The Size-Change Principle for Mixed Inductive and Coinductive types
TTHE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE ANDCOINDUCTIVE TYPES
PIERRE HYVERNATUniversit´e Grenoble Alpes, Universit´e Savoie Mont Blanc, CNRS, LAMA, 73000 Chamb´ery, France. e-mail address : [email protected]
URL : http://lama.univ-savoie.fr/˜hyvernat/ Abstract.
This paper describes how to use Lee, Jones and Ben Amram’s size-changeprinciple to check correctness of arbitrary recursive definitions in an ML / Haskell likeprogramming language. The main point is that the size-change principle isn’t only usedto check termination, but also productivity for infinite objects. The main point is thatthe resulting principle is sound even in the presence of arbitrary nestings of inductive andcoinductive types. A small prototype has been implemented and gives a practical argumentin favor of this principle.This work relies on a characterization of least and greatest fixed points as sets of winningstrategies for parity games that was developed by L. Santocanale in his work on circularproofs.Half of the paper is devoted to the proof of correctness of the criterion, which relieson an untyped extension of the language’s denotational semantics to a domain of valuesextended with non-deterministic sums. We can recast all the syntactical constructions inthis domain and check they are semantically sound.
Contents
Introduction 2Related Works 3Plan of the Paper 61. The Language and its Semantics 61.1. Values 61.2. Type Definitions 71.3. Semantics in Domains 81.4. Semantics in Domains with Totality 91.5. Recursive Definitions 102. Combinatorial Description of Totality 122.1. Parity Games 132.2. Parity Games from Types 142.3. Forgetting Types 173. Call-Graph and Totality 173.1. Introduction 17Received by the editors January 25, 2019.
Key words and phrases: coinductive types; nested fixed points; size-change principle; functional program-ming; recursive definitions.
Preprint submitted toLogical Methods in Computer Science c (cid:13)
Pierre Hyvernat CC (cid:13) Creative Commons a r X i v : . [ c s . L O ] J a n PIERRE HYVERNAT
Introduction
Inductive types (also called algebraic datatypes) have been a cornerstone for typed functionalprogramming: Haskell and Caml both rely heavily on those. One mismatch between thetwo languages is that Haskell is lazy while Caml is strict . A definition like val nats : nat -> nat| nats n = n::(nats (n+1)) is useless (but valid) in Caml because the evaluation mechanism will try to evaluate itcompletely (call-by-value evaluation). In Haskell, because evaluation is lazy (call-by-need),such a definition can be used productively. Naively, it seems that types in Caml correspondto “least fixed points” while they correspond to “greatest fixed points” in Haskell.The aim of this paper is to introduce a language, called chariot , where the distinctionbetween least and greatest fixed points makes sense and where one can define datatypes withan arbitrary nesting of polarities. To allow a familiar programming experience, definitionsare not restricted: any (well-typed) recursive definition is allowed. In particular, it is possibleto write badly behaved definitions like val f : nat -> nat| f 0 = 1| f (n+1) = f(f n) To guarantee that a definition is correct, two-steps are necessary:(1) Hindley-Milner type-checking [Mil78] to guarantee that evaluation doesn’t provokeruntime errors,(2) a totality test to check that the defined function respects the fixed points polaritiesinvolved in its type. The examples in the paper are all given using the syntax of chariot which is briefly described insections 1.2 and 1.5. A prototype implementation in Caml is available from https://github.com/phyver/chariot . HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 3
The second point generalizes a previous termination checker [Hyv14]: when no coinductivetype is involved, totality amount to termination. It is important to keep in mind that anydefinition that passes this test is guaranteed to be correct but there are correct definitionsthat are rejected. In a programming context, the result of this second step can be ignoredwhen the programmer (thinks he) knows better. In a proof-assistant context however, itcannot be ignored: non total definitions can lead to inconsistencies. The most obviousexample is the definition val undefined = undefined which is non-terminating but belongs to all types, even the empty one! There are subtlerexamples of definitions that normalize to values but still lead to inconsistencies [AD12] (c.f.example on page 12).In Coq [The04], the productivity condition for coinductive definitions is ensured by avery strict syntactic condition (guardedness [Coq93]) similar to the condition that inductivedefinitions need to have one structurally decreasing argument. In Agda [Nor08], the usercan write arbitrary recursive definitions and the productivity condition is ensured by thetermination checker. The implemented checker extends a published version [AA02] to dealwith coinductive types, but while this is sound for simple types like streams, it is known tobe unsound for nested coinductive and inductive types [AD12]. This paper provides a firststep toward a solution for this problem.
Related Works.
Circular proofs.
The primary inspiration for this work comes from the ideas developed byL. Santocanale in his work on circular proofs [San02c, San02a, San02b]. Circular proofs aredefined for a linear proof system and are interpreted in categories with products, coproductsand enough initial algebras / terminal coalgebras. In order to get a functional language,we need to add rules and interpret them in cartesian closed categories with coproducts andenough initial algebras / terminal coalgebras (like the category of sets and functions, or thecategory of domains).What is described in this paper seems to amount to using a strong combinatorialprinciple (the size-change principle) to check a sanity condition on a circular “preproof”.This condition implies that the corresponding cut free preproof (an infinite object) canbe interpreted in a sufficiently well behaved category. This condition is strictly strongerthan the one L. Santocanale and G. Fortier used in their work, which corresponded to thesyntactical structurally decreasing / guardedness condition on recursive definitions.Note however that while circular proofs were a primary inspiration, this work cannotbe reduced to a circular proof system. The main problem is that all such proof systemsare linear and do not enjoy a simple cut-elimination procedure. Cuts and exponentials areneeded to interpret the full chariot language and while cuts can added to the originalsystem of circular proofs [FS14, For14], adding exponentials looks extremely difficult andhasn’t been done.Note also that more recent works in circular proof theory replace L. Santocanale’scriterion by a much stronger combinatorial condition. Without going into the details,it is equivalent to some infinite word being recognized by a parity automata (which is The halting problem is, after all, undecidable [Tur36] .
PIERRE HYVERNAT decidable) [Dou17b, Dou17a]. The presence of parity automata points to a relation betweenthis work and the present paper, but the different contexts make it all but obvious.
Size-change principle.
The main tool used for checking totality is the size-change principle (SCP) from C. S. Lee, N. D. Jones and A. M. Ben-Amram [LJBA01]. The problem oftotality is however subtler than termination of programs. While the principle used tocheck termination of ML-like recursive definitions [Hyv14] was inherently untyped, totalitychecking needs to be somewhat type aware. For example, in chariot , records are lazy andare used to define coinductive types. The following definition val inf = Node { Left = inf; Right = inf } yields an infinite, lazy binary tree. Depending on the types of
Node , Fst and
Snd , thedefinition may be correct or incorrect (refer to page 12 for more details)!
Charity.
The closest ancestor to chariot is the language charity [CF92, Coc96], developedby R. Cockett and T. Fukushima, allows the user to define types with arbitrary nesting ofinduction and coinduction. Values in these types are defined using categorical principles. • Inductive types are initial algebras: defining a function from an inductive type amountsto defining an algebra for the corresponding operator. • Coinductive types are terminal coalgebras: defining a function to an inductive type amountto defining a coalgebra for the corresponding operator.Concretely, it means the user can only define recursive functions that are “trivially” struc-turally decreasing on one argument, or “trivially” guarded. In particular, all functionsterminate and the language is not Turing complete.This is very different from the way one can write, for example, the Ackermann functionwith pattern matching: val ack 0 n = n+1| ack (m+1) 0 = ack m 1| ack (m+1) (n+1) = ack m (ack (m+1) n) Guarded recursion.
Another approach to checking correctness of recursive definitions isbased on “guarded recursion”, initiated by H. Nakano [Nak00] and later extended in severaldirections [CBGB16, Gua18]. In this approach, a new modality “later” (usually written “ (cid:46) ”)is introduced in the type theory. The new type (cid:46)T gives a syntactical way to talk aboutterms that “will later (after some computation) have type T ”. This work is rather successfuland has been extended to very expressive type systems. The drawbacks are that this requiresa non-standard type theory with a not quite standard denotational semantics (topos oftrees). Moreover, it makes programming more difficult as it introduces new constructs intypes and terms. Finally, these works only consider greatest fixed points (as in Haskel) andare thus of limited interest for systems such as Agda or Coq. By the way, the name chariot was chosen as a reminder of this genealogy.
HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 5
Sized-types.
This approach also extends type theory with a notion of “size” for types. Ithas been successful and is implemented in Agda [Abe10, Abe12]. This makes it possible,for example, to specify that the map function on list has type ∀ n, list n ( T ) → list n ( T ),where list n ( T ) is the type of lists with n elements of type T . These extra parameters allowto gather information about recursive functions and make it easier to check termination. Adrawback is that functions on sized-types must take extra size parameters. This complexityis balanced by the fact that most of them can be inferred automatically and are thus mostlyinvisible to the casual user. Note however that this approach still needs to have a way tocheck that definition respect the sizes.
Fixed points in game semantics.
An important tool for checking totality of definitions inthis paper is the notion of parity game . P. Clairambault [Cla13] explored a notion of game(from a categorical, games semantics point of view) enriched with winning conditions forinfinite plays. The way the winning condition is defined for least and greatest fixed points isreminiscent of L. Santocanale’s work on circular proofs and the corresponding category iscartesian closed.Because this work is done in a more complex setting (categories of games) and aims forgenerality, it seems difficult to extract a practical test for totality from it. The present paperaims for specificity and practicality by devising a totality test for the “intended” semantics(i.e. in plain sets and functions) of recursion.
SubML.
C. Raffalli and R. Lepigre also used the size-change principle in order to checkcorrectness of recursive definitions in the language SubML [LR18]. Their approach usesa powerful but non-standard type theory with many features: subtyping, polymorphism,sized-types, control operators, some kind of dependent types, etc. On the downside, it makestheir type theory more difficult to compare with other approaches. Note that like in Agdaor chariot , they do allow arbitrary definitions that are checked by an incomplete totalitychecker. The similarity of the approach isn’t surprising considering previous collaborationsbetween the authors. One interesting point of their work is that the size-change terminationis only used to check that some object (a proof tree) is well-founded: even coinductive typesare justified with well-founded proofs.
Nax.
Another programming language with nested inductive / coinductive types is the Naxlanguage [Ahn14], based on so called “Mendler style recursion” [Men91]. One key differenceis that the Nax language is very permissive on the definitions of types (it is for examplepossible to define fixed points for non positive type operators) and rather restrictive onthe definition of values: they are defined using various combinators similar (but strongerthan) to the way values are defined in charity . From the point of view of a Haskell / Camlprogrammer, the restriction on the way programs are written is difficult to accept. The libraries’ implementors still needs to give the appropriate type to map though. No implementation of Nax language is available, it is thus difficult to experiment with it.
PIERRE HYVERNAT
Plan of the Paper.
We start by introducing the language chariot and its denotationalsemantics in section 1, together with the notion of totality for functions. Briefly, totalitygeneralizes termination in a way that accounts for inductive and coinductive types. Aninteresting point is that this notion is semantical rather than syntactical. We then describe,in section 2, a combinatorial approach to totality that comes from L. Santocanale’s work oncircular proofs. This reduces checking totality of a definition to checking that the definitionsgives a winning strategy in a parity game associated to the type of the definition. Section 3describes how the size-change principle can be applied to this problem: a recursive definitiongives a call-graph, and the size-change principle can be used to check a totality condition onall infinite path in this call-graph. This section is written from the implementor’s point ofview, and most proofs are omitted: they are given in the following section. The last sectionis the longest and gives the proof of correctness. This works by showing that the call-graphand the operations defined on it have a sound semantics in domains.1.
The Language and its Semantics
Values.
We are interested in a condition on the semantics of recursive definitions.What is interesting is that this doesn’t mention the reduction strategy: everything takesplace in the realm of values.
Definition 1.1.
The set of values with leaves in X ,. . . , X n , written V ( X , . . . , X n ) isdefined coinductively by the grammar v ::= ⊥ | x | C v | {D = v ; . . . ; D k = v k } where • each x is in one of the X i , • each C belongs to a finite set of constructors , • each D i belongs to a finite set of destructors , • the order of fields inside records is irrelevant, • k can be 0.Locally, only a finite number of constructors / destructors will be necessary: thoseappearing in the type definitions involved in the definitions we are checking. There is anatural ordering on finite values, which can be extended to infinite ones (c.f. remark aboutideal completion on page 26). Definition 1.2.
If the X i are ordered sets, the order ≤ on V ( X , . . . , X n ) is generated by(1) ⊥ ≤ u for all values v ,(2) if x ≤ x (cid:48) in X i , then x ≤ x (cid:48) in V ( X , . . . , X n ),(3) if u ≤ v then C [ u ] ≤ C [ v ] for any context C [ ]. It is natural to give an infinite semantics for coinductive types, and infinite values are thus allowed.
HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 7
Type Definitions.
The approach described in this paper is entirely first-order. We areonly interested in the way values in datatypes are constructed and destructed. Higher orderparameters are allowed in the implementation but they are ignored by the totality checker.The examples in the paper will use such higher order parameters but for simplicity’s sake,they are not formalized. Note that it is not possible to just ignore higher order parametersas they can hide some recursive calls: val app f x = f x -- non recursive val g x = app g x
In order to deal with that, the implementation first checks that all recursive functions arefully applied. If that is not the case, the checker aborts and gives a negative answer.Just like in charity , types in chariot come in two flavors: those corresponding to sumtypes (i.e. colimits) and those corresponding to product types (i.e. limits). The syntax isitself similar to that of charity : • a data comes with a list of constructors whose codomain is the type being defined, • a codata comes with a list of destructors whose domain is the type being defined.The syntax is data new type where| C : T -> new type ...| C k : T k -> new type codata new type where| D : new type -> T ...| D k : new type -> T k Each T i is built from earlier types, parameters and new type . Types parameters are writtenwith a quote as in Caml but the parameters of new type cannot change in the definition.Mutually recursive types are possible, but they need to be of the same polarity (all data or all codata ). We can always suppose that all the mutually defined types have the sameparameters as otherwise, the definition could be split in several, non mutual definitions.Here are some examples: codata unit where -- no destructor codata prod(’x,’y) where Fst : prod(’x,’y) -> ’x| Snd : prod(’x,’y) -> ’ydata nat where Zero : unit -> nat| Succ : nat -> natdata list(’x) where Nil : unit -> list(’x)| Cons : prod(’x, list(’x)) -> list(’x)codata stream(’x) where Head : stream(’x) -> ’x| Tail : stream(’x) -> stream(’x) The examples given in the paper (and the implementation) do not adhere strictly tothis syntax: n -ary constructors are allowed, and Zero will have type nat (instead of unit -> nat ) while
Cons will be uncurried and have type ’x -> list(’x) -> list(’x) (instead of prod(’x, list(’x)) -> list(’x) ).Because destructors act as projections, it is useful to think about elements of a codatatypeas records. This is reflected in the syntax of terms, and the following defines the streamwith infinitely many 0s.
PIERRE HYVERNAT val zeros : stream(nat)| zeros = { Head = Zero ; Tail = zeros }
As the examples show, codata are going to be interpreted as coinductive types, while dataare going to be inductive . The denotational semantics will reflect that, and in order to havean operational semantics that is sound, codata need to be lazy . The simplest is to stopevaluation on records: evaluating “ zeros ” will give “ {Head = ???; Tail = ???} ” wherethe “ ??? ” are not evaluated. Surprisingly, the details are irrelevant to rest of paper.We will use the following conventions: • outside of actual type definitions (given using chariot ’s syntax), type parameters will bewritten without quote: x , x , . . . • an unknown datatype will be called θ µ ( x , . . . , x n ) and an unknown codatatype will becalled θ ν ( x , . . . , x n ), • an unknown type of unspecified polarity will be called θ ( x , . . . , x n ).1.3. Semantics in Domains.
Our notion of domain is the historical one: a domain is a • consistently complete (finite bounded sets have a least upper bound) • algebraic (with a basis of compact elements) • directed-complete partial order (DCPO: every directed set has a least upper bound).While helpful in section 4, intimate knowledge of domain theory is not necessary to followthe description of the totality checker.There is a natural interpretation of types in the category Dom of domains, wheremorphisms are continuous functions. (Note that morphisms are not required to preserve theleast element.) The category theory aspect is not important because all the types are in factsubdomains of V . The following can be proved directly but is also a direct consequence of ageneral fact about orders and their “ideal completion”. Lemma 1.3.
If the X i s are domains, then (cid:0) V ( X , . . . , X n ) , ≤ (cid:1) is a domain. Type expressions with parameters are generated by the grammar T ::= X | x | θ µ ( T , . . . , T n ) | θ ν ( T , . . . , T n )where X is any domain (or set, depending on the context) called a parameter, and θ µ isthe name of a datatype of arity n and θ ν is the name of a codatatype of arity n . A type is closed if it doesn’t contain variables. (It may contains parameters, that is, subdomains ofthe domain of values.) Definition 1.4.
The interpretation of a closed type T (cid:0) X (cid:1) with domain parameters isdefined coinductively as the set of (possibly infinite) values well typed according to:(1) ⊥ : T for any type T ,(2) u ∈ Xu : X for any parameter X ,(3) u : T [ σ ] C u : θ µ ( σ ) where C : T → θ µ ( σ ) is a constructor of θ µ , HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 9 (4) u : T [ σ ] . . . u k : T k [ σ ] {D = u ; . . . ; D k = u k } : θ ν ( σ ) where D i : θ ν ( σ ) → T i , i = 1 , . . . , k are all thedestructors for type θ ν .In the third and fourth rules, σ denotes a substitution [ x := T , . . . , x n := T n ] and T [ σ ]denotes the type T where each variable x i has been replaced by T i .If T is a type with free variables x , . . . , x n , we write (cid:74) T (cid:75) (cid:0) X (cid:1) for the interpretationof T [ σ ] where σ is the substitution [ x := X , . . . , x n := X n ].All the ⊥ coming from the parameters are identified. There are thus several ways to provethat ⊥ belongs to the interpretation of a type: either with rule (1) or rules (2). The followingis proved by induction on the type expression T . Proposition 1.5.
Let X ,. . . , X n be domains, if T is a type then • with the order inherited from the X i s, (cid:74) T (cid:75) ( X , . . . , X n ) is a domain, • X , . . . , X n (cid:55)→ (cid:74) T (cid:75) ( X , . . . , X n ) gives rise to a functor from Dom n to Dom . • if T = θ µ ( x , . . . , x n ) is a datatype with constructors C i : T i → T , we have (cid:74) T (cid:75) (cid:0) X (cid:1) = (cid:110) C i u i | i = 1 , . . . , n and u i ∈ (cid:74) T i (cid:75) (cid:111) ∪ {⊥}∼ = (cid:16) (cid:74) T (cid:75) (cid:0) X (cid:1) + · · · + (cid:74) T k (cid:75) (cid:0) X (cid:1)(cid:17) ⊥ • if T = θ ν ( x , . . . , x n ) is a codatatype with destructors D i : T i → T , we have (cid:74) T (cid:75) (cid:0) X (cid:1) = (cid:110) { . . . ; D i = u i ; . . . } | i = 1 , . . . , n and u i ∈ (cid:74) T i (cid:75) (cid:111) ∪ {⊥}∼ = (cid:16) (cid:74) T (cid:75) (cid:0) X (cid:1) × · · · × (cid:74) T k (cid:75) (cid:0) X (cid:1)(cid:17) ⊥ The operations + and × are the set theoretic operations (disjoint union and cartesianproduct), and S ⊥ is the usual notation for S ∪ {⊥} . This shows that the semantics of typesare fixed points of natural operators. For example, (cid:74) nat (cid:75) is the domain of “lazy naturalnumbers”: ⊥ Succ ⊥ Succ ( Succ ⊥ ) ... Succ ( Succ Zero ) Succ ZeroZero and the following are different elements of (cid:74) stream(nat) (cid:75) : • ⊥ , • { Head = Succ ⊥ ; Tail = ⊥}• { Head = Zero ; Tail = { Head = Zero ; Tail = { Head = Zero ; . . . }}} Semantics in Domains with Totality.
At this stage, there is no distinction be-tween greatest and least fixed point: the functors defined by types are algebraically com-pact [Bar92], i.e. their initial algebras and terminal coalgebras are isomorphic. For example,
Succ ( Succ ( Succ ( . . . ))) is an element of (cid:74) nat (cid:75) as the limit of the chain ⊥ ≤ Succ ⊥ ≤
Succ ( Succ ⊥ ) ≤ · · · . In order to distinguish between inductive and coinductive types, weadd a notion of totality to the domains. Definition 1.6. (1) A domain with totality ( D, | D | ) is a domain D together with a subset | D | ⊆ D .(2) An element of D is total when it belongs to | D | .(3) A function f from ( D, | D | ) to ( E, | E | ) is a function from D to E . It is total if f ( | D | ) ⊆ | E | ,i.e. if it sends total elements to total elements.(4) The category Tot has domains with totality as objects and total continuous functions asmorphisms.To interpret (co)datatypes inside the category
Tot , it is enough to describe the associatedtotality predicate. The following definition corresponds to the “natural” interpretation ofinductive / coinductive types in the category of sets.
Definition 1.7. If T is a type whose parameters are domains with totality, we define | T | by induction • if T = X then | T | = | X |• if T = θ µ ( T , . . . , T n ) is a datatype, then | T | = µX.θ µ ( X, | T | , . . . , | T n | ), • if T = θ ν ( T , . . . , T n ) is a codatatype, then | T | = νX.θ ν ( X, | T | , . . . , | T n | ),where(1) if T = θ µ ( x , . . . , x n ) is a datatype with constructors C i : T i → T , θ µ is the operator X, X , . . . , X n (cid:55)→ (cid:91) i =1 ,...,k (cid:110) C i u (cid:12)(cid:12)(cid:12) u ∈ (cid:12)(cid:12) T i [ σ ] (cid:12)(cid:12)(cid:111) (2) if T = θ ν ( x , . . . , x n ) is a codatatype with destructors D i : T → T i , θ ν is the operator X, X , . . . , X n (cid:55)→ (cid:110) {D = u ; . . . ; D k = u k } (cid:12)(cid:12)(cid:12) each u i ∈ (cid:12)(cid:12) T i [ σ ] (cid:12)(cid:12)(cid:111) In both cases, σ is the substitution [ T := X, x := X , . . . , x n := X n ].The least and greatest fixed points exist by Knaster-Tarski theorem: the correspondingoperators act on subsets of the set of all values. It is not difficult to see that each elementof | T | is in (cid:74) T (cid:75) and doesn’t contain ⊥ , i.e. is a maximal element of the domain (cid:74) T (cid:75) : Lemma 1.8. If T is a type with domain parameters, (cid:0) (cid:74) T (cid:75) , | T | (cid:1) is a domain with totality.Moreover, each t ∈ | T | is maximal in (cid:74) T (cid:75) . Recursive Definitions.
Like in Haskell, recursive definitions are given by lists ofclauses. The Ackermann function was given on page 4 and here is the map function onstreams: val map : (’a -> ’b) -> stream(’a) -> stream(’b)| map f { Head = x ; Tail = s } = { Head = f x ; Tail = map f s } Formally, a (recursive) definition is introduced by the keyword val and consists of severalclauses of the form f p ... p n = u Intrinsic notions of totality exist [Ber93] but are seemingly unrelated to what is considered below. This definition isn’t strictly speaking first order as it take a function as argument. We will ignore sucharguments and they can be seen as free parameters.
HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 11 where • f is a function name, • each p i is a finite pattern p ::= x i | C p | {D = p ; . . . ; D k = p k } where each x i is a variable name, • and u is a finite term u ::= x i | f | C u | {D = u ; . . . ; D k = u k } | u u where each x i is a variable name and each f is a function name (possibly one of thefunctions being defined).Note that it is not possible to directly project a record on one of its field in the syntax ofterms. This makes the theory somewhat simpler and doesn’t change expressivity of thelanguage. It is always possible to • remove a projection on a variable by extending the pattern on the left, • replace a projection on the result of a recursively defined function by several mutuallyrecursive functions for each of the fields, • replace a projection on a previously defined function by another previously defined function.Of course, the implementation doesn’t enforce this restriction and the theory can be extendedaccordingly.There can be many clauses and many different functions defined mutually. The system(1) checks some syntactical constraints (linearity of pattern variables, . . . ),(2) performs Hindley-Milner type checking (or type inference if no type annotation wasgiven),(3) performs an exhaustivity check ensuring that the patterns cover all the possibilities andthat records have all their fields.Those steps are well-known [PJ87] and not described here. Hindley-Milner type checkingguarantees that each list of clauses for functions f : T , . . . , f n : T n (each T i is an arrowtype) gives rise to an operator θ f ,..., f n : (cid:74) T (cid:75) × · · · × (cid:74) T n (cid:75) → (cid:74) T (cid:75) × · · · × (cid:74) T n (cid:75) where the semantics of types is extended with (cid:74) T → T (cid:48) (cid:75) = (cid:2) (cid:74) T (cid:75) → (cid:74) T (cid:48) (cid:75) (cid:3) . The semanticsof f , . . . , f n is then defined as the fixed point of the operator θ f ,..., f n which exists by Kleenetheorem.Typing ensures that the definition is well behaved from an operational point of view:the “ ⊥ ” that appear in the result correspond only to non-termination, not to failure ofthe evaluation mechanism (projecting on a non-existing field or similar problems). For thedefinition to be correct from a denotational point of view, we need to check more: that it is total with respect to its type. For example, the definition val all_nats : nat -> list(nat)| all_nats n = Cons n (all_nats (Succ n)) is well typed and sends elements of the domain (cid:74) nat (cid:75) to the domain (cid:74) list ( nat ) (cid:75) but itsresult on Zero contains all the natural numbers. This definition is not total because totalityfor list ( nat ) contains only the finite lists (it is an inductive type). Similarly, the definition val last_stream : stream(nat) -> nat| last_stream {Head=_; Tail=s} = last_stream s sends any stream to ⊥ , which is non total. A subtle example.
Here is a surprising example due to T. Altenkirch and N. A. Daniels-son [AD12]: we define the inductive type data stree where Node : stream(stree) -> stree where the type of stream was defined on page 7. This type is similar to the usual type of“Rose trees”, but with streams instead of lists. Because streams cannot be empty, there is noway to build such a tree inductively: this type has no total value. Consider however thefollowing definitions: val s : stream(stree)| s = { Head = Node s ; Tail = s }val t : stree| t = Node s
This is well typed, but because evaluation is lazy, evaluation of t or any of its subtermsterminates: the semantics of t doesn’t contain ⊥ . Unfolding the definition, we obtain Node{Head=_; Tail=_}Node{Head=_; Tail=_}Node . . . {Head=_; Tail=_} . . . . . . {Head=_; Tail=_}Node{Head=_; Tail=_} . . . . . . {Head=_; Tail=_}Node . . . {Head=_; Tail=_} . . . . . .
Such a term leads to inconsistencies and shows that a simple termination checker isn’tenough.The rest of the paper describes a partial totality test on recursive definitions: somedefinitions are tagged “total” while some other are tagged “unsafe” either because they areindeed not total, or because the argument for totality is too complex.2.
Combinatorial Description of Totality
The set of total values for a given type can be rather complex when datatypes and codatatypesare interleaved. Consider the definition val inf = Node { Left = inf; Right = inf } It is not total with respect to the type definitions codata pair(’x,’y) where Left : pair(’x,’y) -> ’x| Snd : pair(’x,’y) -> ’ydata tree where Node : pair(tree, tree) -> tree but it is total with respect to the type definitions data box(’x) where Node : ’x -> box(’x)codata tree2 where Left : tree2 -> box(tree2)| Right : tree2 -> box(tree2) HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 13
In this case, the value inf is of type box(tree2) . Analysing totality requires a combinatorialunderstanding of the least and greatest fixed points involved. Fortunately, there is a closerelationship between set theoretic least and greatest fixed points and winning strategies for parity games .2.1.
Parity Games.
Parity games are a two players games played on a finite transitionsystem where each node is labeled by a priority (a natural number). The height of sucha game is the maximum priority of its nodes. By extension, the priority of a transitionis the priority of its target node. When the node has odd priority,
Marie (or “player”) isrequired to play. When the node is even,
Nicole (or “opponent”) is required to play. A moveis simply a choice of a transition from the current node and the game continues from thenew node. When Nicole (or Marie) cannot move because there is no outgoing transitionfrom the current node, she looses. In case of infinite play, the winning condition is(1) if the maximal node visited infinitely often is even, Marie wins,(2) if the maximal node visited infinitely often is odd, Nicole wins.Equivalently, the condition could be stated using the priorities of the transitions taken duringthe infinite play. We will call a priority principal if “it is maximal among the prioritiesappearing infinitely often”. The winning condition can thus be rephrased as “Marie wins aninfinite play if and only if the principal priority of the play is even”.In order to analyse types with parameters, we add special nodes called parameters . Thosenodes have no outgoing transition, have priority ∞ and each of them has an associatedset X . On reaching them, Marie is required to choose an element of X to finish the game.She wins if she can do it and looses if she cannot (when the set is empty). Here are threeexamples of such parity games: l l l l
21 10 l l l l l l X ∞ l l l l l l Each position p in a parity game G with parameters X , . . . , X n defines a set || G p || depending on X ,. . . , X n [San02c]. This set valued function p (cid:55)→ || G p || is defined by inductionon the height of G and the number of positions having maximum priority: • if all the positions are parameters, each position is interpreted by the correspondingparameter || G X || = X ; • otherwise, take p to be one of the positions of maximal priority and construct G/p withparameters Y , X , . . . , X n as follows: it is identical to G , except that position p is replacedby parameter Y and all its outgoing transitions are removed. Compute recursively theinterpretations (
G/p ) q , depending on Y , X , . . . X n and: Those parameter nodes do not count when defining the depth of a parity game. because ∞ is obviously odd This game is called the predecessor of G [San02c]. – if p had an odd priority, define (cid:40) || G p || = µY. (cid:0) ( G/p ) q + · · · + ( G/p ) q k (cid:1) || G q || = ( G/p ) q (cid:2) Y := || G p || (cid:3) when q (cid:54) = p where p → q , . . . p → q k are all the transitions out of p . – if p had an even priority, define (cid:40) || G p || = νY. (cid:0) ( G/p ) q × · · · × ( G/p ) q k (cid:1) || G q || = ( G/p ) q (cid:2) Y := || G p || (cid:3) when q (cid:54) = p where p → q , . . . p → q k are all the transitions out of p .An important result is: Proposition 2.1 (L. Santocanale [San02c]) . • For each position p of G , the operation X , . . . , X n (cid:55)→ || G ( X , . . . , X n ) p || is a functorfrom Set n to Set , • there is a natural isomorphism || G p || ∼ = W ( G ) p where W ( G ) p is the set of winning strategiesfor Marie in game G from position p . In order to analyse totality, we now construct a parity game G from a type expression T in such a way that | T | ∼ = || G T || , for some distinguished position T in G .2.2. Parity Games from Types.Definition 2.2. If T is a type expression (possibly with parameters), the graph of T isdefined as the subgraph reachable from T in the following (infinite) transition system: • nodes are type expressions (possibly with parameters), • transitions are labeled by constructors and destructors: a transitions T t −→ T is either adestructor t of type T → T or a constructor t of type T → T (note the reversal).Here is for example the graph of list(nat) unitlist(nat) natprod(nat,list(nat)) FstSndNilCons Zero Succ The orientation of transitions means that • on data nodes, a transition is a choice of constructor for the origin type, • on codata nodes, a transition is a choice of field for a record for the origin type.Because of that, a value of type T can be seen as a strategy for a game on the graph of T where Marie (the player) chooses constructors and Nicole (the opponent) chooses destructors. Lemma 2.3.
The graph of T is finite.Proof of Lemma 2.3. We write T (cid:118) T if T appears in T . More precisely: • T (cid:118) X iff T = X , HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 15 • T (cid:118) θ ( T , . . . , T n ) if and only if T = θ ( T , . . . , T n ) or t (cid:118) T or . . . or t (cid:118) T n .To each datatype / codatatype definition, we associate its “definition order”, an integergiving its index in the list of all the type definitions. A (co)datatype may only use parametersand “earlier” type names in its definition and two types of the same order are part of thesame mutual definition. The order of a type is the order of its head type constructor.Suppose that the graph of some type T is infinite, and that T is minimal in the sensethat it is of order κ and graphs for types of order less than κ are finite. Since the graph of T has bounded out-degree, by K¨onig’s lemma, it contains an infinite simple (without repeatedvertex) path ρ = T → T → T → · · · . For any n , there is some l > n such that T l is oforder κ . Otherwise, the path T n +1 → T n +2 → · · · is infinite and contradicts the minimalityof T .All transitions in the graph of T are of the form θ ( T ) → β where β is built using thetypes in T and possibly the θ (cid:48) ( T ) with the same order as θ . There are three cases:(1) In transitions θ ( T ) → T i , i.e., transitions to a parameter, the target is a subexpressionof the origin. It is the only way the order a type may strictly increase along a transition.This is the case of Head : stream(nat) → nat .(2) In transitions θ ( T ) → θ (cid:48) ( T ), i.e. transitions to a type in the same mutual definition,the order remains constant. An example in Succ : nat → nat .(3) In all other cases, the transition is of the form θ ( T ) → β , where β is strictly earlierthan θ . In this case however, because of the way β is built, the subexpressions of β withorder greater than that of θ are necessarily subexpressions of θ ( T ). This is for examplethe case of Cons : list(nat) → prod(nat, list(nat)) (recall that the transition goesin the opposite direction).The only types of order κ reachable from T (of order κ ) are thus: • subexpressions of T (obtained with transitions of the form (1) and (3)), • or variants of the above where some types θ ( T ) of order κ have been replaced by θ (cid:48) ( T ) ofsame order (obtained with transitions of the form (2)).Since there are only finitely many of those, the infinite path ρ necessarily contains a cycle!This is a contradiction. Definition 2.4. If T is a type expression (possibly with parameters), a parity game for T is a parity game G T on the graph of T satisfying(1) each parameter of T is a parameter of G T ,(2) if T is a datatype in the graph of T , its priority is odd,(3) if T is a codatatype in the graph of T , its priority is even,(4) if T (cid:118) T then the priority of T is greater than the priority of T . Lemma 2.5.
Each type has a parity game.Proof.
The relation (cid:64) is a strict order and doesn’t contain cycles. Its restriction to thegraph of T can be linearized. This gives the relative priorities of the nodes and ensurescondition (4) from the definition. Starting from the least priorities (i.e. the larger types),we can now choose a priority odd / even compatible with this linearization. (Note that wedon’t actually need to linearize the graph and can instead chose a normalized parity game ,i.e. one that minimizes gaps in priorities.) Here are the first two parity games from page 13, seen as parity games for stream(nat) and list(nat) (the priorities are written as an exponent). unit nat stream(nat) Head TailZero Succ unit list(nat) nat prod(nat,list(nat)) FstSndNilCons Zero Succ
The last example from page 13 corresponds to a coinductive version of Rose trees: codata rtree(’x) where| Root : rtree(’x) -> ’x| Subtrees : rtree(’x) -> list(rtree(’x)) with parity game rtree( X ) unit X ∞ list(rtree( X )) prod(rtree( X ),list(rtree( X ))) Root Subtrees NilConsSndFst
As those examples show, the priority of T can be anything from minimal to maximal in itsparity graph. Lemma 2.6.
For any type T , if G is a parity game for T and if T is a node of G , we havea natural isomorphism || G T || ∼ = | T | .Proof. The proof follows from the following simple fact by a simple induction:
Fact 2.7. If G is a parity game for T and T one of its maximal nodes, then the predecessorgame G/T ( Y ) is a parity game for T [ T = Y ]. Corollary 2.8. If T is a type and G a parity game for T , we have W ( G ) T ∼ = | T | . Inparticular, v ∈ (cid:74) T (cid:75) is total iff every branch of v has even principal priority. Since any v ∈ (cid:74) T (cid:75) gives a strategy in the game of T , priorities can be looked up in the game of T . HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 17
Forgetting Types.
A consequence of the previous section is that checking totalitydoesn’t really need types: it needs priorities. We thus annotate each occurrence of constructor/ destructor in a definition with its priority (taken from the type’s parity game). The refinednotion of value is given by v ::= ⊥ | x | C p v | {D = v ; . . . ; D k = v k } p where • each x is in one of the X i , • each priority p belong to a finite set of natural numbers, • each C belongs to a finite set of constructors , and their priority is odd, • each D i belongs to a finite set of destructors , and their priority is even, • k can be 0.The whole domain of values V now has a notion of totality. Definition 2.9.
Totality for V is defined as v ∈ |V| iff and only if every branch of v haseven principal priority.Priorities are an artefact used for checking totality. They play no role in definitions orevaluation and are inferred internally:(1) each instance of a constructor / destructor is annotated by its type during type checking,(2) all the types appearing in the definitions are gathered (and completed) to a parity games,(3) each constructor / destructor is then associated with the priority of its type (and thetype itself can be dropped).Because none of this has any impact on evaluation, checking if a definition is total amountsto checking that the annotated definition is total, which can be done without types.3. Call-Graph and Totality
Introduction.
A function f between domains with totality is total if it sends totalelements to total elements. Equivalently, it is total if whenever f ( v ) = w , either v is nontotal, or w is total. As a result, checking that a recursive definition of f is total requireslooking at the the arguments that f “consumes” and at the result that f “constructs”. Thetwo are not independent as shown by the following function: val sums : stream(list(nat)) -> stream(nat)| sums { Head = [] ; Tail = s } = { Head = 0 ; Tail = sums s }| sums { Head = [n] ; Tail = s } = { Head = n ; Tail = sums s }| sums { Head = n::m::l ; Tail = s }= sums { Head = (add n m)::l ; Tail = s } where we use the following abbreviations: • [] for Nil , • [a] for Cons { Fst = a ; Snd = Nil } , • a::l for Cons { Fst = a ; Snd = l } .This function maps a stream of lists of natural numbers into a stream of natural numbersby computing the sums of all the lists. It does so by accumulating the partial sums of agiven list in its first element. This function is productive (it constructs something) becausethe third clause cannot occur infinitely many times consecutively (it consumes something).
As we saw in the previous section, a total value in type t is a winning strategy for aparity game of t . The totality checker thus needs to check something like: for all pairs ( v, w ) in the graph of the recursive function, • either all the infinite branches of w have an even principal priority, • or v contains an infinite branch whose principal priority is odd. The analysis is local: it only looks at one mutually recursive definition. The previouslydefined functions are assumed to be total, but nothing more is known about them. For thatreason, we only look for infinite branches that come from the current definition.The first step of the analysis is to extract some information from the clauses of thedefinition. The resulting structure is called the call-graph (section 3.3). The analysis thenlooks at infinite path in the call-graph. In order to use the size-change principle [LJBA01,Hyv14], care must be taken to restrict the information kept along calls to a finite set.This is done by introducing a notion of approximation and by collapsing calls to boundedinformation.Formalizing and proving that this condition is correct will be done in the last section(starting on page 26). We will for the moment only give a high level description of how onecan implement the test, using both the concepts developed in the previous section and thesize-change principle.
Simplifying assumptions.
In order to reduce the notation overhead, we assume all thefunctions have a single argument. As far as expressivity is concerned, this is not a realrestriction: we can introduce ad-hoc codata (product types) to uncurry all functions. Thisrestriction is of course not enforced in the implementation. Dealing with multiple argumentswould require using substitutions instead of terms [Hyv14].3.2.
Interpreting Calls.
A single clause may contain several recursive calls. For example,the hypothetic rule | f (C { D = x; D = C y }) = C (f (C (f (C y))) contains two recursive calls (underlined). It is clear that the final result starts with C ,constructed above the leftmost recursive call. It is also clear that the rightmost recursivecall uses part of the initial argument. It is however unclear if the rightmost call contributesanything to the final result or if the leftmost call uses part of the initial argument. For eachrecursive call in a recursive definition, we keep some information about • the output branch above this recursive call, • the way the argument of the call is constructed from the initial argument.The information about the argument of the recursive call uses the same technology that wasused when checking termination [Hyv14]. The information about the output is simpler: weonly record the number of constructors above the recursive call. A recursive call is guardedsimply when it occurs under at least one constructor / record. Each call will thus beinterpreted by a rule of the form: f x (cid:55)→ (cid:104) W (cid:105) f v where W is a weight and v is a generalized pattern with free variable x . For example, theinterpretation of the previous clause will consist of two calls: Refer to page 45 for an idea about what could be done without this simplification.
HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 19 • f x (cid:55)→ (cid:104)− (cid:105) f (C Ω ) for the leftmost call: – (cid:104)− (cid:105) : this call is guarded by one constructor ( C ) – C Ω: the argument starts with constructor C • f x (cid:55)→ Ω f (C C - .D C - x) for the rightmost call: – Ω: we don’t know what this call contributes to the result – ( C C - .D C - x ): the argument starts with C and “ C - .D C - x ” represents the y from thedefinition: it is obtained from the argument x by: removing C (written C - ), projectingon field D (written .D ) and removing C (written C - ).Since we want to to check totality using parity games, counting the constructors is notenough: we also need to remember their priority. The weights are thus more complex thanplain integers. Definition 3.1.
Define(1) Z ∞ = Z ∪ {∞} with the obvious addition and order,(2) W , the set of weights is generated by W ::= Ω | (cid:104)(cid:105) | (cid:104) w (cid:105) p | W + W where w ∈ Z ∞ and each p comes from a finite set P of natural numbers called priorities.This set is quotiented by • associativity and commutativity of +, • Ω + W = Ω, • (cid:104) w (cid:105) p + (cid:104) w (cid:48) (cid:105) p = (cid:104) w + w (cid:48) (cid:105) p , • equivalence generated from the order given below.(3) Order ≤ on weights is generated from • Ω ≤ W , • (cid:104) (cid:105) p ≤ (cid:104)(cid:105) , • (cid:104) w (cid:105) p ≤ (cid:104) w (cid:105) p whenever w ≥ w in Z ∞ , • W + W (cid:48) ≤ W . (In particular, W + Ω = Ω.)“ κ p ” is a synonym for (cid:104) (cid:105) p and we usually write (cid:104) W (cid:105) for an arbitrary weight and (cid:104) (cid:105) for (cid:80) ≤ i ≤ p (cid:104) (cid:105) i (where p is the maximal priority involved locally). The symbols (cid:104) and (cid:105) areloosely used as grouping for weights...The intuition is that κ p represents anything that adds at most one constructor of priority p .Similarly, − κ p represents anything that removes at least one constructor of priority p .Note that (cid:104) (cid:105) p is different from (cid:104)(cid:105) : the former could add one constructor of priority p andremove another, while the later does nothing. The weight Ω is not very different from theweight (cid:80) p (cid:104)∞(cid:105) p and can be identified with it in the implementation. Definition 3.2.
Generalized patterns are given by the following grammar t ::= C p t | {D = t ; . . . ; D n = t n } p |(cid:104) W (cid:105) t ∗ · · · ∗ (cid:104) W n (cid:105) t n | C p - t | .D p t | x | | f t where n ≥ x is a formal parameter , each f belongs to a finite set of function names andeach (cid:104) W (cid:105) is a weight. As previously, C and D come from a finite set of constructor anddestructor names, and their priorities come from a finite set of natural numbers. Theyare respectively odd and even. The product is implicitly commutative, idempotent andassociative. Here are some points worth remembering. • x is the parameter (unique in our case) of the definition. • Priorities are associated to instances of constructors: the list constructor may appear inthe parity game with different priority! We write C p to give a name to the correspondingpriority, and just C when the priority is not important. • In ML style, the term C - u is similar to the partial “ match u with C v -> v ” with asingle pattern. This is used to deconstruct a value. • represents runtime errors which we can ignore in our analysis because typing forbidsthem. It propagates through values. • The product is used to approximate records: {Fst=Succ - x; Snd=Succ x} can for exam-ple be approximated by (cid:104) (cid:105) Succ - x ∗ (cid:104) (cid:105) x . All the branches of an element approximatedby (cid:104) W (cid:105) t ∗ · · · ∗ (cid:104) W n (cid:105) t n must be approximated by a (cid:104) W i (cid:105) t i . Definition 3.3. A call from g to f is of the form “ g (cid:55)→ (cid:104) W (cid:105) f v ” where (cid:104) W (cid:105) ∈ W and v is a generalized pattern.For symmetry reasons, output weights are counted negatively: adding one constructor onthe output will be represented as (cid:104)− (cid:105) . Just like removing some constructor in a recursiveargument is “good” (think structural recursion), adding a constructor on the result is “good”(think guardedness). The two are thus counted similarly.The next few pages recall, without proofs, the notions and results that are useful forimplementing the totality criterion. The proofs will be given in the next section. Definition 3.4.
We define a reduction relation on generalized patterns:(0) C , C - , .D → (0) { . . . ; D = ; . . . } → (0) (cid:104) W (cid:105) ∗ P → P (0) (cid:104) W (cid:105) → only for unary product(1) C - C t → t (1) .D j { . . . ; D j = t j ; . . . } → t j if no t i → ∗ (2) C - C (cid:48) t → if C (cid:54) = C (cid:48) (2) .D{ . . . } → if the record has no field D (2) C - { . . . } → (2) .D C t → (3) (cid:104) W (cid:105) C p t → (cid:104) W + κ p (cid:105) t (3) (cid:104) W (cid:105) {D = t ; . . . } p → (cid:104) W + κ p (cid:105) t ∗ · · · if the record is not empty(3) C p - (cid:81) i (cid:104) W i (cid:105) t i → (cid:81) i (cid:104) W i − κ p (cid:105) t i (3) .D p (cid:81) i (cid:104) W i (cid:105) t i → (cid:81) i (cid:104) W i − κ p (cid:105) t i (3) (cid:0) (cid:104) W (cid:105) p (cid:81) i (cid:104) W i (cid:105) t i (cid:1) ∗ P → (cid:0) (cid:81) i (cid:104) W + W i − κ p (cid:105) t i (cid:1) ∗ P Group (1) of reductions corresponds to the operational semantics of the language, group(3) deals with approximations in a way that is compatible with group (1), and groups (0)and (2) deal with errors. In particular, in group (2) • the first 3 reductions are forbidden by type checking (we cannot project a constructor, orpattern match on a record), • the last reduction is forbidden by the operational semantics (if the argument starts witha C (cid:48) , the reduction doesn’t take the C clause). for example when dealing with lists of streams of lists HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 21
Looking at groups (3) of reductions, is is clear that weights absorb all constructors on theirright and all destructors on their left. As a result, non- normal forms have a very specificshape: • a tree of constructors (akin to a value), • followed by (linear) branches of destructors. h W i * h W i x x hi x Ω x constructors: { . . . ; D = _ ; . . . } or C destructors: .D or C - Lemma 3.5. (1)
This reduction is confluent and strongly normalizing. We write nf ( t ) for the normalform of t . (2) The normal forms are either , or generated by the grammar p ::= C p | { . . . ; D i = p i ; . . . } | (cid:104) W (cid:105) λ ∗ · · · ∗ (cid:104) W n (cid:105) λ n λ ::= {} | δ x δ ::= δ C - | δ .D There is a notion of approximation: for example, S - S - S - S - x can be approximated by S - S - (cid:104)− (cid:105) x where (cid:104)− (cid:105) means that “at least 2 constructors were removed”. Definition 3.6.
The relation “ u ≤ v ” (read “ u approximates v ”) is defined with • ≤ is contextual: if u ≤ v then t [ x := u ] ≤ t [ x := v ], • ≤ is compatible with reduction: if u → v then v ≤ u , and in particular, nf ( u ) ≤ u , • is a greatest element, • for every weights (cid:104) V (cid:105) ≤ (cid:104) W (cid:105) , we have (cid:104) V (cid:105) t ≤ (cid:104) W (cid:105) t , • (cid:104) (cid:105) t ≤ t This order is extended to calls with f x (cid:55)→ (cid:104) W (cid:105) f u ≤ f x (cid:55)→ (cid:104) W (cid:48) (cid:105) f u (cid:48) iff (cid:104) W (cid:105) ≤ (cid:104) W (cid:48) (cid:105) and u ≤ u (cid:48) Call-Graph and Composition.
The next definition is very verbose, but the examplefollowing it should make it clearer.
Definition 3.7.
From a recursive definition, we construct its (oriented) call-graph with • vertices are the names of the functions mutually defined • arcs from f to g are given by all the “ f x (cid:55)→ (cid:104) W (cid:105) g v [ σ p ]” where “ (cid:104) W (cid:105) g v ” ∈ calls ( u )for some clause f p = u and σ p and calls ( u ) are defined with:(1) Given a pattern p , define the substitution σ p as follows: – σ y = [ y := x ] – σ C p = C - ◦ σ p , – σ { ... ; D i = p i ; ... } = (cid:83) i ( .D i ◦ σ p i ).where ◦ represents composition of substitutions.(2) From each right-hand side u of a clause f p . . . p k = u , we define calls ( u ): calls (cid:0) C p u (cid:1) = (cid:104) κ p (cid:105) . calls (cid:0) u (cid:1) ( i ) calls (cid:0) { . . . ; D i = u i ; . . . } p (cid:1) = (cid:91) i (cid:104) κ p (cid:105) . calls (cid:0) u i (cid:1) calls (cid:0) f u . . . u l (cid:1) = (cid:8) (cid:104) (cid:105) f u Ω1 . . . u Ω k (cid:9) ∪ (cid:91) i Ω . calls ( u i ) ( ii ) calls (cid:0) g u . . . u l (cid:1) = (cid:91) i Ω . calls (cid:0) u i (cid:1) ( iii ) calls (cid:0) x (cid:1) = ∅ where( i ) (cid:104) κ p (cid:105) .S is a notation for {(cid:104) κ p (cid:105) u | u ∈ S } ,( ii ) if f is one of the functions recursively defined and where u Ω is obtained from u by replacing each function application g u . . . u l (recursive or otherwise) by Ω.( iii ) the name g could also be a parameter x j coming from the left pattern.An example is probably more informative. Consider the definition from page 17 withexplicit priorities: val sums : stream (list (nat )) -> stream (nat )| sums { Head = [] ; Tail = s } = { Head = 0 ; Tail = sums s }| sums { Head = [n] ; Tail = s } = { Head = n ; Tail = sums s }| sums { Head = n:: m:: l ; Tail = s }= sums { Head = (add n m ):: l ; Tail = s } The three associated calls will be sums x (cid:55)→ (cid:104)− (cid:105) sums (.Tail x) (twice) and sums x -> (cid:104)(cid:105) sums { Head = Ω :: (.Head .Tail - .Snd .Tail - .Snd x) ;Tail = .Tail x } (Recall the “ a :: l ” is an abbreviation for “ Cons{Fst= a ; Snd= l } ”.)A call gives some information about one recursive call: depth of the recursive call, andpart of the shape of the original argument. We can compose them: val length : list(x) -> nat| length Nil = Zero| length (Cons{Fst=x; Snd=l}) = Succ (length l) has a single call: “ length l (cid:55)→ (cid:104)− (cid:105) length (.Snd Cons - l) ”. Composing this call withitself will give length l (cid:55)→ (cid:104)− (cid:105) length (.Snd Cons - .Snd Cons - l) . Definition 3.8.
The composition β ◦ α of the calls α = f x (cid:55)→ (cid:104) W (cid:105) g p and β = g x (cid:55)→ (cid:104) W (cid:48) (cid:105) h q is defined as β ◦ α = f x (cid:55)→ (cid:104) W + W (cid:48) (cid:105) h q [ x := p ]Some compositions are automatically ignored: “ fx (cid:55)→ (cid:104)(cid:105) f C C - x ”, arising from val f (C x) = f (C x)| ... HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 23 gives when composed with itself. This is because “ C x ” doesn’t match “ C y ”.Totality can sometimes be checked on the call-graph. Since we haven’t yet formalizedinfinite compositions, this condition is for the moment expressed in a very informal way. Definition 3.9 (Informal Totality Condition) . A call-graph is total if, along all infinitepath,(1) either its output weight obviously has an even principal priority,(2) or one of the branches in its argument obviously has an odd principal priority.Two such examples are the call-graphs with a single arc:(1) fx (cid:55)→ (cid:104)(cid:104)− (cid:105) + (cid:104)− (cid:105) (cid:105) f x : the prefixes of the only infinite path give the compositions • fx (cid:55)→ (cid:104)(cid:104)− (cid:105) + (cid:104)− (cid:105) (cid:105) f x • fx (cid:55)→ (cid:104)(cid:104)− (cid:105) + (cid:104)− (cid:105) (cid:105) f x • ...The recursive calls are guarded by an increasing number of constructors of priority 2(coinductive). Some inductive constructors are also added, but those have smallerpriority. The limit will construct a term with infinitely many constructors of priority 2and infinitely many constructors of priority 1: this is a total value.(2) fx (cid:55)→ Ω f Succ - x : prefixes of the only infinite path in this graph give • fx (cid:55)→ Ω f Succ - Succ - x • fx (cid:55)→ Ω f Succ - Succ - Succ - x • ...Such terms only apply to arguments having enough Succ constructors (of priority 1)and no other constructors. The limit thus only applies to arguments having infinitelymany constructors of priority 1 (and no other): that is not possible of total values!
Theorem 3.10 (informal) . If a call-graph is total, then the original recursive definitiondefines total functions.
Collapsing.
The totality condition on call-graphs involves infinite path. It is naturalto try using the size-change principle to get a decidable approximation of this condition. Forthat, we need a finite call-graph that is closed under composition (its transitive closure).This is impossible: the example of length l can be composed with itself many times to get length l (cid:55)→ (cid:104)− n (cid:105) length (.Snd Cons - ... .Snd Cons - l) Both the output weight and the recursive argument of the call can grow arbitrarily. Toprevent that, we collapse the calls to bound their depth and weights [Hyv14].
Definition 3.11.
Given a strictly positive bound B , the weight collapsing function (cid:100) (cid:101) B acts on terms by replacing each weight (cid:104) w (cid:105) p by (cid:104)(cid:100) w (cid:101) B (cid:105) p where (cid:100) w (cid:101) B = − B if w < − Bw if − B ≤ w < B ∞ if B ≤ w Recall that constructors are counted negatively for the output.
Ensuring a bounded depth is more complex: we introduce some “ (cid:104) (cid:105) ” below D construc-tors and above D destructors. Because of the reduction, those new weights will absorb theconstructors with depth greater than D and the destructors with “inverse depth” greaterthan D . For example, collapsing C C C (cid:104) W (cid:105) .D C - C - .D x at depth 2 gives C C (cid:104) (cid:105) C (cid:104) W (cid:105) C - .D C - (cid:104) (cid:105) C - .D x → ∗ C C (cid:104) W − (cid:105) C - .D x Definition 3.12.
Given a positive bound D , the height collapsing function _ (cid:22) D acts onterms by integrating constructors below D and destructors above D into weights: (cid:0) C t (cid:1) (cid:22) i def = C (cid:0) t (cid:22) i − (cid:1) if i > { . . . ; D k = t k ; . . . } (cid:22) i def = { . . . ; D k = t k (cid:22) i − ; . . . } if i > (cid:0) W β (cid:1) (cid:22) i def = W (cid:0) β (cid:23) D (cid:1) if i > β (cid:22) i def = β (cid:23) D t (cid:22) def = nf (cid:0) (cid:104) (cid:105) t (cid:1) (cid:23) D ( ∗ )and (cid:0) (cid:104) W (cid:105) t ∗ · · · ∗ (cid:104) W n (cid:105) t n (cid:1) (cid:23) i def = ( (cid:104) W (cid:105) t ) (cid:23) i ∗ · · · ∗ ( (cid:104) W n (cid:105) t n ) (cid:23) i ( ∗∗ ) (cid:0) (cid:104) W (cid:105) {} (cid:1) (cid:23) i def = (cid:104) W (cid:105) {} ( ∗∗ ) (cid:0) (cid:104) W (cid:105) β x (cid:1) (cid:23) i def = (cid:104) W (cid:105) β (cid:23) i x ( ∗∗ ) (cid:0) β C p (cid:1) (cid:23) i def = β (cid:23) i − C p (cid:0) β .D p (cid:1) (cid:23) i def = β (cid:23) i − .D p β (cid:23) def = β (cid:104) (cid:105)• The clauses are not disjoint and only the first appropriate one is used. • We compute a normal form in clause ( ∗ ) to ensure that the clauses ( ∗∗ ) cover all cases(since weights absorb constructors on their right, (cid:104) (cid:105) t doesn’t contain constructors),We can extend collapsing to calls. Definition 3.13. If α is a call f x (cid:55)→ (cid:104) W (cid:105) g u , we put • (cid:100) α (cid:101) B = f x (cid:55)→ (cid:100) W (cid:101) B g (cid:100) u (cid:101) B • α (cid:22) D = f x (cid:55)→ (cid:104) W (cid:105) g u (cid:22) D Lemma 3.14 ([Hyv14]) . For any call α , we have • (cid:100) α (cid:101) B ≤ α , • α (cid:22) D ≤ α . Definition 3.15.
Given some bounds B and D , collapsed composition is defined by β (cid:5) B,D α := nf (cid:18)(cid:108)(cid:0) β ◦ α (cid:1) (cid:22) D (cid:109) B (cid:19) Since the bounds are fixed, we usually write β (cid:5) α .Unfortunately, this composition is not associative. For example, with bound B = 2 if α = f x (cid:55)→ (cid:104) (cid:105) f x and β = f x (cid:55)→ (cid:104)− (cid:105) f x we have β (cid:5) ( α (cid:5) α ) = f x (cid:55)→ (cid:104)∞(cid:105) f x but( β (cid:5) α ) (cid:5) α = f x (cid:55)→ (cid:104) (cid:105) f x . The next property can be seen as a kind of weak associativity. except when B = 1 and D = 0 HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 25
Lemma 3.16. If σ n ◦ · · · ◦ σ (cid:54) = , and if τ and τ are the results of computing σ n (cid:5) · · · (cid:5) σ in two different ways, then τ and τ are compatible , written τ ¨ τ . This means that thereis some τ (cid:54) = such that τ ≤ τ and τ ≤ τ .Proof. Take τ = σ n ◦ · · · ◦ σ .3.5. Size-Change Principle.
The initial call-graph G of a definition is finite, and collapsedcomposition ensures that there exists a finite transitive closure of this initial call-graph:starting with G = G , we define the new edges of G n +1 with: if α and β are edges from f to g and from g to h in G n , then β (cid:5) α is a newedge from f to h in G n +1 . Finiteness of the set of bounded terms guarantees that this sequence stabilizes on somegraph, written G ∗ .To simplify the statement of the size-change totality principle, we first define the p -norm a finite branch inside a generalized pattern: it counts constructors and destructors ofpriority p . Definition 3.17.
Given p ∈ P and a branch β in a generalized pattern, the p -norm of β ,written | β | p is defined with: • | C p β | p = | β | p + 1 and | C q β | p = | β | p if p (cid:54) = q , • | {D = β } p | p = | β | p + 1 and | {D = β } q | p = | β | p if p (cid:54) = q , • | C p - β | p = | β | p − | C q - β | p = | β | p if p (cid:54) = q , • | .D p - β | p = | β | p − | .D q - β | p = | β | p if p (cid:54) = q , • | Ω β | p = ∞ , • |(cid:104)(cid:105) β | p = | β | p , • |(cid:104) w (cid:105) p β | p = w and |(cid:104) w (cid:105) q β | p = | β | p if p (cid:54) = q , • |(cid:104) W + · · · + W n (cid:105) β | p = (cid:80) i |(cid:104) W i (cid:105) β | p . Theorem 3.18 (size-change principle) . Suppose every loop γ = f x (cid:55)→ (cid:104) W (cid:105) f u in G ∗ that satisfies γ ¨ γ (cid:5) γ also satisfies one of the following two conditions: • either the maximal priority appearing in (cid:104) W (cid:105) is even, with negative weight, • or there is a subterm β (cid:81) (cid:104) W i (cid:105) λ i of v where the maximal priority p of each β (cid:104) W i (cid:105) λ i isodd, with negative weight (i.e. | β (cid:104) W i (cid:105) λ i | p < )then the definition is total. Here is an informal sketch of the proof. The combinatorial lemma at the heart ofthe size-change principle implies that every infinite path can be decomposed (up to a finiteprefix) into an infinite sequence of the same idempotent loop ( γ ¨ γ (cid:5) γ ). The conditionof totality on G involves such infinite path, i.e., infinite sequences of identical idempotentloops in G ∗ . • If such a loop satisfies the first condition, composing it infinitely many times will surelyadd an infinite number of constructors of even priority, while not involving constructorsof higher priority. Hence the infinite path satisfies the first totality condition from page 23. given in a slightly simplified form in section 4.37, or in greater generality in [Hyv14] recall that on the output, negative weight means adding constructors • If such a loop satisfies the second condition, composing it infinitely many times will explore,in the original argument, a branch β (cid:104) W i (cid:105) λ i β (cid:104) W i (cid:105) λ i . . . containing an infinite numberof constructors of odd priority, and no constructor of higher priority. Thus, there is abranch of the initial argument with odd principal priority (second condition from page 23).3.6. The Algorithm.
All this makes it possible to actually implement a correct (butincomplete) totality test for some mutual recursive definition of f , . . . f n .(1) Compute the call-graph G of the definition. This step is purely syntactical and linearin the size of the definition.(2) Compute the transitive closure G ∗ of G by iterating collapsed composition. G ∗ ispotentially exponentially bigger than G , but this doesn’t happen in practice.(3) Check all idempotent loops against the conditions of theorem 3.18. Since there are onlyfinitely many branches, finding β can be done by exploring the argument.This is what is implemented, with minor variations, in the chariot prototype. More detailsabout the actual implementation, including the definition of the order or compatibilityrelations by induction on terms can be found in [Hyv14].4. Semantics and Correctness of the Call-Graph
We can now define the semantics of the call-graph from the previous section, and provecorrectness of the size change principle. It roughly proceeds as follows: • we extend the domain of values with non-deterministic sums, • we define (generalizing definition 3.2) a domain of syntactical operators, • totality of such an operator implies totality of the corresponding definition, • the call-graph is another operator and its totality implies that of the previous one.Several notions from domain theory will be used in this section but the prerequisitesare kept to a minimum. They can be found in any of the several introductions to domaintheory [Plo83, SHGL94, AJ94]. One particular result that is worth knowing is that anypartial order can be completed to an algebraic DCPO whose compact elements are exactlythe elements of the original partial order. This ideal completion formally adds limits of alldirected sets. Moreover, if the original order is a sup-semi-lattice, its ideal completion is adomain. This is one way to easily prove that values (definition 1.1) form a domain.4.1. Smyth power domain.
We first extend the grammar of values with formal sums: v ::= ⊥ | C p v | {D = v ; . . . ; D k = v k } p | v + v together with the order generated from: • the order on V (definition 1.2), • commutativity, associativity and idempotence ( v + v = v ) of “+”, • (multi)linearity of C and {D = _ ; . . . } , • u + v ≤ u . A sup-semi-lattice is a partial order where every finite bounded set as a least upper bound.
HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 27
This gives rise to a preorder instead of a partial order which we implicitly quotient bythe corresponding equivalence. This construction is well known: it is the “Smyth powerdomain” [Smy78]. The ideal completion of the finite terms generated by this grammarintroduces some infinite sums: the Smyth power domain contains all “finitely generated”sums. The following gives a concrete description of the corresponding order [Smy83, AJ94].
Proposition 4.1.
The Smyth power domain on V satisfies (1) Compact elements are finite sets of compact elements of V , (2) Elements are finitely generated subsets V ⊆ V , (3) U ≤ V iff V ↑ ⊆ U ↑ , (where V ↑ = (cid:83) v ∈ V v ↑ and v ↑ = { u | v ≤ u } ) (4) directed least upper bounds are given by intersections, (5) binary greatest lower bounds exist and are given by unions. The resulting structure is a preorder rather than a partial order, but it is possible totake V ↑ as a representative for the equivalence class of V (if V is finitely generated, so is V ↑ )in which case the order is reverse inclusion. When working with concrete examples, it iseasier to take Min ( V ), the set of minimal elements of V , as a representative of V , which willoften be finite. This can serve as a representative of V ↑ since V ↑ = Min ( V ) ↑ for any subsetof V . Note that this gives a way to check that an infinite sum is finitely generated: we needto check that it is the limit of a directed set (or chain) of finite sums of compact elements.We also need a special term , greater than all other elements, to denote errors. Lemma 4.2.
For any domain D , D ∪ {(cid:62)} is a domain. Applied to a Smyth power domain, adding a greatest element amounts to allowing the emptyset, which is explicitly forbidden in the definition of finitely generated set. We write thisnew empty sum . Definition 4.3.
The domain A of values with approximations is obtained from V by theSmyth power domain construction, allowing the empty sum. Definition 4.4.
An element of A (a sum of elements of V ) is total when all its summandsare total. In particular, is total.The following follows directly from lemma 1.8 and proposition 4.1. It implies in particularthat totality is compatible with equivalence: if T ≈ T and T is total, so is T . Lemma 4.5. If T ≤ T in A and if T is total, then so is T . Here is a summary of the properties of A . Corollary 4.6.
The compact elements of A are inductively generated by v ::= ⊥ | C p v | {D = v ; . . . ; D k = v k } p | v + v | The order satisfies • if u ≤ v in V then u ≤ v in A , • + is commutative, associative and idempotent, with neutral element , • u + v is the greatest lower bound of u and v and is the greatest element, • constructors and records are (multi) linear: The sets of limits of the infinite branches of a finitely branching tree of elements of the domain. Domains with a top element are in fact complete lattices and thus, algebraic lattices. – C (cid:0) (cid:80) i v i (cid:1) = (cid:80) i C v i – { . . . ; D = (cid:80) i t i ; . . . } = (cid:80) i { . . . ; D = t i ; . . . } . Preliminaries: Recursion and Fixed Points.
Simplifying assumption.
In order to simplify notation, we will restrict the rest of this sectionto the case where the recursive definition we are interested in contains a single function (nomutually recursive functions) with a single argument.
A formula for fixed points.
Whenever ϕ : D → D is a continuous function on a domainand b ∈ D such that b ≤ ϕ ( b ), it has a least fixed point greater than b (Kleene theorem)defined with fix ( f, b ) = (cid:71) ↑ n ≥ f n ( b )In our case, we are interested in the fixed point of an operator from [ A → A ] to itself.Moreover, we require that the functions satisfy f ( ) = , i.e. that errors propagate. Thereis a least such function, written Ω: v (cid:55)→ Ω( v ) = (cid:40) if v = ⊥ otherwiseThe fixed points we are computing are thus of the form fix ( ϕ, Ω) = (cid:71) ↑ n ≥ ϕ n (Ω)From now on, every fixed point is going to be of this form, and we will simply write fix ( ϕ ).A recursive definition for f : A → B gives rise to an operator Θ f on [ (cid:74) A (cid:75) → (cid:74) B (cid:75) ] whosefixed point is called the semantics of f . It is written (cid:74) f (cid:75) : (cid:74) A (cid:75) → (cid:74) B (cid:75) . The operator Θ f isdefined as follows: if f : (cid:74) A (cid:75) → (cid:74) B (cid:75) and v ∈ (cid:74) A (cid:75) , the value of Θ f ( f ) (cid:0) v (cid:1) is obtained by:(1) taking the first clause “ f p = u ” in the definition of f where p matches v ,(2) returning (cid:74) u [ σ ] (cid:75) ρ, f := f where σ is the most general unifier of u and p .The unifier matching a pattern p to a value v can be described as [ p := v ], computedinductively: • [ C p := C v ] = [ p := v ], • [ {D = p ; . . . ; D n = p n } := {D = v ; . . . ; D n = v n } ] = [ p := v ] ∪ · · · ∪ [ p n := v n ], • [ C p := C (cid:48) v ] (when C (cid:54) = C (cid:48) ), [ { . . . } := { . . . } ] (when the records have different sets of fields),[ C p := { . . . } ] and [ { . . . } := C v ] are undefined: the patterns don’t match the values.The fact that definitions are well-typed guarantees that there is always a matching clause.It is possible for patterns to overlap, and in that case, the first matching clause is used. HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 29
Setup.
Our aim is to define a domain that extends the language of the call-graph (defini-tion 3.2). Every element of this domain will represent an operator and the call-graph will bea particular one satisfying the condition “if its fixed point is total, then so is the fixed pointof the recursive definition”.A definition of f naturally gives rise to an “untyped” φ f : [ A → A ] → [ A → A ]: • φ f ( f ) (cid:0) (cid:80) v (cid:1) = (cid:80) φ f ( f )( v ) • for φ f ( f ) (cid:0) v (cid:1) , with v ∈ V , take the first clause “ f p = u” where p matches v , andreturn (cid:74) u [ σ ] (cid:75) where σ is the most general unifier of u and p , • if no clause matches v , φ A ( f )( v ) = .In order for this to make sense, the functions from the environment need to be lifted toaccept arbitrary values: if g is a previously defined function of type T → T , its semanticsis extended by giving for any value outside of (cid:74) T (cid:75) . Lemma 4.7. (0) Ω ≤ φ (Ω) . (1) fix ( φ f ) restricted to (cid:74) A (cid:75) is equal to fix (Θ f ) . (2) If fix ( φ f ) is total (on A ), then fix (Θ f ) is total (on (cid:74) A (cid:75) ).Proof. The first point follows from the definitions. The second follows from the fact thatif f satisfies f ( a ) ∈ (cid:74) B (cid:75) for every a ∈ (cid:74) A (cid:75) , then φ f ( f ) (cid:22) (cid:74) A (cid:75) = Θ f ( f (cid:22) (cid:74) A (cid:75) ). This follows fromthe definition of Θ f and φ f . This implies that φ n f (Ω) (cid:22) (cid:74) A (cid:75) = Θ n f (Ω). Since fix ( F ) = (cid:70) ↑ n F n (Ω),we get fix (Θ f ) = fix ( φ f ) (cid:22) (cid:74) A (cid:75) . The last point is immediate as b ∈ (cid:74) B (cid:75) is total iff { b } ∈ A istotal.The following lemma shows how approximations relate to totality. Lemma 4.8. (1)
Suppose θ ≤ φ in [ A → A ] → [ A → A ] , then fix ( θ ) ≤ fix ( φ ) in A → A . (2) If f ≤ g in A → A and f is total, then so is g .Proof. The first point follows from the fact that fix ( φ ) = (cid:70) ↑ φ n (Ω) and that θ ≤ φ impliesthat θ n ≤ φ n for any n . The second point follows from the fact that if U ≤ V (in A ) and U is total, then V is also total (lemma 4.5).4.3. A Language for Operators.
Terms.
Definition 4.9. F is the set of terms inductively generated from t ::= C p t | {D = t ; . . . ; D n = t n } p | C p - t | .D p t | x | Ω θ | f t | where x is a formal parameter , each f belongs to a finite set of function names and each θ = { t , . . . , t n } is a finite set (possibly empty) of terms. As previously, C and D come from This is monotonic because types are downward closed sets of values. a finite set of constructor and destructor names, and their priorities come from a finite setof natural numbers. They are respectively odd and even. We usually write “Ω” for Ω {} and“Ω t ” for Ω { t } .We impose the following (in)equalities:( ∗ ) (0) C = (0) C - = (0) .D = (0) {D = ; . . . } = (0) Ω { , θ } = (0) f = (1) C - C t = t (1) .D i { . . . ; D i = t i ; . . . } ≥ t i if no t i = (2) C - C (cid:48) t = if C (cid:54) = C (cid:48) (2) .D{ . . . } = if the record has no field D (2) C - { . . . } = (2) .DC t = (3) Ω { C t, θ } = Ω { t, θ } (3) Ω (cid:8) {D = t ; . . . ; D k = t k } , θ (cid:9) = Ω { t , . . . , t k , θ } (3) C - Ω θ = Ω θ (3) .D Ω θ = Ω θ (3) Ω (cid:8) Ω { t ; . . . ; t k } , θ (cid:9) = Ω { t , . . . , t k , θ } The order ≤ on F is furthermore generated from • t ≤ , • Ω { t } ≤ Ω { t , t } and Ω {} ≤ t , • contextuality (if C [ ] is a context, then t ≤ t = ⇒ C [ t ] ≤ C [ t ]), • if C [ ] is a context, then Ω { t } ≤ C [ t ], and in particular, Ω { t } ≤ t ,We call simple term any element of F different from .The whole group of inequalities ( ∗ ) naturally gives rise to a notion of reduction (writ-ten → ) when oriented from left to right. Lemma 4.10.
The reduction → is strongly normalizing and confluent. We write nf ( t ) forthe normal form of a term. Non zero normal forms are given by the grammar t ::= C p t | {D = t ; . . . ; D n = t n } p | ββ ::= Ω { δ , . . . , δ n } | δδ ::= C p - δ | .D p δ | x | f t Sketch of proof.
Reduction is strongly normalizing because the size of the term decreases.Because of the side condition “no t i = 0” in the rule .D i { . . . ; D i = t i ; . . . } → t i reduction is not strictly speaking a rewriting system and we cannot use Newman’s lemma asusual. Because we don’t know (yet) that reduction is confluent, we write t → ∗ t (cid:48) for “thereexists a reduction from t to t (cid:48) .” First, we prove Fact 4.11.
We have t = iff t ≥ iff t → ∗ .The first equivalence follows from the fact that is the greatest element, and the rightto left implication of the second equivalence follows from fact that t → t (cid:48) implies t ≥ t (cid:48) . HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 31
For the left to right implication, it is enough to prove that for all the inequalities t ≤ t (or t = t ) generating the order, we have “ t → ∗ implies t → ∗ ”. This is obvious formost of the generating inequalities except: • the inequalities involving Ω, • C - C t ≤ t , • contextuality, • Ω { t } ≤ C [ t ].In order to deal with those inequalities, we prove(1) C t → ∗ iff t → ∗ ,(2) { . . . ; D i = t i ; . . . } → ∗ iff t i → ∗ for some i ,(3) Ω { . . . ; t i ; . . . } → ∗ iff t i → ∗ for some i , (this point requires the previous two).Point (3) takes care of all inequalities of the form Ω θ ≥ and of Ω { t } ≤ C [ t ], point (1)takes care of C - C t ≤ t . For contextuality, we need one additional fact. Fact 4.12. If C t ≤ t , then either t → ∗ or t → ∗ C t (cid:48) with t ≤ t (cid:48) ; and similarly,if { . . . ; D i = t ,i ; . . . } ≤ t , then either t → ∗ or t → ∗ { . . . ; D i = t ,i ; . . . } with t ,i ≤ t ,i for all i = 1 , . . . , n .To prove confluence, we need to prove that each t has a single normal form. Wedistinguish 2 cases: • t (cid:54) = . Because of fact 4.11, none of the reductions from t can involve . Those reductionform a confluent rewriting system (the side condition “no t i = ” is always true) which isstrongly normalizing. The only critical pairs are C - Ω { C (cid:48) t, θ } C - Ω { {D = t , . . . } , θ } C - Ω { Ω { θ (cid:48) } , θ } .D Ω { C (cid:48) t, θ } .D Ω { {D = t , . . . } , θ } .D Ω { Ω { θ (cid:48) } , θ } Ω { Ω { C (cid:48) t, θ } , θ (cid:48) } Ω { Ω { {D = t , . . . } , θ } , θ (cid:48) } Ω { Ω { Ω { θ (cid:48) } , θ } , θ (cid:48) } and inspection readily shows that the system is locally confluent. By Newman’s lemma, itis confluent, and each t (cid:54) = has a unique normal form. • t = . In that case, t has one reduction to (by the previous lemma) and one reductionto a non term. The only reduction that allows to decrease (for the order ≤ ) a termis .D i { . . . ; D i = t i ; . . . } → t i . But in this case, the left side of the rule is equal to ,which implies that one of the t i is also equal to by fact 4.12. This is forbidden by theside condition.Reduction removes all destructors ( C - and .D ) that are directly above constructors ( C and { . . . } ). It also remove any constructor directly below Ω and destructors directlyabove Ω. This is exactly what the given grammar does.Because of the property t = iff t → ∗ , the easiest to way to compute the normal form ofa term is to reduce “bottom-up”, i.e. reduce all the t i before reducing .D i { . . . ; D i = t i ; . . . } .Unfortunately, F isn’t a sup semi-lattice, or, since is a greatest element, a sup-lattice.We thus need to formally add least upper-bounds before taking the ideal completion. Definition 4.13. F is obtained as the Smyth power construction (without empty sums) ofthe ideal completion of the free sup-lattice generated by F .The free sup-lattice F ( O ) generated from an order ( O, ≤ ) is obtained as the set of non-emptysubsets of the form U ↓ ordered by inclusion. The fact that this is a free construction meansthat defining a (sup preserving) function from F ( F ) to another sup-lattice L is equivalent to defining an increasing function from F to L . In particular, by proposition 4.1, to define alinear continuous function from F to another domain D , it is enough to define an increasingfunction from F to D (as is done in definitions 4.14, 4.17 and 4.30).Since is a top element, it can implicitly be added to all sums without changing theirmeaning. Because of that, can, a posteriori, be identified with the empty sum and wedon’t need to add it explicitly as we did when defining A .The ideal completion introduces infinite elements like “ CCCC · · · = (cid:70) ↑ { Ω , C Ω , CC Ω , . . . } ”but also like “ · · · .D.D.D.D x = (cid:70) ↑ { Ω , Ω .D x , Ω .D.D x , . . . } . Notice however that thereis no real infinite element of the form “ .D.D.D · · · = (cid:70) ↑ { Ω , .D Ω , .D.D Ω , . . . } ” becauseeach .D · · · .D Ω is equal to Ω. Note also that, just like V , F contains some infinite sums.The constructions “ .D ” and “ C - ” have natural interpretations as continuous functions: v (cid:55)→ .D ( v ) = ⊥ if v = ⊥ u if v is of the form { . . . ; D = u ; . . . } otherwiseand v (cid:55)→ C - ( v ) = ⊥ if v = ⊥ u if v is of the form C u otherwise Definition 4.14.
Given an environment ρ associating functions to names, and t (cid:54) = anelement of F , we define {| t |} ρ : A → A with • {| C t |} ρ ( v ) = C ◦ {| t |} ρ , • {| { . . . ; D i = t i ; . . . } |} ρ = v (cid:55)→ { . . . ; D i = {| t i |} ρ ( v ); . . . } , • {| Ω { . . . , t i , . . . }|} ρ = max i (cid:0) Ω ◦ {| t i |} (cid:1) , or more concretely – {| Ω |} ρ = Ω, – {| Ω { . . . , t i , . . . }|} ρ ( v ) = if one of {| t i |} ρ ( v ) = , and ⊥ otherwise, • {| C - t |} ρ = C - ◦ {| t |} ρ , • {| .D t |} ρ = .D ◦ {| t |} ρ , • {| x |} ρ = u (cid:55)→ u , • {| |} ρ = u (cid:55)→ , • {| f t |} ρ = ρ ( f ) ◦ {| t |} ρ ,We extend {| _ |} ρ to the whole of F with • {| (cid:87) t |} ρ = (cid:87) {| t |} ρ (pointwise), • {| (cid:80) t |} ρ = (cid:80) {| t |} ρ (pointwise), and in particular, {| |} ρ ( u ) = , • (cid:8)(cid:12)(cid:12)(cid:70) ↑ T (cid:12)(cid:12)(cid:9) ρ ( u ) = (cid:70) ↑ (cid:8) {| t |} ρ ( u ) | t ∈ T (cid:9) (pointwise). Lemma 4.15. (1) If t ≤ t , then {| t |} ρ ≤ {| t |} ρ . (2) If ρ ( f ) is continuous for any f , then {| t |} ρ is also continuous. (3) T (cid:55)→ {| T |} is continuous as a function from F to [ A → A ] . (4) If ρ ( f ) ≥ Ω (in [ A → A ] ) for all function names, then {| T |} ρ ≥ Ω . (5) For all terms t , t ∈ F and environment ρ , we have (cid:8)(cid:12)(cid:12) t [ x := t ] (cid:12)(cid:12)(cid:9) ρ = {| t |} ρ ◦ {| t |} ρ . recall that we used the ideal completion of the free sup-lattice generated by F HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 33
Sketch of proof.
Checking the first points amounts to checking that all inequations fromdefinition 4.9 hold semantically in [
A → A ]. This is immediate. The functions C - , .D and Ωare easily shown continuous, (cid:74) t (cid:75) ρ is continuous as a composition of continuous functions.Continuity of (cid:74) _ (cid:75) follows from the definition of (cid:113) (cid:70) ↑ . . . (cid:121) . The only thing that really needschecking is that (cid:74) _ (cid:75) is monotonic. This is an easy induction. Points (4) and (5) are provedby immediate induction. Definition 4.16.
We identify a special function name “ f ” for the recursive function beingdefined and we assume given an environment ρ for all the other names. Then each T ∈ A gives rise to an operator (cid:74) T (cid:75) from [ A → A ] to itself: (cid:74) T (cid:75) ρ : f (cid:55)→ (cid:74) T (cid:75) ρ ( f ) = {| T |} ρ, f := f All other functions will be called g , h etc.. The typical environment ρ is given inductively, itwill be omitted in the rest of the paper. A consequence of point (4) from lemma 4.15 is thatif ρ ( g ) ≥ Ω for all function names, then (cid:74) T (cid:75) (Ω) ≥ Ω, and we can thus use the formula forthe least fixed point of (cid:74) T (cid:75) ρ greater than Ω.4.3.2. Composition.
Given two terms t and t , we want to find a term representing thecomposition (cid:74) t (cid:75) ◦ (cid:74) t (cid:75) . The idea is to replace each “ f u ” inside t by “ t u ”, i.e. by t [ x := u ]. Definition 4.17. If t (cid:54) = ∈ F and T ∈ F , we define t ◦ T by induction on t where • ( C t ) ◦ T = C ( t ◦ T ), • { . . . ; D i = t i ; . . . } ◦ T = { . . . ; D i = t i ◦ T ; . . . } , • (cid:0) Ω { . . . , t i , . . . } (cid:1) ◦ T = Ω { t i ◦ T ) } , • ( C - t ) ◦ T = C - ( t ◦ T ), • ( .D t ) ◦ T = .D ( t ◦ T ), • x ◦ T = x , • ( f t ) ◦ T = T [ x := t ◦ T ].This is extended to T ∈ F by commutation with (cid:87) , (cid:80) and (cid:70) ↑ .Only the last case is interesting, and because of it, we sometimes use the less formalnotation T ◦ T = T (cid:2) f t := T [ x := t ] (cid:3) , or even T [ f := T ]. This definition of ◦ generalizesdefinition 3.8 on page 22. Note that because the definition is by induction on t , compositionis automatically linear in its left argument but not necessarily on its right argument. Lemma 4.18.
For any t , t , t ∈ F , t ◦ ( t ◦ t ) = ( t ◦ t ) ◦ t .Proof. We first prove that t [ x := t ] ◦ t = ( t ◦ t )[ x := t ◦ t ] by induction on t : • if t = x , this is immediate, • if t starts with a constructor, record, destructor or Ω, the result follows by induction, • if t = f t (cid:48) , we have( f t (cid:48) )[ x := t ] ◦ t = ( f t (cid:48) [ x := t ]) ◦ t = t [ x := t (cid:48) [ x := t ] ◦ t ] definition of ◦ = t [ x := ( t (cid:48) ◦ t )[ x := t ◦ t ]] induction= t [ x := t (cid:48) ◦ t ][ x := t ◦ t ] substitution lemma= ( f t (cid:48) ◦ t )[ x := t ◦ t ] definition of ◦ We can now prove that t ◦ ( t ◦ t ) = ( t ◦ t ) ◦ t by induction on t : • if t = x , this is immediate, • if t starts with a constructor, record, destructor or Ω, it follows by induction, • if t = f t (cid:48) , we need to show that t [ x := t ◦ t ] ◦ t = ( t ◦ t )[ x := t ◦ ( t ◦ t )]. Byinduction, it is enough to show that t [ x := t ◦ t ] ◦ t = ( t ◦ t )[ x := ( t ◦ t ) ◦ t )]. Thisfollows from the previous lemma, with t = t , t = t ◦ t , and t = t . Lemma 4.19.
For any T , T ∈ F , (cid:74) T ◦ T (cid:75) = (cid:74) T (cid:75) ◦ (cid:74) T (cid:75) . When T doesn’t contain f , wealso have {| T ◦ T |} = (cid:74) T (cid:75) (cid:0) {| T |} (cid:1) . In particular, (cid:8)(cid:12)(cid:12) T ◦ · · · ◦ T (cid:124) (cid:123)(cid:122) (cid:125) n ◦ Ω (cid:12)(cid:12)(cid:9) = (cid:74) T (cid:75) n (Ω) Proof.
The first point is proved by induction. The crucial case is ( f t ) ◦ t = t [ x := t ◦ t ]: (cid:113) ( f t ) ◦ t (cid:121) ρ = f (cid:55)→ (cid:8)(cid:12)(cid:12) ( f t ) ◦ t (cid:12)(cid:12)(cid:9) ρ, f = f definition of (cid:74) _ (cid:75) = f (cid:55)→ (cid:8)(cid:12)(cid:12) t [ x := t ◦ t ] (cid:12)(cid:12)(cid:9) ρ, f = f definition of ◦ = f (cid:55)→ {| t |} ρ, f = f ◦ {| t ◦ t |} ρ, f = f point (5) of lemma 4.15= f (cid:55)→ {| t |} ρ, f = f ◦ {| t |} ρ, f = {| t |} ρ, f = f induction= f (cid:55)→ {| f t |} ρ, f = {| t |} ρ, f = f definition of {| _ |} = (cid:74) f t (cid:75) ρ ◦ (cid:74) t (cid:75) ρ definition of (cid:74) _ (cid:75) Interpreting recursive definitions.
We can now replace the operator φ f (obtainedfrom a recursive definition) by the interpretation of an element of F . Consider a singleclause “ f p = u ” of the recursive definition of f . The pattern p allows to “extract” someparts of the argument of f to be used in u . We can mimics that in F : Definition 4.20.
Given a pattern p , define the substitution σ p (a function from variablesto terms) as follows: (also in definition 3.7 on page 21) • σ y = [ y := x ], • σ C p = C - ◦ σ p , • σ { ... ; D i = p i ; ... } = (cid:83) i ( .D i ◦ σ p i ) (note that because patterns are linear, the union is disjoint).where ◦ represents composition functions. For example, C - ◦ σ p = [ . . . , y := C - σ p ( y ) , . . . ]. Lemma 4.21. If v ∈ V matches p , then σ p ( y )[ x := v ] (cid:54) = for all variables y in p . In thatcase, σ p ◦ [ x = v ] is the unifier for p and v .Proof. The proof is a simple induction on the pair pattern / value. (Refer to definition ofthe matching unifier on page 28).An example should make that clearer. Consider the pattern
Cons{Fst=n; Snd=l} (simply“ n::l ” in Caml), we get the substitution (cid:104) n := .Fst Cons - x , l := .Snd Cons - x (cid:105) which precisely describes how to get n and l from a value ( x ).A part of a pattern that doesn’t contain variables isn’t recorded in σ p . For example, thepattern Cons{Fst=Zero; Snd=l} would only give the subsitution [ l := .Snd Cons - x ] andwould thus match any non-empty list. HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 35
Definition 4.22.
Given a recursive definition of f , define T f with T f = (cid:88) f p = u u [ σ p ]where the sum ranges over all clauses defining f .Each summand of this sum is a simple term (a non element of F ) and we interpret inthis way any recursive definition as a compact element of F . The previous lemma makes iteasy to show Corollary 4.23. If T f is defined as above for a definition of f , we have (cid:74) T f (cid:75) ρ ≤ φ f , wherethe environment ρ associates to each previously defined function, its interpretation (liftedto A → A ). One reason T f is generally smaller than φ f is that patterns may overlap. In that case, φ f only uses the first matching clause while T f sums over all matching clauses. The other reasonis that we forget about the patterns without variables (like Zero above). By lemma 4.8,totality of fix ( (cid:74) T f (cid:75) ) implies totality of fix ( φ f ). Note that nothing in this corollary requires ρ to be the interpretation of previously defined functions, we only need to interpret each g bya total function! Because of lemma 4.19, we have Lemma 4.24.
To check that fix ( φ f ) is total, is is enough to check that (cid:71) ↑ n (cid:117)(cid:118) T f ◦ . . . T f (cid:124) (cid:123)(cid:122) (cid:125) n ◦ Ω (cid:125)(cid:126) is total. From now on, we will omit the semantics brackets and write T f for (cid:74) T f (cid:75) ρ . We will alsowrite T n f (Ω) for T f ◦ · · · ◦ T f ◦ Ω and the notation “ fix ( T n )” will refer to (cid:70) ↑ n T f ◦ . . . T f ◦ Ω.4.5.
Removing finite path.
During evaluation, or when using the formula for fix ( T ), somecomputations are finite. Since the size-change principle only deals with infinite path, suchfinite computations are ignored. In simple cases, this is justified by the following. Lemma 4.25.
Suppose T f doesn’t contain Ω and is of the form T + T , where all summandsof T contains a single occurrence of f , and all summands of T contain no occurrence of f . Then fix ( T + T ) is total iff fix ( T ) is total.Sketch of proof. We have T + T ≤ T , which proves the left to right implication. For theother direction, note that T ( t + t (cid:48) ) = T ◦ ( t + t (cid:48) ) by lemma 4.19. Since each summand of T contains a single occurrence of f , its semantics is linear: we have T ◦ ( t + t (cid:48) ) = T ( t ) + T ( t (cid:48) ).This implies that ( T + T ) ( t ) = T ( t ) + T ( T ) + T , and more generally:( T + T ) n ( t ) = n − (cid:88) i =0 T i ( T ) + T n ( t ) Many everyday recursive function are of this form. The first real counter example that comes to mind isthe Ackermann function.
We now have fix ( T + T ) = (cid:71) ↑ n ≥ ( T + T ) n (Ω)= (cid:71) ↑ n ≥ (cid:32) n − (cid:88) i =0 T i ( T ) + T n (Ω) (cid:33) = (cid:88) n> T n ( T ) + (cid:71) ↑ n ≥ T n (Ω) (*)= (cid:88) n> T n ( T ) + fix ( T ) (1)where ( ∗ ) follows from basic properties of unions (+) and intersections ( (cid:116) ↑ ). Each T n ( T ) isa finite composition of total functionals and is thus total. Since fix ( T ) is total by hypothesis,we can conclude.When T contains nested calls, the previous lemma is false! The following ad-hocdefinition provides a counter example: val f : prod(nat, nat) -> nat| f {Fst=0; Snd=s} = s| f {Fst=n+1; Snd=s} = f {Fst=n; Snd=f {Fst=n+1; Snd=s}} This definition yields a non total T f : it is undefined whenever the first projection of its inputis strictly greater than 0. However, removing the base case, or replacing it with | f {Snd=0; Snd=s} = 3 yields a total function, at least in call-by-name. To derive a general formula analogous to (1),we start by indexing the occurrences of f in T : if T is ffx , we write f f x . Substituting f by g + h gives ggx + ghx + hgx + hhx , i.e. each occurrence of f is substituted either by g or h .Since substituting a single occurrence of f is linear, substituting all of them is multilinear. Lemma 4.26.
We have T ◦ ( t + · · · + t n ) = (cid:88) σ : occ ( f ,T ) →{ t ,...,t n } T [ σ ] where occ ( f , T ) represents the set of occurrences of f in T , and the substitution occurs atthe given occurrences. More precisely, T [ σ ] = T (cid:2) f i t := σ ( f i )[ x := t ] (cid:3) as in definition 4.17. In particular, if T = (cid:80) i t i is a sum of simple terms, then T n is a sum of simple termsobtained in the following way: • start with a simple term t i , • replace each occurrence of f by one of the t i , • repeat n − Definition 4.27.
Given T = t + · · · + t n a sum of simple terms, a path for T is asequence ( s k , σ k ) k ≥ such that: • s = f x , Our semantics corresponds to call-by-name, but the fact that this definition is total can also be checkedusing the formula for fix ( T f ), i.e. without referring to the operational semantics of the language. HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 37 • s k +1 = s k [ σ k ] where σ k replaces occurrences of f inside s k by t , . . . , or t n .If some s k doesn’t contain any occurrence of f , then all latter s k + i are equal to s k . We callsuch a path finite .We usually don’t write the substitution and talk about the path ( s k ). Note that s is just one of the summands of T . We can now state and prove a general version of theformula (1). Lemma 4.28.
Suppose T = t + · · · + t n is a sum of simple terms, then fix ( T ) = (cid:88) s path of T (cid:71) ↑ i ≥ s i (Ω) Proof.
Let s be a simple term in fix ( T ) = (cid:70) ↑ T n (Ω). We want to show that s is greater thansome (cid:70) ↑ i ≥ s i (Ω). For each i , T i (Ω) is a finite sum of elements of F . Define the followingforest: • nodes of depth i are those summands t in T i satisfying t (Ω) ≤ s , • a node s at depth i is related to a node s (cid:48) at depth i + 1 if s (cid:48) = s [ σ ], where σ substituteall occurrences of f in s by one of t , . . . , t n .This forest is finitely branching (there are only finitely many possible substitutions froma given node) and infinite (because T n (Ω) ≤ fix ( T ) ≤ s , each T n (Ω) contains some term t such that t (Ω) ≤ s ). It thus contains an infinite branch (K¨onig’s lemma) s , s , . . . . Thissequence satisfies all the properties of definition 4.27 and its limit is less than s (becauseall s i (Ω) are less than s by construction). We thus have (cid:71) ↑ T n (Ω) ≥ (cid:88) s path of T (cid:71) ↑ i ≥ s i (Ω)For the converse, it is enough to show that for each path ( s k ) and natural number n , thelimit of s k (Ω) is greater than T n (Ω). This is immediate because each s k (Ω) is a summandof T k (Ω). Corollary 4.29. If T doesn’t contain Ω and fix ( T ) is non-total, then there is an infinitepath ( s k ) for T such that (cid:70) ↑ s i (Ω) is non total.Proof. If fix ( T ) is non total, then by the previous lemma, there is a path of T that isnon total. Since every finite path is total as a finite composition of total operators, therenecessarily exists a non total infinite path.4.6. The Call-Graph.
In an infinite non total path ( s k ), each s k must contain at least oneoccurrence of f that leads to non totality. The call-graph allows to keep that occurrencealive. All other occurrences are either removed or replaced by Ω. Definition 4.30.
Let T = t + · · · + t n be a sum of simple terms that do not contain Ω.Define G ( T ) = (cid:80) β f t ∈ T β Ω f u Ω where • β is a branch (i.e. a term where records have a single field), • β f t ∈ T means that T contains the subterm f t at position β , • β Ω is equal to β where all function names ( f , g , h , etc.) have been replaced by Ω, andsimilarly for t Ω .A more pedestrian inductive definition is (1) G ( f t ) = f t if f doesn’t occur in t ,(2) G ( f t ) = f (cid:0) t Ω (cid:1) + Ω G ( t ) if f occurs in t , (note that there is no recursive call to G in theleft summand)(3) G ( g t ) = Ω G ( t ),(4) G ( x ) = x ,(5) G ( C t ) = C G ( t ),(6) G (cid:0) { . . . ; D i = t i ; . . . } (cid:1) = (cid:80) i {D i = G ( t i ) } ,(7) G ( C - t ) = C - G ( t ),(8) G ( .D t ) = .D G ( t ),extended by commutation with (cid:87) , (cid:80) and (cid:70) ↑ .In particular, G ( t ) = whenever t doesn’t depend on f . In general, T and G ( T ) are notcomparable. However, we have Proposition 4.31. If fix ( G ( T )) is total then so is fix ( T ) .Proof. Suppose fix ( T ) is non-total. By corollary 4.29, it implies there is a path ( s k ) and anelement u ∈ V with (cid:70) ↑ s i (Ω)( u ) ∈ V non-total, i.e. contains a non total branch (either afinite branch ending with ⊥ , or an infinite branch with odd principal priority). In particular,no s i (Ω)( u ) is equal to . Denote this branch with β .We index occurrences of f in T f by a natural number and extend that indexing tooccurrences of f in ( s k ). The occurrences of f in s k are indexed by lists of length k :(1) the only occurrence of f in s = f x is indexed by the empty list(2) occurrences of f in s are indexed using the list with a single number corresponding tothe index of this occurrence in T f .(3) given k >
1, suppose the original substitution σ k replaces occurrence f i in s k by somesummand t of T f . The new substitution replaces occurrence f L,i by the same t , butwhere each f j is instead indexed by f L,i,j .An example should make this clearer: suppose f , t occurs in s , corresponding initiallyto f t in s . If this occurrence was originally replaced by σ ( f ) = f Cf x , we now replace itwith σ ( f , ) = f , , Cf , , x . The new s will thus contain f , , Cf , , u . These lists recorda kind of genealogy of each occurrence of f by keeping track of which previous occurrencesintroduced it.An occurrence f L ∈ s k is called non-total if the path s (cid:48) = f L x , s (cid:48) = σ k ( f L ) , s (cid:48) = s (cid:48) [ σ k +1 ] , . . . is non-total. In other words, an occurrence is non-total if it “converges to a non-total term”.We now construct a path ( s (cid:48) k ) of G ( T ): suppose we have constructed σ (cid:48) , . . . σ (cid:48) k − sothat each s (cid:48) i is of the form β (cid:22) i γ Ω i f L t Ω i where • β (cid:22) i γ i f L t i is a subterm of s i , with f L being non-total, • β (cid:22) i is a prefix of β (it contains only C and {D = _} ), • γ i is either empty or starts with a function name ( f or some g ) and only contains unaryrecords.Since s (cid:48) k contains a single occurrence of f , the substitution σ (cid:48) k only need to act on f L .Suppose f L was replaced (by σ k ) by the summand t of T . Since f L was chosen non-total, t necessarily contains non-total occurrences f L,i . HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 39 • If γ k was non empty, we replace f L by any γ (cid:48) Ω f L,i t (cid:48) Ω where γ (cid:48) f L,i t (cid:48) corresponds to anon-total occurrence of f in t . This is indeed a summand of G ( T ), and s (cid:48) k +1 is equal to (cid:0) β (cid:22) k γ Ω k f L t Ω k (cid:1)(cid:2) f := γ (cid:48) Ω f L,i t (cid:48) Ω (cid:3) = β (cid:22) k γ Ω k γ (cid:48) Ω f L,i t (cid:48) Ω [ x := t Ω k ]= β (cid:22) k ( γ k γ (cid:48) ) Ω f L,i ( t (cid:48) [ x := t k ]) Ω • If γ k was empty, the summand t starts with part of the branch β : there is a sub-term β (cid:22) k,k +1 γ (cid:48) f L,i t (cid:48) of t such that – β (cid:22) k β (cid:22) k,k +1 is a prefix of β , – γ (cid:48) is either empty or starts with a function name, – f L,i is a non-total occurrence.In that case, we replace f L by β (cid:22) k,k +1 γ Ω k +1 f t Ω k +1 , which is indeed a summand in G ( T ).The term s (cid:48) k +1 is then equal to (cid:0) β (cid:22) k f L t Ω k (cid:1)(cid:2) f := β (cid:22) k,k +1 γ (cid:48) Ω f L,i t (cid:48) Ω (cid:3) = β (cid:22) k β (cid:22) k,k +1 γ (cid:48) Ω f L,i t (cid:48) Ω [ x := t Ω k ]= β (cid:22) k β (cid:22) k,k +1 γ (cid:48) Ω f L,i ( t (cid:48) [ x := t k ]) Ω In both cases, the resulting s (cid:48) k +1 as a shape compatible with the invariant given above. Fact 4.32.
This path ( s (cid:48) k ) of G ( T ) is non-total.We started by supposing that (cid:70) ↑ s i (Ω)( u ) is a non-total element of V containingthe non-total branch β . In particular, it implied that no s i (Ω)( u ) was equal to . Thelimit (cid:70) ↑ s (cid:48) k (Ω)( u ) is thus a limit of the form (cid:70) ↑ β k γ k Ω t ( u ) where t ( u ) is never equal to .This means that Ω t ( u ) = ⊥ . Since γ starts with a Ω (or is empty), the limit is of the form (cid:70) ↑ β k ⊥ . Because β is non-total, this limit is also non-total.Note that this is only a soundness result and doesn’t say anything about the strength ofreducing totality for T to totality for G ( T ). (The same holds trivially of G (cid:48) ( T ) = Ω, which isnever total!) The only argument presented in this paper about that is of a practical nature:experimenting with chariot shows that G ( T ) is quite powerful. General results like “allstructurally recursive definitions are total” or “all syntactically guarded definitions are total”are certainly provable, but they are left as an exercise to the reader.Note that since summands in G ( T f ) contain exactly one occurrence of f , an infinite pathfor G ( t ), usually given by a sequence of substitutions ( σ n ) is simply given by a sequence ( t n )of summands of G ( T f ). Such a path is total if (cid:70) ↑ ( t ◦ · · · ◦ t n )(Ω) is total.4.7. Weights.
Before proving correctness of the size-change principle for recursive definitions,we need to define the terms (cid:104) W (cid:105) t ∗ · · · ∗ (cid:104) W n (cid:105) t n that were used for collapsing in section 3.4. Definition 4.33.
We write ∆ for an element of F inductively built from∆ ::= C p ∆ | {D = ∆ ; . . . ; D k = ∆ k ; . . . } p | δ | Ω δδ ::= x i | C p - δ | .D p δ where k >
0. Given a branch leading to one x i , its weight is an element of W definedinductively: | C p β | = (cid:104) κ p (cid:105) + | β || {D = β } p | = (cid:104) κ p (cid:105) + | β || x i | = (cid:104)(cid:105)| Ω β | = Ω | C p - β | = (cid:104)− κ p (cid:105) + | β || .D p β | = (cid:104)− κ p (cid:105) + | β | Given some W i ∈ W , we put (cid:104) W (cid:105) ↓ x ∗ · · · ∗ (cid:104) W n (cid:105) ↓ x n = (cid:80) ∆ where for each ∆, the branchesleading to x i have weight less than (cid:104) W i (cid:105) . Given t , . . . , t n in F , we write (cid:104) W (cid:105) ↓ t ∗· · ·∗(cid:104) W n (cid:105) ↓ t n for the corresponding (cid:80) ∆[ x := t , . . . ].A summand of (cid:104) W (cid:105) ↓ x ∗ · · · ∗ (cid:104) W n (cid:105) ↓ x n looks like: Ω x x β | β | ≤ h W i , etc.Ω x Lemma 4.34.
The infinite sum from the previous definitions is finitely generated.Sketch of proof.
This relies on the fact that there only are finitely many constructor anddestructor names: given some weights W j ∈ W , write Ξ for (cid:104) W (cid:105) ↓ x ∗ · · · ∗ (cid:104) W n (cid:105) ↓ x n . Wewant to show that Ξ can be obtained as the limit of a chain of finite sums of elements of F .Given d ∈ N , define Ξ (cid:22) d ⊂ F as the set of all those ∆ obtained as collapses of elements of Ξof “syntactical depth” d . Collapsing an element ∆ is done by introducing some Ω inside ∆and normalizing. For example, Succ Succ Succ Succ - x has several collapses at depth 3: • Succ Succ Ω x , • Succ Ω Succ - x .Because there are only finitely many different constructors and destructors, each one of theset Ξ (cid:22) d is finite. Moreover, Ξ is the limit of the chainΞ (cid:22) ≤ Ξ (cid:22) ≤ · · · Indeed, each element of Ξ (cid:22) d +1 is either in Ξ (cid:22) d (when its syntactical depth is less than d ), orgreater than an element of (cid:0) (cid:104) W (cid:105) ↓ x ∗ · · · ∗ (cid:104) W n (cid:105) ↓ x n (cid:1) i (when its syntactical depth is strictlygreater than d ). This shows that (cid:104) W (cid:105) ↓ x ∗ · · · ∗ (cid:104) W n (cid:105) ↓ x n is a limit of compact elementsof F .Those new terms are “compatible” with the reduction of generalized patterns containingapproximations (c.f. definition 3.4 in the previous section). Lemma 4.35.
We have, where each P denotes a product (cid:104) W (cid:105) ↓ s ∗ · · · ∗ (cid:104) W n (cid:105) ↓ s n : (1) distribution: (cid:104) W (cid:105) ↓ ( t + t ) ∗ P = ( (cid:104) W (cid:105) ↓ t ∗ P ) + ( (cid:104) W (cid:105) ↓ t ∗ P ) , (2) (cid:104) W (cid:105) ↓ ∗ P = P , HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 41 (3) (cid:104) W (cid:105) ↓ = for a unary product, (4) (cid:104) W (cid:105) ↓ C p t ∗ P = (cid:104) W + κ p (cid:105) ↓ t ∗ P , (5) (cid:104) W (cid:105) ↓ { . . . ; D i = t i ; . . . } p ∗ P = (cid:81) i (cid:104) W i + κ p (cid:105) ↓ t i ∗ P if the record is not empty, (6) C p - (cid:81) i (cid:104) W i (cid:105) ↓ t i = (cid:81) i (cid:104) W − κ p (cid:105) ↓ t i , (7) .D p (cid:81) i (cid:104) W i (cid:105) ↓ t i = (cid:81) i (cid:104) W − κ p (cid:105) ↓ t i , (8) (cid:0) (cid:104) V (cid:105) ↓ ( (cid:81) i (cid:104) W i (cid:105) ↓ t i ) (cid:1) ∗ P = (cid:0) (cid:81) i (cid:104) V + W i (cid:105) ↓ t i (cid:1) ∗ P .We also have: • (cid:104) (cid:105) ↓ ( t ) ≤ t , • if W ≤ W (cid:48) in W , then (cid:104) W (cid:48) (cid:105) ↓ t ≤ u (cid:104) W (cid:105) ↓ t .Proof. We only look at one case, the other being treated similarly.(4) Suppose ∆[ x := C p t , . . . ] is a summand in (cid:104) W (cid:105) ↓ C p t ∗ P . We construct ∆ (cid:48) by replacingeach occurrence of x in ∆ by C p x . We have that ∆ (cid:48) [ x := t , . . . ] = ∆[ x := C p t , . . . ] isa summand in (cid:104) W + κ p (cid:105) ↓ t ∗ P . This shows that (cid:104) W (cid:105) ↓ C p t ∗ P ≥ (cid:104) W + κ p (cid:105) ↓ t ∗ P .For the converse, let ∆[ x := t , . . . ] be a summand in (cid:104) W + κ p (cid:105) ↓ t ∗ P . We construct ∆ (cid:48) by replacing each x by C p - x . The term ∆ (cid:48) [ x := C p t , . . . ] ≥ ∆[ x := t , . . . ] is then asummand in (cid:104) W (cid:105) ↓ C p t ∗ P .Formally speaking, we also need to introduce terms (cid:104) W (cid:105) ↑ t ∗· · ·∗(cid:104) W n (cid:105) ↑ t n to approximatethe output. This is done in exactly the same way, except we start from Z ∪ {−∞} and theorder on weights (definition 3.1 on page 19) satisfies • (cid:104) w (cid:105) p ↑ ≤ (cid:104) w (cid:105) p ↑ whenever w ≤ w in Z ∞ In other words, while (cid:104) (cid:105) ↓ removes at least one constructor (good one an argument), (cid:104) (cid:105) ↑ adds at least one constructor (good on top of a recursive call). We then have the sameproperties (lemma 4.35).4.8. The Size-Change Principle.
Putting everything together (proposition 4.31, corol-lary 4.29 and lemma 4.24), we get
Corollary 4.36.
If all infinite path in G ( T f ) are total, then (cid:74) f (cid:75) ρ is total for every totalenvironment ρ . This is where the size-change principle comes into play. We first prove a variant ofcombinatorial lemma at the heart of the size-change principle.
Lemma 4.37.
Suppose ( O, ≤ ) is a partial order, and F ⊆ O is a finite subset. Supposemoreover that ◦ is a binary, associative and monotonic operation on O × O and that (cid:5) is abinary, monotonic operation on F × F satisfying ∀ o , o ∈ F, ( o (cid:5) o ) ≤ ( o ◦ o ) then every infinite sequence o , o , . . . of elements of F can be subdivided into o , . . . , o n − , (cid:124) (cid:123)(cid:122) (cid:125) initial prefix o n , . . . , o n − , (cid:124) (cid:123)(cid:122) (cid:125) r o n , . . . , o n − , (cid:124) (cid:123)(cid:122) (cid:125) r . . . where: • all the ( . . . ( o n k (cid:5) o n k +1 ) (cid:5) · · · ) (cid:5) o n k +1 − are equal to the same r ∈ F , • r is coherent : there is some o ∈ O such that r, ( r (cid:5) r ) ≤ o . In particular, (cid:16) o n ◦ · · · ◦ o n − ◦ o n ◦ · · · ◦ o n − ◦ · · · ◦ o n k − ◦ · · · ◦ o n k − (cid:17) ≥ o ◦ o ◦ · · · ◦ o (cid:124) (cid:123)(cid:122) (cid:125) k times Proof.
This is a consequence of the infinite Ramsey theorem. Let ( o n ) n ≥ be an infinitesequence of elements of F . We associate a “color” c ( m, n ) to each pair ( m, n ) of naturalnumbers where m < n : c ( m, n ) def = ( ... ( o m (cid:5) o m +1 ) (cid:5) · · · ) (cid:5) o n − Since F is finite, the number of possible colors is finite. By the infinite Ramsey theorem,there is an infinite set I ⊆ N such all the ( i, j ) for i < j ∈ I have the same color o ∈ F .Write I = { n < n < · · · < n k < · · · } . If i < j < k ∈ I , we have: o = ( ... ( o i (cid:5) o i +1 ) (cid:5) · · · ) (cid:5) o j − = ( ... ( o j (cid:5) o j +1 ) (cid:5) · · · ) (cid:5) o k − = ( ... (( ... ( o i (cid:5) o i +1 ) (cid:5) · · · ) (cid:5) o j ) (cid:5) · · · ) (cid:5) o k − The first two equalities imply that o (cid:5) o = (cid:0) ( ... ( o i (cid:5) o i +1 ) (cid:5) · · · ) (cid:5) o j − (cid:1) (cid:5) (cid:0) ( ... ( o j (cid:5) o j +1 ) (cid:5) · · · ) (cid:5) o k − (cid:1) If (cid:5) is associative, this implies that o (cid:5) o = o . If not, we only get that both o and o (cid:5) o aresmaller than o i ◦ · · · ◦ o j − ◦ o j ◦ · · · ◦ o k − We can now mimic what was done in section 3:(1) terms with weights are elements of F (definition 4.33) and combine just like in section 3(lemma 4.35)(2) collapsing decreases information, almost by definition (collapsing weights decreases theweight, and collapsing depth inserts (cid:104) (cid:105) at some strategic places)There is one subtlety when collapsing the output: terms in G ( T f ) are of the form β f t where f doesn’t appear in u . We want to have a lower bound on the number of constructorsin β , and an upper bound on the number of constructors in u (or equivalently, a lower boundon the number of destructors). For that reason, collapsing on the u part is done (as insection 3) by introducing (cid:104) W (cid:105) ↓ , while collapsing on the β part is done by introducing (cid:104) W (cid:105) ↑ .The implementation used (cid:104)− W (cid:105) ↓ instead, which behaves similarly.With all that, we can define the transitive closure G ∗ of G as in the previous section. By construction, it satisfies:
Lemma 4.38.
For every finite sequence s , s = s [ f := t ] , . . . , s k = s k − [ f := t k − ] in G , wehave t ≤ t ◦ · · · t k − for some simple term t in G ∗ . We can now state and prove correctness of the size-change principle here in the case ofa single function. (The definition of p -norm for a branch is given on page 25.) Theorem 4.39 (size-change principle) . Suppose every simple term t = β f u in G ∗ thatsatisfies t ¨ t (cid:5) t also satisfies one of the following two conditions: • either the maximal priority p appearing in β is even and positive ( | β | p > ) Note that G ∗ is not an element of F as it may contain weights, which are not compact in F . HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 43 • or there is a subterm β (cid:81) (cid:104) W i (cid:105) ↓ λ i of v where the maximal priority p of each β (cid:104) W i (cid:105) ↓ λ i isodd, with negative weight (i.e. | β (cid:104) W i (cid:105) ↓ λ i | p < )then fix ( G ) is total. The proof is nothing more than a rephrasing of the intuition given on page 25.
Proof.
By lemma 4.28, we only need to check that infinite paths are total. Let ( s k ) be aninfinite path of G . By the lemma 4.37, we know that such a path can be decomposed into s . . . s n = s [ t ◦ · · · ◦ t n − ] . . . s n = s n [ t n ◦ · · · ◦ t n − ] . . . s n . . . where: • all the t n k +1 − (cid:5) . . . (cid:5) t n k are equal to the same t , • t is coherent : t (cid:5) t ¨ t .Suppose that t satisfies the first condition. If we write init for t ◦ · · · ◦ t n − , we have (cid:71) ↑ k s k (Ω) = (cid:71) ↑ k t ◦ t ◦ · · · ◦ t k (Ω) ≥ (cid:71) ↑ j t ◦ · · · ◦ t n − ◦ t j (Ω)= (cid:71) ↑ j init ◦ β j f u (Ω) ≥ init ◦ (cid:71) ↑ j β j ΩNow, for any simple value v , β k Ω( v ) is either or has at least k constructors of priority p = 2 q coming from β k above any constructor coming from v . At the limit, there will be infinitelymany constructors of priority p = 2 q , all coming from β . Because β doesn’t involveconstructors of priority greater than p = 2 q , the limit will be total.Similarly, if t satisfies the second condition. We have (cid:71) ↑ k s k (Ω) = (cid:71) ↑ k t ◦ t ◦ · · · ◦ t k (Ω) ≥ (cid:71) ↑ j init ◦ t j (Ω) ≥ init ◦ (cid:71) ↑ j Ω u j By hypothesis, u k = u [ x := u k − ] contains a subterm β (cid:81) (cid:104) W i (cid:105) ↓ λ i with | β (cid:104) W i (cid:105) ↓ λ i | p < i , p being the maximal priority appearing in β (cid:81) (cid:104) W i (cid:105) ↓ λ i . Since u contains approximations,it is in fact an infinite sum of elements of F . By definition of approximations, each summandof u k necessarily has a branch of the form ββ i λ i ββ i λ i . . . ββ i k λ i k where, by hypothesis, each | ββ i j λ i j | p <
0. Such a branch globally removes at least k constructors of priority p = 2 q + 1 and doesn’t involve greater priorities. If v is a total value,then each u k ( v ) can only be non- if v contains at least k constructors of priority p = 2 q + 1and no constructors of greater priority. At the limit, the only values such that (cid:70) ↑ k u k ( v )are non- are values that contain a branch with an infinite number of constructors of priority p = 2 q + 1 and no constructor of priority greater than p . This is impossible for totalvalues!4.9. Back to the Previous Section.
We can now recast all of section 3: • generalized patterns (definition 3.2) are just elements of F incorporating weights (defini-tion 4.33), • generalized patterns decrease along reduction (definition 3.4) because it consists of reduc-tions in F and equalities in F (lemma 4.35), • the call-graph of section 3.3 is a smaller than G ( T f ) of section 4.6: comparing the definitions,we see that the call graph can be obtained from G ( T f ) by – replacing the output branch β by its weight, for example by taking (cid:104) (cid:105) β (cid:104) (cid:105) , which issmaller than β , – in the arguments, replacing each Ω u by Ω, which is smaller than Ω u .None of these simplifications is really necessary in the implementation. • Composition of calls (definition 3.8) is an instance of composition on F (definition 4.17). • Collapsing and the rest of the criterion is then copied verbatim from sections 3.4 and 3.5to section 4.8.
Concluding Remarks
Complexity.
Since this totality test extends the termination test described in [Hyv14] andthus the usual size-change termination principle, its complexity is at least as bad: P-spacehard. The extensions presented here do not make it any harder. As a result, the complexityof this totality test is P-space complete. However, it seems to work really well in practice.Letting the user choose the bounds B and D (with sane default values ) allows to limit thecombinatorial explosion to the definitions that really need it. Several other implementationtricks described in previous works [Hyv14] also contribute to a more than reasonable practicalcomplexity. Rewrite rules vs pattern matching.
The choice of presenting the language in Haskell stylewith rewriting rules rather than using a “ match ” construction as in ML isn’t very important.The approach taken here is mixed: • the language itself uses rewriting rules, • the semantics (the domain F ) uses C - and .D which are closer to (partial) match expressions.The reason is that the prototype was developed with clauses, but the theory is simpler withpattern matching: the semantics of C - and .D is very simple, while the semantics of rewritingrules would require introducing formally unification on sums of values and make for an evenmore verbose definition of F .The advantage pattern matching is that it allows direct analysis of definitions like val f x = ...... match f v withC y -> u by producing a term u [ y := C - f v ]. With this approach, the function B = 2 and D = 2 is a good choice HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 45 val f x = Succ (match f x withZero -> Zero| Succ n -> Succ Zero) could be seen as total. For such a definition, rewriting rules would hide the match withan external function doing the pattern matching, and by doing so, would loose all theinformation about this external function: val m Zero = Zero| m (Succ _) = Succ Zeroval f x = Succ (m (f x)) (Recall that the analysis is local and that nothing is assumed of previously defined functionsbut their totality).Such definitions are rare since their results depend on the evaluation mechanism: theCaml version doesn’t terminate, but the corresponding Haskell version does, with the(expected) value
Succ (Succ Zero) . On the other hand, keeping rewriting rules allows the test to see that val f Zero = Succ Zero| f (Succ n) = f Zero is total. In this paper, this definition is interpreted by f Zero + Succ Zero which will betagged “non-total”. The reason is that the recursive call f Zero doesn’t use the n variableand the interpretation thus forgets about the corresponding left pattern.Those two examples are rather ad-hoc and seldom appear in practice. The choice isthus mostly a matter of taste. Copatterns.
A. Abel has advocated the use of “copatterns” while writing coinductivedefinitions. This syntactical “trick” amounts to replacing the definition val all_nats : nat -> stream(nat)| all_nats n = { Head=n; Tail=all_nats (Succ n)} by val all_nats : nat -> stream(nat)| (all_nats n).Head = n| (all_nats n).Tail = all_nats (Succ n) This doesn’t change the semantics of the program in any way and has the nice side effectthat as rewriting rules the definition is terminating. The drawback is that writing functionssuch as sums (page 17) involves additional functions and is very tedious.
Operational Semantics.
We have voluntarily refrained from giving the operational semanticsof the language. The idea is that totality is a semantical property that is checked syntactically.The operational semantics has to guarantee that evaluating a total function on a total valueis well defined, in particular that it should terminate. For example, head reduction thatstops on records guarantees that a total value has a normal form: it cannot contain ⊥ andcannot start with infinitely many inductive constructors (their priority is odd). Evaluationmust reach a record (coinductive) at some point. Simpler definitions where, for example, the matched call has a decreasing argument would still beaccepted in their rewriting rules form. This syntax is in fact supported by the chariot prototype.
Of course, a real programming language could introduce two kinds of records: coinductiveones and finite ones. The later could be evaluated during head reduction. Even better,destructors themselves could be coinductive (like
Tail for streams) or finite (like
Head forstreams.)In a similar vein, the language could have coinductive constructors to deal with coinduc-tive types like finite or infinite lists. At the moment, the only way to introduce this type iswith data list_aux(’a, ’b) whereNil : unit -> list_aux(’a, ’b)| Cons : prod(’a, ’b) -> list_aux(’a, ’b)codata inf_list(’a) whereunfold : inf_list(’a) -> list_aux(’a, inf_list(’a))
Needless to say, using this quickly gets tiring.
Call-by-Value.
Our semantics is “lazy” in the sense that values containing ⊥ are notnecessarily equal to ⊥ themselves. The fact that value constructors are lazy is crucial whenapplying the size-change principle. This is what guarantees that a C p corresponds exactlyto one constructor of priority p . With the strict version, a C p corresponds either to oneconstructor (when its argument is different from ⊥ ), to (which is total), or nothing (whenits argument is ⊥ ).However, because the call-graph contains all the recursive calls appearing in the definition,it seems like it cannot see the difference between call-by-name and call-by-value. For example,examples like val f {Fst=0; Snd=s} = 3| f {Fst=n+1; Snd=s} = f {Fst=n; Snd=f {Fst=n+1; Snd=s}} from page 36 are always rejected as the call-graph contains the call f {Fst=n+1; Snd=s} → Ω f {Fst=n+1; Snd=s} The way the call-graph is constructed is reminiscent of the concept of dependency pairs [AG00]from term rewriting, where we replace a rule f l . . . l k → r by the f l . . . l k → g u . . . u l where g u . . . u l are subterms of r . This new rewriting system is terminating if and only ifthe original one is terminating. Note that “terminating” for a rewriting system is independentof the reduction strategy.If the analogy holds, it would make the criterion as described a criterion that wouldwork unchanged for call-by-value. Higher order types.
The theory should extend to account for some higher order datatypes.Defining T -branching trees as (coinductive) codata tree(’b, ’n) wherechild : tree(’b, ’n) -> (’b -> tree(’b, ’n)) or (inductive) data tree(’b, ’n) whereroot : unit -> tree(’b, ’n)| fork : (’b -> tree(’b, ’n)) -> tree(’b, ’n) should for example make the corresponding map function pass the totality test. HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 47
Dependent Types.
Dealing with dependent types is easy: tag dependent functions as “non-total”. While this sounds like a joke, it illustrates the fact that even without any theoryfor dependent types, this totality checker can be used for dependently typed languages. Ofcourse, the idea would be to extend it to actually do something interesting on dependenttypes.Many useful dependent types like “lists of size n ” can in fact be embedded in biggernon dependent datatypes like (“lists” in this case). The totality checker can, at least inprinciple, be used for those types. That, and the extension to some higher order as describedabove would go a long way to provide a theoretically sound totality checker for dependentlanguages like Agda or Coq. Sized types.
Just like in Agda, it seems using sized-types for termination and totality ismostly orthogonal to this totality checker. Considering the type of sizes to be a datatype isprobably enough to make the totality checker “size aware”. Adding sized types would helpdealing with examples that the current totality test ignores, like val nats = {Head = 0; Tail = map_stream Succ nats}
We could have the information that
Succ as type nat α → nat α +1 . Even purely inductivefunctions like val sum_list : list(nat) -> nat| sum_list [] = 0| sum_list n::l = n + sum_list(l)data rose_tree(’a) whereNode : list(rose_tree(’a)) -> rose_tree(’a)val sum_rose_tree : rose_tree(nat) -> nat| sum_rose_tree (Node(l)) = sum_list (map_list sum_rose_tree l) would benefit from sized types. References [AA02] Andreas Abel and Thorsten Altenkirch. A predicative analysis of structural recursion.
Journal ofFunctional Programming , 12:1–41, January 2002.[Abe10] Andreas Abel. Miniagda: Integrating sized and dependent types. In
In Partiality and Recursion(PAR 2010) , 2010. arXiv:1012.4896.[Abe12] Andreas Abel. Type-based termination, inflationary fixed-points, and mixed inductive-coinductivetypes. In
Proceedings 8th Workshop on Fixed Points in Computer Science, FICS 2012, Tallinn,Estonia, 24th March 2012. , pages 1–11, 2012.[AD12] Thorsten Altenkirch and Nils Anders Danielsson. Termination checking in the presence of nestedinductive and coinductive types. In Ekaterina Komendantskaya, Ana Bove, and Milad Niqui,editors,
PAR-10. Partiality and Recursion in Interactive Theorem Provers , volume 5 of
EasyChairProceedings in Computing , pages 101–106. EasyChair, 2012.[AG00] Thomas Arts and J¨urgen Giesl. Termination of term rewriting using dependency pairs.
Theor.Comput. Sci. , 236(1-2):133–178, 2000.[Ahn14] Ki Yung Ahn.
The Nax Language: Unifying Functional Programming and Logical Reasoning in aLanguage based on Mendler-style Recursion Schemes and Term-indexed Types . PhD, PortlandState University, December 2014.[AJ94] Samson Abramsky and Achim Jung. Domain theory. In Samson Abramsky, Dov M. Gabbay, andT. S. E. Maibaum, editors,
Handbook of Logic in Computer Science (Vol. 3) , chapter DomainTheory, pages 1–168. Oxford University Press, Inc., New York, NY, USA, 1994. [Bar92] Michael Barr. Algebraically compact functors.
J. Pure Appl. Algebra , 82(3):211–231, 1992.[Ber93] Ulrich Berger. Total sets and objects in domain theory.
Annals of Pure and Applied Logic ,60(2):91–117, 1993.[CBGB16] Ranald Clouston, Ales Bizjak, Hans Bugge Grathwohl, and Lars Birkedal. The guarded lambda-calculus: Programming and reasoning with guarded recursion for coinductive types.
LogicalMethods in Computer Science , 12(3), 2016.[CF92] Robin Cockett and Tom Fukushima. About Charity. Yellow Series Report No. 92/480/18, Depart-ment of Computer Science, The University of Calgary, June 1992.[Cla13] Pierre Clairambault. Strong functors and interleaving fixpoints in game semantics.
RAIRO -Theor. Inf. and Applic. , 47(1):25–68, 2013.[Coc96] Robin Cockett. Charitable thoughts, 1996. (draft lecture notes, ).[Coq93] Thierry Coquand. Infinite objects in type theory. In H. Barendregt and T. Nipkow, editors,
Typesfor Proofs and Programs , pages 62–78. Springer, Berlin, Heidelberg, 1993.[Dou17a] Amina Doumane. Constructive completeness for the linear-time µ -calculus. In , pages 1–12, 2017.[Dou17b] Amina Doumane. On the infinitary proof theory of logics with fixed points. (Th´eorie de lad´emonstration infinitaire pour les logiques `a points fixes) . PhD thesis, Paris Diderot University,France, 2017.[For14] J´erˆome Fortier.
Expressive Power of Circular Proofs . PhD, Aix Marseille Universit´e ; Universit´edu Qu´ebec `a Montr´eal, December 2014.[FS14] J´eˆome Fortier and Luigi Santocanale. Cuts for circular proofs. In Nikolaos Galatos, AlexanderKurz, and Constantine Tsinakis, editors,
TACL 2013. Sixth International Conference on Topology,Algebra and Categories in Logic , volume 25 of
EasyChair Proceedings in Computing , pages 72–75.EasyChair, 2014.[Gua18] Adrien Guatto. A generalized modality for recursion. In
Proceedings of the 33rd Annual ACM/IEEESymposium on Logic in Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018 , pages482–491, 2018.[Hyv14] Pierre Hyvernat. The size-change termination principle for constructor based languages.
LogicalMethods in Computer Science , 10(1), 2014.[LJBA01] Chin Soon Lee, Neil D. Jones, and Amir Ben-Amram. The size-change principle for programtermination. In
Symposium on Principles of Programming Languages , volume 28, pages 81–92.ACM press, january 2001.[LR18] Rodolphe Lepigre and Christophe Raffalli. Practical subtyping for curry-style languages, 2018. ac-cepted for publication in ACM Transactions on Programming Languages and Systems (TOPLAS).[Men91] Nax Paul Mendler. Inductive types and type constraints in the second-order lambda calculus.
Annals of Pure and Applied Logic , 51(1-2):159–172, 1991.[Mil78] Robin Milner. A theory of type polymorphism in programming.
Journal of Computer and SystemSciences , 17:348–375, 1978.[Nak00] Hiroshi Nakano. A modality for recursion. In , pages 255–266, 2000.[Nor08] Ulf Norell. Dependently typed programming in agda. In
In Lecture Notes from the Summer Schoolin Advanced Functional Programming , 2008.[PJ87] Simon Peyton Jones.
The Implementation of Functional Programming Languages . Prentice Hall,January 1987.[Plo83] Gordon Plotkin. Domains, 1983. Pisa Notes.[San02a] Luigi Santocanale. A calculus of circular proofs and its categorical semantics. In Mogens Nielsenand Uffe Engberg, editors,
FoSSaCS , volume 2303 of
Lecture Notes in Computer Science , pages357–371. Springer, 2002.[San02b] Luigi Santocanale. From parity games to circular proofs.
Electr. Notes Theor. Comput. Sci. ,65(1):305–316, 2002.[San02c] Luigi Santocanale. µ -bicomplete categories and parity games. Theoretical Informatics and Appli-cations , 36:195–227, 2002.
HE SIZE-CHANGE PRINCIPLE FOR MIXED INDUCTIVE AND COINDUCTIVE TYPES 49 [SHGL94] Viggo. Stoltenberg-Hansen, Edward R. Griffor, and Ingrid. Lindstrom.
Mathematical Theory ofDomains . Cambridge University Press Cambridge ; New York, 1994.[Smy78] Michael B. Smyth. Power domains.
Journal of Computer and System Sciences , 16(1):23–36, 1978.[Smy83] Michael B. Smyth. Power domains and predicate transformers: A topological view. In
ICALP ,volume 154 of
Lecture Notes in Computer Science , pages 662–675. Springer, 1983.[The04] The Coq development team.
The Coq proof assistant reference manual . LogiCal Project, 2004.[Tur36] Alan Mathison Turing. On computable numbers, with an application to the entscheidungsproblem.
Proceedings of the London Mathematical Society , s2-42(1):230–265, 1936.
This work is licensed under the Creative Commons Attribution License. To view a copy of thislicense, visit https://creativecommons.org/licenses/by/4.0/https://creativecommons.org/licenses/by/4.0/