A Design Structure for Higher Order Quotients Dr. Peter V. Homeier palantir@trustworthytools.com U.S. Department of Defense Making formal methods into normal methods

Higher Order Quotients A quotient simplifies a system by disregarding some details and merging equivalent elements We say an element lifts to its simpler, quotient version Quotients should lift not only elements, but entire system, including types, constants (incl. operators), and theorems Automation needed to treat syntax of large, realistic languages Most prior packages did not lift constants or theorems, just types Uniquely, Harrison’s did, but only lifted first order theorems Lifting higher order thms requires higher order quotients (which lift a function type to a function type) Most important point to remember from talk: We give a new definition of quotients, which naturally supports higher order quotients, and enables automatic lifting of h.o. types, constants, and theorems. December 5, 2018 A Design Structure for Higher Order Quotients

Example: Finite Sets from Lists Can define finite sets as quotient of lists by ~ where ~ : a list  a list  bool is defined by rule induction: _____________________ _________________ a :: (b :: A) ~ b :: (a :: A) a :: (a :: A) ~ a :: A A ~ B A ~ B A ~ B, B ~ C . [] ~ [] a :: A ~ a :: B B ~ A A ~ C We can easily prove ~ is an equivalence relation, reflexive, symmetric, and transitive We automatically create the new type “ a finite_set ” as isomorphic to the quotient of a list by ~ Abstraction function: finite_set_ABS : a list  a finite_set Representation function: (uses Hilbert choice operator) finite_set_REP : a finite_set  a list December 5, 2018 A Design Structure for Higher Order Quotients

Lifting Respectful Constants Lifting types is where most quotient support stops. But important to also lift constants, especially operators on the lifted type (including functions and predicates). If lifting a group, should also lift the group operation! MEM x [] = F  MEM x (h :: t) = (x = h)  MEM x t To lift MEM, we must first prove MEM respects ~: MEM_RSP  A B x. A ~ B  (MEM x A  MEM x B) Define lifted MEM: x In s = MEM x (finite_set_REP s) Some constants do NOT lift: LENGTH [] = 0  LENGTH (h :: t) = 1 + LENGTH t LENGTH does not respect ~, so cannot lift: [5;5;5] ~ [5] but LENGTH [5;5;5] ≠ LENGTH [5] We call LENGTH disrespectful. December 5, 2018 A Design Structure for Higher Order Quotients

A Design Structure for Higher Order Quotients Lifting Theorems Very important to also lift theorems about lifted operators If lifting an abelian group, the lifted group should also be abelian! Requires automation to be practical and mathematically incisive The most interesting and difficult task to automate Thms proven manually took average of 16 lines of HOL tactics All constants appearing in the theorem must be respectful. Via MEM → In, [] → Empty, :: → Insert,  MEM x [] = F  MEM x (h :: t) = (x = h)  MEM x t lifts to  x In Empty = F  x In (h Insert t) = (x = h)  x In t But how to lift higher order theorems? Is P respectful? ?  P : a list  bool. P []  (t. P t  h. P (h :: t))  l. P l Need quotient for every type, i.e. higher order quotients December 5, 2018 A Design Structure for Higher Order Quotients

Equivalence Relations and Equivalence Extension Theorems Equivalence relations E : t  t  bool. (curried) Reflexivity: x : t. E x x Symmetry: x, y : t. E x y  E y x Transitivity: x, y, z : t. E x y  E y z  E x z Equivalence: EQUIV E = x, y : t. E x y  (E x = E y) fset_EQUIV  EQUIV $~ Extension to lists: LIST_REL E : t list  t list  bool Extension theorems for lists, pairs, sums, option types.  E. EQUIV E  EQUIV (LIST_REL E)  E1 E2. EQUIV E1  EQUIV E2  EQUIV (E1 ### E2)  E1 E2. EQUIV E1  EQUIV E2  EQUIV (E1 +++ E2)  E. EQUIV E  EQUIV (OPTION_REL E) Equivalence relations do NOT extend to higher order!  E1 E2. EQUIV E1  EQUIV E2  EQUIV (E1 ===> E2) X December 5, 2018 A Design Structure for Higher Order Quotients

Traditional Quotients Lift Elements to Equiv. Classes Quotient Set Higher Abstraction Lifting Representation Original Set Lower Equivalence Classes Equivalence Relation December 5, 2018 A Design Structure for Higher Order Quotients

Higher Order Quotients using Partial Equivalence Relations Lifted Higher Order Type Higher Lifting Original Higher Order Type Lower Disrespectful functions Partial Equivalence Relation December 5, 2018 A Design Structure for Higher Order Quotients

New Definition of Quotients Disrespectful functions are elements that cannot be lifted To exclude elements, use partial equivalence relations – symmetric & transitive but not necessarily reflexive We say r respects R if and only if R r r (reflexive at r) ► Define quotient as triple R, abs, rep where R : t  t  bool, abs : t  x, rep : x  t Quotients must satisfy three key algebraic properties: a : x. abs (rep a) = a a : x. R (rep a) (rep a) r, s : t. R r s  R r r  R s s  (abs r = abs s) If so, then quotient theorem:  R, abs, rep t is the original, lower type; x is the quotient, higher type December 5, 2018 A Design Structure for Higher Order Quotients

Quotient Extension Theorems Quotients extend naturally over lists, pairs, sums, options: LIST_QUOTIENT  R abs rep. R, abs, rep  LIST_REL R, MAP abs, MAP rep PAIR_QUOTIENT  R1 abs1 rep1. R1, abs1, rep1  R2 abs2 rep2. R2, abs2, rep2  R1 ### R2, abs1 ## abs2, rep1 ## rep2 SUM_QUOTIENT  R1 abs1 rep1. R1, abs1, rep1  R2 abs2 rep2. R2, abs2, rep2  R1 +++ R2, abs1 ++ abs2, rep1 ++ rep2 OPTION_QUOTIENT  R abs rep. R, abs, rep  OPTION_REL R, OPTION_ MAP abs, OPTION_ MAP rep ► But will quotients extend over functions? December 5, 2018 A Design Structure for Higher Order Quotients

(Higher Order) Function Quotient Extension Theorem Quotients even extend naturally over functions: FUN_QUOTIENT  R1 abs1 rep1. R1, abs1, rep1  (domain) R2 abs2 rep2. R2, abs2, rep2  (range) R1 ===> R2, rep1 --> abs2, abs1 --> rep2 where (R1 ===> R2) f g = (x y. R1 x y  R2 (f x) (g y)) (f --> g) h x = g (h (f x)) This is the key, central, and crucial theorem, on which all higher order quotients theory and practice rests. Note that R1 ===> R2 is not an equivalence relation. Is reflexive at f, (R1 ===> R2 ) f f, iff f respects R1 ===> R2. December 5, 2018 A Design Structure for Higher Order Quotients

Creating Finite Sets as a Quotient: Example Invocation of Tool val [In, Union, finite_set_EXTENSION, ..., finite_set_INDUCT] = define_quotient_types{ types = [{name = “finite_set”, equiv = fset_EQUIV}], defs =[{def_name=“In_def”, fname=“In”, fixity=Infix(NONASSOC,425), func=``MEM:’a -> ’a list -> bool``}, ... ], tyop_quotients = [FUN_QUOTIENT], tyop_equivs = [], tyop_simps = [FUN_REL_EQ, FUN_MAP_I], respects = [NIL_RSP, CONS_RSP, MEM_RSP, APPEND_RSP, Card1_RSP, Delete1_RSP, Inter1_RSP, Fold1_RSP], poly_preserves = [FORALL_PRS, EXISTS_PRS, COND_PRS], poly_respects = [RES_FORALL_RSP, RES_EXISTS_RSP, COND_RSP], old_thms = [MEM, APPEND, list_EXTENSION,..., list_INDUCT] }; An automatic tool is provided to lift in one step types, constants, and theorems concerning the types and constants of the original, lower level to the corresponding types, constants, theorems of the quotient, higher level. User must supply A (partial) equivalence theorem for each type being lifted, A respectfulness theorem for each constant being lifted, A quotient extension theorem for each type operator involved, A preservation theorem for each polymorphic constant involved, A respectfulness theorem for each polymorphic constant as well, Theorems to be lifted. Several dozen respectfulness and preservation theorems are provided preproven for existing standard polymorphic constants; user can add to these new ones he has proven December 5, 2018 A Design Structure for Higher Order Quotients

Examples of Lifting Theorems  (x. [] Delete1 x = [])  ((A : a list) a x. (a :: A) Delete1 x = if a = x then A Delete1 x else a :: (A Delete1 x)) Is lifted to  (x. Empty Delete x = Empty)  ((A : a finite_set) a x. (a Insert A) Delete x = if a = x then A Delete x else a Insert (A Delete x)) Notice how the type of the if…then…else changes. Similarly, Fold1 can be defined and lifted to Fold. We can define Delete1 by primitive recursion on lists, and then lift this definition theorem to finite sets. Similarly, the Fold function on finite sets can be lifted from the definition of Fold1 on lists by primitive recursion. December 5, 2018 A Design Structure for Higher Order Quotients

Defining Fold on Finite Sets  (f g z. Fold1 f g z [] = z)  (f g z a (A : a list). Fold1 f g z (a :: A) = if (u v. f u v = f v u)  (u v w. f u (f v w) = f (f u v) w) then if MEM a A then Fold1 f g z A else f (g a) (Fold1 f g z A) else z  (f g z. Fold f g z Empty = z)  (f g z a (A : a finite_set). Fold f g z (a Insert A) = if (u v. f u v = f v u)  (u v w. f u (f v w) = f (f u v) w) then if a In A then Fold f g z A else f (g a) (Fold f g z A) else z December 5, 2018 A Design Structure for Higher Order Quotients

Lifting Extension and Induction Extension:  (A : a list) B a. A ~ B  a. MEM a A  MEM a B  (A : a finite_set) B a. A = B  a. a In A  a In B Induction:  P : a list  bool. P []  (t. P t  h. P (h :: t))  l. P l  P : a finite_set  bool. P Empty  (t. P t  h. P (h Insert t))  l. P l This last theorem requires higher order quotients to lift. An induction principle for a type not defined inductively! This gives an induction principle for finite sets when that type was not defined inductively, but by a quotient on an inductive type. December 5, 2018 A Design Structure for Higher Order Quotients

Respectfulness and Preservation of Polymorphic Constants Polymorphic constants must be polymorphically respectful: R, abs, rep  A1 = A2  R B1 B2  R C1 C2  R (if A1 then B1 else C1) (if A2 then B2 else C2) R1, abs1, rep1  R2, abs2, rep2  R3, abs3, rep3  (R2 ===> R3) f1 f2  (R1 ===> R2) g1 g2  (R1 ===> R3) (f1 o g1) (f2 o g2) Polymorphic constants also must be preserved across quotients: R, abs, rep  (if A then B else C) = abs (if A then rep B else rep C) R1, abs1, rep1  R2, abs2, rep2  R3, abs3, rep3  f o g = (rep1 --> abs3) (((abs2 --> rep3) f) o ((abs1 --> rep2) g)) December 5, 2018 A Design Structure for Higher Order Quotients

A Design Structure for Higher Order Quotients The Axiom of Choice This design uses the Axiom of Choice, in the form of Hilbert’s choice operator e. Constructivists object to e. Paulson has studied first order quotients using only i, a weaker form of choice where i {x} = x, else indetermin. Can higher order quotients be built using only i, not e? Try alternate design eliminating representation functions. Redefine quotient as a pair R, abs where R : t  t  bool, abs : t  x Quotients must satisfy two key algebraic properties: a : x. r : t. R r r  (abs r = a) r, s : t. R r s  R r r  R s s  (abs r = abs s) Now, quotients can be constructed without any use of e given a (partial) equivalence relation R. t is the original, lower type; x is the quotient, higher type December 5, 2018 A Design Structure for Higher Order Quotients

Does This Support Constructive Higher Order Quotients? These quotients extend to lists, pairs, sums, and options.  R abs. R, abs  LIST_REL R, MAP abs Have proven a function quotient extension theorem!  R1 abs1. R1, abs1  R2 abs2. R2, abs2  R1 ===> R2, (abs1  R1) +-> abs2 where we define (R1 ===> R2) f g = (x y. R1 x y  R2 (f x) (g y)) (abs  R) a r = R r r  (abs r = a) (reps +-> abs) f x = i (IMAGE abs (IMAGE f (reps x))) But this can only be proven by using the Axiom of Choice. In fact, this theorem implies the Axiom of Choice, in that it implies the existence of a Hilbert choice operator like e: function quotient extension  c. P x. P x  P (c P)  These designs cannot be used in constructive provers. December 5, 2018 A Design Structure for Higher Order Quotients

A Design Structure for Higher Order Quotients Conclusions This design supports the mechanical creation of quotients with automatic lifting of types, constants, and theorems. Central contribution is a new definition of quotients, based on three key algebraic properties. Design supports the natural extension of quotients (with their properties) to both aggregate and higher order types. Uses the Axiom of Choice. An alternative design avoiding AC could not be extended constructively to higher order. In that design, higher order quotients implied the AC. Implemented in a package in the Higher Order Logic theorem prover version Kananaskis-2 & 3, now available. Design is readily portable to other theorem provers which support higher order logic and the Axiom of Choice. Now can model syntax of sizable programming languages December 5, 2018 A Design Structure for Higher Order Quotients

The End Soli Deo Gloria.