Semantics of a Sequential Language for Exact Real-Number Computation
J. Raymundo Marcial-Romero a,∗,1, Martín H. Escardó a
a University of Birmingham, Birmingham B15 2TT, England
Abstract
We study a programming language with a built-in ground type for real numbers. In order for the language to be sufficiently expressive but still sequential, we consider a construction proposed by Boehm and Cartwright. The non-deterministic nature of the construction suggests the use of powerdomains in order to obtain a denotational semantics for the language. We show that the construction cannot be modelled by the Plotkin or Smyth powerdomains, but that the Hoare powerdomain gives a computationally adequate semantics. As is well known, Hoare semantics can be used in order to establish partial correctness only. Since computations on the reals are infinite, one cannot decompose total correctness into the conjunction of partial correctness and termination as it is traditionally done. We instead introduce a suitable operational notion of strong convergence and show that total correctness can be proved by establishing partial correctness (using denotational methods) and strong convergence (using operational methods). We illustrate the technique with a representative example.
Key words: exact real-number computation, sequential computation, semantics,
non-determinism, PCF.
1 Introduction
This is a contribution to the problem of sequential computation with real numbers, where real numbers are taken in the sense of constructive mathematics [2]. It is fair to say that the computability issues are well understood [35]. Here we focus on the issue of designing programming languages with a built-in, abstract data type of real numbers. Recent research, discussed below, has shown that it is notoriously difficult to obtain sufficiently expressive languages with sequential operational semantics and corresponding denotational semantics which articulate the data-abstraction requirement. Based on ideas arising from constructive mathematics, Boehm and Cartwright [3], however, proposed a compelling operational solution to the problem. Yet, their proposal falls short of providing a full solution to the data abstraction problem, as it is not immediately clear what the corresponding denotational interpretation would be. A partially successful attempt at solving this problem has been developed by Potts [29] and Edalat, Potts and Sünderhauf [6], as discussed below.
∗ Corresponding author.
Email addresses: jrm@cs.bham.ac.uk (J. Raymundo Marcial-Romero), mhe@cs.bham.ac.uk (Martín H. Escardó).
1 Present address: División de Computación, UAEM, Ciudad Universitaria S/N, 50040, Toluca, Estado de México, México
Preprint submitted to Elsevier Science, 20 November 2006
In light of the above, the purpose of this paper is two-fold: (1) to establish the intrinsic difficulties of providing a denotational model of Boehm and Cartwright’s operational approach, and (2) to show how it is possible to cope with the difficulties. Before elaborating on this research programme, we pause to discuss previous work.
Di Gianantonio [14], Escardó [11], and Potts et al. [28] have introduced various extensions of the programming language PCF with a ground type for real numbers. Each of these authors interprets the real numbers type as a variation of the interval domain introduced by Scott [30]. In the presence of a certain parallel conditional [26], all computable first-order functions on the reals are definable in the languages [14,8]. By further adding Plotkin’s parallel existential quantifier [26], all computable functions of all orders become definable in the languages [14,7,10]. In the absence of the parallel existential quantifier, the expressivity of the languages at second-order types and beyond is not known. Partial results in this direction are developed by Normann [24].
It is natural to ask whether the presence of such parallel constructs is an artifact of the languages or whether they are needed for intrinsic reasons. Escardó, Hofmann and Streicher [9] have shown that, in the interval domain models, the parallelism is in fact unavoidable: weak parallel-or is definable from addition and other manifestly sequential unary functions, which indicates that addition, in these models, is an intrinsically parallel operation. Moreover, Farjudian [12] has shown that if the parallel conditional is removed from the language, only piecewise affine functions on the reals are definable.
Essentially, the problem is as follows. Because computable functions on the reals are continuous (see e.g. [35]), and because the real line is a connected space, any computable boolean-valued function on the reals is constantly true or constantly false unless it diverges for some inputs. Hence, definitions using the sequential conditional produce either constant total functions or partial functions. If one allows the boolean-valued functions to diverge at some inputs, then non-trivial predicates are obtained, and this, together with the parallel conditional, allows us to define the non-trivial total functions [11].
This phenomenon had been anticipated by Boehm and Cartwright [3], who also proposed a solution to the problem. In this paper we develop the proposed solution and study its operational and denotational semantics. The idea is based on the following observations. In classical mathematics, the trichotomy law “x < y, x = y or x > y” holds for any pair of real numbers x and y, but, as is well known, it fails in constructive (and in classical recursive) mathematics. However, the following alternative cotransitivity law holds in constructive settings: for any two numbers a < b and any number x, at least one of the relations a < x or x < b holds. Equivalently, one has that (−∞,b) ∪ (a,∞) = R. Boehm and Cartwright’s idea is to consider a language construct rtest_{a,b}, for a < b rational, such that:
(1) rtest_{a,b}(x) evaluates to true or to false for every real number x,
(2) rtest_{a,b}(x) may evaluate to true iff x < b, and
(3) rtest_{a,b}(x) may evaluate to false iff a < x.
It is important here that evaluation never diverges for a convergent input. If the real number x happens to be in the interval (a,b), then the specification of rtest_{a,b}(x) allows it to evaluate to true or alternatively to false. The particular choice will depend on the particular implementation of the real number x and of the construct rtest_{a,b} (cf. [20]), and is thus determined by the operational semantics.
As an application of the construction, we give an example of a recursive definition of a sequential program for addition, which is single-valued at total inputs, as required, but multi-valued at partial inputs. Thus, by allowing the output to be multi-valued at partial inputs, we are able to overcome the negative results of Escardó, Hofmann and Streicher mentioned above.
We take the view that the denotational value of rtest_{a,b}(x) lives in a suitable powerdomain of the booleans. Thus (1) if a < x < b then the denotational value would be the set {true,false}, (2) if a ≮ x and x < b then it would be the set {true}, and (3) if a < x and x ≮ b then it would be the set {false}. Technically, one has to be careful regarding which subsets of the powerset are allowed, but this is tackled later in the body of the paper. One of our main results is that the Hoare powerdomain gives a computationally adequate denotational semantics. We also show that the Plotkin and Smyth powerdomains do not render the rtest construction continuous and hence cannot be used as models. These and other examples of powerdomains are discussed in the body of the paper.
As is well known, Hoare semantics can be used in order to establish partial correctness only. Because computations on the reals are infinite, one cannot decompose total correctness into the conjunction of partial correctness and termination, as is usually done for discrete data types. Instead, we introduce a suitable operational notion of strong convergence and show that total correctness can be proved by establishing partial correctness (using denotational methods) and strong convergence (using operational methods). The technique is illustrated by a proof of total correctness of our sequential program for addition. Further applications are discussed in the concluding section.
1.1 Related work.
Potts [29] considers a redundant if operator (rif) for his programming language LAR (an extension of PCF with linear fractional transformations), defined as
$$\mathrm{rif} : IC_K \times IC_F^2 \times (IC_K \to t)^2 \to t$$
$$\mathrm{rif}\ x < (I,J);\ \mathrm{then}\ f\ \mathrm{else}\ g = \begin{cases} f(x), & \text{if } I \ll x; \\ g(x), & \text{if } J \ll x, \end{cases}$$
where K ∈ IC_{R∞} and F is a dense subset of K. He uses the Hoare powerdomain to develop a denotational semantics for his language and prove computational adequacy. Our work justifies this choice. Potts considers a deterministic one-step reduction relation, while we consider a non-deterministic relation so as to have as precise a match as possible with the denotational semantics in the case of multi-valued terms.
Edalat, Potts and Sünderhauf [6] had previously considered the denotational counterpart of Boehm and Cartwright’s operational solution. However, they restrict attention to what can be referred to as single-valued, total computations. In particular, their computational adequacy result for their denotational semantics is restricted to this special case. Although it is indeed natural to regard this case as the relevant one, we have already met compelling examples, such as the fundamental operation of addition, in which sequentiality cannot be achieved unless one allows, for example, multi-valued outputs at partial inputs.
For their denotational semantics, they consider the Smyth powerdomain of a topological space of real numbers (which they refer to as the upper powerspace). Thus, they consider possibly non-deterministic computations of total real numbers, restricting their attention to those which happen to be deterministic. In the work reported here, we instead consider non-deterministic computations of total and partial real numbers. In other words, instead of considering a powerdomain of a space of real numbers, we consider a powerdomain of a domain of partial real numbers. Our computational adequacy result holds for general computations, total or partial, and whether deterministic or not. For our domain of partial real numbers, we consider the interval domain proposed by Scott [30], but the present findings are expected to apply to many possible notions of domain of partial real numbers.
Farjudian [13] has developed a programming language, which he called SHRAD, which satisfies the three requirements mentioned at the beginning of the paper: sequentiality, data abstraction and expressivity. In his work, he defines a sequential language in which all computable first order functions are definable. However, extensionality is traded off for sequentiality, in the sense that all computable first order functions are extensional over total real numbers but not over partial real numbers. Hence functions such as the rounding functions, which are frequently used in practice, cannot be defined in SHRAD.
Di Gianantonio [15] also discusses the problem of sequential real-number computation in the presence of data abstraction, with some interesting negative results and translations of parallel languages into sequential ones.
In order to characterize computable functions on the real numbers, Brattka [4] introduces a class of relations that includes a construction which is essentially the same as Boehm and Cartwright’s multi-valued test discussed above. The main difference is that we articulate relations as functions with values on a powerdomain. With this, we are able to capture higher-type computation. Moreover, as discussed above, we take a powerdomain of the interval domain, not of the real line, and hence we are able to distinguish partiality from multi-valuedness: an interval gives a partially specified real number, and a set of intervals collects the possible (total or partial) outputs of a non-deterministic computation.
1.2 Organization.
Section 2 presents a running example that motivates the technical development that follows. Section 3 introduces some background. Section 4 studies the rtest construction from the point of view of powerdomains. Section 5 develops a programming language with the rtest construction and establishes computational adequacy for the denotational semantics developed in Section 4. Section 6 applies this to develop techniques for correctness proofs and gives sample applications. Section 7 summarizes the main results and discusses open problems and further work.
2 Running example
In order to motivate the use of the multi-valued construction discussed in the introduction, we give an example showing how it can be used to avoid the parallel constructions used in previous works on real-number computation. We take the opportunity to introduce some basic concepts and constructions studied in the technical development that follows.
In the programming language considered in [11], the average operation
(− ⊕ −): [0,1] × [0,1] → [0,1]
defined by
x ⊕ y = (x + y)/2
can be implemented as follows:
x ⊕ y = pif x < c
        then pif y < c
             then cons_L(tail_L(x) ⊕ tail_L(y))
             else cons_C(tail_L(x) ⊕ tail_R(y))
        else pif y < c
             then cons_C(tail_R(x) ⊕ tail_L(y))
             else cons_R(tail_R(x) ⊕ tail_R(y)).
Here
c = 1/2, L = [0,c], C = [1/4,3/4], R = [c,1],
the function cons_a: [0,1] → [0,1] is the unique increasing affine map with image the interval a, i.e.,
cons_L(x) = x/2,
cons_C(x) = x/2 + 1/4,
cons_R(x) = x/2 + 1/2,
and the function tail_a: [0,1] → [0,1] is a left inverse, i.e.
tail_a(cons_a(x)) = x.
More precisely, the following left inverse is taken, where κ_a is the length of a and µ_a is the left end-point of a:
tail_a(x) = max(0, min(κ_a x + µ_a, 1)).
Because equality on real numbers is undecidable, the relation x < c is undefined (or diverges, or denotes ⊥) if x = c. In order to compensate for this, one uses a parallel conditional such that
pif ⊥ then z else z = z.
The intuition behind the above program is the following. If both x and y are in the interval L, then we know that x ⊕ y is in the interval L; if both x and y are in the interval R, then we know that x ⊕ y is in the interval R, and so on. The boundary cases are taken care of by the parallel conditional. For example, 1/2 is both in L and R, and an unfolding of the program for x = y = 1/2 gives
1/2 ⊕ 1/2 = pif ⊥
            then pif ⊥
                 then cons_L(1 ⊕ 1)
                 else cons_C(1 ⊕ 0)
            else pif ⊥
                 then cons_C(0 ⊕ 1)
                 else cons_R(0 ⊕ 0).
All branches of the conditionals evaluate to 1/2, but in an infinite number of steps. This can be seen as follows. A repeated unfolding of 1 ⊕ 1 gives the infinite expression cons_R(cons_R(cons_R(...))). Denotationally speaking, the program computes the unique fixed point of cons_R, which is 1. Operationally speaking, the first unfolding says that the result of the computation, whatever it is, lives in the interval R, because, by definition, the image of cons_R is R; the second unfolding says that the result is in the right half of the interval R, i.e. in the interval [3/4,1]; the third unfolding tells us that the result is in the interval [7/8,1], and so on. Thus, the operational semantics applied to 1 ⊕ 1 produces a shrinking sequence of intervals converging to 1. The other cases are analogous.
Of course, a drawback of such a recursive definition is that, during evaluation, the number of parallel processes grows exponentially in the number of unfoldings. In order to overcome this, we switch back to the usual sequential conditional, and we replace the partial less-than test by the multi-valued test discussed in the introduction:
Average(x,y) = if rtest_{l,r}(x)
               then if rtest_{l,r}(y)
                    then cons_L(Average(tail_L(x), tail_L(y)))
                    else cons_C(Average(tail_L(x), tail_R(y)))
               else if rtest_{l,r}(y)
                    then cons_C(Average(tail_R(x), tail_L(y)))
                    else cons_R(Average(tail_R(x), tail_R(y))),
where c of the previous program splits into two points
l = 1/4, r = 3/4,
and this time we choose
L = [0,r], C = [1/8,7/8], R = [l,1].
The intuition behind this program is similar. What is interesting is that, despite the use of the multi-valued construction rtest, the overall result of the computation is single valued. In other words, different computation paths will give different shrinking sequences of intervals, but all of them will shrink to the same number. A proof of this fact and of correctness of the program is provided in Section 6, using the techniques developed below. For further examples see [22].
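The Average program above, run as an added example (this code is not from the paper): intervals are pairs of exact rationals, cons_a is the affine map of Section 2 applied endpoint-wise, tail_a is implemented as the clipped inverse of cons_a so that the left-inverse law tail_a(cons_a(x)) = x holds, and rtest_{l,r} on an interval returns every answer the construct is permitted to give (true when the upper end-point is below r, false when the lower end-point is above l). Enumerating all permitted choices exhibits the claim of the text: on total inputs every path yields an interval containing (x+y)/2 whose width shrinks geometrically, while on a partial input the set of outputs is genuinely multi-valued.

```python
from fractions import Fraction as F

# Intervals are (lo, hi) pairs of exact rationals inside [0, 1]; a total
# real x is the singleton (x, x).  BOTTOM is the least element of I.
BOTTOM = (F(0), F(1))
l, r = F(1, 4), F(3, 4)                              # the two test points of Average
L, C, R = (F(0), r), (F(1, 8), F(7, 8)), (l, F(1))   # L=[0,r], C=[1/8,7/8], R=[l,1]


def cons(a, x):
    """cons_a, the increasing affine map [0,1] -> a, applied endpoint-wise.
    Applied to an interval b this is the gluing ab = cons_a(b) of Section 5.3."""
    kappa, mu = a[1] - a[0], a[0]
    return (kappa * x[0] + mu, kappa * x[1] + mu)


def tail(a, x):
    """Left inverse of cons_a (the inverse affine map, clipped to [0,1]),
    so that tail(a, cons(a, x)) == x.  Applied endpoint-wise to intervals."""
    kappa, mu = a[1] - a[0], a[0]
    clip = lambda t: max(F(0), min((t - mu) / kappa, F(1)))
    return (clip(x[0]), clip(x[1]))


def rtest(x, a=l, b=r):
    """Answers the multi-valued test rtest_{a,b} may give on an interval x:
    true is permitted when sup x < b, false when a < inf x (rules 11 and 12 of
    Section 5.3).  Both when x lies inside (a, b); neither when x is too wide."""
    allowed = []
    if x[1] < b:
        allowed.append(True)
    if a < x[0]:
        allowed.append(False)
    return allowed


def average_outputs(x, y, depth):
    """Every output interval reachable by unfolding Average(x, y) `depth` times,
    one per sequence of choices the two rtests permit.  A branch on which an
    rtest cannot fire yet contributes only what is already known (bottom)."""
    if depth == 0:
        return {BOTTOM}
    tests_x, tests_y = rtest(x), rtest(y)
    if not tests_x or not tests_y:
        return {BOTTOM}
    results = set()
    for bx in tests_x:
        for by in tests_y:
            # The four branches of the program: which cons to emit, and which
            # tail to apply to each argument before recursing.
            letter = L if (bx and by) else R if not (bx or by) else C
            ax, ay = (L if bx else R), (L if by else R)
            for rest in average_outputs(tail(ax, x), tail(ay, y), depth - 1):
                results.add(cons(letter, rest))   # cons_a(cons_b M) = cons_{ab} M
    return results


def contains(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def exact_average(x, y):
    """Endpoint-wise (x + y) / 2: the value every computation path must enclose."""
    return ((x[0] + y[0]) / 2, (x[1] + y[1]) / 2)


if __name__ == "__main__":
    # Constructed sample: total inputs 3/8 and 5/8, both strictly inside (l, r),
    # so every rtest on them is free to answer either way.
    x, y = (F(3, 8), F(3, 8)), (F(5, 8), F(5, 8))
    for depth in range(1, 6):
        outs = average_outputs(x, y, depth)
        print(depth, len(outs), "distinct outputs; all contain 1/2:",
              all(contains(o, exact_average(x, y)) for o in outs),
              "widths:", {o[1] - o[0] for o in outs})
    # A partial input straddling the test points: the set of outputs is
    # multi-valued, yet each member still encloses the exact average interval.
    px = (F(3, 8), F(5, 8))
    print(sorted(average_outputs(px, (F(1, 2), F(1, 2)), 2)))
```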
3 Background
For domain-theoretic concepts, the reader is referred to [1,27], and for topological concepts to [33,34] (see also [16]). Here we briefly summarize the notions and facts that are relevant to our purposes.
3.1 Continuous Domains
Let P be a set with a preorder ⊑. For a subset X of P and an element x ∈ P we
write
↓X = {y ∈ P | y ⊑ x for some x in X},
↑X = {y ∈ P | x ⊑ y for some x in X},
↓x = ↓{x},↑x = ↑{x}.
We also say that X is a lower set iff X = ↓X, and that X is an upper set iff
X = ↑X.
Let x and y be elements of a directed complete partial order (dcpo) D. We say that x is way-below or approximates y, denoted x ≪ y, if for every directed subset A of D, y ⊑ ⊔A implies ∃a ∈ A with x ⊑ a. We say that x is compact if it approximates itself. We define ↑↑x = {y ∈ D | x ≪ y}, ↓↓x = {y ∈ D | y ≪ x} and K(D) = {x ∈ D | x is compact}. We say that a subset B of a dcpo D is a basis for D, if for every element x of D the set ↓↓x ∩ B contains a directed subset with supremum x. A dcpo is called a continuous domain or simply a domain if it has a basis. A dcpo is called an algebraic domain if it has a basis of compact elements. An example of an algebraic domain is the domain T⊥ = {⊥,false,true} of booleans, ordered by ⊥ ⊑ false, ⊥ ⊑ true. A function f from a domain D to a domain E is Scott continuous if it is monotone and f(⊔A) = ⊔f(A) for all directed subsets A of D. A Scott closed subset of a domain D is a lower set closed under directed suprema. We say that a Scott closed set is finitely generated if it is the lower set of a finite set. The following is easily established:
Lemma 3.1 If D is a continuous domain, C a finitely generated Scott closed subset of D and f : D → D Scott continuous then
↓{f(x) | x ∈ C} = cl{f(x) | x ∈ C},
where cl denotes topological (Scott) closure.
3.2 The Interval Domains R and I
The set R of non-empty compact subintervals of the Euclidean real line ordered by reverse inclusion,
x ⊑ y iff x ⊇ y,
is a continuous domain, referred to as the interval domain. Here intervals are regarded as “partial numbers”, with the singleton intervals playing the role of “total numbers”. If we add a bottom element to R, then R becomes a bounded complete continuous domain R⊥. For any interval x ∈ R, we write
$$\underline{x} = \inf x \quad\text{and}\quad \overline{x} = \sup x$$
so that $x = [\underline{x}, \overline{x}]$. Its length is defined by
$$\kappa_x = \overline{x} - \underline{x}.$$
A subset A ⊆ R has a least upper bound iff it has non-empty intersection, and in this case
$$\bigsqcup A = \Big[\sup_{a \in A} \underline{a},\ \inf_{a \in A} \overline{a}\Big].$$
The way-below relation of R is given by
$$x \ll y \quad\text{iff}\quad \underline{x} < \underline{y} \ \text{and}\ \overline{y} < \overline{x}.$$
A basis for R is given by the intervals with distinct rational (alternatively dyadic) end-points.
The set I of all non-empty closed intervals contained in the unit interval [0,1] is a bounded complete, countably based continuous domain, referred to as the unit interval domain. The bottom element of I is the interval [0,1].
3.3 Powerdomains
Powerdomains [25,31,32] are usually constructed as ideal completions [18] of finite subsets of basis elements. For our purposes, it is more convenient to work with their topological representations [27,1,19], which we now summarize. It is enough for our purposes to restrict attention to ω-continuous dcpos, which we refer to as domains in this subsection.
A subset A of a dcpo D is called Scott closed if it is closed in the Scott topology, that is, if it is a lower set and is closed under the formation of suprema of directed subsets. We use the notation cl(A) for the topological closure of A, i.e. the smallest Scott closed set containing A. A lens is a non-empty set that arises as the intersection of a Scott-closed set and a Scott compact upper subset. Here the notion of Scott compact set is to be understood in the topological sense (every cover consisting of Scott open sets has a finite subcover). On the set of lenses of a dcpo D, we define the topological Egli-Milner ordering ⊑_TEM by K ⊑_TEM L if L ⊆ ↑K and K ⊆ cl(L).
Notice that in a finite domain such as the flat domain of booleans, the lenses are just order-convex sets, and that the topological Egli-Milner order coincides with the usual order-theoretical one [16]. This is because in a finite domain the closed sets are precisely the lower sets, and all sets are compact.
The Plotkin powerdomain P_P D of a domain D consists of the lenses of D under the Egli-Milner order, and the formal-union operation A ∪ B is given by actual union A ∪ B followed by topological convex closure (intersection of all convex closed sets containing it). There is a natural topological embedding η: D → P_P D given by x ↦ {x}.
The Smyth powerdomain P_S D consists of the set of non-empty Scott-compact upper subsets ordered by reverse inclusion, with formal union given by actual union. In this case, we have a natural topological embedding η: D → P_S D given by x ↦ ↑x.
The Hoare powerdomain P_H D consists of all non-empty Scott-closed subsets of D ordered by inclusion. Because we use this to obtain a denotational model of our language, we consider it in more detail. Least upper bounds are given by
$$\bigsqcup_{i \in I} A_i = \mathrm{cl} \bigcup_{i \in I} A_i.$$
The construction is the functor part of a monad, with action on continuous maps given by
$$\hat{f} : P_H D \to P_H E, \qquad A \mapsto \mathrm{cl}\, f[A]$$
for any f : D → E. Its unit is given by
$$\eta_D : D \to P_H D, \qquad x \mapsto \downarrow x,$$
which is also a topological embedding. Instead of considering multiplication, one can equivalently consider the extension operator [21, Proposition 2.14], in this case given by
$$\bar{f} : P_H D \to P_H E, \qquad A \mapsto \mathrm{cl} \bigcup_{a \in A} f(a)$$
for any continuous map f : D → P_H E. Finally, formal unions are given by actual unions as in the case of the Smyth powerdomain:
A ∪ B = A ∪ B.
4 Semantics of the Multi-valued Construction
In order to make the development of the introduction precise, we assume that we are given a functorial powerdomain construction P, in a suitable category of domains, with a natural embedding
η_D: D → PD
and a continuous formal-union operation
(− ∪ −): PD × PD → PD
for every domain D. Then the definition of the function rtest_{a,b}: R → PT, where a < b are real numbers, can be formulated as
$$\mathrm{rtest}_{a,b}(x) = \begin{cases} \eta(\mathit{true}), & \text{if } x \in (-\infty, a], \\ \eta(\mathit{true}) \cup \eta(\mathit{false}), & \text{if } x \in (a, b), \\ \eta(\mathit{false}), & \text{if } x \in [b, \infty). \end{cases}$$
Because in our language there will be computations on the reals that diverge or fail to fully specify a real number, we need to embed the real line into a domain of total and partial real numbers. We choose to work with the domain R⊥, where R is the interval domain introduced in Section 3. Similarly, as usual, we enlarge the domain T of booleans with a bottom element. Hence we have to work with an extension R⊥ → PT⊥ of the above function, which we denote by the same name:
             rtest_{a,b}
      R   ────────────→   PT
      │                    │
      ↓                    ↓
      R⊥  ────────────→   PT⊥
             rtest_{a,b}
For the moment, we do not insist on any particular extension. However, in order for a powerdomain construction to qualify for a denotational model of the language, the minimum requirement is that it makes the rtest_{a,b} function continuous.
Lemma 4.1 If rtest_{a,b}: R⊥ → PT⊥ is a continuous extension of the function rtest_{a,b}: R → PT, then the inequalities
η(true) ⊑ η(true) ∪ η(false),
η(false) ⊑ η(true) ∪ η(false)
must hold in the powerdomain PT⊥.
PROOF. Because the embedding R ↪ R⊥ is continuous when R is endowed with its usual topology and R⊥ with its Scott topology, so is its composition with the function rtest_{a,b}: R⊥ → PT⊥, which we denote by r: R → PT⊥. (This is the diagonal of the above commutative square.) In any dcpo, the relation d ⊑ e holds if and only if every neighbourhood of d is a neighbourhood of e. Let V be a neighbourhood of t := η(true). We have to show that n := η(true) ∪ η(false) ∈ V. The set U := r^{−1}(V) is open in R by continuity of r: R → PT⊥. Because r(a) = t ∈ V, we have that a ∈ r^{−1}(V) = U. Hence, because U is open in R, there is an open interval (u,v) with a ∈ (u,v) ⊆ U. Choose x such that a < x < v and x < b, that is, such that x ∈ (a,b) ∩ (u,v) ⊆ U. By construction, r(x) = n. But x ∈ r^{−1}(V), which shows that n ∈ V and hence that t ⊑ n, which amounts to the first inequality. The second inequality is obtained in the same way. □
Thus, any powerdomain not satisfying the above two inequalities does not qualify for a model. In particular, this rules out the Plotkin and Smyth powerdomains. In fact, for the Plotkin powerdomain one has that η(true) = {true} and η(false) = {false}, and their formal union is {true,false} because this set is order-convex, but the sets {true} and {true,false} are incomparable in the Egli-Milner order. For the Smyth powerdomain, the same sets are obtained by the embedding, formal union is given by actual union, and hence the inequalities do not hold because the order is given by reverse inclusion. We omit routine proofs of the fact that e.g. the mixed [17] and the sandwich [5] powerdomains also fail to satisfy the inequalities and hence to make the rtest_{a,b} construction continuous.
On the other hand, for the Hoare powerdomain, the inequalities do hold. In fact, η(true) = {true,⊥} and η(false) = {false,⊥}, their formal union is their actual union {true,false,⊥}, and the ordering is given by inclusion. Moreover:
Proposition 1 There is a continuous extension rtest^H_{a,b}: R⊥ → P_H T⊥ of the function rtest_{a,b}: R → PT.
PROOF. The functions f, g: R⊥ → PT⊥ defined by
$$f(x) = \begin{cases} \eta(\mathit{true}), & \text{if } x \subseteq (-\infty, b), \\ \bot, & \text{otherwise,} \end{cases} \qquad g(x) = \begin{cases} \eta(\mathit{false}), & \text{if } x \subseteq (a, \infty), \\ \bot, & \text{otherwise,} \end{cases}$$
are easily seen to be continuous, and they are consistent because η(true) and η(false) are consistent elements. Hence their join
rtest^H_{a,b} = f ⊔ g
is well-defined and continuous. An easy verification shows that this function has the required extension property. □
Fig. 1. Powerdomains of T⊥. (Three Hasse diagrams: Plotkin, under the Egli-Milner order, with elements {true,false,⊥},   {true,⊥}, {false,⊥}, {⊥}, {true,false}, {true} and {false}; Smyth, under the reverse inclusion order, with elements {true,false,⊥}, {true,false}, {true} and {false}; Hoare, under the inclusion order, with elements {true,false,⊥}, {true,⊥}, {false,⊥} and {⊥}.)
As we want to match our model with the operational semantics of the construction, it would be desirable to distinguish between the elements {true} and {true,⊥} in the model. However, the Hoare powerdomain does not distinguish them, and, on the other hand, as we have just seen, other powerdomains do not give a continuous interpretation of our construction. In order to overcome this problem when the Hoare powerdomain is used as a denotational model, one usually decomposes proofs of program correctness into partial correctness and termination. A related approach is considered in Section 6.
From now on, we denote rtest^H_{a,b}: R⊥ → P_H T⊥ simply by rtest_{a,b}. In our applications, we are only interested in the situation 0 < a < b < 1 and the restriction of this function to the domain I of closed subintervals of the interval [0,1], again written rtest_{a,b}: I → PT⊥.
4.0.0.1 Remark on the boundary cases of rtest. Before proceeding to the main goal of this paper, we briefly digress to discuss a natural variation rtest′_{a,b}: R → PT of the rtest_{a,b} construction, defined by
$$\mathrm{rtest}'_{a,b}(x) = \begin{cases} \eta(\mathit{true}), & \text{if } x \in (-\infty, a), \\ \eta(\mathit{true}) \cup \eta(\mathit{false}), & \text{if } x \in [a, b], \\ \eta(\mathit{false}), & \text{if } x \in (b, \infty). \end{cases}$$
With a proof similar to that of Lemma 4.1, we conclude that if rtest′_{a,b} is continuous then
η(true) ∪ η(false) ⊑ η(true),
η(true) ∪ η(false) ⊑ η(false).
This rules out the Plotkin and Hoare powerdomains, but not the Smyth powerdomain. However, it is not clear what the operational counterpart of this function would be. The function rtest_{a,b} is operationally computable because, for any argument x given intensionally as a shrinking sequence of intervals, the computational rules systematically establish one of the semidecidable conditions a < x and x < b. However, the conditions a ≤ x and x ≤ b are not semi-decidable, and hence it is not immediately apparent what a computationally adequate operational semantics for rtest′ would be. But it is interesting, as pointed out by one of the referees, that the cotransitivity law given in the introduction as a constructive justification of rtest can be equivalently formulated as “a ≤ x or x ≤ b whenever a < b”. In any case, it is not clear to us, at the time of writing, whether or how this reformulation of the cotransitivity law would lead to a computational mechanism for rtest′.
5 A Programming Language for Sequential Real-Number Computation
We introduce the language LRT for the rtest construction, which amounts to the language considered by Escardó [11] with the parallel conditional removed and a constant for rtest_{a,b} added. We remark that this is a call-by-name language. Because real-number computations are infinite, and there are no canonical forms for partial real-number computations, it is not clear what a call-by-value operational semantics ought to be. We leave this as an open problem.
5.1 Syntax
The language LRT is an extension of PCF with a ground type for real numbers and suitable primitive functions for real-number computation. Its raw syntax is given by
x ∈ Variable,
t ::= nat | bool | I | t → t,
P ::= x | n | true | false | (+1)(P) | (−1)(P) | (= 0)(P) | if P then P else P | cons_a(P) | tail_a(P) | rtest_{a,b}(P) | λx : t.P | PP | YP,
where the subscripts of the constructs cons, tail are rational intervals and those of rtest are rational numbers. (We apologize for using the letters a and b to denote numbers and intervals in different contexts.) Terms of ground type I are intended to compute real numbers in the unit interval.
It is convenient for our purposes to first define the denotational and then the opera-
tional semantics.
5.2 Denotational Semantics.
The ground types bool, nat and I are interpreted as the Hoare powerdomain of the domains of booleans, natural numbers and intervals, respectively. Function types are interpreted as function spaces in the category of dcpos:
⟦bool⟧ = P_H T⊥, ⟦nat⟧ = P_H N⊥, ⟦I⟧ = P_H I,
⟦σ → τ⟧ = ⟦σ⟧ → ⟦τ⟧.
This reflects the fact that we are considering a call-by-name language.
The interpretation of constants in LRT is defined as follows:
⟦true⟧ = η(true), ⟦false⟧ = η(false), ⟦n⟧ = η(n),
⟦(+1)⟧ = $\widehat{(+1)}$, ⟦(−1)⟧ = $\widehat{(-1)}$, ⟦(= 0)⟧ = $\widehat{(= 0)}$,
⟦cons_a⟧ = $\widehat{\mathrm{cons}_a}$, ⟦tail_a⟧ = $\widehat{\mathrm{tail}_a}$, ⟦rtest_{a,b}⟧ = rtest_{a,b},
$$\llbracket Y \rrbracket (F) = \bigsqcup_{n \ge 0} F^n(\bot),$$
$$\llbracket \mathrm{if} \rrbracket (B, X, Y) = \begin{cases} X, & \text{if } B = \eta(\mathit{true}), \\ Y, & \text{if } B = \eta(\mathit{false}), \\ X \cup Y, & \text{if } B = \eta(\mathit{true}) \cup \eta(\mathit{false}), \\ \bot, & \text{if } B = \bot. \end{cases}$$
Here the symbols η, $\hat{\ }$, ⊔ are defined as in Section 3.3, the functions (+1), (−1), (= 0) are the standard interpretations in the Scott model of PCF, the functions cons_a, tail_a are defined in Section 2, and the function rtest_{a,b} is defined in Section 4.
5.3 Operational Semantics
We consider a small-step style operational semantics for our language. We define
the one-step reduction relation → to be the least relation containing the one-step
reduction rules for evaluation of PCF [26] together with those given below.
We first need some preliminaries. For intervals a and b in I, we define
ab = cons_a(b),
where cons is the extension to the interval domain of the function defined in Section 2. This operation is associative, and has the bottom element of I as its neutral element [11]:
(ab)c = a(bc), a⊥ = ⊥a = a.
Moreover,
a ⊑ b ⇐⇒ ∃c ∈ I. ac = b,
and this c is unique if a has non-zero length, i.e. it is not maximal, and in this case we denote c by
b \ a.
For intervals a and b, we define
$$a \le b \iff \overline{a} \le \underline{b}$$
and
a ↑ b ⇐⇒ ∃c. a ⊑ c and b ⊑ c.
With this notation, the rules for Real PCF as defined in [11] are:
(1) cons_a(cons_b M) → cons_{ab} M
(2) cons_a M → cons_a M′ if M → M′ and (1) is not applicable
(3) tail_a(cons_b M) → Y cons_L if b ≤ a
(4) tail_a(cons_b M) → Y cons_R if b ≥ a
(5) tail_a(cons_b M) → cons_{b\a} M if a ⊑ b and a ≠ b
(6) tail_a(cons_b M) → cons_{(a⊔b)\a}(tail_{(a⊔b)\b} M) if a ↑ b, a ⋢ b, b ⋢ a, b ≰ a and a ≰ b
(7) tail_a(M) → tail_a(M′) if M → M′ and (3)-(6) are not applicable
(8) if true M N → M
(9) if false M N → N
(10) if M N1 N2 → if M′ N1 N2 if M → M′ and (8), (9) are not applicable
For our language LRT, we add:
(11) rtest_{b,c}(cons_a M) → true if $\overline{a} < c$,
(12) rtest_{b,c}(cons_a M) → false if $b < \underline{a}$,
(13) rtest_{b,c} M → rtest_{b,c} M′ if M → M′.
Remark 5.1
(1) Rule 1 plays a crucial role and amounts to the associativity law. The idea is
that both a and b give partial information about a real number, and ab is the
result of gluing the partial information together in an incremental way. See the
paper [11] for a further discussion, including a geometrical interpretation.
(2) Notice that if the interval a is contained in the interval [b,c], rules 11 and 12
can be applied.
(3) Rules 11-13 cannot be made deterministic given the particular computational
adequacy formulation which is proved in Section 5.4. We shall show that the
set of rewrite rules is rich enough to allow one to derive operationally every-
thing that the denotational semantics suggests. This does not mean that we
are giving a specification for an implementation of LRT. In the absense of
rtestb,c, the rules 1-10 are deterministic without loss of computational ade-
quacy. See Section 6 for a further discussion.
(4) In practice, one would like to avoid divergent computations by considering
a strategy for application of the rules. This is the topic of Section 6 where
we study total correctness. For the purposes of this section, we consider the
non-deterministic view.
We now introduce a notion of operational meaning of a term, where the operational
values are taken in a powerdomain too. The difference between this operational
semantics and the denotational semantics given above is that the former is obtained
by reduction but the latter is obtained, as usual, by compositional means.
Definition 5.2 Firstly, we define the operational meaning of closed terms $M$ of ground types $\gamma$ in $i$ steps of computation, written $[M]_i$, which is to be an element of the domain $\llbracket \gamma \rrbracket$.
If $M : I$, then we define
$$[M]_i = \bigcup \{\eta(a) \mid \exists M'\, \exists k \le i.\ M \to^k \mathtt{cons}_a M'\}.$$
(If this set is empty, then of course $[M]_i = \bot$.) Here the relation $\to^k$ denotes the $k$-fold composition of the relation $\to$.
If $M : \mathtt{nat}$, then we define
$$[M]_i = \bigcup \{\eta(n) \mid \exists k \le i.\ M \to^k n\}$$
if this set is non-empty, and $[M]_i = \bot$ otherwise. The operational meaning of $M : \mathtt{bool}$ is defined similarly.
It is immediate that $[M]_i \sqsubseteq [M]_{i+1}$. Hence we can define
$$[M] = \bigsqcup_i [M]_i.$$
Of course, only in the case of the ground type of real numbers is this definition non-trivial, but it is convenient to have a uniform treatment for all types.
5.4 Computational Adequacy.
In our setting, computational adequacy amounts to the equation $[M] = \llbracket M \rrbracket$ for all closed terms $M$ of ground type, where $[M]$ is the operational meaning of $M$ and $\llbracket M \rrbracket$ is the denotational meaning of $M$ defined above.
For a deterministic language such as PCF, soundness of the denotational semantics follows from the fact that $M \to N$ implies $\llbracket M \rrbracket = \llbracket N \rrbracket$. For our non-deterministic language, we rely on the following:
Lemma 5.3 $\llbracket M \rrbracket = \bigcup \{\llbracket N \rrbracket \mid M \to N\}$ (notice that this is a finite union).
PROOF. The proof is by structural induction on M.
If M is a value, there is nothing to prove.
Suppose $M \equiv (-1)M'$ and $M \to N$; there are three rules that apply to predecessor.
First case: $M \equiv (-1)k_0$ and $(-1)k_0 \to k_0 \equiv N$,
$$\llbracket (-1)k_0 \rrbracket = \widehat{(-1)}\llbracket k_0 \rrbracket = \widehat{(-1)}\{0,\bot\} = \mathrm{cl}\{(-1)0,(-1)\bot\} = \mathrm{cl}\{0,\bot\} = \{0,\bot\} = \llbracket k_0 \rrbracket = \llbracket N \rrbracket.$$
Second case: $M \equiv (-1)k_{n+1} \to k_n \equiv N$,
$$\llbracket (-1)k_{n+1} \rrbracket = \widehat{(-1)}(\llbracket k_{n+1} \rrbracket) = \widehat{(-1)}\{n+1,\bot\} = \mathrm{cl}\{(-1)(n+1),(-1)\bot\} = \mathrm{cl}\{n,\bot\} = \{n,\bot\} = \llbracket k_n \rrbracket = \llbracket N \rrbracket.$$
Third case: $M \equiv (-1)M'$ and $M \to (-1)N'$ if $M' \to N'$. By the induction hypothesis, $\llbracket M' \rrbracket = \bigcup \{\llbracket N' \rrbracket \mid M' \to N'\}$; applying $\widehat{(-1)}$ to both sides of the equation:
$$\llbracket M \rrbracket = \llbracket (-1)M' \rrbracket = \widehat{(-1)}\llbracket M' \rrbracket = \widehat{(-1)}\Big(\bigcup \{\llbracket N' \rrbracket \mid M' \to N'\}\Big) = \bigcup \{\widehat{(-1)}\llbracket N' \rrbracket \mid M' \to N'\} = \bigcup \{\llbracket (-1)N' \rrbracket \mid M' \to N'\},$$
as we wanted.
The proof for the other constants follows similarly, except for rtesta,b, whose
proof we include below.
Suppose $M = \mathtt{rtest}_{p,q}(M')$. There are three possible cases:
First case: $M$ is of the form $\mathtt{rtest}_{p,q}(M')$ where $M'$ is not a $\mathtt{cons}_a$ term. Hence, the only single-step reductions available are of the form $M \to \mathtt{rtest}_{p,q}N'$ where $M' \to N'$. As the semantics of $\mathtt{rtest}_{p,q}$ is $\mathtt{rtest}_{p,q}$, we get
$$\llbracket M \rrbracket = \mathtt{rtest}_{p,q}\Big(\bigcup \{\llbracket N' \rrbracket \mid M' \to N'\}\Big) = \bigcup \{\mathtt{rtest}_{p,q}\llbracket N' \rrbracket \mid M' \to N'\} = \bigcup \{\llbracket \mathtt{rtest}_{p,q}N' \rrbracket \mid M' \to N'\}.$$
Since the last expression exhausts the terms that are single-step derivable from $M$, we are done with this case.
Second case: $M$ is of the form $\mathtt{rtest}_{p,q}(\mathtt{cons}_a(M''))$. Note that the above equality still holds but the last $\bigcup$ does not exhaust the single-step derivations. Furthermore,
$$\llbracket M \rrbracket = \mathtt{rtest}_{p,q}(\widehat{\mathtt{cons}_a}(\llbracket M' \rrbracket)) \sqsupseteq \mathtt{rtest}_{p,q}(a).$$
As $\cup$ is inflationary, we can throw smaller terms into the above equation:
$$\llbracket M \rrbracket = \bigcup \{\mathtt{rtest}_{p,q}N' \mid M' \to N'\} = \mathtt{rtest}_{p,q}(a) \cup \Big(\bigcup \{\llbracket \mathtt{rtest}_{p,q}N' \rrbracket \mid M' \to N'\}\Big).$$
Now $\mathtt{rtest}_{p,q}(a)$ is exactly the set
$$\bigcup \{\llbracket b \rrbracket \mid M \to b \text{ and } b \in \{\mathtt{true},\mathtt{false}\}\}. \qquad \square$$
Hence, by induction on the length $j$ of the evaluation using the previous lemma, for every $j$, $\llbracket M \rrbracket = \bigcup \{\llbracket N \rrbracket \mid M \to^j N\}$.
Lemma 5.4 (Soundness) For all closed terms $M$ of ground type,
$$[M] \sqsubseteq \llbracket M \rrbracket.$$
PROOF. It suffices to show that, for all closed terms $M$ of ground type,
$$[M]_i \sqsubseteq \llbracket M \rrbracket.$$
Let $b \in [M]_i$, $b \ne \bot$. By definition, $b \sqsubseteq a$ for some $a$ and $M'$ such that $M \to^i \mathtt{cons}_a M'$. Because $\widehat{\mathtt{cons}_a}\llbracket M' \rrbracket = \llbracket \mathtt{cons}_a M' \rrbracket$, Lemma 5.3 shows that $b \in {\downarrow}\llbracket \mathtt{cons}_a M' \rrbracket$. Therefore $b \in \llbracket M \rrbracket$ because $a \sqsubseteq \mathtt{cons}_a(x)$ for all $x \in I$, and in particular for all $x \in \llbracket M' \rrbracket$. $\square$
In order to establish completeness, we proceed as in [26,11].
Definition 5.5 We define a notion of computability for closed terms by induction on types as follows:
(1) A closed term $M$ of ground type is computable whenever $\llbracket M \rrbracket \sqsubseteq [M]$,
(2) A closed term $M : \sigma \to \tau$ is computable whenever $MQ : \tau$ is computable for every closed computable term $Q$ of type $\sigma$.
An open term $M : \sigma$ with free variables $x_1, \ldots, x_n$ of types $\sigma_1, \ldots, \sigma_n$ is computable whenever $[N_1/x_1]\cdots[N_n/x_n]M$ is computable for every family $N_i : \sigma_i$ of closed computable terms.
Because $P_H(D)$ is a continuous domain if $D$ is, we have:
Lemma 5.6 A closed term $M$ of ground type is computable iff for every $X \ll \llbracket M \rrbracket$ there is $i$ with $X \sqsubseteq [M]_i$.
PROOF. (⇒) Suppose that $M$ is computable and let $X \ll \llbracket M \rrbracket$. We have that $[M]_1 \sqsubseteq [M]_2 \sqsubseteq \cdots$ is a chain whose supremum is $[M]$, and hence there is $i$ with $X \sqsubseteq [M]_i$. (⇐) By continuity of the Hoare powerdomain of a continuous domain, in order to show that $\llbracket M \rrbracket \sqsubseteq [M]$, it suffices to show that for all $X \ll \llbracket M \rrbracket$, $X \sqsubseteq [M]$. But this holds by hypothesis. $\square$
Recall the following from domain theory [1,16].
Lemma 5.7 For any continuous function f : D → E of continuous dcpos, if y ≪
f(x) then there is x′≪ x with y ≪ f(x′).
Lemma 5.8 (Completeness) Every term is computable.
PROOF. The proof is by structural induction on the formation rules of terms.
Constants: (1) $\mathtt{rtest}_{p,q}$ is computable:
We have to show that
$$\llbracket \mathtt{rtest}_{p,q}M \rrbracket \sqsubseteq [\mathtt{rtest}_{p,q}M]$$
for computable $M$. So
$$\begin{aligned}
\llbracket \mathtt{rtest}_{p,q}M \rrbracket &= \mathtt{rtest}_{p,q}\llbracket M \rrbracket \\
&\sqsubseteq \mathtt{rtest}_{p,q}[M] \\
&= \mathtt{rtest}_{p,q}\bigsqcup_i [M]_i \\
&= \bigsqcup_i \mathtt{rtest}_{p,q}[M]_i \\
&= \bigsqcup_i \mathtt{rtest}_{p,q}\Big(\bigcup \{\eta(a) \mid \exists M'\, \exists k \le i.\ M \to^k \mathtt{cons}_a M'\}\Big) \\
&= \bigsqcup_i \bigcup \{\mathtt{rtest}_{p,q}(\eta(a)) \mid \exists M'\, \exists k \le i.\ M \to^k \mathtt{cons}_a M'\} \\
&= \bigsqcup_i \bigcup \{\mathtt{rtest}_{p,q}(a) \mid \exists M'\, \exists k \le i.\ M \to^k \mathtt{cons}_a M'\}.
\end{aligned}$$
But when $M \to^k \mathtt{cons}_a M'$ holds, so does $\mathtt{rtest}_{p,q}(a) \sqsubseteq [\mathtt{rtest}_{p,q}M]_{k+1} \sqsubseteq [\mathtt{rtest}_{p,q}M]$. So the directed sup of formal joins also lies below $[\mathtt{rtest}_{p,q}M]$.
(2) if is computable:
We have to show that
$$\llbracket \mathtt{if}\ L\ M\ N \rrbracket \sqsubseteq [\mathtt{if}\ L\ M\ N].$$
Suppose $\eta(\mathtt{true}) \sqsubseteq \llbracket L \rrbracket$. By the induction hypothesis, $\llbracket L \rrbracket \sqsubseteq [L]$, so $L \to^l \mathtt{true}$ for some $l$. Thus $\mathtt{if}\ L\ M\ N \to^{l+1} M$. Hence, $\llbracket M \rrbracket \sqsubseteq [\mathtt{if}\ L\ M\ N]$. Similarly, if $\eta(\mathtt{false}) \sqsubseteq \llbracket L \rrbracket$, then $\llbracket N \rrbracket \sqsubseteq [\mathtt{if}\ L\ M\ N]$. Now, we need the four cases of the proof: if $\llbracket L \rrbracket = \eta(\bot)$, then $\llbracket \mathtt{if}\ L\ M\ N \rrbracket = \eta(\bot)$; if $\llbracket L \rrbracket = \eta(\mathtt{true})$, then $\llbracket \mathtt{if}\ L\ M\ N \rrbracket = \llbracket M \rrbracket$; if $\llbracket L \rrbracket = \eta(\mathtt{false})$, then $\llbracket \mathtt{if}\ L\ M\ N \rrbracket = \llbracket N \rrbracket$; and if $\llbracket L \rrbracket = \eta(\mathtt{true}) \cup \eta(\mathtt{false})$, then $\llbracket \mathtt{if}\ L\ M\ N \rrbracket = \llbracket M \rrbracket \cup \llbracket N \rrbracket$. Because $\cup$ is inflationary (and $\eta(\bot)$ is the identity for it), in all four cases $\llbracket \mathtt{if}\ L\ M\ N \rrbracket \sqsubseteq [\mathtt{if}\ L\ M\ N]$.
(3) $\mathtt{cons}_a$ is computable:
We have to show that if $M$ is computable, then so is $\mathtt{cons}_a M$. Assume that $\llbracket \mathtt{cons}_a M \rrbracket \ne \bot$ for a computable term $M$ of type $I$. Let $Y \ll \llbracket \mathtt{cons}_a M \rrbracket = \widehat{\mathtt{cons}_a}\llbracket M \rrbracket$. We need to show that there is $i$ with $Y \sqsubseteq [\mathtt{cons}_a M]_i$. By Lemma 5.7, there is $X \ll \llbracket M \rrbracket$ with $Y \ll \widehat{\mathtt{cons}_a}X$. As $M$ is computable, there is $j$ such that $X \sqsubseteq [M]_j$. Because $Y \sqsubseteq \widehat{\mathtt{cons}_a}X$ and by monotonicity of $\widehat{\mathtt{cons}_a}$, we have that $Y \sqsubseteq \widehat{\mathtt{cons}_a}[M]_j$. So for every $y \in Y$, there is $m \in \widehat{\mathtt{cons}_a}[M]_j$ with $y \sqsubseteq m$. Let $m \in \widehat{\mathtt{cons}_a}[M]_j$; by Lemma 3.1 there is $t \in [M]_j$ with $m \sqsubseteq \mathtt{cons}_a(t) = at$. Because there is $t \in [M]_j$, we deduce that there is $M'$ such that the reduction $M \to^k \mathtt{cons}_t M'$, $k \le j$ holds, and so $\mathtt{cons}_a M \to^k \mathtt{cons}_a(\mathtt{cons}_t M') \to^1 \mathtt{cons}_{at} M'$. Hence we can take $i = j + 1$.
(4) $\mathtt{tail}_a$ is computable:
We have to show that if $M$ is computable, then so is $\mathtt{tail}_a M$. Assume that $\llbracket \mathtt{tail}_a M \rrbracket \ne \bot$ for a computable term $M$ of type $I$. Let $Y \ll \llbracket \mathtt{tail}_a M \rrbracket = \widehat{\mathtt{tail}_a}\llbracket M \rrbracket$. We need to show that there is $i$ with $Y \sqsubseteq [\mathtt{tail}_a M]_i$. By Lemma 5.7, there is $X \ll \llbracket M \rrbracket$ with $Y \ll \widehat{\mathtt{tail}_a}X$. As $M$ is computable, there is $j$ such that $X \sqsubseteq [M]_j$. Because $Y \ne \{\bot\}$, it follows that $[M]_j \not\sqsubseteq \{a\}$ in the Egli–Milner order, for if $[M]_j \sqsubseteq \{a\}$ then $Y \ll \widehat{\mathtt{tail}_a}X \sqsubseteq \widehat{\mathtt{tail}_a}[M]_j \sqsubseteq \widehat{\mathtt{tail}_a}\{a\} = \mathrm{cl}\{\bot\} = \{\bot\}$. Then exactly one of the following four cases holds:
(a) $[M]_j \le \{a\}$: Then since $X \sqsubseteq [M]_j$, we have that $\widehat{\mathtt{tail}_a}X \sqsubseteq \widehat{\mathtt{tail}_a}[M]_j$ and since $Y \sqsubseteq \widehat{\mathtt{tail}_a}X$, we have $Y \sqsubseteq \widehat{\mathtt{tail}_a}[M]_j$. So for every $y \in Y$, there is $m \in \widehat{\mathtt{tail}_a}[M]_j$ with $y \sqsubseteq m$. Let $m \in \widehat{\mathtt{tail}_a}[M]_j$, so by Lemma 3.1 there is $t \in [M]_j$ with $m \sqsubseteq \mathtt{tail}_a t$. Because there is $t \in [M]_j$ it follows that there is $M'$ such that $M \to^k \mathtt{cons}_t M'$, $k \le j$ holds. Because $[M]_j \le \{a\}$ we conclude that $\mathtt{tail}_a M \to^k \mathtt{tail}_a(\mathtt{cons}_t M') \to^1 Y\mathtt{cons}_L$. Hence we can take $i = k + 1$.
(b) $\{a\} \le [M]_j$: Similar to (a).
(c) $\{a\} \sqsubseteq [M]_j$: Then since $X \sqsubseteq [M]_j$, we have that $\widehat{\mathtt{tail}_a}X \sqsubseteq \widehat{\mathtt{tail}_a}[M]_j = \{b \setminus a \mid b \in [M]_j\}$ and since $Y \sqsubseteq \widehat{\mathtt{tail}_a}X$, we have that $Y \sqsubseteq \widehat{\mathtt{tail}_a}[M]_j$. So for every $y \in Y$, there is $m \in \widehat{\mathtt{tail}_a}[M]_j$ with $y \sqsubseteq m$. Let $m \in \widehat{\mathtt{tail}_a}[M]_j$, so there is $t \in [M]_j$ with $m \sqsubseteq \mathtt{tail}_a t = t \setminus a$. Because there is $t \in [M]_j$ it follows that there is $M'$ such that $M \to^k \mathtt{cons}_t M'$, $k \le j$ holds. We conclude that $\mathtt{tail}_a M \to^k \mathtt{tail}_a(\mathtt{cons}_t M') \to^1 \mathtt{tail}_m M'$. Hence we can take $i = k + 1$.
(d) $\{a\} \uparrow [M]_j$: Then since $X \sqsubseteq [M]_j$, we have that $\widehat{\mathtt{tail}_a}X \sqsubseteq \widehat{\mathtt{tail}_a}[M]_j = \{(a \sqcup b) \setminus a \mid b \in [M]_j\}$ and since $Y \sqsubseteq \widehat{\mathtt{tail}_a}X$, we have that $Y \sqsubseteq \widehat{\mathtt{tail}_a}[M]_j$. So for every $y \in Y$, there is $m \in \widehat{\mathtt{tail}_a}[M]_j$ with $y \sqsubseteq m$. Let $m \in \widehat{\mathtt{tail}_a}[M]_j$, so there is $t \in [M]_j$ with $m \sqsubseteq \mathtt{tail}_a t = (a \sqcup t) \setminus a$. Because there is $t \in [M]_j$ it follows that there is $M'$ such that the reduction $M \to^k \mathtt{cons}_t M'$, $k \le j$ holds. We conclude that $\mathtt{tail}_a M \to^k \mathtt{tail}_a(\mathtt{cons}_t M') \to^1 \mathtt{tail}_m M'$. Hence we can take $i = k + 1$.
(5) For M ≡ (+1),(−1),(= 0) the proof is similar to the if case.
(6) If $M$ is computable so is $\lambda\alpha M$:
We must show that $LN_1, \ldots, N_n$ is computable whenever $N_1, \ldots, N_n$ are closed computable terms and $L$ is a closed instantiation of $\lambda\alpha M$ by computable terms. Here $L$ must have the form $\lambda\alpha M'$ where $M'$ is an instantiation of all free variables of $M$, except $\alpha$, by closed computable terms.
If $P \ll \llbracket LN_1 \ldots N_n \rrbracket$ then we have $P \ll \llbracket [N_1/\alpha]M' N_2 \ldots N_n \rrbracket = \llbracket LN_1 \ldots N_n \rrbracket$. But $[N_1/\alpha]M'$ is computable and so therefore is $[N_1/\alpha]M' N_2 \ldots N_n$. Hence there is $j$ with $P \sqsubseteq [[N_1/\alpha]M' N_2 \ldots N_n]_j$. Since $LN_1 \ldots N_n \to [N_1/\alpha]M' N_2 \ldots N_n$ and the reduction relation preserves meanings, in order to evaluate $LN_1 \ldots N_n$ it suffices to evaluate $[N_1/\alpha]M' N_2 \ldots N_n$. Hence we can take $i = j$.
(7) $Y_\sigma$ is computable:
In order to prove that $Y_\sigma$ is computable it suffices to show that the term
$$Y_{(\sigma_1,\ldots,\sigma_k,PI)} N_1 \cdots N_k$$
is computable whenever $N_1 : \sigma_1, \ldots, N_k : \sigma_k$ are closed computable terms. It follows from (6) above that the terms $Y^{(n)}_\sigma := \lambda f.\, f^n(\bot)$ are computable, because the proof of computability of $Y^{(n)}_\sigma$ depends only on the fact that variables are computable and that the combination and abstraction formation rules preserve computability.
Let $P \ll \llbracket YN_1 \cdots N_k \rrbracket$ be different from $\bot$. Because $\llbracket Y \rrbracket = \bigsqcup_n \llbracket Y^{(n)} \rrbracket$, by a basic property of the way-below relation of any continuous dcpo, there is some $n$ such that $P \ll \llbracket Y^{(n)} N_1 \cdots N_k \rrbracket$. Since $Y^{(n)}$ is computable, there is $j$ with $P \sqsubseteq [Y^{(n)} N_1 \cdots N_k]_j$. Hence there is a term $M$ with $Y^{(n)} N_1 \cdots N_k \to^j \mathtt{cons}_c M$. Using the syntactic information order (see [26,11]) and Lemma 5.9 below, together with $Y^{(n)} \preccurlyeq Y$, we have that $YN_1 \cdots N_k \to^j \mathtt{cons}_c M$ for some $M$ and therefore $i = j$. $\square$
As in the last part of the above proof, we denote the syntactic order by $\preccurlyeq$ (see [26] or [11]).
Lemma 5.9 If $M \preccurlyeq N$ and $M \to M_1, M \to M_2, \cdots, M \to M_n$ then either $\forall i.\ M_i \preccurlyeq N$, $1 \le i \le n$, or else for some terms $N_1, N_2, \ldots, N_m$, $N \to N_1, N \to N_2, \cdots, N \to N_m$, and $\forall M_i\, \exists N_j.\ M_i \preccurlyeq N_j$, $1 \le i \le n$, $1 \le j \le m$.
PROOF. The case that we must consider is the one that involves $\mathtt{rtest}_{a,b}$. The other cases are treated as in Real PCF.
(1) $\mathtt{rtest}_{a,b}M \preccurlyeq \mathtt{rtest}_{a,b}M$ holds by definition.
(2) $M \equiv \mathtt{rtest}_{a,b}M' \preccurlyeq \mathtt{rtest}_{a,b}M'' \equiv N$ and $M \to \mathtt{true}$. These conditions hold if $\mathtt{rtest}_{a,b}M \to \mathtt{rtest}_{a,b}(\mathtt{cons}_c M''')$ and $c < b$. By the induction hypothesis, $M' \to M''$, so $\mathtt{rtest}_{a,b}M'' \to \mathtt{rtest}_{a,b}(\mathtt{cons}_d M^{iv})$ where $d < b$, so $\mathtt{rtest}_{a,b}M'' \to \mathtt{true}$ and $\mathtt{true} \preccurlyeq \mathtt{true}$.
(3) $M \equiv \mathtt{rtest}_{a,b}M' \preccurlyeq \mathtt{rtest}_{a,b}M'' \equiv N$ and $M \to \mathtt{false}$. Similar to the previous case.
(4) $M \equiv \mathtt{rtest}_{a,b}M' \preccurlyeq \mathtt{rtest}_{a,b}M'' \equiv N$ and $M \to \mathtt{true}$, $M \to \mathtt{false}$. These follow if $\mathtt{rtest}_{a,b}M \to \mathtt{rtest}_{a,b}(\mathtt{cons}_c M''')$ and $a < c < b$. By the induction hypothesis, $M' \to M''$, so $\mathtt{rtest}_{a,b}M'' \to \mathtt{rtest}_{a,b}(\mathtt{cons}_d M^{iv})$ where $a < d < b$, so $\mathtt{rtest}_{a,b}M'' \to \mathtt{true}$, $\mathtt{rtest}_{a,b}M'' \to \mathtt{false}$ and $\mathtt{true} \preccurlyeq \mathtt{true}$, $\mathtt{false} \preccurlyeq \mathtt{false}$. $\square$
In summary:
Theorem 5.10 Computational adequacy holds; that is, for every closed term $M$ of ground type, the operational and denotational meanings of $M$ coincide:
$$[M] = \llbracket M \rrbracket.$$
6 Program Correctness
We now develop tools for establishing correctness of LRT programs. In order to
show that a given program is correct with respect to a given specification, we show
that
(1) if it converges, then it satisfies the specification, and
(2) it in fact converges.
In our examples, condition 1 will be achieved by applying the denotational seman-
tics with the aid of computational adequacy, and condition 2 will be achieved using
the operational semantics directly. Hence our first task is to define a suitable oper-
ational notion of convergence for terms of real-number type.
Firstly, notice that the operational semantics defined in Section 5.3 allows diver-
gence when rule 13 for rtesta,bis applied infinitely often. But the only purpose of
this rule is to get a sufficiently precise approximation of the argument, so that rules
11 and/or 12 can be eventually applied, provided such an approximation exists.
Hence we agree that
we do not apply rule 13 for rtesta,binfinitely often unless rules 11-12 are never
applicable.
Definition 6.1 The subrelation of the reduction relation → that arises in this way
will be denoted by ⇒.
Secondly, in the case of a term of the form rtesta,b(M), after finitely many appli-
cations of rule 13 to compute an approximation of the argument M, we will have
three situations:
(1) Both rules 11 and 12 become applicable.
(2) One and only one of the rules 11 and 12 becomes applicable.
(3) It is still not possible to apply rules 11 and 12, and hence one should keep
applying rule 13, getting better and better approximations of M, either
(a) for ever, or
(b) so that we eventually arrive at one of the previous situations (1) or (2),
and the computation converges to a truth value.
If the situation (3a) may take place, we say that the term may diverge, and other-
wise, that it must converge. If the situation (1) takes place, we may imagine that
the computation bifurcates into two subcomputations, each of which will give an
answer or diverge. For our definition of strong convergence, to be given below,
we require that both converge. In practice, an implementation of the language will
typically choose one of the branches, according to some strategy, which will not
necessarily be known to the programmer, and such a branch will then lead to an
answer or divergence. In this case, the programmer has to ensure that any possible
answer satisfies the desired specification, or that both branches will in fact lead to
the same answer (as will be the case with our running example).
In theory, if situation (2) takes place, one can carry on with the computation pro-
duced by the corresponding branch, and, at the same time, repeatedly apply rule 13
in parallel so that maybe the other rule becomes applicable too and one has two
computations as in situation (1). This corresponds to the relation ⇒ defined above.
In practice, we work with a deterministic, but unspecified strategy, as follows:
Definition 6.2 A strategy is a subrelation ⇛ of ⇒ such that
(1) ⇛ is single-valued, i.e. for any M there is at most one N such that M ⇛ N,
(2) if there is an N such that M ⇒ N, then there is also an N such that M ⇛ N.
Notice that the only reason the relation ⇒ is multi-valued is the presence of rules
11 and 12. In summary, the relation ⇒ removes inessential infinite computations
from →, and ⇛ gives a deterministic strategy for the application of →.
(⇛) ⊆ (⇒) ⊆ (→).
Here are some examples of deterministic relations ⇛
(1) At each stage of the reduction of a term, apply the first applicable rule, for the
ordering of the rules given in Section 5.3.
(2) The same strategy as 1, but swapping the order of the first two rules for
rtesta,b.
(3) Fix a stream of binary digits. Whenever more than one of the first two rules for
rtesta,b is applicable, use the next digit of the stream to decide which should
be applied.
(4) Fix a stream of binary digits and a stream of natural numbers. Whenever a
term of the form rtesta,b(M) is found, read a natural number n from the
second stream, then apply rule 13 for rtesta,b n times. If only one of the two
rules 11 and 12 becomes applicable, apply it. If both are applicable, use the
next digit from the first stream to decide which of them to apply. If neither is
applicable, repeat the same procedure.
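The rules of Section 5.3 and the strategies just listed can be run mechanically, which makes the non-determinism of rtest and the role of a strategy concrete. The Python program below is an added example and is not code from the paper: it encodes intervals as pairs of exact fractions, the operations cons_a, tail_a, b \ a and a ⊔ b of Section 5.3, the one-step relation → given by rules 1–13 (non-deterministic for rtest, since rule 13 stays available alongside rules 11 and 12), the finite-step operational meaning [M]_i of Definition 5.2 (returned as the set of generating intervals or truth values rather than their Hoare closure), and strategy (3) above, of which strategy (1) is the special case with an empty digit stream. The term encoding and all sample terms are constructed for the example. Assumptions not fixed by this page: L = [0, 3/4] and R = [1/4, 1], read off from cons_L(t) = 3t/4 in Lemma 6.13; the order a ≤ b on intervals read as \overline{a} ≤ \underline{b}; the side conditions a < c and b < a of rules 11 and 12 read as \overline{a} < c and b < \underline{a}; and Y cons_L unfolded by the PCF rule Y F → F(Y F).

```python
from fractions import Fraction as Fr

# Intervals are pairs (lo, hi) of Fractions inside [0, 1]; BOT is the whole interval.
BOT = (Fr(0), Fr(1))
L = (Fr(0), Fr(3, 4))   # assumed: cons_L(t) = 3t/4, as in Lemma 6.13
R = (Fr(1, 4), Fr(1))   # assumed by symmetry with L

def length(a):
    return a[1] - a[0]

def cons(a, b):
    """ab = cons_a(b): rescale b into a (associative, with BOT as neutral element)."""
    return (a[0] + length(a) * b[0], a[0] + length(a) * b[1])

def below(a, b):
    """Information order a ⊑ b: b is a sub-interval of a."""
    return a[0] <= b[0] and b[1] <= a[1]

def consistent(a, b):
    """a ↑ b: the intervals overlap, so they have a common upper bound (a ⊔ b)."""
    return max(a[0], b[0]) <= min(a[1], b[1])

def minus(b, a):
    """b \\ a: the unique c with ac = b, for a ⊑ b and a of non-zero length."""
    assert below(a, b) and length(a) > 0
    return ((b[0] - a[0]) / length(a), (b[1] - a[0]) / length(a))

def leq(a, b):
    """a ≤ b: a lies entirely to the left of b (assumed reading of the order)."""
    return a[1] <= b[0]

# Constructed term encoding: ('cons', a, M), ('tail', a, M), ('rtest', b, c, M),
# ('if', B, M, N), ('YconsL',), ('YconsR',), ('true',), ('false',).
TRUE, FALSE = ('true',), ('false',)

def step(t):
    """All one-step successors of t under rules 1-13; [] for values."""
    k = t[0]
    if k in ('YconsL', 'YconsR'):                          # PCF: Y F -> F (Y F)
        return [('cons', L if k == 'YconsL' else R, t)]
    if k == 'cons':
        a, M = t[1], t[2]
        if M[0] == 'cons':                                 # rule 1
            return [('cons', cons(a, M[1]), M[2])]
        return [('cons', a, N) for N in step(M)]           # rule 2
    if k == 'tail':
        a, M = t[1], t[2]
        if M[0] == 'cons':
            b = M[1]
            if leq(b, a): return [('YconsL',)]             # rule 3
            if leq(a, b): return [('YconsR',)]             # rule 4
            if below(a, b) and a != b:                     # rule 5
                return [('cons', minus(b, a), M[2])]
            if consistent(a, b) and not below(b, a):       # rule 6
                j = (max(a[0], b[0]), min(a[1], b[1]))     # a ⊔ b
                return [('cons', minus(j, a), ('tail', minus(j, b), M[2]))]
        return [('tail', a, N) for N in step(M)]           # rule 7
    if k == 'if':
        B, M, N = t[1], t[2], t[3]
        if B in (TRUE, FALSE):                             # rules 8 and 9
            return [M if B == TRUE else N]
        return [('if', B2, M, N) for B2 in step(B)]        # rule 10
    if k == 'rtest':
        b, c, M = t[1], t[2], t[3]
        out = []
        if M[0] == 'cons':
            a = M[1]
            if a[1] < c: out.append(TRUE)                  # rule 11: hi(a) < c
            if b < a[0]: out.append(FALSE)                 # rule 12: b < lo(a)
        out += [('rtest', b, c, N) for N in step(M)]       # rule 13, always allowed
        return out
    return []

def op_meaning(t, i):
    """Generators of [t]_i (Definition 5.2): the heads a of cons_a terms, or the truth
    values, reachable from t in at most i steps; the Hoare set is their down-closure."""
    seen, frontier, out = {t}, [t], set()
    for _ in range(i + 1):
        for u in frontier:
            if u[0] == 'cons':
                out.add(u[1])
            elif u in (TRUE, FALSE):
                out.add(u[0])
        frontier = list({n for u in frontier for n in step(u)} - seen)
        seen.update(frontier)
    return out

def run_strategy(t, bits, n):
    """Strategy (3) of Section 6, run for n steps: apply the first applicable rule,
    except that when rules 11 and 12 both apply the next digit picks (0: true, 1: false)."""
    for _ in range(n):
        succ = step(t)
        if not succ:
            break
        t = succ[next(bits)] if TRUE in succ and FALSE in succ else succ[0]
    return t
```

Running step on rtest_{1/4,3/4}(cons_{[1/3,2/3]} Y cons_L) returns true, false and a rule-13 successor at once, so [M]_1 already contains both truth values; this is the bifurcation of Remark 5.1, and run_strategy with the digit streams 0 and 1 picks the two branches. Running run_strategy on Y cons_L alone shows the head interval shrinking by the factor 3/4 every two steps (rule 2 then rule 1), which is the shape of convergence used in Lemma 6.6.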
It is easy to see that for any closed term M of real-number type, there is at least
one term N such that M ⇒ N, and hence there is at least one term N such that
M ⇛ N. Hence, because the relation ⇛ is assumed to be single valued, there is a
unique infinite reduction sequence M = M_0 ⇛ M_1 ⇛ M_2 ⇛ M_3 ⇛ ···. By the
following lemma, if M_i is of the form cons_{a_i}(M′_i) then M_{i+1} must be of the form
cons_{a_{i+1}} M′_{i+1} with a_i ⊑ a_{i+1}. For a closed term M of ground type other than I,
such a reduction may be finite, leading to a truth value or natural number, or infinite,
leading to divergence.
Lemma 6.3 If a term M is of the form consaM′and M ⇛∗N then N is of the
form consbN′with a ⊑ b.
PROOF. By case analysis of the reduction rules for consa. According to the com-
plete set of rules that define the operational semantics [11], if the reduction is in
zero steps we are done, otherwise there are two cases:
(1): If consa(consbN′) ⇛ consabN′, then M′is of the form consbN′with a ⊑ ab.
Hence N is of the form consabN′,
(2): If consaM′⇛ consaM′′and M′⇛ M′′, then N has to be of the form
consaM′′for M′⇛ N′, and hence we can take b = a.
□
We modify the definition of operational meaning (Definition 5.2) as follows.
Definition 6.4 For a strategy ⇛ and closed term M of type I, we define
$$[M]_{\Rrightarrow} = \bigsqcup \{a \in I \mid \exists M'.\ M \Rrightarrow^* \mathtt{cons}_a M'\}.$$
If this set is non-empty, then Lemma 6.3 shows that it is an increasing chain, and
hence the supremum exists. Notice that this is not a subset of I, as in Definition 5.2,
but rather an element of I.
By a value of type Bool or Nat we mean a constant for a truth value or a natural
number, and values are ranged over by the letter v. For a closed term of any of
these two types, we define
$$[M]_{\Rrightarrow} = \bigsqcup \{v \mid M \Rrightarrow^* v\}.$$
The set of which the supremum is taken is either empty or a singleton because ⇛ is
single valued.
Definition 6.5 We define strong convergence, for closed terms, by induction on
types as follows:
(1) A closed term M of ground type is strongly convergent if for every strategy ⇛
as in Definition 6.2, its operational meaning [M]⇛is total (i.e. a singleton
interval, a truth-value, or a natural number).
(2) A closed term M of type σ → τ is strongly convergent whenever MN is
strongly convergent for every strongly convergent closed term N of type σ.
We henceforth refer to strong convergence simply as convergence for the sake of
brevity.
The following observation is immediate.
Lemma 6.6
(1) A term M : I is convergent iff for every strategy ⇛ and every ε > 0 there are
an interval a of length smaller than ε and a term N such that M ⇛∗ consa N.
(2) A term M is convergent iff N is convergent whenever M ⇛∗N.
Lemma 6.7 A term consc(M) is convergent iff M is convergent.
PROOF. (⇒) Let M = M_1 ⇛ M_2 ⇛ M_3 ⇛ ··· be an infinite reduction sequence and let ε > 0. We must find n such that M_n is of the form cons_d N′ with κ_d < ε. Consider the reduction
$$\mathtt{cons}_c(M) = N_1 \Rrightarrow N_2 \Rrightarrow N_3 \Rrightarrow \cdots,$$
and δ = ε × κ_c. By hypothesis cons_c(M) is convergent so there is i such that N_i is of the form cons_b N′′ with κ_b < δ. Hence there should be j such that M_j is of the form cons_e N′′′ and cons_c(M_j) ⇛ cons_b N′′, which means that κ_c κ_e = κ_b < δ and hence
$$\kappa_e < \frac{\delta}{\kappa_c} = \frac{\varepsilon \times \kappa_c}{\kappa_c} = \varepsilon.$$
(⇐) Let cons_c(M) = N_1 ⇛ N_2 ⇛ N_3 ⇛ ··· be an infinite reduction sequence and let ε > 0. We must find n such that N_n is of the form cons_d N′ with κ_d < ε. Consider the reduction M = M_1 ⇛ M_2 ⇛ M_3 ⇛ ··· and δ = ε/κ_a. Because M is convergent, there is i such that M_i is of the form cons_b(M′) with κ_b < δ. Hence, there should be j such that N_j is of the form cons_e(M′′) with κ_e ≤ κ_a κ_b and
$$\kappa_e \le \kappa_a \kappa_b < \kappa_a \cdot \delta = \kappa_a \cdot (\varepsilon/\kappa_a) = \varepsilon. \qquad \square$$
To show that tailais convergent, we need some lemmas. Whenever we talk about
rules in the following lemmas, we assume that these rules are taken from the oper-
ational semantics.
Lemma 6.8
(1) For all a,b ∈ I, if b ?⊑ a then one of the conditions in rules 3–6 holds.
(2) For any a ∈ I and any convergent M : I there are b ?⊑ a and N such that
M ⇛∗consb(N).
PROOF. The first item is easily verified. For the second, let ε = κ_a/2. Because M
is convergent, there are b of length smaller than ε and N such that M ⇛∗ cons_b(N).
If we had b ⊑ a, then the length of b would be bigger than that of a, which is not
the case by construction.
□
Lemma 6.9 If M is convergent then,
(1) taila(M) ⇛∗L for some convergent term L, by finitely many applications
of rule 7 followed by an application of one of the rules 3–5, or
(2) M ⇛∗consb(N) and taila(M) ⇛∗cons(a⊔b)\a(tail(a⊔b)\b(N)) for some
convergent term N, by finitely many applications of rule 7 followed by an
application of rule 6.
PROOF. By Lemma 6.8, after finitely many applications of rule 7 to the term
taila(M), we will have reductions M ⇛∗ consb(N) and
tailaM ⇛∗ taila(consb(N)),
and one of the rules 3–6 will apply to the resulting term. If one of the rules 3–5
applies then taila(M) reduces to one of the terms YconsL, YconsR, consb\a(N),
which are convergent, and we can let L be the corresponding term. Otherwise it
reduces by rule 6 to the term cons(a⊔b)\a(tail(a⊔b)\b(N)). Because M ⇛∗ consbN
and M is convergent, so are consbN and N.
□
Lemma 6.10 The term tailais convergent.
PROOF. Let M be convergent, consider the reduction
taila(M) = N0⇛ N1⇛ N2⇛ ··· ,
and let ri be the label of the rule that justifies the reduction Ni ⇛ Ni+1. By
Lemma 6.9, if there is i such that riis one of 3–5, then taila(M) is convergent,
and otherwise the sequence $(r_i)_i$ belongs to the set of words $7^*6(7^*61)^\omega$. We have to
argue that in the second case taila(M) is also convergent. Let $n_i$ be the sequence
such that the sequence $r_i$ can be written as $7^{n_0}\,6\,\prod_i (7^{n_{i+1}}\,6\,1)$.
By hypothesis, the term M0= M is convergent, and if Miis convergent then
Mi⇛∗consci(Mi+1)
for a unique interval ciand a unique term Mi+1by finitely many applications of
rule 2, and Mi+1must also be convergent. This inductively defines sequences ci
and Mi, and it is easy to see that, for any i,
M ⇛∗consc0c1...ci(Mi+1).
Now, using the sequence ci, inductively define
β0= (a ⊔ c0) \ c0,
βi+1= (βi⊔ ci+1) \ ci+1,
α0= (a ⊔ c0) \ a,
αi+1= (βi⊔ ci+1) \ βi.
A routine argument by induction on $i$ shows that
$$\mathtt{tail}_a(M) \Rrightarrow^* \mathtt{cons}_{\alpha_0\alpha_1\cdots\alpha_i}(\mathtt{tail}_{\beta_i}(M_{i+1})),$$
as illustrated below, where the label on each arrow is the rule applied:
$$\begin{aligned}
\mathtt{tail}_a(M) = N_0 &\Rrightarrow^*_{7} N_{n_0} = \mathtt{tail}_a(\mathtt{cons}_{c_0}(M_1)) \\
&\Rrightarrow_{6} N_{n_0+1} = \mathtt{cons}_{\alpha_0}(\mathtt{tail}_{\beta_0}(M_1)) \\
&\Rrightarrow^*_{7} N_{n_1} = \mathtt{cons}_{\alpha_0}(\mathtt{tail}_{\beta_0}\mathtt{cons}_{c_1}(M_2)) \\
&\Rrightarrow_{6} N_{n_1+1} = \mathtt{cons}_{\alpha_0}\mathtt{cons}_{\alpha_1}(\mathtt{tail}_{\beta_1}(M_2)) \\
&\Rrightarrow_{1} N_{n_1+2} = \mathtt{cons}_{\alpha_0\alpha_1}(\mathtt{tail}_{\beta_1}(M_2)) \\
&\ \ \vdots \\
&\Rrightarrow_{1} N_{n_i+2} = \mathtt{cons}_{\alpha_0\alpha_1\cdots\alpha_i}(\mathtt{tail}_{\beta_i}(M_{i+1})).
\end{aligned}$$
Now let $\varepsilon > 0$, and define $\varepsilon' = \kappa_a/\varepsilon$. Because $M$ is convergent, there is $i$ such that $\kappa_{c_0c_1\ldots c_i} < \varepsilon'$ and hence $\kappa_a/\kappa_{c_0c_1\ldots c_i} < \varepsilon$. An easy proof by induction on $i$ shows that $\kappa_a/\kappa_{c_0c_1\ldots c_i} = \kappa_{\alpha_0\alpha_1\cdots\alpha_i}$, which shows that $\mathtt{tail}_a(M)$ is convergent. $\square$
As application, we show how the program Average, defined in Section 2 can be
proved to be correct using the denotational semantics and the notion of strong con-
vergence. More examples, including multiplication, division, and absolute value,
among others, are developed in the first-named author’s PhD thesis [22] using the
same techniques.
Lemma 6.11 The term rtestb,cis convergent.
PROOF. Let N : I be a convergent term. Consider ε = (c − b)/2. Because N is
convergent, there are an interval a of length smaller than ε and a term M such that
N ⇛∗ consaM. For such an interval, at least one of the conditions needed to apply
the rules (11) or (12) holds, and hence rtestb,c(N) ⇒+ v for some truth value v.
6.1 Total Correctness of the Average Program
In view of computational adequacy, partial correctness of the program can be for-
mulated as follows:
Lemma 6.12 $\llbracket \mathtt{Average} \rrbracket(\eta(x),\eta(y)) = \eta(x \oplus y)$ for all total $x, y \in I$.
To prove this, we use the following lemma. As usual, a recursive program is interpreted as the least fixed point of a functional extracted from the program. For the program Average, we denote this functional by $\Phi : D \to D$ where, according to the denotational interpretation of types, $D$ has to be the domain $(P_H I \times P_H I \to P_H I)$. Then $\llbracket \mathtt{Average} \rrbracket = \bigsqcup_n \mathtt{Average}_n$, where $\mathtt{Average}_n = \Phi^n(\bot)$.
Lemma 6.13 For all total $x, y \in I$, the following conditions hold:
(1) $\llbracket \mathtt{Average}_n \rrbracket(\eta(x),\eta(y))$ is of the form ${\downarrow}F_n$ for $F_n \subseteq I$ finite,
(2) $\kappa_z \le \left(\frac{4}{3}\right)^{-n+1}$ for each $z \in F_n$,
(3) $F_n \sqsubseteq \eta(x \oplus y)$.
PROOF. The proof is by induction on n.
1. n = 0. We know that Average0(η(x),η(y)) = {⊥} = ↓{⊥} for any x,y ∈ [0,1].
Take z ∈ Fn= {⊥}, so κz= 1 < (4/3)−n+1= (4/3), and {⊥} ⊑Hη(x ⊕ y) for
all x,y ∈ [0,1].
2. Assume that it holds for n. To show that it holds for n+1, we proceed according
to the position of x and y relative to the points l = 1/4 and r = 3/4 used in
the definition of the average program. All cases are handled in a similar way. We
consider the case x ≤ 1/4 and y ≤ 1/4 as a representative example.
$$\mathtt{Average}_{n+1}(\eta(x),\eta(y)) = \widehat{\mathtt{cons}_L}\big(\mathtt{Average}_n(\widehat{\mathtt{tail}_L}(\eta(x)), \widehat{\mathtt{tail}_L}(\eta(y)))\big) = \widehat{\mathtt{cons}_L}\big(\mathtt{Average}_n(\eta(\mathtt{tail}_L(x)), \eta(\mathtt{tail}_L(y)))\big),$$
and by the induction hypothesis, $\mathtt{Average}_n(\eta(t),\eta(s))$ is of the form ${\downarrow}F_n$ for $F_n$ finite, $t = \mathtt{tail}_L(x)$ and $s = \mathtt{tail}_L(y)$. Take $F_{n+1} = \widehat{\mathtt{cons}_L}(F_n)$. Then $\mathtt{Average}_{n+1}(\eta(x),\eta(y))$ is of the form ${\downarrow}\widehat{\mathtt{cons}_L}(F_n)$. Because $F_n$ is finite, so is $F_{n+1}$.
To show that $\kappa_z \le (4/3)^{-n}$ for any $z \in F_{n+1}$, let $t \in F_n$ such that $z = \mathtt{cons}_L(t)$. By the induction hypothesis $\kappa_t \le (4/3)^{-n+1}$. We have $z = \mathtt{cons}_L(t) = \frac{3}{4}t$, and hence
$$\kappa_z = \frac{3}{4}\overline{t} - \frac{3}{4}\underline{t} \le \frac{3}{4}\left(\frac{4}{3}\right)^{-n+1} = \left(\frac{4}{3}\right)^{-n},$$
and so $\kappa_z \le (4/3)^{-n}$.
To show that $F_{n+1} \subseteq \eta(x \oplus y)$, again let $z \in F_{n+1}$ and $t \in F_n$ such that $z = \mathtt{cons}_L(t)$. By the induction hypothesis $t \in \eta(\mathtt{tail}_L(x) \oplus \mathtt{tail}_L(y))$, hence
$$\begin{aligned}
z = \mathtt{cons}_L(t) &\in \widehat{\mathtt{cons}_L}\big(\eta(\mathtt{tail}_L(x) \oplus \mathtt{tail}_L(y))\big) \\
&= \widehat{\mathtt{cons}_L}\Big(\eta\Big(\frac{4x}{3} \oplus \frac{4y}{3}\Big)\Big) \\
&= \widehat{\mathtt{cons}_L}\Big(\eta\Big(\frac{4x+4y}{6}\Big)\Big) \\
&= \eta\Big(\mathtt{cons}_L\Big(\frac{4x+4y}{6}\Big)\Big) \\
&= \eta\Big(\frac{3}{4}\cdot\frac{4x+4y}{6}\Big) \\
&= \eta\Big(\frac{x+y}{2}\Big) \\
&= \eta(x \oplus y),
\end{aligned}$$
as required. $\square$
To conclude, we establish convergence of Average.
Lemma 6.14 For any two convergent terms $N_1, N_2 : I$, there are an interval $a$ of length $3/4$ and two convergent terms $N'_1, N'_2$ such that
$$\mathtt{Average}(N_1,N_2) \Rrightarrow^+ \mathtt{cons}_a(\mathtt{Average}(N'_1,N'_2)).$$
PROOF. To reduce Average(N1,N2), we must first unfold the definition, and then
reduce rtest1/4,3/4(N1), repeatedly applying rule 10, until we get a truth value,
which is possible by Lemma 6.11 because N1 has been assumed to be convergent.
At this point, we have to apply one of the rules 8 or 9. In either case, we will next
have to reduce rtest1/4,3/4(N2) until it becomes a truth value. Then again one of
the two rules 8 and 9 will have to be applied, which clearly leads to a term of the
form consa Average(tailb1N1, tailb2N2) with κa = 3/4. By Lemma 6.10, we can
take N′1 = tailb1N1 and N′2 = tailb2N2.
□
Lemma 6.15 The term Average is convergent.
PROOF. Let N1and N2be convergent terms of type I. By repeatedly applying
Lemma 6.14 and rules 1 and 2, we conclude that for every n there are an interval a
of length (3/4)nand a term M such that Average(N1,N2) ⇛+consa(M). Here
we use the fact that the length of the interval concatenation bc is the product of the
lengths of the intervals b and c in connection with rule 1.
□
Lemma 6.12 amounts to commutativity of the diagram
$$\begin{array}{ccccc}
\mathbb{I} \times \mathbb{I} & \hookrightarrow & I \times I & \hookrightarrow & P_H I \times P_H I \\
\Big\downarrow {\scriptstyle \oplus} & & & & \Big\downarrow {\scriptstyle \llbracket \mathtt{Average} \rrbracket} \\
\mathbb{I} & \hookrightarrow & I & \hookrightarrow & P_H I,
\end{array}$$
where $\mathbb{I} = [0,1]$ and the horizontal arrows are the obvious inclusions. The results
of Escardó, Hofmann and Streicher [9] show that the diagram cannot be completed
with a sequentially computable down arrow $\mathbb{I} \times \mathbb{I} \to \mathbb{I}$. Thus, we overcome the
problem by allowing our program to be multi-valued at partial inputs. Lemma 6.13
shows that the single-valued output of the program at a total input arises as the
least upper bound of multi-valued partial outputs. In other words, there are different
computation paths that give different, but consistent partial results at finite stages,
but all of them converge to the same total real number.
Several other examples of recursive definitions, including multiplication and di-
vision, are developed in [22], with total correctness proofs following the above
pattern.
7 Conclusion and Further Work
Our running example illustrates two important ideas discussed in the introduction:
(1) By considering a multi-valued or non-deterministic construction, it is possible
to have sequential programs for important functions that only admit parallel
realizations in the (single-valued) interval-domain model, overcoming the
problem identified by Escardó, Hofmann and Streicher [9].
(2) In order to obtain total correctness from partial correctness, a generalization of
the notion of termination is needed in the case of real-number computations.
Regarding 1, we conjecture that all computable first-order functions are definable
in the language. We have some partial results regarding definability of second-
order computable functionals such as definite integration. This will be reported
elsewhere, but we remark that the ideas regarding 2 are applied for that purpose.
It is an open problem to find a denotational semantics that would allow one to prove
total correctness without the need of resorting to operational methods such as strong
convergence. As we have seen, the Plotkin and Smyth powerdomains cannot be
used for that purpose either. In fact, the results of Section 4 immediately imply that
even other powerdomains such as the sandwich and the mixed powerdomain cannot
be used. Moreover, it is easy to verify that any of the known powerdomains which
do not arise as the composition of powerdomains with the Hoare powerdomain as
the last component in the composition are ruled out.
Acknowledgements. We thank Achim Jung, Paul Levy, Steve Vickers and Andrew Moshier for comments and suggestions.
References
[1] Samson Abramsky and Achim Jung, Domain Theory, in: S. Abramsky and D. Gabbay
and T. S. E. Maibaum, eds., Handbook of Logic in Computer Science Volume 3 (Oxford
University Press, 1994) 1–168.
[2] E. Bishop, and D. Bridges, Constructive Analysis (Springer, Berlin, 1985).
[3] H. J. Boehm and R. Cartwright, Exact Real Arithmetic: Formulating Real Numbers
as functions, in: D. Turner, editor, Research Topics in Functional Programming
(Addison-Wesley 1990) 43–64.
[4] V. Brattka, Recursive characterization of computable real-valued functions and
relations, Theoretical Computer Science 162 (1996) 45–77.
[5] Peter Buneman and Susan Davidson and Aaron Watters, A semantics for complex
objects and approximate queries, JCSS 43 (1991) 170–218.
[6] Abbas Edalat and Peter John Potts and Philipp Sünderhauf, Lazy Computation with
Exact Real Numbers, International Conference on Functional Programming (1998)
185–194.
[7] M. H. Escardó, Real PCF extended with ∃ is universal, in: A. Edalat and S. Jourdan
and G. McCusker, eds., Advances in Theory and Formal Methods of Computing:
Proceedings of the Third Imperial College Workshop (Christ Church, Oxford, 1996)
13–24.
[8] M. H. Escardó, PCF extended with real numbers: A domain-theoretic approach to
higher-order exact real number computation, PhD thesis at Imperial College of the
University of London 1997.
[9] M. H. Escardó and M. Hofmann and Th. Streicher, On the non-sequential nature of the
interval-domain model of exact real-number computation, Mathematical Structures in
Computer Science Accepted for publication (2002).
[10] M. H. Escardó and Th. Streicher, Induction and recursion on the partial real line with
applications to Real PCF, Theoretical Computer Science 210 (1) (1999) 121–157.
[11] M. H. Escardó, PCF Extended with Real Numbers, Theoretical Computer Science
162 (1) (1996) 79–115.
[12] A. Farjudian, Sequentiality and Piece-wise affinity in Segments of Real-PCF,
Electronic Notes in Theoretical Computer Science 73 (2004) 3–4
[13] A. Farjudian, Sequentiality in Real Number Computation, PhD thesis at the University
of Birmingham 2004.
[14] Pietro Di Gianantonio, A Functional Approach to Computability on Real Numbers
PhD thesis (Udine, 1993).
[15] Pietro DiGianantonio, An Abstract Data Type for real numbers, Theoretical Computer
Science 221 (1999) 295-326
[16] G. Gierz and et al., Continuous lattices and domains, (Cambridge University Press,
2003).
[17] C. A. Gunter, The Mixed Powerdomain, Theoretical Computer Science 103 (2) (1992)
311–334.
[18] C. A. Gunter and D. S. Scott, Semantic Domains, in: J. van Leeuwen, editor,
Handbook of Theoretical Computer Science B (1990) 633–674.
34
Page 35
[19] Reinhold Heckmann, Power Domain Constructions,
Programming 17 (1-3) (1991) 77–117
Science of Computer
[20] H. Luckhardt, A fundamental effect in computations on real numbers, Theoretical
Computer Science 5 (3) (1977/78) 321–324.
[21] E. Manes Monads of Sets in: M. Hazewinkel, editor, Handbook of Algebra 3 (Elsevier
Science, 2003) 67–153.
[22] Jos´ e R. Marcial-Romero, Semantics of a sequential language for exact real-number
computation, PhD thesis (Birmingham, December, 2004).
[23] N. Th. M¨ uller, The iRRAM: Exact Arithmetic in C++, in: Blanck, Jens and Brattka,
Vasco and Hertling, Peter, Computability and Complexity in Analysis 2064 (LNCS,
2001) 222–252.
[24] D. Normann, Exact real number computations relative to hereditarily total functionals,
Theoretical Computer Science 284 (2) (2002) 437–453.
[25] G.D.Plotkin, APowerdomain Construction, SIAM Journal on Computing 5(3)(1976)
452–487.
[26] G. D. Plotkin, LCF Considered as a Programming Language, Theoretical Computer
Science 5 (1) (1977) 223–255.
[27] G. D. Plotkin, Domains Post-graduate Lecture in Advanced Domain Theory Univesity
of Edinburgh, Departament of Computer Science. Available from the author’s web
page (1983), pages 116.
[28] Peter John Potts and Abbas Edalat and Mart´ ın H¨ otzel Escard´ o, Semantics of Exact real
arithmetic, Proceedings 12thIEEE Symposium on Logic in Computer Science (1997)
248–257.
[29] Peter John Potts, Exact real arithmetic using M¨ obius Transformations, PhD thesis at
Imperial College of the University of London 1998.
[30] Dana Scott, Lattice theory, data type and semantics, in: Randall Rustin, editor, eds.,
Formal Semantics of Algorithmic Languages (Prentice Hall, 1972) 65–106.
[31] M. B. Smyth, Power Domains, Journal of Computer and System Science 16 (1978)
23–36.
[32] M. B. Smyth, Powerdomains and predicate transformers: A topological view ICALP
’83, LNCS 154 (Springer, 1983) 662–675.
[33] M. B. Smyth, Topology, in: S. Abramsky, D. M. Gabbay, and T.S.E Maibaum, eds.,
Handbook on Logic in Computer Science 1 (1992) 641–761.
[34] S. Vickers, Topolgy via Logic (Cambridge University Press, Cambridge, 1989).
[35] K. Weihrauch, Computable Analysis (Springer-Verlag, 2000) .
35
Download full-text