Foundational Extensible Corecursion JasminChristianBlanchette AndreiPopescu DmitriyTraytel InriaNancy&LORIA,France DepartmentofComputerScience, TechnischeUniversitätMünchen, Max-Planck-InstitutfürInformatik, SchoolofScienceandTechnology, Germany Saarbrücken,Germany MiddlesexUniversity,UK [email protected] [email protected] [email protected] 5 Abstract falls within this fragment, since each call to natsFrom produces 1 one constructor before entering the nested call. Not only is the 0 Thispaperpresentsaformalizedframeworkfordefiningcorecur- equationconsistent,italsofullyspecifiesthefunction’sbehavior. 2 sivefunctionssafelyinatotalsetting,basedoncorecursionup-to The above definition is legitimate only if objects are allowed andrelationalparametricity.Theendproductisageneralcorecur- n to be infinite. This may be self-evident in a nonstrict functional sor that allows corecursive (and even recursive) calls under well- a language such as Haskell, but in a total setting we must care- behavedoperations,includingconstructors.Corecursivefunctions J fullydistinguishbetweenthewell-foundedinductive(oralgebraic) thatarewellbehavedcanberegisteredassuch,therebyincreasing 2 the corecursor’s expressiveness. The metatheory is formalized in datatypes and the non-well-founded coinductive (or coalgebraic) 2 theIsabelleproofassistantandformsthecoreofaprototypetool. datatypes—oftensimplycalleddatatypesandcodatatypes,respec- The corecursor is derived from first principles, without requiring tively.Recursivefunctionsconsumedatatypevalues,peelingoffa ] newaxiomsorextensionsofthelogic. finite number of constructors as they proceed; corecursive func- L tionsproducecodatatypevalues,consistingoffinitelyorinfinitely P Categories and Subject Descriptors F.3.1 [Logics and Mean- manyconstructors.Andinthesamewaythatinductionisavailable . ingsofPrograms]:SpecifyingandVerifyingandReasoningabout asaproofprincipletoreasonaboutdatatypesandterminatingre- s c Programs—Mechanical verification; F.4.1 [Mathematical Logic cursivefunctions,coinductionsupportsreasoningovercodatatypes [ and Formal Languages]: Mathematical Logic—Mechanical theo- andproductivecorecursivefunctions. remproving,Modeltheory Despite their reputation for esotericism, codatatypes have an 1 important role to play in both the theory and the metatheory of v GeneralTerms Algorithms,Theory,Verification programming. On the theory side, they allow a direct embedding 5 of a large class of nonstrict functional programs in a total logic. 2 Keywords (Co)recursion,parametricity,proofassistants, In conjunction with interactive proofs and code generators, this 4 higher-orderlogic,Isabelle enablescertifiedfunctionalprogramming[10].Onthemetatheory 5 side,codatatypesconvenientlycaptureinfinite,possiblybranching 0 processes.Majorproofdevelopmentsrelyonthem,includingthose . 1. Introduction associated with a C compiler [33], a Java compiler [34], and the 1 0 Totalfunctionalprogrammingisadisciplinethatensurescomputa- Javamemorymodel[35]. 5 tionsalwaysterminate.Itisinvaluableinaproofassistant,where Codatatypes are supported by an increasing number of proof 1 nonterminatingdefinitionssuchasfx=fx+1canyieldcontradic- assistants,includingAgda,Coq,Isabelle/HOL,Isabelle/ZF,Matita, : tions.Hence,mostassistantswillacceptrecursivefunctionsonlyif and PVS. They are also present in the CoALP dialect of logic v theycanbeshowntoterminate.Similarconcernsariseinspecifi- programming and in the Dafny specification language. But the i cationlanguagesandverifyingcompilers. abilitytointroducecodatatypesisnotworthmuchwithoutadequate X However, some processes need to run forever, without their supportfordefiningmeaningfulfunctionsthatoperateonthem.For r beinginconsistent.Animportantclassoftotalprogramshasbeen mostsystems,thissupportcanbecharacterizedasworkinprogress. a identified under the heading of productive coprogramming [1, 7, The key question they all must answer is: What right-hand sides 51]: These are functions that progressively reveal parts of their canbesafelyallowedinafunctiondefinition? (potentially infinite) output. For example, given a type of infinite Generally,therearetwomainapproachestosupportrecursive streamsconstructedbySCons,thedefinition andcorecursivefunctionsinaproofassistantorsimilarsystem: Theintrinsicapproach: A syntactic criterion is built into the natsFromn=SConsn(natsFrom(n+1)) logic:terminationforrecursivespecifications,productivity(or guardedness)forcorecursivespecifications.Theterminationor productivitycheckerispartofthesystem’strustedcodebase. Thefoundationalapproach: The(co)recursivespecificationsare reducedtoafixpointconstruction,whichpermitsasimpledef- initionoftheformf=...,wheref doesnotoccurintheright- handside.Theoriginalequationsarederivedastheoremsfrom thisinternaldefinition,usingdedicatedprooftactics. Systemsfavoringtheintrinsicapproachincludetheproofassistants Agda and Coq, as well as tools such as CoALP and Dafny. The [Copyrightnoticewillappearhereonce’preprint’optionisremoved.] mainhurdlefortheirusersisthatsyntacticcriteriaareinflexible; 1 2015/1/23 the specification must be massaged so that it falls within a given Thisextensiblecorecursorgracefullyhandlescodatatypeswith syntacticfragment,eventhoughthedesiredproperty(termination nestingthrougharbitrarytypeconstructors(e.g.,forinfinite-depth orproductivity)issemantic.Butperhapsmoretroublinginsystems Rose trees nested through finite or infinite lists). Thanks to the that process theorems, soundness is not obvious at all and very framework’smodularity,functionspecificationscancombinecore- tedious to ensure; as a result, there is a history of critical bugs cursion with recursion, yielding quite expressive mixed fixpoint interminationandproductivitycheckers,aswewillseewhenwe definitions(Section4).ThisisinspiredbytheDafnytool,butour reviewrelatedwork(Section6).Indeed,Abel[2]observedthat approachissemanticallyfoundedandhenceprovablyconsistent. ThecompletemetatheoryisimplementedinIsabelle/HOL,asa Maybethetimeisripetoswitchtoamoresemanticalnotion combinationofagenericproofdevelopmentparameterizedbyar- ofterminationandguardedness.Thesyntacticguardcondi- bitrarytypeconstructorsandatoolforinstantiatingthemetatheory tiongetsyousomewhere,butthenneedsalotofextensions touser-specifiedinstances(Section5,[13]). andpatchingtoworksatisfactoryinpractice.Formalverifi- Techniques such as corecursion and coinduction up-to have cationofitbecomestoodifficult,andonlyintuitivejustifi- been known for years in the process algebra community, before cationispronetoerrors. theywereembracedandperfectedbycategorytheorists(Section6). This work is part of a wider program aiming at bringing insight fromcategorytheoryintoproofassistants[12,49].Themaincon- IncontrasttoAgdaandCoq,proofassistantsbasedonhigher- tributionsofthispaperarethefollowing: orderlogic(HOL),suchasHOL4,HOLLight,andIsabelle/HOL, generally adhere to the foundational approach. Their logic is ex- • Werepresentinhigher-orderlogicanintegratedframeworkfor pressive enough to accommodate the (co)algebraic constructions recursionandcorecursionabletoevolvebyuserinteraction. underlying (co)datatypes and (co)recursive functions in terms of • We identify a sound fragment of mixed recursive–corecursive functors on the category of sets [49]. The main drawback of this specifications,integrateitinourframework,andpresentseveral approachisthatitrequiresalotofwork,bothconceptualandim- examplesthatmotivatethisfeature. plementational.Moreover,itisnotavailableforallsystems,since itrequiresanexpressiveenoughlogic. • WeimplementtheaboveinIsabelle/HOLwithinaninteractive Because every step must be formally justified, foundational loopthatmaintainstherecursive–corecursiveinfrastructure. definitionalprinciplestendtobesimplerandmorerestrictivethan • Weusethisinfrastructuretoautomaticallyderivemanyexam- theirintrinsiccounterparts.Asatellingexample,codatatypeswere plesthatareproblematicinotherproofassistants. introducedinIsabelle/HOLonlyrecently,almosttwodecadesafter A distinguishing feature of our framework is that it does not their inception in Coq, and they are still missing from the other requiretheusertoprovidetypeannotations.Onthedesignspace, HOLsystems;andcorecursionislimitedtotheprimitivecase,in itliesbetweenthehighlyrestrictiveprimitivecorecursionandthe whichcorecursivecallsoccurunderexactlyoneconstructor. morebureaucraticup-toapproachessuchasclockvariables[7,15] That primitive corecursion (or the slightly extended version andsizedtypes[3],combiningexpressivenessandeaseofuse.The supportedbyCoq)istoorestrictiveisanobservationthathasbeen identificationofthis“sweetspot”canalsobeseenasacontribution. made repeatedly by researchers who use corecursion in Coq and nowalsoIsabelle.LochbihlerandHölzldedicatedapaper[36]to ad hoc techniques for defining operations on corecursive lists in 2. MotivatingExamples Isabelle.Onlyafterintroducingalotofmachinerydotheymanage We demonstrate the expressiveness of the corecursor framework to define their central example—lfilter, a filter function on lazy byexamples,adoptingtheuser’sperspective.Thecasestudiesby (coinductive)lists—andderivesuitablereasoningprinciples. Rutten[46]andHinze[21]onstreamcalculiserveasourstarting We contend that it is possible to combine advanced features point.Streamsofnaturalnumberscanbedefinedas as found in Agda and Coq with the fundamentalism of Isabelle. Thelackofbuilt-insupportforcorecursion,anapparentweakness, codatatype Stream=SCons(head:Nat)(tail:Stream) revealsitselfasastrengthasweproceedtointroducerichnotionsof where SCons:Nat→Stream→Stream is the constructor and corecursion,withoutextendingthetypesystemoraddingaxioms. head:Stream→Nat, tail:Stream→Stream are its selectors. In this paper, we formalize a highly expressive corecursion Althoughtheexamplesmayseemsimpleorcontrived,theywere framework that extends primitive corecursion in the following carefullychosentoshowthemaindifficultiesthatariseinpractice. ways:Itallowscorecursivecallsunderseveralconstructors;ital- lowswell-behavedoperatorsinthecontextaroundorbetweenthe 2.1 CorecursionUp-to constructorsandaroundthecorecursivecalls;importantly,itsup- Asourfirstexampleofacorecursivefunctiondefinition,wecon- portsblendingterminatingrecursivecallswithguardedcorecursive siderthepointwisesumoftwostreams: calls.Thisgeneralcorecursorisaccompaniedbyacorresponding, equally general coinduction principle that makes reasoning about xs⊕ys=SCons(headxs+headys)(tailxs⊕tailys) it convenient. Each of the corecursor, mixed recursor–corecursor, The specification is productive, since the corecursive call occurs andthecoinductionprinciplegrowinexpressivenessduringthein- directlyunderthestreamconstructor,whichactsasaguard(shown teractionwiththeuser,bylearningofnewwell-behavedcontexts. underlined). Moreover, it is primitively corecursive, because the Theconstructionsdrawheavilyfromcategorytheory. topmost symbol on the right-hand side is a constructor and the Before presenting the technical details, we first show through corecursivecallappearsdirectlyasanargumenttoit. exampleshowaprimitivecorecursorcanbeincrementallyenriched Thesesyntacticrestrictionscanberelaxedtoallowconditional toaccepteverrichernotionsofcorecursivecallcontext(Section2). statementsand‘let’expressions[12],butdespitesuchtricksprim- This is made possible by the modular bookkeeping of additional itive corecursion remains hopelessly primitive. The syntactic re- structure for the involved type constructors, including a relator strictionforadmissiblecorecursivedefinitionsinCoqismoreper- structure. This structure can be exploited to prove parametricity missiveinthatitallowsforanarbitrarynumberofconstructorsto theorems,whichensurethesuitabilityofoperatorsasparticipants guardthecorecursivecalls,asinthefollowingdefinition: to the call contexts, in the style of coinduction up-to. Each new corecursivedefinitionisapotentialfutureparticipant(Section3). onetwos=SCons1(SCons2onetwos) 2 2015/1/23 OurframeworkachievesthesameresultbyregisteringSConsas supX=SCons((cid:70)(fimageheadX))(sup(fimagetailX)) awell-behavedoperation.Intuitively,anoperationiswellbehaved Here,fimagegivestheimageofafinitesetunderafunction,and ifitneedstodestructatmostoneconstructorofinputtoproduce (cid:70)Xisthemaximumofafinitesetofnaturalsor0ifXisempty. oneconstructorofoutput.Forstreams,suchanoperationmayin- specttheheadandthetail(butnotthetail’stail)ofitsarguments 2.2 NestedCorecursionUp-to beforeproducinganSCons.Becausetheoperationpreservespro- ductivity,itcansafelysurroundtheguardingconstructor. Although we use streams as our main example, the framework The rigorous definition of well-behavedness will capture this generallysupportsarbitrarycodatatypeswithmultiplecurriedcon- intuitioninaparametricitypropertythatmustbedischargedbythe structors and nesting through other type constructors. To demon- user.Inexchange,theframeworkyieldsastrengthenedcorecursor stratethislastfeature,weintroducethetypeoffinitelybranching thatincorporatesthenewoperation. Rosetreesofpotentiallyinfinitedepthwithnumericlabels: TheconstructorSConsiswellbehaved,sinceitdoesnoteven codatatype Tree=Node(val:Nat)(sub:ListTree) needtoinspectitsargumentstoproduceaconstructor.Incontrast, theselectortailisnotwellbehaved—itmustdestructtwolayersof ThetypeTreehasasingleconstructorNode:Nat→ListTree→ constructorstoproduceone: Treeandtwoselectorsval:Tree→Natandsub:Tree→ListTree. TherecursiveoccurrenceofTreeisnestedinthefamiliarpolymor- tailxs=SCons(head(tailxs))(tail(tailxs)) phicdatatypeoffinitelists. The presence of non-well-behaved operations in the corecursive Wefirstdefinethepointwisesumoftwotreesanalogouslyto⊕: call context is enough to break productivity, as in the example t(cid:1)u=Node(valt+valu) stallA=SCons1(tailstallA),whichstallsimmediatelyafterpro- (map(λ(t(cid:48),u(cid:48)).t(cid:48)(cid:1)u(cid:48))(zip(subt)(subu))) ducingoneconstructor,leavingtailstallAunspecified. Another instructive example is the function that keeps every Here,mapisthestandardmapfunctiononlists,andzipconverts otherelementinastream: two parallel lists into a list of pairs, truncating the longer list if necessary. The criterion for primitive corecursion for nested everyOtherxs=SCons(headxs)(everyOther(tail(tailxs))) codatatypes requires the corecursive call to be applied through The function is not well behaved, despite being primitive core- map, which is the case for (cid:1). Moreover, by virtue of being well cursive.Italsobreaksproductivity:stallB=SCons1(everyOther behaved,(cid:1)canbeusedtodefinetheshuffleproductoftrees: stallB)stallsafterproducingtwoconstructors. Goingbacktoourfirstexample,weobservethattheoperation⊕ t(cid:2)u=Node(valxs×valys) (map(λ(t(cid:48),u(cid:48)).(t(cid:2)u(cid:48))(cid:1)(t(cid:48)(cid:2)u))(zip(subt)(subu))) iswellbehaved.Hence,itisallowedtoparticipateincorecursive call contexts when defining new functions. In this respect, the Again, the corecursive call takes place inside map, but this time frameworkismorepermissivethanCoq’ssyntacticrestriction.For alsointhecontextof(cid:1).Thespecificationof(cid:2)iscorecursiveup-to example,wecandefinethestreamofFibonaccinumbersineither andwellbehaved. ofthefollowingtwoways: 2.3 MixedRecursion–Corecursion fibA=SCons0(SCons1fibA⊕fibA) fibB=SCons0(SCons1fibB)⊕SCons0fibB It is often convenient to let a corecursive function perform some finite computation before producing a constructor. With mixed Well-behavedoperationsareallowedtoappearbothunderthecon- recursion–corecursion,afinitenumberofunguardedrecursivecalls structorguard(asinfibA)andaroundit(asinfibB).Noticethattwo performthiscalculationbeforereachingaguardedcorecursivecall. guardsarenecessaryinthesecondexample—oneforeachbranch Theintuitivecriterionforacceptingsuchdefinitionsisthatthe ofthe⊕operator.Incidentally,wearenotawareofanyotherframe- unguardedrecursivecallcouldbeunfoldedtoarbitraryfinitedepth, workthatallowssuchdefinitions.Withoutrephrasingthespecifi- ultimatelyyieldingapurelycorecursivedefinition.Anexampleis cation,fibBcannotbeexpressedinRutten’sformatofbehavioral theprimesfunctiontakenfromDiGianantonioandMiculan[17]: differentialequations[46]orinHinze’ssyntacticrestriction[21], norviaAgdacopatterns[5,6]. primesmn=if(m=0∧n>1)∨gcdmn=1 Manyusefuloperationsarewellbehavedandcanthereforepar- thenSConsn(primes(m×n)(n+1)) ticipateinfurtherdefinitions.FollowingRutten,theshuffleproduct elseprimesm(n+1) ⊗oftwostreamsisdefinedintermsof⊕.Shuffleproductbeing When called with m=1 and n=2, this function computes the itselfwellbehaved,wecanemployittodefinestreamexponentia- streamofprimenumbers.Theunguardedcallintheelsebranch tion,whichalsoturnsouttobewellbehaved: incrementsitssecondargumentnuntilitiscoprimetothefirstargu- xs⊗ys=SCons(headxs×headys) mentm(i.e.,thegreatestcommondivisorofmandnis1).Forany ((xs⊗tailys)⊕(tailxs⊗ys)) positiveintegersmandn,thenumbersmandm×n+1arecoprime, yielding an upper bound on the number of times n is increased. expxs=SCons(2ˆheadxs)(tailxs⊗expxs) Hence,thefunctionwilltaketheelsebranchatmostfinitelyof- Next,weusethedefinedandregisteredoperationstospecifytwo tenbeforetakingthethenbranchandproducingoneconstructor. streams of factorials of natural numbers facA (starting at 1) and Thereisaslightcomplicationwhenm=0andn>1:Withoutthe facB(startingat0): firstdisjunctintheifcondition,thefunctioncouldstall.(Thiscor- nercasewasoverlookedintheoriginalexample[17].) facA=SCons1facA⊗SCons1facA Mixedrecursion–corecursionalsoallowsustogiveadefinition facB=exp(SCons0facB) offactorialswithoutinvolvinganyauxiliarystreamoperations: ComputingthefirstfewtermsoffacAmanuallyshouldconvince facCnai=ifi=0thenSConsa(facC(n+1)1(n+1)) thereaderthatproductivityandefficiencyarenotsynonymous. elsefacCn(a×i)(i−1) Theargumentsofwell-behavedoperationsarenotrestrictedto the Stream type. For example, we can define the well-behaved The recursion in the else branch computes the next factorial by supremumofafinitesetofstreamsbyprimitivecorecursion: meansofanaccumulatoraandadecreasingcounteri.Whenthe 3 2015/1/23 counterreaches0,facCcorecursivelyproducesaconstructorwith distinguished by taking observations (i.e., by applying the head theaccumulatedvalueandresetstheaccumulatorandthecounter. and tail selectors); therefore they must be equal. In other words, Unguardedcallsmayalsooccurunderwell-behavedoperations: equalityisthelargestbisimulation. CreativityisgenerallyrequiredtoinstantiateRwithabisimula- catn=ifn>0thencat(n−1)⊕SCons0(cat(n+1)) tion.However,givenagoall=r,thefollowingcanonicalcandidate elseSCons1(cat1) oftenworks:λst.∃xs.s=l∧t=r,wherexsarevariablesoccur- Thecallcat1computesthestreamofCatalannumbers:C ,C ,..., ringfreeinlorr.Asarehearsal,letusprovethattheprimitively 1 2 whereCi= n+11(cid:0)2nn(cid:1).Thisfactisfarfromobvious.Productivityis corecursiveoperation⊕iscommutative. notentirelyobviouseither,butitisguaranteedbytheframework. Proposition1. xs⊕ys=ys⊕xs. Whenmixingrecursionandcorecursion,itiseasytogetthings wrong in the absence of solid foundations. Consider this appar- Proof. WefirstshowthatR=(λst.∃xsys.s=xs⊕ys∧t=ys⊕ ently unobjectionable specification in which the corecursive call xs) is a bisimulation. We fix two streams s and t for which we isguardedbySConsandtheunguardedcall’sargumentstrictlyde- assumeRst(i.e.,thereexisttwostreamsxsandyssuchthat s= creasestoward0: xs⊕ysandt=ys⊕xs).Next,wemustshowthatheads=headt and R(tail s)(tailt). The first property can be discharged by a nastyn=ifn<2thenSConsn(nasty(n+1)) simplecalculation.Forthesecondone: elseinc(tail(nasty(n−1))) R(tails)(tailt) Here, inc=smap(λx. x+1) and smap is the map function on ←→R(tail(xs⊕ys))(tail(ys⊕xs)) streams. A simple calculation reveals that this specification is in- ←→R(tailxs⊕tailys))(tailys⊕tailxs) consistent because the tail selector before the unguarded call de- ←→∃xs(cid:48)ys(cid:48). tailxs⊕tailys=xs(cid:48)⊕ys(cid:48)∧ structsthefreshlyproducedconstructorfromtheotherbranch: tailys⊕tailxs=ys(cid:48)⊕xs(cid:48) nasty2=inc(tail(nasty1)) Thelastformulacanbeshowntoholdbyselectingxs(cid:48)=tailxsand =inc(tail(SCons1(nasty2))) ys(cid:48)=tailys.Moreover,R(xs⊕ys)(ys⊕xs)holds.Therefore,the =inc(nasty2) thesisfollowsbystructuralcoinduction. Thisisaclosecousinoftheinfamousf x=f x+1examplemen- Ifweattempttoprovethecommutativityof⊗analogously,we tionedintheintroduction.Theframeworkrejectsthisspecification eventuallyencounteraformulaoftheformR(···⊕···)(···⊕···), onthegroundsthatthetailselectorintherecursivecallcontextis because⊗isdefinedintermsof⊕.SinceRmentionsonly⊗but notwellbehaved. not ⊕, we are stuck. An ad hoc solution would be to replace the We conclude this section with a practical example from the canonicalRwithabisimulationthatallowsfordescendingunder⊕. literature.Giventhepolymorphictype However,thiswouldbeneededforalmosteverypropertyabout⊗. codatatype LList(A)= Amorereusablesolutionistostrengthenthecoinductionprin- LNil|LCons(head:A)(tail:LList(A)) ciple upon registration of a new well-behaved operation. The strengthening mirrors the acquired possibility of the new opera- oflazylists,thetaskistodefinethefunctionlfilter:(A→Bool)→ tiontoappearinthecorecursivecallcontext.Itistechnicallyrepre- LList(A)→LList(A)thatfiltersoutallelementsfailingtosatisfy sentedbyacongruenceclosurecl:(Stream→Stream→Bool)→ the given predicate. Thanks to the support for mixed recursion– Stream→Stream→Bool.Thecoinductionup-toprincipleisal- corecursion, the framework transforms what was for Lochbihler mostidenticaltostructuralcoinduction,exceptthatthecorecursive andHölzl[36]aresearchproblemintoaroutineexercise: applicationofRisreplacedbyclR: lfilterPxs=if∀x∈xs.¬Pxs Rlr ∀st.Rst−→heads=headt∧clR(tails)(tailt) thenLNil l=r elseifP(headxs) The principle evolves with every newly registered well-behaved thenLCons(headxs)(lfilterP(tailxs)) operationinthesensethatourframeworkrefinesthedefinitionof elselfilterP(tailxs) thecongruenceclosurecl.(Strictlyspeaking,afreshsymbolcl(cid:48) is The first self-call is corecursive and guarded by LCons, whereas introducedeachtime.)Forexample,afterregisteringSConsand⊕, thesecondself-callisterminating,becausethenumberof“false” clRistheleastreflexive,symmetric,transitiverelationcontainingR elementsuntilreachingthenext“true”element(whoseexistenceis andsatisfyingtherules guaranteedbythefirstifcondition)decreasesbyone. x=y clRxsys clRxsys clRxs(cid:48)ys(cid:48) 2.4 CoinductionUp-to clR(SConsxxs)(SConsyys) clR(xs⊕xs(cid:48))(ys⊕ys(cid:48)) Onceacorecursivespecificationhasbeenacceptedasproductive, After defining and registering ⊗, the relation clR is extended to we normally want to reason about it. In proof assistants, codata- alsosatisfy types are accompanied by a notion of structural coinduction that clRxsys clRxs(cid:48)ys(cid:48) matchesprimitivelycorecursivefunctions.Fornonprimitivespeci- clR(xs⊗xs(cid:48))(ys⊗ys(cid:48)) fications,ourframeworkprovidesthemoreadvancedproofprinci- pleofcoinductionuptocongruence—orsimplycoinductionup-to. Letusapplythestrengthenedcoinductionprincipletoprovethe Thestructuralcoinductionprincipleforstreamsisasfollows: distributivityofstreamexponentiationoverpointwiseaddition: Rlr ∀st. Rst−→heads=headt∧R(tails)(tailt) Proposition2. exp(xs⊕ys)=expxs⊗expys. l=r Proof. WefirstshowthatR=(λst.∃xsys.s=exp(xs⊕ys)∧t= Coinductionallowsustoproveanequalityonstreamsbyproviding expxs⊗expys)isabisimulation.Wefixtwostreams sandtfor a relation R that relates the left-hand side with the right-hand whichweassumeRst(i.e.,thereexisttwostreamsxsandyssuch side (first premise) and that constitutes a bisimulation (second thats=exp(xs⊕ys)andt=expxs⊗expys).Next,weshowthat premise). Streams that are related by a bisimulation cannot be heads=headtandclR(tails)(tailt): 4 2015/1/23 heads=head(exp(xs⊕ys))=2ˆhead(xs⊕ys) • afunctorialactionFmap:∏A,B∈Setn∏ni=1(Ai→Bi)→FA→ =2ˆ(headxs+headys)=2ˆheadxs×2ˆheadys F B, i.e., a polymorphic function of the indicated type that =head(expxs)×head(expys) commuteswithidentityidA:A→Aandcomposition; =head(expxs⊗expys)=headt • a relator Frel : ∏A,B∈Setn∏ni=1(Ai→Bi→Bool) → F A → clR(tails)(tailt) FB→Bool,i.e.,apolymorphicfunctionoftheindicatedtype ←→clR(tail(exp(xs⊕ys)))(tail(expxs⊗expys)) whichcommuteswithbinary-relationidentityandcomposition. ←→clR((tailxs⊕tailys)⊗exp(xs⊕ys)) (expxs⊗(tailys⊗expys)⊕(tailxs⊗expxs)⊗expys) Followingstandardnotationfromcategorytheory,wewriteFin- ←→∗ clR((tailxs⊗exp(xs⊕ys)⊕tailys⊗exp(xs⊕ys)) stead of Fmap. Given binary relations Ri :Ai → Bi →Bool for (tailxs⊗(expxs⊗expys)⊕tailys⊗(expxs⊗expys) 1≤i≤n,wethinkofFrelR:FA→FB→Boolasthenatural ⊕ ←−clR(tailxs⊗exp(xs⊕ys))(tailxs⊗(expxs⊗expys))∧ lifting of R along F; for example, if F is List (and hence n=1), clR(tailys⊗exp(xs⊕ys))(tailys⊗(expxs⊗expys)) Frelliftsarelationonelementstothecomponentwiserelationon ⊗ ←−clR(tailxs)(tailxs)∧clR(tailys)(tailys)∧ lists(alsorequiringequallength).Itiswellknownthatthepositive clR(exp(xs⊕ys))(expxs⊗expys) typeconstructorsdefinedbystandardmeans(basictypes,compo- ←−R(exp(xs⊕ys))(expxs⊗expys) sition,leastorgreatestfixpoints)havecanonicalfunctorialandre- latorstructure.Thisiscrucialforthefoundationalconstructionof Thestepmarkedwith∗appealstoassociativityandcommutativity user-specified(co)datatypesinIsabelle/HOL[49]. of⊕and⊗aswellasdistributivityof⊗over⊕.Theseproperties But even nonpositive type constructors G : Setn → Set ex- arelikewiseprovedbycoinductionup-to.Theimplicationsmarked with⊕and⊗arejustifiedbytherespectivecongruencerules.The hibitarelator-likestructureGrel:∏A,B∈Setn (A→B)→(GA→ GB→Bool) (which need not commute with relation composi- lastimplicationusesreflexivityandexpandsRtoitsclosureclR. tion, though). For example, if G : Set2 → Set is the function- Finally,itiseasytoseethatR(exp(xs⊕ys))(expxs⊗expys) space constructor G (A ,A ) = A → A and f ∈ G (A ,A ), 1 2 1 2 1 2 holds.Therefore,thethesisfollowsbycoinductionup-to. g∈G(B ,B ),R :A →B →Bool,andR :A →B →Bool, 1 2 1 1 1 2 2 2 Theformalizationaccompanyingthispaper[13]alsocontains thenGrelR1R2 f gisdefinedas∀a1∈A1.∀b1∈B1.R1a1b1−→ proofs of facA=facC111=smapfac(natsFrom1), facB= R2 (f a1) (g b1). A polymorphic function c : ∏A∈SetnG A, c SCons1facA,andfibA=fibB,wherefacisthefactorialonNat. is called parametric [41, 52] if ∀A,B ∈ Setn. ∀R : A → B → Nested corecursion up-to is also reflected with a suitable Bool.GrelRc c . The maintenance of relator-like structures is A B strengthened coinduction rule. For Tree, this strengthening takes veryhelpfulforautomatingtheoremtransferalongisomorphisms place under the rel operator on list, similarly to the corecursive andquotients[24].Hereweexploreanadditionalbenefitofmain- callsoccurringnestedinthemapfunction: taining functorial and relator structure for type constructors: the possibilitytoextendthecorecursorinreactiontouserinput. Rlr ∀st.Rst−→vals=valt∧rel(clR)(subs)(subt) Inthissection,weassumethatalltheconsideredtypeconstruc- l=r tors are both functors and relators, that they include basic func- TherelRoperatorliftsthebinarypredicateR:A→B→Boolto torssuchasidentity,constant,sum,andproduct,andthattheyare a predicate ListA→ListB→Bool. More precisely, relRxsys closedunderleastfixpoints(initialalgebras)andgreatestfixpoints holds if and only if xs and ys have the same length and parallel (final coalgebras). Examples of such classes of type constructors elements of xs and ys are related by R. This nested coinduction includethedatafunctors[20],thecontainers[1],andthebounded ruleisconvenientprovidedthereissomeinfrastructuretodescend naturalfunctors[49]. underrel(asisthecaseinIsabelle/HOL).Theformalization[13] Wefocusonthecaseofaunarycodatatype-generatingfunctor establishesseveralarithmeticpropertiesof(cid:1)and(cid:2). F:Set→Set.Thecodatatypeofinterestwillbeitsgreatestfixpoint (orfinalcoalgebra)J=gfpF.Thisgenericsituationalreadycovers 3. ExtensibleCorecursors thevastmajorityofinterestingcodatatypes,sinceFcanrepresent arbitrarilycomplexnesting.Forexample,ifF=(λA.Nat×ListA), Wenowdescribethedefinitionalandproofmechanismsthatsub- thenJcorrespondstotheTreecodatatypepresentedinSection2.2. stantiate flexible corecursive definitions in the style of Section 2. The extension to mutually defined codatatypes is straightforward They are based on the modular maintenance of infrastructure for buttedious.OurexampleswilltakeJtobetheStreamtypefrom thecorecursorassociatedwithacodatatype,withthepossibilityof Section2,withF=(λA.Nat×A). open-endedincrementalimprovement.Wepresenttheapproachfor GivenasetA,itwillbeusefultothinkoftheelementsx∈FAas anarbitrarycodatatypegivenasthegreatestfixpointofanarbitrary consistingofashapetogetherwithcontentthatfillstheshapewith (bounded)functor.Theapproachisquitegeneralanddoesnotrely elementsof A.IfFA=Nat×A,theshapeof x=(n,a)is(n,_) onanyparticulargrammarforspecifyingcodatatypes. andthecontentisa;ifFA=ListA,theshapeof x=[x1,...,xn] Extensibilityisanintegralfeatureoftheframework.Inprinci- isthen-slotcontainer[_,...,_]andthecontentconsistsofthexi’s. ple,animplementationcouldredotheconstructionsfromscratch According to this view, for each f : A → B, the functorial each time a well-behaved operation is registered, but it would actionassociatedwithFsendsany xintoanelementF f xofthe give rise to a quadratic number of definitions, slowing down the same shape as x but with each content item a replaced by f a. proofassistant.Theincrementalapproachisalsomoreflexibleand Technically, this view can be supported by custom notions such future-proof,allowingmixedfixpointsandcompositionwithother ascontainers[1]or,moresimply,viaaparametricfunctionoftype (co)recursors,includingsomethatdonotexistyet. ∏A∈SetFA→SetAthatcollectsthecontentelements[49]. 3.1 FunctorsandRelators 3.2 PrimitiveCorecursion Functionalprogramminglanguagesandproofassistantsnecessar- ilymaintainadatabaseoftheuser-definedtypesor,moregenerally, ThecodatatypethatdefinesJalsointroducestheconstructorand typeconstructors,whichcanbethoughtasfunctionsF:Setn→Set destructorbijectionsctor:FJ→Janddtor:J→FJandtheprim- operatingonsets(orperhapsonorderedsets).Itisoftenusefulto itivecorecursorcorecPrim:∏A∈Set(A→FA)→A→Jcharacter- maintainmorestructurealongwiththesetypeconstructors: izedbytheequationcorecPrimsa=ctor(F(corecPrims)(sa)). 5 2015/1/23 Inelementsx∈FA,theoccurrencesofcontentitemsa∈Ainthe shapeofxcapturesthepositioningofthecorecursivecalls. KiJ fi (cid:47)(cid:47)J(cid:79)(cid:79) Example3. Modulocurrying,thepointwisesumofstreams⊕is definableascorecPrims,bytakings:Stream2→Nat×Stream2 Λ◦Σ(cid:104)id,dtor(cid:105)◦ιi ctor tobeλ(xs,ys).(headxs+headys,(tailxs,tailys)). (cid:15)(cid:15) In Example 3 and elsewhere, we lighten notation by identify F(Σ∗J) Feval (cid:47)(cid:47)FJ thecurriedanduncurriedformsoffunctions,countingonimplicit coercionsbetweenthetwo. Figure1:Thewell-behavednesscondition 3.3 TheCorecursionState GivenanyfunctorΣ:Set→Set,wedefineitsfree-monadfunctor Butwhatguaranteesthatthe fi’sareindeedsafeascontextsfor Σ∗ by Σ∗A=lfp(λB. A+Σ B). We write leaf :A→Σ∗A and corecursivecalls?Inparticular,howcantheframeworkexcludetail op:Σ(Σ∗A)→Σ∗AfortheleftandrightinjectionsintoΣ∗A. whileallowingSCons,⊕,and⊗?Thisiswheretheparametricity Thefunctionsleafandopareinfactpolymorphic;forexample, andwell-behavednessconditionsonthestateenterthepicture. leaf hastype∏A∈SetA→Σ∗A.Weoftenomitthesetparameters Westartwithwell-behavedness.Assumex∈Ki,whichisunam- ofpolymorphicfunctionsiftheycanbeinferredfromthecontext, biguouslyrepresentedinΣasιix.Let j1,..., jm∈Jbethecontent writingleafandopinsteadofleafAandopA. itemsofιix(placedinvariousslotsintheshapeofx).Toevaluate fi Atanygivenmoment,wemaintainthefollowingdataassoci- onx,wefirstcorecursivelydestructthe j’swhilealsokeepingthe l atedwithJ,whichwecallacorecursionstate: originals,thusreplacingeach j with(j,dtor j).Thenweapply l l l the transformation Λ to obtain an element of F(Σ∗J), which has • afinitenumberoffunctorsK1,...,Kn:Set→Setand,foreach anF-shapeatthetop(thefirstproducedobservabledata)andfor Ki,afunction fi:KiJ→J; eachslotinthisshapeanelementofΣ∗J,i.e.,aformal-expression • apolymorphicfunctionΛ:∏A∈SetΣ(A×FA)→F(Σ∗A). treehavingleavesinJandbuiltusingoperationsymbolsfromthe Wecallthe fi’sthewell-behavedoperationsanddefinetheircollec- signature(thecorecursivecontinuation): tiisvtehseigsntaantduarerdfuenmctboerdΣdinasgλoAf.KKi1inAto+Σ··.·+WKencaAll,wΛhtehreecιio:rKeciu→rsoΣr KiJ−ι→i ΣJΣ(cid:104)−id→,dtor(cid:105)Σ(J×FJ)−Λ→F(Σ∗J) seed.Thecorecursionstateissubjecttothefollowingconditions: Insummary,Λisaschematicrepresentationofthemutuallycore- Parametricity: Λisparametric. cursivebehaviorofthewell-behavedoperationsuptotheproduc- tionofthefirstobservabledata.Thisintuitionismadeformalinthe Well-behavedness: Each fisatisfiesthecharacteristicequation well-behavednesscondition,whichstatesthatthediagraminFig- fix=ctor(Feval(Λ(Σ(cid:104)id,dtor(cid:105)(ιix)))) ure1commutesforeach fi.(Wecouldreplacetherightupwardar- rowlabeledbyctorwithadownwardarrowlabeledbydtorwithout Theconvolutionoperator(cid:104)_,_(cid:105)buildsafunction(cid:104)f,g(cid:105):B→C×D changingthediagram’smeaning.However,weconsistentlyprefer fromtwofunctions f :B→Candg:B→D,andeval:Σ∗J→J theconstructorviewinourexposition.) isthecanonicalevaluationfunctiondefinedrecursively(usingthe Intheaboveexplanations,wesawthatitsufficestopeeloffone primitiverecursorassociatedwithΣ∗): layer of the arguments ji (by applying dtor) for a well-behaved eval(leaf j)= j operation fi to produce, via Λ, one layer of the result and to delegate the rest of the computation to a context consisting of a eval(opz) =casezofιit⇒ fi(Kievalt) combinationofwell-behavedoperations(anelementofΣ∗J).But (Notethat,ontherecursivecallontherighteval,isappliedtotvia how to formally express that exploring one layer is enough, i.e., “lifting” it through the functor Ki.) Functions having the type of thatapplyingΛ:J×FJ→F(Σ∗J)to(ji,dtor ji)doesnotresult Λandadditionallyassumedparametric(or,equivalently,assumed in a deeper exploration? An elegant way of capturing this is to to be natural transformations) are known in category theory as requirethatΛ,whichisapolymorphicfunction,operateswithout “abstractGSOSrules.”TheywereintroducedbyTuriandPlotkin analyzing J, i.e., that it operates in the same way on A×FA→ [50] and further studied by Bartels [8], Jacobs [26], Hinze and F(Σ∗A)foranysetA.Thisrequirementispreciselyparametricity. James[22],Miliusetal.[38],andothers. Strictlyspeaking,thewell-behavedoperations f arearedundant Thus, a corecursion state is a triple (K, f,Λ). As we will see pieceofdatainthestate(K, f,Λ),since,assumingΛparametric, in Section 3.6, the state evolves as users define and register new we can prove that there exists a unique tuple f that satisfies the functions.The fi’saretheoperationsthathavebeenregisteredas well-behavednesscondition.Inotherwords,theoperations f could safe for participating in the context of corecursion calls. Since fi bederivedonaper-needbasis. hastypeKiJ→J,wethinkofKiasencodingthearityof fi.Then Σ,thesumoftheKi’s,representsthesignatureconsistingofallthe Example 4. Let J = Stream and assume that SCons : Nat× fi’s.Thus,foreachA,Σ∗Arepresentsthesetofformalexpressions Stream→Streamand⊕:Stream2→Streamaretheonlywell- over Σ and A, i.e., the trees built starting from the “variables” in behaved operations registered so far. Then K1 =(λB. Nat×B), A as leaves byapplying operations symbolscorresponding to the f =SCons,K =(λB.B2),and f =⊕.Moreover,Σ∗=lfp(λB. 1 2 2 fi’s.Finally,evalevaluatesinJtheformalexpressionsofΣ∗Jby A+(Nat×B+B2)) consists of formal-expression trees with applyingthefunctions firecursively. leavesin Aandbuiltusingarity-correctapplicationsofoperation IfthefunctorsKi arerestrictedtobefinitemonomialsλA.Aki, symbols corresponding to SCons and ⊕, denoted by SCons and the functor Σ can be seen as a standard algebraic signature and ⊕. Given n∈Nat and a,b∈ A, an example of such a tree is (Σ∗A,op)asthestandardtermalgebraforthissignature,overthe leaf a ⊕ SCons (n,leaf a ⊕ leaf b). If additionally A=J, then variablesA.However,weallowKitobemoreexotic;forexample, evalappliedtotheabovetreeisa ⊕ SConsn(a ⊕ b). KiA can be ANat (representing an infinitary operation) or one of But what is Λ? As we show below, we need not worry about ListA and FinSetA (representing an operation taking a varying the global definition of Λ, since both Σ and Λ will be updated finitenumberoforderedorunorderedarguments). incrementally when registering new operations as well behaved. 6 2015/1/23 Nonetheless,aglobaldefinitionofΛforSConsand⊕follows: operationswereregistered): Λz=casezof ⊕,everyOther: corecFlex,corecTop,corecPrim ι (n,(a,(m,a(cid:48))) ⇒(n, SCons(m,leafa(cid:48))) onetwos,fibA,⊗,exp,sup: corecFlex,corecTop 1 ι ((a,(m,a(cid:48))), (b,(n,b(cid:48))))⇒(m+n,leafa(cid:48) ⊕ leafb(cid:48)) fibB,facA,facB: corecFlex 2 Informally,SConsand⊕exhibitthefollowingbehaviors: WiththeusualidentificationofUnit→JandJ,wecandefinefibA andfacAasfollows: • toevaluateSConsonanumbernandanitemawith(heada, taila)=(m,a(cid:48)), produce n and evaluate SCons on m and a(cid:48), fibA=corecTop(λu:Unit.(0, SCons(1,leafu) ⊕ (leafu))) i.e.,outputSConsn(SConsma(cid:48))=SConsna; facA=corecFlex(λu:Unit.leaf(1,leafu) ⊗ leaf(1,leafu)) • to evaluate ⊕ on a,b with (head a,tail a) = (m,a(cid:48)) and (headb,tailb)=(n,b(cid:48)), produce m+n and evaluate ⊕ on Let us look at fibA closely, comparing its specification fibA= a(cid:48)andb(cid:48),i.e.,outputSCons(m+n)(a(cid:48)⊕b(cid:48)). SCons 0 (SCons 1 fibA ⊕ fibA) with its definition in terms of corecTop. The outer SCons guard (with 0 as first argument) cor- 3.4 CorecursionUp-to respondstotheouterpair(0,_).TheinnerSConsand⊕areinter- Acorecursionstate(K, f,Λ)foranF-definedcodatatypeJconsists pretedaswell-behavedoperationsandrepresentedbythesymbols of a collection of operations on J, fi :Ki J→J, that satisfy the SCons and ⊕ (cf. Example 4). Finally, the corecursive calls of well-behavedness properties expressed in terms of a parametric fibAarecapturedbyleafu. functionΛ.Wearenowreadytoharvestthecropofthissetting:a The desired specification can be obtained from the corecTop corecursionprinciplefordefiningfunctionshavingJascodomain. formbythecharacteristicequationofcorecTop(forA=Unit)and Theprinciplewillberepresentedbytwocorecursors,corecTop the properties of eval as follows, where we simply write s, fibA, andcorecFlex.Althoughsubsumedbythelatter,theformerisinter- and leaf instead of their applications to the unique element () of estinginitsownrightandwillgiveustheopportunitytoillustrate Unit,namelys(),fibA(),andleaf(): somefinepoints.Belowwelistthetypesofthesecorecursorsalong fibA withthatoftheprimitivecorecursorforcomparison: = {bythecommutativityofFigure2b Primitivecorecursor: withfibA=corecTops} corecPrim:∏A∈Set(A→FA)→A→J ctor(F(eval◦Σ∗fibA)s) = {bythedefinitionsofFands} Top-guardedcorecursorup-to: corecTop:∏A∈Set(A→F(Σ∗A))→A→J =SCons0((eval◦Σ∗fibA)(SC{obnyst(h1e,dleeafifn)it⊕ion(loefafΣ)∗)}) Flexiblyguardedcorecursorup-to: SCons0(eval(SCons(1,leaffibA) ⊕ (leaffibA)) corecFlex:∏A∈Set(A→Σ∗(F(Σ∗A)))→A→J = {bythedefinitionofeval} Figure 2 presents the diagrams whose commutativity properties SCons0(SCons1fibA⊕fibA) givethecharacteristicequationsofthesecorecursors. TheeliminationofthecorecTopinfrastructurereliesonsimplifica- Eachcorecursorimplementsacontractofthefollowingform: tionrulesfortheinvolvedoperatorsandcanbefullyautomatized. If,foreacha∈A,oneprovidestheintendedcorecursivebehavior ofgarepresentedassa,wheresisafunctionfromA,oneobtains Parametricityandwell-behavednessarecrucialforprovingthat thefunctiong:A→J(asthecorrespondingcorecursorappliedto thecorecursorsactuallyexist: s)satisfyingasuitablefixpointequationmatchingthisbehavior. Theorem6. ThereexistthepolymorphicfunctionscorecTopand Thecodomainof sisthekeytounderstandingtheexpressive- corecFlex making the diagrams in Figures 2b and 2c commute. nessofeachcorecursor.Theintendedcorecursivecallsarerepre- Moreover,foreachsofappropriatetype,corecTopsorcorecFlexs sentedbyA,andthecallcontextisrepresentedbythesurrounding istheuniquefunctionmakingitsdiagramcommute. combinationoffunctors(involvingF,Σ∗,orboth): Theorem 6 is a known result from the category theory litera- • for corecPrim, the allowed call contexts consist of a single ture:ThecorecTopsversionfollowsfromtheresultsinBartels’s constructorguard(representedbyF); thesis[9],whereasthecorecFlexsversionwasveryrecently(and • forcorecTop,theyconsistofaconstructorguard(represented independently)provedbyMiliusetal.[38,Theorem2.16]. byF)followedbyanycombinationofwell-behavedoperations fi(representedbyΣ∗); 3.5 InitializingtheCorecursionState • forcorecFlex,theyconsistofanycombinationofwell-behaved The simplest relaxation of primitive corecursion is the allowance operations satisfying the condition that on every path leading of multiple constructors in the call context, in the style of Coq, toacorecursivecallthereexistsatleastoneconstructorguard as in the definition of onetwos (Section 2.1). Since this idea is (representedbyΣ∗(F(Σ∗_))). independent of the choice of codatatype J, we realize it when bootstrappingthecorecursionstate. We can see the computation of ga by following the diagrams in Moreprecisely,upondefiningacodatatypeJ,wetakethefol- Figure2counterclockwisefromtheirleft-topcorners.Theapplica- lowinginitialcorecursionstateinitState=(K, f,Λ): tionsafirstbuildsthecallcontextsyntactically.Thengisapplied corecursively on the leaves. Finally, the call context is evaluated: • Kisasingletonconsistingof(acopyof)F; forcorecPrim,itconsistonlyoftheguard(ctor);forcorecTop,it • f isasingletonconsistingofctor; involvestheevaluationofthewell-behavedoperators(whichmay also include several occurrences of the guard) and ends with the • Λ:∏A∈SetF(A×FA)→F(F∗A)isdefinedasF(op◦Fleaf◦ evaluation of the top guard; for corecFlex, the evaluation of the snd),wheresndisthesecondproductprojection. guardisinterspersedwiththatoftheotherwell-behavedoperations. Recall that the seed Λ is designed to schematically represent the Example5. ForeachexamplefromSection2.1,wegivethecore- corecursive behavior of the registered operations by describing cursors that can handle it (assuming the necessary well-behaved how they produce one layer of observable data. The definition in 7 2015/1/23 corecTops (cid:47)(cid:47) corecFlexs (cid:47)(cid:47) A J(cid:79)(cid:79) A J(cid:79)(cid:79) s ctor s eval corecPrims (cid:47)(cid:47) (cid:15)(cid:15) (cid:15)(cid:15) A J(cid:79)(cid:79) F(Σ∗A) (cid:59)(cid:59)FJ Σ∗(F(Σ∗A)) Σ∗(cid:79)(cid:79) J s ctor Feval Σ∗ctor (cid:15)(cid:15) F(Σ∗(corecTops)) (cid:37)(cid:37) Σ∗(F(Σ∗(corecFlexs))) (cid:40)(cid:40) FAF(corecPrims)(cid:47)(cid:47)FJ F(Σ∗J) Σ∗(F(Σ∗J))Σ∗(Feval)(cid:47)(cid:47)Σ∗(FJ) (a)Primitivecorecursion (b)Top-guardedcorecursionup-to (c)Flexiblyguardedcorecursionup-to Figure2:Thecorecursors g=corecTops (cid:47)(cid:47) KJ J(cid:79)(cid:79) F(A×FA) Λ (cid:47)(cid:47)F(F(cid:79)(cid:79)∗A) K(cid:104)id,dtor(cid:105) (cid:40)(cid:40) ctor s K(J×FJ) (cid:56)(cid:56)FJ Fsnd Fop ρ (cid:15)(cid:15) (cid:15)(cid:15) (cid:118)(cid:118) Feval F(Fleaf)(cid:47)(cid:47) F(Σ∗g) (cid:47)(cid:47) F(FA) F(F(F∗A)) F(Σ∗(KJ)) F(Σ∗J) (a)DefinitionofΛfortheinitialstate (b)Anewwell-behavedoperationg Figure3:DefinitionsofΛandg Figure 3a depicts this for ctor and instantiates to the schematic Theorem8. If(K, f,Λ)isawell-formedcorecursionstate,sois behaviorofSConspresentedattheendofExample4. nextStateg(K, f,Λ). Theorem7. initStateisawell-formedcorecursionstate—i.e.,it In summary, we have the following scenario triggering the satisfiesparametricityandwell-behavedness. state’sadvancement: 3.6 AdvancingtheCorecursionState 1. Onedefinesanewoperationg=corecTops. Theroleofacorecursionstate(K, f,Λ)forJistoprovideinfras- 2. Oneshowsthat sfactorsthroughaparametricfunctionρand tructureforflexiblecorecursivedefinitionsoffunctionsgbetween K(cid:104)id,dtor(cid:105)(asinFigure3b);inotherwords,oneshowsthatg’s arbitrary sets A and J. If nothing else is known about A, this is corecursivebehavior sdecomposesintoaone-stepdestruction theendofthestory.However,assumethatJisacomponentofA, of the arguments and a parametric transformation (which is inthatAisconstructedfromJ(possiblyalongwithothercompo- independentofJ). nents).Forexample,AcouldbeListJ,orJ×(Nat→ListJ).We 3. ThecorecursionstateisupdatedbynextStateg. capturethisabstractlybyassumingA=KJforsomefunctorK. Inthiscase,wehaveafruitfulsituationofwhichwecanprofit Example 9. The operations onetwos, ⊕, ⊗, and exp from Sec- forimprovingthecorecursionstate,andhenceimprovingtheflex- tion 2.1 are covered by this scenario. For example, assume that ibilityoffuturecorecursivedefinitions.Undersomeuniformityas- SConsand⊕areregisteredaswellbehavedatthetimeofdefin- sumptions,gitselfcanberegisteredaswellbehaved. ing⊗(cf.Example4).ThenK=(λA.A2)and⊗=corecTops, More precisely, assume that g:KJ→J is defined by g= where corecTopsandthatscanbeprovedtobeuniforminthefollowing s=(λ(xs,ys).(headxs×headys, sFen(Σse∗:T(KheAre))exsiusctshathpaatrasm=etρric◦fKun(cid:104)cidti,odntoρr:(cid:105)∏(FAi∈gSuerteK3(bA).×TFheAn)w→e leaf(xs,tailys) ⊕ leaf(tailxs,ys))) can integrate g as a well-defined operation as follows. We define Thefunctionsdecomposesintoρ◦K(cid:104)id,(cid:104)head,tail(cid:105)(cid:105),where nasex(tKS(cid:48)t,aft(cid:48)e,gΛ(K(cid:48)),,wf,hΛer)e, the “next” corecursion state triggered by g, ρ:∏A∈Set(A×(Nat×A))2→Nat×Σ∗(A2) • fKo(cid:48)r=the(Ks1ig,n..a.tu,rKenf,uKn)ct(osrimofilaKrl(cid:48)y; ntooteΣthvaetrswues eKs,sewnetiawllryitehaΣve(cid:48) iwshdiecfihniesdcbleyaρrl(y(ap,a(rmam,ae(cid:48)t)r)ic,.(bT,h(en,abc(cid:48)t))o)f=de(tmer×mnin,i(nag,bρ(cid:48))fr⊕om(a(cid:48)s,ba)n)d, Σ(cid:48)=Σ+K); K(cid:104)id,(cid:104)head,tail(cid:105)(cid:105)issyntax-directed. • f(cid:48)=(f1,..., fn,g); 3.7 CoinductionUp-to • Λ(cid:48):∏A∈SetΣ(cid:48)(A×FA)→F(Σ(cid:48)∗A)isdefinedas[Λ◦FembL, Inaproofassistant,specificationmechanismsarenotveryuseful ρ◦FembR]where[_,_]isthecaseoperatoronsums,which unlesstheyarecomplementedbysuitablereasoninginfrastructure. buildsafunction[u,v]:B+C→Dfromtwofunctionsu:B→ Thenaturalcounterpartofcorecursionup-toiscoinductionup-to. Dandv:C→D,andembL:Σ∗A→Σ(cid:48)∗A,embR:Σ∗(KA)→ In our incremental framework, the expressiveness of coinduction Σ(cid:48)∗AarethenaturalembeddingsintoΣ(cid:48)∗A. up-togrowstogetherwiththatofcorecursionup-to. 8 2015/1/23 Westartwithstructuralcoinduction[45],allowingtoprovetwo Σ∗[leaf,flat], where flat:∏A∈SetΣ∗(Σ∗A)→A is the stan- elementsofJequalbyexhibitinganF-bisimulation,i.e.,abinary dardjoinoperationoftheΣ∗-monad. relation R on J such that whenever two elements j1 and j2 are • eval evaluatesalltheformaloperationsofΣ∗: related,theirdtor-unfoldingsarecomponentwiserelatedbyR. _(F_+_) eval =eval◦Σ∗([ctor◦Feval,eval]) R j j ∀j j ∈J.R j j −→FrelR(dtor j )(dtor j ) _(F_+_) 1 2 1 2 1 2 1 2 j1= j2 Theorem11. Ifthereexists(aunique)g:A→Σ∗(F(Σ∗A))such Recall that our type constructors are not only functors but also that the diagram in Figure 4a commutes, there exists (a unique) relators.Thenotionof“componentwiserelationship”referstoF’s f :A→JsuchthatthediagraminFigure4bcommutes,namely, relatorstructureFrel. corecFlexg. Uponintegratinganewoperationg(Section3.6),thecoinduc- Thetheoremcertifiesthefollowingprocedureformakingsense tionruleismademoreflexiblebyallowingthedtor-unfoldingsto ofamixedfixpointdefinitionofafunction f: becomponentwiserelatednotonlybyRbutmoregenerallybya closureofRthattakesgintoaccount. 1. Separatetheguardedandtheunguardedcalls(asshowninthe For a corecursion state (K, f,Λ) and a relation R:J→J→ codomainΣ∗(F(Σ∗A)+Σ∗A)ofs). Bool,wedefinecl R,the f-congruenceclosureofR,asthesmall- 2. Provethattheunguardedcallseventuallyterminateorleadto f estequivalencerelationthatincludesRandiscompatiblewitheach guardedcalls(aswitnessedbyg). fi:KiJ→J: 3. Pass the unfolded guarded calls to the corecursor—i.e., take ∀z ,z ∈K J.Krel Rz z −→cl R(f z )(f z ) f =corecFlexg. 1 2 i i 1 2 f i 1 i 2 whereKreliistherelatorassociatedwithKi. Example12. TheaboveprocedurecanbeappliedtodefinefacC, The next theorem supplies the reasoning counterpart of the primes:Nat→Nat→Stream, and cat:Nat→Stream, while definition principle stated in Theorem 6. It can be inferred from avoidingtheunsoundnasty(Section2.3).Asimpleanalysisreveals recent,moreabstractresults[43]. thatthefirstself-calltoprimesisguardedwhilethesecondisnot. Wedefineg:Nat×Nat→Σ∗(Nat×Σ∗(Nat×Nat))by Theorem10. Thefollowingcoinductionruleupto f holdsinthe corecursionstate(K, f,Λ): g(m,n)=if(m=0∧n>1)∨gcdmn=1 thenleaf(n,leaf(m×n,n+1)) R j j ∀j j ∈J.R j j −→Frel(cl R)(dtor j )(dtor j ) 1 2 1 2 1 2 f 1 2 elseg(m,n+1) j = j 1 2 Inessence,gbehaveslike(theintended) f exceptthattheguarded Coinductionupto f istheidealabstractionforprovingequal- callsareleftsymbolic,whereastheunguardedcallsareinterpreted ities involving functions defined by corecursion up to f: For ex- as actual calls to g. One can show that g is well defined by a ample, a proof of commutativity for ⊗ naturally relies on con- standardterminationargument.Thischaracteristicequationofgis textsinvolving⊕,because⊗’scorecursivebehavior(i.e.,⊗’sdtor- thecommutativityofthediagramdeterminedbysasinFigure4a, unfolding)dependson⊕. where s:Nat×Nat→Σ∗(Nat×Σ∗(Nat×Nat)+Σ∗(Nat× Nat))isdefinedasfollows(withInlandInrbeingtheleftandright sumembeddings): 4. MixedFixpoints Whenwewritefixpointequationstodefineafunction f,weoften s(m,n)=if(m=0∧n>1)∨gcdmn=1 want to distinguish corecursive calls from calls that are sound thenleaf(Inl(leaf(n,leaf(m×n,n+1)))) for other reasons—for example, if they terminate. We model this elseleaf(Inr(leaf(m,n+1))) situationabstractlybyafunctions:A→Σ∗(F(Σ∗A)+Σ∗A).As Settingprimes=corecFlexgyieldsthedesiredcharacteristicequa- usualforeacha,theshapeofsarepresentsthecallingcontextfor tionforprimesaftersimplification(cf.Example4). f a,withtheoccurrencesofthecontentitemsa(cid:48)insarepresenting callsto f a(cid:48).Thenewtwististhatwenowdistinguishguardedcalls Theprimesexamplehasallunguardedcallsintailform,which (capturedbytheleft-handsideof+)frompossiblyunguardedones makestheassociatedfunctiongtail-recursive.Thisneednotbethe (theright-handsideof+). case,asshownbythecatexample,whoseunguardedcallsoccur Wewanttodefineafunction f withthebehaviorindicatedby underthewell-behavedoperation⊕.However,wedorequirethat s,i.e.,makingthediagraminFigure4bcommute.Inthefigure,+ theunguardedcallsoccurincontextsformedbywell-behavedop- denotes the map function u+v:B+C→D+E built from two erationsalone.Afterunfoldingalltheunguardedcalls,theresulting functions u:B→D and v:C→E. In the absence of pervasive contextthatistobehandledcorecursivelymustbewellbehaved— guards, we cannot employ the corecursors directly to define f. thisprecludesunsounddefinitionslikenasty. However,ifwecanshowthatthenoncorecursivecallseventually lead to a corecursive call, we will be able to employ corecFlex. 5. FormalizationandImplementation Thispreconditioncanbeexpressedintermsofafixpointequation. WeformalizedinIsabelle/HOLthemetatheoryofSections3and4. According to Figure 4a, the call to g (shown on the base arrow) Essentially,thismeansthattheresultshavebeenprovedinhigher- happensonlyontheright-handsideof+,meaningthattheintended order logic with Infinity, Choice, and a mechanism for defining corecursivecallsareignoredwhen“computing”thefixpointg.Our typesbyexhibitingnon-emptysubsetsofexistingtypes.Thelogic goalistoshowthattheremainingcallsbehaveproperly. iscomparabletoZermelosettheorywithChoice(ZC)butweaker The functions reduce and eval that complete the diagrams of thanZFC.Thedevelopmentwouldworkforanyclassoffunctors Figure4aretheexpectedones: that are relators (or closed under weak pullbacks), contain basic • The elements of Σ∗(F(Σ∗A)) are formal-expression trees functors(identity,(co)products,etc.)andareclosedunderintersec- guarded on every path to the leaves, and so are the elements tion,composition,andhaveinitialalgebrasandfinalcoalgebrathat Σ∗(F(Σ∗A)+Σ∗(Σ∗(F(Σ∗A)))),butwithamorerestricted canberepresentedinhigher-orderlogic.However,ourIsabellede- shape;reduceembedsthelatterintheformer:reduce=flat◦ velopmentfocusesonaspecificclass[49]. 9 2015/1/23 A g (cid:47)(cid:47)Σ∗(F((cid:79)(cid:79)Σ∗A)) A f=corecFlexg (cid:47)(cid:47)J(cid:79)(cid:79) s reduce s eval_(F_+_) (cid:15)(cid:15) (cid:15)(cid:15) Σ∗(id+Σ∗g)(cid:47)(cid:47) Σ∗(F(Σ∗f)+Σ∗f)(cid:47)(cid:47) Σ∗(F(Σ∗A)+Σ∗A) Σ∗(F(Σ∗A)+Σ∗(Σ∗(F(Σ∗A))))) Σ∗(F(Σ∗A)+Σ∗A) Σ∗(F(Σ∗J)+Σ∗J) (a)Assumption (b)Conclusion Figure4:Mixedfixpoint Theformalizationconsistsoftwoparts:Thebasederivesacore- 4. Extractapolymorphicfunctionρfromthespecificationoff. cursorup-tofromaprimitivecorecursor;thestepstartswithacore- 5. Automaticallyproveρparametricorpasstheproofobligation cursorup-toandintegratesanadditionalwell-behavedoperation. totheuser. ThebasepartstartsbyaxiomatizingafunctorFanddefinesa codatatype with nesting through F: codatatype J = ctor(FJ). 6. Derivethenewstrengthenedcorecursoranditsnewcoinduction (Ingeneral,Jcoulddependontypevariables,butthisisanorthog- principle. onalconcernthatwouldonlycluttertheformalization.)Thenthe Thecoreccommandwillbecomplementedbyanadditionalcom- formalizationdefinesthefreealgebraoverFandthebasiccorecur- mand,tentativelycalledwell_behaved_for_corec,forregistering sorseedΛforinitializingthestatewithctoraswellbehaved(Sec- arbitraryoperationsf(notnecessarilydefinedusingcorec)aswell tion3.5).ItalsoneedstoliftΛtothefreealgebra,atechnicalitythat behaved.Thecommandwillasktheusertoprovideacorecursive wasomittedinthepresentation.Thenitdefinesevalandothernec- specificationoff asalemmaoftheformf x=Cons ... andthen essarystructure(Section3.3).Finally,itintroducescorecTopand perform steps 4 to 6. The corec command will become stronger corecFlex(Section3.4)andderivesthecorrespondingcoinduction andstrongerasmorewell-behavedoperationsareregistered. principle(Section3.7). The following Isabelle theory fragment gives a flavor of the Fromahigh-levelpointofview,thestepparthasasomewhat envisionedfunctionalityfromtheuser’spointofview: similar structure to the base. It axiomatizes a domain functor K andaparametricfunctionρassociatedwiththenewwell-behaved codatatype StreamA=SCons(head:A)(tail:StreamA) operation g to integrate. Then it extends the signature to include K, defines the extended corecursor seed Λ(cid:48), and lifts Λ(cid:48) to the corec(well_behaved)⊕:Stream→Stream→Stream xs⊕ys=SCons(headxs+headys)(tailxs⊕tailys) free algebra. Next, it defines the parameterized evalg and other infrastructure (Section 3.6). Finally, it introduces corecTop and corec(well_behaved)⊗:Stream→Stream→Stream corecFlexforthenewstateandderivesthecoinductionprinciple. xs⊗ys=SCons(headxs×headys) The process of instantiating the metatheory to particular user- ((xs⊗tailys)⊕(tailxs⊗ys)) specified codatatypes is automated by a prototype tool: the user pointstoaparticularcodatatype(typicallydefinedusingIsabelle’s lemma⊕_commute: xs⊕ys=ys⊕xs existing(co)datatypespecificationlanguage[12]),andthenthetool by(coinductionarbitrary:xsysrule:stream.coinduct)auto takesoverandinstantiatesthegenericcorecursortotheindicated lemma⊗_commute: xs⊗ys=ys⊗xs type, provinding the concrete corecursion and mixed recursion- proof(coinductionarbitrary:xsysrule:stream.coinduct_upto) corecursiontheorems.Thestreamandtreeexamplespresentedin caseEq_stream Section 2 have all been obtained with this tool. As a larger case thus?caseunfoldingtail_⊗ study, we formalized all the examples from the extended version by(subst⊕_commute)(autointro:stream.cl_⊕) ofHinzeandJames’sstudy[22].Theparametricityproofobliga- qed tionsweredischargedbyIsabelle’sparametricityprover[24].The mixedrecursion–corecursiondefinitionsweredoneusingIsabelle’s 6. RelatedWork facilityfordefiningterminatingrecursivefunctions[29]. Unlike Isabelle’s primitive (co)recursion mechanism [12], our Thereisalotofrelevantwork,concerningboththemetatheoryand tool currently lacks syntactic sugar support, so it still requires applicationsinproofassistantsandsimilarsystems.Wereferenced someboilerplatefromtheuser,namelytheexplicinvocationofthe someofthemostcloselyrelatedworkintheearliersections.Here corecursorandtheparametricityprover:thesearejustafewextra isanattemptatamoresystematicoverview. lines of script per definition, and therefore the tool is also usable Category Theory. The notions of corecursion and coinduction inthecurrentform.Followingthedesignofitsprimitiveancestor, up-to started with process algebra [44, 47] before they were re- itsenvisionedfullyuser-friendlyextensionwillreplacetheexplicit castintheabstractlanguageofcategorytheory[8,22,26,28,38, invocation of the corecursor with a corec command, allowing 43,50].Ourapproachowesalottothistheoreticalwork,andin- userstospecifyafunctionfcorecursivelyandthenperformingthe deed formalizes some state-of-the-art category theoretical results followingsteps(cf.Example5): on corecursion and coinduction up-to [38, 43]. Besides adapting 1. Parse the specification of f and synthesize arguments to the existing results to higher-order logic within an incremental core- cursorcycle,wehavealsoextendedthestateoftheartwithasound current,mostpowerfulcorecursor. mechanismformixingrecursionwithcorecursionup-to. 2. Definefintermsofthecorecursor. Categorytheoryprovidesanimpressivebodyofabstractresults 3. Derivetheoriginalspecificationfromthecorecursortheorems. that can be applied to solve concrete problems elegantly. Proof assistants have a lot to benefit from category theory, as we hope Passingthewell_behavedoptiontocorecwilladditionallyinvoke to have demonstrated with this paper. There has been prior work thefollowingprocedure(cf.Example9): onintegratingcoinductionup-totechniquesfromcategorytheory 10 2015/1/23