algebra of programming in agda
TRANSCRIPT
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Algebra of Programming in AgdaDependent Types for Relational Program Derivation
Shin-Cheng Mu, Hsiang-Shang Ko, and Patrik Jansson
To appear in Journal of Functional Programming
Algebra of Programming in Agda 1/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Terms
Algebra of Programming A semi-formal approach to derivingfunctional programs from relational specifications.
Agda A dependently-typed functional programminglanguage being actively developed.
Dependent types A family of type systems capable of expressingvarious correctness properties.
Algebra of Programming in Agda 2/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
In this introductory presentation
introductory serving as an introduction to a subject ortopic [...] intended to persuade someone to purchasesomething for the first time
— Oxford American Dictionaries
I will (casually) introduce how squiggolists treat algorithm design,
and report an experiment that faithfully encodes AoP-stylederivations in Agda.
By “faithfully” I mean correctness of a derivation is guaranteed byAgda’s type system, while certain degree of readability is retained.
Algebra of Programming in Agda 3/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Inductive datatypes
The most natural datatypes in functional programming areinductive datatypes.
data N : Set where
zero : Nsuc : N→ N
data [ ] (A : Set) : Set where
[ ] : [ A ]
:: : A→ [ A ]→ [ A ]
Algebra of Programming in Agda 4/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Pattern matching
Functions on inductive datatypes can be defined by patternmatching.
+ : N→ N→ Nzero + n = n
(suc m) + n = suc (m + n)
sum : [ N ]→ Nsum [ ] = zero
sum (x :: xs) = x + sum xs
Algebra of Programming in Agda 5/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Fold
The pattern of inductive definitions is captured in a higher-orderfunction foldr .
foldr : (A→ B → B)→ B → [ A ]→ B
foldr f e [ ] = e
foldr f e (x :: xs) = f x (foldr f e xs)
Then alternatively sum can be defined as foldr + zero.
Algebra of Programming in Agda 6/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The Fold-Fusion Theorem
It is natural to state theorems about functional programs. One ofthe most useful theorems is the Fold-Fusion Theorem.
Theorem (Fold-Fusion)
Let f : A→ B → B, e : B, g : A→ C → C , and h : B → C . If
h (f x y) = g x (h y),
thenh · foldr f e = foldr g (h e).
Algebra of Programming in Agda 7/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Proof of the Fold-Fusion Theorem
The theorem can be inductively proved by simple equationalreasoning.
Base case.
h (foldr f e [ ])
= { definition of foldr }h e
= { definition of foldr }foldr g (h e) [].
Algebra of Programming in Agda 8/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Inductive case
h (foldr f e (x :: xs))
= { definition of foldr }h (f x (foldr f e xs))
= { fusion condition }g x (h (foldr f e xs))
= { induction hypothesis }g x (foldr g (h e) xs)
= { definition of foldr }foldr g (h e) (x :: xs). �
Algebra of Programming in Agda 9/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Inductive case
h (foldr f e (x :: xs))
= { definition of foldr }h (f x (foldr f e xs))
= { fusion condition }g x (h (foldr f e xs))
= { induction hypothesis }g x (foldr g (h e) xs)
= { definition of foldr }foldr g (h e) (x :: xs). �
Algebra of Programming in Agda 9/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Inductive case
h (foldr f e (x :: xs))
= { definition of foldr }h (f x (foldr f e xs))
= { fusion condition }g x (h (foldr f e xs))
= { induction hypothesis }g x (foldr g (h e) xs)
= { definition of foldr }foldr g (h e) (x :: xs). �
Algebra of Programming in Agda 9/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Inductive case
h (foldr f e (x :: xs))
= { definition of foldr }h (f x (foldr f e xs))
= { fusion condition }g x (h (foldr f e xs))
= { induction hypothesis }g x (foldr g (h e) xs)
= { definition of foldr }foldr g (h e) (x :: xs). �
Algebra of Programming in Agda 9/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Inductive case
h (foldr f e (x :: xs))
= { definition of foldr }h (f x (foldr f e xs))
= { fusion condition }g x (h (foldr f e xs))
= { induction hypothesis }g x (foldr g (h e) xs)
= { definition of foldr }foldr g (h e) (x :: xs). �
Algebra of Programming in Agda 9/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Sketch of a derivation of radix sort
Gibbons, J. 1999. A Pointless Derivation of Radix Sort. J. Funct. Program. 9, 3
(May. 1999), 339–346.
Imagine a datatype Composite consisting of a fixed number ofFields, where the type Field is finite and totally-ordered.
The function
mktree : [ Composite → Field ]→[ Composite ]→ Tree [ Composite ]
receives a significance order of fields and classifies the inputlist first by the most significant field, and for each bucketclassifies the elements by the second-most significant field,and so on.
Algebra of Programming in Agda 10/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Sketch of a derivation of radix sort
Gibbons, J. 1999. A Pointless Derivation of Radix Sort. J. Funct. Program. 9, 3
(May. 1999), 339–346.
Imagine a datatype Composite consisting of a fixed number ofFields, where the type Field is finite and totally-ordered.
The function
mktree : [ Composite → Field ]→[ Composite ]→ Tree [ Composite ]
receives a significance order of fields and classifies the inputlist first by the most significant field, and for each bucketclassifies the elements by the second-most significant field,and so on.
Algebra of Programming in Agda 10/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Sketch of a derivation of radix sort
Gibbons, J. 1999. A Pointless Derivation of Radix Sort. J. Funct. Program. 9, 3
(May. 1999), 339–346.
Imagine a datatype Composite consisting of a fixed number ofFields, where the type Field is finite and totally-ordered.
The function
mktree : [ Composite → Field ]→[ Composite ]→ Tree [ Composite ]
receives a significance order of fields and classifies the inputlist first by the most significant field, and for each bucketclassifies the elements by the second-most significant field,and so on.
Algebra of Programming in Agda 10/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Sketch of a derivation of radix sort
It is apparent that
treesort : [ Composite → Field ]→ [ Composite ]→ [ Composite ]
treesort ds = flatten ·mktree ds
correctly sorts a list, where flatten : Tree A→ [ A ] collectselements stored in the leaves in order.
By writing mktree as a (higher-order) fold, we get
treesort = (flatten ·) ·mktree.
The Fold-Fusion Theorem is now applicable and radix sort isimmediately derived. Moreover, the fusion condition is astatement of stability.
Algebra of Programming in Agda 11/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Sketch of a derivation of radix sort
It is apparent that
treesort : [ Composite → Field ]→ [ Composite ]→ [ Composite ]
treesort ds = flatten ·mktree ds
correctly sorts a list, where flatten : Tree A→ [ A ] collectselements stored in the leaves in order.
By writing mktree as a (higher-order) fold, we get
treesort = (flatten ·) ·mktree.
The Fold-Fusion Theorem is now applicable and radix sort isimmediately derived. Moreover, the fusion condition is astatement of stability.
Algebra of Programming in Agda 11/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Richard Bird
Unlike other formalisms, functional programming offers aunique opportunity to exploit a compositional approachto Algorithm Design, and to demonstrate theeffectiveness of the mathematics of program constructionin the presentation of many algorithms[.]
Functional Algorithm Design. Sci. Comput. Program. 26, 1-3 (May. 1996), 15–31.
Algebra of Programming in Agda 12/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Relations
Relations can be regarded as potentially partial andnon-deterministic functions. Then the usual deterministic, totalfunctions become a special case.
A relation R mapping values of A to values of B is denoted byR : B ← A. We write “b R a” if R maps a to b.
For example, ≤ : N← N maps a natural number to itself or asmaller natural number, and ∈ : A← ℘A maps a set of A’s to oneof its elements.
Algebra of Programming in Agda 13/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Operators on relations
Relation composition c (R · S) a ≡ ∃b. c R b ∧ b S a
Converse a R◦ b ≡ b R a
Power transpose ΛR a = { b | b R a }
Meet b (R ∩ S) a ≡ b R a ∧ b S a
Join b (R ∪ S) a ≡ b R a ∨ b S a
Product relator (b, d) (R × S) (a, c) ≡ b R a ∧ d S c
Left/right division Division introduces a form of universalquantification into the relational language. We willskip its definition and expand relations defined withdivision to pointwise formulas in this presentation.
Algebra of Programming in Agda 14/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Relational fold
Relational fold is a generalisation of functional fold, and the formercan be defined in terms of the latter.
Given R : B ← A× B and s : ℘B, define
foldR R s = ∈ · foldr (Λ(R · (id × ∈))) s,
where id is the identity function. Its type is B ← [ A ].
Algebra of Programming in Agda 15/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
An operational explanation
foldR R s = ∈ · foldr (Λ(R · (id × ∈))) s
The set s records possible base cases.
Given a new element a : A and an inductively-computed setbs : ℘B, id ×∈ chooses an element b from bs and then R (a, b) isnon-deterministically computed. All results that can be generatedfrom such a process are collected by the Λ operator into a set.
Finally ∈ takes one result from the inductively-computed set.
Compare this procedure with the powerset (subset) constructionthat converts a non-deterministic finite automaton into adeterministic one.
Algebra of Programming in Agda 16/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Example: subsequence
The relation
subseq : [ A ]← [ A ]
subseq = foldR (outr ∪ cons) nil
maps a list to one of its subsequences, where nil = {[ ]} and
outr : B ← A× B
outr (a, b) = b
cons : [ A ]← A× [ A ]
cons (x , xs) = x :: xs.
Algebra of Programming in Agda 17/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Example: orderedness
The relation
ordered : [ A ]← [ A ]
ordered = foldR (cons · lbound) nil
maps a list to itself if it is increasingly sorted, where lbound mapsa pair (x , xs) to itself if x is a lower bound of xs.
If a relation R satisfies R ⊆ id , it is called a coreflexive relation ora coreflexive for short. Coreflexives are used in specifications tofilter out those values with some particular property. One can seethat both ordered and lbound are coreflexives.
Algebra of Programming in Agda 18/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The activity-selection problem
Suppose we have a set S = {a1, a2, . . . , an} of n proposed activities that
wish to use a resource, such as a lecture hall, which can be used by only
one activity at a time. Each activity ai has a start time si and a finish
time fi , where 0 ≤ si < fi <∞. If selected, activity ai takes place during
the half-open time interval [si , fi ). Activities ai and aj are compatible if
the intervals [si , fi ) and [sj , fj ) do not overlap (i.e., ai and aj are
compatible if si ≥ fj or sj ≥ fi ). The activity-selection problem is to
select a maximum-size subset of mutually compatible activities.
Cormen, T. H., Leiserson, C. E., Rivest, R. L., and Stein, C. 2001 Introduction to
Algorithms. MIT Press.
If the activities are decreasingly sorted by finish time, there is asimple algorithm.
Algebra of Programming in Agda 19/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Maximum
Given an order R : A← A, the relation max R : A← ℘A maps aset to one of its maximum elements with respect to R:
max R = ∈ ∩ (R◦/3).
Expanding the point-free definition,
x (max R) s ≡ x ∈ s ∧ ∀y . y ∈ s ⇒ y R x .
Algebra of Programming in Agda 20/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Specification
We can give a relational specification for the activity-selectionproblem:
max ≤` · Λ(mutex · subseq).
Generate an arbitrary plan by subseq.
Ensure the plan is legitimate by the coreflexive mutex .
Collect all such plans by the Λ operator.
Choose one of the longest plans by max ≤`.
Any function contained in this relation is considered a correctimplementation.
Algebra of Programming in Agda 21/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The Greedy Theorem
Theorem (Bird and de Moor)
Let R : A← A be a preorder and S : A← FA be monotonic on R,i.e.,
S · FR ⊆ R · S .
Thenmax R · Λ([S ]) ⊇ ([max R · ΛS ]).
Bird, R. and de Moor, O. 1997 Algebra of Programming. Prentice-Hall, Inc.
Algebra of Programming in Agda 22/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Specialisation to lists
Corollary
Let R : A← A be a preorder, S : A← B × A be monotonic on R,i.e.,
S · (id × R) ⊆ R · S ,
and s : ℘A be a set. Then
max R · Λ(foldR S s) ⊇ foldR (max R · ΛS) (Λ(max R) s).
Algebra of Programming in Agda 23/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Fusing mutex · subseq into a fold
The coreflexive mutex is defined by
mutex = foldR (cons · compatible) nil
where the coreflexive compatible lets a pair (x , xs) of typeActivity × [ Activity ] go through if x does not overlap with any ofthe activities in xs.
By relational fold-fusion, mutex · subseq can be fused intofoldR R nil if we can find a relation R such that
mutex · (outr ∪ cons) = R · (id ×mutex).
Algebra of Programming in Agda 24/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Synthesis of R
We calculate:
mutex · (outr ∪ cons)
= { composition distributes over join }(mutex · outr) ∪ (mutex · cons)
= { product relator; catamorphisms }(outr · (id ×mutex)) ∪ (cons · compatible · (id ×mutex))
= { composition distributes over join }(outr ∪ (cons · compatible)) · (id ×mutex).
So mutex · subseq = foldR (outr ∪ (cons · compatible)) nil .
Algebra of Programming in Agda 25/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Synthesis of R
We calculate:
mutex · (outr ∪ cons)
= { composition distributes over join }(mutex · outr) ∪ (mutex · cons)
= { product relator; catamorphisms }(outr · (id ×mutex)) ∪ (cons · compatible · (id ×mutex))
= { composition distributes over join }(outr ∪ (cons · compatible)) · (id ×mutex).
So mutex · subseq = foldR (outr ∪ (cons · compatible)) nil .
Algebra of Programming in Agda 25/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Synthesis of R
We calculate:
mutex · (outr ∪ cons)
= { composition distributes over join }(mutex · outr) ∪ (mutex · cons)
= { product relator; catamorphisms }(outr · (id ×mutex)) ∪ (cons · compatible · (id ×mutex))
= { composition distributes over join }(outr ∪ (cons · compatible)) · (id ×mutex).
So mutex · subseq = foldR (outr ∪ (cons · compatible)) nil .
Algebra of Programming in Agda 25/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Synthesis of R
We calculate:
mutex · (outr ∪ cons)
= { composition distributes over join }(mutex · outr) ∪ (mutex · cons)
= { product relator; catamorphisms }(outr · (id ×mutex)) ∪ (cons · compatible · (id ×mutex))
= { composition distributes over join }(outr ∪ (cons · compatible)) · (id ×mutex).
So mutex · subseq = foldR (outr ∪ (cons · compatible)) nil .
Algebra of Programming in Agda 25/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Checking the monotonicity condition
Now we wish to apply the Greedy Theorem. That means we needto check the monotonicity condition
(outr ∪ (cons · compatible)) · (id ×≤`)
⊆ ≤` · (outr ∪ (cons · compatible)),
which says for two partial plans xs and ys withlength xs ≤ length ys, no matter which complete plan xs ′ iscomputed from xs, there is always a complete plan ys ′ computedfrom ys such that length xs ′ ≤ length ys ′.
This is not true, however.
Algebra of Programming in Agda 26/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Strengthening the order
A typical strategy is to refine the order ≤` to a stronger one. Sincethe problematic case happens when the two partial plans underconsideration are of the same length, we define
E = <` ∪ (=` ∩ (post-compatible\post-compatible))
where post-compatible : Activity ← [ Activity ] maps a plan to acompatible activity that finishes later than all activities in the plan.
Now the monotonicity condition with respect to E holds and theGreedy Theorem gives us
foldR (max E · Λ(outr ∪ (cons · compatible))) nil .
Algebra of Programming in Agda 27/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Cleaning up
Take a closer look at
max E · Λ(outr ∪ (cons · compatible)).
Given a partial plan xs and an incoming activity x , the relationpicks a best plan with respect to E from, depending on whetherx is compatible with xs, the set {xs, x :: xs} or the set {xs}.
In the first case x :: xs should be chosen since it is strictly longerthan xs. In the second case there is only one candidate.
Since x finishes later than xs, it suffices to check whether x startslater than xs.
Algebra of Programming in Agda 28/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The final program
Define
compatible-cons : Activity → [ Activity ]→ [ Activity ]
compatible-cons x [ ] = x :: [ ]
compatible-cons x (y :: xs) =
if start x ≥ finish y then x :: y :: xs else y :: xs.
The final program is a simple fold:
foldr compatible-cons [ ].
Algebra of Programming in Agda 29/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The derivation
max ≤` · Λ(mutex · subseq)
= { fusion }max ≤` · Λ(foldR (outr ∪ (cons · compatible)) nil)
⊇ { strengthening }max E · Λ(foldR (outr ∪ (cons · compatible)) nil)
⊇ {Greedy Theorem }foldR (max E · Λ(outr ∪ (cons · compatible))) nil
= { cleaning up }foldr compatible-cons [ ].
Algebra of Programming in Agda 30/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Donald E. Knuth
Science is knowledge which we understand so well thatwe can teach it to a computer; and if we don’t fullyunderstand something, it is an art to deal with it. [...] weshould continually be striving to transform every art intoa science: in the process, we advance the art.
Computer Programming as an Art. Commun. ACM 17, 12 (Dec. 1974), 667–673.
Algebra of Programming in Agda 31/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Curry-Howard correspondence
Observe the following two logic inference rules:
ϕ ∧ ψ(∧E)
ψ
ϕ→ ψ ϕ(→E)
ψ
The left one resembles the type of outr : A× B → B, and theright one looks like the types involved in function application.
Curry-Howard correspondence is a family of formal correspondencesbetween logic deduction systems and computational calculi. Itsfamous slogan is “propositions are types, and proofs are programs”.
Thus writing proofs is no different from writing programs! All weneed is an expressive enough programming language.
Algebra of Programming in Agda 32/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Roadmap
We will go through the following:
1 first-order intuitionistic logic,
2 preorder reasoning combinators,
3 modelling of sets and relations,
4 the specification (in detail),
5 the Partial Greedy Theorem, and
6 finally, the derivation.
More complicated proofs cannot be explained in this presentation since
more background is required. However it is worth noting that important
theorems such as Fold-Fusion Theorem and Greedy Theorem can be
proved in an “equational” style close to the proofs in the AoP book.
Algebra of Programming in Agda 33/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Encoding first-order intuitionistic logic in Agda
absurdity data ⊥ : Set where
truth data > : Set where
tt : >
conjunction data × (A B : Set) : Set where
, : A→ B → A× B
disjunction data ] (A B : Set) : Set where
inj1 : A→ A ] B
inj2 : B → A ] B
implication A→ B
Algebra of Programming in Agda 34/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Encoding first-order intuitionistic logic in Agda
exists data ∃ {A : Set} (P : A→ Set) : Set where
, : (witness : A)→ P witness → ∃ P
forall (x : A)→ P x or ∀ x → P x
equality data ≡ {A : Set} : A→ A→ Set where
refl : {x : A} → x ≡ x
For example, the type
(n : N)→ (n ≡ zero ] ∃ (λm→ n ≡ suc m))
says every natural number is either zero or a successor of somenatural number.
Algebra of Programming in Agda 35/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
More on products
In fact, × and ∃ are special cases of the following Σ-type:
data Σ (A : Set) (B : A→ Set) : Set where
, : (a : A)→ B a→ Σ A B
which can be seen as a kind of generalised products whose secondcomponent’s type depends on the first component. We can defineextractor functions
proj1 : {A : Set} {B : A→ Set} → Σ A B → A
proj1 (a , b) = a
proj2 : {A : Set} {B : A→ Set} → (σ : Σ A B)→ B (proj1 σ)
proj2 (a , b) = b.
Algebra of Programming in Agda 36/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
More on equality
≡ is reflexive by definition, and can be proven to be transitiveand symmetric. It is also a congruence with respect to functionapplication.
trans : {A : Set} {x y z : A} → x ≡ y → y ≡ z → x ≡ z
trans refl refl = refl
sym : {A : Set} {x y : A} → x ≡ y → y ≡ x
sym refl = refl
cong : {A B : Set} (f : A→ B) {x y : A} → x ≡ y → f x ≡ f y
cong f refl = refl
Algebra of Programming in Agda 37/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Equational reasoning
We can write a chain of equality in Agda as
expression1
≡〈 exp1≡exp2 〉expression2
≡〈 exp2≡exp3 〉. . .
≡〈 expn−1≡expn 〉expressionn �
Algebra of Programming in Agda 38/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Equational reasoning
We can write a chain of equality in Agda as
expression1
≡〈 exp1≡exp2 〉expression2
≡〈 exp2≡exp3 〉. . .
≡〈 expn−1≡expn 〉expressionn �
Algebra of Programming in Agda 38/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Equational reasoning
We can write a chain of equality in Agda as
expression1
≡〈 exp1≡exp2 〉expression2
≡〈 exp2≡exp3 〉. . .
≡〈 expn−1≡expn 〉expressionn �
Algebra of Programming in Agda 38/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Equational reasoning
We can write a chain of equality in Agda as
expression1
≡〈 exp1≡exp2 〉expression2
≡〈 exp2≡exp3 〉. . .
≡〈 expn−1≡expn 〉expressionn �
Algebra of Programming in Agda 38/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Equational reasoning
We can write a chain of equality in Agda as
expression1
≡〈 exp1≡exp2 〉expression2
≡〈 exp2≡exp3 〉. . .
≡〈 expn−1≡expn 〉expressionn �
Algebra of Programming in Agda 38/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Preorder reasoning combinators
Concretely,
≡〈 〉 : {A : Set} (x : A) {y z : A} → x ≡ y → y ≡ z → x ≡ z
x ≡〈 x≡y 〉 y≡z = trans x≡y y≡z
� : {A : Set} (x : A)→ x ≡ x
x � = refl .
The same technique works for any preorder.
Algebra of Programming in Agda 39/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Proving the Fold-Fusion Theorem
foldr -fusion : {A B C : Set}(h : B → C) {f : A→ B → B} {g : A→ C → C} {e : B} →
(∀ x y → h (f x y) ≡ g x (h y))→∀ xs → h (foldr f e xs) ≡ foldr g (h e) xs
foldr -fusion h {f } {g} {e} fusion-condition [ ] = refl
foldr -fusion h {f } {g} {e} fusion-condition (x :: xs) =
h (foldr f e (x :: xs))
≡〈 refl 〉h (f x (foldr f e xs))
≡〈 fusion-condition x (foldr f e xs) 〉g x (h (foldr f e xs))
≡〈 cong (g x) (foldr -fusion h fusion-condition xs) 〉g x (foldr g (h e) xs)
≡〈 refl 〉foldr g (h e) (x :: xs) �
Algebra of Programming in Agda 40/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Modelling sets
A set of A’s can be specified by its characteristic function of typeA→ Set. Concretely, if s : A→ Set, then x : A is considered amember of s if s x has a proof, i.e., there is a term that hastype s x . Thus we define
℘A = A→ Set.
For example, define
singleton : {A : Set} → A→ ℘A
singleton x = λ y → x ≡ y .
Then singleton x is the set containing a single element x .
Algebra of Programming in Agda 41/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Modelling relations
Set-theoretically, a relation of type B ← A is a subset of A× B, sowe may define B ← A as ℘ (A×B) = A×B → Set. But we foundthe following isomorphic representation more convenient:
B ← A = B → A→ Set.
For example, an Agda function is lifted to a relation by thecombinator
fun : {A B : Set} → (A→ B)→ (B ← A)
fun f = λ y x → f x ≡ y .
Algebra of Programming in Agda 42/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Operators on relations revisited
composition · : {A B C : Set} →(C ← B)→ (B ← A)→ (C ← A)
( R · S ) c a = ∃ (λ b → c R b × b S a)
converse◦ : {A B : Set} → (B ← A)→ (A← B)
(R ◦) a b = R b a
power transpose Λ : {A B : Set} → (B ← A)→ (A→ ℘B)
Λ R a = λ b → b R a
join t : {A B : Set} →(B ← A)→ (B ← A)→ (B ← A)
(R t S) b a = R b a ] S b a
Algebra of Programming in Agda 43/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Operators on relations revisited
composition · : {A B C : Set} →(C ← B)→ (B ← A)→ (C ← A)
( R · S ) c a = ∃ (λ b → c R b × b S a)
converse◦ : {A B : Set} → (B ← A)→ (A← B)
(R ◦) a b = R b a
power transpose Λ : {A B : Set} → (B ← A)→ (A→ ℘B)
Λ R a = λ b → b R a
join t : {A B : Set} →(B ← A)→ (B ← A)→ (B ← A)
(R t S) b a = R b a ] S b a
Algebra of Programming in Agda 43/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Operators on relations revisited
composition · : {A B C : Set} →(C ← B)→ (B ← A)→ (C ← A)
( R · S ) c a = ∃ (λ b → c R b × b S a)
converse◦ : {A B : Set} → (B ← A)→ (A← B)
(R ◦) a b = R b a
power transpose Λ : {A B : Set} → (B ← A)→ (A→ ℘B)
Λ R a = λ b → b R a
join t : {A B : Set} →(B ← A)→ (B ← A)→ (B ← A)
(R t S) b a = R b a ] S b a
Algebra of Programming in Agda 43/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Operators on relations revisited
composition · : {A B C : Set} →(C ← B)→ (B ← A)→ (C ← A)
( R · S ) c a = ∃ (λ b → c R b × b S a)
converse◦ : {A B : Set} → (B ← A)→ (A← B)
(R ◦) a b = R b a
power transpose Λ : {A B : Set} → (B ← A)→ (A→ ℘B)
Λ R a = λ b → b R a
join t : {A B : Set} →(B ← A)→ (B ← A)→ (B ← A)
(R t S) b a = R b a ] S b a
Algebra of Programming in Agda 43/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Operators on relations revisited
composition · : {A B C : Set} →(C ← B)→ (B ← A)→ (C ← A)
( R · S ) c a = ∃ (λ b → c R b × b S a)
converse◦ : {A B : Set} → (B ← A)→ (A← B)
(R ◦) a b = R b a
power transpose Λ : {A B : Set} → (B ← A)→ (A→ ℘B)
Λ R a = λ b → b R a
join t : {A B : Set} →(B ← A)→ (B ← A)→ (B ← A)
(R t S) b a = R b a ] S b a
Algebra of Programming in Agda 43/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Inclusion
We can define set inclusion
⊆ : {A : Set} → ℘A→ ℘A→ Set
s1 ⊆ s2 = ∀ x → (s1 x → s2 x)
and relational inclusion
v : {A B : Set} → (B ← A)→ (B ← A)→ Set
R v S = ∀ b a→ (R b a→ S b a).
Both can be shown to be reflexive and transitive, so we can buildpreorder reasoning combinators for them.
Algebra of Programming in Agda 44/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Encoding the specification
Our goal is to build up the relation
act-sel-spec : [ Activity ]← [ Activity ]
act-sel-spec = max ≤` • Λ(mutex · subseq).
If we can construct a term of type
∃ (λ f → f · fin-ordered v act-sel-spec · fin-ordered)
where fin-ordered is a coreflexive explicitly stating that the inputlist is required to be sorted by finish time, the witness to thisexistential proposition is an algorithm solving the activity-selectionproblem, correctness guaranteed by the type checker.
Algebra of Programming in Agda 45/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The “maximum” part
Maximum is easily defined:
max : {A : Set} → (A← A)→ (A← ℘A)
(max R ) a s = s a × (∀ a′ → s a′ → a′ R a).
In our library it is defined in point-free style.
Assuming ≤ : N← N is given,
≤` : {A : Set} → ([ A ]← [ A ])
xs ≤` ys = length xs ≤ length ys.
Algebra of Programming in Agda 46/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Fold, the third time
Define
foldR : {A B : Set} → (B ← A× B)→ ℘B → (B ← [ A ])
foldR R s = ∈ • foldr (Λ(R · (idR × ∈))) s
where • is a special type of composition defined by
• : {A B C : Set} → (C ← ℘B)→ (A→ ℘B)→ (C ← A)
(R • f ) c a = R c (f a).
The reason we need such composition is due to predicativity, anissue we will ignore in this presentation.
Algebra of Programming in Agda 47/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Subsequence, identically
Define
subseq : {A : Set} → ([ A ]← [ A ])
subseq = foldR (outr t cons) nil
where
cons : {A : Set} → (A← (A× [ A ]))
cons = fun (uncurry :: )
outr : {A B : Set} → (B ← (A× B))
outr = fun proj2
nil : {A : Set} → ℘A
nil = singleton [ ].
Algebra of Programming in Agda 48/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Junctional check
Recall that
mutex = foldR (cons · compatible) nil
where compatible is a coreflexive which, given a pair (x , xs) oftype Activity × [ Activity ], checks whether x is disjoint from everyactivity in xs. The relation fin-ordered has the same structure.Define
check C = foldR (cons · C ) nil
to capture this pattern. Then mutex = check compatible.
The only component we haven’t constructed is compatible.
Algebra of Programming in Agda 49/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Compatibility between an activity and a plan
Define
compatible-set : ℘ (Activity × [ Activity ])
compatible-set (a , [ ]) = >compatible-set (a , x :: xs) = disjoint a x × compatible-set (a , xs)
where
disjoint : Activity ← Activity
disjoint a x = finish x ≤ start a ] finish a ≤ start x .
Then
compatible : (Activity × [ Activity ])← (Activity × [ Activity ])
compatible (y , ys) (x , xs) =
(y , ys) ≡ (x , xs) × compatible-set (x , xs).
Algebra of Programming in Agda 50/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The Partial Greedy Theorem
Since the domain of act-sel-spec = max ≤` • Λ(mutex · subseq)is restricted by the coreflexive fin-ordered , we need a variant of theGreedy Theorem to deal with partiality of input.
partial-greedy -thm : {A B : Set}{S : B ← (A× B)} {s : ℘B} {R : B ← B}{C : (A× [ A ])← (A× [ A ])} {D : (A× B)← (A× B)} →
R · R v R → C v idR → D v idR →S · (idR × R) · D v R · S →(idR × foldR S s) · C v D · (idR × foldR S s)→
foldR (max R • ΛS) (Λ(max R) s) · check C
v (max R • Λ(foldR S s)) · check C
Algebra of Programming in Agda 51/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The Partial Greedy Theorem
Since the domain of act-sel-spec = max ≤` • Λ(mutex · subseq)is restricted by the coreflexive fin-ordered , we need a variant of theGreedy Theorem to deal with partiality of input.
partial-greedy -thm : {A B : Set}{S : B ← (A× B)} {s : ℘B} {R : B ← B}{C : (A× [ A ])← (A× [ A ])} {D : (A× B)← (A× B)} →
R · R v R → C v idR → D v idR →S · (idR × R) · D v R · S →(idR × foldR S s) · C v D · (idR × foldR S s)→
foldR (max R • ΛS) (Λ(max R) s) · check C
v (max R • Λ(foldR S s)) · check C
Algebra of Programming in Agda 51/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The Partial Greedy Theorem
Since the domain of act-sel-spec = max ≤` • Λ(mutex · subseq)is restricted by the coreflexive fin-ordered , we need a variant of theGreedy Theorem to deal with partiality of input.
partial-greedy -thm : {A B : Set}{S : B ← (A× B)} {s : ℘B} {R : B ← B}{C : (A× [ A ])← (A× [ A ])} {D : (A× B)← (A× B)} →
R · R v R → C v idR → D v idR →S · (idR × R) · D v R · S →(idR × foldR S s) · C v D · (idR × foldR S s)→
foldR (max R • ΛS) (Λ(max R) s) · check C
v (max R • Λ(foldR S s)) · check C
Algebra of Programming in Agda 51/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The Partial Greedy Theorem
Since the domain of act-sel-spec = max ≤` • Λ(mutex · subseq)is restricted by the coreflexive fin-ordered , we need a variant of theGreedy Theorem to deal with partiality of input.
partial-greedy -thm : {A B : Set}{S : B ← (A× B)} {s : ℘B} {R : B ← B}{C : (A× [ A ])← (A× [ A ])} {D : (A× B)← (A× B)} →
R · R v R → C v idR → D v idR →S · (idR × R) · D v R · S →(idR × foldR S s) · C v D · (idR × foldR S s)→
foldR (max R • ΛS) (Λ(max R) s) · check C
v (max R • Λ(foldR S s)) · check C
Algebra of Programming in Agda 51/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The Partial Greedy Theorem
Since the domain of act-sel-spec = max ≤` • Λ(mutex · subseq)is restricted by the coreflexive fin-ordered , we need a variant of theGreedy Theorem to deal with partiality of input.
partial-greedy -thm : {A B : Set}{S : B ← (A× B)} {s : ℘B} {R : B ← B}{C : (A× [ A ])← (A× [ A ])} {D : (A× B)← (A× B)} →
R · R v R → C v idR → D v idR →S · (idR × R) · D v R · S →(idR × foldR S s) · C v D · (idR × foldR S s)→
foldR (max R • ΛS) (Λ(max R) s) · check C
v (max R • Λ(foldR S s)) · check C
Algebra of Programming in Agda 51/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
The main derivation
(Let S = outr t (cons · compatible).)
activity -selection-derivation :
∃ (λ f → fun f · fin-ordered v act-sel-spec · fin-ordered)
activity -selection-derivation = ,
(max ≤` • Λ(mutex · subseq)) · fin-ordered
w〈 comp-monotonic-l (minΛ-cong -w mutex ·subseq-is-fold) 〉(max ≤` • Λ(foldR S nil)) · fin-ordered
w〈 comp-monotonic-l (max-monotonic E-refines-≤`) 〉(max E • Λ(foldR S nil)) · fin-ordered
. . .
Algebra of Programming in Agda 52/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Applying the Partial Greedy Theorem
(Assume fin-ordered = check fin-ubound .)
. . .
(max E • Λ(foldR S nil)) · fin-ordered
w〈 fin-ubound-promotion 〉(max E • Λ(foldR (S · fin-ubound) nil)) · fin-ordered
w〈 partial-greedy -thm E-trans fin-uboundvidR fin-uboundvidR
monotonicity fin-ubound-homo 〉foldR (max E • Λ(S · fin-ubound)) (Λ(max E ) nil) · fin-ordered
w〈 comp-monotonic-l (foldR-monotonic v-refl max-E-nil⊇nil) 〉foldR (max E • Λ(S · fin-ubound)) nil · fin-ordered
. . .
Algebra of Programming in Agda 53/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Cleaning up
. . .
foldR (max E • Λ(S · fin-ubound)) nil · fin-ordered
w〈 comp-monotonic-l algebra-refinement 〉foldR (fun (uncurry compatible-cons) · fin-ubound) nil · fin-ordered
w〈 fin-ubound-demotion 〉foldR (fun (uncurry compatible-cons)) nil · fin-ordered
w〈 comp-monotonic-l (foldR-to-foldr compatible-cons [ ]) 〉fun (foldr compatible-cons [ ]) · fin-ordered
�
Algebra of Programming in Agda 54/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Advantages of program derivation
Insights are reified as theorems, which can be discovered,proved, collected, and systematically studied.
These theorems then provide hints and directions to solveother problems.
A derivation is fun to read, shows the connection between thespecification and the derived algorithm, and can likely pointout why the algorithm works.
Beautiful theories about structures and semantics of programsare built up along with development of program derivation.
Algebra of Programming in Agda 55/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Disadvantages of program derivation
The theory is not yet rich enough to cover all classicaltextbook algorithms.
The work of laying problems in suitable forms and discoveringtheorems is extremely hard, and perhaps too abstract for ayoung field like Algorithm Design.
That perhaps explains partially why the community isshrinking.
Relations are inherently harder to manipulate, since there area great number of operators and associated laws, andinequational reasoning is less deterministic. Even when westep back to functional derivation, low-level calculations canstill be very tedious.
Algebra of Programming in Agda 56/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Jeremy Gibbons
We are interested in extending what can be calculatedprecisely because we are not that interested in thecalculations themselves.
Calculating Functional Programs. In Keiichi Nakata, editor, Proceedings of
ISRG/SERG Research Colloquium. School of Computing and Mathematical Sciences,
Oxford Brookes University, November 1997. Technical Report CMS-TR-98-01.
Algebra of Programming in Agda 57/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Advantages of mechanised formalisation
Proving theorems by hand is prone to errors. Automatictheorem proving does not make human readers gain intuitionand thus confidence. Machine-assisted theorem proving strikesa balance between the two.
That is, we still write proofs ourselves and become confidentabout the theorem, while the machine assists us to ensure nota single detail is overlooked, making the proof practicallyinfallible.
Algebra of Programming in Agda 58/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Disadvantages of mechanised formalisation
Formalisation is difficult.
“Not a single detail is overlooked” means every detail needsto be taken care about, including, say, associativity of naturalnumber addition.
Formal proofs are unlikely to be written in the traditionalessay-like style and often harder to read.
Algebra of Programming in Agda 59/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Leslie Lamport
The proof style I advocate is a refinement of one, callednatural deduction, [..., which] has been viewed primarilyas a method of writing proofs in formal logic. What I willdescribe is a practical method for writing the less formalproofs of ordinary mathematics. It is based onhierarchical structuring — a successful tool for managingcomplexity.
How to Write a Proof. American Mathematical Monthly 102, 7 (August–September
1993) 600–608. Also appeared in Global Analysis in Modern Mathematics, Karen
Uhlenbeck, editor. Publish or Perish Press, Houston. Also appeared as SRC Research
Report 94.
Algebra of Programming in Agda 60/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Robert Pollack
Many people who pursue formal mathematics are seekingthe beauty of complete concreteness, which contributesto their own appreciation of the material beingformalised, while to many outside the field formalisationis “just filling in the details” of conventionalmathematics. But “just” might be infeasible unlessserious thought is given to representation of both thelogic of formalisation and the mathematics beingformalised.
How to Believe a Machine-Checked Proof. In G. Sambin and J. Smith, editors,
Twenty-Five Years of Constructive Type Theory. Oxford University Press, 1998.
Algebra of Programming in Agda 61/62
Warming up Switching to relations Solving an optimisation problem Formalisation in Agda Conclusions
Immanuel Kant
Now it does indeed seem natural that, as soon as wehave left the ground of experience, we should, throughcareful enquiries, assure ourselves as to the foundationsof any building that we propose to erect, not making useof any knowledge that we possess without firstdetermining whence it has come, and not trusting toprinciples without knowing their origin.
Critique of Pure Reason, 1929, Trans. N. Kemp Smith, New York: St. Martin’s Press.
Algebra of Programming in Agda 62/62