Download presentation
Presentation is loading. Please wait.
1
A Design Structure for Higher Order Quotients
Dr. Peter V. Homeier U.S. Department of Defense Making formal methods into normal methods
2
Higher Order Quotients
A quotient simplifies a system by disregarding some details and merging equivalent elements We say an element lifts to its simpler, quotient version Quotients should lift not only elements, but entire system, including types, constants (incl. operators), and theorems Automation needed to treat syntax of large, realistic languages Most prior packages did not lift constants or theorems, just types Uniquely, Harrison’s did, but only lifted first order theorems Lifting higher order thms requires higher order quotients (which lift a function type to a function type) Most important point to remember from talk: We give a new definition of quotients, which naturally supports higher order quotients, and enables automatic lifting of h.o. types, constants, and theorems. December 5, 2018 A Design Structure for Higher Order Quotients
3
Example: Finite Sets from Lists
Can define finite sets as quotient of lists by ~ where ~ : a list a list bool is defined by rule induction: _____________________ _________________ a :: (b :: A) ~ b :: (a :: A) a :: (a :: A) ~ a :: A A ~ B A ~ B A ~ B, B ~ C . [] ~ [] a :: A ~ a :: B B ~ A A ~ C We can easily prove ~ is an equivalence relation, reflexive, symmetric, and transitive We automatically create the new type “ a finite_set ” as isomorphic to the quotient of a list by ~ Abstraction function: finite_set_ABS : a list a finite_set Representation function: (uses Hilbert choice operator) finite_set_REP : a finite_set a list December 5, 2018 A Design Structure for Higher Order Quotients
4
Lifting Respectful Constants
Lifting types is where most quotient support stops. But important to also lift constants, especially operators on the lifted type (including functions and predicates). If lifting a group, should also lift the group operation! MEM x [] = F MEM x (h :: t) = (x = h) MEM x t To lift MEM, we must first prove MEM respects ~: MEM_RSP A B x. A ~ B (MEM x A MEM x B) Define lifted MEM: x In s = MEM x (finite_set_REP s) Some constants do NOT lift: LENGTH [] = 0 LENGTH (h :: t) = 1 + LENGTH t LENGTH does not respect ~, so cannot lift: [5;5;5] ~ [5] but LENGTH [5;5;5] ≠ LENGTH [5] We call LENGTH disrespectful. December 5, 2018 A Design Structure for Higher Order Quotients
5
A Design Structure for Higher Order Quotients
Lifting Theorems Very important to also lift theorems about lifted operators If lifting an abelian group, the lifted group should also be abelian! Requires automation to be practical and mathematically incisive The most interesting and difficult task to automate Thms proven manually took average of 16 lines of HOL tactics All constants appearing in the theorem must be respectful. Via MEM → In, [] → Empty, :: → Insert, MEM x [] = F MEM x (h :: t) = (x = h) MEM x t lifts to x In Empty = F x In (h Insert t) = (x = h) x In t But how to lift higher order theorems? Is P respectful? ? P : a list bool. P [] (t. P t h. P (h :: t)) l. P l Need quotient for every type, i.e. higher order quotients December 5, 2018 A Design Structure for Higher Order Quotients
6
Equivalence Relations and Equivalence Extension Theorems
Equivalence relations E : t t bool. (curried) Reflexivity: x : t. E x x Symmetry: x, y : t. E x y E y x Transitivity: x, y, z : t. E x y E y z E x z Equivalence: EQUIV E = x, y : t. E x y (E x = E y) fset_EQUIV EQUIV $~ Extension to lists: LIST_REL E : t list t list bool Extension theorems for lists, pairs, sums, option types. E. EQUIV E EQUIV (LIST_REL E) E1 E2. EQUIV E1 EQUIV E2 EQUIV (E1 ### E2) E1 E2. EQUIV E1 EQUIV E2 EQUIV (E1 +++ E2) E. EQUIV E EQUIV (OPTION_REL E) Equivalence relations do NOT extend to higher order! E1 E2. EQUIV E1 EQUIV E2 EQUIV (E1 ===> E2) X December 5, 2018 A Design Structure for Higher Order Quotients
7
Traditional Quotients Lift Elements to Equiv. Classes
Quotient Set Higher Abstraction Lifting Representation Original Set Lower Equivalence Classes Equivalence Relation December 5, 2018 A Design Structure for Higher Order Quotients
8
Higher Order Quotients using Partial Equivalence Relations
Lifted Higher Order Type Higher Lifting Original Higher Order Type Lower Disrespectful functions Partial Equivalence Relation December 5, 2018 A Design Structure for Higher Order Quotients
9
New Definition of Quotients
Disrespectful functions are elements that cannot be lifted To exclude elements, use partial equivalence relations – symmetric & transitive but not necessarily reflexive We say r respects R if and only if R r r (reflexive at r) ► Define quotient as triple R, abs, rep where R : t t bool, abs : t x, rep : x t Quotients must satisfy three key algebraic properties: a : x abs (rep a) = a a : x R (rep a) (rep a) r, s : t. R r s R r r R s s (abs r = abs s) If so, then quotient theorem: R, abs, rep t is the original, lower type; x is the quotient, higher type December 5, 2018 A Design Structure for Higher Order Quotients
10
Quotient Extension Theorems
Quotients extend naturally over lists, pairs, sums, options: LIST_QUOTIENT R abs rep. R, abs, rep LIST_REL R, MAP abs, MAP rep PAIR_QUOTIENT R1 abs1 rep1. R1, abs1, rep1 R2 abs2 rep2. R2, abs2, rep2 R1 ### R2, abs1 ## abs2, rep1 ## rep2 SUM_QUOTIENT R1 abs1 rep1. R1, abs1, rep1 R2 abs2 rep2. R2, abs2, rep2 R1 +++ R2, abs1 ++ abs2, rep1 ++ rep2 OPTION_QUOTIENT R abs rep. R, abs, rep OPTION_REL R, OPTION_ MAP abs, OPTION_ MAP rep ► But will quotients extend over functions? December 5, 2018 A Design Structure for Higher Order Quotients
11
(Higher Order) Function Quotient Extension Theorem
Quotients even extend naturally over functions: FUN_QUOTIENT R1 abs1 rep1. R1, abs1, rep1 (domain) R2 abs2 rep2. R2, abs2, rep2 (range) R1 ===> R2, rep1 --> abs2, abs1 --> rep2 where (R1 ===> R2) f g = (x y. R1 x y R2 (f x) (g y)) (f --> g) h x = g (h (f x)) This is the key, central, and crucial theorem, on which all higher order quotients theory and practice rests. Note that R1 ===> R2 is not an equivalence relation. Is reflexive at f, (R1 ===> R2 ) f f, iff f respects R1 ===> R2. December 5, 2018 A Design Structure for Higher Order Quotients
12
Creating Finite Sets as a Quotient: Example Invocation of Tool
val [In, Union, finite_set_EXTENSION, ..., finite_set_INDUCT] = define_quotient_types{ types = [{name = “finite_set”, equiv = fset_EQUIV}], defs =[{def_name=“In_def”, fname=“In”, fixity=Infix(NONASSOC,425), func=``MEM:’a -> ’a list -> bool``}, ... ], tyop_quotients = [FUN_QUOTIENT], tyop_equivs = [], tyop_simps = [FUN_REL_EQ, FUN_MAP_I], respects = [NIL_RSP, CONS_RSP, MEM_RSP, APPEND_RSP, Card1_RSP, Delete1_RSP, Inter1_RSP, Fold1_RSP], poly_preserves = [FORALL_PRS, EXISTS_PRS, COND_PRS], poly_respects = [RES_FORALL_RSP, RES_EXISTS_RSP, COND_RSP], old_thms = [MEM, APPEND, list_EXTENSION,..., list_INDUCT] }; An automatic tool is provided to lift in one step types, constants, and theorems concerning the types and constants of the original, lower level to the corresponding types, constants, theorems of the quotient, higher level. User must supply A (partial) equivalence theorem for each type being lifted, A respectfulness theorem for each constant being lifted, A quotient extension theorem for each type operator involved, A preservation theorem for each polymorphic constant involved, A respectfulness theorem for each polymorphic constant as well, Theorems to be lifted. Several dozen respectfulness and preservation theorems are provided preproven for existing standard polymorphic constants; user can add to these new ones he has proven December 5, 2018 A Design Structure for Higher Order Quotients
13
Examples of Lifting Theorems
(x. [] Delete1 x = []) ((A : a list) a x. (a :: A) Delete1 x = if a = x then A Delete1 x else a :: (A Delete1 x)) Is lifted to (x. Empty Delete x = Empty) ((A : a finite_set) a x. (a Insert A) Delete x = if a = x then A Delete x else a Insert (A Delete x)) Notice how the type of the if…then…else changes. Similarly, Fold1 can be defined and lifted to Fold. We can define Delete1 by primitive recursion on lists, and then lift this definition theorem to finite sets. Similarly, the Fold function on finite sets can be lifted from the definition of Fold1 on lists by primitive recursion. December 5, 2018 A Design Structure for Higher Order Quotients
14
Defining Fold on Finite Sets
(f g z. Fold1 f g z [] = z) (f g z a (A : a list). Fold1 f g z (a :: A) = if (u v. f u v = f v u) (u v w. f u (f v w) = f (f u v) w) then if MEM a A then Fold1 f g z A else f (g a) (Fold1 f g z A) else z (f g z. Fold f g z Empty = z) (f g z a (A : a finite_set). Fold f g z (a Insert A) = if (u v. f u v = f v u) (u v w. f u (f v w) = f (f u v) w) then if a In A then Fold f g z A else f (g a) (Fold f g z A) else z December 5, 2018 A Design Structure for Higher Order Quotients
15
Lifting Extension and Induction
Extension: (A : a list) B a. A ~ B a. MEM a A MEM a B (A : a finite_set) B a. A = B a. a In A a In B Induction: P : a list bool. P [] (t. P t h. P (h :: t)) l. P l P : a finite_set bool. P Empty (t. P t h. P (h Insert t)) l. P l This last theorem requires higher order quotients to lift. An induction principle for a type not defined inductively! This gives an induction principle for finite sets when that type was not defined inductively, but by a quotient on an inductive type. December 5, 2018 A Design Structure for Higher Order Quotients
16
Respectfulness and Preservation of Polymorphic Constants
Polymorphic constants must be polymorphically respectful: R, abs, rep A1 = A2 R B1 B2 R C1 C2 R (if A1 then B1 else C1) (if A2 then B2 else C2) R1, abs1, rep1 R2, abs2, rep2 R3, abs3, rep3 (R2 ===> R3) f1 f2 (R1 ===> R2) g1 g2 (R1 ===> R3) (f1 o g1) (f2 o g2) Polymorphic constants also must be preserved across quotients: R, abs, rep (if A then B else C) = abs (if A then rep B else rep C) R1, abs1, rep1 R2, abs2, rep2 R3, abs3, rep3 f o g = (rep1 --> abs3) (((abs2 --> rep3) f) o ((abs1 --> rep2) g)) December 5, 2018 A Design Structure for Higher Order Quotients
17
A Design Structure for Higher Order Quotients
The Axiom of Choice This design uses the Axiom of Choice, in the form of Hilbert’s choice operator e. Constructivists object to e. Paulson has studied first order quotients using only i, a weaker form of choice where i {x} = x, else indetermin. Can higher order quotients be built using only i, not e? Try alternate design eliminating representation functions. Redefine quotient as a pair R, abs where R : t t bool, abs : t x Quotients must satisfy two key algebraic properties: a : x. r : t. R r r (abs r = a) r, s : t. R r s R r r R s s (abs r = abs s) Now, quotients can be constructed without any use of e given a (partial) equivalence relation R. t is the original, lower type; x is the quotient, higher type December 5, 2018 A Design Structure for Higher Order Quotients
18
Does This Support Constructive Higher Order Quotients?
These quotients extend to lists, pairs, sums, and options. R abs. R, abs LIST_REL R, MAP abs Have proven a function quotient extension theorem! R1 abs1. R1, abs1 R2 abs2. R2, abs2 R1 ===> R2, (abs1 R1) +-> abs2 where we define (R1 ===> R2) f g = (x y. R1 x y R2 (f x) (g y)) (abs R) a r = R r r (abs r = a) (reps +-> abs) f x = i (IMAGE abs (IMAGE f (reps x))) But this can only be proven by using the Axiom of Choice. In fact, this theorem implies the Axiom of Choice, in that it implies the existence of a Hilbert choice operator like e: function quotient extension c. P x. P x P (c P) These designs cannot be used in constructive provers. December 5, 2018 A Design Structure for Higher Order Quotients
19
A Design Structure for Higher Order Quotients
Conclusions This design supports the mechanical creation of quotients with automatic lifting of types, constants, and theorems. Central contribution is a new definition of quotients, based on three key algebraic properties. Design supports the natural extension of quotients (with their properties) to both aggregate and higher order types. Uses the Axiom of Choice. An alternative design avoiding AC could not be extended constructively to higher order. In that design, higher order quotients implied the AC. Implemented in a package in the Higher Order Logic theorem prover version Kananaskis-2 & 3, now available. Design is readily portable to other theorem provers which support higher order logic and the Axiom of Choice. Now can model syntax of sizable programming languages December 5, 2018 A Design Structure for Higher Order Quotients
20
The End Soli Deo Gloria.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.