Programming modulo representations

Programming modulo representationsCorrectness by Construction Research Project

Dr M Benini

Università degli Studi dell’InsubriaVisiting JAIST until 16th June 2014

[email protected]

5th June 2014

A bizarre idea to discuss

The aim of this talk is to show, through an elementary example, how onecan change the point of view on (functional) programming.

The idea has a philosophical motivation: is it possible to conceive aprogramming system which does not allow to inspect its output and, at thesame time, is able to ensure that the result of a computation is correct?

This talk will provide a positive answer, but its consequences are stillwork-in-progress.

This talk extends the one I gave in Genoa, so I have to apologise to those whohave already listened to the first part as it will be a repetition.

(2 of 18)

Concrete and abstract lists

Usually, lists are defined as the elements of the free algebra over thesignature ⟨{E ,L} , {nil :L,cons :E ×L→ L}⟩.

And, in the standard practice of traditional programming, they arerepresented as follows:■ a cell is a record in the computer memory which contains two fields:

ä the head which is an element in E ;ä the tail of the list which is a list;

■ in turn, a list is a pointer (memory address) to a cell;■ the empty list, nil, becomes the null pointer.Thus, cons is a procedure that allocates a cell, fills the head with its firstparameter, and the tail with the second one, finally returning its address.

Evidently, up to the ability to read computer memory, the result of anycomputation on lists can be inspected.

(3 of 18)

Concrete manipulation of a list

As an example of program, we consider the concatenate function.

Its specification is: “Given the lists [x1, . . . ,xn] and [y1, . . . ,ym], concatenatehas to return the list [x1, . . . ,xn,y1, . . . ,ym]”.

Usually, it is implemented as

concatenate(x ,y)≡if x = nil then return yelse q := x

while q 6= nil dop := qq := q → tail

p → tail := yreturn x

(4 of 18)

Correctness

The previous algorithm is correct. In fact, when x = nil, it returns y ,satisfying the specification.When x 6= nil, x = [x1, . . . ,xn]. So, at the end of the i-th iteration step,p = [xi , . . . ,xn] and q = [xi+1, . . . ,xn], as it is immediate to prove by induction.Also, the cycle terminates after n iterations, and p = [xn].But, in the concrete representation of x , p → tail must be nil and theassignment p → tail := y substitutes nil with y . So x becomes[x1, . . . ,xn,y1, . . . ,ym], as required.

The proof sketched above uses in an essential way the concreterepresentation of the x list, because the algorithm uses “list surgery”.

The algorithm, as one deduces from the proof, computes in O (|x |) steps,and uses a constant amount of memory, apart the one used the representthe input.

(5 of 18)

A functional derivation

Dropping list surgery, we can use the abstract formalisation of lists directly:

concatenate(x ,y)≡if x = nil then return yelse return cons (hdx) (concatenate(tlx ,y))

where hd and tl return the head and the tail of its argument, respectively.

Of course, this is a functional program, and it is justified by the followingreasoning, which can be immediately converted into a formal correctnessproof by induction on the structure of x :1. we want that concatenate([x1, . . . ,xn], [y1, . . . ,ym])= [x1, . . . ,xn,y1, . . . ,ym],2. as before, if x = nil, the result is just y3. when x 6= nil, concatenate([x1, . . . ,xn], [y1, . . . ,ym]) yields the same result

as consx1 (concatenate([x2, . . . ,xn], [y1, . . . ,ym]));4. in the line above, the recursive application decreases the length of the

first argument, so recursion terminates after n steps, yielding the result.

(6 of 18)

Recursion versus induction

In the functional implementation of concatenate, we may interpret therecursive schema as the computational counterpart of an inductive schema.

It is immediate to see that such an inductive schema becomes the skeletonof the correctness proof. So, the functional program “carries” with itself itsproof of correctness, in some sense.

Usually, the functional implementation of concatenate is regarded asinefficient because it recursively constructs a number of intermediate listsbefore yielding the final results. That is, the functional program computes inO (|x |) steps, but it uses O

(|x |2) memory cells in a plain implementation ofthe language.

To inspect the result we need to know that nil and cons are the constructorsof the data type of lists, a piece of knowledge that is shared between theuser and the programmer.

(7 of 18)

Abstracting over lists

We formalised a list [x1, . . . ,xm] as consx1 (consx2 (. . .(consxm nil) . . .)). Wecan use a slightly different representation1:

λn,c . c x1 (c x2 (. . .(c xm n) . . .)) .

The key idea is to abstract over the structure of the data type, making itpart of the representation of the datum.

Alternatively, we can interpret this representation A as the abstract datum,and the concrete one, C can be obtained by passing the instances of theconstructors to A.

For example, the standard formalisation is obtained by (Anil cons).

1As far as I know, the general algorithm to derive such a representation is due toBöhm and Berarducci, and it can be traced back to Church. But the paper of Böhm andBerarducci is subtle as it relies on a typed λ-system.

(8 of 18)

Abstracting one step further

In fact, it is possible, by assuming that the λ-calculus (type theory) we areusing has pairs, to abstract a bit further, so to completely hide the datatype. Instead of writing [x1, . . . ,xm] as

λn,c . c x1 (c x2 (. . .(c xm n) . . .)) ,

we may substitute the constructors with the data type a, which is a 2-tuple,the first element being the concrete representation for nil, the second beingthe concrete representation for cons:

λa.π2 a x1 (π2 a x2 (. . .(π2 a xm (π1 a)) . . .)) ,

where π1 and π2 are the standard projections.

In this way, the programmer does not know how the list is concretelyrepresented, but simply that the first element of a is how to interpret nil andthe second element of a is how to represent cons.

(9 of 18)

Interpreting abstract lists

An abstract list can be thought of as representing a term in the first-orderlogical language with the equality relation symbol, and the signature of thedata type of lists.

The λ-term standing for the abstract list realises the mapping from thelogical term — the list, the body of the abstraction — into some model,which is specified when we apply to the λ-term the way to interpret thefunction symbols, which, in turn, are not specified.

If we fix this point of view, we can write a “correct by construction”implementation of concatenate:

concatenate ≡λx ,y ,a. x⟨(y a) ,(π2 a)

⟩.

(10 of 18)

Correctness by construction I

concatenate ≡λx ,y ,a. x⟨(y a) ,(π2 a)

⟩It is worth explaining the construction of this program:1. it is a function, which takes two argument x and y ;2. it returns an abstract list, so a λ-term of the form λa. L, with L a logical

term in the language of lists, the constructors represented as projectionsfrom the signature a;

3. the y abstract list gets interpreted in the same model as the result ofconcatenate — and this is rendered by (y a);

4. the x abstract list gets interpreted in a model which has the sameinterpretation for cons, (π2 a), but it interprets nil as the ‘concrete’ y .

We should remark that, in fact, this abstract implementation is, in essence,the very same algorithm we have shown in the beginning, deprived from theirrelevant details about the concrete data structure of lists. So, it is anefficient functional implementation.

(11 of 18)

Correctness by construction II

concatenate ≡λx ,y ,a. x⟨(y a) ,(π2 a)

⟩The above definition is a direct coding of the explanation. In turn, theexplanation can be converted into a correctness proof by observing that■ the structure depicted in point (4) is a model for the theory of lists;■ there is a mapping that preserves the meaning between the standard termmodel and the model above;

■ this mapping is just the function concatenate.

The idea behind this proof is that the function concatenate, intended as aprogram, is nothing but a morphism between models of the same theory.

A non-evident aspect of the explanation of concatenate is that it correctlyoperates in any model for the theory of lists.

(12 of 18)

One program, many meanings

For example, natural numbers, described as the structure generated by zeroand successor, are a model for lists: cons≡λe, l . suc l and nil≡ 0. Andconcatenate becomes just the usual addition.

For example, interpreting cons as the Cartesian product and nil as theterminal object in a category with products, we get another model for lists.And concatenate becomes just the Cartesian product of two products.

For example, interpreting cons as function application and nil as the identityfunction, we get another model for lists. And concatenate becomes functioncomposition.

And, in all these cases, the programmer is not aware of what his program isactually computing. But, still, as far as he assumes that there is morphismbetween the standard representation of lists and the intended concretestructure the program will operate on, he will be able to prove that hisprogram is correct.

(13 of 18)

Interpretations and computing

Suppose to have three actors: the real user of the program; the programmer;and a malicious user of the program.

Since the real user can invoke the program by providing the inputs x and y ,but not the concrete interpretation, he will obtain an abstract result which isa program that takes as input just the concrete representation a, somethinghe can use locally and privately.

The programmer knows that the purpose of the program is to concatenatelists, and he is able to write a correct implementation, even if he does notknow how lists are concretely represented. So, he cannot inspect the outputof the user, but he is able to test the program in the usual way by employinga standard representation for lists.

The malicious user, who wants to steal the result of the real user, caninspect x and y , as well as the program, but he does not know a, as the realuser does not provide it. So he can inspect the abstract result, but he will beunable to understand its meaning in the world of the real user.

(14 of 18)

Generalising

■ Does it work only for lists?The theory behind the abstract representation for data types has beendeveloped by Böhm and Berarducci, and it directly applies to all the datastructures that can be formalised as free algebras of terms over afirst-order signature. This holds for a large number of the elementarystructures which are used in the current practice of programming. In asimilar way, co-inductive data structures can be modelled as well.For data structures which are not free (co-)algebras, there are still someopen problems, but, to some extent, they can be modelled in the samespirit — essentially, most data types used in programming are quotientsof free (co-)algebras, so the inductive pattern still works, that is,recursion on the structure of the free (co-)algebra is a correct way toperform computation, even if not necessarily efficient.

■ Does it work in a “real” programming language?As far as the programming language supports the dynamic creation offunctions, e.g., by providing abstraction, the technique can beimmediately used. This is the case for any functional language.

(15 of 18)

A philosophical remark

Any program which takes as input the description of the data types it uses,in the abstract sense we introduced earlier, automatically computes moduloa concrete representation.

Nothing prevents to use arbitrary representations: as far as one can providea morphism from the free (co-)algebra of terms to the intended model, theresult will be correctly computed.

Using a bizarre representation hides the result to the programmer and to anyother user who does not know the morphism that maps the abstract resultinto its concrete representation. So, this technique, in principle, may providea way to perform anonymous correct computations.

On another side, nothing prevents from using a non-computable concreterepresentation: in this way, the result cannot be inspected even by the user,although he perfectly knows, by means of a mathematical proof, that it iscorrect. So, inspectability and computability are distinct concepts and, inparticular, the latter does not imply the former.

(16 of 18)

Conclusions

In the previous slide there is a hidden assumption: that the logical theoryhas a canonical model which can be transformed into a any other model viaa suitable mapping.

This is not true in general. So the presented point of view can be stretchedonly when considering logical theories having such a classifying model —which is the case for free (co-)algebras of terms, for example.

In my recent research (and my previous talk here), I’ve shown a semanticsfor first-order intuitionistic logical theories, based on a categorical setting,which has classifying models. So, every such a theory could, in principle, beregarded as a “data type” in the sense of this talk.

Of course, much work has to be done... so any hint, suggestion, critique,question is mostly welcome!

(17 of 18)

The end

Harmony — © Marco Benini (2014)

(18 of 18)