Programming modulo representations

Marco Benini
Marco BeniniResearcher at Università dell'Insubria - Como
Programming modulo representations Correctness by Construction Research Project Dr M Benini Università degli Studi dell’Insubria Visiting JAIST until 16th June 2014 marco.benini@uninsubria.it 5th June 2014
A bizarre idea to discuss The aim of this talk is to show, through an elementary example, how one can change the point of view on (functional) programming. The idea has a philosophical motivation: is it possible to conceive a programming system which does not allow to inspect its output and, at the same time, is able to ensure that the result of a computation is correct? This talk will provide a positive answer, but its consequences are still work-in-progress. This talk extends the one I gave in Genoa, so I have to apologise to those who have already listened to the first part as it will be a repetition. (2 of 18)
Concrete and abstract lists Usually, lists are defined as the elements of the free algebra over the signature 〈{E,L},{nil:L,cons:E ×L → L}〉. And, in the standard practice of traditional programming, they are represented as follows: a cell is a record in the computer memory which contains two fields: the head which is an element in E; the tail of the list which is a list; in turn, a list is a pointer (memory address) to a cell; the empty list, nil, becomes the null pointer. Thus, cons is a procedure that allocates a cell, fills the head with its first parameter, and the tail with the second one, finally returning its address. Evidently, up to the ability to read computer memory, the result of any computation on lists can be inspected. (3 of 18)
Concrete manipulation of a list As an example of program, we consider the concatenate function. Its specification is: “Given the lists [x1,...,xn] and [y1,...,ym], concatenate has to return the list [x1,...,xn,y1,...,ym]”. Usually, it is implemented as concatenate(x,y) ≡ if x = nil then return y else q := x while q = nil do p := q q := q → tail p → tail := y return x (4 of 18)
Correctness The previous algorithm is correct. In fact, when x = nil, it returns y, satisfying the specification. When x = nil, x = [x1,...,xn]. So, at the end of the i-th iteration step, p = [xi ,...,xn] and q = [xi+1,...,xn], as it is immediate to prove by induction. Also, the cycle terminates after n iterations, and p = [xn]. But, in the concrete representation of x, p → tail must be nil and the assignment p → tail := y substitutes nil with y. So x becomes [x1,...,xn,y1,...,ym], as required. The proof sketched above uses in an essential way the concrete representation of the x list, because the algorithm uses “list surgery”. The algorithm, as one deduces from the proof, computes in O (|x|) steps, and uses a constant amount of memory, apart the one used the represent the input. (5 of 18)
A functional derivation Dropping list surgery, we can use the abstract formalisation of lists directly: concatenate(x,y) ≡ if x = nil then return y else return cons (hdx) (concatenate(tlx,y)) where hd and tl return the head and the tail of its argument, respectively. Of course, this is a functional program, and it is justified by the following reasoning, which can be immediately converted into a formal correctness proof by induction on the structure of x: 1. we want that concatenate([x1,...,xn],[y1,...,ym]) = [x1,...,xn,y1,...,ym], 2. as before, if x = nil, the result is just y 3. when x = nil, concatenate([x1,...,xn],[y1,...,ym]) yields the same result as consx1 (concatenate([x2,...,xn],[y1,...,ym])); 4. in the line above, the recursive application decreases the length of the first argument, so recursion terminates after n steps, yielding the result. (6 of 18)
Recursion versus induction In the functional implementation of concatenate, we may interpret the recursive schema as the computational counterpart of an inductive schema. It is immediate to see that such an inductive schema becomes the skeleton of the correctness proof. So, the functional program “carries” with itself its proof of correctness, in some sense. Usually, the functional implementation of concatenate is regarded as inefficient because it recursively constructs a number of intermediate lists before yielding the final results. That is, the functional program computes in O (|x|) steps, but it uses O |x|2 memory cells in a plain implementation of the language. To inspect the result we need to know that nil and cons are the constructors of the data type of lists, a piece of knowledge that is shared between the user and the programmer. (7 of 18)
Abstracting over lists We formalised a list [x1,...,xm] as consx1 (consx2 (...(consxm nil)...)). We can use a slightly different representation1: λn,c. c x1 (c x2 (...(c xm n)...)) . The key idea is to abstract over the structure of the data type, making it part of the representation of the datum. Alternatively, we can interpret this representation A as the abstract datum, and the concrete one, C can be obtained by passing the instances of the constructors to A. For example, the standard formalisation is obtained by (Anilcons). 1As far as I know, the general algorithm to derive such a representation is due to Böhm and Berarducci, and it can be traced back to Church. But the paper of Böhm and Berarducci is subtle as it relies on a typed λ-system. (8 of 18)
Abstracting one step further In fact, it is possible, by assuming that the λ-calculus (type theory) we are using has pairs, to abstract a bit further, so to completely hide the data type. Instead of writing [x1,...,xm] as λn,c. c x1 (c x2 (...(c xm n)...)) , we may substitute the constructors with the data type a, which is a 2-tuple, the first element being the concrete representation for nil, the second being the concrete representation for cons: λa. π2 ax1 (π2 ax2 (...(π2 axm (π1 a))...)) , where π1 and π2 are the standard projections. In this way, the programmer does not know how the list is concretely represented, but simply that the first element of a is how to interpret nil and the second element of a is how to represent cons. (9 of 18)
Interpreting abstract lists An abstract list can be thought of as representing a term in the first-order logical language with the equality relation symbol, and the signature of the data type of lists. The λ-term standing for the abstract list realises the mapping from the logical term — the list, the body of the abstraction — into some model, which is specified when we apply to the λ-term the way to interpret the function symbols, which, in turn, are not specified. If we fix this point of view, we can write a “correct by construction” implementation of concatenate: concatenate ≡ λx,y,a. x (y a),(π2 a) . (10 of 18)
Correctness by construction I concatenate ≡ λx,y,a. x (y a),(π2 a) It is worth explaining the construction of this program: 1. it is a function, which takes two argument x and y; 2. it returns an abstract list, so a λ-term of the form λa. L, with L a logical term in the language of lists, the constructors represented as projections from the signature a; 3. the y abstract list gets interpreted in the same model as the result of concatenate — and this is rendered by (y a); 4. the x abstract list gets interpreted in a model which has the same interpretation for cons, (π2 a), but it interprets nil as the ‘concrete’ y. We should remark that, in fact, this abstract implementation is, in essence, the very same algorithm we have shown in the beginning, deprived from the irrelevant details about the concrete data structure of lists. So, it is an efficient functional implementation. (11 of 18)
Correctness by construction II concatenate ≡ λx,y,a. x (y a),(π2 a) The above definition is a direct coding of the explanation. In turn, the explanation can be converted into a correctness proof by observing that the structure depicted in point (4) is a model for the theory of lists; there is a mapping that preserves the meaning between the standard term model and the model above; this mapping is just the function concatenate. The idea behind this proof is that the function concatenate, intended as a program, is nothing but a morphism between models of the same theory. A non-evident aspect of the explanation of concatenate is that it correctly operates in any model for the theory of lists. (12 of 18)
One program, many meanings For example, natural numbers, described as the structure generated by zero and successor, are a model for lists: cons ≡ λe,l. sucl and nil ≡ 0. And concatenate becomes just the usual addition. For example, interpreting cons as the Cartesian product and nil as the terminal object in a category with products, we get another model for lists. And concatenate becomes just the Cartesian product of two products. For example, interpreting cons as function application and nil as the identity function, we get another model for lists. And concatenate becomes function composition. And, in all these cases, the programmer is not aware of what his program is actually computing. But, still, as far as he assumes that there is morphism between the standard representation of lists and the intended concrete structure the program will operate on, he will be able to prove that his program is correct. (13 of 18)
Interpretations and computing Suppose to have three actors: the real user of the program; the programmer; and a malicious user of the program. Since the real user can invoke the program by providing the inputs x and y, but not the concrete interpretation, he will obtain an abstract result which is a program that takes as input just the concrete representation a, something he can use locally and privately. The programmer knows that the purpose of the program is to concatenate lists, and he is able to write a correct implementation, even if he does not know how lists are concretely represented. So, he cannot inspect the output of the user, but he is able to test the program in the usual way by employing a standard representation for lists. The malicious user, who wants to steal the result of the real user, can inspect x and y, as well as the program, but he does not know a, as the real user does not provide it. So he can inspect the abstract result, but he will be unable to understand its meaning in the world of the real user. (14 of 18)
Generalising Does it work only for lists? The theory behind the abstract representation for data types has been developed by Böhm and Berarducci, and it directly applies to all the data structures that can be formalised as free algebras of terms over a first-order signature. This holds for a large number of the elementary structures which are used in the current practice of programming. In a similar way, co-inductive data structures can be modelled as well. For data structures which are not free (co-)algebras, there are still some open problems, but, to some extent, they can be modelled in the same spirit — essentially, most data types used in programming are quotients of free (co-)algebras, so the inductive pattern still works, that is, recursion on the structure of the free (co-)algebra is a correct way to perform computation, even if not necessarily efficient. Does it work in a “real” programming language? As far as the programming language supports the dynamic creation of functions, e.g., by providing abstraction, the technique can be immediately used. This is the case for any functional language. (15 of 18)
A philosophical remark Any program which takes as input the description of the data types it uses, in the abstract sense we introduced earlier, automatically computes modulo a concrete representation. Nothing prevents to use arbitrary representations: as far as one can provide a morphism from the free (co-)algebra of terms to the intended model, the result will be correctly computed. Using a bizarre representation hides the result to the programmer and to any other user who does not know the morphism that maps the abstract result into its concrete representation. So, this technique, in principle, may provide a way to perform anonymous correct computations. On another side, nothing prevents from using a non-computable concrete representation: in this way, the result cannot be inspected even by the user, although he perfectly knows, by means of a mathematical proof, that it is correct. So, inspectability and computability are distinct concepts and, in particular, the latter does not imply the former. (16 of 18)
Conclusions In the previous slide there is a hidden assumption: that the logical theory has a canonical model which can be transformed into a any other model via a suitable mapping. This is not true in general. So the presented point of view can be stretched only when considering logical theories having such a classifying model — which is the case for free (co-)algebras of terms, for example. In my recent research (and my previous talk here), I’ve shown a semantics for first-order intuitionistic logical theories, based on a categorical setting, which has classifying models. So, every such a theory could, in principle, be regarded as a “data type” in the sense of this talk. Of course, much work has to be done... so any hint, suggestion, critique, question is mostly welcome! (17 of 18)
The end Harmony — © Marco Benini (2014) (18 of 18)
1 of 18

Programming modulo representations

Download to read offline
ScienceTechnology

This talk aims at introducing, through a very simple example, a way to represent data types in the λ-calculus, and thus, in functional programming languages, so that the structure of the data types itself becomes a parameter. This very simple technical trick allows to reconsider programming as a way to express morphisms between models of a logical theory. As an application, it allows to realise a way to perform anonymous computations. From a philosophical point of view, the presented approach shows how it is possible to conceive a real programming system where properties like correctness of programs can be proved, but data cannot be inspected, not even in principle.

Marco Benini
Marco BeniniResearcher at Università dell'Insubria - Como

Recommended

Programming modulo representations by
Programming modulo representationsProgramming modulo representations
Programming modulo representationsMarco Benini
292 views18 slides
05 dataflow by
05 dataflow05 dataflow
05 dataflowali Hussien
167 views10 slides
Recursion(Advanced data structure) by
Recursion(Advanced data structure)Recursion(Advanced data structure)
Recursion(Advanced data structure)kurubameena1
1.4K views16 slides
Recursion | C++ | DSA by
Recursion | C++ | DSARecursion | C++ | DSA
Recursion | C++ | DSASumit Pandey
74 views11 slides
Ch10 Recursion by
Ch10 RecursionCh10 Recursion
Ch10 Recursionleminhvuong
1.8K views38 slides
Recursion by
RecursionRecursion
RecursionMalainine Zaid
1.6K views60 slides

More Related Content

What's hot

Recursion by
RecursionRecursion
RecursionNalin Adhikari
3.1K views10 slides
Recursion - Algorithms and Data Structures by
Recursion - Algorithms and Data StructuresRecursion - Algorithms and Data Structures
Recursion - Algorithms and Data StructuresPriyanka Rana
2.9K views15 slides
Matlab quickref by
Matlab quickrefMatlab quickref
Matlab quickrefArduino Aficionado
913 views12 slides
3 recursion by
3 recursion3 recursion
3 recursionNguync91368
85 views25 slides
(Recursion)ads by
(Recursion)ads(Recursion)ads
(Recursion)adsRavi Rao
170 views16 slides
Applied parallel coordinates for logs and network traffic attack analysis by
Applied parallel coordinates for logs and network traffic attack analysisApplied parallel coordinates for logs and network traffic attack analysis
Applied parallel coordinates for logs and network traffic attack analysisUltraUploader
476 views29 slides

What's hot(20)

Recursion by Nalin Adhikari
RecursionRecursion
Recursion
Nalin Adhikari3.1K views
Recursion - Algorithms and Data Structures by Priyanka Rana
Recursion - Algorithms and Data StructuresRecursion - Algorithms and Data Structures
Recursion - Algorithms and Data Structures
Priyanka Rana2.9K views
Matlab quickref by Arduino Aficionado
Matlab quickrefMatlab quickref
Matlab quickref
Arduino Aficionado913 views
3 recursion by Nguync91368
3 recursion3 recursion
3 recursion
Nguync9136885 views
(Recursion)ads by Ravi Rao
(Recursion)ads(Recursion)ads
(Recursion)ads
Ravi Rao170 views
Applied parallel coordinates for logs and network traffic attack analysis by UltraUploader
Applied parallel coordinates for logs and network traffic attack analysisApplied parallel coordinates for logs and network traffic attack analysis
Applied parallel coordinates for logs and network traffic attack analysis
UltraUploader476 views
Dag representation of basic blocks by Jothi Lakshmi
Dag representation of basic blocksDag representation of basic blocks
Dag representation of basic blocks
Jothi Lakshmi19.1K views
I1803014852 by IOSR Journals
I1803014852I1803014852
I1803014852
IOSR Journals223 views
Algorithms and Complexity: Cryptography Theory by Alex Prut
Algorithms and Complexity: Cryptography TheoryAlgorithms and Complexity: Cryptography Theory
Algorithms and Complexity: Cryptography Theory
Alex Prut92 views
Data Structures- Part5 recursion by Abdullah Al-hazmy
Data Structures- Part5 recursionData Structures- Part5 recursion
Data Structures- Part5 recursion
Abdullah Al-hazmy9.4K views
Recursion and looping by xcoolanurag
Recursion and loopingRecursion and looping
Recursion and looping
xcoolanurag2.7K views
Iterations and Recursions by Abdul Rahman Sherzad
Iterations and RecursionsIterations and Recursions
Iterations and Recursions
Abdul Rahman Sherzad1.8K views
Adobe by manpreetduggal88
AdobeAdobe
Adobe
manpreetduggal88591 views
Lecture 12 intermediate code generation by Iffat Anjum
Lecture 12 intermediate code generationLecture 12 intermediate code generation
Lecture 12 intermediate code generation
Iffat Anjum9.5K views
Matlab1 by guest8ba004
Matlab1Matlab1
Matlab1
guest8ba004916 views
Csc1100 lecture14 ch16_pt2 by IIUM
Csc1100 lecture14 ch16_pt2Csc1100 lecture14 ch16_pt2
Csc1100 lecture14 ch16_pt2
IIUM238 views
C interview-questions-techpreparation by Kushaal Singla
C interview-questions-techpreparationC interview-questions-techpreparation
C interview-questions-techpreparation
Kushaal Singla2.7K views
Ch8a by kinnarshah8888
Ch8aCh8a
Ch8a
kinnarshah8888749 views
L1803016468 by IOSR Journals
L1803016468L1803016468
L1803016468
IOSR Journals217 views
Recursion Pattern Analysis and Feedback by Sander Mak (@Sander_Mak)
Recursion Pattern Analysis and FeedbackRecursion Pattern Analysis and Feedback
Recursion Pattern Analysis and Feedback
Sander Mak (@Sander_Mak)1K views

Similar to Programming modulo representations

CORCON2014: Does programming really need data structures? by
CORCON2014: Does programming really need data structures?CORCON2014: Does programming really need data structures?
CORCON2014: Does programming really need data structures?Marco Benini
461 views17 slides
Lambda Calculus by
Lambda CalculusLambda Calculus
Lambda CalculusK. N. Toosi University
2.9K views36 slides
B02402012022 by
B02402012022B02402012022
B02402012022inventionjournals
226 views11 slides
Master Thesis on the Mathematial Analysis of Neural Networks by
Master Thesis on the Mathematial Analysis of Neural NetworksMaster Thesis on the Mathematial Analysis of Neural Networks
Master Thesis on the Mathematial Analysis of Neural NetworksAlina Leidinger
96 views121 slides
Statistics lab 1 by
Statistics lab 1Statistics lab 1
Statistics lab 1University of Salerno
305 views19 slides
Csit77406 by
Csit77406Csit77406
Csit77406csandit
35 views14 slides

Similar to Programming modulo representations(20)

CORCON2014: Does programming really need data structures? by Marco Benini
CORCON2014: Does programming really need data structures?CORCON2014: Does programming really need data structures?
CORCON2014: Does programming really need data structures?
Marco Benini461 views
Lambda Calculus by K. N. Toosi University
Lambda CalculusLambda Calculus
Lambda Calculus
K. N. Toosi University2.9K views
B02402012022 by inventionjournals
B02402012022B02402012022
B02402012022
inventionjournals226 views
Master Thesis on the Mathematial Analysis of Neural Networks by Alina Leidinger
Master Thesis on the Mathematial Analysis of Neural NetworksMaster Thesis on the Mathematial Analysis of Neural Networks
Master Thesis on the Mathematial Analysis of Neural Networks
Alina Leidinger96 views
Statistics lab 1 by University of Salerno
Statistics lab 1Statistics lab 1
Statistics lab 1
University of Salerno305 views
Csit77406 by csandit
Csit77406Csit77406
Csit77406
csandit35 views
Introduction to R by University of Salerno
Introduction to RIntroduction to R
Introduction to R
University of Salerno478 views
Quantum Computation and the Stabilizer Formalism for Error Correction by Daniel Bulhosa Solórzano
Quantum Computation and the Stabilizer Formalism for Error CorrectionQuantum Computation and the Stabilizer Formalism for Error Correction
Quantum Computation and the Stabilizer Formalism for Error Correction
Daniel Bulhosa Solórzano274 views
Introduction to complexity theory assignment by tesfahunegn minwuyelet
Introduction to complexity theory assignmentIntroduction to complexity theory assignment
Introduction to complexity theory assignment
tesfahunegn minwuyelet1.3K views
Algoritmic Information Theory by Willy Marroquin (WillyDevNET)
Algoritmic Information TheoryAlgoritmic Information Theory
Algoritmic Information Theory
Willy Marroquin (WillyDevNET)173 views
Algorithmic Thermodynamics by Sunny Kr
Algorithmic ThermodynamicsAlgorithmic Thermodynamics
Algorithmic Thermodynamics
Sunny Kr1K views
Lecture 5 – Computing with Numbers (Math Lib).pptx by jovannyflex
Lecture 5 – Computing with Numbers (Math Lib).pptxLecture 5 – Computing with Numbers (Math Lib).pptx
Lecture 5 – Computing with Numbers (Math Lib).pptx
jovannyflex2 views
Lecture 5 – Computing with Numbers (Math Lib).pptx by jovannyflex
Lecture 5 – Computing with Numbers (Math Lib).pptxLecture 5 – Computing with Numbers (Math Lib).pptx
Lecture 5 – Computing with Numbers (Math Lib).pptx
jovannyflex3 views
AI Lesson 29 by Assistant Professor
AI Lesson 29AI Lesson 29
AI Lesson 29
Assistant Professor616 views
Lesson 29 by Avijit Kumar
Lesson 29Lesson 29
Lesson 29
Avijit Kumar226 views
INTEGRATION-1.pptx by SayanSen36
INTEGRATION-1.pptxINTEGRATION-1.pptx
INTEGRATION-1.pptx
SayanSen3637 views
MMath Paper, Canlin Zhang by canlin zhang
MMath Paper, Canlin ZhangMMath Paper, Canlin Zhang
MMath Paper, Canlin Zhang
canlin zhang219 views
Theory of computing by Bipul Roy Bpl
Theory of computingTheory of computing
Theory of computing
Bipul Roy Bpl3K views
03 Data Representation by Valerii Klymchuk
03 Data Representation03 Data Representation
03 Data Representation
Valerii Klymchuk474 views
Scala. Introduction to FP. Monads by Kirill Kozlov
Scala. Introduction to FP. MonadsScala. Introduction to FP. Monads
Scala. Introduction to FP. Monads
Kirill Kozlov1.1K views

More from Marco Benini

Point-free semantics of dependent type theories by
Point-free semantics of dependent type theoriesPoint-free semantics of dependent type theories
Point-free semantics of dependent type theoriesMarco Benini
432 views20 slides
The Graph Minor Theorem: a walk on the wild side of graphs by
The Graph Minor Theorem: a walk on the wild side of graphsThe Graph Minor Theorem: a walk on the wild side of graphs
The Graph Minor Theorem: a walk on the wild side of graphsMarco Benini
319 views27 slides
Explaining the Kruskal Tree Theore by
Explaining the Kruskal Tree TheoreExplaining the Kruskal Tree Theore
Explaining the Kruskal Tree TheoreMarco Benini
557 views33 slides
The Graph Minor Theorem: a walk on the wild side of graphs by
The Graph Minor Theorem: a walk on the wild side of graphsThe Graph Minor Theorem: a walk on the wild side of graphs
The Graph Minor Theorem: a walk on the wild side of graphsMarco Benini
293 views31 slides
Dealing with negative results by
Dealing with negative resultsDealing with negative results
Dealing with negative resultsMarco Benini
242 views58 slides
Variations on the Higman's Lemma by
Variations on the Higman's LemmaVariations on the Higman's Lemma
Variations on the Higman's LemmaMarco Benini
518 views30 slides

More from Marco Benini(20)

Point-free semantics of dependent type theories by Marco Benini
Point-free semantics of dependent type theoriesPoint-free semantics of dependent type theories
Point-free semantics of dependent type theories
Marco Benini432 views
The Graph Minor Theorem: a walk on the wild side of graphs by Marco Benini
The Graph Minor Theorem: a walk on the wild side of graphsThe Graph Minor Theorem: a walk on the wild side of graphs
The Graph Minor Theorem: a walk on the wild side of graphs
Marco Benini319 views
Explaining the Kruskal Tree Theore by Marco Benini
Explaining the Kruskal Tree TheoreExplaining the Kruskal Tree Theore
Explaining the Kruskal Tree Theore
Marco Benini557 views
The Graph Minor Theorem: a walk on the wild side of graphs by Marco Benini
The Graph Minor Theorem: a walk on the wild side of graphsThe Graph Minor Theorem: a walk on the wild side of graphs
The Graph Minor Theorem: a walk on the wild side of graphs
Marco Benini293 views
Dealing with negative results by Marco Benini
Dealing with negative resultsDealing with negative results
Dealing with negative results
Marco Benini242 views
Variations on the Higman's Lemma by Marco Benini
Variations on the Higman's LemmaVariations on the Higman's Lemma
Variations on the Higman's Lemma
Marco Benini518 views
Dealing with negative results by Marco Benini
Dealing with negative resultsDealing with negative results
Dealing with negative results
Marco Benini390 views
Well Quasi Orders in a Categorical Setting by Marco Benini
Well Quasi Orders in a Categorical SettingWell Quasi Orders in a Categorical Setting
Well Quasi Orders in a Categorical Setting
Marco Benini590 views
Proof-Theoretic Semantics: Point-free meaninig of first-order systems by Marco Benini
Proof-Theoretic Semantics: Point-free meaninig of first-order systemsProof-Theoretic Semantics: Point-free meaninig of first-order systems
Proof-Theoretic Semantics: Point-free meaninig of first-order systems
Marco Benini377 views
Point-free foundation of Mathematics by Marco Benini
Point-free foundation of MathematicsPoint-free foundation of Mathematics
Point-free foundation of Mathematics
Marco Benini583 views
Fondazione point-free della matematica by Marco Benini
Fondazione point-free della matematicaFondazione point-free della matematica
Fondazione point-free della matematica
Marco Benini394 views
Numerical Analysis and Epistemology of Information by Marco Benini
Numerical Analysis and Epistemology of InformationNumerical Analysis and Epistemology of Information
Numerical Analysis and Epistemology of Information
Marco Benini747 views
L'occhio del biologo: elementi di fotografia by Marco Benini
L'occhio del biologo: elementi di fotografiaL'occhio del biologo: elementi di fotografia
L'occhio del biologo: elementi di fotografia
Marco Benini731 views
Constructive Adpositional Grammars, Formally by Marco Benini
Constructive Adpositional Grammars, FormallyConstructive Adpositional Grammars, Formally
Constructive Adpositional Grammars, Formally
Marco Benini491 views
Marie Skłodowska Curie Intra-European Fellowship by Marco Benini
Marie Skłodowska Curie Intra-European FellowshipMarie Skłodowska Curie Intra-European Fellowship
Marie Skłodowska Curie Intra-European Fellowship
Marco Benini463 views
Algorithms and Their Explanations by Marco Benini
Algorithms and Their ExplanationsAlgorithms and Their Explanations
Algorithms and Their Explanations
Marco Benini509 views
June 22nd 2014: Seminar at JAIST by Marco Benini
June 22nd 2014: Seminar at JAISTJune 22nd 2014: Seminar at JAIST
June 22nd 2014: Seminar at JAIST
Marco Benini411 views
Fondazione point-free della matematica by Marco Benini
Fondazione point-free della matematicaFondazione point-free della matematica
Fondazione point-free della matematica
Marco Benini1K views
Adgrams: Categories and Linguistics by Marco Benini
Adgrams: Categories and Linguistics Adgrams: Categories and Linguistics
Adgrams: Categories and Linguistics
Marco Benini541 views
Intuitionistic First-Order Logic: Categorical semantics via the Curry-Howard ... by Marco Benini
Intuitionistic First-Order Logic: Categorical semantics via the Curry-Howard ...Intuitionistic First-Order Logic: Categorical semantics via the Curry-Howard ...
Intuitionistic First-Order Logic: Categorical semantics via the Curry-Howard ...
Marco Benini531 views

Recently uploaded

DEVELOPMENT OF FROG.pptx by
DEVELOPMENT OF FROG.pptxDEVELOPMENT OF FROG.pptx
DEVELOPMENT OF FROG.pptxsushant292556
11 views21 slides
Exploring the nature and synchronicity of early cluster formation in the Larg... by
Exploring the nature and synchronicity of early cluster formation in the Larg...Exploring the nature and synchronicity of early cluster formation in the Larg...
Exploring the nature and synchronicity of early cluster formation in the Larg...Sérgio Sacani
910 views12 slides
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ... by
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...ILRI
5 views6 slides
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor... by
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...Trustlife
100 views17 slides
Effect of Integrated Nutrient Management on Growth and Yield of Solanaceous F... by
Effect of Integrated Nutrient Management on Growth and Yield of Solanaceous F...Effect of Integrated Nutrient Management on Growth and Yield of Solanaceous F...
Effect of Integrated Nutrient Management on Growth and Yield of Solanaceous F...SwagatBehera9
5 views36 slides
ALGAL PRODUCTS.pptx by
ALGAL PRODUCTS.pptxALGAL PRODUCTS.pptx
ALGAL PRODUCTS.pptxRASHMI M G
5 views17 slides

Recently uploaded(20)

DEVELOPMENT OF FROG.pptx by sushant292556
DEVELOPMENT OF FROG.pptxDEVELOPMENT OF FROG.pptx
DEVELOPMENT OF FROG.pptx
sushant29255611 views
Exploring the nature and synchronicity of early cluster formation in the Larg... by Sérgio Sacani
Exploring the nature and synchronicity of early cluster formation in the Larg...Exploring the nature and synchronicity of early cluster formation in the Larg...
Exploring the nature and synchronicity of early cluster formation in the Larg...
Sérgio Sacani910 views
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ... by ILRI
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
ILRI5 views
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor... by Trustlife
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...
Trustlife100 views
Effect of Integrated Nutrient Management on Growth and Yield of Solanaceous F... by SwagatBehera9
Effect of Integrated Nutrient Management on Growth and Yield of Solanaceous F...Effect of Integrated Nutrient Management on Growth and Yield of Solanaceous F...
Effect of Integrated Nutrient Management on Growth and Yield of Solanaceous F...
SwagatBehera95 views
ALGAL PRODUCTS.pptx by RASHMI M G
ALGAL PRODUCTS.pptxALGAL PRODUCTS.pptx
ALGAL PRODUCTS.pptx
RASHMI M G 5 views
Light Pollution for LVIS students by CWBarthlmew
Light Pollution for LVIS studentsLight Pollution for LVIS students
Light Pollution for LVIS students
CWBarthlmew9 views
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy... by Anmol Vishnu Gupta
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...
Anmol Vishnu Gupta7 views
Study on Drug Drug Interaction Through Prescription Analysis of Type II Diabe... by Anmol Vishnu Gupta
Study on Drug Drug Interaction Through Prescription Analysis of Type II Diabe...Study on Drug Drug Interaction Through Prescription Analysis of Type II Diabe...
Study on Drug Drug Interaction Through Prescription Analysis of Type II Diabe...
Anmol Vishnu Gupta26 views
Structure of purines and pyrimidines - Jahnvi arora (11228108), mmdu ,mullana... by jahnviarora989
Structure of purines and pyrimidines - Jahnvi arora (11228108), mmdu ,mullana...Structure of purines and pyrimidines - Jahnvi arora (11228108), mmdu ,mullana...
Structure of purines and pyrimidines - Jahnvi arora (11228108), mmdu ,mullana...
jahnviarora9896 views
scopus cited journals.pdf by KSAravindSrivastava
scopus cited journals.pdfscopus cited journals.pdf
scopus cited journals.pdf
KSAravindSrivastava10 views
plasmids by scribddarkened352
plasmidsplasmids
plasmids
scribddarkened35213 views
Open Access Publishing in Astrophysics by Peter Coles
Open Access Publishing in AstrophysicsOpen Access Publishing in Astrophysics
Open Access Publishing in Astrophysics
Peter Coles1.2K views
Conventional and non-conventional methods for improvement of cucurbits.pptx by gandhi976
Conventional and non-conventional methods for improvement of cucurbits.pptxConventional and non-conventional methods for improvement of cucurbits.pptx
Conventional and non-conventional methods for improvement of cucurbits.pptx
gandhi97620 views
Pollination By Nagapradheesh.M.pptx by MNAGAPRADHEESH
Pollination By Nagapradheesh.M.pptxPollination By Nagapradheesh.M.pptx
Pollination By Nagapradheesh.M.pptx
MNAGAPRADHEESH19 views
ELECTRON TRANSPORT CHAIN by DEEKSHA RANI
ELECTRON TRANSPORT CHAINELECTRON TRANSPORT CHAIN
ELECTRON TRANSPORT CHAIN
DEEKSHA RANI10 views
MILK LIPIDS 2.pptx by abhinambroze18
MILK LIPIDS 2.pptxMILK LIPIDS 2.pptx
MILK LIPIDS 2.pptx
abhinambroze188 views
vitamine B1.pptx by ajithkilpart
vitamine B1.pptxvitamine B1.pptx
vitamine B1.pptx
ajithkilpart27 views
A Ready-to-Analyze High-Plex Spatial Signature Development Workflow for Cance... by InsideScientific
A Ready-to-Analyze High-Plex Spatial Signature Development Workflow for Cance...A Ready-to-Analyze High-Plex Spatial Signature Development Workflow for Cance...
A Ready-to-Analyze High-Plex Spatial Signature Development Workflow for Cance...
InsideScientific78 views
NUTRITION IN BACTERIA.pdf by NandadulalSannigrahi
NUTRITION IN BACTERIA.pdfNUTRITION IN BACTERIA.pdf
NUTRITION IN BACTERIA.pdf
NandadulalSannigrahi32 views

Programming modulo representations

  • 1. Programming modulo representations Correctness by Construction Research Project Dr M Benini Università degli Studi dell’Insubria Visiting JAIST until 16th June 2014 marco.benini@uninsubria.it 5th June 2014
  • 2. A bizarre idea to discuss The aim of this talk is to show, through an elementary example, how one can change the point of view on (functional) programming. The idea has a philosophical motivation: is it possible to conceive a programming system which does not allow to inspect its output and, at the same time, is able to ensure that the result of a computation is correct? This talk will provide a positive answer, but its consequences are still work-in-progress. This talk extends the one I gave in Genoa, so I have to apologise to those who have already listened to the first part as it will be a repetition. (2 of 18)
  • 3. Concrete and abstract lists Usually, lists are defined as the elements of the free algebra over the signature 〈{E,L},{nil:L,cons:E ×L → L}〉. And, in the standard practice of traditional programming, they are represented as follows: a cell is a record in the computer memory which contains two fields: the head which is an element in E; the tail of the list which is a list; in turn, a list is a pointer (memory address) to a cell; the empty list, nil, becomes the null pointer. Thus, cons is a procedure that allocates a cell, fills the head with its first parameter, and the tail with the second one, finally returning its address. Evidently, up to the ability to read computer memory, the result of any computation on lists can be inspected. (3 of 18)
  • 4. Concrete manipulation of a list As an example of program, we consider the concatenate function. Its specification is: “Given the lists [x1,...,xn] and [y1,...,ym], concatenate has to return the list [x1,...,xn,y1,...,ym]”. Usually, it is implemented as concatenate(x,y) ≡ if x = nil then return y else q := x while q = nil do p := q q := q → tail p → tail := y return x (4 of 18)
  • 5. Correctness The previous algorithm is correct. In fact, when x = nil, it returns y, satisfying the specification. When x = nil, x = [x1,...,xn]. So, at the end of the i-th iteration step, p = [xi ,...,xn] and q = [xi+1,...,xn], as it is immediate to prove by induction. Also, the cycle terminates after n iterations, and p = [xn]. But, in the concrete representation of x, p → tail must be nil and the assignment p → tail := y substitutes nil with y. So x becomes [x1,...,xn,y1,...,ym], as required. The proof sketched above uses in an essential way the concrete representation of the x list, because the algorithm uses “list surgery”. The algorithm, as one deduces from the proof, computes in O (|x|) steps, and uses a constant amount of memory, apart the one used the represent the input. (5 of 18)
  • 6. A functional derivation Dropping list surgery, we can use the abstract formalisation of lists directly: concatenate(x,y) ≡ if x = nil then return y else return cons (hdx) (concatenate(tlx,y)) where hd and tl return the head and the tail of its argument, respectively. Of course, this is a functional program, and it is justified by the following reasoning, which can be immediately converted into a formal correctness proof by induction on the structure of x: 1. we want that concatenate([x1,...,xn],[y1,...,ym]) = [x1,...,xn,y1,...,ym], 2. as before, if x = nil, the result is just y 3. when x = nil, concatenate([x1,...,xn],[y1,...,ym]) yields the same result as consx1 (concatenate([x2,...,xn],[y1,...,ym])); 4. in the line above, the recursive application decreases the length of the first argument, so recursion terminates after n steps, yielding the result. (6 of 18)
  • 7. Recursion versus induction In the functional implementation of concatenate, we may interpret the recursive schema as the computational counterpart of an inductive schema. It is immediate to see that such an inductive schema becomes the skeleton of the correctness proof. So, the functional program “carries” with itself its proof of correctness, in some sense. Usually, the functional implementation of concatenate is regarded as inefficient because it recursively constructs a number of intermediate lists before yielding the final results. That is, the functional program computes in O (|x|) steps, but it uses O |x|2 memory cells in a plain implementation of the language. To inspect the result we need to know that nil and cons are the constructors of the data type of lists, a piece of knowledge that is shared between the user and the programmer. (7 of 18)
  • 8. Abstracting over lists We formalised a list [x1,...,xm] as consx1 (consx2 (...(consxm nil)...)). We can use a slightly different representation1: λn,c. c x1 (c x2 (...(c xm n)...)) . The key idea is to abstract over the structure of the data type, making it part of the representation of the datum. Alternatively, we can interpret this representation A as the abstract datum, and the concrete one, C can be obtained by passing the instances of the constructors to A. For example, the standard formalisation is obtained by (Anilcons). 1As far as I know, the general algorithm to derive such a representation is due to Böhm and Berarducci, and it can be traced back to Church. But the paper of Böhm and Berarducci is subtle as it relies on a typed λ-system. (8 of 18)
  • 9. Abstracting one step further In fact, it is possible, by assuming that the λ-calculus (type theory) we are using has pairs, to abstract a bit further, so to completely hide the data type. Instead of writing [x1,...,xm] as λn,c. c x1 (c x2 (...(c xm n)...)) , we may substitute the constructors with the data type a, which is a 2-tuple, the first element being the concrete representation for nil, the second being the concrete representation for cons: λa. π2 ax1 (π2 ax2 (...(π2 axm (π1 a))...)) , where π1 and π2 are the standard projections. In this way, the programmer does not know how the list is concretely represented, but simply that the first element of a is how to interpret nil and the second element of a is how to represent cons. (9 of 18)
  • 10. Interpreting abstract lists An abstract list can be thought of as representing a term in the first-order logical language with the equality relation symbol, and the signature of the data type of lists. The λ-term standing for the abstract list realises the mapping from the logical term — the list, the body of the abstraction — into some model, which is specified when we apply to the λ-term the way to interpret the function symbols, which, in turn, are not specified. If we fix this point of view, we can write a “correct by construction” implementation of concatenate: concatenate ≡ λx,y,a. x (y a),(π2 a) . (10 of 18)
  • 11. Correctness by construction I concatenate ≡ λx,y,a. x (y a),(π2 a) It is worth explaining the construction of this program: 1. it is a function, which takes two argument x and y; 2. it returns an abstract list, so a λ-term of the form λa. L, with L a logical term in the language of lists, the constructors represented as projections from the signature a; 3. the y abstract list gets interpreted in the same model as the result of concatenate — and this is rendered by (y a); 4. the x abstract list gets interpreted in a model which has the same interpretation for cons, (π2 a), but it interprets nil as the ‘concrete’ y. We should remark that, in fact, this abstract implementation is, in essence, the very same algorithm we have shown in the beginning, deprived from the irrelevant details about the concrete data structure of lists. So, it is an efficient functional implementation. (11 of 18)
  • 12. Correctness by construction II concatenate ≡ λx,y,a. x (y a),(π2 a) The above definition is a direct coding of the explanation. In turn, the explanation can be converted into a correctness proof by observing that the structure depicted in point (4) is a model for the theory of lists; there is a mapping that preserves the meaning between the standard term model and the model above; this mapping is just the function concatenate. The idea behind this proof is that the function concatenate, intended as a program, is nothing but a morphism between models of the same theory. A non-evident aspect of the explanation of concatenate is that it correctly operates in any model for the theory of lists. (12 of 18)
  • 13. One program, many meanings For example, natural numbers, described as the structure generated by zero and successor, are a model for lists: cons ≡ λe,l. sucl and nil ≡ 0. And concatenate becomes just the usual addition. For example, interpreting cons as the Cartesian product and nil as the terminal object in a category with products, we get another model for lists. And concatenate becomes just the Cartesian product of two products. For example, interpreting cons as function application and nil as the identity function, we get another model for lists. And concatenate becomes function composition. And, in all these cases, the programmer is not aware of what his program is actually computing. But, still, as far as he assumes that there is morphism between the standard representation of lists and the intended concrete structure the program will operate on, he will be able to prove that his program is correct. (13 of 18)
  • 14. Interpretations and computing Suppose to have three actors: the real user of the program; the programmer; and a malicious user of the program. Since the real user can invoke the program by providing the inputs x and y, but not the concrete interpretation, he will obtain an abstract result which is a program that takes as input just the concrete representation a, something he can use locally and privately. The programmer knows that the purpose of the program is to concatenate lists, and he is able to write a correct implementation, even if he does not know how lists are concretely represented. So, he cannot inspect the output of the user, but he is able to test the program in the usual way by employing a standard representation for lists. The malicious user, who wants to steal the result of the real user, can inspect x and y, as well as the program, but he does not know a, as the real user does not provide it. So he can inspect the abstract result, but he will be unable to understand its meaning in the world of the real user. (14 of 18)
  • 15. Generalising Does it work only for lists? The theory behind the abstract representation for data types has been developed by Böhm and Berarducci, and it directly applies to all the data structures that can be formalised as free algebras of terms over a first-order signature. This holds for a large number of the elementary structures which are used in the current practice of programming. In a similar way, co-inductive data structures can be modelled as well. For data structures which are not free (co-)algebras, there are still some open problems, but, to some extent, they can be modelled in the same spirit — essentially, most data types used in programming are quotients of free (co-)algebras, so the inductive pattern still works, that is, recursion on the structure of the free (co-)algebra is a correct way to perform computation, even if not necessarily efficient. Does it work in a “real” programming language? As far as the programming language supports the dynamic creation of functions, e.g., by providing abstraction, the technique can be immediately used. This is the case for any functional language. (15 of 18)
  • 16. A philosophical remark Any program which takes as input the description of the data types it uses, in the abstract sense we introduced earlier, automatically computes modulo a concrete representation. Nothing prevents to use arbitrary representations: as far as one can provide a morphism from the free (co-)algebra of terms to the intended model, the result will be correctly computed. Using a bizarre representation hides the result to the programmer and to any other user who does not know the morphism that maps the abstract result into its concrete representation. So, this technique, in principle, may provide a way to perform anonymous correct computations. On another side, nothing prevents from using a non-computable concrete representation: in this way, the result cannot be inspected even by the user, although he perfectly knows, by means of a mathematical proof, that it is correct. So, inspectability and computability are distinct concepts and, in particular, the latter does not imply the former. (16 of 18)
  • 17. Conclusions In the previous slide there is a hidden assumption: that the logical theory has a canonical model which can be transformed into a any other model via a suitable mapping. This is not true in general. So the presented point of view can be stretched only when considering logical theories having such a classifying model — which is the case for free (co-)algebras of terms, for example. In my recent research (and my previous talk here), I’ve shown a semantics for first-order intuitionistic logical theories, based on a categorical setting, which has classifying models. So, every such a theory could, in principle, be regarded as a “data type” in the sense of this talk. Of course, much work has to be done... so any hint, suggestion, critique, question is mostly welcome! (17 of 18)
  • 18. The end Harmony — © Marco Benini (2014) (18 of 18)