Semantics, Specification Logic, and Hoare Logic of Exact Real Computation

Sewon Park; Franz Brauße; Pieter Collins; SunYoung Kim; Michal Konečný; Gyesik Lee; Norbert Müller; Eike Neumann; Norbert Preining; Martin Ziegler

doi:10.48550/arxiv.1608.05787

Park, Sewon;Brauße, Franz;Collins, Pieter;Kim, SunYoung;Konečný, Michal;Lee, Gyesik;Müller, Norbert;Neumann, Eike;Preining, Norbert;Ziegler, Martin

2016-08-20 00:00:00

SEMANTICS, SPECIFICATION LOGIC, AND HOARE LOGIC OF EXACT REAL COMPUTATION SEWON PARK, FRANZ BRAUßE, PIETER COLLINS, SUNYOUNG KIM, MICHAL KONEČNÝ, GYESIK LEE, NORBERT MÜLLER, EIKE NEUMANN, NORBERT PREINING, AND MARTIN ZIEGLER School of Computing, KAIST, Daejeon, Republic of Korea e-mail address: [email protected] University of Manchester e-mail address: [email protected] Maastricht University, Maastricht, The Netherlands e-mail address: [email protected] Yonsei University, Seoul, Republic of Korea e-mail address: [email protected] Aston University, Birmingham, UK e-mail address: [email protected] Hankyong National University, Anseong, Republic of Korea e-mail address: [email protected] Universität Trier, Trier, Germany e-mail address: [email protected] Swansea University, Swansea, UK e-mail address: [email protected] Fujitsu Ltd., Japan e-mail address: [email protected] KAIST, Daejeon, Republic of Korea e-mail address: [email protected] Key words and phrases: Computable Analysis, Reliable Numerics, Imperative Programming, Turing- Completeness, Decidability, Hoare Logic, Kleene Logic. © Park, Brauße, Collins, Kim, Konecný, ˇ Lee, Müller, Neumann, Preining, and Ziegler Preprint submitted to Logical Methods in Computer Science CC Creative Commons arXiv:1608.05787v7 [cs.NA] 21 Apr 2022 2 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER Abstract. We propose a simple imperative programming language, ERC, that features arbitrary real numbers as primitive data type, exactly. Equipped with a denotational semantics, ERC provides a formal programming language-theoretic foundation to the algorithmic processing of real numbers. In order to capture multi-valuedness, which is well-known essential to real number computation, we use a carefully designed Plotkin powerdomain. This makes our programming language semantics computable and complete: all and only real functions computable in computable analysis can be realized in ERC. The base programming language supports real arithmetic as well as implicit limits; expansions support additional primitive operations (such as a user-deﬁned exponential function). By restricting integers to Presburger arithmetic and real coercion to the ‘precision’ embedding Z 3 p 7! 2 2 R, we arrive at a ﬁrst-order theory which we prove to be decidable, model- complete, and expressive for the base programming language. Based on said logic as speciﬁcation language for preconditions and postconditions, we extend Hoare logic to a sound (w.r.t. the denotational semantics) and expressive system for deriving correct total correctness predicates. Various examples demonstrate the practicality and convenience of our language and proof rules. Contents 1. Introduction 3 1.1. Kleenean-valued Comparison and Nondeterminism 4 1.2. Main Contributions and Overviews 5 2. Preliminaries 7 2.1. Representations and Computable Partial Functions 8 2.2. Computable (Inﬁnite) Multi-functions 9 2.3. Computable (Finite) Multi-functions and Plotkin Powerdomain 10 3. Formal Syntax and Typing Rules of Exact Real Computation 12 3.1. Syntax 12 3.2. Typing Rules 14 4. Denotational Semantics of Exact Real Computation 16 4.1. Denotations of Terms 16 4.2. Denotations of Commands 18 4.3. Denotations of Programs 20 5. Programming in Exact Real Computation 21 5.1. Programming Abbreviations 22 5.2. Example Programs 23 5.3. Turing-Completeness 30 6. Logic of Exact Real Computation 32 6.1. Three-Sorted Structure with Decidable Theory 32 6.2. Speciﬁcation Language 35 6.3. Hoare Logic 37 7. Example Formal Veriﬁcation in Exact Real Computation 39 8. Conclusion and Future work 40 Acknowledgement 41 References 41 Appendix A. Proof of the Soundness of the Hoare Logic of ERC 44 EXACT REAL COMPUTATION 3 1. Introduction In computable analysis, real numbers are expressed and computed over exactly by using inﬁnite representations [Wei00, PER89]. For example, a real number x is represented by n n an inﬁnite sequence of integers x such that jx x 2 j 2 holds for all n. That n n means, when we have correctly computed a real number x we automatically get access to the real number x via any arbitrarily accurate precision, making this approach well-suited for domains where high precision numerical results are required. There are several implementations demonstrating the practicality of this approach for + + + exact real number computation: AERN [KTD 13], Ariadne [CGC 20], Core2 [YYD 10], Cdar [Bla], iRRAM [Mül01], and realLib [Lam05]. They provide their own data types of real numbers to their users such that the users can deal with real numbers as they were abstract algebraic entities without being concerned with how the inﬁnite representations are implemented in their back-ends. Together with the property that primitive operations are computed exactly without causing any rounding errors, real numbers that the users observe closely resemble the classical mathematical structure of real numbers. According to this observation, it is expected that reasoning programs’ behaviours in this approach becomes more intuitive as the accuracy of computations becomes not an interesting question anymore; cf. [KMP 08, Mel08, BFM09, BM11]. Imperative programming, a ubiquitous style of expressing computation that is widely adopted in numerical computation software, admits rich theories of precondition-postcondition- based program veriﬁcation [Hoa69, AO19, Rey02, NMB06] and their applications including [FP13]. Hence, it is a natural desire to extend them with exact real number computation in order to conveniently achieve (provably) correct arbitrary accurate numerical computations. To make such an extension rigorous, we ﬁrst need to have a formal programming language on which the extended veriﬁcation methodologies are based. However, extending an existing formal programming language with exact real number computation, which is a seemingly simple quest, fails when it is done naïvely with the classical model-theoretic structure of real numbers as it is not identical, though resembles much, to the computational structure of real numbers [Her99, Section 3]. For example, real number comparison x < y is only partially computable causing non-termination when x = y [Wei00, Theorem 4.1.16] resulting nondeterminism for multi-valued functions to become essential [Luc77]. (It is explained in more detail in Section 1.1.) The aim of this paper is as follows. We formalize exact real number computation as an imperative programming language that correctly deals with the partial and nondeterministic nature. It means that the language’s formal (domain-theoretic denotational) semantics makes our language deﬁne precisely the computable partial real functions and integer multi-valued functions in computable analysis. Based on the formal programming language, we devise a speciﬁcation logic for exact real number computation which is then used in our extended Hoare logic which is sound with regard to the denotational semantics. The language is rich enough to model core fragments of existing software and simple enough to stand as a design guideline for future exact real number computation software developments which wish to adopt the theory developed in this paper. We develop our language and theory relative to primitive operator extensions such that other frameworks that provide richer sets of primitive operators can still rely on our theoretical language and analyze their real number computations. 4 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER In terms of formalizing exact real number computation, this work is deeply inﬂuenced by the following related works. Real PCF [Esc96] is a pure functional language that is an extension of PCF [Plo77] with real numbers, computable real number operations, and a parallel conditional construct for nondeterminism. Its application in expressing integration demonstrated usefulness of formalizing exact real number computation [EE00]. In [MRE07], a domain-theoretic denotational semantics of a variant language is deﬁned but using the Hoare powerdomain which cannot express termination. There, it is observed that nondeterminism in computable analysis becomes continuous only with the Hoare powerdomain. In this paper, we avoid the continuity problem and use the Plotkin powerdomain such that we do not need to have a separate tool for reasoning programs’ termination. (Later in Remark 2.6, we discuss about using diﬀerent powerdomains.) Speaking of imperative languages, Feasible real RAM [BH98] is a computable variant of real RAM where the infeasible total real comparison test [Bra03] is replaced with a nondeterministic approximation to it. Its operational semantics inﬂuenced the design of [Mül01]. Amongst further related works including [BC88, DGE13, ES14], WhileCC [TZ04], a simple imperative language extended with the computational structure of real numbers and a (countable) nondeterminism construct, which is suggested with its algebraic operational semantics, is close to our design. We proceed from there, suggest a diﬀerent set of primitives, and further devise domain-theoretic computable denotational semantics, speciﬁcation logic, and reasoning principles. 1.1. Kleenean-valued Comparison and Nondeterminism. As an inevitable side-eﬀect of using inﬁnite representations, the ordinary order relation of real numbers as a Boolean- valued function is only partially computable. More speciﬁcally, whichever inﬁnite represen- tation of reals underlies, the comparison test of real numbers x < y does not terminate when x = y if we want it to be correct at least in elsewhere [Wei00, Theorem 4.1.16]. That means dealing with possibly non-terminating Boolean expressions becomes essential, to the extent some frameworks, including AERN and iRRAM, introduce the concept of Kleenean, a lazy extension of Boolean, in their core design. (See [KST20b, Example 3] for an example formulation.) A variable of type Kleenean can store a non-terminating Boolean expression safely, deferring the non-termination to the moment when it is eagerly required to check if the stored value is true or false. Denoting the non-termination as unknown (standing for the third truth-value in Kleene three-value logic), an admissible value that variables can store, Kleenean-valued comparison test l : R R ! K (:= ftrue; false; unknowng) deﬁned by >true if x < y; x l y := (1.1) false if y < x; unknown otherwise if x = y; replaces the partially computable ordinary Boolean-valued comparison test. Due to the non-termination in comparisons, multi-valued functions (multi-functions in short) and nondeterministic computations realizing multi-functions become essential [Luc77] to compose a total but nondeterministic procedure from possibly non-terminating sub-procedures. For example, when we have two Kleenean-valued comparisons x l y + 2 n n n and y l x + 2 , which return unknown when x = y + 2 and y = x + 2 respectively, we can evaluate them in parallel until one returns true. And, if it was the ﬁrst, we return true. Otherwise, we return false. As at least one of the two tests must evaluate EXACT REAL COMPUTATION 5 to true, the overall procedure safely approximates the partial test x < y. However, when n n y 2 < x < y + 2 , the procedure is nondeterministic that it can be both true or false depending on the representations of the real numbers and the implementation of the parallel procedure which we abstract away. This nondeterministic computation is modelled by the multi-function whose value is ftrue; falseg at such inputs. As nondeterministic computation becomes essential, exact real number computation frameworks provide their users with various primitive constructs for nondeterminism. For example, iRRAM oﬀers an operator choose that receives multiple Kleenean expressions and returns the index (counting from 0) of some expression which evaluates to true. See that the above example can be expressed by n n choose(x l y + 2 ; y l x + 2 ) = 0. For a formalization of exact real number computation software to be useful, it must correctly deal with the diﬀerence between the classical and computational structures of real numbers. It includes that real number comparison becomes partial Boolean-valued or total Kleenean-valued, and provide expressive enough functionality for generating interesting nondeterministic computations. 1.2. Main Contributions and Overviews. In this paper, we deﬁne an imperative pro- gramming language Exact Real Computation (ERC) providing three data types K, Z, and R that ideally model the Kleene three-valued logic K = ftrue; false; unknowng, the set of integers Z, and the set of real numbers R, respectively. It is a simple imperative language with a strict hierarchy posed between its term language and command language where only the latter contains unbounded loops. Our language is carefully designed to ensure the computability (in the sense of computable analysis) of its domain-theoretic denotational semantics by adopting the Kleenean typed real number comparison l replacing the total comparison and oﬀering the nondeterminism construction choose(b ; b ; : : :). We deﬁne the 0 1 denotations of terms and commands to be functions to Plotkin powerdomains [Plo76] to model nondeterministic computations. The deﬁnition of computable partial (multi-)functions is reviewed in Section 2. Construction of limits, which is an essential feature that brings ERC’s expressive power beyond algebraic computations [Bra03], is available in a restricted way. Instead of introducing an explicit operator for computing limits, which then requires the language to support constructions of nontrivial inﬁnite sequences within its term language, we only let limits be computed at the level of “programs” another layer over commands representing (multi- )functions. More speciﬁcally, a real-valued program is provided with access to an integer variable p such that when the program computes (possibly multi-valued) 2 approximation(s) to a real number for any p, the single-valued real number, which is the limit of the program as p ! 1, becomes the function value that of the program denotes. (A similar approach can be found in [TZ99, Section 9] and [TZ04, Deﬁnition 4.5.1].) Hence, in ERC, commands compose either an integer program expressing a partial integer multi-function or a real program expressing a partial real function where limit operations are taken. (Later in Remark 5.5, we discuss more about this design choice by introducing a straightforward way to ease this restriction which is to let the users decide whether to take the program-level limit operation.) ERC is deﬁned relative to primitive operator extensions such that it can be extended easily to other languages that provide further primitive operators. More formally, for each ﬁnite sets F of computable partial real functions and G of computable partial (ﬁnite) integer 6 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER multi-functions, we deﬁne a programming language ERC(F;G). We simply write ERC if the underlying extension sets are obvious or irrelevant. Beyond modelling primitive operator extensions, the sets F and G provide a trick on reasoning user-deﬁned function calls (but without recursive calls) from some richer exact real computation software. Instead of equipping ERC with a feature of calling programs within programs, which then makes ERC’s strict distinction between its term language and command language vague, in order to keep our term language as simple as possible, when the users want to model a program calling another program, they can use ERC(F;G) with F or G extended with the denotations of the programs. We introduce a ﬁrst-order logic over the three types (sorts) expanded with the (multi- )functions in (F;G) as a speciﬁcation language which is used to specify the behaviours of ERC programs. We show that the ﬁrst-order logic can deﬁne the semantics of the term language. Moreover, by not allowing integer multiplications and any integer-to-real coercion other than the precision embedding { : Z 3 p ! 2 2 R in our term language, we show that the speciﬁcation language of our base language ERC = ERC(;;;), whose design is inﬂuenced by the structure suggested in [Dri86], is model-complete and decidable with regard to its canonical interpretation. Although this looks like a bit of restriction at a ﬁrst glance, since integer multiplication is expressible using a while loop in our command language, we claim that our programming language is still expressive enough by showing its Turing-completeness (in Theorem 5.3). However, the speciﬁcation language for ERC is not expressive enough to deﬁne the semantics of the command language due to the fundamental trade-oﬀ: Remark 1.1. Consider the following three desirable features: i) a programming language being Turing-complete over integers, and thus able to realize an algorithm whose termination is co-r.e. hard ii) a logic suﬃciently rich to express the termination of said algorithm iii) a sound and complete r.e. deductive system of said logic. Obviously, not all three are simultaneously feasible. For instance integer WHILE programs / Peano arithmetic satisfy (i) / (ii), but not (iii) [Coo78, §6]. Though we propose choosing (i) and (iii) over (ii) as the base design aiming for further developments of automatic reasoning of exact real number computations using the decidability property, since our language is deﬁned relative to primitive operator extensions, those who are not happy with this trade-oﬀ can take the other direction of the trade-oﬀ by adding, for example, the integer multiplication or the usual integer embedding Z 3 z 7! z 2 R in (F;G). The other parts of this work including computable denotational semantics and sound veriﬁcation rules remain valid. To summarize our main contributions: A choice of operations over real numbers and their computable semantics. A small imperative programming language with three basic data types R and Z and K that fully coincide with R and Z and K with respect to the said semantics. Examples demonstrating programming with these operations and semantics, such as: multi-valued integer rounding, determinant via Gaussian elimination with full pivoting (subject to full-rank promise), and root ﬁnding. Proof that this programming language is Turing-complete: those and only those real functions and integer multi-functions that can be realized in ERC are computable in the sense of computable analysis. EXACT REAL COMPUTATION 7 A many-sorted structure for the formal speciﬁcation of ERC whose ﬁrst-order theory is decidable and model-complete in the case of ERC . An extended Hoare logic to enable formal veriﬁcation of ERC programs’ behaviours including their terminations. 1.2.1. Overviews. In Section 2, we review the deﬁnition of computable partial (multi-)function in computable analysis and the deﬁnition of Plotkin powerdomain (over ﬂat domains). In this section, we specify several computable partial (multi-)functions that constitute our primitive operators. Section 3 deﬁnes the formal deﬁnition of our language syntax which is a simple imperative language. There, we also deﬁne typing rules. In Section 4, we deﬁne domain-theoretic denotational semantics using Plotkin powerdomain and prove that for any well-typed terms, well-formed commands, and well-typed programs, their denotations are computable partial multi-functions (or partial real functions in the case of real programs) in Theorem 4.9. Section 5 deﬁnes some programming abbreviations and introduces various example programs: square root using Heron’s methods, exponential function via Taylor expansion and iterative, integer rounding, matrix determinants via Gaussian elimination, and root ﬁnding. Later in the section, based on the integer rounding example, we prove the Turing-completeness of ERC saying that any computable partial real functions and integer multi-functions are realizable in ERC (in Theorem 5.3). We introduce in Section 6 a three-sorted structure and its ﬁrst-order logic for rigorously specifying nondeterministic programs in ERC. Theorem 6.2 shows that its ﬁrst-order theory is decidable and model-complete in the case of ERC . Section 6.3 extends classical Hoare logic from Z to (K and) R and prove its soundness in Theorem 6.13. Section 7 demonstrates our veriﬁcation method by proving the correctness of the aforementioned trisection program for root ﬁnding. We conclude this work with Section 8 suggesting future research, such as extending ERC from operating on real numbers in order to realize function to operating on functions in order to realize operators and other higher types. 2. Preliminaries ERC provides unbounded loops. To devise their sound mathematical semantics, we take a traditional domain-theoretic approach [Rey09, Chapter 2.4] and deﬁne the denotations of loops as the least ﬁxed points of some continuous operators. To model nondeterministic computations, we use the Plotkin powerdomain (which is reviewed later in this section) P(Y ) on ﬂat domains Y . An element of the domain p 2 P(Y ) ? ? ? is a subset of Y [f?g. Hence, a function f : X ! P(Y ), which is a multi-function, models a nondeterministic computation resulting values in Y where f (x) Y [f?g denotes the set of all possible return values of the computation at input x. When f (x) contains ?, it denotes the case where there is a nondeterministic branch that fails. In this sense, we say f is a partial multi-function properly deﬁned only at x where ? 62 f (x). In this section, we review the deﬁnitions of computable partial functions f : X ! Y and computable partial multi-functions f : X ! P(Y ). We specify some computable partial (multi-)functions that later constitute the set of primitive operators in ERC . Instead of deﬁning the computability of domain-theoretic functions by relating them with the ordinary computability deﬁnitions from computable analysis, we deﬁne the computability of functions to ﬂat domains and powerdomains directly such that we do not have to handle 8 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER many diﬀerent computability notions simultaneously. Remark 2.3 may help the readers who are already familiar with computable analysis to translate the settings back and forth. 2.1. Representations and Computable Partial Functions. For a set X, a representa- tion of it is a partial surjective function from the set of inﬁnite sequences of integers to X. (Recall that the domains of representations can be any Cantor or Baire space where type 2 computability theory can be built on; cf. [Wei00, Exercise 3.2.17].) When (') = x 2 X, we say ' 2 Z is a -name of x. We often omit the preﬁx if it is obvious from the X X context or if it is irrelevant which speciﬁc representation underlies. We work with the following representations of Z;R;K: (') = k , '(n) = k for all n 2 N. n n (') = x , jx '(n) 2 j 2 for all n 2 N. (00 011 ) = true, (00 0(1)(1) ) = false, and (00 00 ) = unknown. K K K Though we present speciﬁc representations of the sets Z;R;K, the theory of admissibility [Wei00, Chapter 3.2] ensures their universality with regard to the topologies: the discrete topology of Z, the standard topology of R, and the generalized Sierpinski topology of K: ;;ftrueg;ffalseg;ftrue; falseg;funknown; true; falseg : As we are yet only interested in computability, the underlying representations can be replaced with any other computably equivalent representations. When we have a function to a ﬂat domain f : X ! Y , we consider it as a partial function which is properly deﬁned at dom(f ) = fx 2 X j f (x) 6= ?g. When X and Y are represented by and , respectively, f is ( ; )-computable if there is a (function) oracle X Y X Y machine such that for any x 2 dom(f ), when it is equipped with a -name of x as the oracle, there is a -name of f (x) such that the machine, given n 2 N as its input, computes the n’th entry of the -name; see [KC96] for an example description of such oracle machines used in type-2 computability. (It also can be deﬁned equivalently via type-2 machines instead of oracle machines; cf. [Wei00, Chapter 2.1].) We drop the preﬁx ( ; )- if it is obvious or X Y irrelevant which speciﬁc representations underlie. We often call a function f : X ! Y partial to emphasize that ? may be a function value. Often we call f which does not admit ? as its function value total when we want to emphasize the fact. To make our notation more informative, let us write f : X ! Y in the case f : X ! Y is total. For a multivariate function f : X X ! Y , its computability is deﬁned by a 1 d ? machine with d oracles. Or, equivalently, it is deﬁned with regard to the product representation on its domain: (') = (x ; ; x ) if and only if (n 7! '(d n + j 1)) = x X X 1 d X j 1 d j for each j. Again, other computably equivalent representations of products can replace. The followings are examples of computable (partial) functions: Examples 2.1 (Primitive partial operations). (1) For any represented set X, its identity function id : X ! X is computable. (2) The constants true; false; unknown 2 K and k 2 Z are computable as constant functions from any represented set. ^ ^ (3) The logic operations for Kleene three-valued logic : ^ : K ! K, _;^ : K K ! K whose deﬁnitions are EXACT REAL COMPUTATION 9 ^ ^ ^ true false unknown _ true false unknown true true false unknown true true true true false false false false false true false unknown unknown unknown false unknown unknown true unknown unknown : ^ true false unknown false true unknown are computable. Note that unknown stands for indeterminacy. (4) The operators of Presburger arithmetic + : Z Z ! Z, : Z ! Z, and the K-valued order comparisons =;: Z Z ! K are computable. (5) The ﬁeld operators +; : R R ! R, : R ! R, and : R ! R where the multiplicative inversion is not deﬁned at 0, i.e., 0 = ?, are computable. (6) The precision embedding { : Z 3 p 7! 2 2 R is computable. (7) The K-valued real number comparison l : R R ! K from Equation 1.1 is computable. (8) A partial projection map proj : X Z ! X deﬁned by x if 0 n < d; proj((x ; ; x ); n) := 0 d1 ? otherwise; d d and a partial updating map update : X Z X ! (X ) deﬁned by (x ; ; x ; x; x ; ; x ) if 0 n < d; 0 n1 n+1 d1 update((x ; ; x ); n; x) := 0 d1 ? otherwise; are computable. (9) A total projection map proj : X X ! X deﬁned by proj (x ; ; x ) = x 1 d i 1 d i i i and a total updating map update : X X X ! X X deﬁned by 1 d i 1 d update ((x ; ; x ); y) = (x ; ; x ; y; x ; ; x ) updating the i’th entry x with 1 d 1 i1 i+1 d i y, are computable. 2.2. Computable (Inﬁnite) Multi-functions. Partial multi-functions, which are non- empty set-valued functions f : X ! P (Y ), model nondeterministic computations; for an input x, f (x) is the set of all possible nondeterministic values that the computation modelled by f can yield, including ? if there is a computation that fails. We say a function of type f : X ! P (Y ) a (partial) multi-function which is properly deﬁned at dom(f ) := fx j ? 62 f (x)g. We also often say a partial multi-function total when its function values never contain ?; i.e., dom(f ) = X. For a partial multi-function f : X ! P (Y ), when the underlying sets X; Y are represented by and respectively, we say that f is ( ; )-computable if there is an X Y X Y oracle machine such that when a -name of any x 2 dom(f ) is equipped as the oracle, there is some y 2 f (x) and its -name such that on the machine’s input n, it returns the n’th entry of the -name of y. (Again, type-2 machines can replace in the deﬁnition.) We omit the preﬁx ( ; )- if it is not necessary to explicitly specify the underlying representations. X Y Note that nondeterminism happens due to the fact that when a diﬀerent name of the same x is given, it is allowed to compute diﬀerent y 2 f (x). 10 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER 2.3. Computable (Finite) Multi-functions and Plotkin Powerdomain. However, us- ing the entire non-empty power-set P (Y ) causes the same problem that motivated [Plo76, Section 2] that it does not give us a nice order theoretic property in deﬁning denotational semantics. Reminding that ERC only provides ﬁnite nondeterminism, and that as long as only real numbers and integers are possible inputs there is no necessarily inﬁnite integer multi-function (see Fact 2.5), we safely restrict to Plotkin powerdomain [Plo76]. For any set X, the powerdomain on its ﬂat domain X is deﬁned by P(X ) := fp X [f?g j p 6= ;; and p is ﬁnite or contains ?g P (X ) ? ? endowed with Egli-Milner ordering: p v q , (8x 2 p9y 2 q: x y)^ (8y 2 q9x 2 p: x y) : Recall that x y if and only if x = ? or x = y for x; y 2 X . The constructed powerdo- main for any ﬂat domain X is known to be a !-cpo with the least element f?g [Rey09, Chapter 7.2]. For a function to a ﬂat-domain f : X ! Y , let us write f : X ! P(Y ) for the ? ? embedding f (x) := ff (x)g. For a multivariate partial multi-function f : X X ! 1 d P(Y ), its extension f : P((X ) ) P((X ) ) ! P(Y ) is deﬁned by ? 1 ? d ? ? ff (x ; ; x )g if 8i: x 6= ?; 1 d i f (p ; ; p ) = f?g otherwise. x 2p ; ;x 2p 1 1 d d And, the extension by one argument f : X P((X ) ) X ! P(Y ) is deﬁned 1 i ? d ? ff (x ; ; x ; x )g if x 6= ?; 1 i d i f (x ; ; p; ; x ) := 1 d f?g otherwise. x 2p Though the embedding and extensions are more naturally understood in the setting of category theory [BVS93, AJ95], we deﬁne them separately in this independent context. The composition of two partial multi-functions f : X ! P(Y ) and g : Y ! P(Z ) ? ? is expressed by g f : X ! P(Y ). Recall that this composition is continuous in both arguments [Plo76, Section 6]. In other words, given f; f : X ! P(Y ) and g; g : Y ! P(Z ) i ? i ? where f and g are increasing chains with regard to the point-wise orderings, it holds that i i G G G G y y y (g f ) = g f and (g f ) = g f: i i i i2N i2N i2N i2N Also, the partial composition is continuous: Consider a multivariate multi-function f : X X ! P(Y ), a list of functions g : X ! X for j 6= i, and a chain of multi- 1 j j d ? functions g : X ! P((X ) ) in k. Then, i;k ? G G y y i i f hg ; ; g ; g i = f hg ; ; g ; g i : 1 i;k d 1 i;k d k2N k2N Here, for a ﬁnite collection of functions f ; ; f sharing their domains, hf ; ; f i denotes 1 1 d d x 7! (f (x); ; f (x)). 1 d For each set X, deﬁne Cond : K P(X ) P(X ) ! P(X ) by ? ? ? p if b = true; Cond(b; p; q) := q if b = false; f?g otherwise; EXACT REAL COMPUTATION 11 a conditional combinator of K. For any b : X ! P(K ) and S : X ! P(X ), due to the ? ? continuity of compositions, the following operator can be seen continuous: y y z W(b; S)(f : X ! P(X )) = Cond hb; f S; id i : The continuity ensures the existence of the least ﬁxed point lfp W(b; S) : X ! P(X ) which is used to deﬁne the denotations of loops later in Section 4. The followings are examples of computable (ﬁnite) multi-functions: Examples 2.2 (Primitive multi-valued operations). (1) When f : X ! Y is a computable partial/total function, its embedding f : X ! P(Y ) ? ? is a computable partial/total multi-function. (2) When f : X ! P(Y ) and g : Y ! P(Z ) are computable partial multi-functions, their ? ? composition g f : X ! P(Z ) is a computable partial multi-function. (3) When f : X ! P((Y ) ) and g : Y Y ! Z are computable multi-functions, their i i ? 1 d composition g hf ; ; f i : X ! P(Z ) is a computable multi-function. 1 d ? (4) For each n 2 N, the nondeterministic selection function choose : K ! P(Z ) deﬁned n ? by fi j b = trueg if there is i s.t. b = true; i i choose (b ; ; b ) = n 0 n1 f?g otherwise, is a computable partial multi-function. (5) For any computable f : X ! P(K ) and g; h : X ! P(Y ), the composite multi-function ? ? Cond hf; g; hi : X ! P(Y ) is computable. (6) Deﬁne Kond : K P(R ) P(R ) ! P(R ), a continuous extension of Cond by ? ? ? >p if b = true; q if b = false; Kond(b; p; q) = fxg if b = unknown ^ p = q = fxg; f?g otherwise; with regard to the topology of K; cmp. [Wei00, Theorem 2.3.8] and “parallel if” from PCF [Plo77]. For any computable f : X ! P(K ) and g; h : X ! P(R ), the composition ? ? Kond hf; g; hi : X ! P(R ) is a computable partial multi-function. The formulations of computable partial (multi-)functions in this paper diﬀer from how they are traditionally dealt with. The following remark states how they are related. Remark 2.3. In the traditional setting of computable analysis: (1) The computability of a partial function presented by f : X ! Y is equivalent to the computability of f : X ! Y deﬁned by x 7! f (x) if x 2 dom(f ) and ? if x 62 dom(f ). ? ? Similarly, the computability of f : X ! Y is equivalent to the computability of f : X ! Y . Here, is a notation for the domain restriction and recall that dom(f ) dom(f ) = fx j f (x) 6= ?g. (2) The computability of a partial multi-function presented by f : X Y , which is a partial non-empty set-valued function, is equivalent to the computability of f : X ! P (Y ). f?g Similarly, the computability of f : X ! P (Y ) is equivalent to the computability of f : X Y . Recall that dom(f ) = fx j ? 62 f (x)g. dom(f ) 12 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER Observe from the deﬁnitions that a machine computing a partial (multi-)function can be seen to compute some other partial (multi-)functions as (1) for a partial (multi-)function, the out-of-domain behaviour of its realizer is not speciﬁed and (2) for a partial multi-function, its realizer only has to compute some of the possible function values. Speciﬁcally: Fact 2.4. If a partial function f : X ! Y is computable, any domain restriction of it is computable; g : X ! Y such that 8x: g(x) f (x) is computable by the same machine computing f. And, if a multi-function f : X ! P (Y ) is computable, any domain restriction of it and function value enlargement, i.e. g : X ! P (Y ) such that 8x: g(x) v f (x) or f (x) g(x) is computable by the same machine computing f. For any real number or integer, the set of its names is compact with regard to the standard Baire space topology on Z . Hence, for any realizer, an oracle machine, computing an integer partial multi-function f : X X ! P(Z ) where X = Z or R, for ﬁxed 1 d ? i inputs (x ; ; x ), when we range over their names, the set of machine outputs is also 1 d compact as machines’ semantics is continuous. That means even when f (x ; ; x ) is 1 d inﬁnite, there are only ﬁnitely many diﬀerent integers that the machine actually computes; see [Bra95, Theorem 4.2]. Fact 2.5. Any computable multi-function f : X X ! P (Z ) where X = Z or 1 i d ? R, admits ﬁnite reﬁnement in the sense that there is a computable (ﬁnite) multi-function g : X X ! P(Z ) such that 8(x ; ; x ): g(x ; ; x ) f (x ; ; x ) holds. 1 1 1 1 d ? d d d In addition to the above justiﬁcation of our use of Plotkin powerdomain, the following is a note on the continuity issue for nondeterminism: Remark 2.6. Note that choose : K ! P(Z ) is not (domain-theoretic) continuous n ? when K is ordered by b b iﬀ b = b or b = unknown. It is observed in [MRE07] 1 2 1 2 1 and there it is suggested Hoare powerdomain be used instead. However, our approach distinguishes (domain-theoretic) continuity and computability of primitives: we do not use (domain-theoretic) continuity as a criterion for computability. As long as we have a fact that choose : K ! P(Z ) is computable, there is no need to make it (domain-theoretic) n ? continuous by giving an order on K. This way we still use Plotkin powerdomain in deﬁning our semantics such that we do not need to have separate operational semantics to express termination as in [MRE07]. 3. Formal Syntax and Typing Rules of Exact Real Computation In this section, we provide the formal syntax and typing rules of ERC(F;G) for any F and G according to the above convention: Convention 3.1. For the sequel ﬁx a (possibly empty) ﬁnite set F of computable functions to R from products of Z, R, and R for any n 1, as well as a (possibly empty) ﬁnite set F of computable multi-functions to P(Z) from products of Z, R, and R for any n 1. 3.1. Syntax. ERC is an imperative programming language comprising of the following axiomatized constituents: data types (Section 3.1.1), terms (Section 3.1.2), commands (Section 3.1.3), and programs (Section 3.1.4). EXACT REAL COMPUTATION 13 3.1.1. Data Types. The data types that ERC provides are as follow: :: = K j Z j R j R[n] for each n = 1; 2; See that ERC provides countably many data types: for each natural number n 1, there is a data type R[n], which represents the set of arrays of real numbers of ﬁxed length n. Note n here is a meta-level expression which is not a ERC “term” from Section 3.1.2. 3.1.2. Terms. Although the type of a term is not determined syntactically, we here follow the following conventions for convenience: Write z; z to denote terms which should be typed Z, x; y; x ; y to denote terms which should be typed R, and b; b to denote terms which should i i i be typed K. Arbitrary terms are denoted by t; t . For some ﬁxed countable set of variables V, the term language of ERC is deﬁned as follows. :: t; t ; z; z ; x; y; b; b = i i i k k 2 Z; Z literal j true j false j unknown K literal j [t ; ; t ] array literal 1 n j v v 2 V ; variable j t[z] array access j t + t j t addition and additive inversion 1 2 j z z j z = z integer comparison and equality test 1 2 1 2 j x y j x real multiplication and multiplicative inversion j x l y real comparison j (z) precision embedding ^ ^ j : ^ b j b ^ b j b _ b Kleene logic 1 2 1 2 j f (t ; ; t ) (f : X X ! R ) 2 F ; primitive function call 1 d 1 d ? j g(t ; ; t ) (g : X X ! P(Z )) 2 G; primitive multi-function call 1 d 1 d ? j choose (b ; b ; ; b ) n 2 N; multi-valued choice n 0 1 n1 j b ? x : y continuous conditional Note that we do not provide integer multiplication and any other coercion than unless they are provided through F;G. Though for each natural number n, choose is a distinct term construct, since the n is determined syntactically by the number of the arguments, we may omit it and instead simply refer to choose(). We introduce z = z as a term construct 1 2 instead of as an abbreviation for z z ^ z z ; see Remark 4.3(7). 1 2 2 1 3.1.3. Commands. ERC provides strict distinction between its term language and command language where loops belong only to the command language. Commands in ERC are inductively constructed as follow. :: S; S = skip skip j v := t variable assignment j v[z] := t array assignment 14 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER j let v : = t variable declaration j S ; S sequential composition 1 2 j if b then S else S end branching 1 2 j while b do S end loop Although we use the identiﬁer let, it is not the usual ‘let-in binding’ for creating a local variable. 3.1.4. Programs. Having data types, terms, and commands deﬁned, we can ﬁnally deﬁne what a program in ERC is. A program in ERC is in one of the following forms: input v : ; v : ; ; v : input v : ; v : ; ; v : 1 1 2 2 n n 1 1 2 2 n n S S return t return t as p ! 1 Here, v and p are variables varying over V and varies over fZ; R; R[1]; R[2];g. The i i variable p that is separated from the other input variables is the precision parameter which should not be misunderstood as an input variable. The intended behaviour of a program in the right kind is, taking v ; ; v as inputs, to compute the limit of the command S and 1 n the return term t as p goes to 1. This is formally deﬁned later in Section 4. 3.2. Typing Rules. Here we deﬁne well-typedness of terms (Section 3.2.1), well-formedness of commands (Section 3.2.2), and well-typedness of programs (Section 3.2.3) under a context. A context is a mapping from a ﬁnite set of variables to their corresponding types represented by a list of assignments := v : ; v : ; ; v : denoting the context 1 1 2 2 n n mapping variable v to its data type for i = 1; : : : ; n. i i 3.2.1. Well-Typed Terms. Well-typedness of a term t in ERC to under a context is written as ` t : . Figure 1 shows ERC’s type inference rules. Note that + and are used both in integer operations and real number operations. 3.2.2. Well-formed Commands. Unlike terms, a command in ERC may modify contexts. Let us denote a command S under a context being well-formed and yielding a new context as ` S . : The Well-formedness of commands is deﬁned by the inference rules in Figure 2. See that the only construct that modiﬁes a context is let v : = t (variable declaration). When it is executed under a context , the command is well-formed if v is not already included in and the type of the initializing term t is of the declared type . After the execution, we get the new context ; v : . Note also that even if a context changes inside of a branch or a loop, it gets restored once the block is ﬁnished. In other words, the variables created inside of a branch or a loop only survive locally (as common for example in C++). EXACT REAL COMPUTATION 15 Figure 1: Typing rules for terms ` k : Z ` true : K ` false : K ` unknown : K ` t : R (for i = 1; ; n) ` z : Z ` t : R[n] ` [t ; ; t ] : R[n] ; v : ; ` v : ` t[z] : R 1 n 1 2 0 0 ` t : ` t : 1 2 ` t : 0 0 ( ; ; ) 2 BinTy (?; ; ) 2 UnTy ` t t : ` ? t : 1 2 (f : X X ! R ) 2 F ` t : hX i (for i = 1; ; d) 1 d ? i i ` f (t ; ; t ) : R 1 d (g : X X ! P(Z )) 2 G ` t : hX i (for i = 1; ; d) 1 d ? i i ` x : R ` g(t ; ; t ) : Z ` x : R 1 d ` b : K (for i = 0; 1; ; n 1) ` b : K ` x : R ` y : R ` choose (b ; b ; ; b ) : Z ` (b ? x : y) : R n 0 1 n1 ^ ^ BinTy := f(+; R; R); (+; Z; Z); (; K; Z); (=; K; Z); (l; K; R); (; R; R); (^; K; K); (_; K; K)g UnTy = f(; R; R); (; Z; Z); ({; R; Z); (: ^; K; K)g hZi := Z hRi := R hR i := R[n] (for n = 1; 2; ) Figure 2: Typing rules for commands ` t : (v) = ` z : Z ` t : R (T ) = R[n] : : ` skip . ` v = t . ` T [z] = t . v 62 dom() ` t : ` S . ` S . 1 1 1 2 2 ` let v : = t . ; v : ` S ; S . 1 2 2 ` b : K ` S . ` S . 1 1 2 2 ` b : K ` S . ` if b then S else S end . ` while b do S end . 1 2 3.2.3. Well-Typed Programs. Consider the two diﬀerent kinds of ERC programs: : : P = input v : ; v : ; ; v : P = input v : ; v : ; ; v : Z 1 1 2 2 d d R 1 1 2 2 d d S S return t return t as p ! 1 The ﬁrst program P has type ! Z if there is a context such that Z 1 d 0 0 v : ; v : ; ; v : ` S . and ` t : Z : 1 1 2 2 d d 16 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER Similarly, P has type ! R if there is a context such that R 1 d 0 0 p : Z; v : ; ; v : ` S . and ` t : R : 1 1 d d Note once again here that p : Z is not regarded as an input variable. Recall also that varies over fZ; R; R[1]; R[2];g and cannot be K. We call an ERC program an integer program if it is of the ﬁrst kind (P ) and a real program if it is of the second kind (P ). 4. Denotational Semantics of Exact Real Computation We deﬁne a multi-valued semantics for well–typed terms (Section 4.1), well-formed commands (Section 4.2), and well-typed programs (Section 4.3). In this semantics, the objects of ERC are assigned mathematical meanings that are arguably (i) closest possible to the intuition of real numbers as entities to be operated on exactly while simultaneously featuring (ii) Turing-completeness. We start with denotations for data types and the deﬁnition of states. Deﬁnition 4.1. (1) Data types are interpreted as intended: JKK = K; JZK = Z; JRK = R; JR[n]K = R : Recall that n above is a natural number greater than 0 which is not to be confused with an integer typed term in ERC. (2) Contexts are interpreted as sets of assignments. Formally, given a context = v : ; : : : ; v : , then 1 n JK = J K J K : 1 d (3) Given a context , an element 2 JK is called state. That is, states are speciﬁc assignments of variables contained in the domain of a context. 4.1. Denotations of Terms. A (well-typed) term’s meaning under a state is, considering the nondeterminism in ERC, the set of all possible values that the term can evaluate to. For example, a well-typed term ` t : R can evaluate to multiple values under a state : Its denotation contains a subset of R. Moreover, if 0 is among these values, then the compound term t could be undeﬁned—in addition to its deﬁned values derived from non-zero values of t. This is reﬂected by including ? in the denotation, which is thus an element of P(JRK ): Deﬁnition 4.2. Recall the (multi-)functions speciﬁed in Example 2.1 and 2.2. Given a well-typed term t such that ` t : , we deﬁne its denotation as a partial multi-function J ` t : K : JK ! P(JK ) inductively as follows: J ` k : ZK = 7! fkg J ` true : KK := 7! ftrueg J ` false : KK := 7! ffalseg J ` unknown : KK := 7! funknowng J ` [t ; ; t ] : R[n]K := id hJ ` t : RK ; ;J ` t : RKi 1 n 1 n EXACT REAL COMPUTATION 17 Jv : ; ; v : ; ; v : ` v : K := proj 1 1 i i d d i i J ` t[z] : RK := proj hJ ` t : R[n]K ;J ` z : ZKi q y q y z 0 0 J ` t t : K := h ` t : ; ` t : i 1 2 1 2 for ( ; ; ) 2 BinTy q y z 0 J ` ? t : K := ? ` t : for (?; ; ) 2 UnTy q y 1 (1) ` x : R := J ` x : RK J ` f (t ; : : : ; t ) : RK := f hJ ` t : hX iK ; ;J ` t : hX iKi 1 d 1 1 d d where (f : X X ! R ) 2 F 1 d ? J ` g(t ; : : : ; t ) : ZK = g hJ ` t : hX iK ; ;J ` t : hX iKi 1 d 1 1 d d where (g : X X ! P(Z )) 2 G 1 d ? J ` choose (b ; ; b ) : ZK := choose hJ ` b : KK ; ;J ` b : KKi n 0 n1 0 n1 J ` (b ? x : y) : RK = Kond hJ ` b : KK ;J ` x : RK ;J ` y : RKi We often simply write JtK and JtK instead of J ` t : K and J ` t : K , respectively, omitting and when they are obvious or irrelevant. We also synonymously say t evaluates to x under , or t has/contains the element x 2 JtK . We add some explanation: Remark 4.3. (1) Note that choose() and functions from G constitute atomic constructs that yield multi- valuedness, all other atomic constructs do not generate any multi-valuedness. (2) Although the denotations of terms are multi-valued, every variable only stores one speciﬁc value: in an assignment possibly selected non-deterministically, see Section 4.2. (3) The denotations of arithmetical operations are deﬁned naturally by lifting the intended mathematical functions with regard to the powerdomain. (Recall Section 2.) (4) Well-typedness in ERC does not prevent ?: The sources of the ill-deﬁnition ? are (i) an array accessed by a wrong index (proj), (ii) the multiplicative inverse of 0 (0 ), (iii) function calls to partial (multi-)functions at out of their domains, (iv) a choice operation without any choosable argument (choose), and (v) a continuous conditional when the two arguments x; y do not match in Kond(unknown; x; y). (5) The denotation of [t ; ; t ] contains? if at least one of the denotations of the arguments 1 n contains ?. This is what the postcomposed id does. (6) The denotation of comparison “x l y” between real terms x; y formalizes the return value true if the value of x is smaller than the value y, return value false if the value of x is bigger than the value y, and ‘return’ value unknown when their values are equal: indicating constructive indeﬁniteness. Independently, the comparison is ill-deﬁned (?) if any of its sub-terms is. 18 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER (7) Due to multi-valuedness, the denotation of integer equality “z = z ” is subtly diﬀerent 1 2 from that of “z z ^ z z ”: Consider a state where Jz K = f0; 2g and Jz K = 1 2 2 1 1 2 q y f1; 3g. Then, z z ^ z z = ftrue; falseg whereas Jz = z K = ffalseg. 1 2 2 1 1 2 (8) Though P(X ) allows inﬁnite sets (as long as they contain ?), the case does not occur in the denotational semantics of our term language. The denotation of any well-typed term at any state is ﬁnite unless the case is provided by functions in G. However, we still use the powerdomain for our term language to use the same setting with the denotational semantics of our command language where indeed ?-containing inﬁnite sets arise. See that our denotational semantics uses only the constructions that are already speciﬁed to be yielding computable partial multi-functions from Section 2: Lemma 4.4. The denotation of any well-typed term is computable. In other words, for any well-typed term ` t : , the function J ` t : K : JK ! P(JK ) is a computable partial multi-function. Proof. It is direct from the computability of the primitive operations and of the compositions stated in Example 2.1 and Example 2.2. 4.2. Denotations of Commands. As the denotation of a well-typed term under a state was the set of all possible values that the term may evaluate to, considering multi-valuedness in ERC, the denotation of a well-formed command under a state is the set of all possible resulting states that the command may result in. Hence, we let a well-typed command denote a function from the set of states to the restricted power-set of the resulting states: Deﬁnition 4.5. Recall the (multi-)functions speciﬁed in Example 2.1 and 2.2. Given a well-formed command S such that ` S . , we deﬁne its denotation to be a partial 0 0 multi-function J ` S . K : JK ! P(J K ) inductively as follows: J ` skip . K := id J ` v := t . K := update hid ;JtKi where = v : ; ; v : ; ; v : 1 1 i i d d z z z z J ` v [z] := t . K := update hid ; update hproj ;JzK ;JtKii i i where = v : ; ; v : ; ; v : 1 1 i i d d q y 0 z z ` let v : = t . = id hid ;JtKi q y q y 0 0 ` S ; S . = ` S . J ` S . K 1 2 2 1 q y q y y y z z y 0 00 J ` if b then S else S end . K = Cond hJbK ; ` S . ; ` S . i 1 2 1 2 q y J ` while b do S end . K = lfp W(JbK ; ` S . ) Here, : J; K ! JK for any contexts ; when = x : ; ; x : is deﬁned by 1 1 d d (x ; ; x ; y ; ; y ) 7! (x ; ; x ): 1 d 1 m 1 d 0 0 Again, we simply write JSK and JSK instead of J ` S . K and J ` S . K , respec- tively, omitting and when they are obvious or irrelevant. EXACT REAL COMPUTATION 19 Remark 4.6. (1) Regarding assignment “v := t”: Note that instead of having a single state where v stores i i multiple values, it generates multiple states where each v stores diﬀerent single values. For each value in JtK for some state , the command creates where its value at u updated with the value unless it is ?. (2) Regarding assignment “v[z] := t”: It generates ? when the index z is not acceptable. For each value in the denotation of z at a state , if it is either negative or larger than the dimension of v, it creates ?. (3) “if b then S else S end”: It naturally extends the conditional statement. Though new 1 2 variables can be created in S and S , they get removed by the restriction operator at 1 2 the end. (4) “while b do S end”: By the least ﬁxed point theorem, the least ﬁxed point is the limit of the chain: (0) (n+1) (n) y z W := 7! f?g and W := Cond hJbK ;W ( JSK); id i: b;S b;S b;S The sequence, intuitively, represents the process of unrolling the loop. For any two states ; 2 JK, is in J ` while b do S end . K if and only if there (n) is a natural number n where 2 W . Hence, instead of working with the subtle b;S (n) ﬁxed point for the denotation of a while loop, one can do reasoning on W when an b;S appropriate n is found. Though new variables can be created in S, at the end of each iteration, they get removed by the restriction operator . Following up on Lemma 4.4, we establish the computability result for our command language: Lemma 4.7. The denotation of any well-formed command is a computable partial multi- function. In other words, for any well-formed command ` S., its denotation J ` S . K : JK ! P(JK ) is computable. Proof. The restriction operations are computable. Due to the computability of the primitives and the compositions, we only need to show that for any computable b : X ! P(K ) and S : X ! P(X ), the least ﬁxed point lfp(W(b; S)) is computable. Due to Fact 2.4, we only need to consider an arbitrary where ? 62 lfp(W(b; S))(). (n) Note that from Remark 4.6(4) this happens only when there is n 2 N such that ? 62 W (). b;S Consider the following intuitive description of a type-2 machine that computes on its input ' , a name of , with accesses to the other machines computing b and computing b S S: (1) Repeat: (2) ' := () b b (3) Iterate n := 0; 1; 2; until ' (n) = 1 or 1 (4) If ' (n) = 1: (5) ' := () (6) If ' (n) = 1: (7) return ' 20 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER The machine may diverge when at line (2) when (' ) diverges, at line (3) when ' does b b not contain either 1 or 1, and at line (5) when (' ) diverges. The claim is that this machine realizes lfp(W(b; S)). Consider another machine for each i as the machine with the following line added at the beginning of each iteration: “if i = 0, diverge. i := i 1”. Note that simulates the ﬁrst i iterations of the loop of then diverges unless the simulation returns within the i (i) iterations. We can easily see that by induction on i, computes W for each i. Note also b;S that when (' ) does not fail, it prints the same stream that (' ) prints. (n) Hence, for an initial and its name ' such that lfp(W(b; S))() = W () 63 ?, b;S (n) (' ) prints a name of y 2 W () which is what (' ) prints. b;S 4.3. Denotations of Programs. Having deﬁned the meanings of terms and commands, we are now ready to deﬁne denotations of well-typed ERC programs. Deﬁnition 4.8. The denotation of the well-typed integer program P = input v : ; v : ; ; v : Z 1 1 2 2 d d return t is a partial integer multi-function JP K : J K J K ! P(Z ) Z 1 d ? deﬁned by JP K = JtK JSK. And, the denotation of the well-typed real program P = input v : ; v : ; ; v : R 1 1 2 2 d d return t as p ! 1 is a partial real function JP K : J K J K ! R that is deﬁned by R 1 d ? x if 8p 2 Z: 8y 2 JtK JSK (p; x ; ; x ): y 6= ?^jy xj 2 ; 1 d JP K (x ; ; x ) := R 1 d ? otherwise. In words, a real program P denotes a single-valued function f whose function value f (x ; ; x ) is the limit of the multi-valued sequence JtK JSK (p; x ; ; x ) as p ! 1 1 d 1 d in the sense that for each i 2 N, whichever y is picked from JtK JSK (i; x ; ; x ) i 1 d nondeterministically, y is a 2 approximation to f (x ; ; x ) and not ?. The obligated i 1 d rate of convergence 2 is chosen to make it coincide with the precision embedding { : Z 3 p 7! 2 2 R. Theorem 4.9. For any well-typed ERC program, its denotation is either a computable partial real function or a computable partial integer multi-function. Proof. The computability of terms, commands, and compositions directly yields the com- putability of the denotations of integer programs. For P , note that JtK JSK : ZJ KJ K ! P(R ) is a computable multi-function. R 1 d ? We provide an informal description of a machine computing JP K as follows. Suppose it R EXACT REAL COMPUTATION 21 receives names ' ; ; ' of x ; ; x . For each i’th entry of its output tape, we let the 1 d 1 d machine to simulate a machine computing JtK JSK on the name of ((i + 2); x ; ; x ) 1 d constructed by the name of (i + 2) 2 Z and ' ; ; ' . The simulation either returns an d d inﬁnite sequence or does not terminate. When the simulation succeeds resulting in an inﬁnite sequence ', we let our machine print the closest integer of '(i + 2)=4 at the i’th output entry. Of course, it does wait forever if the simulation runs forever. (Note that getting the closet integer here only requires discrete rational arithmetic which is diﬀerent from rounding real numbers discussed in Section 5.2.4.) We only need to check that for any (x ; ; x ) and x 2 R s.t. 1 d 8p 2 Z: 8y 2 JtK JSK (p; x ; ; x ): y 6= ?^jy xj 2 1 d i i holds, the i’th entry what the above machine prints is z 2 Z s.t. jx z 2 j 2 holds. For the i’th entry, it simulates JtK JSK ((i + 2); x ; ; x ). By the assumption that ? is 1 d not in it, the simulation must succeed and return an inﬁnite sequence ' which is a name (i+2) of some y 2 JtK JSK ((i + 2); x ; ; x ) s.t. jy xj 2 holds. Recall that since z is obtained by rounding '(i + 2)=4, it holds that jz '(i + 2)j 2 . And, since ' is a (i+2) (i+2) i name of y, it holds that jy '(i + 2) 2 j 2 . Therefore, we have jx z 2 j (i+2) i 2 (i+2) (i+2) (i+1) i jx yj +jy '(i + 2) 2 j + 2 j'(i + 2) 2 zj 2 + 2 + 2 2 . Recall from Fact 2.4 that in computable analysis, a machine computing a (multi-)function can be seen to compute some other (multi-)functions at the same time. Therefore, reﬂecting this property, we add one more layer on the denotations of programs: Deﬁnition 4.10. (1) A well-typed real program P realizes a partial function f : X X ! R if 1 d ? 8(x ; ; x ): f (x ; ; x ) JPK (x ; ; x ) holds. Recall that x y if and only if 1 d 1 d 1 d x = ? or x = y for x; y 2 R . (2) A well-typed integer program P realizes a partial (possibly inﬁnite) multi-function f : X X ! P (Z ) if 8(x ; ; x ): f (x ; ; x ) v JPK (x ; ; x ) or 1 d ? 1 d 1 d 1 d JPK (x ; ; x ) f (x ; ; x ) holds. 1 d 1 d Note that though the denotations of integer programs are ﬁnite multi-functions, it is deﬁned such that they can realize inﬁnite multi-functions. Directly from Fact 2.5, we get the computability of realizable partial (multi-)functions: Corollary 4.11. Realizable partial (multi-)functions are computable. 5. Programming in Exact Real Computation Based on programming abbreviations deﬁned in Section 5.1, in Section 5.2 we collect several examples of (multi-)functions that are realizable in ERC. They illustrate the purpose of ERC which is to allow and justify naïvely implementing numerical algorithms, with computable analysis as the rigorous but hidden theoretical foundation. They demonstrate how (naturally) the classical algorithms can be modiﬁed to incorporate the Kleenean-valued comparisons and the nondeterministic choose. The examples are square root using Heron’s method, exponential function via two diﬀerent ways, integer rounding, matrix determinants via Gauss elimination, and root ﬁnding. 22 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER Heron’s method, as an intuitive and eﬃcient way to compute square roots of real numbers, is often expressed in other frameworks [Mül01, FB18, KST20a]. Through the example, the readers can easily compare ERC with the others; similarly, for Gauss elimination [TZ04, Section 2.2]. The example of realizing the exponential function shows that the base language ERC can realize transcendental functions; this leads to a more detailed discussion of our speciﬁcation language later in Section 6. Integer rounding, on the other hand, shows that ERC can nondeterministically extract names of real numbers. This later forms a core routine in the proof of Turing-completeness in Section 5.3. Root ﬁnding, a computational version of intermediate value theorem is often picked as an example in computable or constructive analysis. The example demonstrate a trick of using the extension sets F and G to model function calls to arbitrary external functions. This example is chosen to be formally veriﬁed later in Section 7. The examples have been implemented using a shallow embedding of ERC into Haskell: https://github.com/michalkonecny/aern2/blob/master/aern2-erc/src/ERC/Examples. hs . 5.1. Programming Abbreviations. Throughout this paper, the following abbreviations are used for example programs: Deﬁnition 5.1. (1) For any two term t and t , we write t t as an abbreviation for t + t , t =t as an 1 2 1 2 1 2 1 2 abbreviation for t t , t t as an abbreviation for t t , t mt as an abbreviation 1 1 2 2 1 1 2 for t l t . t > t as an abbreviation of :(t t ), and t < t as an abbreviation of 2 1 1 2 2 1 1 2 t > t . For any term t, we write 2 as an abbreviation for {(t). 2 1 (2) For an integer typed term j and a constant integer d 2 Z, d j and j d both mean j + j + + j in case d 0, (j) (d) otherwise. (3) For an integer k 2 Z, when it is used as a real typed term, it is an abbreviation for 0 0 0 2 + + 2 , the k-times repeated addition of 2 , when k > 0, (k) when k < 0, and 0 0 2 2 when k = 0. (4) For any real typed terms x; y; z, max(x; y) is an abbreviation for y l x ? x : y and abs(z) is an abbreviation for 0 l z ? z : z. (5) For any integer terms k; l and a command S, for n : Z = k to l do S end is short for let n : Z = k; let m : Z = l; while (n m) do S; n := n + 1 end with n; m not modiﬁed in S. (6) For a real typed term x and an integer typed term j, x is short for the result y of the following command: let y : R = 1; let x : R = x; let z : Z = j; for n : Z = 1 to z do y := y x end; for n : Z = 1 to z do y := y=x end (7) For a Kleenean typed term b and a command S, if b then S end is an abbreviation for if b then S else skip end Recall that skip is an instruction for doing nothing. EXACT REAL COMPUTATION 23 (8) Arrays in ERC are one-dimensional of constant size with indices starting at 0. We implicitly simulate and identify a two-dimensional array A[] = (A[i; j]) , having ﬁrst i;j dimension of size d > i 0, with the one-dimensional array A[i + j d]; similarly for higher dimensions. (9) Recall that the programming language ERC(F;G) is deﬁned relative to the sets of functions F and G. When we want to extend the set F with the denotation of a real program P (in ERC(F;G)), we write ERC(F[fPg;G) for ERC(F[fJPKg;G). Similarly, when we have an integer program P in ERC(F;G), we denote the extension with its denotation by ERC(F;G [fPg). These notations are well-deﬁned due to the fact that the denotation of a real program is a computable partial real function from a product of either Z or R and the denotation of an integer program is a computable integer multi-function from a product of either Z or R. Recall Convention 3.1 and Theorem 4.9. When the sets are extended by the denotation of a program P , let us write P (t ; ; t ) 1 d for JPK (t ; ; t ) in the extended term language. 1 d 5.2. Example Programs. In this subsection, we introduce some ERC programs. We annotate assertions next to commands in order to convey the behaviours, including the domains (preconditions), of the introduced programs. (we do not impose any obligation to programs on their behaviours when the preconditions are not met.) However, note that the annotations are not part of ERC. 5.2.1. Square Root Function via Heron’s Method. Heron’s method approximates the square root of a given real number x 0 up to any desired absolute error 2 , p 2 Z. To this end calculate a contracting sequence of upper and lower approximations y x x=y =: z n n n by iteratively taking the average y = (y + z )=2. n+1 n n The ERC program HeronSqrt illustrated in Figure 3 realizes the square root function via Heron’s method. Recall that the arguments to choose are indexed from 0, so choose(b ; b ) = 1 0 1 means that the second argument b must evaluate to true. Figure 3: HeronSqrt : R ! R input x : R // x 0 let y : R = 1; let z : R = x=y; // y x z p p1 while choose 2 m y z ; y z m 2 = 1 do : : y = (y + z)=2; z = x=y // y x z end return y as p ! 1 // jy xj < 2 The ERC program employs the multi-valued choose() operation applied to two Kleenean- p p1 valued tests “ 2 m y z” and “y z m 2 ”. Note that at least one of both inequalities p p1 “ 2 m y z” and “y z m 2 ” is always true (and in particular not unknown), resulting in a total condition for the while loop. And when the loop terminates, the ﬁrst test (corresponding to return value 0) must (while the second test, corresponding to return value 24 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER 1, may or may not) be true: guaranteed to return an approximation y to x up to absolute error 2 . 5.2.2. Exponential Function via Taylor Expansion. The exponential function has a globally converging Taylor expansion exp(x) = x =j! (5.1) j=0 A ERC real program computing it must return, given a dedicated precision parameter p 2 Z and argument x 2 R, an approximation to exp(x) up to error 2 . For jxj 1 and positive n 2 N, the tail bound X X X j j j+1 n+1 x =j! jxj =j! 2 = 2 (5.2) j>n j>n j>n justiﬁes the straightforward algorithm as in Figure 4. Figure 4: pExp : R ! R input x : R // 1 x 1 let j : Z = 1; let j : R = 1 let f : R = 1; // j j ; f j! r r let y : R = 1; let z : R = x; // z x while j p + 1 do y = y + z=f; j = j + 1; j = j + 1; r r z = z x; f := f j end return y as p ! 1 // jy exp(x)j 2 Observe that the two variables j : Z and j : R in Figure 5 retain identical values but have carefully distinguished types. The following wrapper posExp for pExp in Figure 5, which is a program in ERC(fpExpg;;) (Recall Deﬁnition 5.1 (9)), removes the restriction jxj 1 and instead works for all x 1. Figure 5: posExp : R ! R input x : R // 1 x let z : R = pExp(1=2); let y : R = 1; while choose(x l 1; x m 1=2) = 1 do y := y z; x := x 1=2 end return y pExp(x) as p ! 1 EXACT REAL COMPUTATION 25 Like Heron’s method, the loop employs “choose()” with overlapping conditions x < 1 and x > 1=2 in order to guarantee totality. Also, since for x < 0 it holds that exp(x) = 1= exp(x), and exp(y) = 1= exp(y) at y = 0, we can construct a procedure that computes exp(x) for all x 2 R simply by ‘x m 0 ? posExp(x) : 1= posExp(x)’. 5.2.3. Exponential Function via Iteration. pExp in Section 5.2.2 employs unbounded sums, which leave the realm of the ﬁrst-order logic considered in Section 6 for formal speciﬁcation and veriﬁcation purposes. Here we consider an alternative, iterative approach to realize the exponential function in ERC. To this end recall for every x 2 [0; 2] it holds [Mit70, §3.6.3]: n!1 n n+1 n!1 x x exp(x) 1 + exp(x) 1 + ! exp(x) n n This suggests the following iterative ERC program: Figure 6: iExp : R ! R input x : R // 0 x 2 let n : Z = 1; let n : R = 1; let c : R = 1 + x; let a : R = c; let b : R = a c; p p1 while choose 2 m b a; b a m 2 = 1 do n = n + n; n = 2 n ; r r : : : c = 1 + x=n ; a = c ; b = a c end return a as p ! 1 Note that, similarly to Figure 4, variables n n of diﬀerent types are maintained to coincide in value. Moreover “a := c ” is to be understood as abbreviating a loop of n real multiplications. (Recall Deﬁnition 5.1.) The program in Figure 6 supposes 0 x 2, but can be extended to the entire real line similar to Section 5.2.2. Note that the while loop is guaranteed to terminate since b a converges to 0 as n grows. The while condition is total: At least one of ‘2 m b a’ and p1 ‘b a m 2 ’ is always true. And when the while loop terminates, then it must hold p p 2 > b a, hence ja exp(x)j jb aj 2 . 5.2.4. Integer Rounding Multi-function. All real-to-integer rounding functions (up, down, to nearest) are discontinuous and therefore not computable. We thus relax the speciﬁcation and instead consider the following multi-function with ‘overlap’: Round : R 3 x 7! fk 2 Z j x 1 < k < x + 1g Z (5.3) The ERC program Round in Figure 7 realizes Round. It returns, given a (not necessarily positive) real x, some integer k such that jx kj < 1. 26 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER Figure 7: Round : R ! Z 1: input x : R 2: let k : Z = 0; 3: while choose(x l 1; x m 1=2) = 1 do : : 4: k = k + 1; x = x 1 5: end; 6: while choose(x m1; x l1=2) = 1 do 7: k := k 1; x := x + 1 8: end 9: return k Intuitively, the ‘number of steps made’ by Round are proportional to the value of the argument x, that is, exponential in its binary (output) length’: because Round essentially counts up to x. Recovering the rounded integer bitwise via binary search seems exponentially more eﬃcient, but fails due to lack of continuity: Extracting any digit of ‘the’ binary expansion (or one of the at most two possible ones) of a given real number is uncomputable [Tur37]. Instead, BinRound in Figure 8 realizes the idea that some signed-digit expansion [Wei00, Deﬁnition 7.2.4] of a given real number x 2 R can be determined computably: Figure 8: BinRound : R ! Z 1: input x : R 2: let k; j; b : Z = 0; let y : R = x; 3: while choose(jyj l 1;jyj m 1=2) = 1 do // x = y 2 : : 4: j = j + 1; y = y=2 5: end; // jyj l 1 6: while j > 0 do // x = (y + k) 2 ^jyj < 1 7: y := y 2 8: b := choose(y l 0;1 l y l 1; y m 0) 1; // b =most-signiﬁcant signed binary digit of y 9: y := y b; k := 2 k + b; j := j 1 10: end // jx kj < 1 11: return k Loop invariants have been included into the code as informal comments in order to convey partial correctness with respect to the speciﬁed postcondition; separate work will expand these for formal veriﬁcation. Due to multi-valuedness of the test, after the real number while loop (lines 3 to 5) has ended, the second argument “y m ” may still be true, whereas the ﬁrst “jyj l 1” must be true; but always at least one of both is valid, thus guaranteeing total correctness. In the integer loop (lines 6 to 10), multi-valuedness ‘strikes’ only at line 8 which EXACT REAL COMPUTATION 27 employs choose() with trinary argument. “yb” in line 9 is to be understood as abbreviation of the following code: if b = 1 then y := y + 1 end; if b = 1 then y := y 1 end 5.2.5. Determinant Function via Gaussian Elimination. The determinant of a d d matrix A = (a ) is given by Leibniz’ formula ij i;j X Y det(A) = sign() a (5.4) j;(j) j=1 where the sum ranges over all d! permutations : f1; : : : ; dg ! f1; : : : ; dg. Since ERC conveniently relieves the programmer from numerical issues like cancellation, this formula gives rise to a straight-forward ERC program. However one executing a number of arithmetic operations exponential in d. Common numerical approaches therefore transform A to triangular form, whose deter- minant is simply the product of its diagonal elements [PTVF07, §2.3.3]. More formally, following Turing [Tur48], apply Gaussian Elimination in order to determine a LU factorization with full pivoting “P A Q = L U” of A, where P; Q denote permutation matrices and L and U are lower and upper triangular matrices, respectively. Error propagation through Gaussian Elimination with its variants are non-trivial topics in numerical analysis [TB97, §IV] that hamper rigorous speciﬁcation when implemented in ﬂoating point arithmetic. Exact arithmetic in ERC on the other hand eliminates the need for such considerations—except for pivot search, which involves real comparisons that are only partially deﬁned. In Gauss’ original algorithm, such search either (i) returns the index of a non-zero entry in the given sub-matrix or (ii) asserts that said sub-matrix is identically zero. By iterating this process, dd Gaussian Elimination determines the rank k 2 N of the original matrix A 2 R — which depends discontinuously on A’s entries and hence cannot be computed. Remark 5.2. We thus change the speciﬁcation of the determinant (and of the LUPQ factorization it builds on): with the promise for the argument matrix A to have full rank—otherwise its determinant will vanish, anyway. det(A) if det(A) 6= 0; Det : GL(R ) 3 A 7! (5.5) ? otherwise: We also relax pivot search (within the lower-right submatrix) to become a partial multi-function: dd 2 Pivot (A; k) = (i; j) : A 2 R ^ k i; j < d^ A 6= 0 2 P(Z ) (5.6) d i;j f?g Here, X := X if X =6 ; and f?g if X = ;. So the argument is a real d d matrix A and f?g an integer k, indicating that a pivot is to be sought for in the (d k) (d k) non-zero sub-matrix A[k : : : d 1; k : : : d 1] := A[i; j] . ki;j<d The pair (i ; j ) of return values here is thus understood as abbreviation of the single 0 0 integer i + j d, similarly to the two-dimensional array access A[i; j] as abbreviation of 0 0 A[i + j d]. Recall Deﬁnition 5.1(8). Based on Pivot , the ERC program in Figure 10 computes the non-zero determinant Det from Equation (5.5) via LUP decomposition with full pivoting. Note that the precision LUPQ factorization A 7! (L; U; P; Q) is not unique, hence a real matrix-tuple-valued multi-function. 28 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER Figure 9: Pivot : R[d d] Z ! Z 1: input A : R[d d]; k : Z 2: let i : Z = k; let j : Z = k; let x : R = 0; 0 0 3: for i : Z = k to d 1 do 4: for j : Z = k to d 1 do 5: x := max x; abs(A[i; j]) end end; 6: for i : Z = k to d 1 do 7: for j : Z = k to d 1 do 8: if choose(abs(A[i; j]) l x; abs(A[i; j]) m x=2) = 1 then i := i; j := j end 0 0 9: end end 10: return (i ; j ) 0 0 parameter p 2 Z is present but ignored since the result gets computed exactly. Again, formally speaking the program Det is a program in ERC(;;fPivot g). d d Figure 10: Det : R[d d] ! R 1: input A : R[d d] // A invertible, p ignored 2: let i : Z = 0; let j : Z = 0; let k : Z = 0; 3: let p : Z = 0; let p : Z = 0; let det : R = 1; // ret.val i j 4: for k = 0 to d 2 do 5: // Convert A[k::d 1; k::d 1] to reduced row echelon form: 6: (p ; p ) = Pivot(A; k); // pi; pj k s.t. A[p ; p ] 6= 0. i j i j 7: det = detA[p ; p ]; i j 8: for j = 0 to d 1 do swap(A[k; j]; A[p ; j]) end; // Exchange rows #k and #pi. 9: if k 6= p then det := det; // ﬂip sign 10: for i := 0 to d 1 do swap(A[i; k]; A[i; p ]) end; // Exchange columns #k and #p . 11: if k 6= p then det := det; // ﬂip sign 12: for j := k + 1 to d 1 do // Scale row #k by 1=A[k; k] and 13: A[k; j] := A[k; j]=A[k; k]; // and subtract the A[i; k]-fold from 14: for i := k + 1 to d 1 // from rows #i = k + 1 : : : d 1. 15: do A[i; j] := A[i; j] A[i; k] A[k; j] end 16: end; A[k; k] := 1; for i := k + 1 to d 1 do A[i; k] := 0 end 17: end; 18: det := detA[d 1; d 1]; 19: return det as p ! 1 Note that pivot search in line 6 of program Det is guaranteed to succeed in that the (d k) (d k) submatrix A[k : : : d 1; k : : : d 1] under consideration will indeed contain EXACT REAL COMPUTATION 29 at least one — usually non-unique — non-zero element due to the promise/restriction that A 2 GL(R ) according to Remark 5.2. 5.2.6. Simple Unique Root Finding Functional. The problem of ﬁnding (i.e. approximating) a root to a given real function f occurs ubiquitously in numerics under various hypotheses. Here we consider algorithmic versions of the Intermediate Value Theorem, that is, ﬁnding a root to a given continuous f : [a; b] ! R satisfying f (a) < 0 < f (b). This case is commonly treated using Bisection: Determine the sign of f (x) at the interval mid point x = (a + b)=2 and recurse to either [a; x] or to [x; b] accordingly. However, since equality is undecidable, the sign test fails in case f (x) = 0. Trisection [Her96, p. 336] instead considers the signs of f at 0 00 : : both one third x = (2a + b)=3 and at two third x = (a + 2b)=3 of the interval, in parallel; 00 0 and recurses to either [a; x ] or to [x ; b] accordingly: Now at most one of the two sign tests 0 00 at f (x ) and f (x ) can fail, provided that f’s root is unique and f (a) f (b) < 0. These hypotheses also avoid common counterexamples like [Spe59] or [Wei00, Theorem 6.3.2]. To summarize, we consider the (single-valued) root ﬁnding problem Root : f 7! x with f (x) = 0 for f satisfying the following ﬁrst-order predicates: cont(f; a; b) : 0 0 0 8 > 0: 9 > 0: 8x; x : a x x x + b ) jf (x) f (x )j uniq(f; a; b) : cont(f; a; b)^ f (a) f (b) < 0^9!x: a < x < b^ f (x) = 0 See that cont(f; a; b) says f is continuous in the usual sense on the interval [a; b] and uniq(f; a; b) says f is continuous in the interval [a; b], admits a unique root in the interval (a; b), and the signs of f (a) and f (b) are diﬀerent. The ERC program in Section 11 annotated with precondition uniq(f; a; b) and postcon- dition uniq(f; a; b)^jb aj 2 , as well as loop invariant uniq(f; a; b). Formally speaking, as ERC does not accept function arguments, the program is deﬁned in ERC(ffg;;). Given p, the postcondition guarantees that Trisection indeed returns an approximation to the root up to error 2 when uniq(f; a; b) holds. Figure 11: Trisection : R R ! R in ERC(ffg;;) for any f : R ! R 1: input a : R; b : R // uniq(f; a; b) p p1 p1 2: while choose 2 m b a; b a m 2 = 1 do // uniq(f; a; b)^ b a > 2 3: if choose(0 m f (b=3 + 2 a=3) f (b); 0 m f (a) f (2 b=3 + a=3)) = 1 4: then b := 2 b=3 + a=3 5: else a := b=3 + 2 a=3 end 6: end // uniq(f; a; b)^jb aj 2 7: return a as p ! 1 Recall the abbreviations b=3 and 2 a=3 form Deﬁnition 5.1. This program is chosen later in Section 7 to be formally proved for its correctness. 30 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER 5.3. Turing-Completeness. Extending and building on the above examples of program- ming in ERC, we now establish that ERC is expressive enough to deal with any computable real functions and integer multi-functions. In other words, it is Turing-complete in the following sense. Theorem 5.3. (1) Every computable partial real function f from integers and reals can be realized in ERC . (2) Similarly, every computable partial integer multi-function g from integers and reals can be realized in ERC . Proof. Note that though ERC does not provide integer multiplications in its term language, as its command language provides loops, when we restrict ERC with integers only, without real numbers or nondeterminism, the expressive power of the command language of ERC is equivalent to the ordinary Turing machine. Our command language, being powerful enough to simulate Turing machines, can also implement ﬁnite integer map structures; we can have integer variables which encode a ﬁnite maps (a : b ; ; a : b ) with the functionality of searching by key a and adding key-value 1 1 n n i pairs (a : b ). Also note that by repeated addition or subtraction, the ordinary integer i i embedding Z 3 z 7! z 2 R is expressible through the command language. By deﬁnition, for a computable partial function f : X X ! R , there 1 d ? is an oracle machine such that when it is equipped with oracles ' ; ; ' , which are 1 d names of x ; ; x s.t. f (x ; ; x ) 6= ?, there is a name ' of the function value s.t. 1 d 1 d i i 8i: jf (x ; ; x ) '(i) 2 j 2 such that when the machine receives an integer m as 1 d its input, returns '(m). We can modify the oracle machine to deﬁne a ERC program with input variables x ; ; x and a precision parameter p. In the beginning, let an integer variable m which is 1 d recognized as the input of the oracle machine be initialized with p by let m : Z = p. For each real and real array input variable, we create an empty map. For the rest of the program, we simulate the oracle machine with the initialized variable m. For each oracle query asking for the n’th entry of its i’th oracle, which is meant to be a name of the i’th input x , we make the following replacement: If x is an integer variable, we replace (the answer of) the query with x . i i If x is a real variable, (1) check if (n : z) is in the map of x for some z, (2) if so replace i i (the answer of) the query with z, and (3) otherwise perform the multi-valued rounding on x 2 (from Section 5.2.4) and store the pair (n; z) where z is the resulting term of the rounding, in the map of x . (Since a map is essentially variables, at this moment, it creates multiple states for each possible rounding of x 2 .) Then, perform (1) above. If x is an array R[k] variable, (1) check if (n : z) is in the map of x for some z, (2) if so i i replace (the answer of) the query with z, and (3) otherwise, we ﬁrst using the command language, ﬁnd the indices 0 j < k; 0 l such that k l + j = n, (note that this is the decoding of the index embedding for product representation in Section 2) and (4) perform the multi-valued rounding on x [j] 2 and store the pair (n; z) where z is the resulting term of the rounding, in the map of x . (Again, since a map is essentially variables, at this moment, it creates multiple states for each possible rounding of x [j] 2 .) Then, perform (1) above. When the oracle machine terminates, when an integer term t is about to be returned, 0 0 p ﬁrst embed the integer term t to reals t using our command language, then return t 2 . EXACT REAL COMPUTATION 31 Observe that for any input x , the replacement of accessing the n’th entry of the corresponding oracle as above correctly but nondeterministically provides the n’th entry of names of x . Thanks to the maps, once an oracle is accessed ' (n), the future access with i i the same query gets consistent. For example, when a query is made for the n’th entry of x for the ﬁrst time, it may create two diﬀerent states f ; g where in , the map for x stores (n : ' (n)) and in , 1 2 1 i i 2 0 0 the map for x stores (n : ' (n)) such that ' and ' are diﬀerent names of x . However, for i i i i i either or , when the same query is made, the answer is consistent in the sense that for 1 2 , it accesses ' (n) and for , it accesses ' (n). 1 i 2 Note that the representations we use are deﬁned in a way that the entries of names are independent in the sense that for any x 2 Z;R, or R , and for any partial function h :N ! Z such that for all j 2 dom h, there exists a name ' of x such that h(j) = ' (j), j j there is a name ' of x such that 8j 2 dom h: h(j) = '(j). In words, for any x, choosing a name ' of x, the choices of each entry of ' are independent. Hence, the replacement results in multiple states where in each 2 and each real or real array input x, there is a name ' of x where the map of x stores a segment of '. It means there are names ' ; ; ' of x ; ; x such that the computation leading to is 1 d 1 d equivalent to the oracle machine equipped with ' ; ; ' as its oracles. 1 d Therefore, the denotation of the original integer return term t is a subset of the oracle machine’s return values over all possible oracles (names) ' ; ; ' for x ; ; x : a set 1 d 1 d p p of integer z such that z 2 approximates the function value by 2 . (Recall that we make m := p in the beginning of the program.) Therefore, after embedding it in reals and multiplying it by 2 at the end, the denotation of the return term is a set of real numbers that are 2 approximations to the function value. Therefore, the denotation of the program at any (x ; ; x ) when f (x ; ; x ) 6= ? is f (x ; ; x ); the program realizes f according 1 d 1 d 1 d to Deﬁnition 4.10. The integer multi-function case can be proved identically except for that we do not need to get bothered with the type casting at the end. Remark 5.4. The completeness of WhileCC*’s algebraic semantics [TZ04] is obtained in a similar way: using nondeterminism to obtain discrete approximation then proceed ordinary computation. However, their countable choice construct is not necessary for our case as we only consider real numbers; using the total order of reals, we can rely on our ﬁnite choice construct to extract names. ERC deﬁnes integer multi-functions but not a real multi-function. Real programs are forced to take limit operations and compute single-valued real numbers. This is our design choice that can be chosen diﬀerently. Here, we state a possible alternative and explain our choice: Remark 5.5. One straightforward way to allow real multi-functions is to ease our typing rule such that we let the program P := input v : ; v : ; ; v : 1 2 2 2 d d return t have type ! R if there is a context such that 0 0 v : ; v : ; ; v : ` S . and ` t : R : 1 1 2 2 d d 32 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER And, we let its denotation be JPK := JtK JSK : J K J K ! P(R ) as it was an 1 d ? integer programs. From Lemma 4.4 and 4.7, it can be seen immediately that the denotations of such real programs are computable multi-functions. We can also extend the notion of “realization” in Deﬁnition 4.10 accordingly. However, this extension does not carry the completeness in Theorem 5.3 over. Recall that the denotations of programs are ﬁnite multi-functions. Hence, a computable inﬁnite multi-function is realizable in ERC only if it admits point-wise ﬁnite reﬁnement that is computable. In the integer case, it was ﬁne as any inﬁnite integer multi-function admits point-wise ﬁnite reﬁnement. (Recall Fact 2.5.) However, it does not hold for real multi- functions. Therefore, when we extend ERC with real multi-functions as above, we end up with a restricted completeness theorem. As easing the restriction as above is straightforward, we choose to keep the restriction and achieve a more natural completeness theorem. Recall that the ordinary (single-valued) limit operation was essential in having complete- ness for (single-valued) real functions. Multi-valued limit is still under debate [FB18, Kon18] and we leave it as future work to equip multi-valued limit operation in ERC and make it complete even for partial computable multi-valued real functions. 6. Logic of Exact Real Computation In this section, we devise a speciﬁcation language and based on the language devise an extended Hoare logic for formal veriﬁcation of ERC programs. Section 6.1 proposes a three-sorted structure for rigorously specifying (multi-)functions with real arguments in Section 6.2. It is carefully designed rich enough to allow arguing about computations in ERC yet restricted such as to assert logical decidability as a guarantee to formal program veriﬁcation; recall Remark 1.1. Section 6.3 extends the classical Hoare logic which is sound with regard to our denotational semantics. 6.1. Three-Sorted Structure with Decidable Theory. ERC natively supports three basic data types and operations: Z coinciding with the Presburger structure Z, R co- inciding with the ordered ﬁeld R, and K coinciding with the three-valued Kleene logic K = ftrue; false; unknowng extending Boolean B = ftrue; falseg. Deﬁnition 6.1. The Structure of ERC (without any extension) is the three-sorted struc- ^ ^ ture S combining the Kleene Algebra (K; false; true; unknown;^;_;: ^ ) with Presburger Arithmetic (Z; 0; 1; +;;; 2Z; 3Z; 4Z; : : :) and ordered ﬁeld (R; 0; 1; +;;; <). They are connected via the binary precision embedding { : Z 3 p 7! 2 2 R and its partial half-inverse blog absc : Rnf0g ! Z. Here kZ denotes the predicate on Z which is true precisely for all integer multiples of k 2 N. The logic of ERC is the ﬁrst-order language L of the structure S ; the theory of ERC 0 0 0 0 is the complete ﬁrst-order theory T of the structure S . 0 0 We take the inequality on Z as non-strict , but that on R strict < as in [Mar17]. This classical predicate < R R is not to be confused with the computational, Kleenean-valued comparison l : RR ! K. The symbol ? which represents ill-deﬁniteness in our denotational semantics is not an element of the structure of ERC. Theorem 6.2(a) shows that the theory of our base language T is decidable: every ﬁrst-order sentence about S can be formally either veriﬁed or refuted. This applies for 0 EXACT REAL COMPUTATION 33 example to pre/post conditions or loop invariants of ‘plain’ ERC programs; see Remarks 6.6 and 6.10. This is a signiﬁcant advantage of ERC, compared to traditional programming languages for discrete data: Classical While programs over integers with multiplication for instance do suﬀer from Gödel undecidability [Coo78, §6]. Theorem 6.2. a) The Theory T of ERC is decidable. 0 0 b) T is also ‘model complete’ in that it admits elimination of quantiﬁers up to one (by choice either existential or universal) block ranging over integers. c) Each of the following expansions destroys the decidability of the ﬁrst-order theory of the structure S : expanding with integer multiplication expanding with the unary predicate Z on R, or with ‘type casting’ Z ,! R replacing the binary precision embedding { with its unary counterpart | : N 3 n 7! 1=n 2 R expanding simultaneously with the real exponential and sine function and with tran- scendental constants and ln 2 Proof. c) Including integer multiplication recovers Peano arithmetic and Gödel undecidability via Robinson’s Theorem [Rob59]. A unary predicate Z on R allows to express integer multiplication via the reals; similarly for (any total extension of) the unary precision embedding |. Finally, the real transcendental functions and constants make the theory undecidable according to Richardson’s Theorem [Ric68]. a)+b) A celebrated result of van den Dries [Dri86] extends classical Tarski-Seidenberg quantiﬁer elimination from the ﬁrst-order theory of real-closed ﬁelds to the expanded structure kZ blog absc (R; 0; 1; +;;; <; 2 : k 2 N; 2 ) (6.1) kZ with axiomatized additional predicates 2 ; k 2 N, and truncation function to binary powers blog absc 2 , see also [AY07]. Note that both the real-closed ﬁeld (R; 0; 1; +;;; <) and Presburger Arithmetic can be embedded into the expanded structure from Equation (6.1); the latter interpreted as its Z kZ multiplicative variant (2 ; 1; 2;; <; 2 : k 2 N) is called Skolem Arithmetic [Bés02]: kZ Replace quantiﬁers over Skolem integers with real quantiﬁers subject to the predicate 2 for k := 1; Consider { : Z ! R as the restricted identity id in R. Then every formula ' with or without parameters in our two-sorted structure translates signature by signature to an equivalent one ' ~ over the expanded theory where quantiﬁers can be eliminated, yielding equivalent decidable (which may involve binary truncation blog absc 2 ). To translate this back to some equivalent over the two-sorted structure, while re- introducing only one type of quantiﬁers, observe that for real x: kZ x 2 2 , 9z 2 Z: z 2 kZ ^ x = {(z); kZ x 62 2 , 9z 2 Z: z 2 kZ ^ {(z) < x < {(z + k) : blog abs(x)c Similarly, replace real binary truncation 2 with “{(z)” for some/every z 2 Z s.t. {(z) jxj < {(z) + 1 in case x > 0, with 0 otherwise. The Kleene Algebra K as the third sort is ﬁnite and does not aﬀect decidability. 34 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER We want to beneﬁt from these nice properties of S by using it in formally specifying the behaviour of ERC programs. For the purpose, there is a need to deal with the array variables from ERC in S . We take the following straightforward translation, to express R 0 0 sorted variable with n diﬀerent R sorted variables, implicitly: Remark 6.3. Consider S expanded with, for each n = 1; 2; 3; : : :: a sort R , a n-ary function id : R R ! R such that id(x ; ; x ) = (x ; ; x ), and 0 n1 0 n1 the following predicates proj := f((x ; ; x ); k; y) j x = yg R Z R; 0 n1 k update := f((x ; ; x ); k; y; (z ; ; z )) j z = y ^8i: i 6= k ) x = z g 0 n1 0 n1 k i i n n R Z R R : Observe that these are the graphs of the partial projection and updating from Example 2.1 discarding inputs yielding ?. We translate each ﬁnite set of sorted variables in the extended logic as follows: We translate the empty set to the empty set; [;] := ;. For a variable v 2 V and a ﬁnite set of sorted variables , we deﬁne [v : s; ] := v : s; [] for each s 2 fK;Z;Rg and [v : R ; ] := v : R; ; v : R; [] where v ; ; v 2 V are fresh variables that 0 n1 0 n1 do not appear in []. See that the set of variable assignments JK for any in this extended structure is isomorphic to the J[]K in the original structure. Let [] : JK ! J[]K denote the isomorphism. For each R sorted term t with free variables , there are n terms [t] ; ; [t] of sort 0 n1 R with free variables [] such that for each variable assignment 2 JK, the interpretation JtK of t is (J[t] K []; ;J[t] K []). To see this, we only need to consider the case when 0 n1 t is a R sorted variable or a term of the form id(x ; ; x ). When t is a variable v 0 n1 of sort R in , in [] we have v ; ; v for the desired components. When t is of the 0 n1 form id(x ; ; x ) where x is a term of sort R, we have x ; ; x for the desired 0 n1 i 0 n1 components. Consider any well-formed proposition P with free variables in the extended language. We can translate it to be a well-formed proposition [P ] in L with free variables in [] as follows: [P ] = P when P does not use any R sort. [t = t ] = [t ] = [t ] ^^ [t ] = [t ] when t ; t are terms of sort R . 1 2 1 0 2 0 1 n1 2 n1 1 2 [proj(x; k; y)] = (k = 0 ) y = [x] )^^ (k = n 1 ) y = [x] ) when x is of sort R . 0 n1 [update(x; k; y; z)] = (k = 0 ) [z] = y ^ [z] = [x] ^^ [z] = [x] )^^ (k = 0 1 1 n1 n1 d 1 ) [z] = [x] ^ [z] = [x] ^^ [z] = y) when x; z are of sort R . 0 0 1 1 n1 : : : [P _ Q] = [P ]_ [Q], [P ^ Q] = [P ]^ [Q], and [P ) Q] = [P ] ) [Q]. [8v: P ] := 8v: [P ] when v is of sort K;Z or R. When v is of sort R , [8v: P ] := 8v ; ; v : [P ] where v ; ; v are variables of sort R that are added in translating 0 n1 0 n1 variable v in [P ]. [9v: P ] := 9v: [P ] when v is of sort K;Z or R. When v is of sort R , [9v: P ] := 9v ; ; v : [P ] where v ; ; v are variables of sort R that are added in translating 0 n1 0 n1 variable v in [P ]. EXACT REAL COMPUTATION 35 By structural induction on propositions, we can see that for any proposition P with free variables , 2 JK validates P if and only if [] 2 J[]K validates [P ]. Taking this translation implicitly, we use R sorted variables, partial projections, and updating. 6.2. Speciﬁcation Language. Since we can express ﬁxed length arrays in the three-sorted structure, we can express (multi-)functions that appear in the primitive extensions F;G. (Recall that the domains of (multi-)functions there can be a product of R .) We deﬁne a speciﬁcation language for each ERC(F;G) by expanding the structure of ERC as follows: Deﬁnition 6.4. The Structure of ERC(F;G) is the expansion S (F;G) of S with the partial real functions f 2 F of various arities and with the partial integer multi-functions g 2 G, also of various arities. More formally, the expansion is done with the graphs: f(x ; ; x ; y) j f (x ; ; x ) = y 6= ?g for each f 2 F and 1 d 1 d f(x ; ; x ; y) j y 2 g(x ; ; x )^? 62 g(x ; ; x )g for each g 2 G. 1 d 1 d 1 d The Logic of ERC(F;G) is the ﬁrst-order language L(F;G) of S (F;G) and the Theory of ERC(F;G) is the complete ﬁrst-order theory T (F;G) of S (F;G). Let us write simply S, T , and L when the underlying F and G are obvious or not so relevant. Though, formally, we only add “graphs” of the (multi-)functions, we may still have their function application in the term language as an appropriate abbreviation where the last argument of the predicate for the graph is quantiﬁed over. We take the logic of ERC(F;G) to formally specify ERC(F;G) programs. The following lemma shows that our speciﬁcation logic are ‘adequate’ for the term language of ERC. Deﬁnition 6.5. Consider any data types ; in ERC. A partial function f : J K i 1 J K ! JK is deﬁnable in the logic of ERC if there is a formula (x ; ; x ; y) deﬁning d 1 d the graph (as in Deﬁnition 6.4) of f in the structure of ERC. Similarly, a partial multi- function g : J K J K ! P(JK ) is deﬁnable in the logic of ERC if there is a formula 1 d (x ; ; x ; y) deﬁning the graph of g. 1 n Lemma 6.6. For each well-typed term ` t : in ERC, its denotation J ` t : K : JK ! P(JK ) is deﬁnable in the logic of ERC. Proof. Let X; Y ; Z 2 fJK j is a data typeg. Suppose f : X ! P((Y ) ) and g : i i i Y Y ! P(Z ) are deﬁnable partial multi-functions where (x; y ) deﬁnes f 1 i i i d ? and (y ; ; y ; z) deﬁnes g. Then, its composition g hf ; ; f i : X ! P(Z ) is 1 d 1 d ? deﬁnable by (x; z) : 9y ; ; y : (x; y )^^ (x; y )^ (y ; ; y ; z) : 1 d 1 1 d d 1 d Also, if a partial function f : X ! Z is deﬁnable by (x; z), its embedding f is deﬁnable by the same . Hence, we only need to check the nontrivial cases, the deﬁnability of primitive functions that are absent in the structure ERC: (1) choose and (2) Kond: (1) See that choose : K ! Z is deﬁnable by (x ; ; x ; y) : (y = 0^ x = true )__ (y = n 1^ x = true ) : 1 n 1 n1 36 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER (2) Suppose (x; y) deﬁnes b : X ! P(K ), (x; y) deﬁnes f : X ! P(R ), and (x; y) b ? f ? g deﬁnes g : X ! P(R ). Then, the composition Kond hb; f; gi is deﬁnable by (x; z) : (x; true ) ) 9y: (x; y) b f ^ (x; false ) ) 9y: (x; y) b g ^ (x; unknown ) ) 9y: (x; y)^ (x; y)^8y ; y : (x; y )^ (x; y ) ) y = y f g 1 2 f 1 g 2 1 2 ^ ( (x; true )^ (x; z))_ ( (x; false )^ (x; z))_ ( (x; unknown )^ (x; z)) b f b g b f Deﬁnition 6.7. For a well-typed term ` t : in ERC, let us write L ` t : M for the formula deﬁning J ` t : K according to Lemma 6.6. Let us write simply LtM for L ` t : M when the particular context is obvious or irrelevant. Also, we let the free variables representing the input values in LtM be synchronized with and omit them in the notation; i.e., LtM(y) := Lx : ; ; x : ` t : M(x ; ; x ; y). 1 1 d d 1 d Note however that when we go beyond the term language of ERC , there are real functions that can be deﬁned in the programming language but not in our logic: Example 6.8. The restricted exponential function exp : I = [0; 1] ! R is uniquely charac- terized by the following formula: 8x; y 2 I: x + y 2 I ) exp(x + y) = exp(x) exp(y) (6.2) 8x; y 2 I: j exp(x) exp(y)j 3jx yj exp(1) = lim(1 + 1=n) = 1=n! (6.3) n n The ﬁrst line is the well-known functional equation, and the second one captures Lipschitz- continuity. Although exp can be realized as in Section 5.2.2, the deﬁning Formula (6.3) exceeds the logic of ERC by involving the transcendental constant e, which cannot be characterized algebraically. In other words, our logic is not expressive enough for the command language of ERC. More generally, propositional formulas in the Logic of ERC can only deﬁne semi-algebraic subsets of Euclidean space; and, according to Tarski-Seidenberg, real quantiﬁcation does not increase the expressive power. Integer quantiﬁcation can deﬁne countable unions of semi-algebraic subsets, but no more according to Theorem 6.2(b). According to Lindemann- Weierstrass, the graph of exp : [0; 1] ! R is no countable union of semi-algebraic Euclidean sets, hence impossible to deﬁne in S . The expansion S fexpg;; on the other hand makes exp trivial to deﬁne—but its ﬁrst-order theory may violate decidability. Such trade-oﬀs are unavoidable according to Remark 1.1. On the other hand, speciﬁcation and formal veriﬁcation may suﬃce with less than deﬁnability of the function under consideration: applications tend to be interested in solutions that satisfy given algebraic properties expressible in ERC—such as the exponential functional Equation 6.2—but do not necessarily make them unique, particularly transcendental or multi-valued ones. EXACT REAL COMPUTATION 37 6.3. Hoare Logic. Hoare logic is a well-known tool for formally proving the total correctness of a program and agreement with the problem speciﬁcation. The following considerations are guided by [Rey09, §3], adapted and extended to ERC with its three-sorted structure and multi-valued semantics. Both complicate matters since, for instance, a real guard variable in a while loop may strictly decrease during each iteration yet remain bounded forever; furthermore merely evaluating the loop condition can cause lack of termination when real equality occurs; see Remark 6.12 below. Since our language is simple imperative, we adopt the following notion of “(total correctness) speciﬁcation”: Deﬁnition 6.9. For a well-typed command S in ERC(F;G) with ` S . , a (total correctness) speciﬁcation is of the following form: S . where , are formulae in the logic of ERC(F;G). In the precondition , only the variables in appear free and in the postcondition , only the variables in appear free. The notation says, for any 2 JK which validates (i) ? 62 JSK and (ii) any 2 JSK validates . Note that the deﬁnition of our speciﬁcation does not publish any obligation to S when the precondition is not met; see Fact 2.4. The purpose of (Hoare) logic is to replace ‘semantic’ arguments with formal proofs: sequences of purely syntactic manipulations, starting with the axioms and following certain inference rules, that for example, a computer can verify. Classical Hoare logic contains one exception: Remark 6.10. The rule of consequence for precondition-strengthening and postcondition- weakening 0 0 0 ` S . 0 0 ) and ) ` S . 0 0 depends on the semantic side-conditions ) and ) which may or may not be feasible to verify algorithmically. Over integers, algorithmic veriﬁability can fail according to Gödel [Coo78, §6], but not in the logic of ERC according to Theorem 6.2(a). A side condition is also present in the rule for while loop termination. Deﬁnition 6.11. A Hoare triple for ERC(F;G) is of the form ` S . where S is a well-typed command in ERC(F;G) such that ` S . , and ; are formulae in the logic of ERC(F;G) such that only the variables in are free in and only the variables in are free in . Hoare logic of ERC(F;G) is a formal system which consists of the inference rules and axioms for constructing Hoare triples deﬁned in Figure 12. Remark 6.12. (1) In the axiom for assignments, recall from Deﬁnition 6.7 that the precondition 9w: LtM(w) ensures that the denotation of t is well-deﬁned. And, 8w: LtM(w) ) [w=v] says that for each value in the denotation of t, holds when we replace the variable v with the value. (2) In the while loop case, (a) the formula I is the loop invariant and the term V is the loop variant. The term L is some invariant quantity that bounds by how much V decreases in each iteration. (b) ; are ghost variables that do not appear in . They can be understood as meta-level universally quantiﬁed variables. 38 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER Figure 12: The Hoare logic of ERC(F;G) 0 0 0 ` S . 0 0 ) and ) ` S . ` skip . ` 9w: LtM(w)^8w: LtM(w) ) [w=v] v := t fff ggg . ` fffArrPre( ; v; z; t)ggg v[z] := t fff ggg . ` 9w: LtM(w)^8w: LtM(w) ) [w=v] let v : = t . ; v : f g f g f g ` ffgg S ffgg . ` S ff gg . 1 1 1 2 2 ` S ; S . 1 2 2 ` fff^ LbM(true )ggg S fff ggg . ` fff^ LbM(false )ggg S fff ggg . 1 1 2 2 ` fff^ (LbM(true )_ LbM(false ))^:LbM(unknown )ggg if b then S else S end fff ggg . 1 2 0 0 0 0 00 ` fffLbM(true )^ I ^ V = ^ L = ggg S fffI ^ V ^ L = ggg . ` fffIggg while b do S end fffI ^ LbM(false )ggg . 0 0 In the rule for loops, = ; ; : R. And, the rule has the side-conditions: I ^ LbM(true ) ) L > 0 ; I ) (LbM(true )_ LbM(false ))^:LbM(unknown ) ; I ^ V 0 ) 8k: LbM(k) ) k = false ; and ; do not appear free in I; V; L : In the case of array assignment ArrPre(P; v; z; t) is deﬁned as follows: ArrPre(P; v; z; t) : 9w; m: LtM(w)^ LzM(m) ^ 8m: (LzM(m) ) 0 m < d) 0 0 0 ^ 8w; m: (LtM(w)^ LzM(m)^8v : update(v; m; w; v ) ) P [v =v]) assuming ` v[z] := t . and ` v : R[d]. (c) The side condition says (i) each loop decreases V by some positive invariant quantity L; (ii) as long as I holds, the evaluation of b is either true or false (but not unknown); and (iii) when V is negative, it is guaranteed that the evaluation of b is false. (3) In the rule of if conditionals, the precondition (LbM(true )_ LbM(false ))^:LbM(unknown ) says that the evaluation of b is either true or false (but not unknown). Theorem 6.13. The Hoare logic of ERC(F;G) is sound; i.e., for any Hoare triple ` 0 0 S . , it holds that S . . Proof. See Appendix A. EXACT REAL COMPUTATION 39 7. Example Formal Verification in Exact Real Computation The present section picks up from Section 5.2.6 to illustrate formal veriﬁcation in ERC. To emphasize, our purpose here is not to actually establish correctness of the long-known Trisection method, but to demonstrate the extended Hoare logic from Section 6.3 using a toy example. Since Trisection relies on the Intermediate Value Theorem, any correctness proof must make full use of real (as opposed to, say, ﬂoating point, rational, or algebraic) numbers. Let us deﬁne some abbreviations such that the algorithm in Figure 11, which is a program in ERC(ffg;;) for some continuous f becomes of the form input a : R; b : R S return a as p ! 1. p p1 ~ ~ t : 2 m b a ; t = b a m 2 1 2 t : 0 m f (b=3 + 2 a=3) f (b) ; t : 0 m f (a) f (2 b=3 + a=3) 1 2 ~ ~ b : choose(t ; t ) = 1; b := choose(t ; t ) = 1 1 1 2 2 1 2 S : while b do S end 1 1 S : if b then S else S end 1 2 2 3 S : b := 2 b=3 + a=3 S : a := b=3 + 2 a=3 We work with the logic ofT (ffg;;) which contains sentences saying that f is a continuous function. We want to verify that the program’s denotation at its inputs a; b which isolate a root of f uniquely with a sign change: uniq(f; a; b) : cont(f; a; b)^ f (a) f (b) < 0^9!x: a < x < b^ f (x) = 0 : Considering the limit taken at the end of every real programs, we need to prove the speciﬁcation: 0 p 0 p = p ^ uniq(f; a; b) S 9!z: f (z) = 0^ a < z < b^ja zj 2 . 0 0 0 0 where = p; p : Z; a; b : R and = p; p : Z; a; b : R. The ghost variable p captures the initial value that the variable p stores, considering that the value p stores may throughout the computation (though it does not in this speciﬁc example.) ~ ~ To simplify our presentation, let us write t ; t ; t ; t as valid formulae in our speciﬁcation 1 2 1 2 language where their occurrences of l are implicitly replaced with <. See that Lb M(true ) , t , 1 2 Lb M(false ) , t , :Lb M(unknown ), Lb M(true ) , t , Lb M(false ) , t , and :Lb M(unknown ) 1 1 1 2 2 2 1 2 hold. Let us deﬁne I := p = p ^ uniq(f; a; b) as a candidate for the loop invariant, p1 p2 V := b a 2 as a candidate for the loop variant, L := 2 be a candidate for a lower 0 0 0 ~ ~ bound decrements, P := t ^ I ^ V = ^ L = , and Q := I ^ V ^ L = in our 0 0 0 speciﬁcation language with variables ; of the sort R. Let := p; p : Z; a; b; ; : R. From the axiom for assignments, we have the triples: ~ ~ ` 9!: La=3 + 2 b=3M(!)^8!: La=3 + 2 b=3M(!) ) Q[!=b] S Q . ~ ~ ` 9!: L2 a=3 + b=3M(!)^8!: L2 a=3 + :b=3M(!) ) Q[!=a] S Q . See that we can apply the rule of precondition weakening to get the following triples derived: ~ ~ ~ ~ ` Q[(a=3 + 2 b=3)=b] C Q . ; ` Q[(2 a=3 + b=3)=a] C Q . : 2 3 When we unwrap abbreviations, we can verify the following equivalences: Q[(2 a=3 + b=3)=a] , p = p ^ uniq(f; (2 a=3 + b=3); b) p1 0 ^ b (2 a=3 + b=3) 2 40 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER p2 0 ^ 2 = P ^ t , p = p ^ uniq(f; a; b)^ f (b=3 + 2 a=3) f (b) < 0 p1 p1 ^ 2 < b a^ b a 2 = p2 0 ^ 2 = Due to intermediate value theorem, if an interval (a; b) contains a root of f uniquely, and if f (x) f (y) < 0 for a x < y b, then (x; y) also contains the root of f uniquely. Hence, ~ ~ ~ ~ P ^ t ) Q[(2 a=3 + b=3)=a] holds. And, similarly, P ^ t ) Q[(a=3 + 2 b=3)=b] holds. 1 2 Therefore, by the rule of precondition strengthening on the triples of S ; S , and the rule 2 3 for conditionals, we get the triple: 0 0 0 ` t ^ I ^ V = ^ L = S I ^ (V )^ L = . 2 1 The side-conditions of the rule for while loops are quite trivial. Hence, assuming that they are proven, we apply the rule of while loops, and we get the following triple: ` I S I ^ t . Using the rule of pre/postcondition strengthening/weakening, we can get the originally desired speciﬁcation. 8. Conclusion and Future work We have formalized exact real number computation as an imperative programming language. Its domain-theoretic denotational semantics, based on the Plotkin powerdomain modelling multi-valued computations, is carefully designed to be computable and complete, matching the intuition of operating on continuous data exactly without rounding errors and in agreement with (proofs in) calculus. This enables a natural approach to formal program veriﬁcation by adding real number axioms to Hoare logic. The following considerations naturally suggest future further investigations: Computational Cost: After the design of an algorithm comes its analysis, in terms of computational cost as quantitative indicator of its practical performance. For realistic predictions, real complexity theory [Ko91, Wei03] employs bit-cost, as opposed to unit cost common in algebraic complexity theory [BCS97]. In [BH98, Deﬁnition 2.4] it is suggested that a logarithmic cost measure where each operation is supposed to take time according to the binary length of the integer (part of the real) to be processed. More accurate predictions take into account the precision parameter p for real programs and for real number comparisons “x m y” the logarithm of the diﬀerence jx yj. Full Mixed Data Types: ERC as introduced here formalizes computing with data types Z, R, and K as counterparts to mathematical Z;R;K where K is permitted only for expressions and local variables. A future extension will include also (multi-)functions with K type arguments and return values as well as arrays and a dedicated limit operator. Multi-valued Real Functions: The present version of ERC formalizes computing mappings from reals to integers in the multi-valued sense because any single-valued, and necessarily continuous [Wei00, Theorems 4.3.1+3.2.11], function with connected domain and discrete range must be constant. On the other hand, computing real values is deliberately restricting to the single-valued case. Deﬁning approximate computation of real multi-valued functions is delicate and still under exploration [FB18, Kon18]. EXACT REAL COMPUTATION 41 Functionals and Operators: The algorithm in Figure 11 mimics a functional that receives a continuous function f as argument, accessible by point-wise blackbox evaluation. Extending ERC with function arguments enriched with quantitative continuity information, such as a modulus of continuity [KC12], is necessary to extend Theorem 5.3 (Turing- completeness of ERC) from functions to functionals. Automated Formal Veriﬁcation: The decidability of the theory of the base language ERC according to Theorem 6.2 includes its complete (and actually elegant) axiomatization: Guaranteed to yield convenient automated formal veriﬁcation. This includes formalizing ERC itself in a formal system for example in the Coq proof assistant [KST20a, STT21] and further development of annotated ERC and veriﬁcation condition extraction mechanisms. Continuous Data Types beyond the Reals: Real computability theory has been extended to topological T spaces, real complexity theory to co-Polish spaces [KSZ16, Sch04]. Current and future works similarly extend ERC to continuous data types beyond real numbers/functions, such as the Grassmannian, tensors [SAL 18] and groups [SZ18]. As it is hinted in Remark 5.4, this may require extending our language with countable nondeterminism for the extended language to be complete as well. Acknowledgement This work was supported by the National Research Foundation of Korea (grants NRF- 2017R1E1A1A03071032 and NRF-2017R1D1A1B05031658), by the International Research & Development Program of the Korean Ministry of Science and ICT (grant NRF-2016K1A3A7A03950702), by the European Union’s Horizon 2020 research and innovation program under the Marie Skłodowska-Curie grant agreement No 731143, and by the German Research Foundation (DFG) Grant MU 1801/5-1. We thank Andrej Bauer, Cyril Cohen, Jeehoon Kang, Johannes Kanig, Alex Simpson, and Hongseok Yang for seminal discussions. Anonymous referees have provided valuable feedback to an earlier version. References [AJ95] Samson Abramsky and Achim Jung. Domain theory. In Handbook of Logic in Computer Science, volume III, pages 1–168. Oxford University Press, Oxford, United Kingdom, 1995. [AO19] Krzysztof R Apt and Ernst-Rüdiger Olderog. Fifty years of hoare’s logic. Formal Aspects of Computing, 31(6):751–807, 2019. [AY07] Jeremy Avigad and Yimu Yin. Quantiﬁer elimination for the reals with a predicate for the powers of two. Theor. Comput. Sci., 370(1-3):48–59, 2007. doi:10.1016/j.tcs.2006.10.005. [BC88] Hans-Juergen Karl Hermann Boehm and Robert Cartwright. Exact real arithmetic: Formulating real numbers as functions. Rice University, Department of Computer Science, 1988. [BCS97] Peter Bürgisser, Michael Clausen, and Mohammad Amin Shokrollahi. Algebraic complexity theory, volume 315 of Grundlehren der mathematischen Wissenschaften. Springer-Verlag Berlin Heidelberg, Berlin, Heidelberg, 1997. [Bés02] Alexis Bés. A survey of arithmetical deﬁnability. Soc. Math. Belgique, A tribute to Maurice Boﬀa:1–54, 2002. [BFM09] Sylvie Boldo, Jean-Christophe Filliâtre, and Guillaume Melquiond. Combining coq and gappa for certifying ﬂoating-point programs. In Jacques Carette, Lucas Dixon, Claudio Sacerdoti Coen, and Stephen M. Watt, editors, Intelligent Computer Mathematics, pages 59–74, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg. [BH98] Vasco Brattka and Peter Hertling. Feasible real random access machines. Journal of Complexity, 14(4):490–526, 1998. 42 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER [Bla] Jens Blanck. cdar – Reals based on Centred Dyadic Approximations. https://github.com/ jensblanck/cdar. [BM11] Sylvie Boldo and Guillaume Melquiond. Flocq: A uniﬁed library for proving ﬂoating-point algorithms in coq. In 2011 IEEE 20th Symposium on Computer Arithmetic, pages 243–252. IEEE, [Bra95] Vasco Brattka. Computable selection in analysis. In Proc. of the Workshop on Computability and Complexity in Analysis, Informatik Berichte, FernUniversit at Hagen, volume 190, pages 125–138, [Bra03] Vasco Brattka. The emperor’s new recursiveness: The epigraph of the exponential function in two models of computability. In Masami Ito and Teruo Imaoka, editors, Words, Languages & Combinatorics III, pages 63–72, Singapore, 2003. World Scientiﬁc Publishing. ICWLC 2000, Kyoto, Japan, March 14–18, 2000. [BVS93] Stephen Brookes and Kathryn Van Stone. Monads and comonads in intensional semantics. Technical report, CARNEGIE-MELLON UNIV PITTSBURGH PA DEPT OF COMPUTER SCIENCE, 1993. [CGC 20] Pieter Collins, Luca Geretti, Alberto Casagrande, Ivan Zapreev, and Sanja Zivanovic. Ariadne. http://www.ariadne-cps.org/, 2005-20. [Coo78] Stephen A Cook. Soundness and completeness of an axiom system for program veriﬁcation. SIAM Journal on Computing, 7(1):70–90, 1978. [DGE13] Pietro Di Gianantonio and Abbas Edalat. A language for diﬀerentiable functions. In Frank Pfenning, editor, Foundations of Software Science and Computation Structures, pages 337–352, Berlin, Heidelberg, 2013. Springer Berlin Heidelberg. [Dri86] Lou van den Dries. The ﬁeld of reals with a predicate for the powers of two. Manuscripta mathematica, 54:187–196, 1986. URL: http://eudml.org/doc/155108. [EE00] Abbas Edalat and Martın Hötzel Escardó. Integration in real pcf. Information and Computation, 160(1-2):128–166, 2000. [ES14] Martín Hötzel Escardó and Alex Simpson. Abstract datatypes for real numbers in type theory. In Gilles Dowek, editor, Rewriting and Typed Lambda Calculi, pages 208–223, Cham, 2014. Springer International Publishing. [Esc96] Martín Hötzel Escardó. PCF extended with real numbers. Theoretical Computer Science, 162:79– 115, 1996. [FB18] Robert Rettinger Franz Brausse, Norbert Müller. Intensionality and multi-valued limits. In Proc. 15th Internat. Conf. on Computability and Complexity in Analysis (CCA), page 11, 2018. [FP13] Jean-Christophe Filliâtre and Andrei Paskevich. Why3 — where programs meet provers. In Matthias Felleisen and Philippa Gardner, editors, Programming Languages and Systems, pages 125–128, Berlin, Heidelberg, 2013. Springer Berlin Heidelberg. [Her96] Peter Hertling. Topological complexity with continuous operations. Journal of Complexity, 12:315– 338, 1996. doi:10.1006/jcom.1996.0021. [Her99] Peter Hertling. A real number structure that is eﬀectively categorical. Mathematical Logic Quarterly, 45(2):147–182, 1999. [Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576–580, oct 1969. URL: https://doi.org/10.1145/363235.363259, doi:10.1145/363235.363259. [KC96] Bruce M. Kapron and Steven A. Cook. A new characterization of type-2 feasibility. SIAM Journal on Computing, 25(1):117–132, 1996. [KC12] Akitoshi Kawamura and Stephen Cook. Complexity theory for operators in analysis. ACM Trans. Comput. Theory, 4(2):5:1–5:24, May 2012. doi:10.1145/2189778.2189780. [KMP 08] Lutz Kettner, Kurt Mehlhorn, Sylvain Pion, Stefan Schirra, and Chee-Keng Yap. Classroom examples of robustness problems in geometric computations. Comput. Geom., 40(1):61–78, 2008. doi:10.1016/j.comgeo.2007.06.003. [Ko91] Ker-I Ko. Complexity Theory of Real Functions. Progress in Theoretical Computer Science. Birkhäuser, Boston, 1991. [Kon18] Michal Konecny. Veriﬁed exact real limit computation. In Proc. 15th Internat. Conf. on Com- putability and Complexity in Analysis (CCA), pages 9–10, 2018. [KST20a] Michal Konecný, Florian Steinberg, and Holger Thies. Computable analysis for veriﬁed exact real computation. In Nitin Saxena and Sunil Simon, editors, 40th IARCS Annual Conference on EXACT REAL COMPUTATION 43 Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2020, December 14-18, 2020, BITS Pilani, K K Birla Goa Campus, Goa, India (Virtual Conference), volume 182 of LIPIcs, pages 50:1–50:18. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2020. doi:10.4230/LIPIcs.FSTTCS.2020.50. [KST20b] Michal Konečný, Florian Steinberg, and Holger Thies. Computable analysis for veriﬁed exact real computation. In 40th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2020). Schloss Dagstuhl-Leibniz-Zentrum für Informatik, [KSZ16] Akitoshi Kawamura, Florian Steinberg, and Martin Ziegler. Complexity theory of (functions on) compact metric spaces. In Proc. 31st Ann. Symposium on Logic in Computer Science, pages 837–846, New York, NY, United States, 2016. ACM/IEEE, Association for Computing Machinery. [KTD 13] M. Konecny, W. Taha, J. Duracz, A. Duracz, and A. Ames. Enclosing the behavior of a hybrid system up to and beyond a zeno point. In Proc. 1st IEEE Int. Conf. on Cyber-Physical Systems, Networks, and Applications, pages 120–125, New York, NY, United States, 2013. Association for Computing Machinery. [Lam05] Branimir Lambov. Reallib: an eﬃcient implementation of exact real arithmetic. In CCA 2005 - Second International Conference on Computability and Complexity in Analysis, August 25-29, 2005, Kyoto, Japan, pages 169–175, 2005. [Luc77] Horst Luckhardt. A fundamental eﬀect in computations on real numbers. Theoretical Computer Science, 5(3):321–324, 1977. [Mar17] David Marker. Model Theory of Fields. Lecture Notes in Logic. Cambridge University Press, Cambridge, United Kingdom, 2017. doi:10.1017/9781316716991. [Mel08] Guillaume Melquiond. Proving bounds on real-valued functions with computations. In Alessandro Armando, Peter Baumgartner, and Gilles Dowek, editors, Automated Reasoning, pages 2–17, Berlin, Heidelberg, 2008. Springer Berlin Heidelberg. [Mit70] Dragoslav S. Mitrinović. Analytic Inequalities, volume 165 of Die Grundlehren der mathematischen Wissenschaften. Springer, 1970. [MRE07] J Raymundo Marcial-Romero and Martin H Escardo. Semantics of a sequential language for exact real-number computation. Theoretical Computer Science, 379(1-2):120–141, 2007. [Mül01] Norbert Th. Müller. The iRRAM: Exact arithmetic in C++. In Jens Blanck, Vasco Brattka, and Peter Hertling, editors, Computability and Complexity in Analysis, volume 2064 of Lecture Notes in Computer Science, pages 222–252, Berlin, 2001. Springer. 4th International Workshop, CCA 2000, Swansea, UK, September 2000. [NMB06] Aleksandar Nanevski, Greg Morrisett, and Lars Birkedal. Polymorphism and separation in hoare type theory. In Proceedings of the eleventh ACM SIGPLAN international conference on Functional programming, pages 62–73, 2006. [PER89] Marian B. Pour-El and J. Ian Richards. Computability in Analysis and Physics. Perspectives in Mathematical Logic. Springer, Berlin, 1989. [Plo76] Gordon D. Plotkin. A powerdomain construction. SIAM J. Comput., 5(3):452–487, 1976. [Plo77] Gordon D. Plotkin. Lcf considered as a programming language. Theoretical computer science, 5(3):223–255, 1977. [PTVF07] William H. Press, Saul A. Teukolsky, William T. Vetterling, and Brian P. Flannery. Numerical recipes: The art of scientiﬁc computing. Cambridge university press, Cambridge, United Kingdom, 3 edition, 2007. [Rey02] John C Reynolds. Separation logic: A logic for shared mutable data structures. In Proceedings 17th Annual IEEE Symposium on Logic in Computer Science, pages 55–74. IEEE, 2002. [Rey09] John C Reynolds. Theories of programming languages. Cambridge University Press, Cambridge, United Kingdom, 2009. [Ric68] Daniel Richardson. Some undecidable problems involving elementary functions of a real variable. Journal of Symbolic Logic, 33(4):514–520, 1968. [Rob59] Julia Robinson. The undecidability of algebraic rings and ﬁelds. Proceedings of the American Mathematical Society, 10:950–957, 1959. [SAL 18] Joonhyung Shin, Namjo Ahn, Seungwoo Lee, Chansu Park, and Martin Ziegler. Towards ten- sor calculus in exact real computation. 21st Japan-Korea Joint Workshop on Algorithms and Computation, August 2018. 44 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER [Sch04] Matthias Schröder. Spaces allowing type-2 complexity theory revisited. Mathematical Logic Quarterly, 50(4,5):443–459, 2004. [Spe59] Ernst Specker. Der Satz vom Maximum in der rekursiven Analysis. In A. Heyting, editor, Constructivity in mathematics, Studies in Logic and the Foundations of Mathematics, pages 254–265, Amsterdam, 1959. North-Holland. Proc. Colloq., Amsterdam, Aug. 26–31, 1957. [STT21] Florian Steinberg, Laurent Théry, and Holger Thies. Computable analysis and notions of continuity in coq. Log. Methods Comput. Sci., 17(2), 2021. URL: https://lmcs.episciences.org/7478. [SZ18] Dongseong Seon and Martin Ziegler. Computing haar averages. In Proc. 15th Internat. Conf. on Computability and Complexity in Analysis (CCA), pages 43–44, 2018. [TB97] Lloyd N. Trefethen and David Bau. Numerical Linear Algebra. Society for Industrial and Applied Mathematics, 3600 Market Street, 6th Floor Philadelphia, PA 19104 USA, 1997. [Tur37] Alan M. Turing. On computable numbers, with an application to the “Entscheidungsproblem”. Proceedings of the London Mathematical Society, 42(2):230–265, 1937. [Tur48] Alan M. Turing. Rounding oﬀ errors in matrix processes. Quarterly Journal of Mechanical and Applied Math, 1(1):287–308, 1948. [TZ99] J.V. Tucker and J.I. Zucker. Computation by ‘While’ programs on topological partial algebras. Theoretical Computer Science, 219:379–420, 1999. [TZ04] J.V. Tucker and J.I. Zucker. Abstract versus concrete computation on metric partial algebras. ACM Transactions on Computational Logic, 5(4):611–668, 2004. [Wei00] Klaus Weihrauch. Computable Analysis. Springer, Berlin, 2000. [Wei03] Klaus Weihrauch. Computational complexity on computable metric spaces. Mathematical Logic Quarterly, 49(1):3–21, 2003. [YYD 10] Jihun Yu, Chee Yap, Zilin Du, Sylvain Pion, and Hervé Brönnimann. The design of core 2: A library for exact numeric computation in geometry and algebra. In Komei Fukuda, Joris van der Hoeven, Michael Joswig, and Nobuki Takayama, editors, Mathematical Software – ICMS 2010, pages 121–141, Berlin, Heidelberg, 2010. Springer Berlin Heidelberg. Appendix A. Proof of the Soundness of the Hoare Logic of ERC We start the proof with the lemma: Lemma A.1. For a well-typed command ` while b do S end . , deﬁne the sequences of set-valued functions on JK: B () : fg b;S C () : ; b;S 0 0 S S f g if l = true ^ 6= ?; n+1 B () : l2JbK 2B () b;S b;S ; otherwise: 2 JSK fg if l = false; S S n+1 n 0 C () : C ()[ n ; if l = true ^ 6= ?; l2JbK b;S b;S 2B () b;S 2 JSK f?g otherwise: (n) n n Then, for all n 2 N, it holds that W () = C ()[f? j 9x: x 2 B ()g. b;S b;S Intuitively, B () is the set of states that requires further execution after running the b;S while loop on for n times, and C () is the set of states that have escaped from the loop b;S (either because false has been evaluated or ? has occurred) during running the loop for n times. Proof. Let us drop the subscripts b; S for the convenience in the presentation and write S for JSK. EXACT REAL COMPUTATION 45 We ﬁrst prove the following alternative characterization of the sequence of sets: B () if ` = true ^ 6= ?; n+1 B () = ; otherwise: `2JbK 2S It is trivial when n = 0. Now, suppose the equation holds for all and for all n up to m. Then the following derivation shows that the characterization is valid for n = m + 1 as well. [ [ fg if ` = true ^ 6= ?; m+2 B () = ; otherwise: m+1 `2JbK 2B () 2S [ [ fg if ` = true ^ 6= ?; ; otherwise: `2JbK m 0 0 0 S B ( ) if ` = true ^ 6= ?; 2S ` 2JbK ; otherwise: 2S 8 ( >S S fg if ` = true ^ 6= ?; < 0 0 if ` = true ^ 6= ?; m 0 `2JbK 2B ( ) ; otherwise: 2S ` 2JbK ; otherwise: 2S m+1 0 0 0 B ( ) if ` = true ^ 6= ?; ; otherwise: ` 2JbK 2S We now show the following characterization: C () if ` = true ^ 6= ?; n+1 C () = fg if ` = false; `2JbK f?g otherwise: 2S It is easy to show that the equation holds for n = 0. Now, assume the equation holds for all n up to m. Then, fg if ` = false; [ [ m+2 m+1 0 0 C () = C ()[ ; if ` = true ^ 6= ?; 0 : m+1 2B () ` 2JbK f?g otherwise: 2S fg if ` = false; [ [ m+1 0 0 = C ()[ ; if ` = true ^ 6= ?; 0 : ` 2JbK < f?g otherwise: B ( ) if ` = true ^ 6= ?; 2S `2JbK ; otherwise: 2S >fg if ` = false >S S 0 0 if ` = true ^ 6= ?; m ; if ` = true ^ 6= ?; `2JbK m+1 2B ( ) = C ()[ > 2S f?g otherwise: `2JbK> 2S ; otherwise: 46 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER fg if ` = false S S > m 0 0 C ( )[ ; if ` = true ^ 6= ?; if ` = true ^ 6= ?; `2JbK < 2B ( ) 2S f?g otherwise: `2JbK> fg if ` = false; 2S f?g otherwise: m+1 C ( ) if ` = true ^ 6= ?; = fg if ` = false; `2JbK f?g otherwise: 2S (n) n Now, using the suggested characterization, we prove W () = C ()[f? j 9x: x 2 b;S B ()g for all n 2 N. When n = 0, both are f?g. Suppose the equation holds for n = m. b;S Then, (n) >W () if ` = true ^ 6= ?; (n+1) W () = fg if ` = false; `2JbK f?g otherwise: 2S 8 8 m m > > C () if ` = true ^ 6= ?; f?j9 : 2 B ()g if ` = true ^ 6= ? < < [ [ = fg if ` = false; [ ; if ` = false; > > : : `2JbK `2JbK f?g otherwise: ; otherwise: 2S 2S 8 9 > ( > > > < = B () if ` = true ^ 6= ?; m+1 = C ()[ ? 9 : 2 > > ; otherwise: > > : `2JbK ; 2S m+1 m+1 = C ()[f? j 9 : 2 B ()g We now proceed to the proof of Theorem 6.13: Proof. We can prove the statement by checking the soundness of each rule. (1) (Assignment): Consider any state which validates 9w: LtM(w) ^ 8w: LtM(w) ) [w=v]. Then, ? 62 JtK and for any w 2 JtK , [w=v] holds. Now, see that Jv = tK = f[v 7! w]g since ? 62 JtK and for all w 2 JtK , w2JtK [v 7! w] validates . (2) The rule variable declarations and the rule of array assignments can be veriﬁed in very similar manner as above and the rules of pre/postcondition strengthening/weakening, skip, and sequential compositions can be veriﬁed quite trivially. (3) (Conditional): Consider any state which validates ^ (LbM(true ) _ LbM(false )) ^ :LbM(unknown ). Then, JbK = ftrue; falseg;ftrueg, or ffalseg. Let us check the three cases: (a) when JbK = ftrue; falseg: EXACT REAL COMPUTATION 47 Then, validates ^ LbM(true ) and ^ LbM(false ). Therefore, (i) ? 62 JS K , (ii) for all 2 JS K it holds that , (iii) ? 62 JS K , and (iv) for all 2 JS K it holds 1 2 2 that . Since? 62 JbK and unknown 62 JbK , the denotation becomes Jif b then S else S endK = 1 2 (JS K )[ (JS K ). Since the restriction operator does not create ?, the denota- 1 2 tion does not contain ?. Also, since only consists of free variables that are in , each resulting state after the restriction still validates . (b) when JbK = ftrueg: Then, validates ^ LbM(true ). Hence, (i) ? 62 JS K , (ii) each 2 JS K validates 1 1 . Since JbK = ftrueg, the denotation becomes Jif b then S else S endK = 1 2 (JS K ). Again, since the restriction does not create ? and ? 62 JS K , ? is not 1 1 in the denotation. And, since only consists of free variables that are in , each resulting state after the restriction still validates (c) when JbK = ffalseg, it can be done very similarly to the above item. (4) (Loop): Consider any state that validates I. Then, by the side-conditions, it also validates (LbM(true )_ LbM(false ))^:LbM(unknown ). Hence, JbK = ftrue; falseg;ftrueg; or ffalseg for any state that validates I. Now, we ﬁx a state which validates I hence satisﬁes the precondition. The core part of the proof is the statement: for any natural number n, it holds that n n n n (i) ? 62 B (), (ii) ? 62 C (), (iii) all in B () or C () validates I, and (iv) all b;S b;S b;S b;S in C () validates LbM(false ). b;S At the moment, suppose that the above statement is true. Then, all we have to show is that B () becomes empty as m 2 N increases. Let us deﬁne ` = maxfV () j b;S 2 B ()g and show that ` is strictly decreasing by some quantity that is bounded b;S below, as n increases. See that if it holds, there will be some m that for all 2 B (), b;S m+1 JbK = ffalseg and hence B () = ;. b;S In order to prove it, we take the two steps: 1 n (a) If B () 6= ;, then for all n 2 N and for all 2 B (), it holds that L() = b;S b;S L() > 0. In this case, let us write ` = L(). m+1 (b) If B () 6= ;, it holds that ` ` ` . m+1 m 0 b;S Now, we prove each statement: (a) B () 6= ; only if true 2 JbK and there is some non-bottom 2 S. Therefore, by b;S the side-condition, L() > 0. m+1 Suppose any 2 B () for any m 2 N. See that it happens only if there is b;S 0 m 0 0 0 2 B () such that true 2 JbK and 2 S . Together with Item (iii), b;S 0 0 0 0 0 0 ^ ^ validates I and LbM(true ). Let us deﬁne := [ ( 7! V ( )[ 7! L( ). Since ^ ^ ^ validates the precondition in the premise, we have that for any 2 S , validates 0 0 0 0 I and V and L = . Hence, L() = L( ). Since ; are ghost variables, 0 m+1 L() = L() = L( ). In conclusion, for any 2 B (), the quantity L() is b;S 0 0 m 0 identical to the quantity L( ) for some 2 B (). Since, B () = fg, we b;S b;S conclude that they are all identical to L(). m+1 (b) Suppose any 2 B () for any m 2 N. See that it happens only if there b;S 0 m 0 0 0 is 2 B () such that true 2 JbK and 2 S . Together with Item (iii), b;S 48 PARK, BRAUßE, COLLINS, KIM, KONEČNÝ, LEE, MÜLLER, NEUMANN, PREINING, AND ZIEGLER 0 0 0 0 0 validates I and LbM(true ). Consider := [ ( 7! V ( )[ 7! L( ) which validates 0 0 0 the precondition of the premise. Hence, [ ( 7! V ( )[ 7! L( ) validates the 0 0 postcondition. Hence, V () V ( ) L() = V ( ) ` . Hence, ` ` ` . 0 m+1 m 0 m m Now, we need to prove the aforementioned statement on B and C : b;S b;S 0 0 (a) (Base case): Recall that B () = fg =6 f?g and C () = fg. Hence, the four b;S b;S conditions are all satisﬁed. 0 0 S S f g if l = true ^ 6= ? n+1 (b) (Induction step): Recall B () : . l2JbK b;S 2B () b;S 0 ; otherwise: 2S Since all 2 B () validates I, JbK = ftrueg;ffalseg; or ftrue; falseg. In the case b;S of true 2 JbK , validates the precondition of the premise. Hence, for all 2 S, is not ? and also validates I. The case of JbK = ffalseg is not of interest. fg if l = false S S n+1 n Recall C () : C ()[ . n ; if l = true ^ 6= ? l2JbK 2B () b;S b;S b;S 2S f?g otherwise: Since all 2 C () validates I and LbM(false ), we only need to care the rightmost b;S part of the construction. Since all 2 B () validates I, by the side-condition, b;S n+1 unknown and ? are not in JbK . The is added to C () only if false 2 JbK . Therefore, validates both I and LbM(false ). Also, in the case of true 2 JbK , since validates the precondition in the premise, n+1 ? 62 S. Therefore, ? 62 C . b;S This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/ or send a letter to Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105, USA, or Eisenacher Strasse 2, 10777 Berlin, Germany

http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png

Computing Research Repository arXiv (Cornell University)

http://www.deepdyve.com/lp/arxiv-cornell-university/semantics-specification-logic-and-hoare-logic-of-exact-real-jrokheDTid

Semantics, Specification Logic, and Hoare Logic of Exact Real Computation

Loading next page...

References

References for this paper are not available at this time. We will be adding them shortly, thank you for your patience.

eISSN: ARCH-3344
DOI: 10.48550/arxiv.1608.05787
Publisher site: See Article on Publisher Site

Abstract

Journal

Computing Research Repository – arXiv (Cornell University)

Published: Aug 20, 2016

Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 7-Day Trial for You or Your Team.

Learn More →

Semantics, Specification Logic, and Hoare Logic of Exact Real Computation

Semantics, Specification Logic, and Hoare Logic of Exact Real Computation

Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 7-Day Trial for You or Your Team.

Learn More →

Semantics, Specification Logic, and Hoare Logic of Exact Real Computation

Semantics, Specification Logic, and Hoare Logic of Exact Real Computation

References

Abstract

Journal

Recommended Articles

There are no references for this article.

Our policy towards the use of cookies