Theoretical Computer Science 379 (2007) 120–141
www.elsevier.com/locate/tcs
Semantics of a sequential language for exact real-number
computation
J. Raymundo Marcial-Romero*, Martín H. Escardó
University of Birmingham, Birmingham B15 2TT, England, United Kingdom
Received 30 May 2005; received in revised form 7 November 2006; accepted 24 January 2007
Communicated by G.D. Plotkin
Abstract
We study a programming language with a built-in ground type for real numbers. In order for the language to be sufficiently
expressive but still sequential, we consider a construction proposed by Boehm and Cartwright. The non-deterministic nature
of the construction suggests the use of powerdomains in order to obtain a denotational semantics for the language. We show
that the construction cannot be modelled by the Plotkin or Smyth powerdomains, but that the Hoare powerdomain gives a
computationally adequate semantics. As is well known, Hoare semantics can be used in order to establish partial correctness only.
Since computations on the reals are infinite, one cannot decompose total correctness into the conjunction of partial correctness
and termination as is traditionally done. We instead introduce a suitable operational notion of strong convergence and show that
total correctness can be proved by establishing partial correctness (using denotational methods) and strong convergence (using
operational methods). We illustrate the technique with a representative example.
© 2007 Elsevier B.V. All rights reserved.
Keywords: Exact real-number computation; Sequential computation; Semantics; Non-determinism; PCF
1. Introduction
This is a contribution to the problem of sequential computation with real numbers, where real numbers are taken
in the sense of constructive mathematics [2]. It is fair to say that the computability issues are well understood [34].
Here we focus on the issue of designing programming languages with a built-in, abstract data type of real numbers.
Recent research, discussed below, has shown that it is notoriously difficult to obtain sufficiently expressive languages
with sequential operational semantics and corresponding denotational semantics which articulate the data-abstraction
requirement. Based on ideas arising from constructive mathematics, Boehm and Cartwright [3], however, proposed
a compelling operational solution to the problem. Yet, their proposal falls short of providing a full solution to the
data abstraction problem, as it is not immediately clear what the corresponding denotational interpretation would
be. A partially successful attempt at solving this problem has been developed by Potts [28] and Edalat, Potts and
Sünderhauf [6], as discussed below.
*Corresponding address: Facultad de Ingeniería, División de Computación, Cerro de Coatepec s/n, Ciudad Universitaria, C.P. 50100, Toluca,
Edo. de México, México. Tel.: +52 722 2 140855x202.
E-mail addresses: jrm@cs.bham.ac.uk (J.R. Marcial-Romero), mhe@cs.bham.ac.uk (M.H. Escardó).
0304-3975/$ - see front matter © 2007 Elsevier B.V. All rights reserved.
doi:10.1016/j.tcs.2007.01.021
In light of the above, the purpose of this paper is twofold: (1) to establish the intrinsic difficulties of providing a
denotational model of Boehm and Cartwright’s operational approach, and (2) to show how it is possible to cope with
the difficulties. Before elaborating on this research programme, we pause to discuss previous work.
Di Gianantonio [14], Escardó [11], and Potts et al. [27] have introduced various extensions of the programming
language PCF with a ground type for real numbers. Each of these authors interprets the real numbers type as a variation
of the interval domain introduced by Scott [29]. In the presence of a certain parallel conditional [25], all computable
first-order functions on the reals are definable in the languages [14,8]. By further adding Plotkin’s parallel existential
quantifier [25], all computable functions of all orders become definable in the languages [14,7,10]. In the absence of
the parallel existential quantifier, the expressivity of the languages at second-order types and beyond is not known.
Partial results in this direction are developed by Normann [23].
It is natural to ask whether the presence of such parallel constructs is an artifact of the languages or whether they
are needed for intrinsic reasons. Escardó, Hofmann and Streicher [9] have shown that, in the interval domain models,
the parallelism is in fact unavoidable: weak parallel-or is definable from addition and other manifestly sequential
unary functions, which indicates that addition, in these models, is an intrinsically parallel operation. Moreover,
Farjudian [12] has shown that if the parallel conditional is removed from the language, only piecewise affine functions
on the reals are definable.
Essentially, the problem is as follows. Because computable functions on the reals are continuous (see e.g. [34]), and
because the real line is a connected space, any computable boolean-valued function on the reals is constantly true or
constantly false unless it diverges for some inputs. Hence, definitions using the sequential conditional produce either
constant total functions or partial functions. If one allows the boolean-valued functions to diverge at some inputs, then
non-trivial predicates are obtained, and this, together with the parallel conditional, allows us to define the non-trivial
total functions [11].
This phenomenon had been anticipated by Boehm and Cartwright [3], who also proposed a solution to the problem.
In this paper we develop the proposed solution and study its operational and denotational semantics. The idea is based
on the following observations. In classical mathematics, the trichotomy law “x < y, x = y or x > y” holds for any
pair of real numbers x and y, but, as is well known, it fails in constructive (and in classical recursive) mathematics.
However, the following alternative cotransitivity law holds in constructive settings: for any two numbers a < b and
any number x, at least one of the relations a < x or x < b holds. Equivalently, one has that (−∞,b) ∪ (a,∞) = R.
Boehm and Cartwright's idea is to consider a language construct rtest_{a,b}, for a < b rational, such that:
(1) rtest_{a,b}(x) evaluates to true or to false for every real number x,
(2) rtest_{a,b}(x) may evaluate to true iff x < b, and
(3) rtest_{a,b}(x) may evaluate to false iff a < x.
It is important here that evaluation never diverges for a convergent input. If the real number x happens to be in the
interval (a,b), then the specification of rtest_{a,b}(x) allows it to evaluate to true or alternatively to false. The particular
choice will depend on the particular implementation of the real number x and of the construct rtest_{a,b} (cf. [20]), and
is thus determined by the operational semantics.
As an application of the construction, we give an example of a recursive definition of a sequential program for addition,
which is single valued at total inputs, as required, but multi-valued at partial inputs. Thus, by allowing the output to
be multi-valued at partial inputs, we are able to overcome the negative results of Escardó, Hofmann and Streicher
mentioned above.
We take the view that the denotational value of rtest_{a,b}(x) lives in a suitable powerdomain of the booleans. Thus
(1) if a < x < b then the denotational value would be the set {true, false}, (2) if a ≮ x and x < b then it would be
the set {true}, and (3) if a < x and x ≮ b then it would be the set {false}. Technically, one has to be careful regarding
which subsets of the powerset are allowed, but this is tackled later in the body of the paper. One of our main results is
that the Hoare powerdomain gives a computationally adequate denotational semantics. We also show that the Plotkin
and Smyth powerdomains do not render the rtest construction continuous and hence cannot be used as models. These
and other examples of powerdomains are discussed in the body of the paper.
As is well known, Hoare semantics can be used in order to establish partial correctness only. Because computations
on the reals are infinite, one cannot decompose total correctness into the conjunction of partial correctness and
termination, as is usually done for discrete data types. Instead, we introduce a suitable operational notion of strong
convergence and show that total correctness can be proved by establishing partial correctness (using denotational
methods) and strong convergence (using operational methods). The technique is illustrated by a proof of total
correctness of our sequential program for addition. Further applications are discussed in the concluding section.
1.1. Related work
Potts [28] considers a redundant if operator (rif) for his programming language LAR (an extension of PCF with
linear fractional transformations), defined as
$$\mathrm{rif} : IC_K \times IC_F^2 \times (IC_K \to t)^2 \to t,$$
$$\mathrm{rif}\ x < (I, J)\ \text{then}\ f\ \text{else}\ g = \begin{cases} f(x), & \text{if } I \sqsubseteq x; \\ g(x), & \text{if } J \sqsubseteq x, \end{cases}$$
where K ∈ IC_{R_∞} and F is a dense subset of K. He uses the Hoare powerdomain to develop a denotational semantics
for his language and prove computational adequacy. Our work justifies this choice. Potts considers a deterministic one-
step reduction relation, while we consider a non-deterministic relation so as to have as precise a match as possible
with the denotational semantics in the case of multi-valued terms.
Edalat, Potts and Sünderhauf [6] had previously considered the denotational counterpart of Boehm and Cartwright's
operational solution. However, they restrict attention to what can be referred to as single-valued, total computations.
In particular, their computational adequacy result for their denotational semantics is restricted to this special case.
Although it is indeed natural to regard this case as the relevant one, we have already met compelling examples, such
as the fundamental operation of addition, in which sequentiality cannot be achieved unless one allows, for example,
multi-valued outputs at partial inputs.
For their denotational semantics, they consider the Smyth powerdomain of a topological space of real numbers
(which they refer to as the upper powerspace). Thus, they consider possibly non-deterministic computations of
total real numbers, restricting their attention to those which happen to be deterministic. In the work reported
here, we instead consider non-deterministic computations of total and partial real numbers. In other words, instead
of considering a powerdomain of a space of real numbers, we consider a powerdomain of a domain of partial
real numbers. Our computational adequacy result holds for general computations, total or partial, and whether
deterministic or not. For our domain of partial real numbers, we consider the interval domain proposed by Scott [29],
but the present findings are expected to apply to many possible notions of domain of partial real numbers.
Farjudian [13] has developed a programming language, which he called SHRAD, which satisfies the three
requirements mentioned at the beginning of the paper: sequentiality, data abstraction and expressivity. In his work,
he defines a sequential language in which all computable first order functions are definable. However extensionality
is traded off for sequentiality, in the sense that all computable first order functions are extensional over total real
numbers but not over partial real numbers. Hence functions such as the rounding functions, which are frequently used
in practice, cannot be defined in SHRAD.
Di Gianantonio [15] also discusses the problem of sequential real-number computation in the presence of data
abstraction, with some interesting negative results and translations of parallel languages into sequential ones.
In order to characterize computable functions on the real numbers, Brattka [4] introduces a class of relations that
includes a construction which is essentially the same as Boehm and Cartwright’s multi-valued test discussed above.
The main difference is that we articulate relations as functions with values on a powerdomain. With this, we are able
to capture higher-type computation. Moreover, as discussed above, we take a powerdomain of the interval domain,
not of the real line, and hence we are able to distinguish partiality from multi-valuedness: an interval gives a partially
specified real number, and a set of intervals collects the possible (total or partial) outputs of a non-deterministic
computation.
1.2. Organization
Section 2 presents a running example that motivates the technical development that follows. Section 3 introduces
some background. Section 4 studies the rtest construction from the point of view of powerdomains. Section 5 develops
a programming language with the rtest construction and establishes computational adequacy for the denotational
semantics developed in Section 4. Section 6 applies this to develop techniques for correctness proofs and gives sample
applications. Section 7 summarizes the main results and discusses open problems and further work.
2. Running example
In order to motivate the use of the multi-valued construction discussed in the introduction, we give an example
showing how it can be used to avoid the parallel constructions used in previous works on real-number computation.
We take the opportunity to introduce some basic concepts and constructions studied in the technical development that
follows.
In the programming language considered in [11], the average operation
(− ⊕ −): [0,1] × [0,1] → [0,1]
defined by
x ⊕ y = (x + y)/2
can be implemented as follows:
x ⊕ y = pif x < c
then pif y < c
then cons_L(tail_L(x) ⊕ tail_L(y))
else cons_C(tail_L(x) ⊕ tail_R(y))
else pif y < c
then cons_C(tail_R(x) ⊕ tail_L(y))
else cons_R(tail_R(x) ⊕ tail_R(y)).
Here
c = 1/2, L = [0,c], C = [1/4,3/4], R = [c,1],
the function cons_a: [0,1] → [0,1] is the unique increasing affine map with image the interval a, i.e.,
cons_L(x) = x/2, cons_C(x) = x/2 + 1/4, cons_R(x) = x/2 + 1/2,
and the function tail_a: [0,1] → [0,1] is a left inverse, i.e.
tail_a(cons_a(x)) = x.
More precisely, the following left inverse is taken, where κ_a is the length of a and µ_a is the left end-point of a, so that cons_a(x) = κ_a x + µ_a:
$$\mathrm{tail}_a(x) = \max\big(0, \min\big((x - \mu_a)/\kappa_a,\ 1\big)\big).$$
Because equality on real numbers is undecidable, the relation x < c is undefined (or diverges, or denotes ⊥) if x = c.
In order to compensate for this, one uses a parallel conditional such that
pif ⊥ then z else z = z.
The intuition behind the above program is the following. If both x and y are in the interval L, then we know that
x ⊕ y is in the interval L, if both x and y are in the interval R, then we know that x ⊕ y is in the interval R, and
so on. The boundary cases are taken care of by the parallel conditional. For example, 1/2 is both in L and R, and an
unfolding of the program for x = y = 1/2 gives
1/2 ⊕ 1/2 = pif ⊥
then pif ⊥
then cons_L(1 ⊕ 1)
else cons_C(1 ⊕ 0)
else pif ⊥
then cons_C(0 ⊕ 1)
else cons_R(0 ⊕ 0).
All branches of the conditionals evaluate to 1/2, but in an infinite number of steps. This can be seen as follows.
A repeated unfolding of 1 ⊕ 1 gives the infinite expression cons_R(cons_R(cons_R(...))). Denotationally speaking,
the program computes the unique fixed point of cons_R, which is 1. Operationally speaking, the first unfolding says
that the result of the computation, whatever it is, lives in the interval R, because, by definition, the image of cons_R
is R; the second unfolding says that the result is in the right half of the interval R, i.e. in the interval [3/4,1]; the third
unfolding tells us that the result is in the interval [7/8,1], and so on. Thus, the operational semantics applied to 1 ⊕ 1
produces a shrinking sequence of intervals converging to 1. The other cases are analogous.
Of course, a drawback of such a recursive definition is that, during evaluation, the number of parallel processes
grows exponentially in the number of unfoldings. In order to overcome this, we switch back to the usual sequential
conditional, and we replace the partial less-than test by the multi-valued test discussed in the introduction:
Average(x, y) = if rtest_{l,r}(x)
then if rtest_{l,r}(y)
then cons_L(Average(tail_L(x), tail_L(y)))
else cons_C(Average(tail_L(x), tail_R(y)))
else if rtest_{l,r}(y)
then cons_C(Average(tail_R(x), tail_L(y)))
else cons_R(Average(tail_R(x), tail_R(y))),
where c of the previous program splits into two points
l = 1/4, r = 3/4
and this time we choose
L = [0,r], C = [1/8,7/8], R = [l,1].
The intuition behind this program is similar. What is interesting is that, despite the use of the multi-valued
construction rtest, the overall result of the computation is single valued. In other words, different computation
paths will give different shrinking sequences of intervals, but all of them will shrink to the same number. A proof of
this fact and of the correctness of the program is provided in Section 6, using the techniques developed below. For
further examples see [22].
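The sequential Average program above, run on an explicit representation of real numbers as shrinking streams of rational intervals, as an added worked example in Python (not code from the paper). The rtest implementation follows the operational reading given in the introduction: it pulls approximations of its argument until one of the semidecidable conditions sup a < r or l < inf a is witnessed, exactly as in reduction rules (11) and (12) of Section 5.3. When both conditions hold, either answer is permitted; the `prefer` flag is an assumption of this example, not part of the paper, and only serves to make the two computation paths reproducible so that one can observe that both shrink to the same number. The stream representation, the helper names and the sample inputs are choices of this example.

```python
from fractions import Fraction as F
from itertools import islice

# Parameters of the sequential Average program: l < r and the three
# output intervals L, C, R of the second program of this section.
l, r = F(1, 4), F(3, 4)
L, C, R = (F(0), r), (F(1, 8), F(7, 8)), (l, F(1))


def cons(a, x):
    """cons_a: the increasing affine map [0,1] -> a, applied to a point."""
    lo, hi = a
    return lo + (hi - lo) * x


def tail(a, x):
    """tail_a: left inverse of cons_a, clipped to [0,1]."""
    lo, hi = a
    return max(F(0), min((x - lo) / (hi - lo), F(1)))


def map_stream(fn, a, xs):
    """Apply cons_a or tail_a end-point-wise to a stream of intervals."""
    for lo, hi in xs:
        yield fn(a, lo), fn(a, hi)


def rtest(x, prefer=True):
    """Multi-valued test rtest_{l,r} on a stream x of shrinking intervals.
    Consumes approximations until sup(a) < r (may answer true) or
    l < inf(a) (may answer false) holds, as in rules (11)/(12).  When both
    hold either answer is allowed; `prefer` (a choice of this example)
    fixes the answer so runs are reproducible."""
    for lo, hi in x:
        may_true, may_false = hi < r, l < lo
        if may_true and may_false:
            return prefer
        if may_true:
            return True
        if may_false:
            return False
    # Only reachable for a partial input (finitely many approximations).
    raise ValueError("input does not determine a real number")


def average(x, y, prefer=True):
    """Lazy stream version of Average(x, y) = (x + y)/2 from the text.
    Every yielded interval contains the result, and they shrink to it."""
    if rtest(x, prefer):
        if rtest(y, prefer):
            a, xs, ys = L, map_stream(tail, L, x), map_stream(tail, L, y)
        else:
            a, xs, ys = C, map_stream(tail, L, x), map_stream(tail, R, y)
    else:
        if rtest(y, prefer):
            a, xs, ys = C, map_stream(tail, R, x), map_stream(tail, L, y)
        else:
            a, xs, ys = R, map_stream(tail, R, x), map_stream(tail, R, y)
    yield a                                  # the result lies in a
    yield from map_stream(cons, a, average(xs, ys, prefer))


def real(q):
    """Constructed sample input: the total real q in [0,1] as a stream of
    nested intervals of halving width centred at q (clipped to [0,1])."""
    q, eps = F(q), F(1)
    while True:
        eps /= 2
        yield max(F(0), q - eps), min(F(1), q + eps)


def approximation(stream, n):
    """The n-th interval produced by a stream (0-based)."""
    return next(islice(stream, n, n + 1))


def demo(q1, q2, n=20, prefer=True):
    """Run Average on two constructed total inputs and return the n-th
    output interval together with whether it contains the exact average."""
    q1, q2 = F(q1), F(q2)
    lo, hi = approximation(average(real(q1), real(q2), prefer), n)
    return lo, hi, lo <= (q1 + q2) / 2 <= hi


if __name__ == "__main__":
    # 1/2 lies in (l, r), so both rtest answers are allowed at the first step;
    # both computation paths nevertheless shrink to the same number.
    for prefer in (True, False):
        lo, hi, ok = demo("1/2", "1/2", prefer=prefer)
        print(f"prefer={prefer}: [{lo}, {hi}] contains 1/2: {ok}")
```

Each output interval is the image of the previous one under cons_a, so the n-th approximation has width (3/4)^(n+1); with `n=20` it is already below 1/100. Feeding `average` a stream that stops after finitely many intervals raises the exception in `rtest`, which is the stream-level counterpart of a non-convergent (partial) input.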
3. Background
For domain-theoretic concepts, the reader is referred to [1,26], and for topological concepts to [32,33] (see
also [16]). Here we briefly summarize the notions and facts that are relevant to our purposes.
3.1. Continuous domains
Let P be a set with a preorder ⊑. For a subset X of P and an element x ∈ P we write
$${\downarrow}X = \{y \in P \mid y \sqsubseteq x \text{ for some } x \in X\},\quad {\uparrow}X = \{y \in P \mid x \sqsubseteq y \text{ for some } x \in X\},\quad {\downarrow}x = {\downarrow}\{x\},\quad {\uparrow}x = {\uparrow}\{x\}.$$
We also say that X is a lower set iff X = ↓X, and that X is an upper set iff X = ↑X.
Let x and y be elements of a directed complete partial order (dcpo) D. We say that x is way-below or approximates
y, denoted x ≪ y, if for every directed subset A of D, y ⊑ ⊔A implies ∃a ∈ A with x ⊑ a. We say that
x is compact if it approximates itself. We define ⇈x = {y ∈ D | x ≪ y}, ⇊x = {y ∈ D | y ≪ x} and
K(D) = {x ∈ D | x is compact}. We say that a subset B of a dcpo D is a basis for D if for every element x
of D the set ⇊x ∩ B contains a directed subset with supremum x. A dcpo is called a continuous domain or simply a
domain if it has a basis. A dcpo is called an algebraic domain if it has a basis of compact elements. An example of an
algebraic domain is the domain T⊥ = {⊥, false, true} of booleans, ordered by ⊥ ⊑ false, ⊥ ⊑ true. A function f
from a domain D to a domain E is Scott continuous if it is monotone and f(⊔A) = ⊔f(A) for all directed subsets
A of D. A Scott closed subset of a domain D is a lower set closed under a directed supremum. We say that a Scott
closed set is finitely generated if it is the lower set of a finite set. The following is easily established:
Lemma 3.1. If D is a continuous domain, C a finitely generated Scott closed subset of D and f : D → D Scott
continuous then
↓{ f (x) | x ∈ C} = cl{ f (x) | x ∈ C}.
where cl denotes topological (Scott) closure.
3.2. The interval domains R and I
The set R of non-empty compact subintervals of the Euclidean real line ordered by reverse inclusion,
x ? y iff x ⊇ y,
is a continuous domain, referred to as the interval domain. Here intervals are regarded as “partial numbers”, with the
singleton intervals playing the role of “total numbers”. If we add a bottom element to R, then R becomes a bounded
complete continuous domain R⊥. For any interval x ∈ R, we write
$$\underline{x} = \inf x \quad\text{and}\quad \overline{x} = \sup x,$$
so that x = [\underline{x}, \overline{x}]. Its length is defined by
$$\kappa_x = \overline{x} - \underline{x}.$$
A subset A ⊆ R has a least upper bound iff it has non-empty intersection, and in this case
$$\bigsqcup A = \bigcap A = \Big[\sup_{a \in A} \underline{a},\ \inf_{a \in A} \overline{a}\Big].$$
The way-below relation of R is given by
$$x \ll y \iff \underline{x} < \underline{y} \ \text{ and } \ \overline{y} < \overline{x}.$$
A basis for R is given by the intervals with distinct rational (alternatively dyadic) end-points.
The set I of all non-empty closed intervals contained in the unit interval [0,1] is a bounded complete, countably
based continuous domain, referred to as the unit interval domain. The bottom element of I is the interval [0,1].
3.3. Powerdomains
Powerdomains [24,30,31] are usually constructed as ideal completions [18] of finite subsets of basis elements.
For our purposes, it is more convenient to work with their topological representations [26,1,19], which we now
summarize. It is enough for our purposes to restrict attention to ω-continuous dcpos, which we refer to as domains in
this subsection.
A subset A of a dcpo D is called Scott closed if it is closed in the Scott topology, that is, if it is a lower set and
is closed under the formation of suprema of directed subsets. We use the notation cl(A) for the topological closure
of A, i.e. the smallest Scott closed set containing A. A lens is a non-empty set that arises as the intersection of a
Scott-closed set and a Scott compact upper subset. Here the notion of Scott compact set is to be understood in the
topological sense (every cover consisting of Scott open sets has a finite subcover). On the set of lenses of a dcpo D,
we define the topological Egli–Milner ordering ⊑_TEM by K ⊑_TEM L if L ⊆ ↑K and K ⊆ cl(L). Notice that in
a finite domain such as the flat domain of booleans, the lenses are just order-convex sets, and that the topological
Egli–Milner order coincides with the usual order-theoretical one [16]. This is because in a finite domain the closed
sets are precisely the lower sets, and all sets are compact.
The Plotkin powerdomain P_P D of a domain D consists of the lenses of D under the Egli–Milner order, and the
formal-union operation A ⊎ B is given by actual union A ∪ B followed by topological convex closure (intersection
of all convex closed sets containing it). There is a natural topological embedding η: D → P_P D given by x ↦ {x}.
The Smyth powerdomain P_S D consists of the set of non-empty Scott-compact upper subsets ordered by reverse
inclusion, with formal union given by actual union. In this case, we have a natural topological embedding η: D →
P_S D given by x ↦ ↑x.
The Hoare powerdomain P_H D consists of all non-empty Scott-closed subsets of D ordered by inclusion. Because
we use this to obtain a denotational model of our language, we consider it in more detail. Least upper bounds are
given by
$$\bigsqcup_{i \in I} A_i = \mathrm{cl} \bigcup_{i \in I} A_i.$$
The construction is the functor part of a monad, with action on continuous maps given by
$$\widehat{f} : P_H D \to P_H E,\qquad A \mapsto \mathrm{cl}\, f[A]$$
for any f: D → E. Its unit is given by
$$\eta_D : D \to P_H D,\qquad x \mapsto {\downarrow}x,$$
which is also a topological embedding. Instead of considering multiplication, one can equivalently consider the
extension operator [21, Proposition 2.14], in this case given by
$$\bar{f} : P_H D \to P_H E,\qquad A \mapsto \mathrm{cl} \bigcup_{a \in A} f(a)$$
for any continuous map f: D → P_H E. Finally, formal unions are given by actual unions as in the case of the Smyth
powerdomain:
$$A \uplus B = A \cup B.$$
4. Semantics of the multi-valued construction
In order to make the development of the introduction precise, we assume that we are given a functorial
powerdomain construction P, in a suitable category of domains, with a natural embedding
ηD: D → PD
and a continuous formal-union operation
$$(- \uplus -) : PD \times PD \to PD$$
for every domain D. Then the definition of the function rtest_{a,b}: R → PT, where a < b are real numbers, can be
formulated as
$$\mathrm{rtest}_{a,b}(x) = \begin{cases} \eta(\mathit{true}), & \text{if } x \in (-\infty, a], \\ \eta(\mathit{true}) \uplus \eta(\mathit{false}), & \text{if } x \in (a, b), \\ \eta(\mathit{false}), & \text{if } x \in [b, \infty). \end{cases}$$
Because in our language there will be computations on the reals that diverge or fail to fully specify a real number, we
need to embed the real line into a domain of total and partial real numbers. We choose to work with the domain R⊥,
where R is the interval domain introduced in Section 3. Similarly, as usual, we enlarge the domain T of booleans with
a bottom element. Hence we have to work with an extension R⊥ → PT⊥ of the above function, which we denote by
the same name, so that the following square commutes:
$$\begin{array}{ccc} R & \xrightarrow{\ \mathrm{rtest}_{a,b}\ } & PT \\ \big\downarrow & & \big\downarrow \\ R_\bot & \xrightarrow{\ \mathrm{rtest}_{a,b}\ } & PT_\bot \end{array}$$
Fig. 1. Powerdomains of T⊥.
For the moment, we do not insist on any particular extension. However, in order for a powerdomain construction
to qualify for a denotational model of the language, the minimum requirement is that it makes the rtest_{a,b} function
continuous.
Lemma 4.1. If rtest_{a,b}: R⊥ → PT⊥ is a continuous extension of the function rtest_{a,b}: R → PT, then the
inequalities
$$\eta(\mathit{true}) \sqsubseteq \eta(\mathit{true}) \uplus \eta(\mathit{false}),\qquad \eta(\mathit{false}) \sqsubseteq \eta(\mathit{true}) \uplus \eta(\mathit{false})$$
must hold in the powerdomain PT⊥.
Proof. Because the embedding R ↪ R⊥ is continuous when R is endowed with its usual topology and R⊥ with its
Scott topology, so is its composition with the function rtest_{a,b}: R⊥ → PT⊥, which we denote by r: R → PT⊥.
(This is the diagonal of the above commutative square.) In any dcpo, the relation d ⊑ e holds if and only if every
neighbourhood of d is a neighbourhood of e. Let V be a neighbourhood of t := η(true). We have to show that
n := η(true) ⊎ η(false) ∈ V. The set U := r^{-1}(V) is open in R by continuity of r: R → PT⊥. Because
r(a) = t ∈ V, we have that a ∈ r^{-1}(V) = U. Hence, because U is open in R, there is an open interval (u,v) with
a ∈ (u,v) ⊆ U. Choose x such that a < x < v and x < b, that is, such that x ∈ (a,b) ∩ (u,v) ⊆ U. By construction,
r(x) = n. But x ∈ r^{-1}(V), which shows that n ∈ V and hence that t ⊑ n, which amounts to the first inequality. The
second inequality is obtained in the same way. □
Thus, any powerdomain not satisfying the above two inequalities does not qualify for a model. In particular,
this rules out the Plotkin and Smyth powerdomains, Fig. 1. In fact, for the Plotkin powerdomain one has that
η(true) = {true} and η(false) = {false}, and their formal union is {true,false} because this set is order-convex,
but the sets {true} and {true,false} are incomparable in the Egli–Milner order. For the Smyth powerdomain, the same
sets are obtained by the embedding, formal union is given by actual union, and hence the inequalities do not hold
because the order is given by reverse inclusion. We omit routine proofs of the fact that e.g. the mixed [17] and the
sandwich [5] powerdomains also fail to satisfy the inequalities and hence to make the rtest_{a,b} construction continuous.
On the other hand, for the Hoare powerdomain, the inequalities do hold. In fact, η(true) = {true,⊥} and
η(false) = {false,⊥}, their formal union is their actual union {true,false,⊥}, and the ordering is given by inclusion.
Moreover:
Proposition 4.2. There is a continuous extension rtest^H_{a,b}: R⊥ → P_H T⊥ of the function rtest_{a,b}: R → PT.
Proof. The functions f, g: R⊥ → PT⊥ defined by
$$f(x) = \begin{cases} \eta(\mathit{true}), & \text{if } x \subseteq (-\infty, b), \\ \bot, & \text{otherwise,} \end{cases}\qquad g(x) = \begin{cases} \eta(\mathit{false}), & \text{if } x \subseteq (a, \infty), \\ \bot, & \text{otherwise,} \end{cases}$$
are easily seen to be continuous, and they are consistent because η(true) and η(false) are consistent elements. Hence
their join
$$\mathrm{rtest}^H_{a,b} = f \sqcup g$$
is well-defined and continuous. An easy verification shows that this function has the required extension property. □
As we want to match our model with the operational semantics of the construction, it would be desirable to
distinguish between the elements {true} and {true,⊥} in the model. However, the Hoare powerdomain does not
distinguish them, and, on the other hand, as we have just seen, other powerdomains do not give a continuous
interpretation of our construction. In order to overcome this problem when the Hoare powerdomain is used as a
denotational model, one usually decomposes proofs of program correctness into partial correctness and termination.
A related approach is considered in Section 6.
From now on, we denote rtest^H_{a,b}: R⊥ → P_H T⊥ simply by rtest_{a,b}. In our applications, we are only interested in
the situation 0 < a < b < 1 and the restriction of this function to the domain I of closed subintervals of the interval
[0,1], again written rtest_{a,b}: I → PT⊥.
4.0.0.1. Remark on the boundary cases of rtest. Before proceeding to the main goal of this paper, we briefly digress
to discuss a natural variation rtest′_{a,b}: R → PT of the rtest_{a,b} construction, defined by
$$\mathrm{rtest}'_{a,b}(x) = \begin{cases} \eta(\mathit{true}), & \text{if } x \in (-\infty, a), \\ \eta(\mathit{true}) \uplus \eta(\mathit{false}), & \text{if } x \in [a, b], \\ \eta(\mathit{false}), & \text{if } x \in (b, \infty). \end{cases}$$
With a proof similar to that of Lemma 4.1, we conclude that if rtest′_{a,b} is continuous then
$$\eta(\mathit{true}) \uplus \eta(\mathit{false}) \sqsubseteq \eta(\mathit{true}),\qquad \eta(\mathit{true}) \uplus \eta(\mathit{false}) \sqsubseteq \eta(\mathit{false}).$$
This rules out the Plotkin and Hoare powerdomains, but not the Smyth powerdomain. However, it is not clear what the
operational counterpart of this function would be. The function rtest_{a,b} is operationally computable because, for any
argument x given intensionally as a shrinking sequence of intervals, the computational rules systematically establish
one of the semidecidable conditions a < x and x < b. However, the conditions a ≤ x and x ≤ b are not semi-
decidable, and hence it is not immediately apparent what a computationally adequate operational semantics for rtest′
would be. But it is interesting, as pointed out by one of the referees, that the cotransitivity law given in the introduction
as a constructive justification of rtest can be equivalently formulated as "a ≤ x or x ≤ b whenever a < b". In any
case, it is not clear to us, at the time of writing, whether or how this reformulation of the cotransitivity law would lead
to a computational mechanism for rtest′.
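The finite checks behind Lemma 4.1, the comparison of powerdomains in Fig. 1 and the boundary-case remark, as an added example in Python (not code from the paper). It encodes the three powerdomains of the flat booleans T⊥ as finite posets, with the units, formal unions and orders of Section 3.3, and tests which of them satisfy the two inequalities of Lemma 4.1 and which satisfy the reversed inequalities that rtest′ would require. It also evaluates the Hoare-powerdomain function rtest^H_{a,b} = f ⊔ g of Proposition 4.2 on sample intervals and checks monotonicity on every comparable pair. Encoding ⊥ as the string "bot", the bottom of R⊥ as None, and the list of sample intervals are choices of this example.

```python
from fractions import Fraction as F

# The flat domain T_bot = {bot, false, true}, with bot below both booleans.
BOT, FALSE, TRUE = "bot", "false", "true"
T = (BOT, FALSE, TRUE)
LEQ = {(BOT, BOT), (BOT, FALSE), (BOT, TRUE), (FALSE, FALSE), (TRUE, TRUE)}


def down(S):
    """Lower closure; in a finite domain this is also the Scott closure."""
    return frozenset(y for y in T if any((y, x) in LEQ for x in S))


def up(S):
    """Upper closure."""
    return frozenset(y for y in T if any((x, y) in LEQ for x in S))


def convex(S):
    """Order-convex hull: the lenses of a finite domain are the convex sets."""
    return down(S) & up(S)


# Each powerdomain as (unit eta, formal union, order), following Section 3.3.
HOARE = dict(eta=lambda x: down({x}), union=lambda A, B: A | B,
             leq=lambda A, B: A <= B)                          # inclusion
SMYTH = dict(eta=lambda x: up({x}), union=lambda A, B: A | B,
             leq=lambda A, B: A >= B)                          # reverse inclusion
PLOTKIN = dict(eta=lambda x: frozenset({x}), union=lambda A, B: convex(A | B),
               leq=lambda K, L: L <= up(K) and K <= down(L))   # Egli-Milner


def satisfies_lemma_4_1(P):
    """eta(true) below eta(true) (+) eta(false), and likewise for false."""
    t, f = P["eta"](TRUE), P["eta"](FALSE)
    n = P["union"](t, f)
    return P["leq"](t, n) and P["leq"](f, n)


def satisfies_boundary_remark(P):
    """The reversed inequalities required by the variant rtest' of the remark."""
    t, f = P["eta"](TRUE), P["eta"](FALSE)
    n = P["union"](t, f)
    return P["leq"](n, t) and P["leq"](n, f)


def rtest_hoare(x, a, b):
    """rtest^H_{a,b} = f join g on R_bot.  x is an interval (lo, hi) of
    Fractions, or None for the bottom of R_bot; the join in P_H is union."""
    if x is None:
        return down({BOT})
    lo, hi = x
    f = down({TRUE}) if hi < b else down({BOT})     # x subset of (-inf, b)
    g = down({FALSE}) if a < lo else down({BOT})    # x subset of (a, inf)
    return f | g


def refines(x, y):
    """x below y in R_bot: y is a sub-interval of x (None is the bottom)."""
    return x is None or (y is not None and x[0] <= y[0] and y[1] <= x[1])


def monotone_on(samples, a, b):
    """Check that rtest_hoare is monotone on every comparable pair of samples."""
    return all(rtest_hoare(x, a, b) <= rtest_hoare(y, a, b)
               for x in samples for y in samples if refines(x, y))


# Constructed sample elements of R_bot (restricted to the unit interval).
SAMPLES = [None, (F(0), F(1)), (F(0), F(1, 4)), (F(1, 4), F(3, 4)),
           (F(3, 8), F(5, 8)), (F(1, 2), F(1, 2)), (F(3, 4), F(1)),
           (F(1, 4), F(1, 4)), (F(0), F(3, 4))]

if __name__ == "__main__":
    for name, P in [("Hoare", HOARE), ("Smyth", SMYTH), ("Plotkin", PLOTKIN)]:
        print(f"{name}: Lemma 4.1 {satisfies_lemma_4_1(P)}, "
              f"remark {satisfies_boundary_remark(P)}")
    print("rtest^H monotone on samples:", monotone_on(SAMPLES, F(1, 4), F(3, 4)))
```

Only the Hoare order passes the Lemma 4.1 check and only the Smyth order passes the reversed one, which is the content of Fig. 1. Note also what the Hoare encoding cannot express: `rtest_hoare` on a singleton interval below a returns {bot, true}, the same element that a computation answering true after some divergent path would denote, which is the loss of information discussed just before the remark.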
5. A programming language for sequential real-number computation
We introduce the language LRT for the rtest construction, which amounts to the language considered by
Escardó [11] with the parallel conditional removed and a constant for rtest_{a,b} added. We remark that this is a
call-by-name language. Because real-number computations are infinite, and there are no canonical forms for partial
real-number computations, it is not clear what a call-by-value operational semantics ought to be. We leave this as an
open problem.
5.1. Syntax
The language LRT is an extension of PCF with a ground type for real numbers and suitable primitive functions for
real-number computation. Its raw syntax is given by
x ∈ Variable,
t ::= nat | bool | I | t → t,
P ::= x | n | true | false | (+1)(P) | (−1)(P) | (= 0)(P) | if P then P else P | cons_a(P) | tail_a(P) | rtest_{a,b}(P) | λx : t.P | PP | YP,
where the subscripts of the constructs cons, tail are rational intervals and those of rtest are rational numbers. (We
apologize for using the letters a and b to denote numbers and intervals in different contexts.) Terms of ground type I
are intended to compute real numbers in the unit interval.
It is convenient for our purposes to first define the denotational and then the operational semantics.
5.2. Denotational semantics
The ground types bool, nat and I are interpreted as the Hoare powerdomain of the domains of booleans, natural
numbers and intervals, respectively. Function types are interpreted as function spaces in the category of dcpos:
$$[\![\mathit{bool}]\!] = P_H T_\bot,\qquad [\![\mathit{nat}]\!] = P_H \mathbb{N}_\bot,\qquad [\![I]\!] = P_H I,\qquad [\![\sigma \to \tau]\!] = [\![\sigma]\!] \to [\![\tau]\!].$$
This reflects the fact that we are considering a call-by-name language.
The interpretation of constants in LRT is defined as follows:
$$[\![\mathit{true}]\!] = \eta(\mathit{true}),\qquad [\![\mathit{false}]\!] = \eta(\mathit{false}),\qquad [\![n]\!] = \eta(n),$$
$$[\![(+1)]\!] = \widehat{(+1)},\qquad [\![(-1)]\!] = \widehat{(-1)},\qquad [\![(=0)]\!] = \widehat{(=0)},\qquad [\![\mathrm{cons}_a]\!] = \widehat{\mathrm{cons}_a},\qquad [\![\mathrm{tail}_a]\!] = \widehat{\mathrm{tail}_a},\qquad [\![\mathrm{rtest}_{a,b}]\!] = \mathrm{rtest}_{a,b},$$
$$[\![\mathit{if}]\!](B, X, Y) = \begin{cases} X, & \text{if } B = \eta(\mathit{true}), \\ Y, & \text{if } B = \eta(\mathit{false}), \\ X \uplus Y, & \text{if } B = \eta(\mathit{true}) \uplus \eta(\mathit{false}), \\ \bot, & \text{if } B = \bot, \end{cases}\qquad [\![Y]\!](F) = \bigsqcup_{n \ge 0} F^n(\bot).$$
Here the symbols η, \widehat{(\cdot)} and ⊎ are defined as in Section 3.3, the functions (+1), (−1), (= 0) are the standard interpretations
in the Scott model of PCF, the functions cons_a, tail_a are defined in Section 2, and the function rtest_{a,b} is defined in
Section 4.
5.3. Operational semantics
We consider a small-step style operational semantics for our language. We define the one-step reduction relation
→ to be the least relation containing the one-step reduction rules for evaluation of PCF [25] together with those given
below.
130 J.R. Marcial-Romero, M.H. Escard´ o / Theoretical Computer Science 379 (2007) 120–141
We first need some preliminaries. For intervals a and b in I, we define
$ab = \mathit{cons}_a(b)$,
where cons is the extension to the interval domain of the function defined in Section 2. This operation is associative, and has the bottom element of I as its neutral element [11]:
$(ab)c = a(bc)$, $\qquad a\bot = \bot a = a$.
Moreover,
$a \sqsubseteq b \iff \exists c \in I.\ ac = b$,
and this c is unique if a has non-zero length, i.e. it is not maximal, and in this case we denote c by $b \setminus a$.
For intervals a and b, we define
$a \le b \iff \overline{a} \le \underline{b}$
and
$a \uparrow b \iff \exists c.\ a \sqsubseteq c \text{ and } b \sqsubseteq c$.
With this notation, the rules for Real PCF as defined in [11] are:

(1) $\mathit{cons}_a(\mathit{cons}_b M) \to \mathit{cons}_{ab} M$
(2) $\mathit{cons}_a M \to \mathit{cons}_a M'$ if $M \to M'$ and (1) is not applicable
(3) $\mathit{tail}_a(\mathit{cons}_b M) \to Y\mathit{cons}_L$ if $b \le a$
(4) $\mathit{tail}_a(\mathit{cons}_b M) \to Y\mathit{cons}_R$ if $b \ge a$
(5) $\mathit{tail}_a(\mathit{cons}_b M) \to \mathit{cons}_{b \setminus a} M$ if $a \sqsubseteq b$ and $a \ne b$
(6) $\mathit{tail}_a(\mathit{cons}_b M) \to \mathit{cons}_{(a \sqcup b) \setminus a}(\mathit{tail}_{(a \sqcup b) \setminus b} M)$ if $a \uparrow b$, $a \not\sqsubseteq b$, $b \not\sqsubseteq a$, $b \not\le a$ and $a \not\le b$
(7) $\mathit{tail}_a(M) \to \mathit{tail}_a(M')$ if $M \to M'$ and (3)–(6) are not applicable
(8) $\mathit{if}\ \mathit{true}\ M\ N \to M$
(9) $\mathit{if}\ \mathit{false}\ M\ N \to N$
(10) $\mathit{if}\ M\ N_1 N_2 \to \mathit{if}\ M'\ N_1 N_2$ if $M \to M'$ and (8), (9) are not applicable

For our language LRT, we add:

(11) $\mathit{rtest}_{b,c}(\mathit{cons}_a M) \to \mathit{true}$ if $\overline{a} < c$,
(12) $\mathit{rtest}_{b,c}(\mathit{cons}_a M) \to \mathit{false}$ if $b < \underline{a}$,
(13) $\mathit{rtest}_{b,c} M \to \mathit{rtest}_{b,c} M'$ if $M \to M'$.

Remark 5.1. (1) Rule 1 plays a crucial role and amounts to the associativity law. The idea is that both a and b give partial information about a real number, and ab is the result of gluing the partial information together in an incremental way. See the paper [11] for a further discussion, including a geometrical interpretation.
(2) Notice that if the interval a is contained in the interval [b,c], rules 11 and 12 can be applied.
(3) Rules 11–13 cannot be made deterministic given the particular computational adequacy formulation which is proved in Section 5.4. We shall show that the set of rewrite rules is rich enough to allow one to derive operationally everything that the denotational semantics suggests. This does not mean that we are giving a specification for an implementation of LRT. In the absence of $\mathit{rtest}_{b,c}$, rules 1–10 are deterministic without loss of computational adequacy. See Section 6 for a further discussion.
(4) In practice, one would like to avoid divergent computations by considering a strategy for application of the rules. This is the topic of Section 6 where we study total correctness. For the purposes of this section, we consider the non-deterministic view.
We now introduce a notion of operational meaning of a term, where the operational values are taken in a powerdomain too. The difference between this operational semantics and the denotational semantics given above is that the former is obtained by reduction but the latter is obtained, as usual, by compositional means.
Definition 5.2. Firstly, we define the operational meaning of closed terms M of ground types γ in i steps of computation, written $[M]_i$, which is to be an element of the domain $\llbracket \gamma \rrbracket$.
If M : I, then we define
$[M]_i = \bigcup \{ \eta(a) \mid \exists M' \exists k \le i.\ M \to^k \mathit{cons}_a M' \}$.
(If this set is empty, then of course $[M]_i = \bot$.) Here the relation $\to^k$ denotes the k-fold composition of the relation $\to$.
If M : nat, then we define
$[M]_i = \bigcup \{ \eta(n) \mid \exists k \le i.\ M \to^k n \}$
if this set is non-empty, and $[M]_i = \bot$ otherwise. The operational meaning of M : bool is defined similarly.
It is immediate that $[M]_i \sqsubseteq [M]_{i+1}$. Hence we can define
$[M] = \bigsqcup_i [M]_i$.
Of course, only in the case of the ground type of real numbers is this definition non-trivial, but it is convenient to have a uniform treatment for all types.
5.4. Computational adequacy
In our setting, computational adequacy amounts to the equation $[M] = \llbracket M \rrbracket$ for all closed terms M of ground type, where $[M]$ is the operational meaning of M and $\llbracket M \rrbracket$ is the denotational meaning of M defined above.
For a deterministic language such as PCF, soundness of the denotational semantics follows from the fact that $M \to N$ implies $\llbracket M \rrbracket = \llbracket N \rrbracket$. For our non-deterministic language, we rely on the following:
Lemma 5.3. $\llbracket M \rrbracket = \bigcup \{ \llbracket N \rrbracket \mid M \to N \}$ (notice that this is a finite union).
Proof. The proof is by structural induction on M.
If M is a value, there is nothing to prove.
Suppose $M \equiv (-1)M'$ and $M \to N$; there are three rules that apply to the predecessor.
First case: $M \equiv (-1)k_0$ and $(-1)k_0 \to k_0 \equiv N$,
$$\llbracket (-1)k_0 \rrbracket = \widehat{(-1)}\llbracket k_0 \rrbracket = \widehat{(-1)}\{0,\bot\} = \mathrm{cl}\{(-1)0, (-1)\bot\} = \mathrm{cl}\{0,\bot\} = \{0,\bot\} = \llbracket k_0 \rrbracket = \llbracket N \rrbracket.$$
Second case: $M \equiv (-1)k_{n+1} \to k_n \equiv N$,
$$\llbracket (-1)k_{n+1} \rrbracket = \widehat{(-1)}(\llbracket k_{n+1} \rrbracket) = \widehat{(-1)}\{n+1,\bot\} = \mathrm{cl}\{(-1)(n+1), (-1)\bot\} = \mathrm{cl}\{n,\bot\} = \{n,\bot\} = \llbracket k_n \rrbracket = \llbracket N \rrbracket.$$
Third case: $M \equiv (-1)M'$ and $M \to (-1)N'$ if $M' \to N'$. By the induction hypothesis, $\llbracket M' \rrbracket = \bigcup \{ \llbracket N' \rrbracket \mid M' \to N' \}$; applying $\widehat{(-1)}$ to both sides of the equation:
$$\llbracket M \rrbracket = \llbracket (-1)M' \rrbracket = \widehat{(-1)}\llbracket M' \rrbracket = \widehat{(-1)}\Big(\bigcup \{ \llbracket N' \rrbracket \mid M' \to N' \}\Big) = \bigcup \{ \widehat{(-1)}\llbracket N' \rrbracket \mid M' \to N' \} = \bigcup \{ \llbracket (-1)N' \rrbracket \mid M' \to N' \},$$
as we wanted.
The proof for the other constants follows similarly, except for $\mathit{rtest}_{a,b}$, whose proof we include below.
Suppose $M = \mathit{rtest}_{p,q}(M')$. There are three possible cases:
First case: M is of the form $\mathit{rtest}_{p,q}(M')$ where $M'$ is not a $\mathit{cons}_a$ term. Hence, the only single-step reductions available are of the form $M \to \mathit{rtest}_{p,q} N'$ where $M' \to N'$. As the semantics of $\mathit{rtest}_{p,q}$ is $\mathit{rtest}_{p,q}$, we get
$$\llbracket M \rrbracket = \mathit{rtest}_{p,q}\llbracket M' \rrbracket = \mathit{rtest}_{p,q}\Big(\bigcup \{ \llbracket N' \rrbracket \mid M' \to N' \}\Big) = \bigcup \{ \mathit{rtest}_{p,q}\llbracket N' \rrbracket \mid M' \to N' \} = \bigcup \{ \llbracket \mathit{rtest}_{p,q} N' \rrbracket \mid M' \to N' \}.$$
Second case: M is of the form $\mathit{rtest}_{p,q}(\mathit{cons}_a(M''))$. Note that the above equality still holds but the last $\bigcup$ does not exhaust the single-step derivations. Furthermore,
$$\llbracket M \rrbracket = \mathit{rtest}_{p,q}(\llbracket \mathit{cons}_a(M'') \rrbracket) \sqsupseteq \mathit{rtest}_{p,q}(a).$$
As $\cup$ is inflationary, we can throw smaller terms into the above equation:
$$\llbracket M \rrbracket = \mathit{rtest}_{p,q}(a) \cup \Big(\bigcup \{ \llbracket \mathit{rtest}_{p,q} N' \rrbracket \mid M' \to N' \}\Big).$$
Now $\mathit{rtest}_{p,q}(a)$ is exactly the set $\bigcup \{ \llbracket b \rrbracket \mid M \to b \text{ and } b \in \{\mathit{true},\mathit{false}\} \}$. Since the last expression exhausts the terms that are single-step derivable from M, we are done with this case. □
Lemma 5.4 (Soundness). For all closed terms M of ground type,
$[M] \sqsubseteq \llbracket M \rrbracket$.
Proof. It suffices to show that, for all closed terms M of ground type,
$[M]_i \sqsubseteq \llbracket M \rrbracket$.
Let $b \in [M]_i$, $b \ne \bot$. By definition, $b \sqsubseteq a$ for some a and $M'$ such that $M \to^i \mathit{cons}_a M'$. Hence, by induction on the length j of the evaluation using the previous lemma, for every j, $\llbracket M \rrbracket = \bigcup \{ \llbracket N \rrbracket \mid M \to^j N \}$. Because $\widehat{\mathit{cons}_a}\llbracket M' \rrbracket = \llbracket \mathit{cons}_a M' \rrbracket$, Lemma 5.3 shows that $b \in {\downarrow}\llbracket \mathit{cons}_a M' \rrbracket$. Therefore $b \in \llbracket M \rrbracket$ because $a \sqsubseteq \mathit{cons}_a(x)$ for all $x \in I$, and in particular for all $x \in \llbracket M' \rrbracket$. □
In order to establish completeness, we proceed as in [25,11].
Definition 5.5. We define a notion of computability for closed terms by induction on types as follows:
(1) A closed term M of ground type is computable whenever $\llbracket M \rrbracket \sqsubseteq [M]$,
(2) A closed term $M : \sigma \to \tau$ is computable whenever $MQ : \tau$ is computable for every closed computable term Q of type σ.
An open term M : σ with free variables $x_1,\ldots,x_n$ of type $\sigma_1,\ldots,\sigma_n$ is computable whenever $[N_1/x_1]\cdots[N_n/x_n]M$ is computable for every family $N_i : \sigma_i$ of closed computable terms.
Because $P_H(D)$ is a continuous domain if D is, we have:
Lemma 5.6. A closed term M of ground type is computable iff for every $X \ll \llbracket M \rrbracket$ there is i with $X \sqsubseteq [M]_i$.
Proof. (⇒) Suppose that M is computable and let $X \ll \llbracket M \rrbracket$. We have that $[M]_1 \sqsubseteq [M]_2 \sqsubseteq \cdots$ is a chain whose supremum is $[M]$, and hence there is i with $X \sqsubseteq [M]_i$. (⇐) By continuity of the Hoare powerdomain of a continuous domain, in order to show that $\llbracket M \rrbracket \sqsubseteq [M]$, it suffices to show that for all $X \ll \llbracket M \rrbracket$, $X \sqsubseteq [M]$. But this holds by hypothesis. □
Recall the following from domain theory [1,16].
Lemma 5.7. For any continuous function $f : D \to E$ of continuous dcpos, if $y \ll f(x)$ then there is $x' \ll x$ with $y \ll f(x')$.
Lemma 5.8 (Completeness). Every term is computable.
Proof. The proof is by structural induction on the formation rules of terms.
Constants: (1) $\mathit{rtest}_{p,q}$ is computable:
We have to show that
$\llbracket \mathit{rtest}_{p,q} M \rrbracket \sqsubseteq [\mathit{rtest}_{p,q} M]$
for computable M. So
$$\begin{aligned}
\llbracket \mathit{rtest}_{p,q} M \rrbracket &= \mathit{rtest}_{p,q}\llbracket M \rrbracket \sqsubseteq \mathit{rtest}_{p,q}[M] = \mathit{rtest}_{p,q}\Big(\bigsqcup_i [M]_i\Big) = \bigsqcup_i \mathit{rtest}_{p,q}[M]_i \\
&= \bigsqcup_i \mathit{rtest}_{p,q}\Big(\bigcup \{ \eta(a) \mid \exists M' \exists k \le i.\ M \to^k \mathit{cons}_a M' \}\Big) \\
&= \bigsqcup_i \bigcup \{ \mathit{rtest}_{p,q}(\eta(a)) \mid \exists M' \exists k \le i.\ M \to^k \mathit{cons}_a M' \} \\
&= \bigsqcup_i \bigcup \{ \mathit{rtest}_{p,q}(a) \mid \exists M' \exists k \le i.\ M \to^k \mathit{cons}_a M' \}.
\end{aligned}$$
But when $M \to^k \mathit{cons}_a M'$ holds, so does $\mathit{rtest}_{p,q}(a) \sqsubseteq [\mathit{rtest}_{p,q} M]_{k+1} \sqsubseteq [\mathit{rtest}_{p,q} M]$. So the directed sup of formal joins also lies below $[\mathit{rtest}_{p,q} M]$.
(2) if is computable:
We have to show that
$\llbracket \mathit{if}\ L\ M\ N \rrbracket \sqsubseteq [\mathit{if}\ L\ M\ N]$.
Suppose $\eta(\mathit{true}) \sqsubseteq \llbracket L \rrbracket$. By the induction hypothesis, $\llbracket L \rrbracket \sqsubseteq [L]$, so $L \to^l \mathit{true}$ for some l. Thus $\mathit{if}\ L\ M\ N \to^{l+1} M$. Hence, $\llbracket M \rrbracket \sqsubseteq [\mathit{if}\ L\ M\ N]$. Similarly, if $\eta(\mathit{false}) \sqsubseteq \llbracket L \rrbracket$, then $\llbracket N \rrbracket \sqsubseteq [\mathit{if}\ L\ M\ N]$. Now, we need the four cases of the proof: if $\llbracket L \rrbracket = \eta(\bot)$, then $\llbracket \mathit{if}\ L\ M\ N \rrbracket = \eta(\bot)$; if $\llbracket L \rrbracket = \eta(\mathit{true})$, then $\llbracket \mathit{if}\ L\ M\ N \rrbracket = \llbracket M \rrbracket$; if $\llbracket L \rrbracket = \eta(\mathit{false})$, then $\llbracket \mathit{if}\ L\ M\ N \rrbracket = \llbracket N \rrbracket$; and if $\llbracket L \rrbracket = \eta(\mathit{true}) \cup \eta(\mathit{false})$, then $\llbracket \mathit{if}\ L\ M\ N \rrbracket = \llbracket M \rrbracket \cup \llbracket N \rrbracket$. Because $\cup$ is inflationary (and $\eta(\bot)$ is the identity for it), in all four cases $\llbracket \mathit{if}\ L\ M\ N \rrbracket \sqsubseteq [\mathit{if}\ L\ M\ N]$.
(3) $\mathit{cons}_a$ is computable:
We have to show that if M is computable, then so is $\mathit{cons}_a M$. Assume that $\llbracket \mathit{cons}_a M \rrbracket \ne \bot$ for a computable term M of type I. Let $Y \ll \llbracket \mathit{cons}_a M \rrbracket = \widehat{\mathit{cons}_a}\llbracket M \rrbracket$. We need to show that there is i with $Y \sqsubseteq [\mathit{cons}_a M]_i$. By Lemma 5.7, there is $X \ll \llbracket M \rrbracket$ with $Y \ll \widehat{\mathit{cons}_a}X$. As M is computable, there is j such that $X \sqsubseteq [M]_j$.  Because $Y \ll \widehat{\mathit{cons}_a}X$ and by monotonicity of $\widehat{\mathit{cons}_a}$, we have that $Y \ll \widehat{\mathit{cons}_a}[M]_j$. So for every $y \in Y$, there is $m \in \widehat{\mathit{cons}_a}[M]_j$ with $y \ll m$. Let $m \in \widehat{\mathit{cons}_a}[M]_j$; by Lemma 3.1 there is $t \in [M]_j$ with $m \sqsubseteq \mathit{cons}_a(t) = at$. Because there is $t \in [M]_j$, we deduce that there is $M'$ such that the reduction $M \to^k \mathit{cons}_t M'$, $k \le j$ holds, and so $\mathit{cons}_a M \to^k \mathit{cons}_a(\mathit{cons}_t M') \to^1 \mathit{cons}_{at} M'$. Hence we can take $i = j + 1$.
(4) $\mathit{tail}_a$ is computable:
We have to show that if M is computable, then so is $\mathit{tail}_a M$. Assume that $\llbracket \mathit{tail}_a M \rrbracket \ne \bot$ for a computable term M of type I. Let $Y \ll \llbracket \mathit{tail}_a M \rrbracket = \widehat{\mathit{tail}_a}\llbracket M \rrbracket$. We need to show that there is i with $Y \sqsubseteq [\mathit{tail}_a M]_i$. By Lemma 5.7, there is $X \ll \llbracket M \rrbracket$ with $Y \ll \widehat{\mathit{tail}_a}X$. As M is computable, there is j such that $X \sqsubseteq [M]_j$. Because $Y \ne \{\bot\}$, it follows that $[M]_j \not\sqsubseteq \{a\}$ in the Egli–Milner order, since if $[M]_j \sqsubseteq \{a\}$ then $Y \ll \widehat{\mathit{tail}_a}X \sqsubseteq \widehat{\mathit{tail}_a}[M]_j \sqsubseteq \widehat{\mathit{tail}_a}\{a\} = \mathrm{cl}\{\bot\} = \{\bot\}$. Then exactly one of the following four cases holds:
(a) $[M]_j \le \{a\}$: Then since $X \sqsubseteq [M]_j$, we have that $\widehat{\mathit{tail}_a}X \sqsubseteq \widehat{\mathit{tail}_a}[M]_j$ and since $Y \ll \widehat{\mathit{tail}_a}X$, we have $Y \ll \widehat{\mathit{tail}_a}[M]_j$. So for every $y \in Y$, there is $m \in \widehat{\mathit{tail}_a}[M]_j$ with $y \ll m$. Let $m \in \widehat{\mathit{tail}_a}[M]_j$, so by Lemma 3.1 there is $t \in [M]_j$ with $m \sqsubseteq \mathit{tail}_a t$. Because there is $t \in [M]_j$ it follows that there is $M'$ such that $M \to^k \mathit{cons}_t M'$, $k \le j$ holds. Because $[M]_j \le \{a\}$ we conclude that $\mathit{tail}_a M \to^k \mathit{tail}_a(\mathit{cons}_t M') \to^1 Y\mathit{cons}_L$. Hence we can take $i = k + 1$.
(b) $\{a\} \le [M]_j$: Similar to (a).
(c) $\{a\} \sqsubseteq [M]_j$: Then since $X \sqsubseteq [M]_j$, we have that $\widehat{\mathit{tail}_a}X \sqsubseteq \widehat{\mathit{tail}_a}[M]_j = \{ b \setminus a \mid b \in [M]_j \}$ and since $Y \ll \widehat{\mathit{tail}_a}X$, we have that $Y \ll \widehat{\mathit{tail}_a}[M]_j$. So for every $y \in Y$, there is $m \in \widehat{\mathit{tail}_a}[M]_j$ with $y \ll m$. Let $m \in \widehat{\mathit{tail}_a}[M]_j$, so there is $t \in [M]_j$ with $m \sqsubseteq \mathit{tail}_a t = t \setminus a$. Because there is $t \in [M]_j$ it follows that there is $M'$ such that $M \to^k \mathit{cons}_t M'$, $k \le j$ holds. We conclude that $\mathit{tail}_a M \to^k \mathit{tail}_a(\mathit{cons}_t M') \to^1 \mathit{tail}_m M'$. Hence we can take $i = k + 1$.
(d) $\{a\} \uparrow [M]_j$: Then since $X \sqsubseteq [M]_j$, we have that $\widehat{\mathit{tail}_a}X \sqsubseteq \widehat{\mathit{tail}_a}[M]_j = \{ (a \sqcup b) \setminus a \mid b \in [M]_j \}$ and since $Y \ll \widehat{\mathit{tail}_a}X$, we have that $Y \ll \widehat{\mathit{tail}_a}[M]_j$. So for every $y \in Y$, there is $m \in \widehat{\mathit{tail}_a}[M]_j$ with $y \ll m$. Let $m \in \widehat{\mathit{tail}_a}[M]_j$, so there is $t \in [M]_j$ with $m \sqsubseteq \mathit{tail}_a t = (a \sqcup t) \setminus a$. Because there is $t \in [M]_j$ it follows that there is $M'$ such that the reduction $M \to^k \mathit{cons}_t M'$, $k \le j$ holds. We conclude that $\mathit{tail}_a M \to^k \mathit{tail}_a(\mathit{cons}_t M') \to^1 \mathit{tail}_m M'$. Hence we can take $i = k + 1$.
(5) For $M \equiv (+1), (-1), (=0)$ the proof is similar to the if case.
(6) If M is computable so is $\lambda\alpha M$:
We must show that $L N_1 \ldots N_n$ is computable whenever $N_1, \ldots, N_n$ are closed computable terms and L is a closed instantiation of $\lambda\alpha M$ by computable terms. Here L must have the form $\lambda\alpha M'$ where $M'$ is an instantiation of all free variables of M, except α, by closed computable terms.
If $P \ll \llbracket L N_1 \ldots N_n \rrbracket$ then we have $P \ll \llbracket [N_1/\alpha]M' N_2 \ldots N_n \rrbracket = \llbracket L N_1 \ldots N_n \rrbracket$. But $[N_1/\alpha]M'$ is computable and so therefore is $[N_1/\alpha]M' N_2 \ldots N_n$. Hence there is j with $P \sqsubseteq [[N_1/\alpha]M' N_2 \ldots N_n]_j$. Since $L N_1 \ldots N_n \to [N_1/\alpha]M' N_2 \ldots N_n$ and the reduction relation preserves meanings, in order to evaluate $L N_1 \ldots N_n$ it suffices to evaluate $[N_1/\alpha]M' N_2 \ldots N_n$. Hence we can take $i = j$.
(7) $Y_\sigma$ is computable:
In order to prove that $Y_\sigma$ is computable it suffices to show that the term
$Y_{(\sigma_1,\ldots,\sigma_k,PI)} N_1 \cdots N_k$
is computable whenever $N_1 : \sigma_1, \ldots, N_k : \sigma_k$ are closed computable terms. It follows from (6) above that the terms
$Y^{(n)}_\sigma := \lambda f.\, f^n(\bot)$
are computable, because the proof of computability of $Y^{(n)}_\sigma$ depends only on the fact that variables are computable and that the combination and abstraction formation rules preserve computability.
Let $P \ll \llbracket Y N_1 \cdots N_k \rrbracket$ be different from ⊥. Because $\llbracket Y \rrbracket = \bigsqcup_n \llbracket Y^{(n)} \rrbracket$, by a basic property of the way-below relation of any continuous dcpo, there is some n such that $P \ll \llbracket Y^{(n)} N_1 \cdots N_k \rrbracket$. Since $Y^{(n)}$ is computable, there is j with $P \sqsubseteq [Y^{(n)} N_1 \cdots N_k]_j$, so there is a term M with $Y^{(n)} N_1 \cdots N_k \to^j \mathit{cons}_c M$. Using the syntactic information order (see [25,11]) and Lemma 5.9 below, from $Y^{(n)} \sqsubseteq Y$ we have that $Y N_1 \cdots N_k \to^j \mathit{cons}_c M$ for some M, and therefore we can take $i = j$. □
As in the last part of the above proof, we denote the syntactic order by $\sqsubseteq$ (see [25] or [11]).
Lemma 5.9. If $M \sqsubseteq N$ and $M \to M_1, M \to M_2, \ldots, M \to M_n$ then either $\forall i,\ M_i \sqsubseteq N$, $1 \le i \le n$, or else for some terms $N_1, N_2, \ldots, N_m$, $N \to N_1, N \to N_2, \ldots, N \to N_m$, and $\forall M_i\, \exists N_j,\ M_i \sqsubseteq N_j$, $1 \le i \le n$, $1 \le j \le m$.
Proof. The case that we must consider is the one that involves $\mathit{rtest}_{a,b}$. The other cases are treated as in Real PCF.
(1) $\mathit{rtest}_{a,b} M \sqsubseteq \mathit{rtest}_{a,b} M$ holds by definition.
(2) $M \equiv \mathit{rtest}_{a,b} M' \sqsubseteq \mathit{rtest}_{a,b} M'' \equiv N$ and $M \to \mathit{true}$. These conditions hold if $\mathit{rtest}_{a,b} M' \to \mathit{rtest}_{a,b}(\mathit{cons}_c M''')$ and $\overline{c} < b$. By the induction hypothesis, $M' \to M''$ so $\mathit{rtest}_{a,b} M'' \to \mathit{rtest}_{a,b}(\mathit{cons}_d M^{iv})$ where $\overline{d} < b$, so $\mathit{rtest}_{a,b} M'' \to \mathit{true}$ and $\mathit{true} \sqsubseteq \mathit{true}$.
(3) $M \equiv \mathit{rtest}_{a,b} M' \sqsubseteq \mathit{rtest}_{a,b} M'' \equiv N$ and $M \to \mathit{false}$. Similar to the previous case.
(4) $M \equiv \mathit{rtest}_{a,b} M' \sqsubseteq \mathit{rtest}_{a,b} M'' \equiv N$ and $M \to \mathit{true}$, $M \to \mathit{false}$. These follow if $\mathit{rtest}_{a,b} M \to \mathit{rtest}_{a,b}(\mathit{cons}_c M''')$ and $a < \underline{c}$, $\overline{c} < b$. By the induction hypothesis, $M' \to M''$ so $\mathit{rtest}_{a,b} M'' \to$
$\mathit{rtest}_{a,b}(\mathit{cons}_d M^{iv})$ where $a < \underline{d}$ and $\overline{d} < b$, so $\mathit{rtest}_{a,b} M'' \to \mathit{true}$, $\mathit{rtest}_{a,b} M'' \to \mathit{false}$ and $\mathit{true} \sqsubseteq \mathit{true}$, $\mathit{false} \sqsubseteq \mathit{false}$. □
In summary:
Theorem 5.10. Computational adequacy holds; that is, for every closed term M of ground type, the operational and denotational meanings of M coincide:
$[M] = \llbracket M \rrbracket$.
6. Program correctness
We now develop tools for establishing correctness of LRT programs. In order to show that a given program is
correct with respect to a given specification, we show that
(1) if it converges, then it satisfies the specification, and
(2) it in fact converges.
In our examples, condition (1) will be achieved by applying the denotational semantics with the aid of computational
adequacy, and condition (2) will be achieved using the operational semantics directly. Hence our first task is to define
a suitable operational notion of convergence for terms of real-number type.
Firstly, notice that the operational semantics defined in Section 5.3 allows divergence when rule 13 for $\mathit{rtest}_{a,b}$ is applied infinitely often. But the only purpose of this rule is to get a sufficiently precise approximation of the argument, so that rules 11 and/or 12 can be eventually applied, provided such an approximation exists. Hence we agree that we do not apply rule 13 for $\mathit{rtest}_{a,b}$ infinitely often unless rules 11–12 are never applicable.
Definition 6.1. The subrelation of the reduction relation → that arises in this way will be denoted by ⇒.
Secondly, in the case of a term of the form rtesta,b(M), after finitely many applications of rule 13 to compute an
approximation of the argument M, we will have three situations:
(1) Both rules 11 and 12 become applicable.
(2) One and only one of the rules 11 and 12 becomes applicable.
(3) It is still not possible to apply rules 11 and 12, and hence one should keep applying rule 13, getting better and
better approximations of M, either
(a) for ever, or
(b) so that we eventually arrive at one of the previous situations (1) or (2), and the computation converges to a
truth value.
If the situation (3a) may take place, we say that the term may diverge, and otherwise, that it must converge. If the
situation (1) takes place, we may imagine that the computation bifurcates into two subcomputations, each of which
will give an answer or diverge. For our definition of strong convergence, to be given below, we require that both
converge. In practice, an implementation of the language will typically choose one of the branches, according to some
strategy, which will not necessarily be known to the programmer, and such a branch will then lead to an answer or
divergence. In this case, the programmer has to ensure that any possible answer satisfies the desired specification, or
that both branches will in fact lead to the same answer (as will be the case with our running example).
In theory, if situation (2) takes place, one can carry on with the computation produced by the corresponding branch,
and, at the same time, repeatedly apply rule 13 in parallel so that maybe the other rule becomes applicable too and
one has two computations as in situation (1). This corresponds to the relation ⇒ defined above.
In practice, we work with a deterministic, but unspecified strategy, as follows:
Definition 6.2. A strategy is a subrelation $\rightsquigarrow$ of $\Rightarrow$ such that
(1) $\rightsquigarrow$ is single valued, i.e. for any M there is at most one N such that $M \rightsquigarrow N$,
(2) if there is an N such that $M \Rightarrow N$, then there is also an N such that $M \rightsquigarrow N$.
Notice that the only reason the relation $\Rightarrow$ is multi-valued is the presence of rules 11 and 12. In summary, the relation $\Rightarrow$ removes inessential infinite computations from $\to$, and $\rightsquigarrow$ gives a deterministic strategy for the application of $\to$:
$(\rightsquigarrow) \subseteq (\Rightarrow) \subseteq (\to)$.
Here are some examples of deterministic relations $\rightsquigarrow$:
(1) At each stage of the reduction of a term, apply the first applicable rule, for the ordering of the rules given in
Section 5.3.
(2) The same strategy as (1), but swapping the order of the first two rules for $\mathit{rtest}_{a,b}$.
(3) Fix a stream of binary digits. Whenever more than one of the first two rules for $\mathit{rtest}_{a,b}$ is applicable, use the next digit of the stream to decide which should be applied.
(4) Fix a stream of binary digits and a stream of natural numbers. Whenever a term of the form $\mathit{rtest}_{a,b}(M)$ is found, read a natural number n from the second stream, then apply rule 13 for $\mathit{rtest}_{a,b}$ n times. If only one of the two rules 11 and 12 becomes applicable, apply it. If both are applicable, use the next digit from the first stream to decide which of them to apply. If neither is applicable, repeat the same procedure.
It is easy to see that for any closed term M of real-number type, there is at least one term N such that $M \Rightarrow N$, and hence there is at least one term N such that $M \rightsquigarrow N$. Hence, because the relation $\rightsquigarrow$ is assumed to be single valued, there is a unique infinite reduction sequence $M = M_0 \rightsquigarrow M_1 \rightsquigarrow M_2 \rightsquigarrow M_3 \rightsquigarrow \cdots$. By the following lemma, if $M_i$ is of the form $\mathit{cons}_{a_i}(M'_i)$ then $M_{i+1}$ must be of the form $\mathit{cons}_{a_{i+1}} M'_{i+1}$ with $a_i \sqsubseteq a_{i+1}$. For a closed term M of ground type other than I, such a reduction may be finite, leading to a truth value or natural number, or infinite, leading to divergence.
Lemma 6.3. If a term M is of the form $\mathit{cons}_a M'$ and $M \rightsquigarrow^* N$ then N is of the form $\mathit{cons}_b N'$ with $a \sqsubseteq b$.
Proof. By case analysis of the reduction rules for $\mathit{cons}_a$. According to the complete set of rules that define the operational semantics [11], if the reduction is in zero steps we are done, otherwise there are two cases:
(1) If $\mathit{cons}_a(\mathit{cons}_b N') \rightsquigarrow \mathit{cons}_{ab} N'$, then $M'$ is of the form $\mathit{cons}_b N'$ with $a \sqsubseteq ab$. Hence N is of the form $\mathit{cons}_{ab} N'$.
(2) If $\mathit{cons}_a M' \rightsquigarrow \mathit{cons}_a M''$ and $M' \rightsquigarrow M''$, then N has to be of the form $\mathit{cons}_a M''$ for $M'' \rightsquigarrow N'$, and hence we can take $b = a$. □
We modify the definition of operational meaning (Definition 5.2) as follows.
Definition 6.4. For a strategy $\rightsquigarrow$ and closed term M of type I, we define
$[M]_{\rightsquigarrow} = \bigsqcup \{ a \in I \mid \exists M'.\ M \rightsquigarrow^* \mathit{cons}_a M' \}$.
If this set is non-empty, then Lemma 6.3 shows that it is an increasing chain, and hence the supremum exists. Notice that this is not a subset of I, as in Definition 5.2, but rather an element of I.
By a value of type Bool or Nat we mean a constant for a truth value or a natural number, and values are ranged over by the letter v. For a closed term of any of these two types, we define
$[M]_{\rightsquigarrow} = \bigsqcup \{ v \mid M \rightsquigarrow^* v \}$.
The set of which the supremum is taken is either empty or a singleton because $\rightsquigarrow$ is single valued.
Definition 6.5. We define strong convergence, for closed terms, by induction on types as follows:
(1) A closed term M of ground type is strongly convergent if for every strategy $\rightsquigarrow$ as in Definition 6.2, its operational meaning $[M]_{\rightsquigarrow}$ is total (i.e. a singleton interval, a truth-value, or a natural number).
(2) A closed term M of type $\sigma \to \tau$ is strongly convergent whenever MN is strongly convergent for every strongly convergent closed term N of type σ.
We henceforth refer to strong convergence simply as convergence for the sake of brevity.
The following observation is immediate.
Lemma 6.6. (1) A term M : I is convergent iff for every strategy $\rightsquigarrow$ and every $\varepsilon > 0$ there are an interval a of length smaller than ε and a term N such that $M \rightsquigarrow^* \mathit{cons}_a N$.
(2) A term M is convergent iff N is convergent whenever $M \rightsquigarrow^* N$.
Lemma 6.7. A term $\mathit{cons}_c(M)$ is convergent iff M is convergent.
Proof. (⇒) Let $M = M_1 \rightsquigarrow M_2 \rightsquigarrow M_3 \rightsquigarrow \cdots$ be an infinite reduction sequence and let $\varepsilon > 0$. We must find n such that $M_n$ is of the form $\mathit{cons}_d N'$ with $\kappa_d < \varepsilon$. Consider the reduction
$\mathit{cons}_c(M) = N_1 \rightsquigarrow N_2 \rightsquigarrow N_3 \rightsquigarrow \cdots$,
and $\delta = \varepsilon \times \kappa_c$. By hypothesis $\mathit{cons}_c(M)$ is convergent so there is i such that $N_i$ is of the form $\mathit{cons}_b N''$ with $\kappa_b < \delta$. Hence there should be j such that $M_j$ is of the form $\mathit{cons}_e N'''$ and $\mathit{cons}_c(M_j) \rightsquigarrow \mathit{cons}_b N''$, which means that $\kappa_c \kappa_e = \kappa_b < \delta$ and hence $\kappa_e < \delta/\kappa_c = (\varepsilon \times \kappa_c)/\kappa_c = \varepsilon$.
(⇐) Let $\mathit{cons}_c(M) = N_1 \rightsquigarrow N_2 \rightsquigarrow N_3 \rightsquigarrow \cdots$ be an infinite reduction sequence and let $\varepsilon > 0$. We must find n such that $N_n$ is of the form $\mathit{cons}_d N'$ with $\kappa_d < \varepsilon$. Consider the reduction $M = M_1 \rightsquigarrow M_2 \rightsquigarrow M_3 \rightsquigarrow \cdots$ and $\delta = \varepsilon/\kappa_a$. Because M is convergent, there is i such that $M_i$ is of the form $\mathit{cons}_b(M')$ with $\kappa_b < \delta$. Hence, there should be j such that $N_j$ is of the form $\mathit{cons}_e(M'')$ with $\kappa_e \le \kappa_a \kappa_b$ and
$\kappa_e \le \kappa_a \kappa_b < \kappa_a \cdot \delta = \kappa_a \cdot (\varepsilon/\kappa_a) = \varepsilon$. □
To show that $\mathit{tail}_a$ is convergent, we need some lemmas. Whenever we talk about rules in the following lemmas, we assume that these rules are taken from the operational semantics.
Lemma 6.8. (1) For all $a, b \in I$, if $b \not\sqsubseteq a$ then one of the conditions in rules 3–6 holds.
(2) For any $a \in I$ and any convergent M : I there are $b \not\sqsubseteq a$ and N such that $M \rightsquigarrow^* \mathit{cons}_b(N)$.
Proof. The first item is easily verified. For the second, let $\varepsilon = \kappa_a/2$. Because M is convergent, there are b of length smaller than ε and N such that $M \rightsquigarrow^* \mathit{cons}_b(N)$. If we had $b \sqsubseteq a$, then the length of b would be bigger than that of a, which is not the case by construction. □
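The following is an added example, not code from the paper: a small rational-interval model of the notation of Section 5.3 (concatenation ab, quotient b \ a, the orders ⊑, ≤, ↑ and the join ⊔), together with the side conditions of rules 3–6 and 11–12, so that one can check by hand which rule fires on tail_a(cons_b M) or rtest_{b,c}(cons_a M). The endpoint conventions (⊑ as reverse inclusion, ≤ as "entirely to the left", the bottom element as the whole unit interval) and the finite grid of intervals used to check the laws and Lemma 6.8(1) exhaustively are assumptions of this example.

```python
from fractions import Fraction as F

# Constructed model of the interval domain I (example code, not the paper's):
# an interval is a pair (lo, hi) of rationals with 0 <= lo <= hi <= 1; the
# bottom element is the whole unit interval and kappa(a) is the length of a.
BOTTOM = (F(0), F(1))

def kappa(a):
    return a[1] - a[0]

def cons(a, b):
    """ab = cons_a(b): the affine map of the unit interval onto a, applied to b."""
    return (a[0] + kappa(a) * b[0], a[0] + kappa(a) * b[1])

def below(a, b):
    """Information order a ⊑ b: b refines a, i.e. b is a sub-interval of a."""
    return a[0] <= b[0] and b[1] <= a[1]

def quot(b, a):
    """b \\ a: the unique c with cons_a(c) = b (needs a ⊑ b and kappa(a) > 0)."""
    assert below(a, b) and kappa(a) > 0
    return ((b[0] - a[0]) / kappa(a), (b[1] - a[0]) / kappa(a))

def left_of(a, b):
    """a ≤ b: a lies entirely to the left of b (endpoints may touch)."""
    return a[1] <= b[0]

def consistent(a, b):
    """a ↑ b: a and b have a common refinement, i.e. they intersect."""
    return max(a[0], b[0]) <= min(a[1], b[1])

def join(a, b):
    """a ⊔ b, the intersection of a and b (needs a ↑ b)."""
    assert consistent(a, b)
    return (max(a[0], b[0]), min(a[1], b[1]))

def tail_rule(a, b):
    """Which of rules 3-6 fires on tail_a(cons_b M); None means only rule 7 can fire."""
    if left_of(b, a):
        return 3, "Y cons_L"                    # rule 3: b ≤ a
    if left_of(a, b):
        return 4, "Y cons_R"                    # rule 4: b ≥ a
    if below(a, b) and a != b:
        return 5, quot(b, a)                    # rule 5: result is cons_{b\a} M
    if consistent(a, b) and not below(a, b) and not below(b, a):
        j = join(a, b)
        return 6, (quot(j, a), quot(j, b))      # rule 6: cons_{(a⊔b)\a}(tail_{(a⊔b)\b} M)
    return None, None

def rtest_rules(b, c, a):
    """Rules among 11 and 12 that fire on rtest_{b,c}(cons_a M); empty means rule 13 only."""
    fired = set()
    if a[1] < c:
        fired.add(11)                           # whole of a lies below c: true
    if b < a[0]:
        fired.add(12)                           # whole of a lies above b: false
    return fired                                # both fire when a sits inside (b, c)

def grid_intervals(n):
    """All intervals with endpoints in {0, 1/n, ..., 1}: a finite sample of I."""
    pts = [F(k, n) for k in range(n + 1)]
    return [(p, q) for p in pts for q in pts if p <= q]

def check_cons_laws(n=4):
    """Associativity, neutrality of bottom, kappa(ab) = kappa(a)kappa(b), (ab)\\a = b."""
    ivs = grid_intervals(n)
    for a in ivs:
        if cons(a, BOTTOM) != a or cons(BOTTOM, a) != a:
            return False
        for b in ivs:
            ab = cons(a, b)
            if kappa(ab) != kappa(a) * kappa(b):
                return False
            if kappa(a) > 0 and quot(ab, a) != b:
                return False
            for c in ivs:
                if cons(ab, c) != cons(a, cons(b, c)):
                    return False
    return True

def check_lemma_6_8(n=4):
    """Lemma 6.8(1) on the grid: if b is not below a, one of rules 3-6 applies."""
    ivs = grid_intervals(n)
    for a in ivs:
        for b in ivs:
            if not below(b, a) and tail_rule(a, b)[0] is None:
                return False
    return True

if __name__ == "__main__":
    a = (F(1, 4), F(3, 4))
    print("tail rule on [1/2,1]:", tail_rule(a, (F(1, 2), F(1))))
    print("rtest_{1/4,3/4} on [3/8,1/2]:", rtest_rules(F(1, 4), F(3, 4), (F(3, 8), F(1, 2))))
    print("laws hold:", check_cons_laws(), "lemma 6.8(1) holds:", check_lemma_6_8())
```

The length law kappa(ab) = kappa(a)kappa(b) checked here is the one used in the proof of Lemma 6.15 below, and the case where both 11 and 12 fire is the bifurcation discussed in situation (1) above.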
Lemma 6.9. If M is convergent then,
(1) $\mathit{tail}_a(M) \rightsquigarrow^* L$ for some convergent term L, by finitely many applications of rule 7 followed by an application of one of the rules 3–5, or
(2) $M \rightsquigarrow^* \mathit{cons}_b(N)$ and $\mathit{tail}_a(M) \rightsquigarrow^* \mathit{cons}_{(a \sqcup b) \setminus a}(\mathit{tail}_{(a \sqcup b) \setminus b}(N))$ for some convergent term N, by finitely many applications of rule 7 followed by an application of rule 6.
Proof. By Lemma 6.8, after finitely many applications of rule 7 to the term $\mathit{tail}_a(M)$, we will have reductions
$M \rightsquigarrow^* \mathit{cons}_b(N)$ and $\mathit{tail}_a M \rightsquigarrow^* \mathit{tail}_a(\mathit{cons}_b(N))$,
and one of the rules 3–6 will apply to the resulting term. If one of the rules 3–5 applies then $\mathit{tail}_a(M)$ reduces to one of the terms $Y\mathit{cons}_L$, $Y\mathit{cons}_R$, $\mathit{cons}_{b \setminus a}(N)$, which are convergent, and we can let L be the corresponding term. Otherwise it reduces by rule 6 to the term $\mathit{cons}_{(a \sqcup b) \setminus a}(\mathit{tail}_{(a \sqcup b) \setminus b}(N))$. Because $M \rightsquigarrow^* \mathit{cons}_b N$ and M is convergent, so are $\mathit{cons}_b N$ and N. □
Lemma 6.10. The term $\mathit{tail}_a$ is convergent.
Proof. Let M be convergent, consider the reduction
$\mathit{tail}_a(M) = N_0 \rightsquigarrow N_1 \rightsquigarrow N_2 \rightsquigarrow \cdots$,
and let $r_i$ be the label of the rule that justifies the reduction $N_i \rightsquigarrow N_{i+1}$. By Lemma 6.9, if there is i such that $r_i$ is one of 3–5, then $\mathit{tail}_a(M)$ is convergent, and otherwise the sequence $(r_i)_i$ belongs to the set of words $7^*6(7^*61)^\omega$. We have to argue that in the second case $\mathit{tail}_a(M)$ is also convergent. Let $n_i$ be the sequence such that the sequence $r_i$ can be written as $7^{n_0} 6 \prod_i (7^{n_{i+1}} 6 1)$.
By hypothesis, the term $M_0 = M$ is convergent, and if $M_i$ is convergent then
$M_i \rightsquigarrow^* \mathit{cons}_{c_i}(M_{i+1})$
for a unique interval $c_i$ and a unique term $M_{i+1}$ by finitely many applications of rule 2, and $M_{i+1}$ must also be convergent. This inductively defines sequences $c_i$ and $M_i$, and it is easy to see that, for any i,
$M \rightsquigarrow^* \mathit{cons}_{c_0 c_1 \ldots c_i}(M_{i+1})$.
Now, using the sequence $c_i$, inductively define
$\alpha_0 = (a \sqcup c_0) \setminus a$, $\qquad \beta_0 = (a \sqcup c_0) \setminus c_0$,
$\alpha_{i+1} = (\beta_i \sqcup c_{i+1}) \setminus \beta_i$, $\qquad \beta_{i+1} = (\beta_i \sqcup c_{i+1}) \setminus c_{i+1}$.
A routine argument by induction on i shows that
$\mathit{tail}_a(M) \rightsquigarrow^* \mathit{cons}_{\alpha_0 \alpha_1 \cdots \alpha_i}(\mathit{tail}_{\beta_i}(M_{i+1}))$,
as illustrated below, where the label on each arrow is the rule applied:
$$\begin{aligned}
\mathit{tail}_a(M) = N_0 &\rightsquigarrow^*_7 N_{n_0} = \mathit{tail}_a(\mathit{cons}_{c_0}(M_1)) \\
&\rightsquigarrow_6 N_{n_0+1} = \mathit{cons}_{\alpha_0}(\mathit{tail}_{\beta_0}(M_1)) \\
&\rightsquigarrow^*_7 N_{n_1} = \mathit{cons}_{\alpha_0}(\mathit{tail}_{\beta_0}\mathit{cons}_{c_1}(M_2)) \\
&\rightsquigarrow_6 N_{n_1+1} = \mathit{cons}_{\alpha_0}\mathit{cons}_{\alpha_1}(\mathit{tail}_{\beta_1}(M_2)) \\
&\rightsquigarrow_1 N_{n_1+2} = \mathit{cons}_{\alpha_0\alpha_1}(\mathit{tail}_{\beta_1}(M_2)) \\
&\ \ \vdots \\
&\rightsquigarrow_1 N_{n_i+2} = \mathit{cons}_{\alpha_0\alpha_1\cdots\alpha_i}(\mathit{tail}_{\beta_i}(M_{i+1})).
\end{aligned}$$
Now let $\varepsilon > 0$, and define $\varepsilon' = \kappa_a/\varepsilon$. Because M is convergent, there is i such that $\kappa_{c_0 c_1 \ldots c_i} < \varepsilon'$ and hence $\kappa_a/\kappa_{c_0 c_1 \ldots c_i} < \varepsilon$. An easy proof by induction on i shows that $\kappa_a/\kappa_{c_0 c_1 \ldots c_i} = \kappa_{\alpha_0 \alpha_1 \cdots \alpha_i}$, which shows that $\mathit{tail}_a(M)$ is convergent. □
As an application, we show how the program Average, defined in Section 2, can be proved to be correct using the denotational semantics and the notion of strong convergence. More examples, including multiplication, division, and absolute value, among others, are developed in the first-named author's Ph.D. thesis [22] using the same techniques.
Lemma 6.11. The term $\mathit{rtest}_{b,c}$ is convergent.
Proof. Let N : I be a convergent term. Consider $\varepsilon = (c - b)/2$. Because N is convergent, there are an interval a of length smaller than ε and a term M such that $N \rightsquigarrow^* \mathit{cons}_a M$. For such an interval, at least one of the conditions needed to apply the rules (11) or (12) holds, and hence $\mathit{rtest}_{b,c}(N) \Rightarrow^+ v$ for some truth value v. □
6.1. Total correctness of the average program
In view of computational adequacy, partial correctness of the program can be formulated as follows:
Lemma 6.12. $\llbracket \mathit{Average} \rrbracket(\eta(x), \eta(y)) = \eta(x \oplus y)$ for all total $x, y \in I$.
To prove this, we use the following lemma. As usual, a recursive program is interpreted as the least fixed point of a functional extracted from the program. For the program Average, we denote this functional by $\Phi : D \to D$ where, according to the denotational interpretation of types, D has to be the domain $(P_H I \times P_H I \to P_H I)$. Then
$\llbracket \mathit{Average} \rrbracket = \bigsqcup_n \mathit{Average}_n$, where $\mathit{Average}_n = \Phi^n(\bot)$.
Lemma 6.13. For all total $x, y \in I$, the following conditions hold:
(1) $\llbracket \mathit{Average}_n \rrbracket(\eta(x), \eta(y))$ is of the form ${\downarrow}F_n$ for $F_n \subseteq I$ finite,
(2) $\kappa_z \le (4/3)^{-n+1}$ for each $z \in F_n$,
(3) $F_n \subseteq \eta(x \oplus y)$.
Proof. The proof is by induction on n.
1. n = 0. We know that $\mathit{Average}_0(\eta(x), \eta(y)) = \{\bot\} = {\downarrow}\{\bot\}$ for any $x, y \in [0,1]$. Take $z \in F_n = \{\bot\}$, so $\kappa_z = 1 < (4/3)^{-n+1} = (4/3)$, and $\{\bot\} \sqsubseteq_H \eta(x \oplus y)$ for all $x, y \in [0,1]$.
2. Assume that it holds for n. To show that it holds for n + 1, we proceed according to the position of x and y relative to the points $l = 1/4$ and $r = 3/4$ used in the definition of the average program. All cases are handled in a similar way. We consider the case $x \le 1/4$ and $y \le 1/4$ as a representative example.
$$\begin{aligned}
\mathit{Average}_{n+1}(\eta(x), \eta(y)) &= \widehat{\mathit{cons}_L}\big(\mathit{Average}_n(\widehat{\mathit{tail}_L}(\eta(x)), \widehat{\mathit{tail}_L}(\eta(y)))\big) \\
&= \widehat{\mathit{cons}_L}\big(\mathit{Average}_n(\eta(\mathit{tail}_L(x)), \eta(\mathit{tail}_L(y)))\big),
\end{aligned}$$
and by the induction hypothesis, $\mathit{Average}_n(\eta(t), \eta(s))$ is of the form ${\downarrow}F_n$ for $F_n$ finite, $t = \mathit{tail}_L(x)$ and $s = \mathit{tail}_L(y)$. Take $F_{n+1} = \widehat{\mathit{cons}_L}(F_n)$. Then $\mathit{Average}_{n+1}(\eta(x), \eta(y))$ is of the form ${\downarrow}\widehat{\mathit{cons}_L}(F_n)$. Because $F_n$ is finite, so is $F_{n+1}$.
To show that $\kappa_z \le (4/3)^{-n}$ for any $z \in F_{n+1}$, let $t \in F_n$ such that $z = \mathit{cons}_L(t)$. By the induction hypothesis $\kappa_t \le (4/3)^{-n+1}$. We have $z = \mathit{cons}_L(t) = \frac{3t}{4}$, and hence
$$\kappa_z = \tfrac{3}{4}\overline{t} - \tfrac{3}{4}\underline{t} \le \tfrac{3}{4}\kappa_t \le \tfrac{3}{4}\Big(\tfrac{4}{3}\Big)^{-n+1} = \Big(\tfrac{4}{3}\Big)^{-n},$$
and so $\kappa_z \le (4/3)^{-n}$.
To show that $F_{n+1} \subseteq \eta(x \oplus y)$, again let $z \in F_{n+1}$ and $t \in F_n$ such that $z = \mathit{cons}_L(t)$. By the induction hypothesis $t \in \eta(\mathit{tail}_L(x) \oplus \mathit{tail}_L(y))$, hence
$$\begin{aligned}
z = \mathit{cons}_L(t) &\in \widehat{\mathit{cons}_L}\big(\eta(\mathit{tail}_L(x) \oplus \mathit{tail}_L(y))\big) = \widehat{\mathit{cons}_L}\Big(\eta\Big(\tfrac{4x}{3} \oplus \tfrac{4y}{3}\Big)\Big) = \widehat{\mathit{cons}_L}\Big(\eta\Big(\tfrac{4x + 4y}{6}\Big)\Big) \\
&= \eta\Big(\mathit{cons}_L\Big(\tfrac{4x + 4y}{6}\Big)\Big) = \eta\Big(\tfrac{3}{4} \cdot \tfrac{4x + 4y}{6}\Big) = \eta\Big(\tfrac{x + y}{2}\Big) = \eta(x \oplus y),
\end{aligned}$$
as required. □
To conclude, we establish convergence of Average.
Lemma 6.14. For any two convergent terms $N_1, N_2 : I$, there are an interval a of length 3/4 and two convergent terms $N'_1, N'_2$ such that $\mathit{Average}(N_1, N_2) \rightsquigarrow^+ \mathit{cons}_a(\mathit{Average}(N'_1, N'_2))$.
Proof. To reduce $\mathit{Average}(N_1, N_2)$, we must first unfold the definition, and then reduce $\mathit{rtest}_{1/4,3/4}(N_1)$, repeatedly applying rule 10, until we get a truth value, which is possible by Lemma 6.11 because $N_1$ has been assumed to be convergent. At this point, we have to apply one of the rules 8 or 9. In either case, we will next have to reduce $\mathit{rtest}_{1/4,3/4}(N_2)$ until it becomes a truth value. Then again one of the two rules 8 and 9 will have to be applied, which clearly leads to a term of the form $\mathit{cons}_a \mathit{Average}(\mathit{tail}_{b_1} N_1, \mathit{tail}_{b_2} N_2)$ with $\kappa_a = 3/4$. By Lemma 6.10, we can take $N'_1 = \mathit{tail}_{b_1} N_1$ and $N'_2 = \mathit{tail}_{b_2} N_2$. □
Lemma 6.15. The term Average is convergent.
Proof. Let $N_1$ and $N_2$ be convergent terms of type I. By repeatedly applying Lemma 6.14 and rules 1 and 2, we conclude that for every n there are an interval a of length $(3/4)^n$ and a term M such that $\mathit{Average}(N_1, N_2) \rightsquigarrow^+ \mathit{cons}_a(M)$. Here we use the fact that the length of the interval concatenation bc is the product of the lengths of the intervals b and c in connection with rule 1. □
Lemma 6.12 amounts to commutativity of the diagram
$$\begin{array}{ccccc}
[0,1] \times [0,1] & \subset & I \times I & \subset & P_H I \times P_H I \\
\big\downarrow \oplus & & \big\downarrow ? & & \big\downarrow \llbracket \mathit{Average} \rrbracket \\
[0,1] & \subset & I & \subset & P_H I
\end{array}$$
where $[0,1]$ is the set of total elements of I and the horizontal arrows are the obvious inclusions. The results of Escardó, Hofmann and Streicher [9] show that the diagram cannot be completed with a sequentially computable down arrow $I \times I \to I$. Thus, we overcome the problem by allowing our program to be multi-valued at partial inputs. Lemma 6.13 shows that the single-valued output of the program at a total input arises as the least upper bound of multi-valued partial outputs. In other words, there are different computation paths that give different, but consistent partial results at finite stages, but all of them converge to the same total real number.
Several other examples of recursive definitions, including multiplication and division, are developed in [22], with total correctness proofs following the above pattern.
7. Conclusion and further work
Our running example illustrates two important ideas discussed in the introduction:
(1) By considering a multi-valued or non-deterministic construction, it is possible to have sequential programs for
important functions that only admit parallel realizations in the (single-valued) interval-domain model, overcoming
the problem identified by Escard´ o, Hofmann and Streicher [9].
(2) In order to obtain total correctness from partial correctness, a generalization of the notion of termination is needed
in the case of real-number computations.
Regarding (1), we conjecture that all computable first-order functions are definable in the language. We have some
partial results regarding definability of second-order computable functionals such as definite integration. This will be
reported elsewhere, but we remark that the ideas regarding (2) are applied for that purpose.
It is an open problem to find a denotational semantics that would allow one to prove total correctness without the need of resorting to operational methods such as strong convergence. As we have seen, the Plotkin and Smyth powerdomains cannot be used for that purpose either. In fact, the results of Section 4 immediately imply that even other powerdomains such as the sandwich and the mixed powerdomain cannot be used. Moreover, it is easy to verify that any of the known powerdomains which do not arise as the composition of powerdomains with the Hoare powerdomain as the last component in the composition are ruled out.
Acknowledgements
We thank Achim Jung, Paul Levy, Steve Vickers and Andrew Moshier for comments and suggestions.
References
[1] S. Abramsky, A. Jung, Domain theory, in: S. Abramsky, D. Gabbay, T.S.E. Maibaum (Eds.), Handbook of Logic in Computer Science,
vol. 3, Oxford University Press, 1994, pp. 1–168.
[2] E. Bishop, D. Bridges, Constructive Analysis, Springer, Berlin, 1985.
[3] H.J. Boehm, R. Cartwright, Exact real arithmetic: Formulating real numbers as functions, in: D. Turner (Ed.), Research Topics in Functional
Programming, Addison-Wesley, 1990, pp. 43–64.
[4] V. Brattka, Recursive characterization of computable real-valued functions and relations, Theoretical Computer Science 162 (1996) 45–77.
[5] P. Buneman, S. Davidson, A. Watters, A semantics for complex objects and approximate queries, Journal of Computer and System Science
43 (1991) 170–218.
[6] A. Edalat, P.J. Potts, P. Sünderhauf, Lazy computation with exact real numbers, International Conference on Functional Programming (1998)
185–194.
[7] M.H. Escardó, Real PCF extended with ∃ is universal, in: A. Edalat, S. Jourdan, G. McCusker (Eds.), Advances in Theory and Formal Methods
of Computing: Proceedings of the Third Imperial College Workshop, Christ Church, Oxford, 1996, pp. 13–24.
[8] M.H. Escardó, PCF extended with real numbers: A domain-theoretic approach to higher-order exact real number computation, Ph.D. Thesis
at Imperial College of the University of London, 1997.
[9] M.H. Escardó, M. Hofmann, Th. Streicher, On the non-sequential nature of the interval-domain model of exact real-number computation,
Mathematical Structures in Computer Science 14 (6) (2004) 803–814.
[10] M.H. Escardó, Th. Streicher, Induction and recursion on the partial real line with applications to Real PCF, Theoretical Computer Science
210 (1) (1999) 121–157.
[11] M.H. Escardó, PCF extended with real numbers, Theoretical Computer Science 162 (1) (1996) 79–115.
[12] A. Farjudian, Sequentiality and piece-wise affinity in segments of real-PCF, Electronic Notes in Theoretical Computer Science 73 (2004) 3–4.
[13] A. Farjudian, Sequentiality in real number computation, Ph.D. Thesis at the University of Birmingham, 2004.
[14] P. Di Gianantonio, A functional approach to computability on real numbers, Ph.D. Thesis, Udine, 1993.
[15] P. Di Gianantonio, An abstract data type for real numbers, Theoretical Computer Science 221 (1999) 295–326.
[16] G. Gierz, et al., Continuous Lattices and Domains, Cambridge University Press, 2003.
[17] C.A. Gunter, The mixed powerdomain, Theoretical Computer Science 103 (2) (1992) 311–334.
[18] C.A. Gunter, D.S. Scott, Semantic domains, in: J. van Leeuwen (Ed.), Handbook of Theoretical Computer Science B, 1990, pp. 633–674.
[19] R. Heckmann, Power domain constructions, Science of Computer Programming 17 (1–3) (1991) 77–117.
[20] H. Luckhardt, A fundamental effect in computations on real numbers, Theoretical Computer Science 5 (3) (1977/78) 321–324.
[21] E. Manes, Monads of sets, in: M. Hazewinkel (Ed.), Handbook of Algebra, vol. 3, Elsevier Science, 2003, pp. 67–153.
[22] J.R. Marcial-Romero, Semantics of a sequential language for exact real-number computation, Ph.D. Thesis, Birmingham, December, 2004.
[23] D. Normann, Exact real number computations relative to hereditarily total functionals, Theoretical Computer Science 284 (2) (2002) 437–453.
[24] G.D. Plotkin, A powerdomain construction, SIAM Journal on Computing 5 (3) (1976) 452–487.
[25] G.D. Plotkin, LCF considered as a programming language, Theoretical Computer Science 5 (1) (1977) 223–255.
[26] G.D. Plotkin, Domains, Post-graduate Lecture in Advanced Domain Theory, University of Edinburgh, Department of Computer Science.
Available from the author's web page, 1983, p. 116.
[27] P.J. Potts, A. Edalat, M.H. Escardó, Semantics of exact real arithmetic, in: Proceedings 12th IEEE Symposium on Logic in Computer Science,
1997, pp. 248–257.
[28] P.J. Potts, Exact real arithmetic using Möbius transformations, Ph.D. Thesis at Imperial College of the University of London, 1998.
[29] D. Scott, Lattice theory, data type and semantics, in: R. Rustin (Ed.), Formal Semantics of Algorithmic Languages, Prentice Hall, 1972,
pp. 65–106.
[30] M.B. Smyth, Power domains, Journal of Computer and System Science 16 (1978) 23–36.
[31] M.B. Smyth, Powerdomains and predicate transformers: A topological view, in: ICALP’83, in: LNCS, vol. 154, Springer, 1983, pp. 662–675.
[32] M.B. Smyth, Topology, in: S. Abramsky, D.M. Gabbay, T.S.E. Maibaum (Eds.), Handbook on Logic in Computer Science, vol. 1, 1992,
pp. 641–761.
[33] S. Vickers, Topology via Logic, Cambridge University Press, Cambridge, 1989.
[34] K. Weihrauch, Computable Analysis, Springer-Verlag, 2000.