OPLSS2012 Lect1 and 2

8/9/2019 OPLSS2012 Lect1 and 2

1/137

Robert L. Constable

Cornell University

Science


2/137

1. Present two new results :‐‐ ,‐‐ a bit of new theory and practice: synthesized

“ ” events.

2. Look toward what might come next in type theory.


3/137

the international Turing celebrations .

For example, I’ll mention the role of Turing and

Church in type theory . For the constructive aspects, ’w uw w .

, science , one from logic , and one from mathematicscreating the genome of constructive type theory.


4/137

Consider the broad international u take of Co !

Four Color Theorem of GonthierMSR investing in Gonthier’s unit proving Feit ‐ThompsonFundamental Theorem of Algebra

The CompCert CLight compiler of LeroyFields medalist Voevodsky’s Homotopy TheorySoftware Foundations textbook by Pierce et al

, Several key industrial applications (Java card, Air Bus,…)

–

And more …


5/137

Ex ert ro rammers di dee l into their lan ua es.

Imagine what expert Coq programmers learn, the kind of logic and mathematics that is part of what they routinely .

, formal logic with higher ‐order quantifiers

formal semantics classical versus constructive logicall in a unified theory


6/137

curriculum teaches algorithms , before middle school.

School students now learn sets in mathematics and .

‐programming in school as well, as they might?


7/137

, , ,

they share the theory of inductive types based on Nax Mendler’s LICS a ers, also for co‐inductive types.

The share the ITT redicative universe hierarch and realizability semantics.They share the LCF tactic mechanism from 1979.They even share code written by Chetan Murthy.


8/137

taken together span a large part of computing theorywith Coq especially strong in programming languages an a vance mat emat cs an upr strong n

distributed protocols and constructive domain theor artial t es .

’ “ of the lecture series” as they say on Car Talk here in America, and I’ll do one example on partial types.


9/137

about Turing:

His universal machine would compute with formulas as well as numbers.

Hod es sa s: ``It the universal machine ut lo ic not arithmetic, in the driving seat.''


10/137

type theory, and Turing wrote

Practical Forms of Type Theory, JSL, 1948.

His idea was that type theory was the natural “ ”

Church’s simple type theory was a good model – HOL users agree .


11/137

Constructive t e theories and their roof assistants are

the joint creation of computer science (informatics), logic, and mathematics – ITT, CTT, CIC are examples.

OPLSS is one of the schools that brings the players from these disci lines to ether nurtures work in t e theor –its basic concepts and important applications .

I believe that the PL community will continue to play a nurturing role and understands that the subject is far from finished and that it la s a unif in role in computing theory as well as in programming languages.


12/137

constructive type theory ‐‐ realizability semantics for lo ic ‐‐ under a variet of different names:

, proofs ‐as ‐programs (programs ‐from ‐proofs)

Curry ‐Howard isomorphism

uw y g g v


13/137

’ ‐ ‐

realizability is one of those ideas familiar to many OPLSS artici ants and that it will eventuall be known by all computer scientists – the way sets, open sets, continuous functions, vector spaces, etc. are known to all mathematicians.

How many people here could teach this idea to a com uter science 2nd ear student?


14/137

propositions , A,B,C, …. Here is how evidence is defined for com ound ro ositions.

A & B == A × B Cartesian roduct [A v B] == [A] + [B] disjoint union

= == [¬A] == [A] void functions to empty type


15/137

Brief Review: Pro ositional EvidenceSuppose that we have evidence types for the atomic

, , ,…

compound formulas using types (or sets).

& == x B A B

====

B A B∨ ⊕

== A A ¬ →


16/137

. ==

[Allx.B(x)] == x:D [B(x)] dependent functions

The existential quantifier is also regarded as a ∑type, a disjoint sum of a family of evidence types.


17/137

Evidence for Quantified Statements

: . : x x x x x==

: . : x x x A B x A B∀ == →

The existential quantifier is also regarded as a ∑

, .


18/137

realizability semantics:= = = =

‐ λ f. λ x.λ y. f() or

λ f,x,y. f()


19/137

realizability semantics:= = = =

, , ‐ ,

s s e spec ca on or e urry ng as .


20/137

‐

the untyped realizer is . . .1 .2

p.1 and p.

2 project from the pair,

e.g. p. 1 ε an p. 2 ε

t e typ ng u gment sf: (A => (B => C)), p: A&B | ‐ f(p.1)(p. 2) ε C


21/137

logic is natural and easy to understand, directly tied to specifying programming problems and all that.They learn some logic, get excited and want to know

the consistency and completeness theorems for this ea n pure rs ‐or er og c – .We give them proof rules and consistency, then …

We give them back Kripke semantics ‐‐ and possibly a classical completeness proof as well!! And then we

.


22/137

1. Look at a constructive completeness proof for

ntu t on st c rst ‐or er og c w t respect to its intended realizability semantics .

2. In ect scuss on o type t eory es gn ssues an possible future directions, and follow up in

interests.


23/137

‐

(math, philosophy, computer science, linguistics). It’s taught in basically all logic books .Gödel’s completeness theorem ties together proof

and validity ‐‐ central to classical FOL study liking .

intuitionistic first ‐order logic (iFOL) using the intended realizability semantics (BHK). Completeness only for Beth and Kripke semantics.


24/137

Gödel’s PhD Thesis was Completeness of FOL’ ,

approved by his advisor Hans Hahn. It was titled: On the com leteness o the calculus o lo ic.

In 1930 it was ublished as: The com leteness o the axioms of the functional calculus of logic. He used the axioms of Principia Mathematica.


25/137

n e s mp es an c eares proo s rom Smullyan’s First ‐Order Logic , Springer 1968, Dover

‐, , .


26/137

’ This theorem sa s that there is a set of inference

rules and axioms such that every formula of FOL that is true in every model (valid) is provable using these rules.

These are the complete set of rules .

This theorem sets us up for Gödel’s more famous incompleteness theorem for arithmetic.


27/137

don’t teach Gödel’s original proof since there are now much better ones. Also we now sometimes re er t e mo e s as ar s structures. ese structures have a domain of discourse D, assumed to be non ‐em t and for ever relation Rn of the lo ic we assign a propositional function Rn: D Bool. So we get as a structure or model.

Each Ri has an arity n i, Ri: Dni Bool.


28/137

The usual classical roof assumes that a formula

G is valid (true in all structures), and then a systematic method of searching for a proof is devised based on the proof rules.

We then show that if the systematic procedure fails to find a proof, it will generate a structure M

, validity. Running on forever creates such a structure as well b Köni ’s Lemma.


29/137

we need to change the formulation.

First, the domain D must be a type . Second, the

relations are not maps into Bool, they must be maps , . , semantics is not based on Tarski but on Brouwer, on realizability. Fourth, we must be able to find the proof, not show that the proof finding procedure must fail, we must know that it will halt.


30/137

,

computational content of proofs provides the realizers .

, , . suggest that there is no constructively valid

semantics and intuitionistic validity . I will mention these results next.


31/137

,

as given in Troelstra and van Dalen (TvD88). There is a va ueness and lack of “canonicalit ” there, but some results:

Kreisel based on Gödel showed that given Church’s

Moreover, completeness implies Markov’s Principle.


32/137

The validit semantics carries over the classical notion of a model and uses BHK semantics for the logical operators on propositions and types for the

universe, Type 1.

We say that formula G is valid iff it is realizable in all models of the domain and the atomic propositions.

, , and CTT make this semantics precise . That is a big step since 1988.


33/137

CTT implemented by Nuprl also provides a closely related notion uniform validit b usin intersection types and polymorphic terms .

That concept is not in CIC nor ITT. (It could easily be added to ITT82.)


34/137

strong completeness result, and the right one, since it ca tures recisel the observation that iFOL roofs provide uniform realizers, also called polymorphic

realizers, as their computational content.

Here is how I lan to rovide the details for this narrative.


35/137

concepts since 2002 needed for the completeness theorem.

2. Sketch a formal semantics for intuitionistic first ‐order logic (iFOL) and minimal first ‐order logic (mFOL).

3. State and illustrate the new completeness eorem , prove w ar c or n .


36/137

Some Unifying Basic Concepts from Type Theory

Computability , e.g. partial computable functions in


37/137

Implication Introduction (=>R)

ū:H | ‐ A => B by λ(x.slot)ū:H, x:A | ‐ B by b(x) ‐‐‐‐‐‐‐‐‐‐‐̂

The realizer or proof term is λū,x.b(x)


38/137

| ‐ A=>(B=>A) by λ(x.__ )x:A ‐ B=>A y y.__ ‐‐‐̂

x:A, y:B | ‐ A by x ‐‐‐‐‐‐‐̂ (axiom)

. . . this is polymorphic , i.e. uniform in A, B.


39/137

Constructive t e theor derives its meanin

from an underlying computation system, usually defined by reduction rules in the style of Plotkin’sstructured operational semantics .

For example, untyped lambda terms , λ(x.b), are considered irreducible values , and applications

value, then applying the function value to the ar ument a either b “name” or “value” .


40/137

The ITT and CTT a roach to com utation mediates a long standing debate in computer science between those in the “no types camp”

untyped , as in the untyped lambda calculus (Lisp,

Scheme), and those in the “types camp” who e eve s ou e ype go , ava, .

defining computability is untyped , but reasoning is typed, this is fundamental to completeness.


41/137

‐

open ended , it is not possible to prove unsolvability by enumerating all possible computational forms. In particular, Church’s Thesis (CT) is not postulated.

In building the Nuprl proof assistant for CTT84, we anticipated extending the computational model to

concurrent systems and to physical devices. Thus CT was not the appropriate notion.


42/137

‐ Edinburgh LCF showed the power of having a computational meta ‐theory based on a clean functional programming model as the basis for automatin reasonin . A da HOL Co Nu rl and MetaPRL are all descendents of the LCF proof assistant architecture.

Key to Milner’s LCF is the idea that programs are ol mor hic and the com iler attem ts to infer the

type in context given some base types such as integers and lists. The type checker was a small


43/137

‐

Nuprl’s implementation of CTT arose from a conver ence of concerns:

top down problem solving (AI)

ac cs an ac ca s(tableaux style proofs)


44/137

A Picture of Proof Trees ├ G

2 21 1

pf

44

P f St t ith E t t


45/137

Proof Structure with Extracts ├ G by op( op1(lt,md,rt) ; op2(lt,rt) )

2 2 by , y , ,

pf

45


46/137

Anal zin Proof Structure

key insightsclever step

filled in by machinehumans ignorehumans need

experts needed

routinelearners need obviousTrivial

well knownminor variant of pf

46


47/137

Polymorphism and computational semantics for , , .

Uniform validity and constructive completeness.

Computability of partial functions , domains.


48/137

‐

inference is well known.

I want to draw attention to the way in which ‐ ‐

as a computational semantics, illustrating the unity


49/137

The term λx.x is the identit function on all t es, i.e. λx.x ε A ‐> A for any type A.

The term λx.λy. pair(x;y)) denotes a pairing function of type (A ‐> (B ‐> (A × B)) for any types

< >

We sa that such terms are ol mor hic.

Note, the functions computed by these terms are “too big” to exist in Set Theories.


50/137

The binar intersection t e was used as a lo ical connective for propositional logic by Coppo and Dezani in 1978.

A B∩

These are the elements in both types A and B with = = = .


51/137

We can also intersect a family of types B . Let

aa A B∈∩

denote the type of elements that belong to Ba for every a in Type. This intersection operator acts as a uniform uantifier over A.

contains exactly λx.x.: A Type A A=>


52/137


53/137

the benefits of polymorphism and its explanatory power in understanding algebraic structure, classes, an o ects. s e us to ma e t ese new type constructors essential to CTT after 2003.

We began to systematically exploit these ideas and apply them heavily in our practical work and in

looking at logical questions. I made an observation in a 2010 class that fascinated me. Here it is.


54/137

,

that all of the realizers are uniformly valid in the sense that the belon to the t e of the axiom regardless of the domain D and the atomic propositions P

i and relations R(x

1,…,x

n).

We will look at this fact for refinement style

presentation of the inference rules and explain the realizers built from these rules.


55/137

top down . From a proof goal, we generate subgoals.

The goals and subgoals are sequents :

u1:A1, …, un:An | ‐ G

more succinctly ū:H | ‐ G


56/137

1 1, …, n n ‐ i i

Generally the Ai are propositions, but we will also have declarations d:D that d is in the domain of

scourse. ey w us y e goa n .


57/137

Implication Introduction (=>R)

ū:H | ‐ A => B by λ(x.slot)ū:H, x:A | ‐ B by b(x) ‐‐‐‐‐‐‐‐‐‐‐̂

The realizer or proof term is λū,λx.b(x)


58/137

| ‐ A=>(B=>A) by λ(x.__ )x:A ‐ B=>A y y.__ ‐‐‐̂

x:A, y:B | ‐ A by x ‐‐‐‐‐‐‐̂ (axiom)

. . . polymorphic , i.e. uniform in A, B.


59/137

Rules for ImplicationImplication Elimination(=>L)

’1 , , 2 ‐

ū : H x: A => B ū :H’ ‐ A b a ‐‐‐‐‐‐‐‐‐̂

ū1: H, x: A => B, y:B, ū2:H’ | ‐ G by g(y) ‐‐‐‐‐‐̂

realizer λū x ū . a x a


60/137


61/137

Elimination (&L)

ū1: H, x: A & B, ū2:H’ | ‐ G by spread(x; u,v. slot)ū1: H, u:A, v:B,ū2:H’ | ‐ G by g(u,v) for slot ‐‐‐‐̂

realizer λū1,u,v,ū2.spread(x; u,v. g(u,v))


62/137

, , , . , . ,

T e sprea notation is rom ITT82 an wor s well as a proof term, telling us how to name t e ypot eses us ng a e s u an v .

Given a pair p, u = p.1 and v = p.2. We can also sa “let = u v in ” an ML like notation.


63/137

Rules for Existential QuantifierExists Intro (ExistsR)

ū:H | ‐ Ex.G(x) by ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐̌

ū:H | ‐ G(d) by g(d) ‐‐‐‐‐‐‐‐‐̂ū:H | ‐ d in D

realizer λū.


65/137

Exists Elimination (ExistsL)

ū1:H, x: Ex.R(x), ū2:H’| ‐ G by spread( x; u,v. slot)

’1 , , , 2 ‐ , ‐‐‐‐‐‐‐‐‐‐‐‐

1, , , 2. ; , . ,


66/137

Universal Intro (All‐R)

ū:H | ‐ All x.G(x) by λ(x.slot)

, ‐ ‐‐‐‐‐‐

.


67/137

Rules for Universal QuantifierUniversal Elim (All‐L)

ū1:H, x: All x.R(x), ū2:H’| ‐ G by ap( x;d)ū

1:H, x: All x.R(x), y:R(d),ū

2:H’| ‐ G by g(y)

ū1:H, x: All x.R(x), ū2:H’| ‐ d in D

rea zer 1,x,

2.g ap x; y , .e. su st tute

ap(x; d) for y in g(y).


68/137

Rule for FalseFalse Elim

ū1: H, x: False, ū2:H’ | ‐ G by any (x)

λū1,x,ū2.any (x)

s ru e st ngu s es rom m .


69/137

Excluded Middle

H | ‐ P v ¬P by magic(P)

This realizer makes sense in a classical account of

oracle computability , given an oracle for P. This realizer is not polymorphic .


70/137

Notice that all of the realizers except for magic (P) are .

rule out Excluded Middle.


71/137

.

. . = = .

.sprea ;e, . sprea e; ,p.< , p > .

Exercise: Bui t e proo rom t is rea izer.


72/137

next lecture we will build a proof from them using the proof procedure for completeness .

3. ~ P & Q & P v ~P & Q v ~Q => ~P v ~Q.

4. Ex.(P(x) => C) => ( (Allx.P(x)) => C ) where C has no

free occurrences of x.My colleague, Liron Cohen , and Robbert Krebbersboth students in the school will help you understand the exercises.


73/137


74/137

We will look more closely at the completeness , . solution to exercise three as a motivator.

,

intersection type in CTT, the type theory of Nuprl e.g. its use in defining dependent records .See additional exercises on the last slides.


75/137

associated extracted realizers, we can see by a simple induction on the proof structure that iFOL is cons stent, every prova e ormu a s un orm y valid .

We will also see that our completeness theorem provides an alternative proof of cut elimination .


76/137

completeness theorems as an example of constructive model theor .


77/137


78/137

where he tried to define some notion of “uniform

truth” b talkin about ermutations. But we need a stronger notion.


79/137

, and no matter what atomic relations R

i, the realizer is

the same.

Because of the work of Co o and Dezani and the work of Reynolds and Pierce, we knew how to say this. We say that the evidence belongs to the intersection of all the evidence we can find for any D and Ri. This was a new idea.


80/137

uniformly valid.

Corollary : A formula G of iFOL is provable iff it is

uniforml valid.

completeness of first ‐order logic , arXiv 2011.


81/137

The binar intersection t e was used as a lo ical connective for propositional logic by Coppo and Dezani in 1978.

A B∩

These are the elements in both types A and B with = = = .


82/137


83/137

A formula G of iFOL is provable if and only if it is

atomic relations Ri.

Let’s try it only some simple examples and see if it .


84/137

~ v ~ v ~ => ~ v ~

λ h. spread h; na,dp,dq. decide dp;p. ….;np. Inl(np) ))

What to do in the case p. … ? Should we split on nq?


85/137

Q? YES, how about this evidence for ~Q?

p.inr( λq. na()

This is almost right, but it only proves False, we need ~ .

p.inr( λq. any(na()))


86/137

G and a realizer evd and we want to construct a proof

|= G, evd

In the case of |= G1 => G2, evdwe know that evd must reduce to λh.g. our evidence

, evd to be evidence . So we can start building the

roof. This ives us a new evidence structure .


87/137

h:(~(P & Q) & (P v ~P) & (Q v ~Q) ) |= ~P v ~Q ,

spread(h; na,dp,dq. decide(dp;p.inr( λq. any(na()));np. Inl(np) ))


88/137

na:~(P&Q), dp:(Pv~P),dq:(Qv~Q) |= ~P v ~Q, decide(dp;p.inr( λq. any(na()));np. inl(np) ))


89/137

~ ~ ~ ~, , ,

inr(λq. any(na()))

na:~(P&Q), p:P,dq:(Qv~Q) |= ~Q, q. any na

na:~(P&Q), p:P,dq:(Qv~Q), q:Q |= ~Q, ap(na;)


90/137

This example worked like a charm, but it was pretty . . They are also easy, but I end this lecture with a

harder challen e.


91/137

What about this very simple case?

|= (False => A), λf.any(f)

It also works like a charm! But so does this!

= False => A , λf.17

T is is isconcerting ecause once we ave Fa se as a hypothesis, we loose all evidence.


92/137

, of vacuous hypotheses, but then the theorem is less interestin .

Harve Friedman to the rescue! Harve showed how to embed iFOL into mFOL using his famous A‐translation . (Tim Griffin and Chet Murthy made this famous in the 1990’s solving an open problem using Nuprl.)


93/137

’ can get completeness for iFOL.

Given a formula G of iFOL, its embedding into mFOL, is obtained by replacing all occurrences of False by A,

.

If G is uniforml valid in iFOL then GA is uniforml valid in mFOL, hence provable. By replacing A by False it is provable in iFOL.


94/137

, work in evidence structures.

,

G1 & G2 G1 v G2 inl(g1), inr(g 2)

G1 => G2 λx.g2(x). .


95/137

H |= G1, g1H = G2, g2

H |= Gi, inl(g1)

cases, and we can keep decomposing the evidence term until we reach the leaves.


96/137


97/137

We justify this implication elimination case by . On these models for A we can ensure that if f is given

an ar ument not in A then it will diver e. Here we depend on having partial types , which we denote as Ā.

We say that a belongs to Ā if it belongs to A if it converges.


98/137

A => B that we make sure we return the same result if we call the function f twice on the same ar ument. We do this by noting that we can always assign constant functions to these witnesses for A => B because once we have any element of B, that suffices.


99/137

In the case of evidence functions for universally . , remember the applications of the function and store its ra h on domain elements. The functions need to be equal only on identical elements, d.


100/137

We have only been thinking about evidence that is “ ” , evd is given to us as any term in CTT that we know is evidence. It mi ht use number theor or ra h theory to show that G is realizable. How can we cope with any possible kind of evidence?


101/137

Show that the followin t e theor term is evidence for (((A&B) => (A&B)) => (C v D)) => (C => E) => E

λh,f,g. let n = gcd(10,5) inlet m = last(factorization(111)) in

e 1 = x.x nlet I2 = (λp.) m in

let x = h(I2) in if isl(x) then outl(x) else outr(x))


102/137

Instead of using König’s Lemma, our proof uses an intuitionistic version called the Fan Theorem . Kleene showed that this theorem is not consistent with Church’s Thesis.

The theorem says that in any finitely branching ree genera e y a cons ruc ve process, every

branch terminates, then there is a uniform bound .


103/137

theory more appealing and “complete”. A practical test of such theories is that we can use them as practical programming languages that support correct ‐by‐construction programming .

We will consider these issues in the last lecture on proofs as processes.


104/137

We will now examine some types used in the proof ’ ’ reflect on the future of type theory. We also see a si nificant difference from the set theor a roach to these ideas.


105/137

recursive functions. Consider the 3x+1 function with natural number in uts.

f x = if x=0 then 1 else if even(x) then f (x/2)

fi


106/137

f = function(x. if x=0 then 1 e se even x t en x

else f (3x+1))


107/137


108/137

fix(λ(f. λ(x. if x=0 then 1e se even x t en x

else f(3x+1)

fifi)))


109/137

f x = F f,x is a recursive definition, alsof = λ(x.F(f,x)) is another expression of it, and the CTT definition is:

fix(λ(f. λ(x. F(f,x)))

which reduces in one step to:

λ(x.F(fix(λ(f. λ(x. F(f,x)))),x))

by substituting the fix term for f in λ(x.F(f,x)) .

‐


110/137

elements of types hence non ‐terminating ones such as this

fix(λ(x.x)) which in one reduction step reduces to itself! So CTT

u g g g gu g .

programming language . In CTT it is essentially the programming language also used in the metatheory, ML.


111/137

of where type theory and set theory differ substantiall and where CTT differs from CIC. It is an important difference because the halting problem and related concepts are fundamentally about whether computations converge, and in type theory this is the essence of partiality. For example, we do

N ‐> N.


112/137

, in this slide, is a partial function from numbers to numbers, thus for an n, f n is a number if it converges (halts).

In CTT we say that a value a belongs to the bar type Āprovided that it belongs to A if it converges. So f belongs to A → Āfor Ā= N.


113/137

function in CTT that can solve the convergence roblem for elements of basic bar t es.

element ā that converges in A for basic types such

maps Āto Ā, then fix(F) is in Ā.

S th i f ti h th t d id h lti g g


114/137

Suppose there is a function h that decides halting, e.g. h: Bool. Define the following element of for ā in A:

d = fix(λ(x. if h(x) then ↑ else ā fi))

where ↑ is a diverging element, say fix(λ(x.x)).Note d is in by the typing rule for fix.

Now we ask for the value of h(d) and find a contradiction as follows:


115/137

= according to its definition, the result is the diverging

computation ↑ because by computing the fix term or one step, we re uce

d = fix(λ(x. if h(x) then ↑ else ā fi))to d = if h(d) then else ā fi by substituting the fix(…) for x in the body.

If hd(d) = f, then we see that d converges to ā, again a contradiction to the meaning of h.


116/137

purported halting function h. In classical mathematics there surel is a noncom utablefunction to decide halting. Moreover the standard wa to resent unsolvability constructively is to model Turing machines and prove that no Turing computable function can solve the halting problem. But this result says that no function can solve it.

A th t t k t f thi lt i th t


117/137

Another reason to take note of this result is that it is so simple, about the simplest unsolvabilityresult around ‐‐ no indexings, no reflection, simple realistic computing model.

But the main reason to take note is that this result contradicts classical mathematics and

with the law of excluded middle , as the rest of the theor is.


118/137


119/137

In the next few slides I present other results in CTT

impact on the implementation and for their wide use in Nu rl theories.


120/137

algebraic structures as records, illustrating other advanta es of intersection t es and ol mor hism. This work forms the basis of an account of object s in CTT.

There is a primitive subtyping relation in CTT.


121/137

p yp g

elements of B and a=b in A implies a=b in B.

{ }: | 0 x Z x Z > ( & )( & ) A A B B A B A B

A A B B A B A B

′ ′ ′ ′⇒ × ×

′ ′ ′ ′⇒ + +

( & ) A A B B A B A B′ ′ ′ ′⇒ → →


122/137

record types , objects, and inheritance . We will look at records and rovide a sim le semantics for them and a simple binary operation to build them.

This account also allows us to define dependent records , a significant extension of the record concept.


123/137

{x1:A

1; x

2:A

1(x

1);x

3:A(x

1,x

2);…;x

n:A

n(x

1,…,x

n‐1)}

functions r from Labels {x1,…,xn} to values where r(x1)ε A1, r(x2)εA2(r(x1)), etc.

We can define al ebraic structures as records. For exam le


124/137

We can define al ebraic structures as records. For exam le a monoid on carrier S is a record type over S with two components, an associative operator and an identity:

Monoid = o : S x S ‐> S id: S .

A group extends this record type on S by including an

.Group = { op : S x S ‐> S; id: S; inv:S ‐>S}

A Group is a subtype of a Monoid as we show next.

roup ono

The basic idea is that the elements of a record type


125/137

are functions from the field selectors names, e.g .

{op,id,inv} to elements of types assigned to them by a mapping ca e a signature, Sig: op,i ,inv ‐> Type . Here are the mappings for a Group over the carrier S.

g op = x ‐> , g = , g nv = ‐>Monoid and Group are these dependent function

, .

i: {op,id,inv} Sig(i) i:{op,id} Sig(i)

We can build records usin a binar intersection


126/137

of types, A B∩

These are the elements in both types A and B with x=y in the intersection iff x=y in A & x=y in B.

Top is the type of all closed terms with the trivial equality, x=y for all x, y in Top. Note for any type A, we have and . A Top A=∩ A Top


127/137

records as follows. Let = ‐ , , ,…

Sig(i)= Top as the default. Then

x:A П y:B =

{x:AПB} if x=y.

‐

,


128/137

, we axiomatized co‐inductive types and implemented them in Nu rl as rimitive.

Now with intersection t es and the To t e we can define them and introduce variants.

‐


129/137

F(T) = N x T or F(T) = St ‐> In ‐> St x T. Define ‐ .

as the intersection of the iterates of F applied .

:N( )n

nF T o p

o u e ements, we ta e t e xe po nt o a function f in the following type.

:

( )T Type

T F T →

‐

‐


130/137

recursive type for the function F(T) given by‐> ‐>

we use fix(λ(t. λ(s,i.))).

It is easy to show by induction that this .

function F is continuous, the type is a fixed oint of F F corec T.F T Ξ corec T.F T .


131/137

theory unify concepts from logic, mathematics, and com uter science . Homoto t e theor is a current example as are game semantics.

We will see applied formal theories support important deployed systems. These theories will be as dynamic as the systems.


132/137

=> => ~ => ~


133/137

where ~P means (P => False), “not P”.

In minimal logic, we take a special constant for =>

logic, (Any => P) does not hold for arbitrary P. Show2. P => => => An => P => An

~ ~ ~ ~ ~. .


134/137

. . . free occurrences of x.

~ ~. . . . .

. . . , . . ,

(Ally.(Allx.P(x,y) => Eu.Allv.Q(u,v)).

Recall the exam le:((( ) ( )) ( )) ( )


135/137

(((A&B) => (A&B)) => (C v D)) => (C => E) => E

Are these both correct realizers?

. . g . ec e 1 ;c. c ; .g

’ ’. . . 1 . . 2 . .

where id = λx.x , id2 = λx.s read x;x ,x .

For more information articles and

examples of verified code see. .


136/137


137/137

A so see www.nupr .org

Documents

OPLSS2012 Lect1 and 2