Program extraction, simplified proof-terms and realizability
David Albrecht and John N. Crossley
1 Introduction

This paper forms part of a programme for extracting programs from proofs. Many people have done such work. What distinguishes our work is that our aim is to start with "real proofs", that is to say, proofs in a mathematics book, as opposed to (e.g. computer-generated) proofs in formal logic. (We assume that all these proofs are correct.) We then produce programs from them in a variant of the lambda calculus. The additions to the lambda calculus are essentially projections, definition by cases and recursion, together with (names for) the functions, relations and elements of the mathematical system under consideration.

In order to carry out this programme we do, initially, consider proofs in formal logic. However, as we progress we shall speed up in the same way that a young mathematician develops: by treating larger and larger proofs as single steps in order to prove a big theorem. In this paper we show how to extract programs from proofs in formal logic. Our programs have the advantage of being reusable: when a theorem A is used again in the proof of a later theorem B, we need only reuse the old program for A in order to obtain the new program for B; we do not need to write out the whole proof of A within the proof of B. Full details of this process will be presented in [1].

In the present paper we first sketch our method for extracting the programs. Then we consider a variant of the lambda calculus using the constructs mentioned above. Our main result here is that the formal terms thus constructed are realizers, i.e. we give a semantics for the system of mathematics we consider. For clarity we restrict our attention to arithmetic, including induction. The technique, however, applies immediately to any first-order theory whose axioms are Harrop formulae (defined below). We restrict ourselves to constructive proofs in this paper.
The original idea for the program-reductions found in section 2 is due to David Albrecht, but it can be traced back to remarks made by Michael McGaughey (in the 1990s), Georg Kreisel (about 1960) and Gerhard Gentzen (in the 1940s). We thank John Jeavons and John Shepherdson for their support in the ARC project. Thanks to Helmut Schwichtenberg, who asked whether the simplified proof terms were realizers.
2 Curry-Howard or proof terms

We consider the natural deduction system of logic, ND, shown in table 1. For further details on such a system see Kleene [5] or Gallier [3]. Corresponding to the proofs generated by the inferences in ND we obtain proof-terms, which provide a linear notation for the proofs in the sense that there is (up to renaming of variables) a one-one correspondence between proof-terms and proofs in the system ND. (For details see Crossley and Shepherdson [2], but note that we now use notation in the style of Gallier [3]. Note also that the proof-terms we use for axioms differ from those in [2].)

Footnotes from the title page: 1 Department of Computer Science, Monash University, Clayton, Victoria 3168. Research partly supported by ARC grant A 49230989. 2 Department of Computer Science and of Mathematics, Monash University, Clayton, Vic 3168.

Table 1: The system ND. The inference figures did not survive extraction; the rules, in the order of the table, are: Axiom or assumption; (&I), (&1E), (&2E); (→I), (→E), (⊥E); (∨1I), (∨2I), (∨E); (∀I), (∀E), (∃I), (∃E). The bracketed premisses [ ] of (→I), (∨E) and (∃E) are the assumptions those rules discharge, and (∀E) and (∃I) instantiate the quantified variable with an individual term t, written (x=t).
Remark. As usual, [ ] around a premiss in a proof means that none, some or all occurrences of that premiss have been cancelled; (x=t) denotes the result of substituting t for all free occurrences of x in the formula, subject to avoiding clashes of variables; and in the rules (∀I) and (∃E) the individual variable x is not free in the formula concerned or in any uncancelled premiss.
Definition 1. A formula is a Harrop formula if it is
1. an atomic formula,
2. a conjunction of two Harrop formulae,
3. an implication whose consequent (but not necessarily whose antecedent) is a Harrop formula, or
4. a universally quantified Harrop formula.

Harrop formulae are named for Ronald Harrop (see his [4]). Intuitively, they contain no essential use of ∃ or ∨.

We first associate formal terms with Harrop formulae. The associate of an atomic formula is A, where A is a term constant. The associate of a conjunction is (F; G), where F and G are the associates of the two conjuncts. The associate of a universally quantified formula ∀x… is (x:F), where F is the associate of the formula quantified over. The associate of an implication is (X:F), where X is a new term variable and F is the associate of the consequent. We now define the proof terms for Harrop formulae which are axioms to be their associated formal terms. (Note that these terms are unique up to renaming of term variables.)
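As an added illustration of Definition 1 and of the associate construction (example code written for this edition, not code from the paper), here are the Harrop test and the associate function in Python over formulae encoded as tagged tuples. The tuple encoding, the tag names, the naming of new term variables as X0, X1, ... by nesting depth, and the list of arithmetic axioms (standard ones, constructed here as sample input) are assumptions of the example.

```python
"""Harrop formulae (Definition 1) and their associated formal terms.
Formulae are tagged tuples; the tag names are this example's own choice."""

def atom(pred, *args): return ('atom', pred, args)   # atomic formula
def conj(a, b): return ('and', a, b)                 # a & b
def disj(a, b): return ('or', a, b)                  # a ∨ b
def imp(a, b): return ('imp', a, b)                  # a → b
def forall(x, a): return ('all', x, a)               # ∀x a
def exists(x, a): return ('ex', x, a)                # ∃x a

def is_harrop(f):
    """Definition 1: atomic; conjunction of Harrop formulae; implication whose
    consequent is Harrop (antecedent unrestricted); universal closure of Harrop."""
    tag = f[0]
    if tag == 'atom':
        return True
    if tag == 'and':
        return is_harrop(f[1]) and is_harrop(f[2])
    if tag in ('imp', 'all'):
        return is_harrop(f[2])
    return False          # ∨ and ∃ are never Harrop

def associate(f, depth=0):
    """The associated formal term of a Harrop formula, i.e. the proof term the
    paper uses for that formula when it is an axiom.  Term variables introduced
    for implications are named X0, X1, ... by nesting depth (an assumption of
    this example; the paper only requires them to be new)."""
    tag = f[0]
    if tag == 'atom':
        return ('const', 'A')                                   # term constant A
    if tag == 'and':
        return ('pair', associate(f[1], depth), associate(f[2], depth))   # (F; G)
    if tag == 'all':
        return ('ilam', f[1], associate(f[2], depth))           # (x:F)
    if tag == 'imp':
        return ('lam', f'X{depth}', associate(f[2], depth + 1))  # (X:F), consequent only
    raise ValueError(f"no associate: {f!r} is not a Harrop formula")

# Some of the usual axioms of arithmetic (constructed sample input); all Harrop,
# as section 3 states.  Individual terms are nested tuples such as ('s', 'x').
ARITH_AXIOMS = [
    forall('x', atom('=', 'x', 'x')),
    forall('x', forall('y', imp(atom('=', 'x', 'y'), atom('=', 'y', 'x')))),
    forall('x', atom('=', ('+', 'x', '0'), 'x')),
    forall('x', forall('y', atom('=', ('+', 'x', ('s', 'y')), ('s', ('+', 'x', 'y'))))),
]

# The predecessor specification of section 5 is not Harrop: it uses ∃ and ∨.
PRED_SPEC = forall('x', exists('y', disj(conj(atom('=', 'x', '0'), atom('=', 'y', '0')),
                                        atom('=', 'x', ('s', 'y')))))

def all_axioms_harrop():
    return all(is_harrop(a) for a in ARITH_AXIOMS)

if __name__ == "__main__":
    print(all_axioms_harrop(), is_harrop(PRED_SPEC))
    for a in ARITH_AXIOMS:
        print(associate(a))
```

Note that `is_harrop(imp(PRED_SPEC, atom('=', '0', '0')))` is true: a non-Harrop antecedent does not stop an implication from being Harrop, which is exactly clause 3 of the definition.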
The remaining proof terms are given in table 2. If the term codes a proof of a formula, then that formula is its type. Note that for brevity we omit types where they can be inferred.

Table 2: Proof terms. (P, Q and R are the proof terms of the premisses; X, Y are term variables and x an individual variable.)
Assumption:  X
(&I):   (P; Q)          (&1E):  (1P)            (&2E):  (2P)
(→I):   (X:P)           (→E):   (PQ)            (⊥E):   (P), with the conclusion as its type
(∨1I):  (1; P)          (∨2I):  (2; P)          (∨E):   case(P; X:Q; Y:R)
(∀I):   (x:P)           (∀E):   (Pt), of type (x=t)
(∃I):   (t; P)          (∃E):   select(P; x:X:Q)
Note. In the case of (∃I), if x does not occur in the formula we put in some standard term t. For arithmetic, which we treat below, we assume this standard term is zero.

In many cases proofs can be simplified. For example, a proof that introduces a conjunction by (&I) and immediately eliminates it by (&E) can be reduced to the subproof of the conjunct that survives (the top right-hand corner of the figure, in the case of the second conjunct), by removing the & introduction and its immediately following elimination. In the notation of proof terms we say that (2(F; G)) reduces to G. The reduction rules for proof terms are listed in table 3.
Table 3: Proof reductions
1(P; Q)               reduces to   P
2(P; Q)               reduces to   Q
(X:P)Q                reduces to   P(X=Q)
(x:P)t                reduces to   P(x=t)
case((1; P); Q; R)    reduces to   QP
case((2; P); Q; R)    reduces to   RP
select((t; P); Q)     reduces to   (Qt)P
The basic result for proof terms in natural deduction, and in the arithmetic defined below, is that all reductions terminate, leaving a term which is then said to be in normal form. This property is called strong normalization. (Weak normalization holds when some sequence of reductions terminates.) For convenience we shall call these reductions proof reductions.

Theorem 1. Every proof term strongly normalizes, and the normal form is unique (up to renaming of variables).

We now specify a further reduction process. First we delete all the types. The program-reductions are then as shown in table 4. However, we "remember" the type of the original term, i.e. the outermost type, which is the formula whose proof is represented by the original proof term. The resulting terms are called simplified proof terms of that type.
Table 4: Program reductions (A is the term constant of an atomic Harrop formula; () is the empty term)
A            reduces to   ()
1()          reduces to   ()
2()          reduces to   ()
((); ())     reduces to   ()
Lemma 1. Program reductions commute with proof reductions.
Proof. See Albrecht and Crossley [1]. □

As a corollary we have:

Theorem 2. Every sequence of proof-reductions and program-reductions terminates.
Proof. By the lemma we can perform all the proof-reductions first. This sequence of reductions terminates by theorem 1. Next, all program-reductions are length-reducing, hence any sequence of them terminates. □
3 Arithmetic

The usual axioms for successor s, + and *, together with the equality axioms, are easily seen to be Harrop formulae (cf. Crossley and Shepherdson [2]).
We take the induction schema (Ind) in the form: from the base case (x=0) and the step ∀x(… → …(x=s(x))), infer the universal closure ∀x of the formula. We introduce for it the proof term

(x:(F; G))

where F is the proof term of the base case (x=0) and G is the proof term of the step ∀x(… → …(x=s(x))), with the proof-reduction rules

x:(F; G)0        reduces to   F
x:(F; G)s(t)     reduces to   (Gt)(x:(F; G)t)       for any term t.
Theorem 3. The above lemma and theorems also hold in the natural deduction system for arithmetic.
Proof. Routine, but see Crossley and Shepherdson [2]. □

Definition 2. 0 is a numeral, and if n is a numeral then so is s(n). We write 0 for the numeral 0 and n + 1 for s(n).
4 Realizers

We now show that simplified proof-terms are realizers in the sense of Kleene's modified realizability (see Kreisel [6]). In fact we show somewhat more: all terms built up in the obvious way from the constructs in simplified proof-terms are realizers.
Definition 3. A pseudo-proof-term (ppt) is either a term variable X, Y, ..., or a term (), (P; Q), 1P, 2P, X:P, (PQ), (1; P), (2; P), case(P; Q; R), x:P, Pt, (t; P), select(P; Q), x:(P; Q), or (P) with a formula as its type, where P, Q, R are pseudo-proof-terms and t is an individual term. Pseudo-proof-terms have the same program-reduction rules as proof-terms. It is an open question whether every pseudo-proof-term is the program- (and proof-) reduced form of a proof-term.
Definition 4. A ppt P realizes a formula, written P ⊩ (formula), as follows.

Case 1. The formula is closed.
() ⊩ every true atomic sentence.
P ⊩ a conjunction if P reduces to the form (Q; R), where Q realizes the first conjunct and R the second.
P ⊩ a disjunction if P reduces to the form (1; Q) and Q realizes the first disjunct, or P reduces to the form (2; Q) and Q realizes the second.
P ⊩ an implication if, whenever Q realizes the antecedent, (PQ) realizes the consequent.
P ⊩ ∀x… if, for all numerals n, Pn realizes the instance (x=n).
P ⊩ ∃x… if P reduces to the form (t; Q), where Q realizes the instance (x=t).

Case 2. The formula is open, with free variables x1, ..., xn. Then P realizes it if P m1 ... mn realizes the closed instance (x1=m1, ..., xn=mn) for every sequence of numerals m1, ..., mn.
Theorem 4. Every theorem of constructive arithmetic is realizable.

Proof. This follows the lines of, e.g., Kleene [5], theorem 62. We treat a few cases as examples.

(∨E). We want to show that if F realizes the disjunction, G(X) realizes the conclusion whenever X realizes the first disjunct, and H(Y) realizes the conclusion whenever Y realizes the second, then case(F; X:G; Y:H) realizes the conclusion. Since F realizes the disjunction, F reduces to (1; K) where K realizes the first disjunct, or to (2; L) where L realizes the second. In the former case (X:G)K realizes the conclusion, and in the latter (Y:H)L does. But in the former case case((1; K); X:G; Y:H) reduces to (X:G)K, and in the latter it reduces to (Y:H)L.

(Ind). We show that if the premisses of the induction rule are realized, then so is the conclusion. Suppose F realizes the base case (x=0) and G realizes the step ∀x(… → …(x=s(x))). Then, for every numeral n, Gn realizes the implication from the instance (x=n) to the instance (x=s(n)). We prove by induction on n that x:(F; G)n realizes (x=n). If n = 0, then x:(F; G)0 reduces to F, which realizes (x=0). If n = s(m), then by the induction hypothesis x:(F; G)m realizes (x=m), and Gm realizes the implication from (x=m) to (x=s(m)) by the remark above. By the definition of realizability for implication, (Gm)(x:(F; G)m) realizes (x=s(m)). Since x:(F; G)s(m) reduces to exactly this term, it realizes (x=s(m)). □
Definition 5. We say that a ppt P proves-and-realizes a formula if the formula is provable and P realizes it.

As in Kleene [5] we can then show:

Theorem 5. If ∀x∃y (x; y) is provable, then there is an algorithm which yields, for each numeral m, a ppt Q (depending on m) such that Q proves-and-realizes ∃y (m; y).

We can then extract a program to compute t from m as follows. If Q proves-and-realizes ∃y (m; y), then Q reduces to the form (t; R), where R proves-and-realizes the instance (m; y=t). Hence to obtain t we just take the first component of this reduced form of Q.
5 Example

As an example we show the extraction of the program for the predecessor function p(x), defined by p(0) = 0, p(s(x)) = x. This program starts from the proof below of the formula

∀x∃y((x = 0 & y = 0) ∨ (x = s(y))).

1.  ∀x(x = x)                                                                   Axiom
2.  0 = 0                                                                       (∀E)
3.  0 = 0 & 0 = 0                                                               (&I)
4.  (0 = 0 & 0 = 0) ∨ (0 = s(0))                                                (∨1I)
5.  ∃y((0 = 0 & y = 0) ∨ (0 = s(y)))                                            (∃I)
6.  ∀x(x = x)                                                                   Axiom
7.  s(x) = s(x)                                                                 (∀E)
8.  (s(x) = 0 & x = 0) ∨ (s(x) = s(x))                                          (∨2I)
9.  ∃y((s(x) = 0 & y = 0) ∨ (s(x) = s(y)))                                      (∃I)
10. [∃y((x = 0 & y = 0) ∨ (x = s(y)))]                                          Assumption
11. ∃y((x = 0 & y = 0) ∨ (x = s(y))) → ∃y((s(x) = 0 & y = 0) ∨ (s(x) = s(y)))    (→I)
12. ∀x(∃y((x = 0 & y = 0) ∨ (x = s(y))) → ∃y((s(x) = 0 & y = 0) ∨ (s(x) = s(y))))  (∀I)
13. ∀x∃y((x = 0 & y = 0) ∨ (x = s(y)))                                          Ind using 5, 12.
From this proof we obtain proof-terms as follows. For legibility we omit types. However, to show the complexity involved, we write out the full proof-term for line 13.

1.  x:A
2.  (x:A)0
3.  ((x:A)0; (x:A)0)
4.  (1; ((x:A)0; (x:A)0))
5.  (0; (1; ((x:A)0; (x:A)0)))
6.  x:A
7.  (x:A)s(x)
8.  (2; (x:A)s(x))
9.  (x; (2; (x:A)s(x)))
10. X
11. X:(x; (2; (x:A)s(x)))
12. x:(X:(x; (2; (x:A)s(x))))
13. The fully typed term (types written as ^{...} superscripts):

x:( (0; (1; ( ((x:A)^{∀x(x=x)} 0)^{0=0}; ((x:A)^{∀x(x=x)} 0)^{0=0} )^{0=0&0=0} )^{(0=0&0=0)∨(0=s(0))} )^{∃y((0=0&y=0)∨(0=s(y)))},
    (x:( X:( x; (2; ((x:A)^{∀x(x=x)} s(x))^{s(x)=s(x)} )^{(s(x)=0&x=0)∨(s(x)=s(x))} )^{∃y((s(x)=0&y=0)∨(s(x)=s(y)))} )^{∃y((x=0&y=0)∨(x=s(y))) → ∃y((s(x)=0&y=0)∨(s(x)=s(y)))} )^{∀x(∃y((x=0&y=0)∨(x=s(y))) → ∃y((s(x)=0&y=0)∨(s(x)=s(y))))}
  )^{∀x∃y((x=0&y=0)∨(x=s(y)))}

Finally, by performing all possible program-reductions we obtain
x:((0; (1; ())); x:X:(x; (2; ())))

This term can be written out in a more user-friendly way as

rec x
  case x = 0:     (0; (1; ()))
  case x = s(t):  let (x; X) = (t; rec t) in (x; (2; ()))

It is easy to check that the term realizes the formula of line 13. Finally we show how the term applied to (the representation of) 2 reduces, i.e. the effect of running the program:

x:((0; (1; ())); x:X:(x; (2; ())))s(s(0))
  reduces to  (x:(X:(x; (2; ())))s(0))(x:((0; (1; ())); x:X:(x; (2; ())))s(0))
  reduces to  (X:(s(0); (2; ())))(x:((0; (1; ())); x:X:(x; (2; ())))s(0))
  reduces to  (s(0); (2; ())).

(The argument of the last abstraction is discarded, since X does not occur in its body.) From this we extract the value s(0), i.e. 1, as expected.
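The reduction machinery of tables 3 and 4 and the induction rule of section 3, together with the extraction step of Theorem 5, as an added example (Python written for this edition, not the authors' code): ppts are tagged tuples, a reducer applies proof- and program-reductions until a normal form is reached, and the predecessor term of line 13 is built, program-reduced to the simplified term above, run on numerals, and its output checked against the disjunction it is supposed to realize. The tuple encoding, the tag names, the use of a single tag 'const' for the term constant A, and a substitution that assumes distinctly named binders (no capture avoidance, which suffices for the closed terms reduced here) are assumptions of the example.

```python
"""Pseudo-proof-terms as tagged tuples, their proof- and program-reductions
(Tables 3 and 4 plus the induction rule), and the predecessor example."""

UNIT = ('unit',)                               # the empty term ()
ZERO = ('zero',)                               # the numeral 0

def succ(t): return ('succ', t)                # s(t)
def ivar(x): return ('ivar', x)                # individual variable
def var(X): return ('var', X)                  # term variable
def pair(p, q): return ('pair', p, q)          # (P; Q)
def proj(i, p): return ('proj', i, p)          # 1P or 2P
def lam(X, p): return ('lam', X, p)            # X:P
def app(p, q): return ('app', p, q)            # (PQ)
def inj(i, p): return ('inj', i, p)            # (1; P) or (2; P)
def case(p, q, r): return ('case', p, q, r)    # case(P; Q; R)
def ilam(x, p): return ('ilam', x, p)          # x:P
def iapp(p, t): return ('iapp', p, t)          # Pt
def wit(t, p): return ('wit', t, p)            # (t; P)
def select(p, q): return ('select', p, q)      # select(P; Q)
def ind(x, f, g): return ('ind', x, f, g)      # x:(F; G)
def const(a): return ('const', a)              # term constant A of an atomic axiom

ATOMIC = ('zero', 'succ', 'ivar', 'unit', 'const', 'var')   # no reductions inside

def numeral(n):
    t = ZERO
    for _ in range(n):
        t = succ(t)
    return t

def numeral_value(t):
    n = 0
    while t[0] == 'succ':
        n, t = n + 1, t[1]
    assert t == ZERO, "not a numeral"
    return n

def _map_children(t, f):
    return (t[0],) + tuple(f(c) if isinstance(c, tuple) else c for c in t[1:])

def subst_tv(t, X, q):
    """P(X=Q).  Assumes binder names are distinct (no capture avoidance)."""
    if t[0] == 'var':
        return q if t[1] == X else t
    if t[0] == 'lam' and t[1] == X:
        return t                                   # X rebound: stop
    if t[0] in ATOMIC:
        return t
    return _map_children(t, lambda c: subst_tv(c, X, q))

def subst_iv(t, x, s):
    """P(x=t) for an individual term s; same assumption on binders."""
    if t[0] == 'ivar':
        return s if t[1] == x else t
    if t[0] in ('ilam', 'ind') and t[1] == x:
        return t
    if t[0] in ('zero', 'unit', 'const', 'var'):
        return t
    return _map_children(t, lambda c: subst_iv(c, x, s))

def root_step(t):
    """One reduction at the root (Table 3, the induction rule, Table 4), or None."""
    tag = t[0]
    if tag == 'proj':
        if t[2][0] == 'pair':
            return t[2][t[1]]                      # i(P; Q) -> P or Q
        if t[2] == UNIT:
            return UNIT                            # i() -> ()
    elif tag == 'app' and t[1][0] == 'lam':
        return subst_tv(t[1][2], t[1][1], t[2])    # (X:P)Q -> P(X=Q)
    elif tag == 'iapp':
        p, a = t[1], t[2]
        if p[0] == 'ilam':
            return subst_iv(p[2], p[1], a)         # (x:P)t -> P(x=t)
        if p[0] == 'ind' and a == ZERO:
            return p[2]                            # x:(F;G)0 -> F
        if p[0] == 'ind' and a[0] == 'succ':
            return app(iapp(p[3], a[1]), iapp(p, a[1]))   # x:(F;G)s(t) -> (Gt)(x:(F;G)t)
    elif tag == 'case' and t[1][0] == 'inj':
        return app(t[2] if t[1][1] == 1 else t[3], t[1][2])   # case((i;P);Q;R) -> QP / RP
    elif tag == 'select' and t[1][0] == 'wit':
        return app(iapp(t[2], t[1][1]), t[1][2])   # select((t;P);Q) -> (Qt)P
    elif tag == 'const':
        return UNIT                                # A -> ()
    elif tag == 'pair' and t[1] == UNIT and t[2] == UNIT:
        return UNIT                                # ((); ()) -> ()
    return None

def step(t):
    r = root_step(t)
    if r is not None:
        return r
    return t if t[0] in ATOMIC else _map_children(t, step)

def normalize(t, limit=10_000):
    """Reduce to normal form; terminates for proof terms by Theorem 2."""
    for _ in range(limit):
        u = step(t)
        if u == t:
            return t
        t = u
    raise RuntimeError("reduction did not terminate within the step limit")

# The proof terms of section 5 (lines 1, 5, 12 and 13 of the proof).
refl = ilam('x', const('A'))                                                   # line 1
base = wit(ZERO, inj(1, pair(iapp(refl, ZERO), iapp(refl, ZERO))))             # line 5
stp = ilam('x', lam('X', wit(ivar('x'), inj(2, iapp(refl, succ(ivar('x')))))))  # line 12
PRED = ind('x', base, stp)                                                     # line 13

def extracted_program():
    """Line 13 after all program-reductions: the simplified proof term."""
    return normalize(PRED)

def run_pred(n):
    """Theorem 5: normalize PRED n to (t; R) and return (value of t, branch of R)."""
    r = normalize(iapp(PRED, numeral(n)))
    assert r[0] == 'wit' and r[2][0] == 'inj'
    return numeral_value(r[1]), r[2][1]

def check_spec(n):
    """Does the output realize (n = 0 & y = 0) ∨ (n = s(y)) with y := t?"""
    y, branch = run_pred(n)
    return (branch == 1 and n == 0 and y == 0) or (branch == 2 and n == y + 1)

if __name__ == "__main__":
    print(extracted_program())
    print(run_pred(2))                          # (1, 2): witness s(0), second disjunct
    print(all(check_spec(n) for n in range(10)))
```

The last function is the practical check a user of extracted code wants: the realizer is run on concrete numerals and its witness and chosen disjunct are compared with the formula it was extracted from, which is exactly the content of Definition 4 for the closed instances of the ∃∨ formula.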
References

[1] D.W. Albrecht and J.N. Crossley, Real programs from real proofs, in preparation.
[2] J.N. Crossley and J.C. Shepherdson, Extracting programs from proofs by an extension of the Curry-Howard process, pp. 222-288 in Logical Methods, ed. J.N. Crossley, J.B. Remmel, R.A. Shore and M.E. Sweedler, Birkhäuser, Boston (1993).
[3] J. Gallier, Constructive Logics. A Tutorial on Proof Systems and Typed λ-Calculi, Theoretical Computer Science 110, 249-339 (1993).
[4] R. Harrop, Concerning formulas of the types A → B ∨ C, A → (Ex)B(x) in Intuitionistic Formal Systems, Journal of Symbolic Logic 25, 27-32 (1960).
[5] S.C. Kleene, Introduction to Metamathematics, North-Holland, Amsterdam (1952).
[6] G. Kreisel, Interpretation of Analysis by means of constructive functionals of finite types, pp. 101-128 in Constructivity in Mathematics, Proceedings of the Colloquium held at Amsterdam in 1957, ed. A. Heyting, North-Holland, Amsterdam (1959).
[7] M.E. Szabo, The Collected Papers of Gerhard Gentzen, North-Holland, Amsterdam (1969).