Introduction A simple criterion Refinements Pitfalls Conclusion
The guard condition of Coq
Bruno Barras
December 19, 2006
Why this talk?
Defining functions by recursion is very common.
Logical consistency relies heavily on termination.
The Coq Reference Manual refers to Giménez' paper "Codifying guarded definitions with recursive schemes" (94).
This condition has been extended over the years to support more schemes.
Bugs (or scary error messages):
Uncaught exception: Assert failure("kernel/inductive.ml", )
Overview of the talk
1 Introduction
    Syntactic guard criterion
    Strictly positive inductive definitions
2 A simple criterion
3 Refinements
4 Pitfalls
5 Conclusion
1 Introduction
A long time ago...
Recursion was done with recursors (Gödel's System T).
This only allows recursive calls on direct subterms.
Cumbersome in a functional programming setting.
Example
Definition half n :=
  fst (Rec (0, false)
           (fun (k, odd) => if odd then (k + 1, false) else (k, true))
           n)
instead of
Fixpoint half n :=
  match n with
  | S (S k) => S (half k)
  | _ => 0
  end.
Syntactic guard criterion
Towards a syntactic guard criterion
Proposal by Coquand (92): recursor = pattern-matching + fixpoint.
Giménez' paper (94): translation towards recursors. For f : I → T, define I_f similar to I such that every subterm of type I comes with its image by f. Then write g : I → I_f and h : I_f → T.
Blanqui (05), Calculus of Algebraic Constructions: reducibility proof (CC + higher-order rewriting).
These only work for the simple criterion.
Strictly positive inductive definitions
Positivity condition
Also crucial for consistency.
Lists:
Inductive list (A : Type) : Type :=
  nil | cons (x : A) (l : list A).
Ordinals:
Inductive ord : Set := O | S (o : ord) | lim (f : nat -> ord).
Useful extension: nested inductive types.
Inductive tree : Set := Node (l : list tree).
This reuses the list library.
Positivity condition (more formally)
Definition (Terms)
$$
s \mid x \mid \Pi x:T.\,U \mid \lambda x:T.\,M \mid M\,N \mid \mathrm{Ind}(X:A)\{\vec C\} \mid \mathrm{Constr}(n, I) \mid \mathrm{Fix}\,F_k : T := M \mid \mathrm{Match}\ M\ \mathrm{with}\ \vec p \Rightarrow \vec t\ \mathrm{end}
$$
Definition (strict positivity)
$\Pi\vec x:\vec t.\,C$ is strictly positive w.r.t. $X$ if for all $i$ either:
(Norec) $X$ does not occur free in $t_i$, or
(Rec) $t_i = \Pi\vec y:\vec u.\,X\,\vec w$ where $X$ does not occur in $\vec u\,\vec w$, or
(Nested) $t_i = \Pi\vec y:\vec u.\,\mathrm{Ind}(Y:B)\{\vec D\}\,\vec w$ where $X$ does not occur free in $\vec u\,\vec w$ and $D_j$ is strictly positive w.r.t. $X$ for all $j$.
Impredicativity
Recursive calls cannot be allowed on all constructor arguments:
Inductive I : Set := C (f : forall A : Set, A -> A).
Fixpoint F (x : I) : False :=
  match x with
  | C f => F (f I x)
  end.
I satisfies positivity (f is a (Norec) argument), yet f I x is not a subterm of x, so F must be rejected.
Definition (recursive positions)
Constructor arguments that satisfy the (Rec) or (Nested) clause of positivity.
Regular trees
Different instances of the same inductive type may have different sets of recursive positions.
Example (Str(list) and Str(tree))
[figure: the two regular trees. Str(list): nil [ ], cons [ ⊥, · ], only the tail is a recursive position. Str(tree): Node [ · ], whose list instance has nil [ ], cons [ ·, · ], both arguments being recursive positions since the elements are trees.]
Trees as sets of paths
While checking positivity, we build a regular tree that identifies recursive positions. But: parameters are not instantiated.
Lemma
The computed tree is the set of paths that cannot contain an infinite number of inductive objects.
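The clauses (Norec), (Rec) and (Nested) of strict positivity, the recursive positions they induce, and the regular-tree point that `list` nested in `tree` has different recursive positions than `list` on its own, worked out as an added Python example. This is not code from the talk or from Coq's kernel; the tuple encoding of types, the `INDUCTIVES` table and the extra `bad` declaration are constructed for illustration. The inner inductive's parameters are instantiated with the arguments it is applied to before its constructor types are checked, so that `X` shows up inside the constructor types as in the (Nested) clause, and a `seen` set turns the back edge of the regular tree into a (Rec) occurrence instead of looping.

```python
"""Strict-positivity checker for a small term language (constructed example).

Types are tuples:
  ('var', X)           a variable, parameter or inductive name
  ('app', I, [args])   an inductive applied to parameters
  ('pi', [u, ...], T)  Pi y:u. T (binder names do not matter for positivity)
"""


def Var(name):
    return ('var', name)


def App(head, *args):
    return ('app', head, list(args))


def Pi(domains, body):
    return ('pi', list(domains), body)


# The talk's declarations in this encoding: name -> (parameters, {constructor: [argument types]})
INDUCTIVES = {
    'list': (['A'], {'nil': [], 'cons': [Var('A'), App('list', Var('A'))]}),
    'ord':  ([], {'O': [], 'S': [Var('ord')], 'lim': [Pi([Var('nat')], Var('ord'))]}),
    'tree': ([], {'Node': [App('list', Var('tree'))]}),
    'I':    ([], {'C': [Pi([Var('Set'), Var('A')], Var('A'))]}),
    # Not on the slides (constructed): a negative occurrence, which must be rejected.
    'bad':  ([], {'mk': [Pi([Var('bad')], Var('nat'))]}),
}


def occurs(x, t):
    """Does the name x occur in type t?"""
    if t[0] == 'var':
        return t[1] == x
    if t[0] == 'app':
        return t[1] == x or any(occurs(x, a) for a in t[2])
    return any(occurs(x, u) for u in t[1]) or occurs(x, t[2])


def subst(t, env):
    """Instantiate parameter names with the types given in env."""
    if t[0] == 'var':
        return env.get(t[1], t)
    if t[0] == 'app':
        return ('app', t[1], [subst(a, env) for a in t[2]])
    return ('pi', [subst(u, env) for u in t[1]], subst(t[2], env))


def classify(x, t, seen=()):
    """Which clause of strict positivity w.r.t. x does constructor argument t satisfy?
    Returns 'Norec', 'Rec' or 'Nested', or None when t is not strictly positive."""
    if not occurs(x, t):
        return 'Norec'
    domains, body = (t[1], t[2]) if t[0] == 'pi' else ([], t)
    if any(occurs(x, u) for u in domains):
        return None                      # x to the left of an arrow: negative occurrence
    if body == ('var', x):
        return 'Rec'
    if body[0] != 'app':
        return None
    if body[1] == x:                     # (Rec): X w, with X absent from w
        return None if any(occurs(x, w) for w in body[2]) else 'Rec'
    if body[1] not in INDUCTIVES:
        return None
    # (Nested): instantiate the inner inductive's parameters, then every constructor
    # type of that instance must itself be strictly positive w.r.t. x.  `seen` holds
    # the instances already under check, so the inner type's own recursive occurrence
    # (the back edge of the regular tree) counts as (Rec) instead of looping.
    key = (body[1], repr(body[2]))
    if key in seen:
        return 'Rec'
    params, ctors = INDUCTIVES[body[1]]
    env = dict(zip(params, body[2]))
    for args in ctors.values():
        if any(classify(x, subst(a, env), seen + (key,)) is None for a in args):
            return None
    return 'Nested'


def recursive_positions(x, ind, params=None):
    """For each constructor of `ind` (parameters instantiated by `params`, or left as
    declared), the indices of the arguments that are recursive positions w.r.t. x."""
    names, ctors = INDUCTIVES[ind]
    env = dict(zip(names, params or []))
    out = {}
    for c, args in ctors.items():
        kinds = [classify(x, subst(a, env)) for a in args]
        if None in kinds:
            raise ValueError(f'{ind}.{c} is not strictly positive w.r.t. {x}')
        out[c] = [i for i, k in enumerate(kinds) if k != 'Norec']
    return out


def is_strictly_positive(ind):
    """Positivity condition of a declaration w.r.t. its own name."""
    try:
        recursive_positions(ind, ind)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    print(recursive_positions('list', 'list'))                 # cons: only the tail
    print(recursive_positions('tree', 'list', [Var('tree')]))  # cons: head and tail
    print(is_strictly_positive('I'), is_strictly_positive('bad'))
```

`recursive_positions('list', 'list')` reproduces the left tree of the example (cons `[ ⊥, · ]`), while `recursive_positions('tree', 'list', [Var('tree')])` reproduces the list instance inside Str(tree) (cons `[ ·, · ]`); `I` is accepted by positivity with no recursive position at all, which is exactly why the recursive call `F (f I x)` of the impredicativity slide has nothing to be a subterm of.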
2 A simple criterion
Size information
$$
\begin{aligned}
\text{(strict)} \quad & \sigma^- ::= \top \mid \tau^- \\
\text{(non-strict)} \quad & \sigma^+ ::= \bot \mid \tau^+ \\
\text{(size info)} \quad & \sigma ::= \sigma^+ \cup \sigma^-
\end{aligned}
$$
A map $\rho$ associates size information to every variable.
[figure: the lattice of size information, with $\top$ at the top, the strict sizes $\tau^-_1, \tau^-_2, \tau^-_3, \tau^-_4, \ldots$ below it, the non-strict sizes $\tau^+_1, \tau^+_2, \tau^+_3, \tau^+_4, \ldots$ below those, and $\bot$ at the bottom.]
Guard condition in short
A judgement $\rho \vdash_S M \Rightarrow \sigma$ meaning that $M$ has size information $\sigma$, where $\rho$ associates size information to variables.
A judgement $M \in \mathrm{Check}^{F,k}_\rho$ meaning that $M$ does recursive calls to $F$ only on strict subterms, as specified by $\rho$.
Pattern-matching propagates information on pattern variables:
$$(\mathrm{Constr}(i, I)\ x_1 \ldots x_k \mid \sigma) = \{(x_j, \sigma.i.j^-) \mid j \le k\}$$
Remarks
Easy encoding of recursors as fix + match (non-regression).
Allows recursive calls on deep subterms.
Definition of the condition (1)
Typing rule:
$$\frac{\Gamma, (F:T) \vdash M : T \qquad M \in \mathrm{Guard}^F_k}{\Gamma \vdash (\mathrm{Fix}\,F_k : T := M) : T}$$
$$\frac{t_k = \mathrm{Ind}(X:A)\{\vec C\}\,\vec u \qquad \mathrm{Str}(X, \vec C) = \tau \qquad M \in \mathrm{Check}^{F,k}_{\{(x_k,\,\tau^+)\}}}{\lambda\vec x:\vec t.\,M \in \mathrm{Guard}^F_k}$$
Definition of the condition (2)
$$\frac{M \in \mathrm{Check}^{f,k}_\rho \qquad \rho \vdash_S M \Rightarrow \sigma \qquad \forall i.\ b_i \in \mathrm{Check}^{f,k}_{\rho \cup (p_i \mid \sigma)}}{\mathrm{Match}\ M\ \mathrm{with}\ \vec p \Rightarrow \vec b\ \mathrm{end} \in \mathrm{Check}^{f,k}_\rho}$$
$$\frac{\rho \vdash_S t_k \Rightarrow \sigma^- \qquad \forall i,\ t_i \in \mathrm{Check}^{f,k}_\rho}{f\,\vec t \in \mathrm{Check}^{f,k}_\rho}$$
Definition of the condition (boring cases)
Simply check recursively that subexpressions are guarded:
$$\frac{f \notin FV(M)}{M \in \mathrm{Check}^{f,k}_\rho}
\qquad
\frac{T \in \mathrm{Check}^{f,k}_\rho \quad U \in \mathrm{Check}^{f,k}_\rho}{\Pi x:T.\,U \in \mathrm{Check}^{f,k}_\rho}$$
$$\frac{T \in \mathrm{Check}^{f,k}_\rho \quad U \in \mathrm{Check}^{f,k}_\rho}{\lambda x:T.\,U \in \mathrm{Check}^{f,k}_\rho}
\qquad
\frac{M \in \mathrm{Check}^{f,k}_\rho \quad N \in \mathrm{Check}^{f,k}_\rho}{M\,N \in \mathrm{Check}^{f,k}_\rho}$$
Subterms
$$\frac{(x, \sigma) \in \rho}{\rho \vdash_S x\,\vec t \Rightarrow \sigma}
\qquad
\frac{\rho \vdash_S M \Rightarrow \sigma}{\rho \vdash_S \lambda x:A.\,M \Rightarrow \sigma}$$
3 Refinements
Checking guard modulo reduction
In fact, the typing rule for fixpoints is:
$$\frac{\Gamma, (F:T) \vdash M : T \qquad M \to^*_\beta M' \qquad M' \in \mathrm{Guard}^F_k}{\Gamma \vdash (\mathrm{Fix}\,F_k : T := M) : T}$$
Breaks strong normalization!
Example
Fixpoint F n := let x := F n in 0.
Eval compute in (F 0).
The unused let binding, and with it the unguarded call F n, is erased by reduction before the guard is checked, so F is accepted although evaluating F 0 does not terminate.
Pattern-matching
$$\frac{\forall i,\ \rho \vdash_S b_i \Rightarrow \sigma_i}{\rho \vdash_S \mathrm{Match}\ M\ \mathrm{with}\ \vec p \Rightarrow \vec b\ \mathrm{end} \Rightarrow \sqcap\vec\sigma}$$
Example
Require Import Arith.
Definition pred (n : nat) (H : n <> 0) : nat :=
  match n return n <> 0 -> nat with
  | 0 => fun H0 => match H0 eq_refl with end
  | S k => fun _ => k
  end H.
Fixpoint F (x : nat) : nat :=
  match eq_nat_dec x 0 with
  | left _ => 0
  | right H => F (pred x H)
  end.
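The judgements ρ ⊢_S M ⇒ σ and M ∈ Check^{f,k}_ρ of the simple criterion (the subterm rules, the boring cases, the propagation to pattern variables) together with the ⊓ rule for match above, as an added Python example. It is not the talk's or Coq's code: the `CTOR_ARGS` table (a flattened regular tree), the tuple encoding of terms and the four sample fixpoints are constructed. It accepts `half` through a deep subterm, rejects the body `let x := F n in 0` of the strong-normalization slide as the unreduced criterion does, accepts the `pred` example because the empty match contributes ⊤ to the meet, and rejects the `Fixpoint F (x:I)` of the impredicativity slide because the pattern variable `f` is not at a recursive position. The fixpoint-as-argument and nested-fixpoint refinements are not modelled.

```python
"""Simple syntactic guard criterion over a small term language (constructed example).

Sizes form the chain bot < large < strict < top: `large` is tau-plus (the recursive
argument itself), `strict` is tau-minus (a strict subterm of it), `bot` means "not a
subterm" and `top` is the size of dead code, i.e. an empty match.
"""
BOT, LARGE, STRICT, TOP = 0, 1, 2, 3

# Flattened regular tree Str (constructed): per constructor, the inductive name of each
# argument at a recursive position, None elsewhere.  C's argument f : forall A:Set, A -> A
# is a (Norec) argument, hence not a recursive position.
CTOR_ARGS = {'O': [], 'S': ['nat'], 'C': [None], 'left': [None], 'right': [None]}

# Terms: ('var', x) | ('app', f, [args]) | ('lam', [xs], body) | ('ctor', c, [args])
#        | ('match', scrutinee, [(c, [xs], body), ...]) | ('fix', F, k, [xs], body)
def V(x): return ('var', x)
def A(f, *args): return ('app', f, list(args))
def M(scrutinee, *branches): return ('match', scrutinee, list(branches))


def free_in(f, t):
    """Does the name f occur free in term t?"""
    tag = t[0]
    if tag == 'var':
        return t[1] == f
    if tag == 'app':
        return free_in(f, t[1]) or any(free_in(f, a) for a in t[2])
    if tag == 'lam':
        return f not in t[1] and free_in(f, t[2])
    if tag == 'ctor':
        return any(free_in(f, a) for a in t[2])
    if tag == 'match':
        return free_in(f, t[1]) or any(f not in xs and free_in(f, b) for _, xs, b in t[2])
    return f != t[1] and f not in t[3] and free_in(f, t[4])       # fix


def bind_pattern(rho, c, xs, sigma):
    """(Constr(i, I) x1 .. xk | sigma): when the scrutinee is a subterm, the pattern
    variables at recursive positions are strict subterms (sigma.i.j-), the others bot."""
    new = dict(rho)
    for x, pos in zip(xs, CTOR_ARGS[c]):
        new[x] = STRICT if pos is not None and sigma in (LARGE, STRICT) else BOT
    return new


def size(rho, t):
    """rho |-_S t => sigma."""
    tag = t[0]
    if tag == 'var':
        return rho.get(t[1], BOT)
    if tag == 'app' and t[1][0] == 'var':                     # x t => sigma when (x, sigma) in rho
        return rho.get(t[1][1], BOT)
    if tag == 'lam':
        return size({x: s for x, s in rho.items() if x not in t[1]}, t[2])
    if tag == 'match':
        sigma = size(rho, t[1])
        branch_sizes = [size(bind_pattern(rho, c, xs, sigma), b) for c, xs, b in t[2]]
        return min(branch_sizes, default=TOP)                 # meet of the branches; no branch = dead code
    return BOT   # constructor applications, other applications, fixpoints as arguments


def check(f, k, rho, t):
    """t in Check^{f,k}_rho: every call f t1 .. tn passes a strict subterm in position k."""
    if not free_in(f, t):
        return True
    tag = t[0]
    if tag == 'app' and t[1] == ('var', f):
        return (len(t[2]) > k and size(rho, t[2][k]) >= STRICT
                and all(check(f, k, rho, a) for a in t[2]))
    if tag == 'app':
        return check(f, k, rho, t[1]) and all(check(f, k, rho, a) for a in t[2])
    if tag == 'ctor':
        return all(check(f, k, rho, a) for a in t[2])
    if tag == 'match':
        sigma = size(rho, t[1])
        return check(f, k, rho, t[1]) and all(
            check(f, k, bind_pattern(rho, c, xs, sigma), b) for c, xs, b in t[2])
    return check(f, k, rho, t[-1])                            # lam and nested fix: check the body


def guarded(fixpoint):
    """Guard^F_k: check the body of Fix F_k := \\x. M with x_k |-> tau-plus (large)."""
    _, name, k, xs, body = fixpoint
    return check(name, k, {xs[k]: LARGE}, body)


# Fixpoint half n := match n with S (S k) => S (half k) | _ => 0 end  (deep subterm: accepted)
HALF = ('fix', 'half', 0, ['n'],
        M(V('n'), ('O', [], ('ctor', 'O', [])),
          ('S', ['m'], M(V('m'), ('O', [], ('ctor', 'O', [])),
                         ('S', ['k'], ('ctor', 'S', [A(V('half'), V('k'))]))))))
# Fixpoint F n := let x := F n in 0, the let written as a beta-redex  (rejected: n is not strict)
LET_LOOP = ('fix', 'F', 0, ['n'], A(('lam', ['x'], ('ctor', 'O', [])), A(V('F'), V('n'))))
# Fixpoint F x := if eq_nat_dec x 0 then 0 else F (pred x H), with pred unfolded to its match;
# the dead branch has size top, so the meet with the "S k => k" branch is strict  (accepted)
PRED_CALL = ('fix', 'F', 0, ['x'],
             M(A(V('eq_nat_dec'), V('x'), ('ctor', 'O', [])),
               ('left', ['_'], ('ctor', 'O', [])),
               ('right', ['H'], A(V('F'), M(V('x'), ('O', [], M(V('H'))),
                                            ('S', ['k'], V('k')))))))
# Fixpoint F (x:I) := match x with C f => F (f I x) end  (rejected: f is not a subterm of x)
IMPRED = ('fix', 'F', 0, ['x'], M(V('x'), ('C', ['f'], A(V('F'), A(V('f'), V('I'), V('x'))))))

if __name__ == '__main__':
    for name, term in [('half', HALF), ('let-loop', LET_LOOP), ('pred', PRED_CALL), ('impred', IMPRED)]:
        print(name, 'accepted' if guarded(term) else 'rejected')
```

The meet is `min` over the chain, so one branch that is not a subterm drags the whole match down to ⊥ while a dead branch (⊤) never does; that single design choice is what makes `pred x H` usable as a recursive argument and what keeps `let x := F n in 0` rejected until reduction is allowed to erase the call.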
Fixpoints as argument of F
A fix returns a strict subterm if its body does.
Size information of the recursive argument is propagated:
$$\frac{\rho \vdash_S u_n \Rightarrow \sigma \qquad \rho \cup \{(G, \tau^-), (x_n, \sigma)\} \vdash_S M \Rightarrow \tau^-}{\rho \vdash_S (\mathrm{Fix}\,G_n : T := \lambda\vec x:\vec t.\,M)\,\vec u \Rightarrow \tau^-}$$
Example
Fixpoint F x y := if "x ≤ y" then x else F (x - S y) y.
Nested fixpoints
$$\frac{\rho \vdash_S u_n \Rightarrow \sigma \qquad M \in \mathrm{Check}^{F,k}_{\rho\{(x_k,\,\sigma)\}} \qquad T \in \mathrm{Check}^{F,k}_\rho \qquad \vec u \in \mathrm{Check}^{F,k}_\rho}{(\mathrm{Fix}\,G_n : T := M)\,\vec u \in \mathrm{Check}^{F,k}_\rho}$$
Example (size of a tree)
Fixpoint size (t : tree) : nat :=
  match t with
  | Node l => fold_right (fun t' n => n + size t') 1 l
  end.
4 Pitfalls
Nested vs. mutual inductive types
Example (Guard violated)
Fixpoint size (t : tree) : nat :=
  match t with
  | Node l => S (size_forest l)
  end
with size_forest (l : list tree) : nat :=
  match l with
  | nil => 0
  | t :: l' => size t + size_forest l'
  end.
Mutual inductive types can be used in the context of both mutual fixpoints and nested fixpoints. Nested inductive types cannot be used in the context of mutual fixpoints.
5 Conclusion
Many extensions already.
Many are still missing (syntactic criterion).
So why this talk?
An opportunity to stop and think.
A highly critical (implementation) bug was found: apply the patch!
Syntactic criteria are dead: Giménez, Blanqui, Barthe (and...) moved to type-based guard verification (size annotations).