Table Of ContentFoundational Extensible Corecursion
JasminChristianBlanchette AndreiPopescu DmitriyTraytel
InriaNancy&LORIA,France DepartmentofComputerScience, TechnischeUniversitätMünchen,
Max-Planck-InstitutfürInformatik, SchoolofScienceandTechnology, Germany
Saarbrücken,Germany MiddlesexUniversity,UK
[email protected]
[email protected] [email protected]
5
Abstract falls within this fragment, since each call to natsFrom produces
1
one constructor before entering the nested call. Not only is the
0 Thispaperpresentsaformalizedframeworkfordefiningcorecur-
equationconsistent,italsofullyspecifiesthefunction’sbehavior.
2 sivefunctionssafelyinatotalsetting,basedoncorecursionup-to
The above definition is legitimate only if objects are allowed
andrelationalparametricity.Theendproductisageneralcorecur-
n to be infinite. This may be self-evident in a nonstrict functional
sor that allows corecursive (and even recursive) calls under well-
a language such as Haskell, but in a total setting we must care-
behavedoperations,includingconstructors.Corecursivefunctions
J fullydistinguishbetweenthewell-foundedinductive(oralgebraic)
thatarewellbehavedcanberegisteredassuch,therebyincreasing
2 the corecursor’s expressiveness. The metatheory is formalized in datatypes and the non-well-founded coinductive (or coalgebraic)
2 theIsabelleproofassistantandformsthecoreofaprototypetool. datatypes—oftensimplycalleddatatypesandcodatatypes,respec-
The corecursor is derived from first principles, without requiring tively.Recursivefunctionsconsumedatatypevalues,peelingoffa
] newaxiomsorextensionsofthelogic. finite number of constructors as they proceed; corecursive func-
L tionsproducecodatatypevalues,consistingoffinitelyorinfinitely
P Categories and Subject Descriptors F.3.1 [Logics and Mean- manyconstructors.Andinthesamewaythatinductionisavailable
. ingsofPrograms]:SpecifyingandVerifyingandReasoningabout asaproofprincipletoreasonaboutdatatypesandterminatingre-
s
c Programs—Mechanical verification; F.4.1 [Mathematical Logic cursivefunctions,coinductionsupportsreasoningovercodatatypes
[ and Formal Languages]: Mathematical Logic—Mechanical theo- andproductivecorecursivefunctions.
remproving,Modeltheory Despite their reputation for esotericism, codatatypes have an
1 important role to play in both the theory and the metatheory of
v GeneralTerms Algorithms,Theory,Verification programming. On the theory side, they allow a direct embedding
5 of a large class of nonstrict functional programs in a total logic.
2 Keywords (Co)recursion,parametricity,proofassistants, In conjunction with interactive proofs and code generators, this
4 higher-orderlogic,Isabelle enablescertifiedfunctionalprogramming[10].Onthemetatheory
5 side,codatatypesconvenientlycaptureinfinite,possiblybranching
0 processes.Majorproofdevelopmentsrelyonthem,includingthose
. 1. Introduction associated with a C compiler [33], a Java compiler [34], and the
1
0 Totalfunctionalprogrammingisadisciplinethatensurescomputa- Javamemorymodel[35].
5 tionsalwaysterminate.Itisinvaluableinaproofassistant,where Codatatypes are supported by an increasing number of proof
1 nonterminatingdefinitionssuchasfx=fx+1canyieldcontradic- assistants,includingAgda,Coq,Isabelle/HOL,Isabelle/ZF,Matita,
: tions.Hence,mostassistantswillacceptrecursivefunctionsonlyif and PVS. They are also present in the CoALP dialect of logic
v theycanbeshowntoterminate.Similarconcernsariseinspecifi- programming and in the Dafny specification language. But the
i cationlanguagesandverifyingcompilers. abilitytointroducecodatatypesisnotworthmuchwithoutadequate
X
However, some processes need to run forever, without their supportfordefiningmeaningfulfunctionsthatoperateonthem.For
r beinginconsistent.Animportantclassoftotalprogramshasbeen mostsystems,thissupportcanbecharacterizedasworkinprogress.
a identified under the heading of productive coprogramming [1, 7, The key question they all must answer is: What right-hand sides
51]: These are functions that progressively reveal parts of their canbesafelyallowedinafunctiondefinition?
(potentially infinite) output. For example, given a type of infinite Generally,therearetwomainapproachestosupportrecursive
streamsconstructedbySCons,thedefinition andcorecursivefunctionsinaproofassistantorsimilarsystem:
Theintrinsicapproach: A syntactic criterion is built into the
natsFromn=SConsn(natsFrom(n+1))
logic:terminationforrecursivespecifications,productivity(or
guardedness)forcorecursivespecifications.Theterminationor
productivitycheckerispartofthesystem’strustedcodebase.
Thefoundationalapproach: The(co)recursivespecificationsare
reducedtoafixpointconstruction,whichpermitsasimpledef-
initionoftheformf=...,wheref doesnotoccurintheright-
handside.Theoriginalequationsarederivedastheoremsfrom
thisinternaldefinition,usingdedicatedprooftactics.
Systemsfavoringtheintrinsicapproachincludetheproofassistants
Agda and Coq, as well as tools such as CoALP and Dafny. The
[Copyrightnoticewillappearhereonce’preprint’optionisremoved.] mainhurdlefortheirusersisthatsyntacticcriteriaareinflexible;
1 2015/1/23
the specification must be massaged so that it falls within a given Thisextensiblecorecursorgracefullyhandlescodatatypeswith
syntacticfragment,eventhoughthedesiredproperty(termination nestingthrougharbitrarytypeconstructors(e.g.,forinfinite-depth
orproductivity)issemantic.Butperhapsmoretroublinginsystems Rose trees nested through finite or infinite lists). Thanks to the
that process theorems, soundness is not obvious at all and very framework’smodularity,functionspecificationscancombinecore-
tedious to ensure; as a result, there is a history of critical bugs cursion with recursion, yielding quite expressive mixed fixpoint
interminationandproductivitycheckers,aswewillseewhenwe definitions(Section4).ThisisinspiredbytheDafnytool,butour
reviewrelatedwork(Section6).Indeed,Abel[2]observedthat approachissemanticallyfoundedandhenceprovablyconsistent.
ThecompletemetatheoryisimplementedinIsabelle/HOL,asa
Maybethetimeisripetoswitchtoamoresemanticalnotion combinationofagenericproofdevelopmentparameterizedbyar-
ofterminationandguardedness.Thesyntacticguardcondi- bitrarytypeconstructorsandatoolforinstantiatingthemetatheory
tiongetsyousomewhere,butthenneedsalotofextensions touser-specifiedinstances(Section5,[13]).
andpatchingtoworksatisfactoryinpractice.Formalverifi- Techniques such as corecursion and coinduction up-to have
cationofitbecomestoodifficult,andonlyintuitivejustifi- been known for years in the process algebra community, before
cationispronetoerrors. theywereembracedandperfectedbycategorytheorists(Section6).
This work is part of a wider program aiming at bringing insight
fromcategorytheoryintoproofassistants[12,49].Themaincon-
IncontrasttoAgdaandCoq,proofassistantsbasedonhigher-
tributionsofthispaperarethefollowing:
orderlogic(HOL),suchasHOL4,HOLLight,andIsabelle/HOL,
generally adhere to the foundational approach. Their logic is ex- • Werepresentinhigher-orderlogicanintegratedframeworkfor
pressive enough to accommodate the (co)algebraic constructions recursionandcorecursionabletoevolvebyuserinteraction.
underlying (co)datatypes and (co)recursive functions in terms of • We identify a sound fragment of mixed recursive–corecursive
functors on the category of sets [49]. The main drawback of this specifications,integrateitinourframework,andpresentseveral
approachisthatitrequiresalotofwork,bothconceptualandim- examplesthatmotivatethisfeature.
plementational.Moreover,itisnotavailableforallsystems,since
itrequiresanexpressiveenoughlogic. • WeimplementtheaboveinIsabelle/HOLwithinaninteractive
Because every step must be formally justified, foundational loopthatmaintainstherecursive–corecursiveinfrastructure.
definitionalprinciplestendtobesimplerandmorerestrictivethan • Weusethisinfrastructuretoautomaticallyderivemanyexam-
theirintrinsiccounterparts.Asatellingexample,codatatypeswere plesthatareproblematicinotherproofassistants.
introducedinIsabelle/HOLonlyrecently,almosttwodecadesafter
A distinguishing feature of our framework is that it does not
their inception in Coq, and they are still missing from the other
requiretheusertoprovidetypeannotations.Onthedesignspace,
HOLsystems;andcorecursionislimitedtotheprimitivecase,in
itliesbetweenthehighlyrestrictiveprimitivecorecursionandthe
whichcorecursivecallsoccurunderexactlyoneconstructor.
morebureaucraticup-toapproachessuchasclockvariables[7,15]
That primitive corecursion (or the slightly extended version
andsizedtypes[3],combiningexpressivenessandeaseofuse.The
supportedbyCoq)istoorestrictiveisanobservationthathasbeen
identificationofthis“sweetspot”canalsobeseenasacontribution.
made repeatedly by researchers who use corecursion in Coq and
nowalsoIsabelle.LochbihlerandHölzldedicatedapaper[36]to
ad hoc techniques for defining operations on corecursive lists in 2. MotivatingExamples
Isabelle.Onlyafterintroducingalotofmachinerydotheymanage We demonstrate the expressiveness of the corecursor framework
to define their central example—lfilter, a filter function on lazy byexamples,adoptingtheuser’sperspective.Thecasestudiesby
(coinductive)lists—andderivesuitablereasoningprinciples. Rutten[46]andHinze[21]onstreamcalculiserveasourstarting
We contend that it is possible to combine advanced features point.Streamsofnaturalnumberscanbedefinedas
as found in Agda and Coq with the fundamentalism of Isabelle.
Thelackofbuilt-insupportforcorecursion,anapparentweakness, codatatype Stream=SCons(head:Nat)(tail:Stream)
revealsitselfasastrengthasweproceedtointroducerichnotionsof where SCons:Nat→Stream→Stream is the constructor and
corecursion,withoutextendingthetypesystemoraddingaxioms. head:Stream→Nat, tail:Stream→Stream are its selectors.
In this paper, we formalize a highly expressive corecursion Althoughtheexamplesmayseemsimpleorcontrived,theywere
framework that extends primitive corecursion in the following carefullychosentoshowthemaindifficultiesthatariseinpractice.
ways:Itallowscorecursivecallsunderseveralconstructors;ital-
lowswell-behavedoperatorsinthecontextaroundorbetweenthe 2.1 CorecursionUp-to
constructorsandaroundthecorecursivecalls;importantly,itsup-
Asourfirstexampleofacorecursivefunctiondefinition,wecon-
portsblendingterminatingrecursivecallswithguardedcorecursive
siderthepointwisesumoftwostreams:
calls.Thisgeneralcorecursorisaccompaniedbyacorresponding,
equally general coinduction principle that makes reasoning about xs⊕ys=SCons(headxs+headys)(tailxs⊕tailys)
it convenient. Each of the corecursor, mixed recursor–corecursor,
The specification is productive, since the corecursive call occurs
andthecoinductionprinciplegrowinexpressivenessduringthein-
directlyunderthestreamconstructor,whichactsasaguard(shown
teractionwiththeuser,bylearningofnewwell-behavedcontexts.
underlined). Moreover, it is primitively corecursive, because the
Theconstructionsdrawheavilyfromcategorytheory.
topmost symbol on the right-hand side is a constructor and the
Before presenting the technical details, we first show through
corecursivecallappearsdirectlyasanargumenttoit.
exampleshowaprimitivecorecursorcanbeincrementallyenriched
Thesesyntacticrestrictionscanberelaxedtoallowconditional
toaccepteverrichernotionsofcorecursivecallcontext(Section2).
statementsand‘let’expressions[12],butdespitesuchtricksprim-
This is made possible by the modular bookkeeping of additional
itive corecursion remains hopelessly primitive. The syntactic re-
structure for the involved type constructors, including a relator
strictionforadmissiblecorecursivedefinitionsinCoqismoreper-
structure. This structure can be exploited to prove parametricity
missiveinthatitallowsforanarbitrarynumberofconstructorsto
theorems,whichensurethesuitabilityofoperatorsasparticipants
guardthecorecursivecalls,asinthefollowingdefinition:
to the call contexts, in the style of coinduction up-to. Each new
corecursivedefinitionisapotentialfutureparticipant(Section3). onetwos=SCons1(SCons2onetwos)
2 2015/1/23
OurframeworkachievesthesameresultbyregisteringSConsas supX=SCons((cid:70)(fimageheadX))(sup(fimagetailX))
awell-behavedoperation.Intuitively,anoperationiswellbehaved
Here,fimagegivestheimageofafinitesetunderafunction,and
ifitneedstodestructatmostoneconstructorofinputtoproduce (cid:70)Xisthemaximumofafinitesetofnaturalsor0ifXisempty.
oneconstructorofoutput.Forstreams,suchanoperationmayin-
specttheheadandthetail(butnotthetail’stail)ofitsarguments
2.2 NestedCorecursionUp-to
beforeproducinganSCons.Becausetheoperationpreservespro-
ductivity,itcansafelysurroundtheguardingconstructor. Although we use streams as our main example, the framework
The rigorous definition of well-behavedness will capture this generallysupportsarbitrarycodatatypeswithmultiplecurriedcon-
intuitioninaparametricitypropertythatmustbedischargedbythe structors and nesting through other type constructors. To demon-
user.Inexchange,theframeworkyieldsastrengthenedcorecursor stratethislastfeature,weintroducethetypeoffinitelybranching
thatincorporatesthenewoperation. Rosetreesofpotentiallyinfinitedepthwithnumericlabels:
TheconstructorSConsiswellbehaved,sinceitdoesnoteven
codatatype Tree=Node(val:Nat)(sub:ListTree)
needtoinspectitsargumentstoproduceaconstructor.Incontrast,
theselectortailisnotwellbehaved—itmustdestructtwolayersof ThetypeTreehasasingleconstructorNode:Nat→ListTree→
constructorstoproduceone: Treeandtwoselectorsval:Tree→Natandsub:Tree→ListTree.
TherecursiveoccurrenceofTreeisnestedinthefamiliarpolymor-
tailxs=SCons(head(tailxs))(tail(tailxs))
phicdatatypeoffinitelists.
The presence of non-well-behaved operations in the corecursive Wefirstdefinethepointwisesumoftwotreesanalogouslyto⊕:
call context is enough to break productivity, as in the example
t(cid:1)u=Node(valt+valu)
stallA=SCons1(tailstallA),whichstallsimmediatelyafterpro-
(map(λ(t(cid:48),u(cid:48)).t(cid:48)(cid:1)u(cid:48))(zip(subt)(subu)))
ducingoneconstructor,leavingtailstallAunspecified.
Another instructive example is the function that keeps every Here,mapisthestandardmapfunctiononlists,andzipconverts
otherelementinastream: two parallel lists into a list of pairs, truncating the longer list
if necessary. The criterion for primitive corecursion for nested
everyOtherxs=SCons(headxs)(everyOther(tail(tailxs)))
codatatypes requires the corecursive call to be applied through
The function is not well behaved, despite being primitive core- map, which is the case for (cid:1). Moreover, by virtue of being well
cursive.Italsobreaksproductivity:stallB=SCons1(everyOther behaved,(cid:1)canbeusedtodefinetheshuffleproductoftrees:
stallB)stallsafterproducingtwoconstructors.
Goingbacktoourfirstexample,weobservethattheoperation⊕ t(cid:2)u=Node(valxs×valys)
(map(λ(t(cid:48),u(cid:48)).(t(cid:2)u(cid:48))(cid:1)(t(cid:48)(cid:2)u))(zip(subt)(subu)))
iswellbehaved.Hence,itisallowedtoparticipateincorecursive
call contexts when defining new functions. In this respect, the Again, the corecursive call takes place inside map, but this time
frameworkismorepermissivethanCoq’ssyntacticrestriction.For alsointhecontextof(cid:1).Thespecificationof(cid:2)iscorecursiveup-to
example,wecandefinethestreamofFibonaccinumbersineither andwellbehaved.
ofthefollowingtwoways:
2.3 MixedRecursion–Corecursion
fibA=SCons0(SCons1fibA⊕fibA)
fibB=SCons0(SCons1fibB)⊕SCons0fibB It is often convenient to let a corecursive function perform some
finite computation before producing a constructor. With mixed
Well-behavedoperationsareallowedtoappearbothunderthecon- recursion–corecursion,afinitenumberofunguardedrecursivecalls
structorguard(asinfibA)andaroundit(asinfibB).Noticethattwo performthiscalculationbeforereachingaguardedcorecursivecall.
guardsarenecessaryinthesecondexample—oneforeachbranch Theintuitivecriterionforacceptingsuchdefinitionsisthatthe
ofthe⊕operator.Incidentally,wearenotawareofanyotherframe- unguardedrecursivecallcouldbeunfoldedtoarbitraryfinitedepth,
workthatallowssuchdefinitions.Withoutrephrasingthespecifi- ultimatelyyieldingapurelycorecursivedefinition.Anexampleis
cation,fibBcannotbeexpressedinRutten’sformatofbehavioral theprimesfunctiontakenfromDiGianantonioandMiculan[17]:
differentialequations[46]orinHinze’ssyntacticrestriction[21],
norviaAgdacopatterns[5,6]. primesmn=if(m=0∧n>1)∨gcdmn=1
Manyusefuloperationsarewellbehavedandcanthereforepar- thenSConsn(primes(m×n)(n+1))
ticipateinfurtherdefinitions.FollowingRutten,theshuffleproduct elseprimesm(n+1)
⊗oftwostreamsisdefinedintermsof⊕.Shuffleproductbeing
When called with m=1 and n=2, this function computes the
itselfwellbehaved,wecanemployittodefinestreamexponentia-
streamofprimenumbers.Theunguardedcallintheelsebranch
tion,whichalsoturnsouttobewellbehaved:
incrementsitssecondargumentnuntilitiscoprimetothefirstargu-
xs⊗ys=SCons(headxs×headys) mentm(i.e.,thegreatestcommondivisorofmandnis1).Forany
((xs⊗tailys)⊕(tailxs⊗ys)) positiveintegersmandn,thenumbersmandm×n+1arecoprime,
yielding an upper bound on the number of times n is increased.
expxs=SCons(2ˆheadxs)(tailxs⊗expxs)
Hence,thefunctionwilltaketheelsebranchatmostfinitelyof-
Next,weusethedefinedandregisteredoperationstospecifytwo tenbeforetakingthethenbranchandproducingoneconstructor.
streams of factorials of natural numbers facA (starting at 1) and Thereisaslightcomplicationwhenm=0andn>1:Withoutthe
facB(startingat0): firstdisjunctintheifcondition,thefunctioncouldstall.(Thiscor-
nercasewasoverlookedintheoriginalexample[17].)
facA=SCons1facA⊗SCons1facA
Mixedrecursion–corecursionalsoallowsustogiveadefinition
facB=exp(SCons0facB)
offactorialswithoutinvolvinganyauxiliarystreamoperations:
ComputingthefirstfewtermsoffacAmanuallyshouldconvince
facCnai=ifi=0thenSConsa(facC(n+1)1(n+1))
thereaderthatproductivityandefficiencyarenotsynonymous.
elsefacCn(a×i)(i−1)
Theargumentsofwell-behavedoperationsarenotrestrictedto
the Stream type. For example, we can define the well-behaved The recursion in the else branch computes the next factorial by
supremumofafinitesetofstreamsbyprimitivecorecursion: meansofanaccumulatoraandadecreasingcounteri.Whenthe
3 2015/1/23
counterreaches0,facCcorecursivelyproducesaconstructorwith distinguished by taking observations (i.e., by applying the head
theaccumulatedvalueandresetstheaccumulatorandthecounter. and tail selectors); therefore they must be equal. In other words,
Unguardedcallsmayalsooccurunderwell-behavedoperations: equalityisthelargestbisimulation.
CreativityisgenerallyrequiredtoinstantiateRwithabisimula-
catn=ifn>0thencat(n−1)⊕SCons0(cat(n+1))
tion.However,givenagoall=r,thefollowingcanonicalcandidate
elseSCons1(cat1)
oftenworks:λst.∃xs.s=l∧t=r,wherexsarevariablesoccur-
Thecallcat1computesthestreamofCatalannumbers:C ,C ,..., ringfreeinlorr.Asarehearsal,letusprovethattheprimitively
1 2
whereCi= n+11(cid:0)2nn(cid:1).Thisfactisfarfromobvious.Productivityis corecursiveoperation⊕iscommutative.
notentirelyobviouseither,butitisguaranteedbytheframework.
Proposition1. xs⊕ys=ys⊕xs.
Whenmixingrecursionandcorecursion,itiseasytogetthings
wrong in the absence of solid foundations. Consider this appar- Proof. WefirstshowthatR=(λst.∃xsys.s=xs⊕ys∧t=ys⊕
ently unobjectionable specification in which the corecursive call xs) is a bisimulation. We fix two streams s and t for which we
isguardedbySConsandtheunguardedcall’sargumentstrictlyde- assumeRst(i.e.,thereexisttwostreamsxsandyssuchthat s=
creasestoward0: xs⊕ysandt=ys⊕xs).Next,wemustshowthatheads=headt
and R(tail s)(tailt). The first property can be discharged by a
nastyn=ifn<2thenSConsn(nasty(n+1)) simplecalculation.Forthesecondone:
elseinc(tail(nasty(n−1)))
R(tails)(tailt)
Here, inc=smap(λx. x+1) and smap is the map function on ←→R(tail(xs⊕ys))(tail(ys⊕xs))
streams. A simple calculation reveals that this specification is in- ←→R(tailxs⊕tailys))(tailys⊕tailxs)
consistent because the tail selector before the unguarded call de- ←→∃xs(cid:48)ys(cid:48). tailxs⊕tailys=xs(cid:48)⊕ys(cid:48)∧
structsthefreshlyproducedconstructorfromtheotherbranch: tailys⊕tailxs=ys(cid:48)⊕xs(cid:48)
nasty2=inc(tail(nasty1)) Thelastformulacanbeshowntoholdbyselectingxs(cid:48)=tailxsand
=inc(tail(SCons1(nasty2))) ys(cid:48)=tailys.Moreover,R(xs⊕ys)(ys⊕xs)holds.Therefore,the
=inc(nasty2)
thesisfollowsbystructuralcoinduction.
Thisisaclosecousinoftheinfamousf x=f x+1examplemen-
Ifweattempttoprovethecommutativityof⊗analogously,we
tionedintheintroduction.Theframeworkrejectsthisspecification
eventuallyencounteraformulaoftheformR(···⊕···)(···⊕···),
onthegroundsthatthetailselectorintherecursivecallcontextis
because⊗isdefinedintermsof⊕.SinceRmentionsonly⊗but
notwellbehaved.
not ⊕, we are stuck. An ad hoc solution would be to replace the
We conclude this section with a practical example from the
canonicalRwithabisimulationthatallowsfordescendingunder⊕.
literature.Giventhepolymorphictype
However,thiswouldbeneededforalmosteverypropertyabout⊗.
codatatype LList(A)= Amorereusablesolutionistostrengthenthecoinductionprin-
LNil|LCons(head:A)(tail:LList(A)) ciple upon registration of a new well-behaved operation. The
strengthening mirrors the acquired possibility of the new opera-
oflazylists,thetaskistodefinethefunctionlfilter:(A→Bool)→
tiontoappearinthecorecursivecallcontext.Itistechnicallyrepre-
LList(A)→LList(A)thatfiltersoutallelementsfailingtosatisfy
sentedbyacongruenceclosurecl:(Stream→Stream→Bool)→
the given predicate. Thanks to the support for mixed recursion–
Stream→Stream→Bool.Thecoinductionup-toprincipleisal-
corecursion, the framework transforms what was for Lochbihler
mostidenticaltostructuralcoinduction,exceptthatthecorecursive
andHölzl[36]aresearchproblemintoaroutineexercise:
applicationofRisreplacedbyclR:
lfilterPxs=if∀x∈xs.¬Pxs Rlr ∀st.Rst−→heads=headt∧clR(tails)(tailt)
thenLNil
l=r
elseifP(headxs)
The principle evolves with every newly registered well-behaved
thenLCons(headxs)(lfilterP(tailxs))
operationinthesensethatourframeworkrefinesthedefinitionof
elselfilterP(tailxs) thecongruenceclosurecl.(Strictlyspeaking,afreshsymbolcl(cid:48) is
The first self-call is corecursive and guarded by LCons, whereas introducedeachtime.)Forexample,afterregisteringSConsand⊕,
thesecondself-callisterminating,becausethenumberof“false” clRistheleastreflexive,symmetric,transitiverelationcontainingR
elementsuntilreachingthenext“true”element(whoseexistenceis andsatisfyingtherules
guaranteedbythefirstifcondition)decreasesbyone. x=y clRxsys clRxsys clRxs(cid:48)ys(cid:48)
2.4 CoinductionUp-to clR(SConsxxs)(SConsyys) clR(xs⊕xs(cid:48))(ys⊕ys(cid:48))
Onceacorecursivespecificationhasbeenacceptedasproductive, After defining and registering ⊗, the relation clR is extended to
we normally want to reason about it. In proof assistants, codata- alsosatisfy
types are accompanied by a notion of structural coinduction that clRxsys clRxs(cid:48)ys(cid:48)
matchesprimitivelycorecursivefunctions.Fornonprimitivespeci- clR(xs⊗xs(cid:48))(ys⊗ys(cid:48))
fications,ourframeworkprovidesthemoreadvancedproofprinci-
pleofcoinductionuptocongruence—orsimplycoinductionup-to. Letusapplythestrengthenedcoinductionprincipletoprovethe
Thestructuralcoinductionprincipleforstreamsisasfollows: distributivityofstreamexponentiationoverpointwiseaddition:
Rlr ∀st. Rst−→heads=headt∧R(tails)(tailt) Proposition2. exp(xs⊕ys)=expxs⊗expys.
l=r Proof. WefirstshowthatR=(λst.∃xsys.s=exp(xs⊕ys)∧t=
Coinductionallowsustoproveanequalityonstreamsbyproviding expxs⊗expys)isabisimulation.Wefixtwostreams sandtfor
a relation R that relates the left-hand side with the right-hand whichweassumeRst(i.e.,thereexisttwostreamsxsandyssuch
side (first premise) and that constitutes a bisimulation (second thats=exp(xs⊕ys)andt=expxs⊗expys).Next,weshowthat
premise). Streams that are related by a bisimulation cannot be heads=headtandclR(tails)(tailt):
4 2015/1/23
heads=head(exp(xs⊕ys))=2ˆhead(xs⊕ys) • afunctorialactionFmap:∏A,B∈Setn∏ni=1(Ai→Bi)→FA→
=2ˆ(headxs+headys)=2ˆheadxs×2ˆheadys F B, i.e., a polymorphic function of the indicated type that
=head(expxs)×head(expys) commuteswithidentityidA:A→Aandcomposition;
=head(expxs⊗expys)=headt
• a relator Frel : ∏A,B∈Setn∏ni=1(Ai→Bi→Bool) → F A →
clR(tails)(tailt) FB→Bool,i.e.,apolymorphicfunctionoftheindicatedtype
←→clR(tail(exp(xs⊕ys)))(tail(expxs⊗expys)) whichcommuteswithbinary-relationidentityandcomposition.
←→clR((tailxs⊕tailys)⊗exp(xs⊕ys))
(expxs⊗(tailys⊗expys)⊕(tailxs⊗expxs)⊗expys) Followingstandardnotationfromcategorytheory,wewriteFin-
←→∗ clR((tailxs⊗exp(xs⊕ys)⊕tailys⊗exp(xs⊕ys)) stead of Fmap. Given binary relations Ri :Ai → Bi →Bool for
(tailxs⊗(expxs⊗expys)⊕tailys⊗(expxs⊗expys) 1≤i≤n,wethinkofFrelR:FA→FB→Boolasthenatural
⊕
←−clR(tailxs⊗exp(xs⊕ys))(tailxs⊗(expxs⊗expys))∧ lifting of R along F; for example, if F is List (and hence n=1),
clR(tailys⊗exp(xs⊕ys))(tailys⊗(expxs⊗expys)) Frelliftsarelationonelementstothecomponentwiserelationon
⊗
←−clR(tailxs)(tailxs)∧clR(tailys)(tailys)∧ lists(alsorequiringequallength).Itiswellknownthatthepositive
clR(exp(xs⊕ys))(expxs⊗expys) typeconstructorsdefinedbystandardmeans(basictypes,compo-
←−R(exp(xs⊕ys))(expxs⊗expys) sition,leastorgreatestfixpoints)havecanonicalfunctorialandre-
latorstructure.Thisiscrucialforthefoundationalconstructionof
Thestepmarkedwith∗appealstoassociativityandcommutativity
user-specified(co)datatypesinIsabelle/HOL[49].
of⊕and⊗aswellasdistributivityof⊗over⊕.Theseproperties But even nonpositive type constructors G : Setn → Set ex-
arelikewiseprovedbycoinductionup-to.Theimplicationsmarked
with⊕and⊗arejustifiedbytherespectivecongruencerules.The hibitarelator-likestructureGrel:∏A,B∈Setn (A→B)→(GA→
GB→Bool) (which need not commute with relation composi-
lastimplicationusesreflexivityandexpandsRtoitsclosureclR. tion, though). For example, if G : Set2 → Set is the function-
Finally,itiseasytoseethatR(exp(xs⊕ys))(expxs⊗expys)
space constructor G (A ,A ) = A → A and f ∈ G (A ,A ),
1 2 1 2 1 2
holds.Therefore,thethesisfollowsbycoinductionup-to.
g∈G(B ,B ),R :A →B →Bool,andR :A →B →Bool,
1 2 1 1 1 2 2 2
Theformalizationaccompanyingthispaper[13]alsocontains thenGrelR1R2 f gisdefinedas∀a1∈A1.∀b1∈B1.R1a1b1−→
proofs of facA=facC111=smapfac(natsFrom1), facB= R2 (f a1) (g b1). A polymorphic function c : ∏A∈SetnG A, c
SCons1facA,andfibA=fibB,wherefacisthefactorialonNat. is called parametric [41, 52] if ∀A,B ∈ Setn. ∀R : A → B →
Nested corecursion up-to is also reflected with a suitable Bool.GrelRc c . The maintenance of relator-like structures is
A B
strengthened coinduction rule. For Tree, this strengthening takes veryhelpfulforautomatingtheoremtransferalongisomorphisms
place under the rel operator on list, similarly to the corecursive andquotients[24].Hereweexploreanadditionalbenefitofmain-
callsoccurringnestedinthemapfunction: taining functorial and relator structure for type constructors: the
possibilitytoextendthecorecursorinreactiontouserinput.
Rlr ∀st.Rst−→vals=valt∧rel(clR)(subs)(subt)
Inthissection,weassumethatalltheconsideredtypeconstruc-
l=r tors are both functors and relators, that they include basic func-
TherelRoperatorliftsthebinarypredicateR:A→B→Boolto torssuchasidentity,constant,sum,andproduct,andthattheyare
a predicate ListA→ListB→Bool. More precisely, relRxsys closedunderleastfixpoints(initialalgebras)andgreatestfixpoints
holds if and only if xs and ys have the same length and parallel (final coalgebras). Examples of such classes of type constructors
elements of xs and ys are related by R. This nested coinduction includethedatafunctors[20],thecontainers[1],andthebounded
ruleisconvenientprovidedthereissomeinfrastructuretodescend naturalfunctors[49].
underrel(asisthecaseinIsabelle/HOL).Theformalization[13] Wefocusonthecaseofaunarycodatatype-generatingfunctor
establishesseveralarithmeticpropertiesof(cid:1)and(cid:2). F:Set→Set.Thecodatatypeofinterestwillbeitsgreatestfixpoint
(orfinalcoalgebra)J=gfpF.Thisgenericsituationalreadycovers
3. ExtensibleCorecursors thevastmajorityofinterestingcodatatypes,sinceFcanrepresent
arbitrarilycomplexnesting.Forexample,ifF=(λA.Nat×ListA),
Wenowdescribethedefinitionalandproofmechanismsthatsub- thenJcorrespondstotheTreecodatatypepresentedinSection2.2.
stantiate flexible corecursive definitions in the style of Section 2. The extension to mutually defined codatatypes is straightforward
They are based on the modular maintenance of infrastructure for buttedious.OurexampleswilltakeJtobetheStreamtypefrom
thecorecursorassociatedwithacodatatype,withthepossibilityof Section2,withF=(λA.Nat×A).
open-endedincrementalimprovement.Wepresenttheapproachfor GivenasetA,itwillbeusefultothinkoftheelementsx∈FAas
anarbitrarycodatatypegivenasthegreatestfixpointofanarbitrary consistingofashapetogetherwithcontentthatfillstheshapewith
(bounded)functor.Theapproachisquitegeneralanddoesnotrely elementsof A.IfFA=Nat×A,theshapeof x=(n,a)is(n,_)
onanyparticulargrammarforspecifyingcodatatypes. andthecontentisa;ifFA=ListA,theshapeof x=[x1,...,xn]
Extensibilityisanintegralfeatureoftheframework.Inprinci- isthen-slotcontainer[_,...,_]andthecontentconsistsofthexi’s.
ple,animplementationcouldredotheconstructionsfromscratch According to this view, for each f : A → B, the functorial
each time a well-behaved operation is registered, but it would actionassociatedwithFsendsany xintoanelementF f xofthe
give rise to a quadratic number of definitions, slowing down the same shape as x but with each content item a replaced by f a.
proofassistant.Theincrementalapproachisalsomoreflexibleand Technically, this view can be supported by custom notions such
future-proof,allowingmixedfixpointsandcompositionwithother ascontainers[1]or,moresimply,viaaparametricfunctionoftype
(co)recursors,includingsomethatdonotexistyet. ∏A∈SetFA→SetAthatcollectsthecontentelements[49].
3.1 FunctorsandRelators
3.2 PrimitiveCorecursion
Functionalprogramminglanguagesandproofassistantsnecessar-
ilymaintainadatabaseoftheuser-definedtypesor,moregenerally, ThecodatatypethatdefinesJalsointroducestheconstructorand
typeconstructors,whichcanbethoughtasfunctionsF:Setn→Set destructorbijectionsctor:FJ→Janddtor:J→FJandtheprim-
operatingonsets(orperhapsonorderedsets).Itisoftenusefulto itivecorecursorcorecPrim:∏A∈Set(A→FA)→A→Jcharacter-
maintainmorestructurealongwiththesetypeconstructors: izedbytheequationcorecPrimsa=ctor(F(corecPrims)(sa)).
5 2015/1/23
Inelementsx∈FA,theoccurrencesofcontentitemsa∈Ainthe
shapeofxcapturesthepositioningofthecorecursivecalls. KiJ fi (cid:47)(cid:47)J(cid:79)(cid:79)
Example3. Modulocurrying,thepointwisesumofstreams⊕is
definableascorecPrims,bytakings:Stream2→Nat×Stream2 Λ◦Σ(cid:104)id,dtor(cid:105)◦ιi ctor
tobeλ(xs,ys).(headxs+headys,(tailxs,tailys)). (cid:15)(cid:15)
In Example 3 and elsewhere, we lighten notation by identify F(Σ∗J) Feval (cid:47)(cid:47)FJ
thecurriedanduncurriedformsoffunctions,countingonimplicit
coercionsbetweenthetwo. Figure1:Thewell-behavednesscondition
3.3 TheCorecursionState
GivenanyfunctorΣ:Set→Set,wedefineitsfree-monadfunctor Butwhatguaranteesthatthe fi’sareindeedsafeascontextsfor
Σ∗ by Σ∗A=lfp(λB. A+Σ B). We write leaf :A→Σ∗A and corecursivecalls?Inparticular,howcantheframeworkexcludetail
op:Σ(Σ∗A)→Σ∗AfortheleftandrightinjectionsintoΣ∗A. whileallowingSCons,⊕,and⊗?Thisiswheretheparametricity
Thefunctionsleafandopareinfactpolymorphic;forexample, andwell-behavednessconditionsonthestateenterthepicture.
leaf hastype∏A∈SetA→Σ∗A.Weoftenomitthesetparameters Westartwithwell-behavedness.Assumex∈Ki,whichisunam-
ofpolymorphicfunctionsiftheycanbeinferredfromthecontext, biguouslyrepresentedinΣasιix.Let j1,..., jm∈Jbethecontent
writingleafandopinsteadofleafAandopA. itemsofιix(placedinvariousslotsintheshapeofx).Toevaluate fi
Atanygivenmoment,wemaintainthefollowingdataassoci- onx,wefirstcorecursivelydestructthe j’swhilealsokeepingthe
l
atedwithJ,whichwecallacorecursionstate: originals,thusreplacingeach j with(j,dtor j).Thenweapply
l l l
the transformation Λ to obtain an element of F(Σ∗J), which has
• afinitenumberoffunctorsK1,...,Kn:Set→Setand,foreach anF-shapeatthetop(thefirstproducedobservabledata)andfor
Ki,afunction fi:KiJ→J; eachslotinthisshapeanelementofΣ∗J,i.e.,aformal-expression
• apolymorphicfunctionΛ:∏A∈SetΣ(A×FA)→F(Σ∗A). treehavingleavesinJandbuiltusingoperationsymbolsfromthe
Wecallthe fi’sthewell-behavedoperationsanddefinetheircollec- signature(thecorecursivecontinuation):
tiisvtehseigsntaantduarerdfuenmctboerdΣdinasgλoAf.KKi1inAto+Σ··.·+WKencaAll,wΛhtehreecιio:rKeciu→rsoΣr KiJ−ι→i ΣJΣ(cid:104)−id→,dtor(cid:105)Σ(J×FJ)−Λ→F(Σ∗J)
seed.Thecorecursionstateissubjecttothefollowingconditions: Insummary,Λisaschematicrepresentationofthemutuallycore-
Parametricity: Λisparametric. cursivebehaviorofthewell-behavedoperationsuptotheproduc-
tionofthefirstobservabledata.Thisintuitionismadeformalinthe
Well-behavedness: Each fisatisfiesthecharacteristicequation well-behavednesscondition,whichstatesthatthediagraminFig-
fix=ctor(Feval(Λ(Σ(cid:104)id,dtor(cid:105)(ιix)))) ure1commutesforeach fi.(Wecouldreplacetherightupwardar-
rowlabeledbyctorwithadownwardarrowlabeledbydtorwithout
Theconvolutionoperator(cid:104)_,_(cid:105)buildsafunction(cid:104)f,g(cid:105):B→C×D changingthediagram’smeaning.However,weconsistentlyprefer
fromtwofunctions f :B→Candg:B→D,andeval:Σ∗J→J theconstructorviewinourexposition.)
isthecanonicalevaluationfunctiondefinedrecursively(usingthe Intheaboveexplanations,wesawthatitsufficestopeeloffone
primitiverecursorassociatedwithΣ∗): layer of the arguments ji (by applying dtor) for a well-behaved
eval(leaf j)= j operation fi to produce, via Λ, one layer of the result and to
delegate the rest of the computation to a context consisting of a
eval(opz) =casezofιit⇒ fi(Kievalt) combinationofwell-behavedoperations(anelementofΣ∗J).But
(Notethat,ontherecursivecallontherighteval,isappliedtotvia how to formally express that exploring one layer is enough, i.e.,
“lifting” it through the functor Ki.) Functions having the type of thatapplyingΛ:J×FJ→F(Σ∗J)to(ji,dtor ji)doesnotresult
Λandadditionallyassumedparametric(or,equivalently,assumed in a deeper exploration? An elegant way of capturing this is to
to be natural transformations) are known in category theory as requirethatΛ,whichisapolymorphicfunction,operateswithout
“abstractGSOSrules.”TheywereintroducedbyTuriandPlotkin analyzing J, i.e., that it operates in the same way on A×FA→
[50] and further studied by Bartels [8], Jacobs [26], Hinze and F(Σ∗A)foranysetA.Thisrequirementispreciselyparametricity.
James[22],Miliusetal.[38],andothers. Strictlyspeaking,thewell-behavedoperations f arearedundant
Thus, a corecursion state is a triple (K, f,Λ). As we will see pieceofdatainthestate(K, f,Λ),since,assumingΛparametric,
in Section 3.6, the state evolves as users define and register new
we can prove that there exists a unique tuple f that satisfies the
functions.The fi’saretheoperationsthathavebeenregisteredas well-behavednesscondition.Inotherwords,theoperations f could
safe for participating in the context of corecursion calls. Since fi bederivedonaper-needbasis.
hastypeKiJ→J,wethinkofKiasencodingthearityof fi.Then
Σ,thesumoftheKi’s,representsthesignatureconsistingofallthe Example 4. Let J = Stream and assume that SCons : Nat×
fi’s.Thus,foreachA,Σ∗Arepresentsthesetofformalexpressions Stream→Streamand⊕:Stream2→Streamaretheonlywell-
over Σ and A, i.e., the trees built starting from the “variables” in behaved operations registered so far. Then K1 =(λB. Nat×B),
A as leaves byapplying operations symbolscorresponding to the f =SCons,K =(λB.B2),and f =⊕.Moreover,Σ∗=lfp(λB.
1 2 2
fi’s.Finally,evalevaluatesinJtheformalexpressionsofΣ∗Jby A+(Nat×B+B2)) consists of formal-expression trees with
applyingthefunctions firecursively. leavesin Aandbuiltusingarity-correctapplicationsofoperation
IfthefunctorsKi arerestrictedtobefinitemonomialsλA.Aki, symbols corresponding to SCons and ⊕, denoted by SCons and
the functor Σ can be seen as a standard algebraic signature and ⊕. Given n∈Nat and a,b∈ A, an example of such a tree is
(Σ∗A,op)asthestandardtermalgebraforthissignature,overthe leaf a ⊕ SCons (n,leaf a ⊕ leaf b). If additionally A=J, then
variablesA.However,weallowKitobemoreexotic;forexample, evalappliedtotheabovetreeisa ⊕ SConsn(a ⊕ b).
KiA can be ANat (representing an infinitary operation) or one of But what is Λ? As we show below, we need not worry about
ListA and FinSetA (representing an operation taking a varying the global definition of Λ, since both Σ and Λ will be updated
finitenumberoforderedorunorderedarguments). incrementally when registering new operations as well behaved.
6 2015/1/23
Nonetheless,aglobaldefinitionofΛforSConsand⊕follows: operationswereregistered):
Λz=casezof ⊕,everyOther: corecFlex,corecTop,corecPrim
ι (n,(a,(m,a(cid:48))) ⇒(n, SCons(m,leafa(cid:48))) onetwos,fibA,⊗,exp,sup: corecFlex,corecTop
1
ι ((a,(m,a(cid:48))), (b,(n,b(cid:48))))⇒(m+n,leafa(cid:48) ⊕ leafb(cid:48)) fibB,facA,facB: corecFlex
2
Informally,SConsand⊕exhibitthefollowingbehaviors: WiththeusualidentificationofUnit→JandJ,wecandefinefibA
andfacAasfollows:
• toevaluateSConsonanumbernandanitemawith(heada,
taila)=(m,a(cid:48)), produce n and evaluate SCons on m and a(cid:48), fibA=corecTop(λu:Unit.(0, SCons(1,leafu) ⊕ (leafu)))
i.e.,outputSConsn(SConsma(cid:48))=SConsna;
facA=corecFlex(λu:Unit.leaf(1,leafu) ⊗ leaf(1,leafu))
• to evaluate ⊕ on a,b with (head a,tail a) = (m,a(cid:48)) and
(headb,tailb)=(n,b(cid:48)), produce m+n and evaluate ⊕ on Let us look at fibA closely, comparing its specification fibA=
a(cid:48)andb(cid:48),i.e.,outputSCons(m+n)(a(cid:48)⊕b(cid:48)). SCons 0 (SCons 1 fibA ⊕ fibA) with its definition in terms of
corecTop. The outer SCons guard (with 0 as first argument) cor-
3.4 CorecursionUp-to respondstotheouterpair(0,_).TheinnerSConsand⊕areinter-
Acorecursionstate(K, f,Λ)foranF-definedcodatatypeJconsists pretedaswell-behavedoperationsandrepresentedbythesymbols
of a collection of operations on J, fi :Ki J→J, that satisfy the SCons and ⊕ (cf. Example 4). Finally, the corecursive calls of
well-behavedness properties expressed in terms of a parametric fibAarecapturedbyleafu.
functionΛ.Wearenowreadytoharvestthecropofthissetting:a The desired specification can be obtained from the corecTop
corecursionprinciplefordefiningfunctionshavingJascodomain. formbythecharacteristicequationofcorecTop(forA=Unit)and
Theprinciplewillberepresentedbytwocorecursors,corecTop the properties of eval as follows, where we simply write s, fibA,
andcorecFlex.Althoughsubsumedbythelatter,theformerisinter- and leaf instead of their applications to the unique element () of
estinginitsownrightandwillgiveustheopportunitytoillustrate Unit,namelys(),fibA(),andleaf():
somefinepoints.Belowwelistthetypesofthesecorecursorsalong
fibA
withthatoftheprimitivecorecursorforcomparison:
= {bythecommutativityofFigure2b
Primitivecorecursor: withfibA=corecTops}
corecPrim:∏A∈Set(A→FA)→A→J ctor(F(eval◦Σ∗fibA)s)
= {bythedefinitionsofFands}
Top-guardedcorecursorup-to:
corecTop:∏A∈Set(A→F(Σ∗A))→A→J =SCons0((eval◦Σ∗fibA)(SC{obnyst(h1e,dleeafifn)it⊕ion(loefafΣ)∗)})
Flexiblyguardedcorecursorup-to: SCons0(eval(SCons(1,leaffibA) ⊕ (leaffibA))
corecFlex:∏A∈Set(A→Σ∗(F(Σ∗A)))→A→J = {bythedefinitionofeval}
Figure 2 presents the diagrams whose commutativity properties SCons0(SCons1fibA⊕fibA)
givethecharacteristicequationsofthesecorecursors. TheeliminationofthecorecTopinfrastructurereliesonsimplifica-
Eachcorecursorimplementsacontractofthefollowingform: tionrulesfortheinvolvedoperatorsandcanbefullyautomatized.
If,foreacha∈A,oneprovidestheintendedcorecursivebehavior
ofgarepresentedassa,wheresisafunctionfromA,oneobtains Parametricityandwell-behavednessarecrucialforprovingthat
thefunctiong:A→J(asthecorrespondingcorecursorappliedto thecorecursorsactuallyexist:
s)satisfyingasuitablefixpointequationmatchingthisbehavior.
Theorem6. ThereexistthepolymorphicfunctionscorecTopand
Thecodomainof sisthekeytounderstandingtheexpressive-
corecFlex making the diagrams in Figures 2b and 2c commute.
nessofeachcorecursor.Theintendedcorecursivecallsarerepre-
Moreover,foreachsofappropriatetype,corecTopsorcorecFlexs
sentedbyA,andthecallcontextisrepresentedbythesurrounding
istheuniquefunctionmakingitsdiagramcommute.
combinationoffunctors(involvingF,Σ∗,orboth):
Theorem 6 is a known result from the category theory litera-
• for corecPrim, the allowed call contexts consist of a single
ture:ThecorecTopsversionfollowsfromtheresultsinBartels’s
constructorguard(representedbyF);
thesis[9],whereasthecorecFlexsversionwasveryrecently(and
• forcorecTop,theyconsistofaconstructorguard(represented independently)provedbyMiliusetal.[38,Theorem2.16].
byF)followedbyanycombinationofwell-behavedoperations
fi(representedbyΣ∗); 3.5 InitializingtheCorecursionState
• forcorecFlex,theyconsistofanycombinationofwell-behaved The simplest relaxation of primitive corecursion is the allowance
operations satisfying the condition that on every path leading of multiple constructors in the call context, in the style of Coq,
toacorecursivecallthereexistsatleastoneconstructorguard as in the definition of onetwos (Section 2.1). Since this idea is
(representedbyΣ∗(F(Σ∗_))). independent of the choice of codatatype J, we realize it when
bootstrappingthecorecursionstate.
We can see the computation of ga by following the diagrams in
Moreprecisely,upondefiningacodatatypeJ,wetakethefol-
Figure2counterclockwisefromtheirleft-topcorners.Theapplica-
lowinginitialcorecursionstateinitState=(K, f,Λ):
tionsafirstbuildsthecallcontextsyntactically.Thengisapplied
corecursively on the leaves. Finally, the call context is evaluated: • Kisasingletonconsistingof(acopyof)F;
forcorecPrim,itconsistonlyoftheguard(ctor);forcorecTop,it
• f isasingletonconsistingofctor;
involvestheevaluationofthewell-behavedoperators(whichmay
also include several occurrences of the guard) and ends with the • Λ:∏A∈SetF(A×FA)→F(F∗A)isdefinedasF(op◦Fleaf◦
evaluation of the top guard; for corecFlex, the evaluation of the snd),wheresndisthesecondproductprojection.
guardisinterspersedwiththatoftheotherwell-behavedoperations.
Recall that the seed Λ is designed to schematically represent the
Example5. ForeachexamplefromSection2.1,wegivethecore- corecursive behavior of the registered operations by describing
cursors that can handle it (assuming the necessary well-behaved how they produce one layer of observable data. The definition in
7 2015/1/23
corecTops (cid:47)(cid:47) corecFlexs (cid:47)(cid:47)
A J(cid:79)(cid:79) A J(cid:79)(cid:79)
s ctor s eval
corecPrims (cid:47)(cid:47) (cid:15)(cid:15) (cid:15)(cid:15)
A J(cid:79)(cid:79)
F(Σ∗A) (cid:59)(cid:59)FJ Σ∗(F(Σ∗A)) Σ∗(cid:79)(cid:79) J
s ctor Feval Σ∗ctor
(cid:15)(cid:15) F(Σ∗(corecTops)) (cid:37)(cid:37) Σ∗(F(Σ∗(corecFlexs))) (cid:40)(cid:40)
FAF(corecPrims)(cid:47)(cid:47)FJ F(Σ∗J) Σ∗(F(Σ∗J))Σ∗(Feval)(cid:47)(cid:47)Σ∗(FJ)
(a)Primitivecorecursion (b)Top-guardedcorecursionup-to (c)Flexiblyguardedcorecursionup-to
Figure2:Thecorecursors
g=corecTops (cid:47)(cid:47)
KJ J(cid:79)(cid:79)
F(A×FA) Λ (cid:47)(cid:47)F(F(cid:79)(cid:79)∗A) K(cid:104)id,dtor(cid:105) (cid:40)(cid:40) ctor
s K(J×FJ) (cid:56)(cid:56)FJ
Fsnd Fop ρ
(cid:15)(cid:15) (cid:15)(cid:15) (cid:118)(cid:118) Feval
F(Fleaf)(cid:47)(cid:47) F(Σ∗g) (cid:47)(cid:47)
F(FA) F(F(F∗A)) F(Σ∗(KJ)) F(Σ∗J)
(a)DefinitionofΛfortheinitialstate (b)Anewwell-behavedoperationg
Figure3:DefinitionsofΛandg
Figure 3a depicts this for ctor and instantiates to the schematic Theorem8. If(K, f,Λ)isawell-formedcorecursionstate,sois
behaviorofSConspresentedattheendofExample4. nextStateg(K, f,Λ).
Theorem7. initStateisawell-formedcorecursionstate—i.e.,it In summary, we have the following scenario triggering the
satisfiesparametricityandwell-behavedness. state’sadvancement:
3.6 AdvancingtheCorecursionState 1. Onedefinesanewoperationg=corecTops.
Theroleofacorecursionstate(K, f,Λ)forJistoprovideinfras- 2. Oneshowsthat sfactorsthroughaparametricfunctionρand
tructureforflexiblecorecursivedefinitionsoffunctionsgbetween K(cid:104)id,dtor(cid:105)(asinFigure3b);inotherwords,oneshowsthatg’s
arbitrary sets A and J. If nothing else is known about A, this is corecursivebehavior sdecomposesintoaone-stepdestruction
theendofthestory.However,assumethatJisacomponentofA, of the arguments and a parametric transformation (which is
inthatAisconstructedfromJ(possiblyalongwithothercompo- independentofJ).
nents).Forexample,AcouldbeListJ,orJ×(Nat→ListJ).We 3. ThecorecursionstateisupdatedbynextStateg.
capturethisabstractlybyassumingA=KJforsomefunctorK.
Inthiscase,wehaveafruitfulsituationofwhichwecanprofit Example 9. The operations onetwos, ⊕, ⊗, and exp from Sec-
forimprovingthecorecursionstate,andhenceimprovingtheflex- tion 2.1 are covered by this scenario. For example, assume that
ibilityoffuturecorecursivedefinitions.Undersomeuniformityas- SConsand⊕areregisteredaswellbehavedatthetimeofdefin-
sumptions,gitselfcanberegisteredaswellbehaved. ing⊗(cf.Example4).ThenK=(λA.A2)and⊗=corecTops,
More precisely, assume that g:KJ→J is defined by g= where
corecTopsandthatscanbeprovedtobeuniforminthefollowing
s=(λ(xs,ys).(headxs×headys,
sFen(Σse∗:T(KheAre))exsiusctshathpaatrasm=etρric◦fKun(cid:104)cidti,odntoρr:(cid:105)∏(FAi∈gSuerteK3(bA).×TFheAn)w→e leaf(xs,tailys) ⊕ leaf(tailxs,ys)))
can integrate g as a well-defined operation as follows. We define Thefunctionsdecomposesintoρ◦K(cid:104)id,(cid:104)head,tail(cid:105)(cid:105),where
nasex(tKS(cid:48)t,aft(cid:48)e,gΛ(K(cid:48)),,wf,hΛer)e, the “next” corecursion state triggered by g, ρ:∏A∈Set(A×(Nat×A))2→Nat×Σ∗(A2)
• fKo(cid:48)r=the(Ks1ig,n..a.tu,rKenf,uKn)ct(osrimofilaKrl(cid:48)y; ntooteΣthvaetrswues eKs,sewnetiawllryitehaΣve(cid:48) iwshdiecfihniesdcbleyaρrl(y(ap,a(rmam,ae(cid:48)t)r)ic,.(bT,h(en,abc(cid:48)t))o)f=de(tmer×mnin,i(nag,bρ(cid:48))fr⊕om(a(cid:48)s,ba)n)d,
Σ(cid:48)=Σ+K); K(cid:104)id,(cid:104)head,tail(cid:105)(cid:105)issyntax-directed.
• f(cid:48)=(f1,..., fn,g); 3.7 CoinductionUp-to
• Λ(cid:48):∏A∈SetΣ(cid:48)(A×FA)→F(Σ(cid:48)∗A)isdefinedas[Λ◦FembL, Inaproofassistant,specificationmechanismsarenotveryuseful
ρ◦FembR]where[_,_]isthecaseoperatoronsums,which unlesstheyarecomplementedbysuitablereasoninginfrastructure.
buildsafunction[u,v]:B+C→Dfromtwofunctionsu:B→ Thenaturalcounterpartofcorecursionup-toiscoinductionup-to.
Dandv:C→D,andembL:Σ∗A→Σ(cid:48)∗A,embR:Σ∗(KA)→ In our incremental framework, the expressiveness of coinduction
Σ(cid:48)∗AarethenaturalembeddingsintoΣ(cid:48)∗A. up-togrowstogetherwiththatofcorecursionup-to.
8 2015/1/23
Westartwithstructuralcoinduction[45],allowingtoprovetwo Σ∗[leaf,flat], where flat:∏A∈SetΣ∗(Σ∗A)→A is the stan-
elementsofJequalbyexhibitinganF-bisimulation,i.e.,abinary dardjoinoperationoftheΣ∗-monad.
relation R on J such that whenever two elements j1 and j2 are • eval evaluatesalltheformaloperationsofΣ∗:
related,theirdtor-unfoldingsarecomponentwiserelatedbyR. _(F_+_)
eval =eval◦Σ∗([ctor◦Feval,eval])
R j j ∀j j ∈J.R j j −→FrelR(dtor j )(dtor j ) _(F_+_)
1 2 1 2 1 2 1 2
j1= j2 Theorem11. Ifthereexists(aunique)g:A→Σ∗(F(Σ∗A))such
Recall that our type constructors are not only functors but also that the diagram in Figure 4a commutes, there exists (a unique)
relators.Thenotionof“componentwiserelationship”referstoF’s f :A→JsuchthatthediagraminFigure4bcommutes,namely,
relatorstructureFrel. corecFlexg.
Uponintegratinganewoperationg(Section3.6),thecoinduc- Thetheoremcertifiesthefollowingprocedureformakingsense
tionruleismademoreflexiblebyallowingthedtor-unfoldingsto ofamixedfixpointdefinitionofafunction f:
becomponentwiserelatednotonlybyRbutmoregenerallybya
closureofRthattakesgintoaccount. 1. Separatetheguardedandtheunguardedcalls(asshowninthe
For a corecursion state (K, f,Λ) and a relation R:J→J→ codomainΣ∗(F(Σ∗A)+Σ∗A)ofs).
Bool,wedefinecl R,the f-congruenceclosureofR,asthesmall- 2. Provethattheunguardedcallseventuallyterminateorleadto
f
estequivalencerelationthatincludesRandiscompatiblewitheach guardedcalls(aswitnessedbyg).
fi:KiJ→J: 3. Pass the unfolded guarded calls to the corecursor—i.e., take
∀z ,z ∈K J.Krel Rz z −→cl R(f z )(f z ) f =corecFlexg.
1 2 i i 1 2 f i 1 i 2
whereKreliistherelatorassociatedwithKi. Example12. TheaboveprocedurecanbeappliedtodefinefacC,
The next theorem supplies the reasoning counterpart of the primes:Nat→Nat→Stream, and cat:Nat→Stream, while
definition principle stated in Theorem 6. It can be inferred from avoidingtheunsoundnasty(Section2.3).Asimpleanalysisreveals
recent,moreabstractresults[43]. thatthefirstself-calltoprimesisguardedwhilethesecondisnot.
Wedefineg:Nat×Nat→Σ∗(Nat×Σ∗(Nat×Nat))by
Theorem10. Thefollowingcoinductionruleupto f holdsinthe
corecursionstate(K, f,Λ): g(m,n)=if(m=0∧n>1)∨gcdmn=1
thenleaf(n,leaf(m×n,n+1))
R j j ∀j j ∈J.R j j −→Frel(cl R)(dtor j )(dtor j )
1 2 1 2 1 2 f 1 2 elseg(m,n+1)
j = j
1 2 Inessence,gbehaveslike(theintended) f exceptthattheguarded
Coinductionupto f istheidealabstractionforprovingequal- callsareleftsymbolic,whereastheunguardedcallsareinterpreted
ities involving functions defined by corecursion up to f: For ex- as actual calls to g. One can show that g is well defined by a
ample, a proof of commutativity for ⊗ naturally relies on con- standardterminationargument.Thischaracteristicequationofgis
textsinvolving⊕,because⊗’scorecursivebehavior(i.e.,⊗’sdtor- thecommutativityofthediagramdeterminedbysasinFigure4a,
unfolding)dependson⊕. where s:Nat×Nat→Σ∗(Nat×Σ∗(Nat×Nat)+Σ∗(Nat×
Nat))isdefinedasfollows(withInlandInrbeingtheleftandright
sumembeddings):
4. MixedFixpoints
Whenwewritefixpointequationstodefineafunction f,weoften s(m,n)=if(m=0∧n>1)∨gcdmn=1
want to distinguish corecursive calls from calls that are sound thenleaf(Inl(leaf(n,leaf(m×n,n+1))))
for other reasons—for example, if they terminate. We model this elseleaf(Inr(leaf(m,n+1)))
situationabstractlybyafunctions:A→Σ∗(F(Σ∗A)+Σ∗A).As Settingprimes=corecFlexgyieldsthedesiredcharacteristicequa-
usualforeacha,theshapeofsarepresentsthecallingcontextfor tionforprimesaftersimplification(cf.Example4).
f a,withtheoccurrencesofthecontentitemsa(cid:48)insarepresenting
callsto f a(cid:48).Thenewtwististhatwenowdistinguishguardedcalls Theprimesexamplehasallunguardedcallsintailform,which
(capturedbytheleft-handsideof+)frompossiblyunguardedones makestheassociatedfunctiongtail-recursive.Thisneednotbethe
(theright-handsideof+). case,asshownbythecatexample,whoseunguardedcallsoccur
Wewanttodefineafunction f withthebehaviorindicatedby underthewell-behavedoperation⊕.However,wedorequirethat
s,i.e.,makingthediagraminFigure4bcommute.Inthefigure,+ theunguardedcallsoccurincontextsformedbywell-behavedop-
denotes the map function u+v:B+C→D+E built from two erationsalone.Afterunfoldingalltheunguardedcalls,theresulting
functions u:B→D and v:C→E. In the absence of pervasive contextthatistobehandledcorecursivelymustbewellbehaved—
guards, we cannot employ the corecursors directly to define f. thisprecludesunsounddefinitionslikenasty.
However,ifwecanshowthatthenoncorecursivecallseventually
lead to a corecursive call, we will be able to employ corecFlex. 5. FormalizationandImplementation
Thispreconditioncanbeexpressedintermsofafixpointequation.
WeformalizedinIsabelle/HOLthemetatheoryofSections3and4.
According to Figure 4a, the call to g (shown on the base arrow)
Essentially,thismeansthattheresultshavebeenprovedinhigher-
happensonlyontheright-handsideof+,meaningthattheintended
order logic with Infinity, Choice, and a mechanism for defining
corecursivecallsareignoredwhen“computing”thefixpointg.Our
typesbyexhibitingnon-emptysubsetsofexistingtypes.Thelogic
goalistoshowthattheremainingcallsbehaveproperly.
iscomparabletoZermelosettheorywithChoice(ZC)butweaker
The functions reduce and eval that complete the diagrams of
thanZFC.Thedevelopmentwouldworkforanyclassoffunctors
Figure4aretheexpectedones:
that are relators (or closed under weak pullbacks), contain basic
• The elements of Σ∗(F(Σ∗A)) are formal-expression trees functors(identity,(co)products,etc.)andareclosedunderintersec-
guarded on every path to the leaves, and so are the elements tion,composition,andhaveinitialalgebrasandfinalcoalgebrathat
Σ∗(F(Σ∗A)+Σ∗(Σ∗(F(Σ∗A)))),butwithamorerestricted canberepresentedinhigher-orderlogic.However,ourIsabellede-
shape;reduceembedsthelatterintheformer:reduce=flat◦ velopmentfocusesonaspecificclass[49].
9 2015/1/23
A g (cid:47)(cid:47)Σ∗(F((cid:79)(cid:79)Σ∗A)) A f=corecFlexg (cid:47)(cid:47)J(cid:79)(cid:79)
s reduce s eval_(F_+_)
(cid:15)(cid:15) (cid:15)(cid:15)
Σ∗(id+Σ∗g)(cid:47)(cid:47) Σ∗(F(Σ∗f)+Σ∗f)(cid:47)(cid:47)
Σ∗(F(Σ∗A)+Σ∗A) Σ∗(F(Σ∗A)+Σ∗(Σ∗(F(Σ∗A))))) Σ∗(F(Σ∗A)+Σ∗A) Σ∗(F(Σ∗J)+Σ∗J)
(a)Assumption (b)Conclusion
Figure4:Mixedfixpoint
Theformalizationconsistsoftwoparts:Thebasederivesacore- 4. Extractapolymorphicfunctionρfromthespecificationoff.
cursorup-tofromaprimitivecorecursor;thestepstartswithacore-
5. Automaticallyproveρparametricorpasstheproofobligation
cursorup-toandintegratesanadditionalwell-behavedoperation.
totheuser.
ThebasepartstartsbyaxiomatizingafunctorFanddefinesa
codatatype with nesting through F: codatatype J = ctor(FJ). 6. Derivethenewstrengthenedcorecursoranditsnewcoinduction
(Ingeneral,Jcoulddependontypevariables,butthisisanorthog- principle.
onalconcernthatwouldonlycluttertheformalization.)Thenthe Thecoreccommandwillbecomplementedbyanadditionalcom-
formalizationdefinesthefreealgebraoverFandthebasiccorecur- mand,tentativelycalledwell_behaved_for_corec,forregistering
sorseedΛforinitializingthestatewithctoraswellbehaved(Sec- arbitraryoperationsf(notnecessarilydefinedusingcorec)aswell
tion3.5).ItalsoneedstoliftΛtothefreealgebra,atechnicalitythat behaved.Thecommandwillasktheusertoprovideacorecursive
wasomittedinthepresentation.Thenitdefinesevalandothernec- specificationoff asalemmaoftheformf x=Cons ... andthen
essarystructure(Section3.3).Finally,itintroducescorecTopand perform steps 4 to 6. The corec command will become stronger
corecFlex(Section3.4)andderivesthecorrespondingcoinduction andstrongerasmorewell-behavedoperationsareregistered.
principle(Section3.7). The following Isabelle theory fragment gives a flavor of the
Fromahigh-levelpointofview,thestepparthasasomewhat envisionedfunctionalityfromtheuser’spointofview:
similar structure to the base. It axiomatizes a domain functor K
andaparametricfunctionρassociatedwiththenewwell-behaved codatatype StreamA=SCons(head:A)(tail:StreamA)
operation g to integrate. Then it extends the signature to include
K, defines the extended corecursor seed Λ(cid:48), and lifts Λ(cid:48) to the corec(well_behaved)⊕:Stream→Stream→Stream
xs⊕ys=SCons(headxs+headys)(tailxs⊕tailys)
free algebra. Next, it defines the parameterized evalg and other
infrastructure (Section 3.6). Finally, it introduces corecTop and corec(well_behaved)⊗:Stream→Stream→Stream
corecFlexforthenewstateandderivesthecoinductionprinciple. xs⊗ys=SCons(headxs×headys)
The process of instantiating the metatheory to particular user- ((xs⊗tailys)⊕(tailxs⊗ys))
specified codatatypes is automated by a prototype tool: the user
pointstoaparticularcodatatype(typicallydefinedusingIsabelle’s lemma⊕_commute: xs⊕ys=ys⊕xs
existing(co)datatypespecificationlanguage[12]),andthenthetool by(coinductionarbitrary:xsysrule:stream.coinduct)auto
takesoverandinstantiatesthegenericcorecursortotheindicated
lemma⊗_commute: xs⊗ys=ys⊗xs
type, provinding the concrete corecursion and mixed recursion-
proof(coinductionarbitrary:xsysrule:stream.coinduct_upto)
corecursiontheorems.Thestreamandtreeexamplespresentedin
caseEq_stream
Section 2 have all been obtained with this tool. As a larger case
thus?caseunfoldingtail_⊗
study, we formalized all the examples from the extended version
by(subst⊕_commute)(autointro:stream.cl_⊕)
ofHinzeandJames’sstudy[22].Theparametricityproofobliga-
qed
tionsweredischargedbyIsabelle’sparametricityprover[24].The
mixedrecursion–corecursiondefinitionsweredoneusingIsabelle’s
6. RelatedWork
facilityfordefiningterminatingrecursivefunctions[29].
Unlike Isabelle’s primitive (co)recursion mechanism [12], our Thereisalotofrelevantwork,concerningboththemetatheoryand
tool currently lacks syntactic sugar support, so it still requires applicationsinproofassistantsandsimilarsystems.Wereferenced
someboilerplatefromtheuser,namelytheexplicinvocationofthe someofthemostcloselyrelatedworkintheearliersections.Here
corecursorandtheparametricityprover:thesearejustafewextra isanattemptatamoresystematicoverview.
lines of script per definition, and therefore the tool is also usable
Category Theory. The notions of corecursion and coinduction
inthecurrentform.Followingthedesignofitsprimitiveancestor,
up-to started with process algebra [44, 47] before they were re-
itsenvisionedfullyuser-friendlyextensionwillreplacetheexplicit
castintheabstractlanguageofcategorytheory[8,22,26,28,38,
invocation of the corecursor with a corec command, allowing
43,50].Ourapproachowesalottothistheoreticalwork,andin-
userstospecifyafunctionfcorecursivelyandthenperformingthe
deed formalizes some state-of-the-art category theoretical results
followingsteps(cf.Example5):
on corecursion and coinduction up-to [38, 43]. Besides adapting
1. Parse the specification of f and synthesize arguments to the existing results to higher-order logic within an incremental core-
cursorcycle,wehavealsoextendedthestateoftheartwithasound
current,mostpowerfulcorecursor.
mechanismformixingrecursionwithcorecursionup-to.
2. Definefintermsofthecorecursor. Categorytheoryprovidesanimpressivebodyofabstractresults
3. Derivetheoriginalspecificationfromthecorecursortheorems. that can be applied to solve concrete problems elegantly. Proof
assistants have a lot to benefit from category theory, as we hope
Passingthewell_behavedoptiontocorecwilladditionallyinvoke to have demonstrated with this paper. There has been prior work
thefollowingprocedure(cf.Example9): onintegratingcoinductionup-totechniquesfromcategorytheory
10 2015/1/23
