Logic for exact real arithmetic
Helmut Schwichtenberg, Franziskus Wiesnet

TL;DR
This paper presents a method to extract a division algorithm for real numbers represented as digit streams from formal proofs using coinductive predicates, with implementation in Minlog and translation to Haskell.
Contribution
It introduces a formal proof framework for real arithmetic with coinductive definitions and demonstrates extraction of executable algorithms from these proofs.
Findings
Successfully extracted a division algorithm from formal proofs.
Implemented the algorithm in Haskell for practical use.
Validated the approach with experimental results.
Abstract
Continuing earlier work of the first author with U. Berger, K. Miyamoto and H. Tsuiki, it is shown how a division algorithm for real numbers given as a stream of signed digits can be extracted from an appropriate formal proof. The property of being a real number represented as a stream is formulated by means of coinductively defined predicates, and formal proofs involve coinduction. The proof assistant Minlog is used to generate the formal proofs and extract their computational content as terms of the underlying theory, a form of type theory for finite or infinite data. Some experiments with running the extracted term are described, after its translation to Haskell.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
\lmcsdoi
1727 \lmcsheadingLABEL:LastPageMay 01, 2019Apr. 20, 2021
Logic for exact real arithmetic
Helmut Schwichtenberg\rsupera
\lsuperaMathematisches Institut, LMU, München
and
Franziskus Wiesnet\rsuperb
\lsuperbMathematisches Institut, LMU, München and Dipartimento di Matematica, Università degli Studi di Trento
Abstract.
Continuing earlier work of the first author with U. Berger, K. Miyamoto and H. Tsuiki, it is shown how a division algorithm for real numbers given as a stream of signed digits can be extracted from an appropriate formal proof. The property of being a real number represented as a stream is formulated by means of coinductively defined predicates, and formal proofs involve coinduction. The proof assistant Minlog is used to generate the formal proofs and extract their computational content as terms of the underlying theory, a form of type theory for finite or infinite data. Some experiments with running the extracted term are described, after its translation to Haskell.
Key words and phrases:
signed digit code, real number computation, inductive and coinductive definitions, corecursion, program extraction, realizability
This project has received funding from the European Union’s 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 731143. The second author is a Marie Skłodowska-Curie fellow of the Istituto Nazionale di Alta Matematica
Real numbers in the exact (as opposed to floating-point) sense can be defined as Cauchy sequences (of rationals, with modulus). However, for computational purposes it is better to see them as coded by “streams” of signed digits . A variant stream representation is the so-called “binary reflected” or Gray-code [Gia99, Tsu02] explained below. Apart from being practically more useful, the stream view turns real numbers into “infinite data” and hence objects of type level [math]. As a consequence the type level of other concepts in constructive analysis [Bis67] is lowered by one, which simplifies matters considerably.
Our overall goal is to obtain formally verified algorithms (given by terms in our language) operating on stream represented real numbers. Given an informal idea of how the algorithm should work, there are two methods how this can be achieved.
- (I)
Formulate (using corecursion) the algorithm in the term language of a suitable theory, and then formally prove that this term satifies the specification; 2. (II)
Find a formal existence proof (using coinduction) for the object the algorithm is supposed to return. Then apply a proof theoretic method (“realizability”) to extract ’s computational content as a term (involving corecursion) in the term language of the underlying theory. The verification is done by a formal soundness proof of the realizability interpretation. The extraction of the computational content and the verification are automatic.
A general advantage of (II) over (I) is that one does not need to begin with a detailed formulation of the algorithm, but instead can stay on a more abstract level when proving the (existential) specification. In mathematics we know how to organize proofs, for instance by splitting them into lemmas or on occasion make use of more abstract concepts. In short, mathematical experience can help to find a well-structured algorithmic solution.
Method (I) was employed in [CG06] using Coq, and method (II) in [Ber09, MS15, BMST16] using Minlog. The present paper continues previous work [MS15, BMST16] by a case study on division. It is shown how a division algorithm for real numbers represented as either streams of signed digits or else in binary reflected form (Gray code) can be extracted from an appropriate formal proof dealing with concrete real numbers (Cauchy sequences of rationals, with moduli); in [MS15, BMST16] real numbers were treated axiomatically. The reason for switching to concrete real numbers is the desire to have reliable programs, which are less studied for real number computation. The method described in this paper achieves reliability by providing an (automatically generated) formal proof that the extracted program meets its specification. These proofs are in a formal theory whose consistency is guaranteed by a concrete model [Sco70, Ers77]. There is no need to rely on an axiom system for real numbers as in [MS15, BMST16].
We will work with constructive existence proofs in the style of [Bis67], but in such a way that we can switch on and off the availability of input data for the constructions implicit in the proof [Ber93]. In the present context this will be applied to real numbers as input data: we do not want to make use of the Cauchy sequence for the constructions to be done, but only the computational content of an appropriate coinductive predicate to which the real number is supposed to belong. We consider division of real numbers as a non-trivial case study; it has been dealt with in [CG06] using method (I). Based on the algorithmic idea in [CG06], we employ method (II) to extract signed digit and Gray code based stream algorithms for division from proofs that the reals are closed under division (under some obvious restrictions). As a benefit from the necessary organization into a sequence of lemmas we obtain a relatively easy analysis of the “look-ahead”, i.e., how far we have to look into the argument streams to obtain the -th digit of the result stream.
The paper is organized as follows. Section 1 collects some background material. Section 1.1 describes (mainly by examples) the base type objects of the Scott-Ershov [Sco70, Ers77] model of partial continuous functionals, which is the intended model of the theory we are going to use. It is a form of type theory suitable for reasoning with finite and infinite data. This theory is described in Section 1.2. The notion of computational content of proofs is introduced in Section 1.3. Section 1.4 recalls the constructive theory of real numbers of Bishop [Bis67, Ch.2]. In Section 2 division for stream-represented real numbers is studied, both for signed and binary reflected digit streams. Formalizations of the relevant proofs are described, including the terms (programs) extracted from them. Numerical experiments after translating these terms into Scheme or Haskell programs are discussed. Section 3 recalls the notion of realizability in Section 3.1, sketches a proof of the general soundness theorem in Section 3.2, and its formalization for real division algorithms in Section 3.3. Section 4 concludes.
1. Preliminaries
We informally describe a formal theory [SW12, Section 7.1] which will be used to carry out proofs on real numbers and also functions and predicates on real numbers. In contrast to [MS15, BMST16] where an axiomatic approach was used we now work with concrete real numbers: Cauchy sequences of rationals, with moduli. The reason for this switch is that we aim at full reliability of the soundness proofs we will (automatically) generate (see Section 3). The axioms the formal theory is based upon, and hence all propositions proved, are valid in a model and therefore correct.
The base type data of the theory are free algebras given by their constructors, for instance lists of signed digits. Functions (“program constants”) are defined by defining equations (“computation rules”) whose left hand sides are non-overlapping constructor patterns. Termination is not required, which makes it possible the have the corecursion operator (see below) as an ordinary constant in the language. Predicates are least and greatest fixed points of clauses.. Examples are totality and cototality of lists of signed digits. The only axioms are the defining equations of the functions and the introduction and elimination axioms for the (co)inductively defined constants, which state their fixed point properties.
An important predicate is equality. Clearly we have the inductively defined Leibniz equality and the decidable equality for finitary algebras like the natural numbers. Equality on the (concrete) reals is more delicate. It is defined from an inductive -predicate which refers to the underlying Cauchy sequences and their moduli. For all functions and predicates on the reals that we consider it is necessary to prove compatibility with real equality. The reason for this extension of the axiomatic treatment is to obtain formal proofs which rest only on the fixed point axioms and in this sense are correct: the propositions proved are valid in the concrete model of .
1.1. Objects
Base type objects of our theory are determined by the constructors of (free) algebras. More precisely, let be type variables.
Definition**.**
Constructor types have the form
[TABLE]
with all type variables distinct from each other and from . Iterated arrows are understood as associated to the right. An argument type of a constructor type is called a parameter argument type if it is different from , and a recursive argument type otherwise. A constructor type is nullary if it has no recursive argument types. We call
[TABLE]
an algebra form (“form” since type parameters may occur). An algebra form is non-recursive (or explicit) if it does not have recursive argument types.
Examples**.**
We list some algebra forms without parameters, with standard names for the constructors added to each constructor type.
[TABLE]
Algebra forms with type parameters are
[TABLE]
The default name for the -th constructor of an algebra form is .
Definition** (Type).**
[TABLE]
where is an algebra form with its parameter type variables, and the result of substituting the (already generated) types for . Types of the form are called algebras. An algebra is closed if it has no type variables. The level of a type is defined by
[TABLE]
Base types are types of level [math], and a higher type has level at least .
Examples**.**
-
, , are algebras.
-
, , are closed base types.
-
is a closed algebra of level .
There can be many equivalent ways to define a particular type. For instance, we could take to be the type of booleans, to be the type of natural numbers, and to be the type of positive binary numbers.
We introduce the base type objects by example only, for , , ; cf. [SW12, Section 6.1.4] for the general case. These objects are built from tokens, which are type correct constructor expressions possibly containing the special symbol which carries no information. Examples in the algebra of binary trees are
[TABLE]
or pictorially
[TABLE]
For tokens we have obvious concepts called consistency () and entailment (). For instance
[TABLE]
Examples for entailment in are
[TABLE]
and also
[TABLE]
Definition**.**
Objects of a base type are finite or infinite sets of tokens with are consistent and closed under entailment. An object is cototal if for each of its tokens with a distinguished occurrence of there is another token in where this occurrence of is replaced by a constructor expression with only ’s as arguments. We call total if it is cototal and finite.
The tokens of are shown in Figure 1. For tokens we have if and only if there is a path from (up) to (down). There is exactly one cototal object, consisting of , , …. Note that is not a token; the “bottom” object is the empty set.
Examples of more interesting objects in are
- (1)
closure (under entailment) of all tokens of the form
[TABLE] 2. (2)
is defined similarly 3. (3)
4. (4)
closure of all tokens of the form
[TABLE] 5. (5)
Closure of
[TABLE] 6. (6)
Closure of
[TABLE]
Among these are
[TABLE]
Finally we consider the algebra of lists of booleans, to represent finite or infinite paths. Tokens in are for instance (writing for )
[TABLE]
Consistency in :
[TABLE]
Entailment in :
[TABLE]
Objects in :
[TABLE]
Objects of higher type are canonically defined in the Scott-Ershov model [Sco70, Ers77]. A detailed exposition is in [SW12, Chapter 6].
1.2. Type theory for finite and infinite data
Terms are built from (typed) variables, constructors and (equationally) defined constants by -abstraction and application, where termination of the defining equations is not required. Defined constants are given by their type and computation rules. Examples for the type of lists of signed digits are
Terms are built from (typed) variables, constructors and (equationally) defined constants by -abstraction and application, where termination of the defining equations is not required. Defined constants are given by their type and computation rules. Examples for the type of lists of signed digits are
[TABLE]
takes a recursion argument , an initial value and a “step” argument operating according to the structure of the given list. The meaning of is determined by the computation rules
[TABLE]
operates by disassembling the given list into its head and tail. The computation rules are
[TABLE]
For the “step” operates by inspection (or observation) of its argument . More precisely, the meaning of is given by the (non-terminating) computation rule
[TABLE]
We use for Leibniz equality (inductively defined by the clause ).
Predicates are either (co)inductively defined or of the form where is a formula. We identify with . Formulas are given as atomic formulas where is a predicate and are terms, or else as or where and are already formulas. The formulas , and technically are inductively defined (nullary) predicates.
An inductively defined predicate is given by clauses of the form
[TABLE]
for , and , where only occurs strictly positive in each and contains all free variables of and . The clauses are called introduction axioms of .
An example is the totality predicate . Its clauses are
[TABLE]
where is the totality predicate for the three-element algebra of signed digits, defined by the three clauses for a signed digit.
Intuitively, an inductively defined predicate is the smallest (w.r.t. ) predicate fulfilling its clauses. This is expressed by its elimination axiom:
[TABLE]
where can be any predicate with the same arity as . The axiom is also called induction axiom. For example,
[TABLE]
Let be an inductively defined predicate given by its clauses , and assume that there are recursive calls in some clauses. To every such we associate a “companion” and call it a coinductively defined predicate. The elimination (or closure) axiom of the coinductively defined predicate says that if holds, then it comes from one of the clauses:
[TABLE]
In words: if holds, then there is at least one clause whose premises (with instead of ) are fulfilled and whose conclusion is up to Leibniz equality. For example, the co-predicate associated with is cototality . Its elimination axiom is
[TABLE]
The introduction (or coinduction or greatest-fixed-point) axiom of says that is the greatest predicate such that
[TABLE]
This means that any other “competitor” predicate satisfying the same closure property is below . For example,
[TABLE]
1.3. Computational content
We are interested in the computational content of proofs, which in the present setting arises from inductively and coinductively defined predicates only: they can be declared to be computationally relevant (c.r.) or non-computational (n.c.). This also applies to predicate variables . The (finitely many) clauses of a c.r. inductive predicate determine an algebra . A “witness” that or holds has type . It will be a total object in the first and a cototal object in the second case. For instance, the type of the c.r. version of or is . A formula built from atomic formulas by , is c.r. if its final conclusion is. The type is defined by
[TABLE]
Recall that , and technically are inductively defined (nullary) predicates. If they are c.r., their types are ; depending on the c.r./n.c. status of ; depending on the c.r./n.c. status of .
Let be a proof in of a c.r. formula . We define its extracted term , of type , with the aim to express ’s computational content. It will be a term built up from variables, constructors, recursion operators, destructors and corecursion operators by -abstraction and application:
[TABLE]
It remains to define extracted terms for the axioms. Consider a (c.r.) inductively defined predicate . For its introduction and elimination axioms define and , where both the constructor and the recursion operator refer to the algebra associated with . For the closure and greatest-fixed-point axioms of define and , where both the destructor and the corecursion operator again refer to the algebra associated with .
1.4. Real numbers
Rational numbers are defined by , where the pair of and is denoted by . We also have the expected notion of equality between rational numbers. In contrast to the positive, natural, rational numbers or the integers, the real numbers are not an algebra. The property to be a real number is a predicate on . Totality on this type means that both components map total arguments into total values. By a real number we mean a pair of this type whose first component is a Cauchy sequence of rationals with the second component as modulus, i.e.,
[TABLE]
We write for this predicate. For real numbers we can define the arithmetic functions , , and the inverse and also the absolute value . Note that the inverse needs a witness that the real number is positive. We will not go into details here. An exact definition of these functions and also of positivity can be found in [Wie17, Wie18] and in the library of Minlog111http://minlog-system.de..
An important predicate on the real numbers is real equality: we define by
[TABLE]
and real equality by . Most of the predicates and functions on real numbers will be compatible with real equality; however, this must be proved in each case.
The rational numbers can be embedded into the real numbers by identifying a rational number with the pair consisting of the constant Cauchy sequence and the constant modulus .
We use variable names
[TABLE]
Let be the n.c. version of the totality predicate for , and similarly for other types. Let be the (formally inductive) predicate consisting of the integers , i.e., is given by the three clauses , and . We require that has computational content (in the three-element algebra ), and write
[TABLE]
and similarly for . In this case the premise is not necessary because it follows from . The predicate and also on real numbers are assumed to be n.c. We write (with ranging over )
[TABLE]
and again similarly for . The totality of is part of .
We inductively define a predicate on reals such that the generating sequence for means that is between and . Let be defined by the two clauses
[TABLE]
Then the induction axiom is
[TABLE]
The clauses of also determine the dual predicate , which is coinductively given by the closure axiom
[TABLE]
and the coinduction axiom
[TABLE]
We require that both predicates and have computational content. The data type associated to these clauses is the algebra of lists of signed digits. This association is quite canonical: the first constructor is a witness for the first clause, which does not need any further information. The second constructor of type is a witness for the second clause consisting of a signed digit and a witness that . We refer to [SW12, Section 7.2] for a formal definition of the type of a (co)inductively defined predicate.
The computational content of the clauses are the constructors, of the induction axiom the recursion operator , of the closure axiom the destructor and of the coinduction axiom the corecursion operator . All these have been explained in Section 1.2.
2. Division for stream-represented real numbers
2.1. Division for signed digit streams
From a computational point of view, a real number is best seen as a device producing for a given accuracy a rational number being -close to , i.e., . For simplicity we again restrict ourselves to real numbers in the interval (rather than ), and to dyadic rationals ().
Clearly we can represent real numbers (in ) as streams of . Now when doing arithmetic operations on such streams the problem of “productivity” arises: suppose we want to add the two streams and . Then the first digit of the output stream will only be known after we have checked the two input streams long enough, but there is no bound how far we have to look. The well-known cure for this problem is to add a delay digit [math] and work with signed digits , now with . We have a lot of redundancy here (for instance and both denote ), but this is not a serious problem.
Since [math] as real number is represented by the stream consisting of the digit [math] only, we can simplify our example by removing the nullary clause from the inductive definition of , and define and accordingly. We only need , coinductively defined by the closure axiom
[TABLE]
Therefore, the coinduction axiom is
[TABLE]
The canonically associated data type then becomes the algebra given by a single binary constructor of type , again denoted by (infix). Note that we do not require that holds for any . Objects are called streams of signed digits.
The computational content of the closure axiom (1) now is the destructor of type , defined by
[TABLE]
For the coinduction axiom (2) we have the corecursion operator of type . Note that appears since has the a single constructor of type . The meaning of is determined by a (non-terminating) computation rule similar to the one for (see Section 1.2), with the first case left out.
Our goal in this section is to prove that is closed under division under some conditions, w.r.t. the representation of reals as signed digit streams. For division we clearly need a restriction on the denominator to stay in the interval , and must assume that is strictly positive. For simplicity we assume ; this can easily be extended to the case (using induction on and Lemma 3 below). The main idea of the algorithm and also of the proof, which is inspired by [CG06], consists in three representations of :
[TABLE]
where
[TABLE]
Depending on what we know about we choose one of these representations of to obtain its first digit. This will give us a corecursive definition of .
As we see in the representation of , we will use that is closed under the average:
Theorem 1**.**
The average of two real numbers in is in :
[TABLE]
Proof 2.1**.**
The proof in [Ber09, BMST16] can be adapted to the present setting with concrete rather than abstract reals.
The term extracted from this proof corresponds to an algorithm transforming stream representations of and into a stream representation of their average . For the first digits in the representation of one needs the first digits in the representations of and .
Lemma 2**.**
is closed under shifting a real () by ():
[TABLE]
Proof 2.2**.**
We only consider the first claim; the second one is proved similarly. Since we want to prove that something is in , the proof must use its introduction axiom given in (2):
[TABLE]
The crucial point is how to choose the competitor predicate . Looking at the formula we want to prove, we take as competitor predicate. Then we have
[TABLE]
and since is compatible with the real equality, this implies
[TABLE]
Therefore it suffices to prove the premise of the formula above. Let be given. Then by definition of there is with , and . From we know and with also . We need and such that
[TABLE]
Again from we obtain and with . We now distinguish cases on .
Case . Then and hence . Picking and gives the claim. Here we need a lemma CoIOne stating that is in . The proof of this lemma (by coinduction) is omitted.
Case . Pick and . Then and hence the r.h.s. of the disjunction above holds with for . Also .
Case . Pick and . Then the l.h.s. of the disjunction above holds, and .
We have formalized this proof in the Minlog222The development described here resides in minlog/examples/analysis, file sddiv.scm proof assistant. Minlog has a tool to extract from the proof a term representing its computational content; it is a term in the theory described in Section 1.2. The extracted term is displayed as
[u](CoRec ai=>ai)u ([u0][case (DesYprod u0) (s pair u1 -> [case s (SdR -> SdR pair InL cCoIOne) (SdM -> SdR pair InR u1) (SdL -> SdR pair InL u1)])])
Here [u] means lambda abstraction , and (CoRec ai=>ai) is the corecursion operator defined above, where is again. The type of is . The first argument of the corecursion operator is the abstracted variable u of type , and the second ([u0][case …]) is the “step” function, which first destructs its argument u0 into a pair of a signed digit s and another stream u1, and then distinguishes cases on s. In the SdR case the returned pair of type has SdR again as its left component, and as right component the (left embedding into a sum type) of a certain stream denoted cCoIOne. This is the computational content (hence the “c”) of CoIOne, essentially an infinite sequence of the digit (written ).
The algorithm represented by the extracted term can be understood as follows. If , then must be non-negative. Hence , and a stream-representation of is . Here we do not need a corecursive call, and hence the result is . The same happens in case . Here can be determined easily by changing the first digit from to and leaving the tail as it is. Hence the result is . Only in case we have a corecursive call. Here we change the first digit from to , which however amounts to adding only. Therefore the procedure continues with the tail. Hence the result is . Using the computation rule for we can now describe the computational content as a function defined by
[TABLE]
A similar argument for the second part of the lemma gives with
[TABLE]
Lemma 3**.**
For in with we have in :
[TABLE]
Proof 2.3**.**
Let be given. From the closure axiom (1) for we obtain and such that . We distinguish cases on .
Case . Then and hence . Since we have . Now the first part of Lemma 2 gives the claim.
Case . Then and hence .
Case . Then and hence . Since we have . Now the second part of Lemma 2 gives the claim.
Using arguments similar to those in the remark after Lemma 2 we can see that the corresponding algorithm can be written as a function with
[TABLE]
where and are the functions from this remark.
Lemma 4**.**
For in with , and () we have ( ) in :
[TABLE]
Proof 2.4**.**
In the formulas above instead of we have written to make Theorem 1 applicable. We also use two lemmas stating that is closed under and . To prove the first claim, let in with , and . Then clearly , and by Theorem 1. We have
[TABLE]
Hence we can apply Lemma 3 twice and obtain . The proof of the second claim is similar.
The computational content of the proofs is :
[TABLE]
Here represent the computational content of the two lemmas used in the proof; both are proved by coinduction. The function prepends to the stream, and negates all digits:
[TABLE]
Theorem 5**.**
For in with and we have in :
[TABLE]
Proof 2.5**.**
The proof uses coinduction (2) on with . It suffices to prove (2)’s premise for this . Let be given with , , and . From we have . By a trifold application of the closure axiom (1) to we obtain and such that or for short. We now distinguish three cases.
If , or , then . Pick and with . Then by Lemma 4. From (3) we also obtain and hence . One can easily check that .
If , or , then . Pick and with . We can then proceed as in the first case.
The final case is . Then ; pick and with . We obtain and with Lemma 3 also . Therefore , and is easily checked.
The term Minlog extracts is displayed in Figure 3.
The three occurrences of cCoIClosure correspond to the trifold application of the closure axioms (1) to . The seven cases , , , , , and are clearly visible. In the first three cases SdR corresponds to picking and usage of the function from Lemma 4, and similarly in the last three cases SdL corresponds to picking and usage of . In the middle case SdM corresponds to ; there we use the computational content of Lemma 3. We can describe the extracted term by a function corecursively defined by
[TABLE]
As abbreviation in the case distinction, we have denoted and by and and we have omitted the constructor .
We use this description of the extracted term to see how far we have to look into and to determine the first entries of . To this end we write the above equation as
[TABLE]
where depends on the first three digits of , and is one of , or , according to the present case. Recall
[TABLE]
By the equations for , , and we see that the first entries of
[TABLE]
Hence , and all need at most the first entries of and entries of . Iterating the above equation for gives for the representation
[TABLE]
Therefore the first entries of depend on at most the first entries of and the first entries of .
2.2. Division for binary reflected digit streams
In the stream representation of real numbers described in Section 2.1 adjacent dyadics of the same length can differ in many digits:
[TABLE]
A possible cure is to flip after an occurrence of ; see Figure 4. The result is called binary reflected (or Gray-) code.
Then two dyadics of the same length are adjacent if and only if they differ in exactly one digit. For instance we now have
[TABLE]
This is a desirable property of stream-coded real numbers.
Again when doing arithmetical operations on Gray code the problem of productivity arises, which is dealt with in a somewhat different way. The idea is to introduce two “modes” when generating the code, and flip from one mode to the other whenever we encounter the digit . More precisely, instead of the predicate we now use two predicates ( for Gray, next character) and flip from one to the other after reading . They are defined by simultaneous induction, with clauses
[TABLE]
Here (for proper signed digit) is the (inductive) predicate consisting of the integers . We require that has computational content, in the booleans . Note that there are no nullary clauses (as for ), since they are not needed. We are only interested in the duals , coinductively defined by the simultaneous closure axioms
[TABLE]
and the simultaneous coinduction axioms
[TABLE]
We require that the predicates and therefore as well have computational content, in simultaneously defined algebras and given by the constructors
[TABLE]
We write for and for , and similarly for . Then means left/right, means finally left/right. The delay constructors are (“undefined”) for and (“delay”) for . Figure 5 indicates how these constructors generate Gray code.
Totality , and cototality , can be defined as for above. Objects are called streams in Gray code.
The computational content of the closure axioms (4) are the destructors and defined by
[TABLE]
The computational content of the coinduction axioms (5) are instances of the simultaneous corecursion operators
[TABLE]
with step types
[TABLE]
The type appears since has the two constructors and , and has the two constructors and . Omitting the upper indices of the computation rules for the terms and are
[TABLE]
with of type and of type .
Our goal in this section is to prove that is closed under division (for ), w.r.t. the representation of reals in Gray code. We proceed essentially as for the signed digit case. The main difference is that the simultaneous definition of and makes it necessary to use simultaneous coinduction.
Theorem 6**.**
The average of two real numbers in is in :
[TABLE]
Proof 2.6**.**
The proof in [BMST16] can be adapted to the present setting with concrete rather than abstract reals.
Lemma 7**.**
and are closed under minus:
[TABLE]
Proof 2.7**.**
We prove both claims simultaneously, by coinduction:
[TABLE]
We choose and . Since and are invariant under real equality (also proven by coinduction) we have to prove the two premises. We only consider the first one; the second is proved similarly. Let be given. The goal is
[TABLE]
From we get and therefore
[TABLE]
by the closure axiom. If the right hand side of this disjunction holds, we are done by definition of . If the left hand side holds, we have for some and . To get the left hand side of the disjunction in the goal formula, we take and .
The function we get from the proof takes a Gray code and flips all to and the other way around. We denote this function by . Then the computation rules are:
[TABLE]
Lemma 8**.**
and are equivalent:
[TABLE]
Proof 2.8**.**
In the coinduction axiom we choose and and the conclusion in the coinduction axiom is our goal. Therefore we have to prove the premises of the coinduction axiom. We only consider the first one; the secound one is proved similarly. Let be given. By the closure axiom of we have
[TABLE]
If the second part of this disjunction holds, we get directly the second part of the first premise. If the first part of the disjunction holds, we have for some and . Then and using Lemma 7 we get the first part of disjunction in the premise.
As computational content we have two functions and , with computation rules
[TABLE]
Note that no corecursive call is involved. We denote , by , , respectively.
We show that is closed under shifting a real () by ():
[TABLE]
The proof is by coinduction, simultaneously with the same proposition for . For the coinduction proof it is helpful to reformulate the claim in such a way that the conclusion has the form :
Lemma 9**.**
[TABLE]
Proof 2.9**.**
We use the introduction axiom for and , and simultaneously prove
[TABLE]
The competitor predicates are
[TABLE]
It suffices to prove the premises of the coinduction axiom for these , . We only consider the first part; the second is proved similarly. Let be given. Then we have with , and . From we know and with also . We need to prove the disjunction
[TABLE]
From we obtain either (i) , with or else (ii) with . In case (i) we have since . We distinguish cases on , and use Lemma 7.
Case . Then , hence . If , take and go for the l.h.s. of the disjunction . Picking and gives the claim (since ). If , take and go for the l.h.s. of the disjunction . Picking and gives the claim (since ).
Case . If , go for the l.h.s. of the disjunction , picking and . Then . If , go for the l.h.s. of the disjunction , picking and . Then .
In case (ii) we have (since ) and (since and ). Hence . If , go for the l.h.s. of the disjunction , picking and . Then (since also and ), and . If , go for the l.h.s. of the disjunction , with and . Then again and .
As computational content of a formalization of this proof Minlog returns a term involving simultaneous corecursion. The corresponding algorithm can be described as a pair of two functions and defined by
[TABLE]
Recall that is the function extracted from the proof of Lemma 8 stating that and are equivalent. If , we have computational content of the first part of the lemma. If , we have the second part.
Lemma 10**.**
For in with we have in :
[TABLE]
Proof 2.10**.**
Let be given. From the closure axiom for we obtain either (i) , with , or else (ii) with . In case (i) we distinguish cases on . In case we obtain and hence . Since we have . Now the first part of Lemma 9 gives the claim. The case is similar, using the second part of Lemma 9. In case (ii) we have , hence the goal follows from the equivalence of and .
Using arguments similar to those in the remark after Lemma 9 we can see that the corresponding algorithm can be written as a function with
[TABLE]
where and are the functions from this remark.
Parallel to Lemma 4 we can now prove
Lemma 11**.**
For in with , and () we have ( ) in :
[TABLE]
Proof 2.11**.**
We only consider the first claim, and again use Theorem 6 on the average. In the formulas above instead of we have written to make Theorem 6 applicable. One can see easily that is closed under . Formally, this is proved by coinduction, and the corresponding algorithm is given by a function . To prove the first claim, let in with , and . Then clearly , and by Theorem 6. We have the same estimate (3) as in the proof of Lemma 4; hence we can apply Lemma 10 twice and obtain . The proof of the second claim is similar.
The computational content are functions with
[TABLE]
Parallel to the essential part of Theorem 5 we can now prove that division by satisfies to closure axiom for :
Theorem 12**.**
For in with and we find a signed digit such that for some with :
[TABLE]
Proof 2.12**.**
We proceed as for Theorem 5, now using Lemma 11. The proof uses a trifold application of the coinduction axioms for and to obtain the first three digits.
The computational content is a function defined by
[TABLE]
Corollary 13**.**
For in with and we have in :
[TABLE]
Proof 2.13**.**
By coinduction, simultaneously with the same formula where is replaced by . Theorem 12 is used in both cases of the simultaneous coinduction. The extracted term could be analyzed in a similar way as in the remark after Theorem 5.
2.3. Translation to Haskell
The terms extracted from Theorem 5 and Corollary 13 can be translated into Scheme or Haskell programs. Because of the presence of corecursion operators in the extracted terms the lazy evaluation of Haskell is more appropriate. As tests we have run (in ghci with time measuring by :set +s) the signed digit division files333sddiv.scm and graydiv.scm residing in minlog/examples/analysis on approximations of and . To return the first 19 digits of the result of dividing by took about 0.04 seconds in the signed digit case and about 0.06 seconds in the Gray case.
In the following table we see how the runtime increases if we increase the number of signed digits in the output. Of course, this depends on the used computer, but instead of the concrete numbers we are interested in the scale of the runtime.
In the remark after Theorem 5 we have shown that the look-ahead of the input is linear in the digits of the output, i.e., we need at most the first entries of and to compute the first entries of . But here we see that the runtime is clearly not linear. This is not surprising because in this remark we had the representation
[TABLE]
of . Therefore, for the first digits, we have to compute
[TABLE]
and we have to read the first digits of and and operate on them times. We see that occurs twice in the calculation and hence the runtime has to be at least quadratic in the numbers of digits of the output. We also see this in the table above:
If we compare, for example, the runtimes for 100, 1000 and 10000 digits, we see that a multiplication of the numbers of digits by 10 causes a multiplication of the runtime by approximately 100. Therefore the runtime seems to be approximately quadratic in the number of computed digits.
3. Soundness
We have extracted terms from the two proofs of Theorem 5 and Corollary 13 and tested them on numerical examples. Now we want to prove that these terms are correct, in the sense that they “satisfy their specification”. We interpret this statement in the sense of Kolmogorov [Kol32]: a (c.r.) formula should be viewed as a problem asking for a solution. But what is a solution of a formula/problem ? We use Kreisel’s notion of (modified) realizability and understand “the term is a solution of ” as ( realizes ). This definition is reviewed in Section 3.1. Then we go on and prove in Section 3.2 that for every proof of a c.r. formula its extracted term realizes , i.e., . In this proof we make use of “invariance axioms”444They are called (A-r) “to assert is to realize” in [Fef79]. stating that every c.r. formula is invariant under realizability, formally . Finally in Section 3.3 we report on a Minlog tool automatically generating such soundness proofs.
3.1. Realizers
Recall that computational content arises from (co)inductive predicates only. Therefore we begin with a definition of what it means to be a realizer of such a predicate. We restrict ourselves to define realizers for special instances only; a general treatment can be found in [SW12, p.334].
Consider the definition of the inductive predicate in Section 1.4. By another (n.c.) inductive predicate of arity we can express that a list witnesses (“realizes”) that the real is in . We write ( is a realizer of ) for . The predicate is required to be non-computational, since in we already have a realizer . is inductively defined by the two clauses
[TABLE]
and the induction axiom
[TABLE]
where is the signed digit corresponding to [SW12, p.334]). We write ( is a realizer of ) for . The predicate is required to be non-computational, since in we already have a realizer . is inductively defined by the two clauses
[TABLE]
and the induction axiom
[TABLE]
where is the signed digit corresponding to . Similarly we coinductively define the n.c. predicate of arity to express that a list witnesses (“realizes”) that the real is in . We write ( is a realizer of ) for . The closure axiom is
[TABLE]
and the coinduction axiom
[TABLE]
3.2. Soundness theorem
A formula or predicate is called -free if it does not contain any of the - or -predicates. A proof is called -free if it contains -free formulas only.
Theorem 14** (Soundness).**
Let be an -free proof of a formula from assumptions ( ). Then we can derive
[TABLE]
from assumptions
[TABLE]
Proof 3.1**.**
By induction on . In the base case we have to prove that the extracted terms of , realize the respective axioms. The proofs in [SW12, Sections 7.2.8 and 7.2.10] can be adapted to the present situation. The step cases are easier; we only consider the ones where invariance axioms are used.
Case with c.r. and n.c. We need a derivation of . By induction hypothesis we have a derivation of from . Using the invariance axiom we obtain the required derivation of from as follows.
[TABLE]
Case with c.r. and n.c. The goal is to find a derivation of . By induction hypothesis we have derivations of and of . Now using the invariance axiom we obtain the required derivation of by from the derivation of and
[TABLE]
3.3. Formal soundness proofs for real division algorithms
In the files sddiv.scm, graydiv.scm the Minlog command add-sound has been applied repeatedly to c.r. theorems to automatically generate the corresponding soundness proofs.
4. Conclusion
Recall that our goal was the extraction of computational content from proofs in constructive analysis. Although these proofs work with some standard representation of real numbers, the technique used here makes it possible to extract from such proofs terms describing algorithms which operate on different representations of real numbers, for instance streams of signed digits or Gray code. Moreover, formal proofs of their correctness can be generated automatically.
As future work it is planned to extend the present approach to problems involving e.g. the exponential function and more generally power series. A promising application area would be Euler’s existence proof of solutions for ordinary differential equations satisfying a Lipschitz condition.
Acknowledgment
We thank Tatsuji Kawai, Nils Köpp, Kenji Miyamoto, Hideki Tsuiki and three anonymous referees for helpful comments.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[Ber 93] Ulrich Berger. Program extraction from normalization proofs. In M. Bezem and J.F. Groote, editors, Typed Lambda Calculi and Applications , volume 664 of LNCS , pages 91–106. Springer Verlag, Berlin, Heidelberg, New York, 1993.
- 2[Ber 09] Ulrich Berger. From coinductive proofs to exact real arithmetic. In E. Grädel and R. Kahle, editors, Computer Science Logic , volume 5771 of LNCS , pages 132–146. Springer Verlag, Berlin, Heidelberg, New York, 2009.
- 3[Bis 67] Errett Bishop. Foundations of Constructive Analysis . Mc Graw-Hill, New York, 1967.
- 4[BMST 16] Ulrich Berger, Kenji Miyamoto, Helmut Schwichtenberg, and Hideki Tsuiki. Logic for Gray-code computation. In D. Probst and P. Schuster, editors, Concepts of Proof in Mathematics, Philosophy, and Computer Science , pages 69–110. De Gruyter, 2016.
- 5[CG 06] Alberto Ciaffaglione and Pietro Di Gianantonio. A certified, corecursive implementation of exact real numbers. Theoretical Computer Science , 351:39–51, 2006.
- 6[Ers 77] Yuri L. Ershov. Model C 𝐶 C of partial continuous functionals. In R. Gandy and M. Hyland, editors, Logic Colloquium 1976 , pages 455–467. North-Holland, Amsterdam, 1977.
- 7[Fef 79] Solomon Feferman. Constructive theories of functions and classes. In K. Mc Aloon M. Boffa, D. van Dalen, editor, Logic Colloquium 78 , volume 97 of Studies in Logic and the Foundations of Mathematics , pages 159–224. North-Holland, Amsterdam, 1979.
- 8[Gia 99] Pietro Di Gianantonio. An abstract data type for real numbers. Theoretical Computer Science , 221(1-2):295–326, 1999.
