Certified Exact Transcendental Real Number Computation in Coq
Russell O’Connor
Institute for Computing and Information Science, Faculty of Science, Radboud University Nijmegen
Email: [email protected]
Abstract
Reasoning about real number expressions in a proof assistant is challenging. Several problems in theorem proving can be solved by using exact real number computation. I have implemented a library for reasoning and computing with complete metric spaces in the Coq proof assistant and used this library to build a constructive real number implementation including elementary real number functions and proofs of correctness. Using this library, I have created a tactic that automatically proves strict inequalities over closed elementary real number expressions by computation.
This work is hereby released into the Public Domain. To view a copy of the public domain dedication, visit http://creativecommons.org/licenses/publicdomain/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Mathematics increasingly relies on computation for proofs. Because software is often error prone, proofs depending on computation are sometimes considered suspect. Recently, people have used proof assistants to verify these kinds of mathematical theorems [7]. Real number computation plays an essential role in some of these problems. These proofs typically require finding a rational approximation of some real number expression to within a specified error or proving a (strict) inequality between two real number expressions. Two examples of such proofs are the disproof of Mertens’s conjecture [15] and the proof of Kepler’s conjecture [8]. Certified real number computation also has other applications including verifying properties of hybrid automata.

Proof assistants based on dependent type theory, such as Coq [17], allow one to develop a constructive theory of real numbers in which approximations of real numbers can be evaluated by the system. Functions on real numbers compute what accuracy is needed from their input to satisfy the requested accuracy for their output. Rather than accumulating rounding errors, the resulting approximations are guaranteed to be within the accuracy requested. One can develop a constructive theory of real numbers that yields efficient functions by taking care to ensure the computational aspects of the proofs are efficient. This paper illustrates how to develop such an efficient constructive theory. We begin by reviewing some results that are detailed in a previous publication [14]:

• A theory of metric spaces is developed (Section 3) that is independent of the real numbers. An operation for completing metric spaces is defined (Section 3.2), and this operation is seen to be a monad.
• This theory of complete metric spaces is used to define the real numbers (Section 4). A key idea is to first define elementary functions over the rational numbers, and then, once the functions are shown to be uniformly continuous, lift these functions to the real numbers by using the monad operations.
• The formalization was designed with efficient execution in mind (Section 5.1).
• Care was needed to efficiently approximate infinite series (Section 5.2).
• The technique of proof by reflection is used to verify a definition of π (Section 5.3).
• Elementary functions are proved correct by showing that they are equivalent to their corresponding functions defined in the CoRN library (Section 5.4).
• This theory is put to use by developing a tactic that uses computation to automatically verify strict inequalities over closed real number expressions (Section 5.5).

This formalization will be part of the next version of the CoRN library, which will be released at the same time Coq 8.2 is released.

∗ This paper is to be part of the proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2008). This document has been written using the GNU TeXmacs text editor.
The propositions true and false are denoted by ⊤ and ⊥ respectively. The type of propositions is written as ⋆. In Coq this type is Prop. The type Q⁺ denotes the strictly positive rational numbers, and I will use similar notation for other number types. The type Q⁺∞ denotes Q⁺ + {∞}. Functions taking multiple arguments will be curried as in f : A ⇒ B ⇒ C; however, for readability, I will often use mathematical notation when applying parameters, f(x, y), even though it should technically be written as f(x)(y). I denote the function f iterated n times as f^(n). Because constructive mathematics has a classical interpretation, all the theorems in this paper can also be understood as theorems of classical analysis. Although some of the definitions I use are somewhat different from the usual classical definitions, they are still equivalent (under classical logic) to their classical counterparts.

The real numbers are typically defined as a Cauchy sequence of rational numbers. A sequence x : N ⇒ Q is Cauchy when

    ∀ ε : Q. 0 < ε ⇒ ∃ N : N. ∀ m : N. N ≤ m ⇒ |x_m − x_N| ≤ ε.

The function mapping ε to N is the modulus of convergence. It tells you how far into the sequence you must reach in order to get good rational approximations to the real number that x represents. By using the constructive existential, one ensures that the value of N is computable from ε. This results in the constructive real numbers. One can compute approximations of constructive real numbers to within any given precision.

Real numbers are usually created from Cauchy sequences (which often arise from Taylor series). Perhaps this is why the Cauchy sequence definition is common. On the other hand, approximation is the fundamental operation for consuming real numbers. This suggests an alternative definition of real numbers based on how they are consumed. One can define a real number as a regular function of rational numbers. A regular function of rational numbers is a function x : Q⁺ ⇒ Q such that

    ∀ ε₁ ε₂. |x(ε₁) − x(ε₂)| ≤ ε₁ + ε₂.

Regular functions are a generalization of regular sequences, which Bishop and Bridges use to define the real numbers [1]. With regular functions, x directly represents the function that approximates a real number to within ε. The regularity condition ensures that the approximations are coherent.

Regular functions and Cauchy sequences can be used to construct more than just the real numbers. They can be used to construct the completion of any metric space.
Usually a metric space X is defined by a metric function d : X × X ⇒ R; however, this assumes that the real numbers have already been defined. Instead, one can define a metric space based on a ball relation β_ε(a, b), that characterizes when d(a, b) ≤ ε. Partial application, β_ε(a), yields a predicate that represents the set of points inside the closed ball of radius ε around a. The following axioms characterize a ball relationship β : Q⁺ ⇒ X ⇒ X ⇒ ⋆.

1. β_ε(a, a)
2. β_ε(a, b) ⇒ β_ε(b, a)
3. β_ε₁(a, b) ⇒ β_ε₂(b, c) ⇒ β_{ε₁+ε₂}(a, c)
4. (∀ δ : Q⁺. β_{ε+δ}(a, b)) ⇒ β_ε(a, b)

Axioms 1 and 2 state that the ball relationship is reflexive and symmetric. Axiom 3 is a form of the triangle inequality. Axiom 4 states that the balls are closed. Closed balls are used because their proof objects usually have no computational content and can be ignored during evaluation. For some metric spaces, such as the real numbers, open balls are defined with existential quantifiers and their use would lead to unnecessary computation [4].

Two points are considered identical if they are arbitrarily close to each other.

    (∀ ε. β_ε(a, b)) ⇔ a ≍ b

This can be considered either the definition of equivalence in X, or if X comes with an equivalence relationship, then it can be considered a fifth axiom.

In Coq, a metric space X is a dependent record containing
1. a type (called the carrier)
2. a ball relation on that type
3. a proof that this ball relation satisfies the above axioms.
The second projection function B returns the ball relation component of the metric space. I will write the metric space parameter in a superscript, as in B^X. I will not distinguish between a metric space and its carrier, so X will denote either a metric space or its carrier depending on the context. Sometimes an extended ball relation B̌^X : Q⁺∞ ⇒ X ⇒ X ⇒ ⋆ will be used where B̌^X_∞(a, b) always holds and reduces to B^X_ε(a, b) when ε < ∞.
A uniformly continuous function allows one to approximate the output from an approximation of the input. The usual definition for a function f : X ⇒ Y to be uniformly continuous is

    ∀ ε. ∃ δ. ∀ a b. B^X_δ(a, b) ⇒ B^Y_ε(f(a), f(b)).

The function mapping ε to δ is what Bishop and Bridges [1] call the modulus of continuity and is denoted by μ_f. (This is the inverse of what mathematicians usually call the modulus of continuity.)

It is advantageous to use a more general notion of modulus of continuity that can return ∞. This is used for bounded functions when the requested accuracy is wider than the bound on the function. For example, μ_sin(ε) = ∞ for 1 ≤ ε because sin(x)(ε) = 0 for all x. We also pull out the modulus of continuity in order to reason about it directly. Thus, we define a function f : X ⇒ Y to be uniformly continuous with modulus μ_f : Q⁺ ⇒ Q⁺∞ when

    ∀ a b ε. B̌^X_{μ_f(ε)}(a, b) ⇒ B^Y_ε(f(a), f(b)).

In Coq, a uniformly continuous function is a dependent record containing
1. a function f between two metric spaces
2. a modulus of continuity for f
3. a proof that f is uniformly continuous with the given modulus.
This means that μ is really the second projection function. Again, I will not distinguish between the uniformly continuous function f and its actual function. I will denote the type of uniformly continuous functions with the single bar arrow, as in X → Y.

We are now in a position to define regular functions over an arbitrary metric space X. A function x : Q⁺∞ ⇒ X is a regular function when

    ∀ ε₁ ε₂ : Q⁺. B^X_{ε₁+ε₂}(x(ε₁), x(ε₂)).

The function x is allowed to return anything when given ∞. Two regular functions are equivalent (x ≍ y) when their approximations are arbitrarily close to each other.

    ∀ ε₁ ε₂ : Q⁺. B^X_{ε₁+ε₂}(x(ε₁), y(ε₂))

Thus, a regular function is a function that is equivalent to itself under this relation. Regular functions form a metric space [14], C(X), where the ball relation B^{C(X)}_ε(x, y) is

    ∀ δ₁ δ₂ : Q⁺. B^X_{δ₁+ε+δ₂}(x(δ₁), y(δ₂)).

This states that x and y are within ε of each other when their approximations are almost within ε of each other.

The completion operator C forms a monad in the category of metric spaces and uniformly continuous functions between them [14]. The injection of X into C(X) is unit : X → C(X). The proof that a complete metric space is complete yields join : C(C(X)) → C(X). The function map : (X → Y) ⇒ C(X) → C(Y) lifts uniformly continuous functions to the complete space. Finally, bind : (X → C(Y)) ⇒ C(X) → C(Y) is defined in terms of map and join in the usual way.

    unit(a)(ε) := a
    join(x)(ε) := x(ε/2)(ε/2)
    map(f)(x)(ε) := f(x(μ̂_f(ε)/2))        (1)
    bind(f) := join ∘ map(f)

Here the function μ̂_f : Q⁺∞ ⇒ Q⁺∞ maps ∞ to ∞, and applies μ_f otherwise. In my previous work, I used a simpler definition of map

    map′(f)(x)(ε) := f(x(μ̂_f(ε))).        (2)

Unfortunately, this definition requires the additional assumption that X be a prelength space [14]. Recently, I inferred from Richman’s work [16] that map can be defined using equation (1) and works for all metric spaces if the modulus of continuity of map(f) is smaller than μ_f. Despite the above, in the common case that X is a prelength space, the definition of map′ in equation (2) is more efficient, and map′(f) has the same modulus of continuity as f. Because of this, I use map′ (and similarly bind′) throughout my work. I use map mostly for theoretical results.

3.2.2 Completion is a Strong Monad
Functions between two metric spaces form a metric space under the sup-norm. The ball relation between two functions B^{X→Y}_ε(f, g) is

    ∀ a. B^Y_ε(f(a), g(a))

Now the function map : (X → Y) → C(X) → C(Y) can be shown to be uniformly continuous [14]. By defining ap : C(X → Y) → C(X) → C(Y), higher arity maps such as map₂ : (X → Y → Z) → C(X) → C(Y) → C(Z) can be constructed.

    ap(f)(x)(ε) := map(f(ε/2))(x)(ε/2)
    map₂(f) := ap ∘ map(f)

Because the rational numbers Q are a metric space, the real numbers can be simply defined as the completion of Q.

    R := C(Q)

Uniformly continuous operations on the real numbers are defined by lifting their rational counterparts with map or map₂. This is how +_R and −_R are defined [14]. I find using monadic operators to define functions on R is easier than trying to define functions directly. It splits the problem into two parts. The first part is to define the function over Q, which is easier to work with because equality is decidable for Q. The second part is to prove that the function is uniformly continuous.

A real number x is non-negative when

    ∀ ε : Q⁺. −ε ≤_Q x(ε).

The not-greater-than relation on real numbers, x ≤_R y, means that y − x is non-negative. A real number x is positive when

    ∃ ε : Q⁺. unit(ε) ≤_R x

(recall that unit : Q → R). One real number is less than another, x <_R y, when y − x is positive. Two real numbers are apart, x ≶ y, when x < y ∨ y < x.

This definition of positivity differs from what would be analogous to Bishop and Bridges’s definition, ∃ ε : Q⁺. ε <_Q x(ε). Although the two definitions are equivalent, my definition above contains a rational number in ]0, x]. This is exactly the information that will be needed to compute x⁻¹ or ln(x) (Section 4.2). With Bishop and Bridges’s definition, one must compute x(ε) − ε, which is a potentially expensive calculation.
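As an added illustration of the two preceding sections (regular functions, the monad operations of equations (1) and (2), and the order relations on R := C(Q)), here is a Python model that is not the paper’s Coq code. A regular function is a Python callable from a positive rational to a rational; `sqrt2`, `scale`, `plus` and the names of the helpers are my own choices, and only the Q instance of the monad is modelled, so the moduli are plain rational functions rather than Q⁺∞-valued ones:

```python
from fractions import Fraction as Q
from math import isqrt
from typing import Callable

# Added example, not the paper's Coq code. A regular function x : Q+ -> Q is modelled as a
# Python callable; x(eps) lies within eps of the real it denotes, which is exactly what the
# regularity condition |x(e1) - x(e2)| <= e1 + e2 expresses.
Real = Callable[[Q], Q]


def ball(eps: Q, a: Q, b: Q) -> bool:
    """B_eps(a, b) on Q: the closed ball relation |a - b| <= eps."""
    return abs(a - b) <= eps


def is_regular(x: Real, precisions) -> bool:
    """Spot-check regularity, B_{e1+e2}(x(e1), x(e2)), over a finite list of precisions."""
    return all(ball(e1 + e2, x(e1), x(e2)) for e1 in precisions for e2 in precisions)


def dyadic_exponent(eps: Q) -> int:
    """Smallest k with 2^-k <= eps (assumed helper, not from the paper)."""
    k = 0
    while Q(1, 2 ** k) > eps:
        k += 1
    return k


def sqrt2() -> Real:
    """A genuinely irrational regular function: isqrt(2 * 4^k) / 2^k is within 2^-k <= eps of sqrt 2."""
    def approx(eps: Q) -> Q:
        k = dyadic_exponent(eps)
        return Q(isqrt(2 * 4 ** k), 2 ** k)
    return approx


# The monad operations of equation (1), specialised to X = Q.
def unit(a: Q) -> Real:
    """unit : Q -> C(Q); a rational needs no approximation."""
    return lambda eps: a


def join(xx: Callable[[Q], Real]) -> Real:
    """join : C(C(Q)) -> C(Q); join(x)(eps) = x(eps/2)(eps/2)."""
    return lambda eps: xx(eps / 2)(eps / 2)


def map_prime(f: Callable[[Q], Q], mu: Callable[[Q], Q], x: Real) -> Real:
    """map'(f)(x)(eps) = f(x(mu_f(eps))) of equation (2); sound because Q is a prelength space."""
    return lambda eps: f(x(mu(eps)))


def neg(x: Real) -> Real:
    """-_R x: negation lifted with the identity modulus."""
    return map_prime(lambda a: -a, lambda eps: eps, x)


def scale(c: Q, x: Real) -> Real:
    """c *_R x for a fixed rational c; the modulus is eps -> eps/|c| (infinite when c = 0)."""
    if c == 0:
        return unit(Q(0))
    return map_prime(lambda a: c * a, lambda eps: eps / abs(c), x)


def plus(x: Real, y: Real) -> Real:
    """x +_R y: each summand is approximated to eps/2, which is what map_2 built from ap
    and map' yields for rational addition (identity modulus in each argument)."""
    return lambda eps: x(eps / 2) + y(eps / 2)


def non_negative(x: Real, precisions) -> bool:
    """x is non-negative when for all eps, -eps <= x(eps); spot-checked on a finite list."""
    return all(-eps <= x(eps) for eps in precisions)


if __name__ == "__main__":
    x = sqrt2()
    print("2*sqrt(2) to 1/1000:", plus(x, x)(Q(1, 1000)))
    print("sqrt(2) - sqrt(2) is non-negative:", non_negative(plus(x, neg(x)), [Q(1, 10 ** i) for i in range(4)]))
```

The spot checks are finite, so they can refute regularity or non-negativity but not prove them; in the formalization those universally quantified conditions are carried as (opaque) proof components of the records, which is the point of separating the approximation function from its proof.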
Unfortunately not all functions that we want to consider are uniformly continuous. One can deal with continuous functions by noting that they are uniformly continuous on some collection of closed sub-domains that cover the whole space. For example, λa : Q. a² is uniformly continuous on [−c, c]. Thus, a real number x can be squared by finding some domain [−c, c] containing it and lifting (λa. (max(min(a, c), −c))²), which is uniformly continuous. In this case c can be chosen to be |x(1)| + 1. One can prove that the result is independent of the choice of c, so long as x ∈ [−c, c].

Evaluating a non-uniformly continuous function is potentially a costly operation. The input x must be approximated twice. The first approximation finds a domain to operate in, and the second approximation is used to evaluate the function. In practice, I have found that one often has a suitable domain lying around for the particular problem at hand. If that is the case, then x only needs to be approximated once.

Partial functions with open domains are handled in the same way as non-uniformly continuous functions. For example, λx. x⁻¹ is uniformly continuous on the domains [c, ∞[ and ]−∞, −c] (where 0 < c). One difference is that one cannot automatically find a domain containing x. One requires a proof that x is apart from 0. From such a proof, one can find a suitable domain containing x.

Partial functions with closed domains, such as λx. √x, can be extended to continuous total functions. I extend the square root function to return 0 for negative values. If one wishes, one can then restrict the lifted function to only accept non-negative inputs.

Transcendental functions are first defined from Q to R.
Once these functions are shown to be uniformly continuous (or otherwise using the techniques from the previous section), they are then lifted using bind to create functions from R to R.

Most elementary functions can be defined on some sub-domain by an alternating decreasing series. Inputs outside this domain can often be dealt with by using range reduction. Range reduction uses elementary identities to reduce inputs from a wider to a narrower domain [14]. For example, the alternating series

    Σ_{i=0}^{∞} (−1)^i a^{2i+1} / (2i + 1)!

computes sin(a), and is decreasing when a ∈ [−1, 1]. For a outside this interval, range reduction is performed by repeated application of the identity sin(a) ≍ 3 sin(a/3) − 4 sin³(a/3).

The value of an infinite alternating series is represented by a regular function that finds a partial sum having an error no more than ε. When an alternating series is decreasing, finding such a partial sum is easy because the last term also represents the error. One only needs to accumulate terms until a term becomes less than ε.

Coq will not accept a general recursive function that computes the above partial sum. It requires a proof of termination. This is done by computing an upper bound on the number of terms that will be needed. Strategies for doing this efficiently in Coq are discussed in Section 5.2.

The elementary functions sin, cos, and tan⁻¹ are defined as described in my previous publication [14]. The implementation of ln has been improved by defining it in terms of tanh⁻¹,

    ln(n/d) := tanh⁻¹((n − d)/(n + d)).

However, the input is still range reduced into [ , [ before using the above formula.

I have also implemented a function to sum sub-geometric series (a series where |a_{n+1}| ≤ r |a_n|). The error of the partial sums of these series is easy to compute from the last term and r. I now use this function to compute the exp(a) function for a ∈ ]0, ].
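The two summation strategies just described, as an added Python example rather than the paper’s Coq code: a decreasing alternating series is cut off when a term drops below ε (the omitted term bounds the tail), a sub-geometric series is cut off when the last term times r/(1 − r) is below ε, and sin uses the triple-angle identity for range reduction. The functions `alternating_sum`, `subgeometric_sum`, `sin_q` and `exp_unit` are my names; the factor 9 used to propagate the error through the range reduction is my own bound (the derivative of 3s − 4s³ on [−1, 1]), not the paper’s, and exp is taken on ]0, 1] as an assumption about the interval the page leaves blank:

```python
from fractions import Fraction as Q
from math import factorial
from typing import Callable

# Added example, not the paper's Coq code: eps-accurate partial sums over Q for the
# series of Section 4.3, i.e. what the regular function representing a series returns.


def alternating_sum(term: Callable[[int], Q], eps: Q) -> Q:
    """Partial sum of a decreasing alternating series to within eps.
    The tail after the last term added is bounded by the next (omitted) term,
    so we stop as soon as a term drops below eps."""
    total, i = Q(0), 0
    while True:
        t = term(i)
        if abs(t) < eps:
            return total          # |S - total| <= |t| < eps
        total += t
        i += 1


def subgeometric_sum(term: Callable[[int], Q], r: Q, eps: Q, checked_from: int = 0) -> Q:
    """Partial sum of a series with |a_{n+1}| <= r |a_n| for every n >= checked_from, 0 < r < 1.
    After adding a_n the tail is at most |a_n| (r + r^2 + ...) = |a_n| r / (1 - r)."""
    total, n = Q(0), 0
    while True:
        t = term(n)
        total += t
        if n >= checked_from and abs(t) * r / (1 - r) <= eps:
            return total
        n += 1


def sin_q(a: Q, eps: Q) -> Q:
    """sin(a) to within eps for rational a. The alternating series is decreasing on [-1, 1];
    larger |a| is range reduced with sin(a) = 3 sin(a/3) - 4 sin(a/3)^3."""
    if abs(a) <= 1:
        return alternating_sum(
            lambda i: Q((-1) ** i) * a ** (2 * i + 1) / factorial(2 * i + 1), eps)
    # g(s) = 3s - 4s^3 has |g'(s)| = |3 - 12 s^2| <= 9 on [-1, 1]. Both the true sin(a/3) and the
    # returned partial sum s lie in [-1, 1] (partial sums of a decreasing alternating series stay
    # between the first two), so an error of eps/9 in s gives an error of at most eps in g(s).
    s = sin_q(a / 3, eps / 9)
    return 3 * s - 4 * s ** 3


def exp_unit(a: Q, eps: Q) -> Q:
    """exp(a) to within eps for 0 < a <= 1 (assumed domain): the terms a^n/n! satisfy
    a_{n+1}/a_n = a/(n+1) <= 1/2 once n >= 1, so r = 1/2 is a valid ratio from term 1 on."""
    assert 0 < a <= 1
    return subgeometric_sum(lambda n: a ** n / factorial(n), Q(1, 2), eps, checked_from=1)


if __name__ == "__main__":
    print("sin(5) ~", float(sin_q(Q(5), Q(1, 10 ** 6))))
    print("e ~", float(exp_unit(Q(1), Q(1, 10 ** 6))))
```

Note that `alternating_sum` returns the partial sum without the first small term, which is why its error is strictly below ε; the termination argument that Coq demands (an upper bound on the number of terms) is exactly what the unbounded `while True` loops here leave implicit.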
Without intervention, the numerators and denominators of rational numbers occurring in real number computations become too large for practical computation. To help prevent this, I defined a compression operation for real numbers.

    compress(x)(ε) := approx_Q(x(ε/2), ε/2)

where approx_Q(a, δ) returns some rational number within δ of a. The idea is that approx_Q(a, δ) quickly computes a rational number close to a but having a smaller numerator and denominator. In my implementation, I return b/n, where n is the smallest power of 2 greater than the denominator of δ, and b is chosen appropriately so that the result is within δ of a. The compress function is equivalent to the identity function on R.

    compress(x) ≍ x

By liberally inserting compress into one’s expressions, one can often dramatically improve the efficiency of real number calculations. I am considering adding a call to compress with every use of map or bind so that the user does not need to add these calls themselves. Too many calls to compress can harm performance but perhaps not enough to cause worry.
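The compression operation above, as an added Python example that is not the paper’s Coq code. `approx_q` follows the recipe stated in the text (n the smallest power of 2 above the denominator of δ, b the nearest integer to a·n); the regular function `ln2`, whose partial sums have denominators growing like lcm(1..k), is a constructed input chosen to make the denominator blow-up visible, and the function names are mine:

```python
from fractions import Fraction as Q
from typing import Callable

# Added example, not the paper's Coq code: approx_Q and compress over Python closures
# standing in for regular functions.
Real = Callable[[Q], Q]


def approx_q(a: Q, delta: Q) -> Q:
    """Return b/n within delta of a, where n is the smallest power of 2 greater than the
    denominator of delta and b = round(a * n). For delta = p/q we have n > q, so the
    rounding error 1/(2n) is below 1/(2q) <= delta."""
    n = 1
    while n <= delta.denominator:
        n *= 2
    b = round(a * n)          # round() on a Fraction yields the nearest integer
    return Q(b, n)


def compress(x: Real) -> Real:
    """compress(x)(eps) = approx_Q(x(eps/2), eps/2); within eps of the same real as x."""
    return lambda eps: approx_q(x(eps / 2), eps / 2)


def ln2() -> Real:
    """Constructed input: ln 2 as the alternating series sum_i (-1)^i / (i+1).
    Its partial sums have denominators dividing lcm(1..k), which grow quickly."""
    def approx(eps: Q) -> Q:
        k = 0
        while Q(1, k + 1) >= eps:     # the next term 1/(k+1) bounds the error
            k += 1
        return sum((Q((-1) ** i, i + 1) for i in range(k)), Q(0))
    return approx


def denominator_growth(eps: Q):
    """Denominators of the raw and the compressed ln 2 approximation at precision eps."""
    x = ln2()
    return x(eps).denominator, compress(x)(eps).denominator


if __name__ == "__main__":
    raw, small = denominator_growth(Q(1, 100))
    print("raw denominator has", len(str(raw)), "digits; compressed denominator is", small)
```

Both approximations are within 1/100 of ln 2, but the compressed one has a denominator dividing 256, which is the whole point: compress trades nothing in accuracy for a large reduction in the size of the rationals that flow into subsequent operations.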
The theory of metric spaces and real numbers described in Sections 3 and 4 has been formalized in the Coq proof assistant. I developed functions and proofs simultaneously. I did not extract functions from constructive proofs, nor did I write functions entirely separately from their proofs of correctness. Proofs and functions are often mixed together, such as in the dependent records of metric spaces, uniformly continuous functions, and regular functions.
A mixture of proofs and functions can still be efficient to evaluate by taking care to write the functional aspects efficiently and ensuring that the non-functional aspects are declared opaque. Declaring lemmas as opaque prevents call-by-value evaluation from normalizing irrelevant proofs. I used Coq’s Prop/Set distinction (two different universes of types) to assist in the separation of these concerns [4]. Types that have at most one member (extensionally) are proof-irrelevant and go into Prop. Lemmas having these types are declared opaque. Types that may have more than one member go into Set, and objects of such types are kept transparent. This criterion means that I use the Set based sum and dependent pair types for the constructive disjunction and constructive existential quantifier.

When proving a constructive existential goal, one has to deal with both Prop and Set during a proof. The existential lives in Set, but after supplying the witness, a Prop based proof obligation remains. The witness needs to be transparent, but the proof obligation should be opaque. It is best to try and separate these two parts into two different definitions, one transparent and one opaque. However, in some instances I make the entire development transparent, but I mark the proof obligation part with Coq’s abstract tactic. The abstract tactic automatically defines an opaque lemma containing the marked part of the proof and places this lemma into the proof object. Thus, the marked part is never evaluated.
One of the more challenging aspects of the formalization was computing the infinite series defined in Section 4.3 in an efficient manner. In order to convince Coq that the procedure of accumulating terms until the error becomes sufficiently small terminates, I provided Coq with an upper bound on the number of terms that would be required. I tried two different methods to accomplish this.

The first method computes an upper bound on the number of terms needed as a Peano natural number. The problem is that the call-by-value evaluation scheme used by Coq’s virtual machine would first compute this value before computing the series. This upper bound is potentially extremely large, it is encoded in unary, and only a few terms may actually be needed in the computation. The solution to this problem was to create a lazy natural number using the standard trick of placing a function from the unit type inside the constructor.
    Inductive LazyNat : Set :=
    | LazyO : LazyNat
    | LazyS : (unit -> LazyNat) -> LazyNat.
Figure 1. Inductive definition of lazy natural numbers
The lambda expressions inside the lazy natural numbers delay the evaluation of the call-by-value scheme. With some care, only the number of constructors needed for the recursion are evaluated.
The second method, suggested by Benjamin Grégoire, is to compute the number of terms needed as a binary number. This prevents the term from becoming too big. It is possible to do recursion over the binary natural numbers such that two recursive calls are made with the output of one recursive call being threaded through the other. In this way, up to n recursive calls can be made even though only lg n constructors are provided by the witness of termination. In the simplified example below, the function F is iterated up to n times. Continuation passing style is used to thread the recursive calls.

    Variable A R : Type.
    Variable F : (A -> R) -> A -> R.
    Fixpoint iterate_pos (n:positive) (cont: A -> R) : A -> R :=
    match n with
    | xH => F cont
    | xO n' => iterate_pos n' (fun a => iterate_pos n' cont a)
    | xI n' => F (fun a => (iterate_pos n' (fun a => iterate_pos n' cont a)) a)
    end.
Figure 2. The Coq function iterate_pos iterates F up to n times, using continuation passing style.

The η-expansion of the continuations in the above definition is important; otherwise the virtual machine would compute the value of the iterate_pos n' cont calls before reducing F. This is important because F may not utilize its recursive call depending on the value of a. In such a case, we do not want the recursive call to be evaluated.

A common definition of π is 4 tan⁻¹(1). This is an inefficient way of computing π because the series for tan⁻¹(1) converges slowly. One can more efficiently compute π by calling tan⁻¹ with smaller values [18]. I chose an optimized formula for π from a list [19]:
    π := 176 tan⁻¹(1/57) + 28 tan⁻¹(1/239) − 48 tan⁻¹(1/682) + 96 tan⁻¹(1/12943)

This formula can easily be shown to be equivalent to 4 tan⁻¹(1) by repeated application of the arctangent sum law: if a, b ∈ ]−1, 1[ then

    tan⁻¹(a) + tan⁻¹(b) ≍ tan⁻¹((a + b)/(1 − ab))

To apply the arctangent sum law, one needs to verify that a and b lie in ]−1, 1[. To solve this, I wrote a Coq function to iterate the function f(b) := (a + b)/(1 − ab), and at each step verify that the result is in the interval ]−1, 1[. This function, called ArcTan_multiple, has type

    ∀ a : Q. −1 < a < 1 ⇒ ∀ n. ⊤ ∨ (n tan⁻¹(a) ≍ tan⁻¹(f^(n)(0)))

It is easy to build a function of the above type that just proves ⊤ in all cases, but ArcTan_multiple tries to prove the non-trivial result if it can. To apply this lemma I use a technique called reflection. The idea is to evaluate the
ArcTan_multiple(a, r, n) into head normal form. This will yield either left(q) or right(p). If right(p) is returned then p is the proof we want.

My first attempt at building a tactic to implement this did not work well. I used Coq’s eval hnf command to reduce my expression to head normal form. However, this command repeatedly calls simpl to expose a constructor instead of using the evaluation mechanism directly. The problem was that simpl does extra reductions that are not necessary to get head normal form, so using eval hnf was too time consuming.

Instead, I built a reflection lemma, called reflect_right, to assist in applying the ArcTan_multiple function:

    ∀ z : A ∨ B. (if z then ⊥ else ⊤) ⇒ B

This simple lemma does case analysis on z. If z contains a proof of A, it returns a proof of ⊥ ⇒ B. If z contains a proof of B, it returns a proof of ⊤ ⇒ B. To prove n tan⁻¹(a) ≍ tan⁻¹(f^(n)(0)) for the example a and n, reflect_right is composed with ArcTan_multiple to reduce the goal to if (ArcTan_multiple(a, ∗, n)) then ⊥ else ⊤, where ∗ is the trivial proof of −1 < a < 1. Then one normalizes this expression using lazy evaluation to either ⊤, if ArcTan_multiple succeeds, or ⊥, if it fails.

There are two ways to prove that functions are correct. One way is to prove that they satisfy some uniquely defining properties. The other way is to prove that the functions are equivalent to a given reference implementation. I have verified that my elementary functions are equivalent to the corresponding functions defined in the CoRN library [3]. The functions in the CoRN library can be seen to be correct from the large library of theorems available about them. The CoRN library contains many different characterizations of these functions and new characterizations can easily be developed.

The CoRN library defines a real number structure as a complete, ordered, Archimedean field. My first step was to prove that my operations form a real number structure.
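Before continuing with the real number structure, here is the computation that ArcTan_multiple (Section 5.3) performs, as an added Python example that is not the paper’s Coq code. Iterating f(b) = (a + b)/(1 − ab) from 0 in exact rational arithmetic tracks tan(n·tan⁻¹(a)), and each iterate is checked against ]−1, 1[ exactly as the text describes; the combination step then applies the arctangent sum law. The arguments 1/57, 1/239, 1/682 and 1/12943 are the standard Størmer ones matching the coefficients on the page (divided by 4 to target tan⁻¹(1) rather than π), the combination order is my choice so that every partial angle stays below π/4, and the function names are mine:

```python
from fractions import Fraction as Q
from typing import Optional

# Added example, not the paper's Coq code: the exact rational check behind ArcTan_multiple
# and the arctangent sum law. All arithmetic is in Q, so a successful run is a certificate,
# not a floating-point estimate.


def in_open_unit_interval(b: Q) -> bool:
    return -1 < b < 1


def arctan_sum_arg(a: Q, b: Q) -> Optional[Q]:
    """c with atan(a) + atan(b) = atan(c) by the sum law; None if a or b is outside ]-1, 1[."""
    if not (in_open_unit_interval(a) and in_open_unit_interval(b)):
        return None
    return (a + b) / (1 - a * b)


def arctan_multiple(a: Q, n: int) -> Optional[Q]:
    """Rational b with n * atan(a) = atan(b), checking every iterate as ArcTan_multiple does.
    None when a check fails (the Coq function then only proves the trivial disjunct)."""
    if not in_open_unit_interval(a):
        return None
    b = Q(0)
    for _ in range(n):
        b = arctan_sum_arg(a, b)
        if b is None or not in_open_unit_interval(b):
            return None
    return b


def stormer_pi_over_4() -> Optional[Q]:
    """Combine 44 atan(1/57) - 12 atan(1/682) + 7 atan(1/239) + 24 atan(1/12943), i.e. the
    page's formula divided by 4, in an order keeping every partial angle below pi/4.
    The exact result is tan(pi/4), so the check succeeds only if it comes out as 1."""
    parts = [(44, Q(1, 57)), (-12, Q(1, 682)), (7, Q(1, 239)), (24, Q(1, 12943))]
    total = Q(0)
    for n, a in parts:
        b = arctan_multiple(a, abs(n))
        if b is None:
            return None
        if n < 0:
            b = -b                # atan is odd: -atan(b) = atan(-b)
        total = arctan_sum_arg(total, b)
        if total is None:
            return None
    return total


if __name__ == "__main__":
    print("tan(pi/4) from the Stormer combination:", stormer_pi_over_4())
    print("3 * atan(1/2) leaves ]-1, 1[:", arctan_multiple(Q(1, 2), 3))
```

The failing case is instructive: 2·tan⁻¹(1/2) already exceeds π/4, so the second iterate (4/3) leaves the interval and the function reports failure instead of silently producing a rational that no longer satisfies the identity. That is the same distinction the reflection lemma turns into ⊤ versus ⊥.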
I first attempted to directly show that my real numbers satisfy all the axioms of a real number structure, but this approach was difficult. Instead, I created an isomorphism between my real numbers and the existing model of the real numbers developed by Niqui [6]. This was a much easier approach because Niqui’s Cauchy sequence definition and my regular function definition are closely related. With this isomorphism in place, I proved my operations satisfied the axioms of a real number structure by passing through the isomorphism and using Niqui’s existing lemmas. Niqui has also proved that all real number structures are isomorphic, so I can create an isomorphism between my real numbers and any other real number structure.

The next step was to define my elementary functions and prove that they are equivalent to the corresponding CoRN functions. These theorems are of the form

    Φ(f_CoRN(x)) ≍ f(Φ(x))

where Φ is the isomorphism from CoRN’s real numbers to my real numbers.

To aid in converting statements between different representations of real numbers, I have created a rewrite database that contains the correctness lemmas. By rewriting with this database, expressions can be automatically converted from CoRN’s real numbers into my real numbers. This database can easily be extended with more functions in the future.

The CoRN library was more than just a specification; this library was useful throughout my development. For example, I was often able to prove that a differentiable function f is uniformly continuous with modulus λε. ε/M when M is a bound on the derivative of f. I could prove this because the theory of derivatives had already been developed in CoRN. The CoRN library also helped me reduce the problem of proving the correctness of continuous functions on R to proving correctness only on Q.

Whether a strict inequality holds between real numbers is semi-decidable. This question can be reduced to proving that some expression e : R is positive.
To prove e is positive one must find an ε : Q⁺ such that unit(ε) ≤ e. I wrote a tactic to automate the search for such a witness. It starts with an initial δ : Q⁺, and computes to see if e(δ) − δ is positive. If it is positive, then e(δ) − δ is such a witness; otherwise δ is halved and the process is repeated. If e ≍ 0, then this process will never terminate. If e < 0, then the tactic will notice that e(δ) + δ is negative and terminate with an error indicating that e is negative.

This tactic has been combined with the rewrite database of correctness lemmas to produce a tactic that solves strict inequalities of closed expressions over CoRN’s real numbers. This allows users to work entirely with CoRN’s real numbers. They need never be aware that my effective real numbers are running behind the scenes.

Recently Cezary Kaliszyk has proved that Coq’s classical real numbers (from the standard library) form a CoRN real number structure, and he has shown that Coq’s elementary functions are equivalent to CoRN’s. Now strict inequalities composed from elementary functions over Coq’s classical real numbers can automatically be solved.

The tactic currently only works for expressions composed from total functions. Partial functions with open domains pose a problem because proof objects witnessing, for example, that x is positive for ln(x) must be transparent for computation. However, proof objects for CoRN functions are opaque, and Coq’s classical functions have no proof objects. The required proof objects are proofs of strict inequalities, so I am developing a tactic that recursively solves these strict inequalities and creates transparent proof objects. This will allow one to prove strict inequalities over expressions that include partial functions such as ln and λx. x⁻¹.

Coq does not have quotient types. Setoids are used in place of quotient types. A setoid is a type associated with an equivalence relation on that type.
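The witness search of the strict-inequality tactic described above, as an added Python example rather than the paper’s Ltac code. The halving loop follows the text exactly: e(δ) − δ > 0 yields a witness, e(δ) + δ < 0 is reported as an error, and an e equivalent to 0 would loop forever, so the `max_halvings` cap (my addition, not part of the tactic) turns that non-termination into an explicit undecided result. `dyadic_sqrt` is a constructed regular function used as input, and all function names are mine:

```python
from fractions import Fraction as Q
from math import isqrt
from typing import Callable, Optional

# Added example, not the paper's tactic: the positivity witness search over Python closures
# standing in for regular functions e : Q+ -> Q.
Real = Callable[[Q], Q]


def dyadic_sqrt(n: int) -> Real:
    """Constructed input: sqrt(n) as a regular function, isqrt(n * 4^k) / 2^k with 2^-k <= eps."""
    def approx(eps: Q) -> Q:
        k = 0
        while Q(1, 2 ** k) > eps:
            k += 1
        return Q(isqrt(n * 4 ** k), 2 ** k)
    return approx


def minus_rational(x: Real, q: Q) -> Real:
    """x - q: subtracting a rational needs no extra precision."""
    return lambda eps: x(eps) - q


def positivity_witness(e: Real, delta: Q = Q(1), max_halvings: int = 200) -> Optional[Q]:
    """Search for eps with unit(eps) <= e. Since e(delta) is within delta of e,
    e(delta) - delta > 0 proves e positive with that value as witness, and
    e(delta) + delta < 0 proves e negative (raised as an error, as the tactic does).
    If e is equivalent to 0 neither test ever fires; max_halvings then returns None."""
    for _ in range(max_halvings):
        approx = e(delta)
        if approx - delta > 0:
            return approx - delta
        if approx + delta < 0:
            raise ValueError("expression is negative")
        delta /= 2
    return None


def verdict(e: Real, **kw) -> str:
    """Summarise the three outcomes: a witness found, a negativity error, or no decision."""
    try:
        w = positivity_witness(e, **kw)
    except ValueError:
        return "negative"
    return "undecided" if w is None else "positive"


def strict_less(x: Real, y: Real, **kw) -> Optional[Q]:
    """x <_R y reduces to y - x being positive; returns the witness found (eps/2 per operand)."""
    return positivity_witness(lambda eps: y(eps / 2) - x(eps / 2), **kw)


if __name__ == "__main__":
    e = minus_rational(dyadic_sqrt(2), Q(7, 5))
    print("witness for sqrt(2) - 7/5 > 0:", positivity_witness(e))
    print("verdict for 7/5 - sqrt(2):", verdict(lambda eps: Q(7, 5) - dyadic_sqrt(2)(eps)))
```

The witness returned is a rational strictly below the true value of e, so it is exactly the kind of transparent proof object the text says partial functions such as ln need; a witness produced from a coarse δ is small but still valid, and the search stops at the first δ that decides the question rather than at the tightest one.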
A framework for working with setoids is built into Coq. Coq allows one to associate an equivalence relation with a type and register functions as morphisms by proving they are well-defined with respect to the given equivalence relations. Coq allows you to substitute terms with other equivalent terms in expressions composed from morphisms. Coq automatically creates proof objects validating these substitutions.

Setoids have some advantages over quotient types. Some functions, most notably the function that approximates real numbers, are not well-defined with respect to the equivalence relation—two equivalent real numbers may compute different approximations. It is unclear how one would support these functions if a system with quotient types was used.

Support for setoids was invaluable for development; however, I encountered some difficulties when dealing with convertible types. The types CR, Complete Q_as_MetricSpace, and cs_crr CRasCRing, where cs_crr retrieves the carrier type, are all convertible. They are equivalent as far as the underlying type theory is concerned, but Coq’s tactics work on the meta-level where these terms are distinguishable. The setoid system does not associate the equivalence relation on the real numbers with all of these various forms of the same type. Adding type annotations was not sufficient; they were simplified away by Coq. Instead, I used an identity function to force the types into a suitable form:
Definition ms_id (m:MetricSpace) (x:m) : m := x.
The setoid system is being reimplemented in the upcoming Coq 8.2 release. Therefore, some of these issues may no longer apply.
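The δ-halving witness search described above, as an added example rather than the paper's own Coq tactic: real numbers are modelled as regular functions over exact rationals (Python's Fraction standing in for Q), a few such functions are built (rational constants, the square root of a rational, addition and subtraction), and the search inspects the enclosure [e(δ) − δ, e(δ) + δ] at each step, which is the interval reading of a regular function mentioned in the related work. The function names (rational, sqrt_rational, interval, find_positive_witness) are this example's own choices. Because the search never terminates when e ≍ 0, the example bounds the number of halvings and reports an undecided result; that bound is an added safeguard, not part of the tactic.

```python
from fractions import Fraction
from math import isqrt
from typing import Callable, Tuple

# Added example (not the paper's Coq code). A real number is modelled, as in
# the paper, by a regular function: given a rational eps > 0 it returns a
# rational within eps of the real it denotes. Fraction stands in for Coq's Q;
# the function names below are this example's own choices.
Real = Callable[[Fraction], Fraction]


def rational(q) -> Real:
    """The real number denoted by a rational: every approximation is exact."""
    q = Fraction(q)
    return lambda eps: q


def sqrt_rational(r) -> Real:
    """Square root of a non-negative rational r = p/q as a regular function.

    For a requested eps we pick an integer n >= 1/eps and return
    isqrt(p*q*n*n) / (q*n).  Since isqrt floors, this under-approximates
    sqrt(p/q) = sqrt(p*q)/q by less than 1/(q*n) <= eps.
    """
    r = Fraction(r)
    if r < 0:
        raise ValueError("square root of a negative rational")
    p, q = r.numerator, r.denominator

    def approx(eps: Fraction) -> Fraction:
        eps = Fraction(eps)
        n = max(1, -(-eps.denominator // eps.numerator))  # ceil(1/eps)
        return Fraction(isqrt(p * q * n * n), q * n)

    return approx


def add(x: Real, y: Real) -> Real:
    """x + y: each summand is asked for half of the error budget."""
    return lambda eps: x(Fraction(eps) / 2) + y(Fraction(eps) / 2)


def neg(x: Real) -> Real:
    """-x: negating an eps-approximation of x gives an eps-approximation of -x."""
    return lambda eps: -x(eps)


def sub(x: Real, y: Real) -> Real:
    return add(x, neg(y))


def interval(x: Real, eps: Fraction) -> Tuple[Fraction, Fraction]:
    """The enclosure [x(eps) - eps, x(eps) + eps] that a regular function
    yields for its real number."""
    eps = Fraction(eps)
    a = x(eps)
    return a - eps, a + eps


def find_positive_witness(e: Real, delta=Fraction(1),
                          max_halvings: int = 40) -> Tuple[str, Fraction]:
    """Search for a rational witness that the real e is positive.

    Mirrors the paper's tactic: if e(delta) - delta is positive it is the
    witness (unit(witness) <= e); if e(delta) + delta is negative then e is
    negative; otherwise delta is halved and the step repeated.  The paper's
    tactic loops forever when e is zero, so this version gives up after
    max_halvings halvings and reports "unknown" (an added safeguard).
    """
    delta = Fraction(delta)
    for _ in range(max_halvings + 1):
        lo, hi = interval(e, delta)
        if lo > 0:
            return ("positive", lo)
        if hi < 0:
            return ("negative", hi)
        delta /= 2
    return ("unknown", delta)


if __name__ == "__main__":
    sqrt2 = sqrt_rational(2)
    print(find_positive_witness(sub(sqrt2, rational(Fraction(7, 5)))))
    print(find_positive_witness(sub(sqrt2, rational(Fraction(3, 2)))))
    print(find_positive_witness(sub(sqrt2, sqrt2), max_halvings=20))
```

On √2 − 7/5 the search settles at δ = 1/128 with the witness 1/160: since (7/5 + 1/160)² = 1.40625² < 2, the witness really is a lower bound on the expression. On √2 − 3/2 the upper end of the enclosure turns negative at δ = 1/16, the analogue of the tactic's "e is negative" error. On √2 − √2 every enclosure is [−δ, δ], so only the halving cap stops the loop.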
Table 1 shows examples of real number expressions that can be approximated. Approximations of these expressions were evaluated to within 10^(−…) on a 1.4 GHz ThinkPad X40 laptop using Coq's vm_compute command for computing with its virtual machine. These examples are taken from the “Many Digits” friendly competition problem set [13].

Coq expression | Mathematical expression | Time | Result | Error
CRsqrt (compress (rational_exp (1)) * compress (CRinv_pos (3 … | √(e … π …) | | |
sin (compress (CRpower_positive 3 (translate (1 … | sin((e + 1)^3) | 25 sec | 0.90949524105726624718 | 10^(−…)
exp (compress (exp (compress (rational_exp (1 … | exp(exp(exp(…))) | 146 sec | 181.33130360854569351505 | 10^(−…)

Table 1. Timings of approximations of various real number expressions.
Related Work
Julien is developing an implementation of real numbers in Coq using co-inductive streams of digits [11]. This representation allows common subexpressions to be easily shared because streams naturally memoize. Sharing does not work as well with my representation because real numbers are represented by functions; one would require additional structure to reuse approximations between subexpressions. Julien also uses the new machine integers implementation in Coq's virtual machine to make his computations even faster. It remains to be seen whether using machine integers would provide a similar boost in my implementation.

Cruz-Filipe implemented CoRN's library of theorems and functions over the real numbers in Coq [2]. His implementation forms the reference specification of my work. Although his implementation is constructive, it was never designed for evaluation [5]: many important definitions are opaque, and efficiency of computation was not a concern during development. Cruz-Filipe showed that it is practical to develop a constructive theory of real analysis inside Coq. My work extends this result to show that it is also possible to develop a theory of real analysis that is practical to evaluate.

Muñoz and Lester implemented a system for approximating real number expressions in PVS [12]. Their system uses rational interval analysis for doing computation on monotone segments of transcendental functions. Unfortunately, this leads to some difficulties when reasoning at a local minimum or maximum, so their system cannot automatically prove … < sin(π …), for instance.

Harrison implemented a system to approximate real number expressions in HOL Light [9]. His system runs a tactic that externally computes an approximation to an expression and generates a proof that the approximation is correct. If such a technique were implemented for Coq, it would generate large proof objects.
This is not an issue in HOL Light, where proof objects are not kept.

Jones created a preliminary implementation of real numbers and complete metric spaces in LEGO [10]. She represented real numbers as a collection containing arbitrarily small intervals of rational numbers that all intersect. Complete metric spaces were similarly represented by using balls in place of intervals. Because the only way of getting an interval from the collection is by using the arbitrarily small interval property, her representation could have been simplified by removing the collection and letting it implicitly be the image of a function that produces arbitrarily small intervals. This is similar to my work because one can interpret a regular function f as producing the interval [f(ε) − ε, f(ε) + ε]. Perhaps using functions that return intervals could improve computation by allowing one to see that an approximation may be more accurate than requested.

My work is largely based on Bishop and Bridges's work [1]. Some definitions have been modified to make the resulting functions more efficient. My definition of a metric space is more general; it does not require that the distance function be computable. The original motivation for the ball relation was only to develop a theory of metric spaces that did not presuppose the existence of the real numbers; however, it allows me to form a metric space of functions. This metric space does not have a computable distance function in general and would not be a metric space according to Bishop and Bridges's definition.

Conclusion

We have seen a novel definition of a metric space using a ball relation. We have seen how to create an effective representation for complete metric spaces and seen that the completion operation forms a monad. Using this monad, we defined the real numbers and used the monad operations to define effective functions on the real numbers. This theory has been formalized in Coq, and the elementary functions have been proved correct. Real number expressions can be approximated to any precision by evaluation inside Coq. Finally, a tactic was developed to automatically prove strict inequalities over closed real number expressions.

After completing the Haskell prototype and after writing up detailed paper proofs [14], it took about five months of work to complete the Coq formalization. This preparation allowed for a smooth formalization experience. Only a few minor errors were found in the paper proofs. These errors mostly consisted of failing to consider cases when ε may be too large, and they were easy to resolve.

My results show that one can implement constructive mathematics such that the resulting functionality can be efficiently executed. This may be seen as the beginning of the realization of Bishop's program to see constructive mathematics as a programming language.

Bibliography

[1] Errett Bishop and Douglas Bridges.
Constructive Analysis. Number 279 in Grundlehren der mathematischen Wissenschaften. Springer-Verlag, 1985.
[2] L. Cruz-Filipe. Constructive Real Analysis: a Type-Theoretical Formalization and Applications. PhD thesis, University of Nijmegen, April 2004.
[3] L. Cruz-Filipe, H. Geuvers, and F. Wiedijk. C-CoRN: the constructive Coq repository at Nijmegen. In A. Asperti, G. Bancerek, and A. Trybulec, editors, Mathematical Knowledge Management, Third International Conference, MKM 2004, volume 3119 of LNCS, pages 88–103. Springer-Verlag, 2004.
[4] L. Cruz-Filipe and B. Spitters. Program extraction from large proof developments. In D. Basin and B. Wolff, editors, Theorem Proving in Higher Order Logics, 16th International Conference, TPHOLs 2003, volume 2758 of LNCS, pages 205–220. Springer-Verlag, 2003.
[5] Luís Cruz-Filipe and Pierre Letouzey. A large-scale experiment in executing extracted programs. Electr. Notes Theor. Comput. Sci., 151(1):75–91, 2006.
[6] Herman Geuvers and Milad Niqui. Constructive reals in Coq: Axioms and categoricity. In Paul Callaghan, Zhaohui Luo, James McKinna, and Robert Pollack, editors, TYPES, volume 2277 of Lecture Notes in Computer Science, pages 79–95. Springer, 2000.
[7] Georges Gonthier. A computer-checked proof of the four colour theorem. Technical report, Microsoft Research Cambridge, 2005.
[8] Thomas C. Hales. A computer verification of the Kepler conjecture. In Proceedings of the International Congress of Mathematicians, Vol. III (Beijing, 2002), pages 795–804, Beijing, 2002. Higher Ed. Press.
[9] John Harrison. Theorem Proving with the Real Numbers. Springer-Verlag, 1998.
[10] Claire Jones. Completing the rationals and metric spaces in LEGO. In Papers presented at the second annual Workshop on Logical environments, pages 297–316, New York, NY, USA, 1993. Cambridge University Press.
[11] Nicolas Julien. Certified exact real arithmetic using co-induction in arbitrary integer base. In Functional and Logic Programming Symposium (FLOPS), LNCS. Springer, 2008.
[12] C. Muñoz and D. Lester. Real number calculations and theorem proving. In J. Hurd and T. Melham, editors, Proceedings of the 18th International Conference on Theorem Proving in Higher Order Logics, TPHOLs 2005, volume 3603 of Lecture Notes in Computer Science, pages 195–210, Oxford, UK, 2005. Springer-Verlag.
[13] Milad Niqui and Freek Wiedijk. The “Many Digits” friendly competition 2005.
[14] Russell O’Connor. A monadic, functional implementation of real numbers. Mathematical Structures in Comp. Sci., 17(1):129–159, 2007.
[15] A. M. Odlyzko and H. J. J. te Riele. Disproof of the Mertens conjecture. J. Reine Angew. Math., 357:138–160, 1985.
[16] Fred Richman. Real numbers and other completions. Math. Log. Q., 54(1):98–108, 2008.
[17] The Coq Development Team. The Coq Proof Assistant Reference Manual – Version V8.0, April 2004. http://coq.inria.fr.
[18] Eric W. Weisstein. Machin-like formulas. http://mathworld.wolfram.com/Machin-LikeFormulas.html, January 2004. From MathWorld–A Wolfram Web Resource.
[19] Roy Williams. Arctangent formulas for PI, December 2002.