Stop when you are Almost-FullAdventures in constructive termination

Dimitrios VytiniotisMicrosoft Research, Cambridge

Thierry Coquand, David WahlstedtUniversity of Gothenburg

JFLA, February 2012

2

Program termination big success storiesTermination testing with well-quasi-orders (WQOs)• Online testing in super-compilation [Sorensen & Glück,

Bolingbroke et al.]• Well known & widely used in term rewrite systems [see

Leuschel’s survey, Nipkow’s book]Proving termination using disjunctive well-foundedness• Rybalchenko and Podelski – using Ramsey’s

theorem• Led to industrial-strength tools: Terminator

[Cook et al.] Proving termination with size-change termination (SCT)• N. Jones, Sereni, Bohr and others • Comparable “strength” to Terminator

[Heizmann et al.]A striking observation (for the outsiders):Similar soundness proofs, proof strength, and automation capabilities, but developed independently …

3

This work

Explains the common theoretical foundation for the aforementioned success stories in a uniform way, and purely constructively inside Type Theory

Proposes a novel way for writing recursive definitions in Type Theory and Coq, resurrecting an old idea, that of almost-full relations

Shows how Terminator and SCT can be proved and used intuitionistically inside Coq

Offers a modular toolkit to Coq programmers to use the power of these techniques in their scripts and easily show programs from the Terminator and SCT repertoire terminating …

4

The three communities … actually four

Termination testing with well-quasi-orders• Online testing in super-compilation, term rewrite systems

Proving termination using disjunctive well-foundedness• Rybalchenko and Podelski, Cook …

Proving termination with size-change termination• N. Jones, Sereni, Bohr …

Mathematicians and computer scientists working on Intuitionistic Ramsey Theory in the 90’s: Veldman, Bezem, Coquand, Fridlender, Berghofer …

5

Well-Quasi-Orders (WQOs)

Definition [Well-Quasi-Order]:A binary relation (R : X -> X -> Prop) on a set X is WQO when:(i) It is transitive, and (ii) For every infinite sequence there exist , with and R()

… …𝑠0 𝑠1 𝑠𝑖 𝑠 𝑗…

R

Example: (le) on nat

10 7 6 4 1 5 4 33 3 3 3 …

6

Online termination testing with WQOs

Definition [Well-Quasi-Order]:A binary relation (R : X -> X -> Prop) on a set X is WQO when:(i) It is transitive, and (ii) For every infinite sequence there exist , with and R()

Recall example: (le) on nat10 7 6 4 1 5 4 3

3 3 3 3 …

Input is a WQO () on “program states”. Basic idea:

1. Keep track of all “observed states of the program so far”2. New program state comes in: check that for every old it is 3. Every infinite sequence has two related values so this cannot

go on for ever!

7

WQO--: Intuitionistic Almost-Full Relations

Well founded trees represent winning strategies: Either I have won (ZT), or The context is giving me an (x:X) and I am making a new move

by picking a new (WFT X) to play on (SUP)!But of which game? Let’s take the game that says: I’ve won if every infinite

sequence contains two related elements

Inductive WFT (X : Set) : Set := | ZT : WFT X | SUP : (X -> WFT X) -> WFT X.

Fixpoint SecureBy (X:Set) (R:X->X->Prop) (p:WFT X) : Prop := match p with | ZT => x y, R x y | SUP p => x, SecureBy (fun y z => R y z \/ R x y) (p x)end.

8

Intuitionistic Almost-Full Relations

Inductive WFT (X : Set) : Set := | ZT : WFT X | SUP : (X -> WFT X) -> WFT X.Fixpoint SecureBy (X:Set) (R:X->X->Prop) (p:WFT X) : Prop := match p with | ZT => x y, R x y | SUP p => x, SecureBy (fun y z => R y z \/ R x y) (p x)end.

An almost-full relation (AF) is one that is SecureBy a well-founded tree!

Definition almost_full (X:Set) (R:X->X->Prop) := p, SecureBy R p.

9

Inductively defining all possible choices

Inductive WFT (X : Set) : Set := | ZT : WFT X | SUP : (X -> WFT X) -> WFT X.Fixpoint SecureBy (X:Set) (R:X->X->Prop) (p:WFT X) : Prop := match p with | ZT => x y, R x y | SUP p => x, SecureBy (fun y z => R y z \/ R x y) (p x)end.

Suppose that we are given:(i) p:=SUP(fun x=>SUP(fun x=>SUP(fun x=>SUP (fun x=>ZT))))

(ii) SecureBy R p

What does that mean for a sequence ?

10

Example: all possible choices

Values

Secured relations Witness

SUP(fun x=>SUP(fun x=> SUP(fun x=>ZT)))

SUP(fun x=>SUP(fun x=>ZT))

SUP(fun x=>ZT)

ZT

Hence, relation must be True!

(i) p:=SUP(fun x=>SUP(fun x=>SUP(fun x=>SUP(fun x=>ZT))))

(ii) SecureBy R p

11

Building up intuitionsInductive WFT (X : Set) : Set := | ZT : WFT X | SUP : (X -> WFT X) -> WFT X.

Fixpoint SecureBy (X:Set) (R:X->X->Prop) (p:WFT X) : Prop := match p with | ZT => x y, R x y | SUP p => x, SecureBy (fun y z => R y z \/ R x y) (p x)end.

LemmaIf (SecureBy R p) then every infinite sequence has two elements related by R

Proof by induction on p, two cases:1. ZT: done, just take the first two elements of the sequence2. SUP q: Consider the first element x and the WFT (q x). By

induction there exist y and z in the rest of the sequence such that R y z or R x y so we are done again!

12

AF relations vs WQOs

An AF relation satisfies (ii) intuitionistically NB: (ii) (and not our definition) is what Bezem called an AF relation (and

postulated bar induction to show an intuitionistic version of Ramsey’s theorem)

(i) we are going to forget about – not needed!

NB: we can’t intuitionistically prove a relation AF from (ii) Bezem and Veldman give a counterexample which relies on the consistency of type

theory and Church’s thesis. But that’s OK! AF relations now can be used for induction!

Definition [Well-Quasi-Order]:A binary relation (R : X -> X -> Prop) on a set X is WQO when:(i) It is transitive, and (ii) For every infinite sequence there exist , with and R()

13

Getting AF from well-founded (WF) relations(* Well-founded relations in Coq *)Inductive Acc (A:Type) (R:A->A->Prop) (x:A) : Prop := Acc_intro : (forall y, R y x -> Acc R y) -> Acc R x.

Definition well_founded A (R:A->A->Prop) := forall a. Acc R a.

Lemma (af_from_wf):If R is a decidable WF relation then (fun x y => not (R y x)) is AF.

x

Know: Acc R x

Split: R(y,x)Recurse on (Acc R y)

Split: not (R(y,x))Return ZT

y

Introduce: SUP to check the next element

14

The crux: WF from AF Think of T:X->X->Prop, the “transition relation” of the

program, which relates all adjacent values T() in a trace Let be a WQO The WQO-based checker effectively implements:

(T+) = Can we state and prove something like that using AF

relations?

Lemma wf_from_af: (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop), ( x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.

15

WF from AF

Lemma wf_from_af: (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop), ( x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.

Theorem af_induction: (X:Set) (T R:X->X->Prop), almost_full R -> ( x y, T+ x y /\ R y x -> False) -> (P : X -> Set), ( x, ( y, T y x -> P y) -> P x)-> a, P a

User obligation 1:Provide transition

relation T

User obligation 2:Provide an AF

relation R

User obligation 3:Prove intersection

emptyness

16

NB: there’s an easier way

Lemma wf_from_wqo: (X:Set) (p:WFT X) (R:X->X->Prop),-> transitive R -> SecureBy R p -> well_founded (fun x y => R x y /\ not (R y x))

Think R := ()

17

So?af_induction: 3 proof obligations

Give transition relation Give AF relation and prove that it’s AF Show intersection emptyness

wf_induction: just 2 proof obligations Give transition relation Plus a proof that the transition relation is well-

founded

So, is there anything we’ve gained at the end of the day?

18

Composability Much like WQOs, and unlike WF relations, AF relations

compose well. It’s a very well-behaved class of relations.

Some warming up:

( x y, A x y -> B x y) -> almost_full A -> almost_full B

almost_full A -> almost_full (fun x y => A x y \/ B x y)

almost_full A -> almost_full (fun x y => A (f x) (f y))

well_founded R -> decidable R -> almost_full (fun x y => not (R y x)

19

Intersections of AF relations and IRT

AF relations were not invented for induction, they were invented to prove the “intuitionistic version of Ramsey’s theorem” [Veldman and Bezem]

Theorem [Intuitionistic Ramsey Theorem – binary case]

almost_full A -> almost_full B -> almost_full (fun x y => A x y /\ B x y)

20

Proving the IRT

p0 ZT q = qp0 (SUP f) q = SUP (fun x => p0 (f x) q)

p1 ZT q = qp1 q ZT = qp1 p@(SUP f) q@(SUP g) = SUP (fun x => p0 (p1 (f x) q) (p1 p (g x)))

p2 ZT q = qp2 q ZT = qp2 p@(SUP f) q@(SUP g) = SUP (fun x => p1 (p2 (f x) q) (p2 p (g x)))

SecureBy (fun x y => A) p -> SecureBy (fun x y => B) q -> SecureBy (fun x y => A /\ B) (p0 p q)

SecureBy (fun x y => A x) p -> SecureBy (fun x y => B x) q -> SecureBy (fun x y => A x /\ B x) (p1 p q)

SecureBy (fun x y => A x y) p -> SecureBy (fun x y => B x y) q -> SecureBy (fun x y => A x y /\ B x y) (p2 p q)

21

Why is this the “Ramsey Theorem”?

Proof of standard Ramsey Theorem:Assume by contradiction that no such infinite homogenous set exists. This means (classically) that both and are AF and so is their intersection. But the empty relation cannot be AF.

Theorem [Intuitionistic Ramsey Theorem – binary case]

almost_full A -> almost_full B -> almost_full (fun x y => A x y /\ B x y)Theorem [Standard Ramsey Theorem – binary case]Let be a relation in nat. Call a subset of nat homogenous iff for all with we have , or for all with we have . Then has an infinite homogenous subset of nat.

22

Type-based composability

We’ve seen that AFs are closed under both unions and intersections

We’ve seen how to construct AF relations from WF Here are some type-based combinators (Exercise: Prove them!)

(t : Finite k) -> almost_full (@eq t)

almost_full A -> almost_full B -> almost_full (fun x y => A (fst x) (fst y) /\ B (snd x) (snd y)

sum_lift A B (inl x) (inl y) = A x ysum_lift A B (inr x) (inr y) = B x y sum_lift A B _ _ = False

almost_full A -> almost_full B -> almost_full (fun x y => sum_lift A B)

23

The Terminator principleTheorem [Disjunctive well-foundedness, Podelski-Rybalchenko]

If and are WF and T+ then T is well-founded

To prove disjunctive well-foundedness, instantiate wf_from_af with

R x y := not (R1 y x) /\ not (R2 y x)

Then use the AF intersection theorem and wf_from_af again!

RecallLemma wf_from_af: (X:Set) (p:WFT X) (R:X->X->Prop) (T:X->X->Prop), ( x y, T+ x y /\ R y x -> False) -> SecureBy R p -> well_founded T.

24

Size-change termination

Class of recursive definitions with no lexicographic order Though no more expressive than lexicographic descent if

program is transformed [Ben-Amram] To write this in Coq, apply af_induction with:

gnlex (0,_) = 1gnlex (_,0) = 1gnlex (x+1,y+1) = gnlex(y+1,y) + gnlex(y+1,x)

T (x,y) (x’,y’) := (x=y’/\ y<y’)\/(x=y’/\y<x’).R (x,y) (x’,y’) := x<=x’/\y<=y’.

The interesting proof obligation is a somewhat tedious but straightforward intersection emptyness lemma

25

Formal connection to SCT

Recursion patterns introduce size-change graphs:

gnlex (0,_) = 1gnlex (_,0) = 1gnlex (x+1,y+1) = gnlex(y+1,y) + gnlex(y+1,x)

0

1

0

1¿

≤ 0

1

0

1¿≤𝐺0 𝐺1

Lemma: Let and every . If every in the transitive closure of the set satisfies for some AF then is well-founded. [Proof by AF induction!]

Lemma: Consider the AF (by af_intersection) = Then if and some contains an arc then

Corollary [SCT]: If every in the transitive closure of has a power with an arc then is well-founded!

26

More in paper and Coq development Mutual induction examples

f 0 = 1 f (x+1) = f x + g (x+2)g x | x < 2 = 1g (x+2) = f x

A discussion of the computational content of Ramsey’s theorem (enormous complexity bounds)

Prop vs Set witnesses: We’ve re-engineered all the previous discussion to streamline the SecureBy predicate in an entirely Prop-indexed definition:

Inductive AF X (R : X -> X -> Prop) : Prop := | AF_ZT : R, ( x y, R x y) -> AF R | AF_SUP : R, ( x, AF (fun y z => R y z \/ R x y)) -> AF R.

27

Some constructive WQO-related results S. Berghofer, D. Fridlender, M. Seisenberger:

Constructive proofs of Higman’s Lemma (homeomorphic embedding in lists gives WQOs). Similar constructions. Veldman had also such a proof and Fridlender reports earlier thesis from 1979 with a similar result. Fridlender’s proof is based on formalizing inductive bars.

Useful, not as general as Kruskal’s tree theorem (short proof by Nash-Williams), but I do not know of constructive proofs of the general cases.

Thierry Coquand had yet another proof of IRT around 1994, but less suitable for discussing the termination problem

To our knowledge no-one had connected AF relations with termination in type theory though in retrospect the connection seems obvious!

28

Future directions

Extend combinators for recursive types (help needed!) Polish and release Coq library

It now contains an entirely Prop-based generalization of Ramsey’s theorem for relations of “inductive arities”

We have also formalized it in Agda (see the Agda Wiki) Formally support SCT or Terminator in Coq (help needed!) Investigate automation techniques to be used in the

context of Coq, think about programmer convenience (help needed!)

Explore AF proofs as constructive termination certificates

29

Start using AF relations!

We’ve suggested an alternative way to think about termination in constructive type theory, by switching to AF relations instead of WF relations

We’ve shown that this approach enjoys compositionality, and is in the core of other successful termination frameworks

http://research.microsoft.com/people/dimitris/constructive-fixpoints.pdf

Thanks!

30

Alternative SCT criterionAssume the transitive closure of size-change graphs is finite.

Lemma [Alternative SCT]: If every idempotent in the transitive closure of has an arc then is well-founded!

Why? Observe that every in the transitive closure of has a idempotent power. Since all powers of are in it must be that for some positive and . Take . [Well known in algebra: every element of a finite semi-group has an idempotent power]

Corollary [SCT]: If every in the transitive closure of has a power with an arc then is well-founded!

31

Bar inductionDefinition [Bar]: The predicate U:list A->Prop is a bar if every infinite sequence has an initial segment that satisfies U

Axiom [Bar induction]: Assume

Then

Fridlender formalizes inductively Bar(U, as) – Veldman and Bezem postulate Bar Induction to prove the IRT