Realizability: Extracting Programs from proofs Types Summer School 2007 Bertinoro (Italia)

Realizability: Extracting Programs from proofs Types Summer School 2007 Bertinoro (Italia)

116 Views

Download Presentation
## Realizability: Extracting Programs from proofs Types Summer School 2007 Bertinoro (Italia)

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Realizability: Extracting Programs from proofsTypes Summer**School2007 Bertinoro (Italia) 4-hours Course by: Stefano Berardi Semantic of Computation Research group Computer Science Dept. Turin University http://www.di.unito.it/~stefano**The text of this short course on Realizability may be found**in the home page of Stefano Berardi: http://www.di.unito.it/~stefano (look for the word “Bertinoro”)**Plan of the course**Lesson 1. The Realization Interpretation. • 1.1. The Realization Interpretation. 1.2. From Proofs to Realizers. 1.3. The Harrop Types. Lesson 2. Program Extraction and Useless Code. • 2.1. An example of Program Extraction. 2.2.Program Extraction and Useless code. 2.3.Useless Code Analysis.**Reference Text**• L. Boerio “Optimizing Programs Extracted from Proofs”. Ph. D. Thesis, C. S. Dept. Turin University, 1997. • Available in the web page of the course: http://www.di.unito.it/~stefano • (look for the words: “Boerio Ph.d.”)**Lesson 1**The Realization interpretation**Plan of Lesson 1**• § 1.1 The Realization Interpretation. • § 1.2 From Proofs to Realizers. • § 1.3 The Harrop Types.**§ 1.1 The Realization Interpretation**• In Intuitionistic Logic, any proof D of a closed formula of Heyting Arithmetic HA may be interpreted by some effective operation r associated to (Heyting’s Interpretation). • We will call such an r a Realizer of . • In the simplest case, r is the proof D itself, executed through normalization. • Yet, in order to effectively use Heyting Interpretation, is is convenient to think of r as a separate object, a term of a typed -calculus T. • We will define Heyting’s interpretation of HA in the typed -calculus T.**§ 1.1 The First Order system HA**• We formalize HA as the first order multi-sorted language for Integers and Lists of integers, with induction over Integers and over Lists. • HA has some fixed set of recursive functions, of predicates, and of rules having atomic premises and an atomic conclusion. • x denotes any sequences of variables of HA, each labeled with its type (Integer or List). • The quantifiers of HA are: yT.[x,y], yT.[x,y], with T = Integers, Lists.**§ 1.1 Extending the language of HA**• All what we will say applies when we have in Heyting Arithmetic not just the types T=Integers, List • but also the types T=any Bohm-Berarducci Data Type of cardinality > 1 • Look at Boerio Ph.d in the Web page of the docent if you want to learn more.**§ 1.1 The -calculus T**• We will define the realizers for HA in the simply typed -calculus T. • The atomic types of T are the Data Types Unit={unit}, Bool={True,False}, N={0,1,2,3,..}, List={nil, cons(n,nil), cons(n,cons(m,nil)),…} • T has product types and 1, 2, <_,>, arrow types and, , appl. T includesif, and primitive recursion recN,T, recL,T over integers and over lists. • We abbreviate AB…C by A,B,…C. We abbreviate 1(a), 2(a) by a.1, a.2.**§ 1.1 Dummy constants.**• For each simple type T of T, we need some dummy element dummyT:T, the default value for such a type. • We define dummyT:T by induction over T. • dummyUnit = unit • dummyBool = False • dummyN = 0 • dummyList = nil • dummyTU = x. dummyU • dummyTU = <dummyT, dummyU>**§ 1.1 The Realization relation**• For any formula of HA and any -term r of T, we will define the Realization relation “r is a realizer of ”, abbreviated “r:”. • If x1,…,xn are the free variables of (all integers or lists), then the realizer r may depend on the same variables. • We distinguish, in the definition of r: for any formula , one case for each possible first symbol of : P (any predicate letter ), , , , , **§ 1.1 Realizing Atomic Formulas.**• If = P(t1,…,tm), we define r:P(t1,…,tm) r=unit, and P(t1,…,tm) is true in the standard interpretation. • Note. We chose r=unit because a proof of an atomic formula corresponds to a vacuous operation, therefore to a dummy value. • The type Unit={unit} is the type of vacuous operations.**§ 1.1 Realizing Propositional Connectives**• r:12 r.1:1 and r.2:2 • r:12 r.1Bool r.1=True r.2.1:1 r.1=False r.2.2:2 if r.1=True, then the canonical choice for r.2.2 is a dummy constant, and conversely. • r:12 for all s:1, r(s):2**§ 1.1 Realizing Quantifiers.**• r:yT.[y] for all yT, r(y):[y] • r:yT.[y] r.1T and r.2:[r.1]**§ 1.1 Realization and programs**• The canonical choice for a realizer r : yT.(f(x,y)=0) is some pair r[x]=<y[x],unit>, of a function y=y[x]:T, solving the equation f(x,y)=0 (w.r.t. the parameters in x), and some dummy realizer unit of f(x,y)=0. • yT.(f(x,y)=0) says “there is a solution to f(x,y)=0, parametric in x”, while r finds it. • r:yT.(f(x,y)=0) may be seen as a program whose specification is yT.(f(x,y)=0). • We will define a Realization interpretation, turning any intuitionistic proof in HA of solvability of some equation, into a program which effectively solves such equation.**§ 1.1 Realization Interpretation of Formulas.**• Let be any formula of HA. Then there is some simple type || of T such that for all r: we have r of type ||. • The definition of || is by induction over . • |P(t1,…,tm)| = Unit for any predicate P • |12| = |1| |2| • |12| = Bool ( |1| |2|) • |12| = |1| |2| • |xT.| = T || • |xT.| = T ||**§ 1.1 Realization Interpretation of Proofs.**• Let ={1,…,n} be a set of formulas of HA with free variables in x=x1,…,xk. We may turn every natural deduction proof D: of HA, with free assumptions in , into some realizer r:, depending on free variables in x, and on some realizer variables 1:|1|, …, k:|k|. • The definition is in the next slides, by induction on the proof D. There is one clause for each possible rule at the conclusion of D. • For simplicity we write r for r[x1,…,xn].**§ 1.2 From Proofs to Realizers**• Assumptions: i : i • Atomic rules. Assume D ends by some rule of HA with atomic premises and conclusion. … … unit:P1(t1) … unit:Pm(tm) ---------------------------- unit:P(t) • If |- unit:P1(t1), …, |- unit:Pm(t1), then |- unit:P(t)**§ 1.2 Introduction of **• Rules for • Introduction rules: s1: s2: ------------------- <s1,s2>: • If |- s1: and |- s2: then |- <s1,s2>: **§ 1.2 Elimination of **• Elimination rules: s: s: ---------- ---------- 1(s): 2(s): • If |- s: , then |- 1(s): and |- 2(s):**§ 1.2 Introduction of **• Rules for . Let T=True, F=False, and _, _’, be dummy elements of ||, ||. • Introduction rules: r: s: ------------------------ ------------------------ <T,<r,_’>>: <F,<_,s>>: • If |- r: then |- <T,<r,_’>>: • If |- s: then |- <F,<_,s>>: **§ 1.2 Elimination of **• Elimination rules for . Leti=r.1and a = r.2.1 andb = r.2.2.Assume if i=True then a:, and if i=False then b:. Set: u =if (i=True) then s[a] else t[b] Then : : … … r: s[]: t[]: ---------------------------------------------- u: • If |- r: and , :|- and , :|-, then |- u: \ \**§ 1.2 Introduction of **• Rules for . Introduction rule: : … s[]: -------------------- .s[]: • If , : |- s[]:, then |- .s[]: \**§ 1.2 Elimination of **• Elimination rule: r: s: ------------------------- r(s): • If |-r: and |-s:, then |-r(s):.**§ 1.2 Introduction of **• Rules for : Introduction rule. Let t be any term of the language of HA. … r: [t] ------------------- <t,r>: xT.[x] • If |- r:[t] for some t, then |- <t,r>: x T.[x]**§ 1.2 Elimination of **• Rules for : Elimination rule. Assume thati=r.1 and a=r.2 and a: [i]. Then: , :[x] … … r: xT.[x] t[x,]: ----------------------------------- t[i,a]: • Provided xFV(,). • If |-r:xT.[x], ,:|-t[x,]:, and xFV(,), then |- t[i,a]: \**§ 1.2 Introduction of **• Rules for : Introduction rule. … r[x]:[x] ----------------------- x.r[x]:xT.[x] • Provided xFV() • If |-r:[x] and xFV(), then |- x.r[x]:xT.[x]**§ 1.2 Elimination of **• Rules for : Elimination rule. Let t be any term of the language of HA. … f:xT.[x] --------------- f(t):[t] • If |- f:xT.[x], then |-f(t):[t] for all t**§ 1.2 Induction axiom for N**Induction Axiom for the type N=Integers. • Let T=||. We define a realizer RecN,T: xN.([0]yN.([y][y+1])[x]) • Rec has type: N,T,(N,TT)T • Let n:N and r:T and s:N,TT. • We inductive define RecN,T(n,r,s):T by: • RecN,T(0,r,s) = r • RecN,T(n+1,r,s) = s(n,RecN,T(n,r,s))**§ 1.2 Induction axiom for L**Induction Axiom for the type L=Lists. • Let T=||. We define a realizer RecL,T: lL.([nil] xN,mL.([m][cons(x,m)]) [l]) • RecL has type: L,T,(N,L,TT)T • Let n:N and r:T and s:N,L,TT. • We inductive define RecL,T(l,r,s):T by: • RecL,T(nil,r,s) = r • RecL,T(cons(n,l),r,s) = s(n,l,RecL,T(l,r,s))**§ 1.2 A Model for Realizers**• In order to study the behavior of Realizers we first define a model for T. • For each simple type T of T we define some set-theoretical interpretation [T]Set: • [Unit] = {unit} • [Bool] = {True,False} • [N] = {0,1,2,3,…} • [L] = {nil, cons(n,nil), …} • [TU] = [T][U] (Cartesian Product) • [TU] = {Set-theoretical functions :[T][U]}**§ 1.3 The Harrop Types**• The set-theoretical interpretation of types of T may be extended to an interpretation of open terms of T. • We write t=Setu iff the open terms t, u have the same interpretation in the Set-Theoretical Model (for all values for free variables in t,u). • Denote the cardinality of [T] by C([T]). • For all types T: C([T])1 (because dummyT:T) • We say that H is an Harrop type (is Harrop, for short) iff C([T])=1 (iff t=Setu for all t,u:H).**§ 1.3 Characterizing Harrop Types**• Lemma (Criterion for Harrop types). • Unit is Harrop.Bool, N, L are not Harrop • HH’ is Harrop H, H’ are Harrop • TH is Harrop H is Harrop • Proof. • C({unit})=1,C({True,False}),C({0,1,2,..})>1,... • C([HH’]) = C([H])C([H’]) = 1 iff C([H]) = C([H’]) =1. • C([TH]) = C([H])C([T]) = 1 iff C([H]) = 1 (because C([T])1 ).**§ 1.3 The Harrop(.) map**• A term u is Harrop iff its type is. • We may decide if u is Harrop. If u:U is Harrop, then [U] is a singleton and u=SetdummyU. • Denote with Harrop(t) the term obtained out of t by replacing any maximal Harrop subterm u:U of t with dummyU. • Theorem. t=SetHarrop(t). • Proof. We defined Harrop(t) by replacing some subterms of t with some equal terms. • The map Harrop(.) is some simplification procedure over Realizers. What does it do?**§ 1.3 The Harrop(.) map**• If is any first order formula of HA, we say that is Harrop in HA iff || is Harrop in T. • If is an Harrop formula, then all r: are replaced with dummy|| by the map Harrop(.). • Therefore, if is Harrop, all Realizers r: correspond to some dummy operation. • Thus, we are interested in characterizing the set of Harrop formulas , in order to learn which realizers are (necessarily) dummy.**§ 1.3 Harrop formulas**• If =P(t), then ||=Unit is Harrop. • If =12, then ||=|1||2| is Harrop iff |1|,|2| are. • If =2, then ||=|||2| is Harrop iff |2| is Harrop. • If =xT.2, then ||=T|2| is Harrop iff |2| is Harrop. • If =12, then ||=(|1||2|)(|2||1|) is Harrop iff |1|, |2| are Harrop. • If =12, xT.2, then is not Harrop, because ||=Bool(|1||2|), T|2| have cardinality > 1 (because T has card. > 1).**§ 1.3 Characterizing Harrop Formulas**• Theorem (Harrop formulas). The set of Harrop formula is the smallest set including: • all atomic formulas, and with 1,2, also 12, xT.2, 12, and 2 (with any formula). • Corollary. We may decide if any is Harrop. • All proofs of Harrop formula may be neglected if we are looking for the program hidden in a proof: they generate a dummy realizer.**§ 1.3 Some Harrop Formulas**• Negations. All are Harrop, because =(), and is atomic, hence Harrop. Thus, any statement defined through a negation may be neglected. • Examples are: • “x is not a square”, • “x is a prime element = no y, z are a factorization of x”.**§ 1.3 More Harrop Formulas**• Universal properties. All quantifications x1,…,xn f(x1,…,xn) = g(x1,…,xn) • are Harrop. This set includes: • Associativity, Commutativity, all equational identities. • “the list l is sorted = every element in l but the last is of the next one” • “the lists l, m are permutations = for all integers x, the number of times x occurs in l and m are the same”.**§ 1.3 About Harrop Formulas**• Note. Being Harrop depends on the exact formal definition we choose. • For instance: if we formally define “l, m are permutations” • by “there is some permutation sending l into m” • then the statement we obtain is not Harrop (because of the existential quantifier in it). • From now on, we will write in green all Harrop parts. They are totally irrelevant and we could skip them all.**§ 1.3 Logical Parts**• Subproofs whose conclusion is an Harrop formulas correspond to purely logical parts of the proof. They define no action, but they may be used in order to prove that the action defined by the proof is correct. • An example. Suppose we are looking for a solution of (x2-3x+2)=0, and we find some a such that (a2+2=3a). Then using the Harrop statement xN.(x2-3x+2)=0 (x2+2=3x) • we may prove that a solves the original equation (x2-3x+2)=0.**Lesson 2**Program Extraction and Useless Code.**Plan of Lesson 2**• § 2.1An exampleof Program Extraction. • § 2.2Program Extraction andUseless Code. • § 2.3Useless Code Analysis.**2.1: An example of Program Extraction**• We extract a toy sorting algorithm out of a proof that all lists may be sorted. • We write first the proof, then the program. We write in green all Harrop parts. They are totally irrelevant and we could skip them all. • Assume Perm(l,m), Sorted(m) denote the Harrop statements: “l, m are permutations”, and “m is sorted”. • Let nil=<> and x*<x1, …, xn> = <x,x1, …, xn> • Assume we already proved that ordering on N is total: x,yN.(xy x>y).**2.1: The Sorting statement**• We are going to prove the formal statement: = lL.mL.(Perm(l,m) Sorted(m)) • A realizer sort: has type || = LLH, where H = |Perm(l,m) Sorted(m)| is Harrop. We abbreviate L’ = LH. • Any realizer sort: takes some list l, and returns some pair sort(l)=<m,_>:L’, where: • m = sorted version of l; • “_” = some realizer of type H, corresponding to some proof of (Perm(l,m) Sorted(m)).**2.1. Optimizing the realizer “sort”**• If we apply the simplification Harrop(sort), then any subterm “_:H” in sort is replaced by dummyH:H (some dummy constant). • Replacing “_” by dummyH is computationally correct: any proof of (Perm(l,m) Sorted(m))states something about l, m, but it performs no action on l, m.**2.1. Proof of Sorting by induction on Lists**• Base case:nil. We have to prove mL.Perm(nil,m) Sorted(m). We set m=nil. • Inductive case:x*l for some xN. By ind. hyp., Perm(l,m) and Sort(m) for some mList, hence Perm(x*l, x*m). • We first prove the Lemma : for all m, if Sorted(m), then for all x*m there is some permutation p of x*m which is sorted. =mL.Sorted(m)xN.pL.(Perm(x*m,p) Sorted(p)) • Out of the Lemma, we conclude Perm(x*m, p), and by transitivity of Perm, Perm(x*l,p), Q.E.D..**2.1. Proof of the Lemma**• A realizer ins: has type || = L,Unit,NL’. • The Lemma is proved by induction over some list m such that Sorted(m). • Base case of the Lemma: m=nil. • We choose p=x*nil. We have to prove Perm(x*nil, x*nil), Sorted(x*nil). This is immediate. • Inductive case of the Lemma. Let m=y*q for some q. Assume Sorted(m)Sorted(y*q). We distinguish two subcases: xy and x>y.**2.1. The two subcases**• Subcase xy. We choose p=x*y*q (p is obtained from x*y*q by the identity permutation). From Sorted(y*q) and xy we conclude Sorted(x*y*q) . • Subcase x>y. We switch x and y. By the induction hypothesis on q we have Perm(x*q,r) and Sorted(r) for some r. We choose p=y*r. We have to prove Perm(x*y*q, y*r) and Sorted(y*r) under the current hypotheses (which are: Sorted(y*q) and x>y).