Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Design Structure for Higher Order Quotients

Published byDevi Hartanto Modified over 5 years ago

Similar presentations

Presentation on theme: "A Design Structure for Higher Order Quotients"— Presentation transcript:

1 A Design Structure for Higher Order Quotients
Dr. Peter V. Homeier U.S. Department of Defense Making formal methods into normal methods

2 Higher Order Quotients
A quotient simplifies a system by disregarding some details and merging equivalent elements We say an element lifts to its simpler, quotient version Quotients should lift not only elements, but entire system, including types, constants (incl. operators), and theorems Automation needed to treat syntax of large, realistic languages Most prior packages did not lift constants or theorems, just types Uniquely, Harrison’s did, but only lifted first order theorems Lifting higher order thms requires higher order quotients (which lift a function type to a function type) Most important point to remember from talk: We give a new definition of quotients, which naturally supports higher order quotients, and enables automatic lifting of h.o. types, constants, and theorems. December 5, 2018 A Design Structure for Higher Order Quotients

3 Example: Finite Sets from Lists
Can define finite sets as quotient of lists by ~ where ~ : a list  a list  bool is defined by rule induction: _____________________ _________________ a :: (b :: A) ~ b :: (a :: A) a :: (a :: A) ~ a :: A A ~ B A ~ B A ~ B, B ~ C . [] ~ [] a :: A ~ a :: B B ~ A A ~ C We can easily prove ~ is an equivalence relation, reflexive, symmetric, and transitive We automatically create the new type “ a finite_set ” as isomorphic to the quotient of a list by ~ Abstraction function: finite_set_ABS : a list  a finite_set Representation function: (uses Hilbert choice operator) finite_set_REP : a finite_set  a list December 5, 2018 A Design Structure for Higher Order Quotients

4 Lifting Respectful Constants
Lifting types is where most quotient support stops. But important to also lift constants, especially operators on the lifted type (including functions and predicates). If lifting a group, should also lift the group operation! MEM x [] = F  MEM x (h :: t) = (x = h)  MEM x t To lift MEM, we must first prove MEM respects ~: MEM_RSP  A B x. A ~ B  (MEM x A  MEM x B) Define lifted MEM: x In s = MEM x (finite_set_REP s) Some constants do NOT lift: LENGTH [] = 0  LENGTH (h :: t) = 1 + LENGTH t LENGTH does not respect ~, so cannot lift: [5;5;5] ~ [5] but LENGTH [5;5;5] ≠ LENGTH [5] We call LENGTH disrespectful. December 5, 2018 A Design Structure for Higher Order Quotients

5 A Design Structure for Higher Order Quotients
Lifting Theorems Very important to also lift theorems about lifted operators If lifting an abelian group, the lifted group should also be abelian! Requires automation to be practical and mathematically incisive The most interesting and difficult task to automate Thms proven manually took average of 16 lines of HOL tactics All constants appearing in the theorem must be respectful. Via MEM → In, [] → Empty, :: → Insert,  MEM x [] = F  MEM x (h :: t) = (x = h)  MEM x t lifts to  x In Empty = F  x In (h Insert t) = (x = h)  x In t But how to lift higher order theorems? Is P respectful? ?  P : a list  bool. P []  (t. P t  h. P (h :: t))  l. P l Need quotient for every type, i.e. higher order quotients December 5, 2018 A Design Structure for Higher Order Quotients

6 Equivalence Relations and Equivalence Extension Theorems
Equivalence relations E : t  t  bool. (curried) Reflexivity: x : t. E x x Symmetry: x, y : t. E x y  E y x Transitivity: x, y, z : t. E x y  E y z  E x z Equivalence: EQUIV E = x, y : t. E x y  (E x = E y) fset_EQUIV  EQUIV $~ Extension to lists: LIST_REL E : t list  t list  bool Extension theorems for lists, pairs, sums, option types.  E. EQUIV E  EQUIV (LIST_REL E)  E1 E2. EQUIV E1  EQUIV E2  EQUIV (E1 ### E2)  E1 E2. EQUIV E1  EQUIV E2  EQUIV (E1 +++ E2)  E. EQUIV E  EQUIV (OPTION_REL E) Equivalence relations do NOT extend to higher order!  E1 E2. EQUIV E1  EQUIV E2  EQUIV (E1 ===> E2) X December 5, 2018 A Design Structure for Higher Order Quotients

7 Traditional Quotients Lift Elements to Equiv. Classes
Quotient Set Higher Abstraction Lifting Representation Original Set Lower Equivalence Classes Equivalence Relation December 5, 2018 A Design Structure for Higher Order Quotients

8 Higher Order Quotients using Partial Equivalence Relations
Lifted Higher Order Type Higher Lifting Original Higher Order Type Lower Disrespectful functions Partial Equivalence Relation December 5, 2018 A Design Structure for Higher Order Quotients

9 New Definition of Quotients
Disrespectful functions are elements that cannot be lifted To exclude elements, use partial equivalence relations – symmetric & transitive but not necessarily reflexive We say r respects R if and only if R r r (reflexive at r) ► Define quotient as triple R, abs, rep where R : t  t  bool, abs : t  x, rep : x  t Quotients must satisfy three key algebraic properties: a : x abs (rep a) = a a : x R (rep a) (rep a) r, s : t. R r s  R r r  R s s  (abs r = abs s) If so, then quotient theorem:  R, abs, rep t is the original, lower type; x is the quotient, higher type December 5, 2018 A Design Structure for Higher Order Quotients

10 Quotient Extension Theorems
Quotients extend naturally over lists, pairs, sums, options: LIST_QUOTIENT  R abs rep. R, abs, rep  LIST_REL R, MAP abs, MAP rep PAIR_QUOTIENT  R1 abs1 rep1. R1, abs1, rep1  R2 abs2 rep2. R2, abs2, rep2  R1 ### R2, abs1 ## abs2, rep1 ## rep2 SUM_QUOTIENT  R1 abs1 rep1. R1, abs1, rep1  R2 abs2 rep2. R2, abs2, rep2  R1 +++ R2, abs1 ++ abs2, rep1 ++ rep2 OPTION_QUOTIENT  R abs rep. R, abs, rep  OPTION_REL R, OPTION_ MAP abs, OPTION_ MAP rep ► But will quotients extend over functions? December 5, 2018 A Design Structure for Higher Order Quotients

11 (Higher Order) Function Quotient Extension Theorem
Quotients even extend naturally over functions: FUN_QUOTIENT  R1 abs1 rep1. R1, abs1, rep1  (domain) R2 abs2 rep2. R2, abs2, rep2  (range) R1 ===> R2, rep1 --> abs2, abs1 --> rep2 where (R1 ===> R2) f g = (x y. R1 x y  R2 (f x) (g y)) (f --> g) h x = g (h (f x)) This is the key, central, and crucial theorem, on which all higher order quotients theory and practice rests. Note that R1 ===> R2 is not an equivalence relation. Is reflexive at f, (R1 ===> R2 ) f f, iff f respects R1 ===> R2. December 5, 2018 A Design Structure for Higher Order Quotients

12 Creating Finite Sets as a Quotient: Example Invocation of Tool
val [In, Union, finite_set_EXTENSION, ..., finite_set_INDUCT] = define_quotient_types{ types = [{name = “finite_set”, equiv = fset_EQUIV}], defs =[{def_name=“In_def”, fname=“In”, fixity=Infix(NONASSOC,425), func=``MEM:’a -> ’a list -> bool``}, ... ], tyop_quotients = [FUN_QUOTIENT], tyop_equivs = [], tyop_simps = [FUN_REL_EQ, FUN_MAP_I], respects = [NIL_RSP, CONS_RSP, MEM_RSP, APPEND_RSP, Card1_RSP, Delete1_RSP, Inter1_RSP, Fold1_RSP], poly_preserves = [FORALL_PRS, EXISTS_PRS, COND_PRS], poly_respects = [RES_FORALL_RSP, RES_EXISTS_RSP, COND_RSP], old_thms = [MEM, APPEND, list_EXTENSION,..., list_INDUCT] }; An automatic tool is provided to lift in one step types, constants, and theorems concerning the types and constants of the original, lower level to the corresponding types, constants, theorems of the quotient, higher level. User must supply A (partial) equivalence theorem for each type being lifted, A respectfulness theorem for each constant being lifted, A quotient extension theorem for each type operator involved, A preservation theorem for each polymorphic constant involved, A respectfulness theorem for each polymorphic constant as well, Theorems to be lifted. Several dozen respectfulness and preservation theorems are provided preproven for existing standard polymorphic constants; user can add to these new ones he has proven December 5, 2018 A Design Structure for Higher Order Quotients

13 Examples of Lifting Theorems
 (x. [] Delete1 x = [])  ((A : a list) a x. (a :: A) Delete1 x = if a = x then A Delete1 x else a :: (A Delete1 x)) Is lifted to  (x. Empty Delete x = Empty)  ((A : a finite_set) a x. (a Insert A) Delete x = if a = x then A Delete x else a Insert (A Delete x)) Notice how the type of the if…then…else changes. Similarly, Fold1 can be defined and lifted to Fold. We can define Delete1 by primitive recursion on lists, and then lift this definition theorem to finite sets. Similarly, the Fold function on finite sets can be lifted from the definition of Fold1 on lists by primitive recursion. December 5, 2018 A Design Structure for Higher Order Quotients

14 Defining Fold on Finite Sets
 (f g z. Fold1 f g z [] = z)  (f g z a (A : a list). Fold1 f g z (a :: A) = if (u v. f u v = f v u)  (u v w. f u (f v w) = f (f u v) w) then if MEM a A then Fold1 f g z A else f (g a) (Fold1 f g z A) else z  (f g z. Fold f g z Empty = z)  (f g z a (A : a finite_set). Fold f g z (a Insert A) = if (u v. f u v = f v u)  (u v w. f u (f v w) = f (f u v) w) then if a In A then Fold f g z A else f (g a) (Fold f g z A) else z December 5, 2018 A Design Structure for Higher Order Quotients

15 Lifting Extension and Induction
Extension:  (A : a list) B a. A ~ B  a. MEM a A  MEM a B  (A : a finite_set) B a. A = B  a. a In A  a In B Induction:  P : a list  bool. P []  (t. P t  h. P (h :: t))  l. P l  P : a finite_set  bool. P Empty  (t. P t  h. P (h Insert t))  l. P l This last theorem requires higher order quotients to lift. An induction principle for a type not defined inductively! This gives an induction principle for finite sets when that type was not defined inductively, but by a quotient on an inductive type. December 5, 2018 A Design Structure for Higher Order Quotients

16 Respectfulness and Preservation of Polymorphic Constants
Polymorphic constants must be polymorphically respectful: R, abs, rep  A1 = A2  R B1 B2  R C1 C2  R (if A1 then B1 else C1) (if A2 then B2 else C2) R1, abs1, rep1  R2, abs2, rep2  R3, abs3, rep3  (R2 ===> R3) f1 f2  (R1 ===> R2) g1 g2  (R1 ===> R3) (f1 o g1) (f2 o g2) Polymorphic constants also must be preserved across quotients: R, abs, rep  (if A then B else C) = abs (if A then rep B else rep C) R1, abs1, rep1  R2, abs2, rep2  R3, abs3, rep3  f o g = (rep1 --> abs3) (((abs2 --> rep3) f) o ((abs1 --> rep2) g)) December 5, 2018 A Design Structure for Higher Order Quotients

17 A Design Structure for Higher Order Quotients
The Axiom of Choice This design uses the Axiom of Choice, in the form of Hilbert’s choice operator e. Constructivists object to e. Paulson has studied first order quotients using only i, a weaker form of choice where i {x} = x, else indetermin. Can higher order quotients be built using only i, not e? Try alternate design eliminating representation functions. Redefine quotient as a pair R, abs where R : t  t  bool, abs : t  x Quotients must satisfy two key algebraic properties: a : x. r : t. R r r  (abs r = a) r, s : t. R r s  R r r  R s s  (abs r = abs s) Now, quotients can be constructed without any use of e given a (partial) equivalence relation R. t is the original, lower type; x is the quotient, higher type December 5, 2018 A Design Structure for Higher Order Quotients

18 Does This Support Constructive Higher Order Quotients?
These quotients extend to lists, pairs, sums, and options.  R abs. R, abs  LIST_REL R, MAP abs Have proven a function quotient extension theorem!  R1 abs1. R1, abs1  R2 abs2. R2, abs2  R1 ===> R2, (abs1  R1) +-> abs2 where we define (R1 ===> R2) f g = (x y. R1 x y  R2 (f x) (g y)) (abs  R) a r = R r r  (abs r = a) (reps +-> abs) f x = i (IMAGE abs (IMAGE f (reps x))) But this can only be proven by using the Axiom of Choice. In fact, this theorem implies the Axiom of Choice, in that it implies the existence of a Hilbert choice operator like e: function quotient extension  c. P x. P x  P (c P)  These designs cannot be used in constructive provers. December 5, 2018 A Design Structure for Higher Order Quotients

19 A Design Structure for Higher Order Quotients
Conclusions This design supports the mechanical creation of quotients with automatic lifting of types, constants, and theorems. Central contribution is a new definition of quotients, based on three key algebraic properties. Design supports the natural extension of quotients (with their properties) to both aggregate and higher order types. Uses the Axiom of Choice. An alternative design avoiding AC could not be extended constructively to higher order. In that design, higher order quotients implied the AC. Implemented in a package in the Higher Order Logic theorem prover version Kananaskis-2 & 3, now available. Design is readily portable to other theorem provers which support higher order logic and the Axiom of Choice. Now can model syntax of sizable programming languages December 5, 2018 A Design Structure for Higher Order Quotients

20 The End Soli Deo Gloria.

Download ppt "A Design Structure for Higher Order Quotients"

Similar presentations

T YPE I SOMORPHISM O LA M AHMOUD S UPERVISED BY : D R. M ARCELO F IORE UNIVERSITY OF CAMBRIDGE Computer Laboratory Theory & Semantics Group I NTRODUCTION.

T YPE I SOMORPHISM O LA M AHMOUD S UPERVISED BY : D R. M ARCELO F IORE UNIVERSITY OF CAMBRIDGE Computer Laboratory Theory & Semantics Group I NTRODUCTION.
Presented by: Ms. Maria Estrellita D. Hechanova, ECE

Presented by: Ms. Maria Estrellita D. Hechanova, ECE
Introduction The concept of transform appears often in the literature of image processing and data compression. Indeed a suitable discrete representation.

Introduction The concept of transform appears often in the literature of image processing and data compression. Indeed a suitable discrete representation.
F28PL1 Programming Languages Lecture 14: Standard ML 4.

F28PL1 Programming Languages Lecture 14: Standard ML 4.
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Primitive Recursive Functions (Chapter 3)

Primitive Recursive Functions (Chapter 3)
1 A Description Logic with Concrete Domains CS848 presentation Presenter: Yongjuan Zou.

1 A Description Logic with Concrete Domains CS848 presentation Presenter: Yongjuan Zou.
Instructor: Hayk Melikya

Instructor: Hayk Melikya
Section 7.4: Closures of Relations Let R be a relation on a set A. We have talked about 6 properties that a relation on a set may or may not possess: reflexive,

Section 7.4: Closures of Relations Let R be a relation on a set A. We have talked about 6 properties that a relation on a set may or may not possess: reflexive,
The Engineering Design of Systems: Models and Methods

The Engineering Design of Systems: Models and Methods
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.

A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
Solving Partial Order Constraints for LPO termination.

Solving Partial Order Constraints for LPO termination.
Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems ADPM’2000 Norbert Völker University of Essex, England.

Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems ADPM’2000 Norbert Völker University of Essex, England.
Preliminaries/ Chapter 1: Introduction. Definitions: from Abstract to Linear Algebra.

Preliminaries/ Chapter 1: Introduction. Definitions: from Abstract to Linear Algebra.
Describing Syntax and Semantics

Describing Syntax and Semantics
1 FORMAL LANGUAGES, AUTOMATA AND COMPUTABILITY 15-453 For next time: Read 2.1 & 2.2.

1 FORMAL LANGUAGES, AUTOMATA AND COMPUTABILITY For next time: Read 2.1 & 2.2.
The ACL2 Proof Assistant Formal Methods Jeremy Johnson.

The ACL2 Proof Assistant Formal Methods Jeremy Johnson.
Introduction Chapter 0. Three Central Areas 1.Automata 2.Computability 3.Complexity.

Introduction Chapter 0. Three Central Areas 1.Automata 2.Computability 3.Complexity.
Math 3121 Abstract Algebra I Section 0: Sets. The axiomatic approach to Mathematics The notion of definition - from the text: It is impossible to define.

Math 3121 Abstract Algebra I Section 0: Sets. The axiomatic approach to Mathematics The notion of definition - from the text: "It is impossible to define.

Similar presentations

Ads by Google