The Essence of iRRAM Andrej Bauer (University of Ljubljana) Sewon - PowerPoint PPT Presentation

Thank you for giving me the opportunity to speak. I will present some recent work done jointly with Sewon Park and Alex Simpson. The work is still “in progress” but we think it’s worth reporting about. Our work was inspired by the ERC language, as Command-like Expressions presented by Sewon in the previous talk. for Real Infinite-precision Calculations But before I go on, I should say that there is a much better title for my talk. Andrej Bauer (University of Ljubljana) Sewon Park (KAIST) Alex Simpson (University of Ljubljana) Dagstuhl – November 2017 1 This one speaks for itself. But seriously, I am going to present a small language which tries to capture the essence of imperative real-number computation. The Essence of iRRAM Andrej Bauer (University of Ljubljana) Sewon Park (KAIST) Alex Simpson (University of Ljubljana) Dagstuhl – November 2017 2

When you see a silly title like this you know there is an even sillier acronym behind it. Command-like expressions for real infinite-precision calculations 3 Command-líké exp ŕ essíons for reaI infíníte-p ŕ ecísíon calcuIatíons 4

Clerical 5 And thus we named our language Clerical. It is Alex’s fault. We take the first meaning of the word. Clerical 1. concerned with or relating to work in an o ffi ce, especially routine documentation and administrative tasks 2. relating to the clergy 6

We set out to design a small and expressive programming language for exact real What we did number computation, much like ERC, but perhaps better structured. We want as simple semantics as possible, avoiding technicalities of domain theory as well as representation theory. Based on the semantics we formulate Hoare-style • A simple & expressive language for exact real numbers correctness rules with preconditions and postconditions. • Easy denotational semantics The language should of course be executable. Here we follow the execution model • Hoare-style correctness rules of iRRAM. • Operational semantics a la iRRAM The language is implemented in OCaml (3000 lines, of this 1800 for interval • Implement & formalize arithmetic) and formalized in Coq (work in progress). 7 Clerical is an imperative language. Commands & expressions It has three datatypes: booleans, integers, and (exact) reals. There are commands and expressions. The di ff erence is that commands do not yield any values, but expressions do. • Datatypes: boolean , integer , real An expresssion is pure if it does not modify the ambient variables (it may still • Commands & expressions: modify its own local variables). • local mutable variables • commands – read & write variables, no value • expressions – read & write variables, return value • pure expressions – read-only ambient variables, 
 but still write to its own local variables 8

Here is the entirety of Clerical syntax. There are standard commands, such as declaration of local variable, assignment, variable x and control-flow. constant k operator e 1 ⊙ e 2 var x := e 1 in c 2 local mutable variable x := e variable assignment skip do nothing c 1 ; c 2 sequencing if b then c 1 else c 2 conditional statement case b 1 ⇒ c 1 | b 2 ⇒ c 2 end guarded non-determinism while b do c end loop lim n ⇒ e n limit of a sequence 9 Clerical also has typing rules. They are pretty standard and expected, so we do not show them here. But the rules check that certain expressions are pure. Namely, the variable x blue ones must be pure, so that we can give reasonable semantics to the constant k effectful language. operator e 1 ⊙ e 2 (read & write) var x := e 1 in c 2 local mutable variable The red ones may be efecful, unless they appear as subexpressions in positions x := e variable assignment where purity is required. skip do nothing c 1 ; c 2 sequencing pure 
 if b then c 1 else c 2 conditional statement (read only) case b 1 ⇒ c 1 | b 2 ⇒ c 2 end guarded non-determinism while b do c end loop lim n ⇒ e n limit of a sequence 10

We support the usual arithmetical operators and comparisons. On reals we support those that make computational sense, namely the strict ones. variable x (The comparison x < x does not terminate.) constant k operator e 1 ⊙ e 2 var x := e 1 in c 2 local mutable variable + – × ÷ < > ≤ ≥ = ≠ x := e variable assignment but only < > ≠ on reals skip do nothing c 1 ; c 2 sequencing if b then c 1 else c 2 conditional statement case b 1 ⇒ c 1 | b 2 ⇒ c 2 end guarded non-determinism while b do c end loop lim n ⇒ e n limit of a sequence 11 The conditional statement is not necessary because we can simulate it with the guarded non-deterministic case. variable x constant k operator e 1 ⊙ e 2 var x := e 1 in c 2 can be simulated local mutable variable x := e with case variable assignment skip do nothing c 1 ; c 2 sequencing if b then c 1 else c 2 conditional statement case b 1 ⇒ c 1 | b 2 ⇒ c 2 end guarded non-determinism while b do c end loop lim n ⇒ e n limit of a sequence 12

We include non-deterministic guarded case. This is a source of multi-valued results. We will discuss it shortly. variable x constant k operator e 1 ⊙ e 2 var x := e 1 in c 2 local mutable variable x := e variable assignment skip do nothing multi-valued results c 1 ; c 2 sequencing if b then c 1 else c 2 conditional statement case b 1 ⇒ c 1 | b 2 ⇒ c 2 end guarded non-determinism while b do c end loop lim n ⇒ e n limit of a sequence 13 The while loops are a source of non-termination, and they make the language Turing-complete. In fact, every computable real is expressible in the language. variable x constant k operator e 1 ⊙ e 2 var x := e 1 in c 2 local mutable variable x := e variable assignment skip do nothing c 1 ; c 2 sequencing non-termination if b then c 1 else c 2 conditional statement case b 1 ⇒ c 1 | b 2 ⇒ c 2 end guarded non-determinism while b do c end loop lim n ⇒ e n limit of a sequence 14

Let us take a closer look at the non-deterministic case. These are Dijsktra’s guarded commands. The case evaluates one of the commands c i whose case 
 corresponding boolean test b i evaluates to true (even if other tests diverge). If | b 1 ⇒ c 1 
 several branches are available any one may be chosen (but only one). | b 2 ⇒ c 2 
 end If b i is true then evaluate c i . Evaluate either if b 1 and b 2 are true. 15 For example, a real-valued comparison x < x is non-terminating, so execution must proceed with the second branch. case 
 | x < x ⇒ c 1 
 | true ⇒ c 2 
 end x < x diverges, execute c 2 16

The case statements are used to perform comparison tests with tolerance. On the overlapping areas any one of the branches may be executed. It is the responsibility case 
 of the programmer to take care of such cases. | x < ε ⇒ c 1 
 | - ε < x ⇒ c 2 
 end zero-test with tolerance ε 17 In Clerical real numbers are constructed as limits of rapidly converging sequences. It ain’t reals without limits It is important the e n be pure. It may be multi-valued, in which case lim n ⇒ e n Compute the limit x , provided | x – e n | ≤ 2 – n . 18

Here is an example that combines limits and case. It computes the absolute value of x. (In reality we would expect a primitive operations abs(x) that works directly lim n ⇒ 
 with intervals.) case 
 | x < 2 -n-1 ⇒ -x 
 | x > -2 -n-1 ⇒ x 
 end compute |x| 19 Clerical has a very simple type system. The only datatypes are booleans, integers Context of variables and reals. An expression is always considered in a context of variables. This is a sequence of variables x i with corresponding types τ i. Γ Δ The context has two parts, the read-write variables and the read-only variables . When a new local variable is introduced, it is placed on top of the read-write part, x 1 : τ 1 , …, x n : τ n ; x n+1 : τ n+1 , …, x n+m : τ n+m following a stack discipline . When a pure expression is evaluated the read-write read-write variables read-only variables variables are moved over to the read-only part. τ i ∈ { bool, int, real } 20

We may express the fact that an expression has a given type in the given context. Typed expressions Γ ; Δ ⊢ e : τ “In context Γ ; Δ expression e has type τ “ 21 We may state that an expression is pure by making the read-write part of the Typed expressions context empty. ⋅ ; Δ ⊢ e : τ “In context ⋅ ; Δ pure expression e has type τ “ 22

There is also the judgment that we have a command. This one does not have a Typed expressions type because it does not return anything. An alternative would be to introduce a unit type and commands return unit. (The unit type is misnamed “void” in many languages.) Γ ; Δ ⊢ c cmd “c is a command in in context Γ ; Δ “ 23 Let me touch briefly on the semantics of the language. Meaning of types The datatypes are interpreted in the most naive way, as sets. Because “reals are reals” this makes it easier to reason about programs, as one does not have to worry about intervals, representations, or anything like that. (How intervals are ⟦ bool ⟧ = 𝔺 actually used to execute programs is a matter for operational semantics .) ⟦ int ⟧ = ℤ The meaning of a typing context is just the product of the meaning of types. ⟦ real ⟧ = ℝ ⟦ x 1 : τ 1 ,…,x n : τ n ⟧ = ⟦ τ 1 ⟧ × ⋯ × ⟦ τ n ⟧ 24