Computable values can be classical

Computable Values Can Be Classical (Preliminary Report) Val Bream- Tannen MIT Laboratory Cambridge, Albert R. Meyer Abstract. In programming languages of universal power, the computational integers must be distinguished from the classical integers beEven the cause of the “divergent” integer. equational theory corresponding to evaluation of integer expressions is distinct from the theory of classical integers, and classical reasoning about computational integers yields inconsistencies. We show that there exist ‘programming languages”, actually extensions of the polymorphic lambda calculus, that have tremendous computing power and yet whose computational integers, or any other algebraically specified abstract data type, coincide with their classical counterpart. In particular, the equational theory of the programming language is 8 tenservat& eztension of the theory of the underlying base types as given by algebraic data type specifications. This work was supported in part by NSF Grant DCR8511190 and in part by ONR Grant NO00 1488-K-0125. The first author was partially supported by an IBM Graduate Fellowehip. Permission to copy without fee all or part of this material is granted provided that the copies are not made or dietributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. 1 754 Recursion tive is not conserva- The concerns of this paper are illustrated by the following simple data type specification (a variation of one given in [Meyer & Reinhold 19861): There is one sort int, function symbols cond - : : 8UCC : 0,l : int’ --+ int int2 -+ int int --k int int . and axioms cond(O,s,y) cond(l,s,y) x-x SUCC(S) - 2 = = = x y 0 (1) (2) (3) = 1 . (4 Clearly the standard integers satisfy this specification, so it follows that equational reasoning from this specification cannot deduce, say, 0 = 1. Now, consider the following program: P dGf letrec f(5) = 8ucc(f(z)) in cond(f(O) Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specfic permission. 0 1987 o-89791-215-2/87/010-0238 Received 11/3/&j for Computer Science MA 02139, USA 238 - f(O), (41) Applying the axioms (3) and (1) to the conditional we get P = 0. On the other hand, expanding the first f(0) to succ(f(0)) by the copy rule, and then using axioms (4) and (2) we get P = 1. Hence 0 = l! cause they are essential for universal computing power. Both LCF and the logic of partial lambda calculus take recursion as a must and try to reason about the resulting data domains. In this paper, we take a different course: we aim to preserve classical reasoning about the data by achieving the kind of conservative extension that fails above. We do so by eliminating unrestricted recursion and consequently sacrificing universal computing power. We suggest that from a theoretical viewpoint, and possibly from a pragmatic one as well, the sacrifice need not be great. What is going on here? We have started from a simple functional language-that of arithmetical expressions. Associated with this language there is an equational theory-the one given by the specification above. Then, we have extended the language to allow recursion, adding the copy rule to our computation rules. Again we have an equational theory, one that extends (contains) the theory of the basic data type. But this extension is not consetoatiue since it allows us to prove an equation between purely arithmetical expressions, namely 1 = 0, that was not derivable from the data type specificati0n.l 2 extension ... Following familiar tradition [Landin 19651, we take lambda calculi with reduction rules as models of programming languages and their evaluation. For reasons soon to become clear, our choice here is the Girard-Reynolds polymorphic lambda calculus (Girard 19721, [Reynolds 19741, cf. [Fortune et al. 19831. We will symbolize this calculus by Xv. We expect the reader to be familiar with Av. The following example may help to bring us on common ground. This failure of conservative extension springs from a familiar source: a recursively defined function whose evaluation diverges. In the usual denotational semantics of functional programs, the copy rule for recursion is sound but the classical axiom (3)) z - x = 0, is not sound since I - I = L # 0, where i is the ‘divergent’ integer value. In order to reason about the underlying data types in such semantics, we need a logic that takes non-termination into account. LCF pro[Gordon et al. 19791 is a well-developed gramming environment supporting such logic, but problems of reasoning about divergent values remain apparent [Paulson 19841. In another recently proposed logic of partial computable functions based on partial lambda calculus [Plotkin 19851, [Moggi], divergent values are eliminated but well-formed expressions with undefined meaning must be considered. Potentially divergent constructs are ubiquitous in programming Conservative One way to compute ‘polymorphically” with integers is as follows. The numerals are taken to be the closed terms of type po1yint dgf vt. (t --* t) + t + t . The numeral corresponding to the integer n is ii de’ At. Xf: t + t. xx: t. f “x . One can define for example like recursion languages be- ‘Indeed, in thie case the extension ie not only not conservative, it ie equationally inconei.stent, viz., one can prove any arithmetic equation from 1 = 0 and axioms (1) and (2). 239 Add : polyint + polyint +polyint bY Add dgf Xu: polyint. Au: polyint. At. Af: t + t. xx: t. utf(vtfx) and prove in Xv that 3 Add+%% = mTn. Note, however, that Xv cannot prove Adduv with arbitrary = Addvu u and v of type polyint. We will take the position that, from a programming perspective, one would like a more general and flexible method of representing data types. In fact, we want to be able to add separate and arbitrary data type specifications to Xv. As we have seen, attempting to combine arbitrary data type specifications with unrestricted recursion leads to failure of conservative extension. However, the polymorphic type discipline is strongly normalizing, i.e., inherently “terminating”, therefore counterexamples in the spirit of the one we presented in Section 1 cannot be devised within it, And, indeed, the following initial technical result indicates that, in contrast to the situation with general recursion, it is safe, viz., conservative, to reason or compute polymorphically over a classical algebra. as an illustrative model of In particular, data type specifications we consider manysorted algebrcric theories [Goguen et al. 19781, [Guttag et al. 19781. For a! a (many-sorted) algebraic theory, let Xv’s be the extension of Xv in which the sorts of a! are added as type constants, the function symbols of CI!are added as constants (of suitably curried type), and the equations specifying cy are added to the axioms of xv. Theorem 1 For any algebraic theory cy, the extension Xv’s! is conservative ouer ~2. That is, for any ar-terms 8 and t, ... and computing power Theorem 1 tells us that we will not loose the ability to reason according to the data type specification, but it does not say anything about what can be gainedwhen we enrich the algebraic setting to a polymorphic one. In fact, there is no gain in the computing power over the elements of (Y: any function of such elements that is representable in X”CY has also a purely algebraic expression (an o-polynomial). This is too bad because we have chosen the polymorphic lambda calculus precisely for its computational power. This calculus is strongly normalizing, and hence incapable of representing all computable functions. Nevertheless, it has enormous built-in computational power, essentially due to the impredicativity of its type discipline. The arithmetic functions that are numeralwise representable in the calculus (in the way addition was represented above) are exactly the partial recursive functions that are provably total in second-order Peano arithmetic [Girard 19721, [Statman 19811 [Fortune et ul. 1983) . No uncontrived example of a total recursive function that is not in this class is known. (In fact, until recently, no natural example of a total recursive function that was not provably so in fir&order Peano arithmetic was known [Paris & Harrington 19771.) The limits on such computational power are hard to perceive, and one can argue that it is adequate for most purposes [Reynolds 19851, [Leivant 19831. 2 However, there is a way to strengthen Theorem 1 that does guarantee a gain in computing with the algebraically specified data types. We will show that there exist languages that offer “Another strongly normalizing calculus, even more powerful than the polymorphic lambda calculus, ir the calculus of constructions [Coquand k Huet 1985a]. We believe that the conservative extension results of this paper can be carried over to it aa well. 240 a ‘have your cake and eat it too’ option-both conservative extension and tremendous computational power. The IO (for Input-Output) extension two typed function constants The gain can be explained in terms of computable functions over an arbitrary algebraic specification. Assume that among the objects specified there exists a set of obseruables-say character strings or lists or trees-and we care only about computational behavior on the observables. (Of course there may be many other unobservable objects that are definable in the programming language, but these are significant only because of their role as parts of programs which yield observable outputs.) Moreover, assume there is some standard way of enumerating the distinct observables. This is true for all the familiar data type examples. The enumeration of observables yields a correspondence with nonnegative integers and hence a correspondence between functions on observables and functions on integers. Theorem 2 Let a! be an algebraic theory. Let be a sequence of distinct closed brterms, called observables, of some sort obs, such that no two distinct obseruables are provably equal in Q. Then, there is a uniform way of extending ar to a larger theory, XVcyIO, such that Co,Q,C2,..* 1. X”aIO and is a conservative extension of a, 2. every function on observables which is provably total recursive in second-order Peano arz’thmetic is representable by a closed XvaIO-term. Proof hint: As suggested by the notation, we start with X”CL The idea is to ensure that the computing power of Xv on its integer numerals connects properly with computability on user-specified observables. In : obs --t polyint : pol yint --) obs out and additional involves axioms In o Out = idpol,,i,,t out 5 = en n=O,l,... End hint The proof’s method for achieving computational power on user defined observables is essentially via Gijdel numbering and certainly does not suggest an attractive programming style. However, the case has been made elsewhere that programming in polymorphic style can be attractive.’ Theorem 2 thus provides an explanation for some of the theoretical benefits of adopting this style.4 4 Extending specifications higher-order We take the opportunity here to announce further improvements to the results in Sections 2 and 3. The detailed development of these improvements will appear in a future paper. Instead of algebraic specifications, we now consider higher-order specifications, specifically simply typed lambda theories. Such a theory consist of ground types out of which one builds simple (finite) types using the -+ operator, of a signature of constant symbols of arbitrary simple types and of axioms which are (wlog. closed) equations between simply typed lambda [Rsynolde 19851, [Coquand & Huet 1985b], ≈t;zfe5a], [Mohring 19861. , e.g., guaranteed termination, and decidable type-checking and equivalence, cf. [Meyer & Reinhold 19861. ‘See [Co2;;tfe 241 terms built from the given signature. Algebraic theories are particular cases, but the “expressive powern of such higher-order specifications is much bigger.s We have: Theorem 3 The addition constructions is conservative. of the polymorphic to any simply typed lambda theory Theorem 2 and Theorem 3 both improve Theorem 1, but in different directions. Namely, Theorem 3 says that addition of polymorphism to a “large” system of higher functional types is safe, but it does not calibrate the gain of making the addition. On the other hand, Theorem 2 says that addition of polymorphism to a %mall” system of first-order data types is not only safe but also guarantees substantial computational power over the small data type. One naturally asks whether both improvements can be achieved simultaneously. The answer, recently found by the first author, is positive: Theorem 4 Let UT be a simply typed lambda theory. Let CO,cl, ~2,. . . be a eequcnce of distinct closed ur -terms, called observables, of some ground type obs, such that no two distinct obsetvablea arc provably equal in or. Then, there is a uniform way of e&ending UT to a larger theory, X’urIO, such that 1. XvurIO and i8 a conservative extension of ur, 2. every function on observable8 which ia provably total recursive in second-order Peano arithmetic is representable by a closed X’urIO-term. *Actually, even unrestricted recursion can be modeled this way (with higher-order fixed point operators)! This may seem puzzling, in view of our counterexample in Section 1, but recall that conservative extension theoreme only ensure that one does not get worse, not that one gets better. 5 About the proofs By now, the reader has realized that we are more concerned with explaining the significance of our results than with spelling out all the technical details. We believe that the proofs are too long and too technical to develop adequately here therefore we will confine ourselves to providing some outlines, some comments and a reference to a much more technical companion paper that develops the model theory we have used: [Breasu-Tannen & Coquand 1987). Let us start from a conservative extension result that has a straightforward model-theoretic proof: Proposition 1 [Meyer tY Reinhold 19861 For any algebraic theory cy, the addition of a! to the simply typed X-calculus is a coneervative eztension of a. Namely, any algebra can serve as a base type for a classical frame of higher-order functions, i.e., where the type A + B is interpreted as all functions from A to B. The rules of the simply typed lambda calculus are certainly sound for this classical interpretation. (We say that any algebra can be furry and faithfully embedded in a model of the simply typed lambda calculus.) Since the original specified data type sits unchanged at the bottom of the type frame, no sound rules can prove anything that is not already true of it. models of the polymorphic Unfortunately, lambda calculus are not as easy to come by as the above construction. This is why, initially, we looked for, and found, a reduction-theoretical approach to proving Proposition 1. This ap preach turned out to extend to Theorem 1 and actually yields an effective proof, i.e., one that indicates a procedure for transforming any proof of 8 = t in Xvcr into a proof of a = t in CY.The 242 argument hinges crucially on the strong normalization and the Church-Rosser properties of At/. The main lemma is: Theorem Lemma 1 Let M and N be Xvcr-term.9 oj u constant type corresponding to 6 sort of a. Lj M and N can be transformed into each other u&g an instance of some axiom of CY, then the pqnormal forms of M and N can be transformed into each other by repeated application of the same axiom. CUhS. This leads directly to a model-theoretic proof of Theorem 1 paralleling the proof sketched for Proposition 1. Subsequently, the method was refined by the first author to yield: By taking all the terms that appear in the A”crform we get, almost, proof of 8 = t to &normal the desired a-proof of 8 = t. Almost, because, due to the possible presence of “noise” free variables of non-constant type, these terms are not necessarily a-terms. One needs the additional observation that by replacing the maximal subterms of constant type that have at head such “noise” variables with, say, some fixed variables of constant type, one gets a-terms that moreover give an a-proof of 8 = t. Theorem 7 [Breazu-Tannen 6 Coquand 19871 Let A be a many-sorted algebra. Let co, cl,c2,. . . be a aequencc of distinct clement8 of some sort obs of A, called observables. Then, there exists a model E of the polymorphic lambda calculus such that 1. A is fully and faithfully embedded in E, and 8. every junction on obeervablee which is provably total recursive in second-order Peano arithmetic is in &. An interesting byproduct of this method is the following result obtained by the first author: Theorem 5 Let a! be an algebraic rewrite system. If (Y hue the Church-Rocreer property then X’CY has the Church-Rosser 6 [Breazu-Tannen & Coquand 198‘71 Any manysorted algebra can be fully and faithfully embedded in a a model of the polymorphic lambda cal- property too. The proof uses a version of Lemma 1 in which “axiom” is replaced with “rewrite rule” followed by a more intricate combinatorial analysis of the resulting normalized terms. A detailed develop ment will appear in a future paper. We still don’t know how to extend this method to obtain a purely syntactic proof of Theorem 2. However, meanwhile, some new ideas for constructing more flexible models for Av had been developed [Moggi 19861, [Coquand 19861. Both constructions interpret types using partial equivalence relations. Using a generalization of the construction in [Coquand 19861, the first author and Thierry Coquand have obtained: 243 Part 2 is obtained by establishing the same oneto-one correspondence between the observables and the polymorphic integers as in the proof hint for Theorem 2. Thus, Theorem 2 follows as a corollary of the proof of this model-theoretic version since the open term algebra of cycan be fully and faithfully embedded into a model of Xv in which we also find a sound interpretation for the IO axioms. Detailed proofs of all the results mentioned here will also appear in [Breazu-Tannen]. Acknowledgment We are grateful to John Mitchell and Eugenio Moggi for a very useful discussion. References [Breazu-Tannen] [Breazu-Tannen V. Breazu-Tannen. & Coquand Ph.D. thesis, MIT. Expected Feb.1987. 19871 V. Breazu-Tannen and T. Coquand. Extensional models for polymorphism. In Proceedings of TAPSOFT’ - Colloquium on Functional and Logic Progarmming and Specifications, Pisa, March 1987, Springer-Verlag, Berlin, 1987. To appear. [Coquand & Huet 1985a] T. Coquand and G. Huet. A Calculus of Constructions. Technical Report, INRIA, Rocquencourt, France, June 1985. [Coquand & Huet 1985b] Thierry Coquand and GBrard Huet. Constructions: A Higher Order Proof System for Mechanizing Mathematics. Rapport de Recherche 401, INRIA, Domaine de Voluceau, 78150 Rocquencourt, France, May 1985. Presented at EUROCAL 85, Linz, Austria. [Coquand 19861 T. Coquand. Communication in the TYPES electronic (xx.lcs.mit.edu), April 14th. 1986. Unpublished. [Fortune et al. 19831 forum S. Fortune, D. Leivant, and M. O’Donnell. The expressiveness of simple and second-order type structures. Journal of the ACM, 30(1):151-185, January 1983. 19721 J.-Y. Girard. Interpre’tation fonctionelle et e’limination des coupures dans l’arithmttique d’ordre suptrieure. Ph.D. thesis, UniversitQ Paris VII, 1972. [Goguen et al. 19781 J. A. Goguen, J. W. Thatcher, and E. G. Wagner. An initial algebra approach to the specification, correctness, and implementation of abstract data types. In R.T. Yeh, editor, Current Trends in Programming Methodology, Prentice-Hall, 1978. [Girard EdinScience, [Gordon et al. 19791 M. J. Gordon, R. Milner, and C. P. Wadsworth. burgh LCF. Volume 78 of Lecture Notes in Computer Springer-Verlag, Berlin, 1979. [Guttag et al. 19781 J. V. Guttag, E. Horowitz, and D. R. Musser. types and software validation. Communications 21:1048-1064,1978. [Landin 19651 P.J. Landin. A correspondence between ALGOL 60 and church’s lambda notation. Communications of the ACM, 8:89--101; 158185, 1965. 244 Abstract data of the ACM, [Leivant 1983) [Meyer & Reinhold D. Leivant. Reasoning about functional programs and complexity classes associated with type disciplines. In 24th Symposium on Foundations of Computer Science, pages 460-469, IEEE, 1983. 19861 A. R. Meyer and M. B. Reinhold. ‘Type’ is not a type: preliminary report. In Conf. Record Thirteenth Ann. Symp. Principles of Programming Languages, pages 287-295, ACM, January 1986. Wggil E. Moggi. 1987. [Moggi 19861 Communication in the TYPES electronic E. Moggi. (xx.lcs.mit.edu), February 10th. 1986. Unpublished. [Mohring Christine Mohring. Algorithm development in the theory of constructions. In Symp. Logic in Computer Science, pages 8491, IEEE, 1986. 19861 [Paris & Harrington 19773 Ph.D. thesis, Edinburgh University. Forthcoming, forum J. Paris and L. Harrington. A mathematical incompleteness in Peano Arithmetic. In J. Barwise, editor, Handbook of mathematical logic, pages 1133-1142, North-Holland, Amsterdam, 1977. [Paulson 1984) L. Paulson. Deriving structural induction in LCF. In G. Kahn, D. B. MacQueen, and G. Plotkin, editors, Semantics of Data Types, pages 197-214, Springer-Verlag, Berlin, June 1984. [Plotkin G. D. Plotkin. lished. 19851 Personal communication, March. 1985. Unpub- [Reynolds 19741 J. C. Reynolds. Towards a theory of type structure. In B. Robinet, editor, Programming Symposium, pages 408-425, SpringerVerlag, Berlin, 1974. [Reynolds 19851 J. C. Reynolds. Three approaches to type structure. In TAPSOFT advanced seminar on the role of semantics in software development, Springer-Verlag, Berlin, 1985. [Statman 19811 R. Statman. Number theoretic functions computable by polyIn 22nd Symposium on Foundations of morphic programs. Computer Science, pages 279-282, IEEE, 1981. 245