Recursive Functions on Lazy Lists via Domains and Topologies - - PowerPoint PPT Presentation

Recursive Functions on Lazy Lists via Domains and Topologies

Andreas Lochbihler

Institute of Information Security ETH Zurich, Switzerland

Johannes H¨

• lzl

Institut f¨ ur Informatik TU M¨ unchen, Germany

ITP 2014

Running example: filtering lazy lists

Task: Given a codatatype define a recursive function and prove properties.

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 2 / 11

Running example: filtering lazy lists

Task: Given a codatatype α llist = [ ] | α · α llist define a recursive function lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) and prove properties. lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 2 / 11

Running example: filtering lazy lists

Task: Given a codatatype α llist = [ ] | α · α llist finite and infinite lists define a recursive function lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) and prove properties. lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 2 / 11

Running example: filtering lazy lists

Task: Given a codatatype α llist = [ ] | α · α llist finite and infinite lists define a recursive function lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) and prove properties. lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs Usual definition principles

• well-founded recursion
• guarded/primitive corecursion

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 2 / 11

Running example: filtering lazy lists

Task: Given a codatatype α llist = [ ] | α · α llist finite and infinite lists define a recursive function lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) and prove properties. lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs Usual definition principles

• well-founded recursion
• guarded/primitive corecursion

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 2 / 11

Running example: filtering lazy lists

Task: Given a codatatype α llist = [ ] | α · α llist finite and infinite lists define a recursive function lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) and prove properties. lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs Usual definition principles

• well-founded recursion
• guarded/primitive corecursion

guarded

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 2 / 11

Running example: filtering lazy lists

Task: Given a codatatype α llist = [ ] | α · α llist finite and infinite lists define a recursive function lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) and prove properties. lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs Usual definition principles

• well-founded recursion
• guarded/primitive corecursion

guarded unguarded

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 2 / 11

Running example: filtering lazy lists

Task: Given a codatatype α llist = [ ] | α · α llist finite and infinite lists define a recursive function lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) and prove properties. lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs Usual definition principles

• well-founded recursion
• guarded/primitive corecursion

guarded unguarded lfilter is underspecified: lfilter (≤ 0) (1 · [1, 1, 1, . . .]) = lfilter (≤ 0) [1, 1, 1, . . .]

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 2 / 11

Beyond well-founded and guarded corecursion

lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs Previous approaches:

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 3 / 11

Beyond well-founded and guarded corecursion

lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) lfinite xs ∨ (∀n. ∃x ∈ lset (ldrop n xs). P x ∧ Q x) − → lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs Previous approaches: Partiality leave unspecified for infinite lists w/o satisfying elements close to specification properties need preconditions no proof principles

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 3 / 11

Beyond well-founded and guarded corecursion

lfilter P [ ] = [ ] lfilter P (x · xs) = (if P x then x · lfilter P xs else lfilter P xs) lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs Previous approaches: Partiality leave unspecified for infinite lists w/o satisfying elements close to specification properties need preconditions no proof principles Search function check whether there are more elements

• if ¬ find P xs then [ ] else

total function, no preconditions additional lemmas about search function necessary ad hoc solution

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 3 / 11

Two views on lfilter

lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 4 / 11

Two views on lfilter

lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist

• 1. produces a list corecursively
• lfilter :: β ⇒ α llist
• find chain-complete partial
• rder on α llist
• take the least fixpoint for lfilter

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 4 / 11

Two views on lfilter

lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist

• 1. produces a list corecursively
• lfilter :: β ⇒ α llist
• find chain-complete partial
• rder on α llist
• take the least fixpoint for lfilter

proof principles domain theory fixpoint induction structural induction

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 4 / 11

Two views on lfilter

lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist

• 1. produces a list corecursively
• lfilter :: β ⇒ α llist
• find chain-complete partial
• rder on α llist
• take the least fixpoint for lfilter
• 2. consumes a list recursively
• lfilter :: α llist ⇒ β
• find topology on α llist
• define lfilter on finite lists

by well-founded recursion

• take the limit for infinite lists

proof principles domain theory fixpoint induction structural induction

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 4 / 11

Two views on lfilter

lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist

• 1. produces a list corecursively
• lfilter :: β ⇒ α llist
• find chain-complete partial
• rder on α llist
• take the least fixpoint for lfilter
• 2. consumes a list recursively
• lfilter :: α llist ⇒ β
• find topology on α llist
• define lfilter on finite lists

by well-founded recursion

• take the limit for infinite lists

proof principles domain theory fixpoint induction structural induction topology convergence on closed sets uniqueness of limits

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 4 / 11

Proof principles pay off

Isabelle proofs of lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs

Paulson’s Structural induction Fixpoint induction Continuous extension

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 5 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A ⊑ ⊑ ⊑ ⊑ ⊑ ⊑

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A ⊑ ⊑ ⊑ ⊑ ⊑ ⊑

• ⊑

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A ⊑ ⊑ ⊑ ⊑ ⊑ ⊑

• ⊑

⊒

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A ⊑ ⊑ ⊑ ⊑ ⊑ ⊑

• ⊑

⊒

• lift (⊑, ) point-wise to function space β ⇒ α llist

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A ⊑ ⊑ ⊑ ⊑ ⊑ ⊑

• ⊑

⊒

• lift (⊑, ) point-wise to function space β ⇒ α llist

Knaster-Tarski theorem: If f on a ccpo is monotone, then f has a least fixpoint.

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A ⊑ ⊑ ⊑ ⊑ ⊑ ⊑

• ⊑

⊒

• lift (⊑, ) point-wise to function space β ⇒ α llist

Knaster-Tarski theorem: If f on a ccpo is monotone, then f has a least fixpoint. partial-function (llist) lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist where lfilter P xs = (case xs of [ ] ⇒ [ ] | x · xs ⇒ if P x then x · lfilter P xs else lfilter P xs)

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A ⊑ ⊑ ⊑ ⊑ ⊑ ⊑

• ⊑

⊒

• lift (⊑, ) point-wise to function space β ⇒ α llist

Knaster-Tarski theorem: If f on a ccpo is monotone, then f has a least fixpoint. partial-function (llist) lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist where lfilter P xs = (case xs of [ ] ⇒ [ ] | x · xs ⇒ if P x then x · lfilter P xs else lfilter P xs) Light-weight domain theory [ ] represents “undefined”, no additional values in α llist full function space ⇒, no continuity restrictions less automation less expressive (no nested or higher-order recursion)

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11

The producer view: induction proofs

• structural induction

adm Q Q [ ] ∀x xs. lfinite xs ∧ Q xs − → Q (x · xs) Q xs

• fixpoint induction rule generated for lfilter

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 7 / 11

The producer view: induction proofs

• structural induction

adm Q Q [ ] ∀x xs. lfinite xs ∧ Q xs − → Q (x · xs) Q xs

• fixpoint induction rule generated for lfilter

Induction is sound only for admissible statements Q

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A A

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 7 / 11

The producer view: induction proofs

• structural induction

adm Q Q [ ] ∀x xs. lfinite xs ∧ Q xs − → Q (x · xs) Q xs

• fixpoint induction rule generated for lfilter

Induction is sound only for admissible statements Q

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A A Q       Q ( )

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 7 / 11

The producer view: induction proofs

• structural induction

adm Q Q [ ] ∀x xs. lfinite xs ∧ Q xs − → Q (x · xs) Q xs

• fixpoint induction rule generated for lfilter

Induction is sound only for admissible statements Q

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A A Q       Q ( ) lemma lfilter P (lfilter Q xs ) = lfilter (λx. P x ∧ Q x) xs by(induction xs) simp all

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 7 / 11

The producer view: induction proofs

• structural induction

adm Q Q [ ] ∀x xs. lfinite xs ∧ Q xs − → Q (x · xs) Q xs

• fixpoint induction rule generated for lfilter

Induction is sound only for admissible statements Q

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A A Q       Q ( ) proof automation via syntactic decomposition rules for admissibility adm (λxs. lfilter P (lfilter Q xs ) = lfilter (λx. P x ∧ Q x) xs )

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 7 / 11

The producer view: induction proofs

• structural induction

adm Q Q [ ] ∀x xs. lfinite xs ∧ Q xs − → Q (x · xs) Q xs

• fixpoint induction rule generated for lfilter

Induction is sound only for admissible statements Q

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A A Q       Q ( ) proof automation via syntactic decomposition rules for admissibility adm (λxs. lfilter P (lfilter Q xs ) = lfilter (λx. P x ∧ Q x) xs ) continuous contexts atomic predicate

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 7 / 11

The consumer view: continuous extensions

datatype α list = [] | α · α list

• 1. Define filter recursively

filter :: (α ⇒ bool) ⇒ α list ⇒ α list

• n finite lists.

infinite finite fi l t e r P

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 8 / 11

The consumer view: continuous extensions

datatype α list = [] | α · α list

• 1. Define filter recursively

filter :: (α ⇒ bool) ⇒ α list ⇒ α list

• n finite lists.

lfilter P xs = Lim (filter P) xs

• 2. Take the limit.

infinite finite fi l t e r P

Lim

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 8 / 11

The consumer view: continuous extensions

datatype α list = [] | α · α list

• 1. Define filter recursively

filter :: (α ⇒ bool) ⇒ α list ⇒ α list

• n finite lists.

lfilter P xs = Lim (filter P) xs

• 2. Take the limit.

infinite finite fi l t e r P

Lim

introduce CCPO topology define the open sets S A

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 8 / 11

The consumer view: continuous extensions

datatype α list = [] | α · α list

• 1. Define filter recursively

filter :: (α ⇒ bool) ⇒ α list ⇒ α list

• n finite lists.

lfilter P xs = Lim (filter P) xs

• 2. Take the limit.

infinite finite fi l t e r P

Lim

introduce CCPO topology define the open sets

• pen S

A

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A non-empty overlap

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 8 / 11

The consumer view: continuous extensions

datatype α list = [] | α · α list

• 1. Define filter recursively

filter :: (α ⇒ bool) ⇒ α list ⇒ α list

• n finite lists.

lfilter P xs = Lim (filter P) xs

• 2. Take the limit.

infinite finite fi l t e r P

Lim

introduce CCPO topology define the open sets

• pen S

A

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A non-empty overlap Properties of a CCPO topology limits are unique finite elements are discrete, i.e., open {xs}

• not the Scott topology!

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 8 / 11

The consumer view: proving

• 1. Prove that filter P is continuous!

follows from monotonicity of filter

• 2. Proof rule convergence on a closed set (specialised for α llist):

closed {xs | Q xs} ∀ys. lfinite ys ∧ ys ⊑ xs − → Q ys Q xs lemma lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs by (rule converge closed[of xs]) (auto intro!: closed eq isCont lfilter )

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 9 / 11

The consumer view: proving

• 1. Prove that filter P is continuous!

follows from monotonicity of filter

• 2. Proof rule convergence on a closed set (specialised for α llist):

closed {xs | Q xs} ∀ys. lfinite ys ∧ ys ⊑ xs − → Q ys Q xs lemma lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs by (rule converge closed[of xs]) (auto intro!: closed eq isCont lfilter ) decomposition rules for closedness

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 9 / 11

Summary

Comparison least fixpoint continuous extension ccpo

• n result type
• n parameter type

monotonicity

• f the functional
• f the function

proof principles structural induction = convergence on a closed set fixpoint induction Available in the AFP entry Coinductive

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 10 / 11

Summary

Comparison least fixpoint continuous extension ccpo

• n result type
• n parameter type

monotonicity

• f the functional
• f the function

proof principles structural induction = convergence on a closed set fixpoint induction Available in the AFP entry Coinductive Which codatatypes can be turned into useful ccpos? extended naturals enat = 0 | eSuc enat n-ary trees α tree = Leaf | Node α (α tree) (α tree)

• finite

truncations streams α stream = Stream α (α stream) no finite elements

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 10 / 11

Two views on lfilter

lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist

• 1. produces a list corecursively
• lfilter :: β ⇒ α llist
• find chain-complete partial
• rder on α llist
• take the least fixpoint for lfilter
• 2. consumes a list recursively
• lfilter :: α llist ⇒ β
• find topology on α llist
• define lfilter on finite lists

by well-founded recursion

• take the limit for infinite lists

proof principles domain theory fixpoint induction structural induction topology convergence on closed sets uniqueness of limits

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 4 / 11

Proof principles pay off

Isabelle proofs of lfilter P (lfilter Q xs) = lfilter (λx. P x ∧ Q x) xs

Paulson’s Structural induction Fixpoint induction Continuous extension

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 5 / 11

The consumer view: continuous extensions

datatype α list = [] | α · α list

• 1. Define filter recursively

filter :: (α ⇒ bool) ⇒ α list ⇒ α list

• n finite lists.

lfilter P xs = Lim (filter P) xs

• 2. Take the limit.

infinite finite filter P

Lim

introduce CCPO topology define the open sets

• pen S

A

• . . .

⊑ ⊑ ⊑ ⊑ ⊑

A non-empty overlap

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 8 / 11

The producer view: least fixpoints

• prefix order ⊑ defined coinductively
• least upper bound Y defined by primitive corecursion

(⊑, ) forms a chain-complete partial order (CCPO) with ⊥ = [ ]

• . . .

A A ⊑ ⊑ ⊑ ⊑ ⊑ ⊑

• ⊑

⊒

• lift (⊑, ) point-wise to function space β ⇒ α llist

Knaster-Tarski theorem: If f on a ccpo is monotone, then f has a least fixpoint. partial-function (llist) lfilter :: (α ⇒ bool) ⇒ α llist ⇒ α llist where lfilter P xs = (case xs of [ ] ⇒ [ ] | x · xs ⇒ if P x then x · lfilter P xs else lfilter P xs)

Lochbihler (ETHZ), H¨

• lzl (TUM)

Recursive functions on lazy lists ITP 2014 6 / 11