(m:fmap)(z:dart)(a:nat):Prop:=

~pred m zero z \/ col m z <> a.

Definition up_border1(m:fmap)(z:dart)(a:nat):Prop:=

~succ m one z \/ col m z <> a.

Definition low_border1(m:fmap)(z:dart)(a:nat):Prop:=

~pred m one z \/ col m (A_1 m one z) <> a.

The cases concerning dimension 0 are illustrated in Fig. 7 for one dart z with z0 = (A m zero z) and a = (col m z0), where T symbolizes the possible absence of successor or predecessor when a dart is an upper- or a lower-border. The reason for such definitions and the value of a will be clear in the following specifications. Dimension 1 would be treated analogously. These predicates are immediately proved decidable, with up_border0_dec, low_border0_dec, up_border1_dec, low_border1_dec. A functional inductive definition of seg1 m, which keeps the interesting borders and isolates the other darts, follows:

Fixpoint seg1(m:fmap):fmap:=
  match m with
    V => V                                                 (*1*)
  | I m0 x c => I (seg1 m0) x c                            (*2*)
  | L m0 zero x y =>                                       (*3*)
      let m1 := seg1 m0 in
      let a := (col m0 y) in
      if eq_dart_dec x y then m1                           (*3.1*)
      else
        let x_0 := A_1 m1 zero x in
        let y0 := A m1 zero y in
        if up_border0_dec m1 y a
        then
          if low_border0_dec m1 x a                        (*3.2*)
          then L m1 zero x y
          else L (B_1 m1 zero x) zero x_0 y                (*3.3*)
        else
          if low_border0_dec m1 x a                        (*3.4*)
          then L (B m1 zero y) zero x y0
          else
            if eq_dart_dec x_0 y                           (*3.5.1*)
            then B m1 zero y
            else                                           (*3.5.2*)
              L (B (B_1 m1 zero x) zero y) zero x_0 y0
  | L m0 one x y =>
      let m1 := seg1 m0 in
      let a := (col m0 x) in
      if eq_dart_dec x y then m1
      else
        let x_1 := A_1 m1 one x in
        let y1 := A m1 one y in
        if up_border1_dec m1 y a
        then
          if low_border1_dec m1 x a
          then L m1 one x y
          else L (B_1 m1 one x) one x_1 y
        else
          if low_border1_dec m1 x a
          then L (B m1 one y) one x y1
          else
            if eq_dart_dec x y1
            then B m1 one y
            else
              L (B (B_1 m1 one x) one y) one x_1 y1
  end.

Let us give some explanations, among the cases of the pattern matching on m:

• 1. m = V: the result is V.

• 2. m = I m0 x c: the result is I (seg1 m0) x c, i.e. the insertion of x and its colour c into (seg1 m0), the recursive application of seg1 on m0.

• 3. m = L m0 zero x y: first, (seg1 m0) and the colour col m0 y of y are named m1 and a. Then, there are five cases, according to whether x and y are equal or not, whether y is up_border0 or not, and whether x is low_border0 or not. All of these cases are illustrated in Fig. 8:
- 3.1. x = y: nothing is done in m1, since a sewing from x to y would create a 0-fixpoint, i.e. a dangling dart, which would be eliminated in the final result. For the other cases, where ~x = y, also written x <> y, (A m1 zero y) and (A_1 m1 zero x) are named y0 and x_0.
- 3.2. up_border0 m1 y a and low_border0 m1 x a: the 0-sewing (L m1 zero x y) is created in m1 from x to y.
- 3.3. up_border0 m1 y a and ~low_border0 m1 x a: since x is not a lower-border for 0, it must be isolated by B_1, and the 0-sewing is done from x_0 to y. The other cases are quite similar.
- 3.4. ~up_border0 m1 y a and low_border0 m1 x a: since y is not an upper-border for 0, it must be isolated by B, and the 0-sewing is done from x to y0.
- 3.5. ~up_border0 m1 y a and ~low_border0 m1 x a: this case combines the two previous ones, but one last condition must be checked, which gives two subcases:
– 3.5.1. x_0 = y: y must be isolated by B, and there is no new sewing; otherwise a complete edge with twice the same dart, x_0 = y, or two darts with the same colour, x and y, would be created.
– 3.5.2. ~x_0 = y: x and y are isolated, and a new 0-sewing is created from x_0 to y0. Note that x_0 = y0 can be proved impossible.

• 4. m = L m0 one x y: a similar reasoning, which we do not detail, applies with up_border1 and low_border1.

The deep reason for the above k-breaks and k-sewings is that we always have to maintain the following invariant: in a segmented quasi-hypermap, there are never two faces, adjacent by a vertex or by an edge, with the same colour, as illustrated in Fig. 9. This property will be proved in the following.

Example 10 (seg1 on a quasi-hypermap and on a hypermap) For the quasi-hypermap m in Fig. 5, the free map (in fact proved to be a quasi-hypermap later) seg1 m is drawn in Fig. 10(a). It is easy to see that this result is not completely satisfactory, because it contains dangling darts which are not isolated. But if we apply the same operation to Fig. 6, which contains a true hypermap, this drawback disappears, as illustrated in Fig. 11(a).

7.2 Second segmentation step: seg2

The second segmentation step seg2 is designed to remove all the darts without any k-sewing, for k = 0, 1, i.e. isolated according to the following predicate, whose decidability is easily established formally:

Definition isolated(m:fmap)(z:dart):Prop:=

~succ m zero z /\ ~pred m zero z

/\ ~succ m one z /\ ~pred m one z.

[Fig. 8. Cases for the segmentation (step 1: seg1, 0-sewings): 3.1. x = y; 3.2. up_border0 m1 y a /\ low_border0 m1 x a; 3.3. up_border0 m1 y a /\ ~low_border0 m1 x a; 3.4. ~up_border0 m1 y a /\ low_border0 m1 x a; 3.5.1. ~up_border0 m1 y a /\ ~low_border0 m1 x a /\ x_0 = y; 3.5.2. ~up_border0 m1 y a /\ ~low_border0 m1 x a /\ x_0 <> y.]

An auxiliary function seg2_aux is defined to remove the isolated darts of a free map m, by pattern matching on m. It uses a fixed free map called mr, always equal to the original map m and serving as reference during the whole analysis of m. Then, seg2 is immediately defined, as well as segmentation, which composes seg1 and seg2 to perform the complete segmentation:

Fixpoint seg2_aux (m mr: fmap){struct m}:fmap:=

match m with

V => V

| I m0 x c =>

if isolated_dec mr x

then seg2_aux m0 mr

else I (seg2_aux m0 mr) x c

| L m0 k x y => L (seg2_aux m0 mr) k x y

end.

[Fig. 9. Invariant of the segmentation (step 1: seg1): a. impossible configurations in a segmented quasi-hypermap (dimension 0: z, z0, z_0; dimension 1: z, z1, z_1); b. possible configurations (dimension 0 and dimension 1).]

[Fig. 10. Complete segmentation of the quasi-hypermap in Fig. 5: a. step 1, (seg1 m); b. steps 1 and 2, (segmentation m).]

Definition seg2(m:fmap):=

seg2_aux m m.

Definition segmentation(m:fmap):=

seg2 (seg1 m).

[Fig. 11. Complete segmentation of the hypermap in Fig. 6: a. step 1, (seg1 m); b. steps 1 and 2, (segmentation m).]

Example 11 (seg2 on a quasi-hypermap and on a hypermap) The effect of seg2 is first illustrated in Fig. 10(b) on the quasi-hypermap example of Fig. 10(a), which is the result of the first step on the quasi-hypermap in Fig. 5. However, some drawbacks due to the dangling darts remain. The same operations applied to the object of Fig. 11(a), which is the result of the first step on the hypermap in Fig. 6, yield the expected result, as illustrated in Fig. 11(b). It corresponds exactly to Fig. 1(b).

Obtaining exact results on particular cases is essential but not sufficient. A certification, in other words a proof of total correctness, is necessary for such intricate algorithms.

8 Certification of the segmentation

All the proofs we present are formal, and have been interactively computer-aided by the Coq system. Let us examine the first and second steps of the segmentation.


8.1 Correctness of the first step: seg1

• a. Function seg1 always terminates, because termination is automatically ensured for the definition by structural induction we have used. Indeed, during the pattern matching on a fmap term m, the recursive calls of seg1 always apply to terms strictly included in the term denoted by m. This property is required by the Coq system.

• b. We must challenge our specification by proving a few simple properties which are always useful on free maps. For instance, we establish that seg1 m preserves all the darts of m as well as their colours. The proofs are performed by structural induction on m, like most of the following proofs:

Lemma exd_seg1: forall(m:fmap)(z:dart),

(exd m z <-> exd (seg1 m) z).

Lemma col_seg1: forall(m:fmap)(z:dart),

col (seg1 m) z = col m z.

• c. We must ensure type preservation, that is, that starting with a qhmap results in a qhmap. This is the aim of the following theorem:

Theorem inv_qhmap_seg1:forall(m:fmap),

inv_qhmap m -> inv_qhmap (seg1 m).

In fact, it is necessary to prove another important property as well, namely that darts without k-successors or k-predecessors remain in the same state after seg1:

Lemma not_succ_pred_seg1:forall(m:fmap),

inv_qhmap m -> forall (k:dim)(z:dart),

(~succ m k z -> ~succ (seg1 m) k z)

/\ (~pred m k z -> ~pred (seg1 m) k z).

• d. We have to prove that the invariant we mentioned when sewing in seg1 is satisfied. This result, illustrated in Fig. 9, is given at dimension 0, but we have a similar result for dimension 1:

Lemma succ0_pred0_seg1:forall(m:fmap)(z:dart),

inv_qhmap m -> let m1 := seg1 m in

succ m1 zero z -> pred m1 zero z ->

col m (A m1 zero z) <> col m z.

• e. It is possible to prove a great number of simple facts about the existence of k-successors and k-predecessors and about their colours in seg1 m depending on those in m, and conversely. All of these properties lead to a better understanding of the segmentation process we have described. Finally, we prove:

Theorem succ0_seg1_lb0:forall(m:fmap)(z:dart),

inv_qhmap m -> let m1 := seg1 m in

succ m1 zero z <->

(succ m zero z /\ low_border0 m z (col m (A m zero z))).

This theorem is a characterization of the 0-sewings remaining in seg1 m: darts with a 0-successor in seg1 m are exactly those which had a 0-successor in m and were low_border0. We have similar results for pred and for dimension 1.

• f. Although this classification is interesting, it does not provide information about what the k-successors exactly are in the segmentation result. In order to characterize them better, we first define an operation which, for a quasi-hypermap m and a dart z, outputs the first dart within the k-orbit of z which is an upper-border at dimension k, when A is iterated, and nil if z has no such iterated successor. For dimension 0, this function, called uA0, is defined by pattern matching on the free map structure. A quite similar, although less general, function is proposed in [11, 12] in a pixel grid framework. We do not detail the corresponding technical definition, but rather consider an example.

Example 12 (First successor being an upper-border) In the quasi-hypermap m of Fig. 5, we have uA0 m 1 = 3, uA0 m 3 = 5, uA0 m 14 = 11, uA0 m 17 = 10, uA0 m 6 = nil, uA0 m 18 = nil.

Then we prove the following facts, which completely characterize the result ofseg1 at dimension 0 in a quasi-hypermap:

Lemma not_succ_uA0_nil : forall(m:fmap)(z:dart),

inv_qhmap m ->

~ succ m zero z -> uA0 m z = nil.

Theorem A_seg1_uA0:forall(m:fmap)(z:dart),

inv_qhmap m ->

let m1:=seg1 m in

succ m1 zero z -> A m1 zero z = uA0 m z.

The lemma states that darts without a 0-successor in m have uA0 equal to nil at dimension 0. The novelty of the theorem is that the 0-successors in seg1 m are exactly known from m: more precisely, the 0-successor in seg1 m, when it exists, is given by uA0 in m. We of course have a similar result for dimension 1. These properties actually assert the maximality of the first segmentation step. However, a last doubt remains about the colours of the faces.

• g. Therefore, it is necessary to examine the question of colour more closely. In fact, the segmentation only concerns quasi-hypermaps which are well-coloured, i.e. where all darts in the same face have the same colour:

Definition well_coloured(m:fmap):=

forall(z t:dart),

expf m z t -> col m z = col m t.

However, this face-global property is difficult to deal with. A local property, which for each dart z only concerns the colours of its 0-successor and 1-predecessor, is more tractable:

Definition well_coloured1(m:fmap):=

forall z:dart,

succ m zero z -> pred m one z ->

col m (A m zero z) = col m (A_1 m one z).

Both properties are proved to be equivalent:

Theorem well_coloured1_coloured : forall m:fmap,

inv_qhmap m ->

(well_coloured1 m <-> well_coloured m).

Finally, we prove the fundamental result, namely that seg1 preserves the property of being well-coloured:

Theorem correct2_seg1:

forall m:fmap, inv_qhmap m ->

well_coloured1 m -> well_coloured1 (seg1 m).

This property completes the proof of partial correctness of seg1. With its termination, we have its total correctness.

8.2 Correctness of the second step: seg2

• a. The termination of seg2_aux is immediate, due to the structural induction mechanism of Coq.

• b. Considering the partial correctness, we must prove small lemmas about seg2_aux, such as the following ones:

Lemma exd_seg2_aux:

forall(m mr:fmap)(z:dart),

exd (seg2_aux m mr) z <-> (exd m z /\ ~isolated mr z).

Lemma A_seg2_aux:

forall(m mr:fmap)(k:dim)(z:dart),


A (seg2_aux m mr) k z = A m k z.

In other words, seg2_aux only preserves the existence of the darts of m which are not isolated, and always preserves the operation A (and its inverse A_1).

• c. We have to prove that segmentation is well typed: it preserves the invariants of qhmap and hmap:

Theorem inv_qhmap_segmentation:forall(m:fmap),

inv_qhmap m -> inv_qhmap (segmentation m).

Theorem inv_hmap_segmentation:forall(m:fmap),

inv_hmap m -> well_coloured1 m ->

inv_hmap (segmentation m).

• d. A segmented hypermap preserves the colours of the darts:

Lemma col_segmentation:forall(m:fmap)(z:dart),

exd (segmentation m) z ->

col (segmentation m) z = col m z.

Then, when the hypermap m is well coloured, many interesting properties of m1 := seg1 m appear, such as the fact that a dart which is not isolated in m1 is actually completely sewn:

Lemma not_isolated_seg1:forall(m:fmap)(z:dart),

inv_hmap m -> well_coloured1 m ->

let m1 := seg1 m in ~isolated m1 z ->

(succ m1 zero z /\ pred m1 zero z /\

succ m1 one z /\ pred m1 one z).

• e. This contributes to establishing the fundamental theorem, which asserts that a well coloured hypermap is segmented into a well coloured hypermap:

Theorem well_coloured1_segmentation:forall(m:fmap),

inv_hmap m ->

well_coloured1 m ->

well_coloured1 (segmentation m).

• f. We can easily prove that, in a hypermap, up_border is equivalent to low_border. More precisely, at dimension 0:

Theorem up_border0_low_border0:forall(m:fmap)(z:dart),

inv_hmap m -> exd m z

-> let a:= col m (A m zero z) in

(up_border0 m z a <-> low_border0 m z a).

Moreover, under the same conditions, and when the hypermap is well coloured, we immediately have an equivalence between the borders at dimensions 0 and 1, for instance:

Theorem up_border0_low_border0:forall(m:fmap)(z:dart),

inv_hmap m -> well_coloured m -> exd m z

-> let a:= col m (A m zero z) in

(up_border0 m z a <-> low_border1 m z a).

Then, we can conclude that, when the hypermap m is well coloured, the darts of (segmentation m) are those which were low_border0 (or up_border0), or low_border1 (or up_border1) in m. In fact, only one criterion out of the four is sufficient to decide whether a dart remains or not in the final segmented hypermap. This is useful for the imperative program that follows.

9 Real implementation and imperative optimal program

9.1 Hypermap linked implementation in C

It is not necessary to implement free maps to illustrate our propositions. A particular representation of quasi-hypermaps and hypermaps is quite sufficient. We have chosen to represent them by a doubly linked list of dart records. Then, in C, we have the following types and macros:

#include <stddef.h>   /* NULL */

#include <stdbool.h>  /* bool, used by the observers below */

#define nil NULL

typedef unsigned int colour;

typedef struct sdart

{

struct sdart * s; /* list successor */

struct sdart * p; /* list predecessor */

struct sdart * A[2]; /* k-successors at dim 0 and 1 */

struct sdart * A_1[2]; /* k-predecessors at dim 0 and 1 */

colour col; /* colour */

} Sdart, *dart;

typedef dart qhmap, hmap;

The dimensions are simply the naturals 0 and 1. A colour is defined as an unsigned integer value. A dart of type dart is a pointer to a record of type struct sdart, alias Sdart, nil being represented by NULL. Such a structure contains a colour as well as all the pointers necessary to realize the operations of the specification easily. Quasi-hypermaps and hypermaps are actually of type dart: a map is designated by a pointer to the head of its dart list.


Next, the map constructors are written with side effects, I being an insertion at the list tail:

qhmap V()

{ return (qhmap)NULL; }

qhmap I(qhmap m, dart x, colour c)

{

x->A[0]=x->A_1[0]=x->A[1]=x->A_1[1]=nil; x->col=c;

if(m==NULL) {x->p = x->s = x; return x;}

x->p = m->p; x->s = m; m->p->s=x; m->p = x;

return m;

}

qhmap L(qhmap m, int k, dart x, dart y)

{ x->A[k] = y; y->A_1[k] = x; return m; }

The equality of darts simply corresponds to the equality of pointers. Then, the predicates being transformed into Boolean functions, and preconditions remaining out of the code, the observers are written as follows:

bool empty(qhmap m)

{ return m==NULL; }

dart A(qhmap m,int k,dart z)

{ return z->A[k]; }

colour col(qhmap m,dart z)

{ return z->col; }

Finally, the destructors D and B are easily written with side effects. It is easy to understand how to program all the preliminary functions and predicates of the segmentation, such as up_border0, isolated, etc.

9.2 Segmentation

Our formal specification of seg1 and seg2 is based on local reasoning concerning the darts and sewings of the hypermap argument. Moreover, it does not impose any particular order for their traversal. One can say that it is nondeterministic.

A program which performs seg1 or seg2 on our quasi-hypermap implementation can be a simple traversal of the dart list, in any order, where the suitable local processing on darts and sewings is made, while taking into account the proven properties. In fact, segmentation can directly be written in an iterative way from head to tail of the dart list. Thus, naming x the current dart, and programming again with side effects on the (quasi-)hypermap m, we have:


qhmap segmentation(qhmap m)

{

dart x,y,x_0,y0,x_1,y1,xs;

colour a;

x = m;

while(x!=nil)

{

y = A(m,0,x);

if (y!=nil)

{

m = B(m,0,x);

if (x!=y)

{

a = col(m,y);

x_0 = A_1(m,0,x);

y0 = A(m,0,y);

if (up_border0(m,y,a))

{

if (low_border0(m,x,a))

m = L(m,0,x,y);

else m = L(B_1(m,0,x),0,x_0,y);

}

else

{

if (low_border0(m,x,a))

m = L(B(m,0,y),0,x,y0);

else

{

if (x_0==y) m = B(m,0,y);

else m = L(B(B_1(m,0,x),0,y),0,x_0,y0);

}

}

}

}

// ...similar for dimension 1...

xs = (x->s==m)?nil:x->s;

if (isolated(m,x)) m = D(m,x);

x = xs;

}

return m;

}

This program is surprisingly close to the formal expressions of seg1 and segmentation. Therefore it is not necessary to paraphrase it. It has been successfully tested, in particular on the previous examples of quasi-hypermap and hypermap in Fig. 10 and Fig. 11.

[Fig. 12. Two models for a pixel grid: a. hypermap; b. combinatorial oriented map.]

Moreover, it turns out to be a very efficient process. Indeed, all the elementary operations being clearly performed in bounded time, the global time complexity of segmentation is in O(n), n being the number of darts in the quasi-hypermap. Moreover, it does not use any auxiliary structure, apart from a bounded number of pointers and integers: its space complexity is in O(1). This is of course an optimal process, both in time and in space.

When one is sure to deal with a well coloured hypermap, the absolute run time can be improved by simplifying some tests, in accordance with our proved results. For instance, verifying isolated then only requires checking that a single k-sewing is absent.
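As an added, runnable illustration of Sections 9.1 and 9.2 (this is example code written for this page, not the paper's program), the following C translation of the linked implementation runs the whole chain on a constructed quasi-hypermap: the dart ring with I and D, the sewing operations L, B and B_1, the four border predicates folded into one function per side, seg1 applied to both dimensions with the cases of Fig. 8, and then a separate seg2 sweep deleting the isolated darts, which keeps the two steps of the specification apart instead of interleaving them dart by dart as the program above does. It also implements the function uA0 of Section 8.1, item f, from its informal description, so that Theorem A_seg1_uA0 can be checked at run time on the output; the fixed colour passed to up_border0 is taken to be the colour of (A m zero z), which is the reading that matches Theorem succ0_seg1_lb0, and is an assumption of this example. The sample map, a 0-cycle of six darts coloured R R B B B R with no 1-sewings, is constructed here; the names seg1_step, uA0, ndarts and build_example are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned int colour;
typedef struct sdart {
    struct sdart *s, *p;      /* circular doubly linked dart ring */
    struct sdart *A[2];       /* k-successors, NULL when absent */
    struct sdart *A_1[2];     /* k-predecessors, NULL when absent */
    colour col;
} Sdart, *dart;
typedef dart qhmap;           /* a map is the head of its dart ring */
/* I: append x with colour c at the ring tail.  D: unlink x, moving the head if x was the head. */
static qhmap I(qhmap m, dart x, colour c) {
    x->A[0] = x->A[1] = x->A_1[0] = x->A_1[1] = NULL; x->col = c;
    if (!m) { x->s = x->p = x; return x; }
    x->p = m->p; x->s = m; m->p->s = x; m->p = x;
    return m;
}
static qhmap D(qhmap m, dart x) {
    if (x->s == x) return NULL;
    x->p->s = x->s; x->s->p = x->p;
    return x == m ? x->s : m;
}
/* L: k-sew x to y.  B: break the k-sewing leaving x.  B_1: break the k-sewing entering y. */
static void L(int k, dart x, dart y) { x->A[k] = y; y->A_1[k] = x; }
static void B(int k, dart x)   { dart y = x->A[k];   if (y) { x->A[k] = NULL; y->A_1[k] = NULL; } }
static void B_1(int k, dart y) { dart x = y->A_1[k]; if (x) { x->A[k] = NULL; y->A_1[k] = NULL; } }

/* up_border0/1 and low_border0/1 of Section 7.1: at dimension 0 the colour compared with a is the
 * successor's (up) or z's own (low); at dimension 1 it is z's own (up) or the predecessor's (low). */
static bool up_border(int k, dart z, colour a) {
    return !z->A[k] || (k == 0 ? z->A[0]->col : z->col) != a;
}
static bool low_border(int k, dart z, colour a) {
    return !z->A_1[k] || (k == 0 ? z->col : z->A_1[1]->col) != a;
}
static bool isolated(dart z) { return !z->A[0] && !z->A_1[0] && !z->A[1] && !z->A_1[1]; }

/* uA0: first dart met when iterating A from z that is an up-border for the colour of A(z) (assumed
 * reading); NULL if z has no 0-successor or its whole 0-orbit carries that colour. */
static dart uA0(dart z) {
    dart start = z->A[0], t = start;
    if (!start) return NULL;
    do {
        if (up_border(0, t, start->col)) return t;
        t = t->A[0];
    } while (t && t != start);
    return NULL;
}

/* One seg1 step for the k-sewing leaving x, cases 3.1 to 3.5.2 of Fig. 8; a is col y at dimension 0
 * and col x at dimension 1, as in the Coq definition of seg1. */
static void seg1_step(int k, dart x) {
    colour a; dart y = x->A[k], xk_1, yk;
    if (!y) return;
    B(k, x);                                  /* the sewing x -> y is decided again below */
    if (x == y) return;                       /* 3.1: a k-fixpoint is simply dropped */
    a = (k == 0) ? y->col : x->col;
    xk_1 = x->A_1[k]; yk = y->A[k];           /* x_0 / x_1 and y0 / y1 */
    if (up_border(k, y, a)) {
        if (low_border(k, x, a)) L(k, x, y);              /* 3.2 */
        else { B_1(k, x); L(k, xk_1, y); }                /* 3.3 */
    } else if (low_border(k, x, a)) {
        B(k, y); L(k, x, yk);                             /* 3.4 */
    } else if (y->A[k] == x) {
        B(k, y);                                          /* 3.5.1: x_0 = y, resp. x = y1 */
    } else {
        B_1(k, x); B(k, y); L(k, xk_1, yk);               /* 3.5.2 */
    }
}

static size_t ndarts(qhmap m) {
    size_t n = 0; dart x = m;
    if (m) do { n++; x = x->s; } while (x != m);
    return n;
}
/* segmentation = seg2 (seg1 m): seg1 on every dart at both dimensions, then a second sweep deleting
 * the darts left isolated; the dart count is taken first so that deletions cannot derail the sweep. */
static qhmap segmentation(qhmap m) {
    size_t n = ndarts(m), i;
    dart x = m, xs;
    for (i = 0; i < n; i++) { seg1_step(0, x); seg1_step(1, x); x = x->s; }
    for (i = 0; i < n; i++) { xs = x->s; if (isolated(x)) m = D(m, x); x = xs; }
    return m;
}
/* Constructed sample: the 0-cycle d1 -> d2 -> ... -> d6 -> d1 coloured R R B B B R, no 1-sewings. */
enum { RED = 1, BLUE = 2 };
static Sdart ex[6];
static qhmap build_example(void) {
    static const colour cols[6] = { RED, RED, BLUE, BLUE, BLUE, RED };
    qhmap m = NULL;
    for (int i = 0; i < 6; i++) m = I(m, &ex[i], cols[i]);
    for (int i = 0; i < 6; i++) L(0, &ex[i], &ex[(i + 1) % 6]);
    return m;
}

int main(void) {
    qhmap m = build_example();
    printf("uA0(d2) = d%d\n", (int)(uA0(&ex[1]) - ex) + 1);
    m = segmentation(m);
    printf("%u darts remain, d2 -> d%d\n", (unsigned)ndarts(m), (int)(ex[1].A[0] - ex) + 1);
    return 0;
}
```

The 3.5.1 test is written as "y is already k-sewn to x", which is x_0 = y at dimension 0 and x = y1 at dimension 1, since the representation keeps A_1 as the inverse of A. On the sample, only d2 (R, followed by a B dart) and d5 (B, followed by an R dart) are low_border0 in m, so by Theorems succ0_seg1_lb0 and A_seg1_uA0 they are the only darts keeping a 0-successor, namely uA0 m d2 = d5 and uA0 m d5 = d2; the other four darts become isolated and are removed by the second sweep, leaving the two-dart map d2 -> d5 -> d2.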

9.3 Experimentation

The C program presented in the previous section can run on general coloured pixel grids. Such a grid can be modeled in a systematic way by a hypermap, as in Fig. 12(a), or by the special case of a combinatorial map, as in Fig. 12(b). In both cases, a pixel is modeled by a square face, with 2 darts in the first case and 4 darts in the second. So, the second representation is easier to understand and to interpret, but it contains about twice as many darts.

[Fig. 13. Four tests with small coloured grid configurations: a. Configuration 1; b. Configuration 2; c. Configuration 3; d. Configuration 4.]

Finally, Fig. 13 presents four characteristic configurations our program treated in order to illustrate its capabilities on regular grids modeled by hypermaps. For each one, the figure on the left is the initial grid and the one on the right is the segmented image with all its regions and borders. Of course, the external border is kept if the darts which are incident to the unbounded external face carry a particular colour. These configurations occur in real image grids and influence the topology of the segmented final subdivision. As the tests were a success, there is no obstacle to adapting our C program to deal with real-size subdivisions or images. The only complement is to build initial topological grids and to embed them on integer coordinates. At the Coq level, when the dart embedding is on line segments, one has to modify the specification. For instance, one can introduce a new type point, as a pair of natural coordinates, and add in the type of I an embedding on a pair of points corresponding to the origin and the extremity of a segment:

Definition point: Set := nat*nat.

Inductive fmap:Set:=

...

| I : fmap->dart->nat->point->point->fmap

....

Some additional constraints have to be considered to ensure consistent embeddings, for instance to guarantee that darts in the same topological vertex (resp. edge) have the same origin (resp. extremity). This is comparable to the colour management we have done in the faces by well_coloured.


10 Conclusion

We have carried out an experiment in formal specification, computer-assisted proof of total correctness and imperative programming in computational topology for imagery. The problem we have chosen, namely segmentation, is prototypical in 2D image processing. It applies to any well coloured finite plane subdivision, therefore possibly to a pixel grid equipped with the necessary adjacency relationships, and ends with the coarsest well coloured plane subdivision.

The specification relies on an important base of hypermap specifications in Coq that we had used to develop software in geometric modeling and to prove fundamental results, such as the genus theorem and Euler's formula. All of them represent about 6,000 lines of definitions, theorems and proofs, written as tactic lists. The present development for the segmentation represents about 5,000 lines, including about 100 definitions, theorems and lemmas. It may be considered tedious, but that is the price of rigor and safety. Moreover, such a work needs to be done only once, leading to a variety of possible implementations.

The Calculus of Inductive Constructions was well suited to the specification of our segmentation problem by structural induction. The Coq system turned out to be a precious auxiliary to guide and check all the proofs. The final original imperative program we obtain is simple and optimal. It has been written "by hand", directly translating the functional definition into an imperative one in C; this translation step lies outside the formal proof, and we can only hope that it preserves correctness. However, in the future, we intend to use another promising feature of provers based on the Curry-Howard isomorphism, namely the extraction of programs from proofs. Such programs are automatically correct, or certified, with respect to formal specifications [3]. They can be functional or even imperative.

Besides, the problem of segmentation can be further investigated. For instance, we can improve the final segmentation by vertex and edge merging in particular configurations [11]. We can build hierarchical map structures to perform multi-level segmentations [12, 7]. It would also be important to solve the same problem in 3D, adding a new permutation to our hypermaps to capture the third dimension [11, 18]. More fundamentally, one can be interested in the respective genera of the starting and final hypermaps. The genus of a hypermap is the minimal genus (i.e. number of holes) of the surfaces on which the hypermap can be embedded properly. It is clear that a null hypermap genus is preserved during segmentation. However, it would be better to prove it formally. Conversely, a hypermap genus greater than 0 is not always preserved. For instance, a well coloured hypermap with genus 1, properly embedded on a torus and not on a plane, can be segmented into a hypermap of genus 0. In the future, elucidating this behavioural question would allow us to work safely on any surface. A formal computer-aided approach will help to give an incontestable answer.

All the previous problems are mainly in the scope of computational topology. Real computational geometry problems, which concern geometric embedding, real numbers and round-off errors, are more difficult to tackle. We think that progress will be made using appropriate axiomatics of the numbers, or axiomatics allowing to bypass them, like that of D. Knuth in [21] for orientation in the plane and convex hulls. Finally, another fruitful way is discrete geometry. A constructive axiomatic of discrete curves and surfaces is necessary, in order to study other basic algorithmic problems in imagery, one of the most promising being polygonalization/polyhedrization [23, 31]. We hope that our methodology, based on the one hand on map models and on the other hand on formal constructive specifications as well as proofs, is a good way to go further in computer imagery.

References

[1] Bauer, G., Nipkow, T.: The 5 Colour Theorem in Isabelle/Isar. Theorem Proving in HOL Conf. (2002). LNCS 2410, Springer-Verlag, 67–82.

[2] Baumgart, B.: A boundary representation for computer vision. 44th AFIPS Nat. Conf. (1975), 589–596.

[3] Bertot, Y., Casteran, P.: Interactive Theorem Proving and Program Development - Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science, An EATCS Series (2004), Springer-Verlag.

[4] Bertrand, Y., Dufourd, J.-F.: Algebraic specification of a 3D-modeler based on hypermaps. Graphical Models and Image Processing 56:1 (1994), 29–60.

[5] Bertrand, Y., Fiorio, C., Pennaneach, Y.: Border map: a topological representation for nD image analysis. Discrete Geometry for Computer Imagery Conf. (1999). LNCS 1568, Springer-Verlag, 241–257.

[6] Braquelaire, J.-P., Domenger, J.-P.: Representation of segmented images with discrete geometric maps. Image and Vision Computing 17:10 (1999), 715–735.

[7] Brun, L., Kropatsch, W.G.: Contains and inside relationships within combinatorial pyramids. Pattern Recognition 39 (2006), 515–526.

[8] Coquand, T., Huet, G.: Constructions: A higher order proof system for mechanizing mathematics. EUROCAL (1985), LNCS 203, Springer-Verlag.

[9] The Coq Development Team - LogiCal Project: The Coq Proof Assistant Reference Manual - Version 8.0, INRIA, France (2004). http://coq.inria.fr/doc/main.html.

[10] Cori, R.: Un Code pour les Graphes Planaires et ses Applications. Asterisque 27 (1970), Societe Math. de France.

[11] Damiand, G.: Definition et etude d'un modele topologique minimal de representation d'images 2D et 3D. PhD Thesis, U. de Montpellier 2 (2001).

[12] Damiand, G., Bertrand, Y., Fiorio, C.: Topological model for two-dimensional image representation: definition and optimal extraction algorithm. Computer Vision and Image Understanding 93:2 (2004), 111–154.

[13] Dehlinger, C., Dufourd, J.-F.: Formalizing the trading theorem in Coq. Theoretical Computer Science 323 (2004), 399–442.

[14] Dufourd, J.-F., Puitg, F.: Functional specification and prototyping with combinatorial oriented maps. Computational Geometry - Theory and Applications 16 (2000), 129–156.

[15] Dufourd, J.-F.: Polyhedra genus theorem and Euler's formula: a hypermap-based formalized proof in Coq. Submitted for publication (2006).

[16] Flato, E., et al.: The Design and Implementation of Planar Maps in CGAL. The ACM J. of Experimental Algorithmics 16 (2000). Also in LNCS 1668 (WAE'99), Springer-Verlag, 154–168.

[17] Gonthier, G.: A computer-checked proof of the Four Colour Theorem. Microsoft Research, Cambridge, http://coq.inria.fr/doc/main.html (2005), 57 pages.

[18] Grasset-Simon, C., Damiand, G., Lienhardt, P.: nD generalized map pyramids: Definition, representations and basic operations. Pattern Recognition 39 (2006), 527–538.

[19] Haralick, R.M., Shapiro, L.G.: Image segmentation techniques. Computer Vision, Graphics and Image Processing 29 (1985), 100–132.

[20] Huet, G., Kahn, G., Paulin-Mohring, C.: The Coq Proof Assistant - A Tutorial - Version 8.0, Tech. report, INRIA, France (2004). http://coq.inria.fr/doc/main.html.

[21] Knuth, D.E.: Axioms and Hulls. LNCS 606 (1992), Springer-Verlag.

[22] Lienhardt, P.: Topological models for boundary representation - A survey. Computer Aided Design 23 (1991), 59–81.

[23] Lorensen, W.E., Cline, H.E.: Marching cubes: A high resolution 3D surface construction algorithm. Computer Graphics 21:4 (1987), 163–170.

[24] Meikle, L., Fleuriot, J.: Mechanical theorem proving in computational geometry. In Automated Deduction in Geometry (2005), LNCS 3763, Springer-Verlag, 1–18.

[25] Paulin-Mohring, C.: Inductive Definition in the System Coq - Rules and Properties. In Typed Lambda-calculi and Applications (1993). LNCS 664, Springer-Verlag, 328–345.

[26] Pichardie, D., Bertot, Y.: Formalizing Convex Hulls Algorithms. Theorem Proving in HOL Conf. (2001). LNCS 2152, Springer-Verlag, 346–361.

[27] Puitg, F., Dufourd, J.-F.: Formalizing mathematics in higher-order logic: A case study in geometric modelling. Theoretical Computer Science 234 (2000), 1–57.

[28] Requicha, A.A.G.: Representations for Rigid Solids. ACM Computing Surveys 12:4 (1980), 437–464.

[29] Rosenfeld, A., Kak, A.C.: Digital Picture Processing 2. Academic Press, New York (1982).

[30] Serra, J.: A Lattice Approach to Image Segmentation. J. of Mathematical Imaging and Vision 24 (2006), 83–130.

[31] Sivignon, I., Dupont, F., Chassery, J.M.: Reversible Polygonalization of a 3D Planar Discrete Curve: Application to Discrete Surfaces. Discrete Geometry for Computer Imagery Conf. (2005). LNCS 3429, Springer-Verlag, 347–358.

[32] Tutte, W.E.: Graph Theory. In Encyclopedia of Mathematics and its Applications. Addison Wesley, Reading, MA (1984).