LOGIC FOR GRAY CODE COMPUTATION

Transcription

1 LOGIC FOR GRAY CODE COMPUTATION ULRICH BERGER AND KENJI MIYAMOTO AND HELMUT SCHWICHTENBERG AND HIDEKI TSUIKI Abstract. Gray code is a well-known binary number system such that neighboring values differ in one digit only. Tsuiki (00) has introduced Gray code to the field of real number computation. He assigns to each number a unique 1 -sequence, i.e., a (possibly infinite) sequence of { 1, 1, } such that at most one copy of (meaning undefinedness) is contained in the sequence not as the last character. In this paper we take a logical and constructive approach to study real number computation based on Gray code. Instead of Tsuiki s indeterministic multihead Type- machine, we use pre-gray code, which is a relaxed Gray code, to avoid the difficulty due to which prevents sequential access to a stream. We extract real number algorithms from proofs in an appropriate formal theory involving inductive and coinductive definitions. Examples are algorithms transforming pre-gray code into signed digit representations of real numbers, and conversely, the average for pre-gray code and a bounded translator from pre-gray code into Gray code. These examples are formalized in the proof assistant Minlog. Keywords: Gray code, real number computation, inductive and coinductive definitions, program extraction. 010 Mathematics Subject Classification: 03D78, 03F60, 03B70, 03B35 1. Introduction Gray code (also called the reflected binary code) is widely known in digital communication, due to its property that the Hamming distance between adjacent Gray codes is always 1. Based on Gray code, Tsuiki has studied an expansion of real numbers as streams of {0, 1, } each of which contain at most one standing for undefinedness, and called it the modified Gray expansion. Tsuiki has also studied computability of real numbers, and has presented several algorithms to do real number computation via Gray This work was supported by the International Research Staff Exchange Scheme (IRSES) Nr CORCON and Nr COMPUTAL of the European Commission, the JSPS Core-to-Core Program, A. Advanced research Networks and JSPS KAKENHI Grant Number 15K

2 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI code [14]. The motivation of this paper is to shed light on the logical aspect of Gray code computation from the constructive standpoint. We formalize pre-gray code in the Theory of Computable Functionals, TCF in short, and also in the proof assistant Minlog 1, which is an implementation of TCF, by means of inductive and coinductive definitions [1]. In order to make use of Tsuiki s idea in TCF, we introduce pre-gray code which is a modified Gray expansion represented as ordinary streams. Through the realizability interpretation we extract from proofs programs as terms (in an extension T + of Gödel s T ) involving (higher type) recursion and corecursion operators. As case studies we extract real number algorithms in our setting of pre-gray code. The correctness of the extracted programs is automatically ensured by the soundness theorem. The rest of this paper is organized as follows. In Section we describe realizability in our framework TCF. Section 3 introduces two representations of real numbers via signed digits as well as via pre-gray code, respectively. Section 4 describes the domain theory of the term calculus T +. Section 5 describes inductive and coinductive definitions in TCF, within which we prepare a suitable setting to study logical aspects of signed digit streams and pre-gray code. Sections 6, 7, 8 and 9 describe case studies. The corresponding Minlog proof script is available in the official Minlog package. In Section 6 we give translators from signed digit streams into pre-gray code, and vice versa. In Section 7 we study the average of two real numbers in pre-gray code. In Section 8 we study a bounded translation from pre-gray code into Gray code. Section 9 describes experiments with our extracted programs. Section 10 concludes the paper. Related work. There are programming languages which can process modified Gray expansion directly. Tsuiki and Sugihara study an extension of Haskell with the non-deterministic choice operator gamb which works as McCarthy s amb operator [16]. Tsuiki studies a logic programming language with guarded clauses and committed choice [15]. Terayama and Tsuiki study an extension of PCF with parallelism [13]. In this paper we avoid using the above features by adopting pre-gray code. Concerning stream based real arithmetic, signed digit streams are used to study real number computation by Wiedmer [17, 18]. Its corecursive treatment is studied by Ciaffaglione and Di Gianantonio in Coq [5]. Berger and Seisenberger study program extraction to obtain programs dealing with signed digit streams [3]. Some of 1 See See examples/analysis/gray.scm in the home directory of Minlog.

3 LOGIC FOR GRAY CODE COMPUTATION 3 their results are formalized by Miyamoto and Schwichtenberg in TCF and Minlog [8, 9]. Chuang studies the average and the multiplication of real numbers using coinduction in Agda via the Curry-Howard isomorphism [4].. Realizability We now address (in general terms) the issue of extracting computational content from proofs. The method of program extraction is based on modified realizability as introduced by Kreisel [7] and described in detail in [1]. In short, from every constructive proof M of a non-harrop formula A (in natural deduction) one extracts a program et(m) realizing A, essentially by removing computationally irrelevant parts from the proof (proofs of Harrop formulas have no computational content). The extracted program has some simple type τ(a) which depends solely on the logical shape of the proven formula A. In its original form the extraction process is fairly straightforward, but often leads to unnecessarily complex programs. In order to obtain better programs, proof assistants (for instance Coq, Isabelle/HOL, Agda, Nuprl, Minlog) offer various optimizations of program extraction. Below we describe optimizations implemented in Minlog [11], which are relevant for our present case study. Quantifiers without computational content. Besides the usual quantifiers, and, Minlog has so-called non-computational quantifiers, and r, which allow for the extraction of simpler programs. These quantifiers, which were first introduced by Berger in [1], can be viewed as a refinement of the Set/Prop distinction in constructive type systems like Coq or Agda. Intuitively, a proof of x A(x) (A(x) non-harrop) represents a procedure that assigns to any x a proof M(x) of A(x) where M(x) does not make computational use of x, i.e., the extracted program et(m(x)) does not depend on x. Dually, a proof of r xa(x) is a proof of M(x) for some x where the witness x is hidden, that is, not available for computational use (the r stands for right ); in fact, r can be seen as inductively defined by the clause x (A r xa). The types of extracted programs for non-computational quantifiers are τ( x ρa) = τ( r x ρa) = τ(a) as opposed to τ( x ρa) = ρ τ(a) and τ( x ρa) = ρ τ(a). The extraction rules are, for example in the case of -introduction and -elimination, et((λ x M A(x) ) nc x A(x) ) = et(m) and et((m nc x A(x) t) A(t) ) = et(m) as opposed to et((λ x M A(x) ) xa(x) ) = et(λ x M) and et((m xa(x) t) A(t) ) = et(mt). For the extracted programs to be correct the variable condition at -introduction must be strengthened by requiring in addition the abstracted variable x not to occur in the extracted program

4 4 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI et(m), and similarly for r. Note that for a Harrop formula A the formulas x A, x A and also r xa, x A are equivalent. Animation. Suppose a proof of a theorem uses a lemma. Then the proof term contains just the name of the lemma, say L. In the term extracted from this proof we want to preserve the structure of the original proof as much as possible, and hence use a new constant cl at those places where the computational content of the lemma is needed. When we want to execute the program, we have to replace the constant cl corresponding to a lemma L by the extracted program of its proof. This can be achieved by adding computation rules for cl. We can be rather flexible here and enable/block rewriting by using animate/deanimate as desired. 3. Gray code of real number We define binary expansion as the expansion of the unit 3 interval I = [ 1, 1] as infinite sequences of PSD = { 1, 1} (proper signed digits) so that p = a 0 a 1 a... represents (1) i=1 a i 1 i. With binary expansion, a finite sequence a 0... a n 1 denotes the interval C a0 (C a1... (C an 1 I)... ) for C a the function C a (x) = x+a, and a 0a 1... denotes the limit of the intervals denoted by its finite truncations. Signed digit expansion (see Figure 1) is an expansion of the same interval with the same formula (1), but with three digits SD = { 1, 0, 1}. Note that it has a lot of redundancy, and 11 and 0 1 represent the same interval [ 1/, 0] and 1 1 and 01 represent the same interval [0, 1/]. Here, 1 is the notation of 1 in a sequence. We view finite sequences of SD as a free algebra I with a nullary constructor I I and three unary constructors C 1, C 0, C 1 of type I I. Gray expansion is another way of expanding I with PSD which is based on binary reflected Gray code of natural numbers. With Gray expansion, the sequence is flipped after an appearance of 1. That is, we define the functions LR a for a PSD as LR a (x) = a x 1 so that LR 1 = C 1 but LR 1 (x) = C 1 ( x). The number represented by a sequence p = a 0 a 1 a... is the limit of the shrinking intervals LR a0 (LR a1... (LR an 1 I)... ) which is 3 For simplicity we base our study on [ 1, 1] rather than [0, 1].

5 LOGIC FOR GRAY CODE COMPUTATION 5 limit }finite equal to () Figure 1. Signed digit representation. i=1 j<i ( a j) i. With Gray expansion, each dyadic rational number (i.e., k/ i for integers i k i ) is represented in two ways as is the case for the binary expansion. For example, 0 is expanded as 11 1 ω and 11 1 ω. However, the two expansions differ only at one digit and the sequence after the digit they differ is always 1 1 ω. In [14] a modified Gray expansion (see Figure ) was defined, which assigns a unique 1 -sequence to each number. Here, a 1 -sequence is a (possibly infinite) sequence of { 1, 1, } such that at most one copy of (meaning undefinedness) is contained in the sequence not as the last character. It assigns the 1 -sequence s 1 1 ω to a dyadic rational number with the Gray expansions s11 1 ω and s 11 1 ω for s {1, 1}. In this note, we consider its variant that assigns all the three sequences s11 1 ω, s 11 1 ω, and s 1 1 ω to it and call it the modified Gray expansion. A 1 -sequence s { 1, 1} denotes the same interval as in the Gray expansion. The meaning of a 1 -sequence s 1 1 n for s { 1, 1} is the union of the two intervals denoted by s 11 1 n and

6 6 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI U D U D U D U L R FinL FinR R L FinL FinR L R FinR FinL R L L U R D U FinL FinR R L L U R }} limit finite Figure. Modified Gray expansion and pre-gray code. s11 1 n. Note that is not an ordinary character and a machine cannot read or write a on a tape. In [14] an IM-machine (indeterministic multihead Type- machine) was introduced: it has two heads on each input/output tape so that it can skip a and access the rest the sequence. Here, instead of such a direct manipulation of 1 -sequences, we define pre-gray code which is a representation of 1 -sequences as sequences of constructors, and consider computation through usual stream programs instead of IM- machines. One can consider pre-gray code as the signed digit expansion of Gray-code. Before explaining the algebra of pre-gray code, we define the algebra of 1 -sequences. An ordinary binary sequence is generated by two constructors cons a for a { 1, 1} which prepend a to a sequence. On the other hand, a 1 -sequence is generated by, in addition to cons a for a { 1, 1}, two constructors ins a for a { 1, 1} which insert a as the second character to a sequence. For example, both ins 1 (ins 1 (cons 1 (ins 1 []))) and cons 1 (cons 1 (cons 1 (ins 1 []))) denote , and ins 1 (ins 1 (ins 1 (ins 1... ))) denotes 1 1 ω. Here, a finite 1 -sequence is identified with an infinite sequence of {1, 1, } by appending ω to the end of the sequence. If we read

7 LOGIC FOR GRAY CODE COMPUTATION 7 these sequences of applications of the four operations from left to right, then we can consider them as procedures to construct 1 -sequences as follows. We start with an infinite tape with the state ω, and view cons a as the operation to fill the leftmost with a and ins a as the operation to fill the second from the left with a. For example, according to ins 1 (ins 1 (cons 1 (ins 1 []))), we construct as 1 ω 1 1 ω 11 1 ω ω. The set of finite 1 -sequences used for modified Gray expansion is { 1, 1} { 1, 1} 1 1. In order to represent only this set, we define an algebra G of pre-gray code simultaneously with an auxiliary algebra H. Intuitively, the algebra G corresponds to the right end of sequences in { 1, 1} and the algebra H corresponds to the right end of sequences in { 1, 1} 1 1. Both algebras have constructors of the same argument types. The algebra G is given by one nullary constructor I G of type G and three unary constructors L, R of type G G and U of type H G (for undefined ), which correspond to cons 1, cons 1, and ins 1, respectively. The algebra H has a nullary constructor I H of type H and three unary constructors FinL and FinR of type G H (representing a final L or R after delays) and D of type H H (for delay), which correspond to cons 1, cons 1, and ins 1, respectively. Thus, both U(D(FinL(U(I H )))) and L(R(L(U(I H )))) represent the sequence We define the meanings of the constructors of pre-gray code as follows. I G and I H denote the unit interval I. The constructors L, R, FinL, FinR, D, and U denote the functions LR 1, LR 1, Fin 1, Fin 1, D, and U on I defined as follows: LR a (x) = a x 1, D(x) = x, Fin a (x) = a x + 1, U (x) = x. Note that the following equations hold: U Fin a = LR a LR 1, D Fin a = Fin a LR Algebras and their total and cototal ideals Constructor expressions in our free algebras I, G and H can be seen as standard rational intervals. To treat reals as limits of rational intervals we view them as cototal ideals. For the convenience of the reader we repeat here some material from [9].

8 8 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI Rather than working with algebras and coalgebras in a categorical setting (as for instance done in [3]), we just use (free) algebras to generate the basic domains of the Scott-Ershov model of partial continuous functionals. Among the ideals of such a domain we single out the total and cototal ones, which are our well-founded and non-well-founded objects, respectively. We construct domains by information systems, given by a set of tokens, a set of finite consistent sets of tokens, and an entailment relation. As an example, consider the algebra I of standard intervals introduced above, and let C range over its constructors. The following definitions are an adaption of the more general ones in [1] to the present case. (a) The tokens a are the type correct constructor expressions (or trees) Ca 1... a n where a i is an extended token, i.e., a token or the special symbol which carries no information. (b) A finite set U of tokens is consistent if all its elements start with the same constructor C, say of arity τ 1... τ n I, and all U i are consistent (i = 1,..., n), where U i consists of all (proper) tokens at the i-th argument position of some token in U = {Ca 1,..., C a m}. (c) {Ca 1,..., C a m} C a ( entails ) is defined to mean C = C, m 1 and U i a i, with U i as in (b) above (and U taken to be true). These are definitions by recursion on the height (of the syntactic expressions involved), defined by Ca 1... a n := 1 + max{ a i i = 1,..., n }, := 0, { a i i I } := max{ 1 + a i i I }, U a := max{1 + U, 1 + a }. A set of tokens is deductively closed if it contains all tokens entailed from one of its finite subsets. An ideal is defined to be a (possibly infinite) consistent and deductively closed set of tokens. The intuition is that a finite consistent set U of tokens is seen as a formal neighborhood (Kreisel [7]) in a space of abstract points or ideals. To define total and cototal ideals, consider a constructor expression P ( ) with a distinguished occurrence of. Then an arbitrary P (C a ) is called one-step extension of P ( ), written P (C a ) 1 P ( ). For example, writing C n d a for C d(c d (... (C d a)... )), for P ( ) := C 1 C 1 we have P (C 1 ) = C 1 C C 1 C 1 = P ( ). An ideal x is called cototal if every constructor expression P ( ) x has a one-step extension P (C a ) x; it is called total if it is cototal and the relation 1 on x is well-founded.

9 LOGIC FOR GRAY CODE COMPUTATION 9 In our algebras for pre-gray code every total ideal then can be seen as a standard interval I i k,k := [ i k 1 k, i k + 1 k ] for k < i < k whereas the cototal ideals are what we mean by a stream representation of reals. For instance, the cototal ideals include { C n 1 n 0 }, a stream representation of the real 1, and also { C 1 C n 1 n 0 } and { C 1C n 1 n 0 }, which both represent the real 0. Generally, the cototal ideals give us all reals in [ 1, 1], in the (non-unique) stream representation via signed digits 1, 0, 1. Remark 4.1. Notice that the notion of a cototal ideal also makes sense when the underlying algebra does not have nullary constructors. Since we will only be concerned with cototal ideals we take advantage of this fact and from now on omit the nullary constructor I I from our algebra I, and also the nullary constructors I G and I H from our algebras G and H. This will simplify the arguments below considerably (for instance in comparison with [9]). We also redefine our algebras I, G, H so that I has a binary constructor C of type SD I I and G has a binary constructor LR of type PSD G G and a unary constructor U of type H G; the intention is L = LR( 1, ) and R = LR(1, ). Similarly H has a binary constructor Fin of type PSD G H and a unary constructor D of type H H. 5. Inductive and coinductive definitions Recall that our goal is to extract algorithms for real number computation from proofs in an appropriate formal theory involving inductive and coinductive definitions. In particular we want to transform reals in Gray code representation to reals in signed digit representation. Now how should the formal theory deal with real numbers? Here we adopt a proposal by Berger and Seisenberger [3]: one should use an abstract theory of reals. But then the immediate question is: how could one associate computational content with a formula x... where x ranges over abstract reals? By the very idea of abstractness we do (and should) not know the type of x; in fact, it may be a type variable. Therefore the quantifier x should have no computational significance. Following [] we use a non-computational universal quantifier x instead, and move the computational content of our assumption into a predicate, i.e., we consider x (Qx... ) instead. This leaves the exact form of realizers for Qx and hence the data type we use for representing real numbers open. Now, how can we achieve that Qx has cototal ideals of

10 10 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI certain algebras (like I, G or H) as realizers? An obvious way is to take for Q an appropriate coinductively defined predicate. For example, define inductively a set I of (abstract) reals, by the single clause (3) ( x + d) x d Ix I (d, e range over SD). Let Φ be the corresponding operator (or predicate transformer): Φ(X) := { x + d d SD, x X } or more precisely (i.e., using a decorated existential quantifier r ) y Φ(X) r ( x + d) x X d y = ( r x indicates that the existentially quantified variable x is disregarded in the realizability interpretation; cf. Section ). For I we can (as for any inductive predicate) define its companion predicate co I, written co I = ν X Φ(X). This is understood as the greatest fixed point of Φ, expressed by the greatest-fixed-point (or coinduction) axiom X Φ( co I X) X co I. A witness for a proposition co Ir is a stream of signed digits. Such objects can be seen as cototal ideals for the algebra I. Similarly we give a simultaneous inductive definition of the sets G and H of (abstract) reals. Let a, b be variables ranging over PSD. The clauses are x a (Gx G( a x 1 x a (G x H(a x + 1 The corresponding operators Γ, are defined by )), x (Hx G( x )), )), x (Hx H( x )). y Γ(X, Y ) r x X a (y = a x 1 ) r x Y (y = x ), y (X, Y ) r x X a (y = a x + 1 ) r x Y (y = x ) and we have ( co G, co H) = ν (X,Y ) (Γ(X, Y ), (X, Y )). This is understood as the greatest fixed point of (Γ, ), expressed by the simultaneous greatestfixed-point (or simultaneous coinduction) axiom (X, Y ) (Γ( co G X, co H Y ), ( co G X, co H Y )) (X, Y ) ( co G, co H), where inclusion is meant component-wise. Witnesses for co Gr and co Hr are cototal ideals in the algebra G or H, respectively.

11 LOGIC FOR GRAY CODE COMPUTATION 11 Remark 5.1 (Nested definition). As an alternative to the above simultaneous definition of co G and co H, we can take the nested definition co G = ν X Γ(X, co H (X)) where co H X = ν Y (X, Y ). The witnessing algebras would also be changed. In this paper we adopt the simultaneous one, since the extracted programs are simpler and more efficient. 6. Proofs and their extracted terms Now we can formulate the propositions to be proved. The computational content will be the algorithms we are interested in. In each case we sketch an informal proof, and then display the term extracted from a formalization of this proof. We will make use of the following axioms on the abstract real numbers. All these axioms will be (Harrop formulas and hence) without computational content. Their only computational effect will be the way in which they influence the proofs of the propositions below. The axioms are x (1x = x), x (( 1)x = x), a,x,d (a x + d = From these axioms we can easily prove a(bx) = (ab)x, x = x, x + d x d = x + d ax + ad ). = x d,, ( a)x = (ax), a( x) = (ax). When formalizing the proofs below it will be convenient to use all these equations as rewrite rules (from left to right). We first want to prove co G co I. However, to be able to prove this by coinduction we need to generalize our goal to Proposition 6.1 (CoGToCoIGen). x ( a ( co G(ax) co H(ax)) co Ix). Proof. For X := { x a ( co G(ax) co H(ax)) } we must show X co I. By coinduction it suffices to prove X Φ( co I X). Let x 1 X. We show x 1 Φ( co I X): (4) r x co I X d (x 1 = x + d ). Since x 1 X we have a such that co G(ax 1 ) co H(ax 1 ). Case co G(ax 1 ). The co G-clause co G Γ( co G, co H) applied to ax 1 co G gives us r x co G b (ax 1 = b x 1 ) r x co H(ax 1 = x ).

12 1 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI If the left hand side holds, we have x co G and b such that ax 1 = b x 1. Then (4) holds for x := abx and d := ab, since abx X (by x co G and the definition of X), and x 1 = a x 1 = ab x 1 = abx + ab = x + d. If the right hand side holds, we have x co H such that ax 1 = x. Then (4) holds for x := ax and d := 0, since ax X (by x co H and the definition of X), and x 1 = a x 1 = a x = ax + 0 = x + d. Case co H(ax 1 ). The co H-clause co H ( co G, co H) applied to ax 1 co H gives r x co G b (ax 1 = b x + 1 ) r x co H(ax 1 = x ). If the left hand side holds, we have x co G and b such that ax 1 = b x +1. Then (4) holds for x := abx and d := ab, since abx X (by x co G and the definition of X), and = abx + ab = x + d. x 1 = a x 1 = ab x + 1 If the right hand side holds, we have x co H such that ax 1 = x. Then (4) holds for x := ax and d := 0, since ax X (by x co H and the definition of X), and x 1 = a x 1 = a x = ax + 0 = x + d. Extracted term. Here iv, ag and ah denote the base type for the algebra I, G and H, respectively. We use p as variable of type G, and q as variable of type H. Moreover ap is a variable of type PSD G, and apq a variable of type PSD (G + H). The square brackets in [apq] mean lambda abstraction λ apq. Note also that appearing as an argument to the CoRec-operator stands for the type product, and the denotes a product term. [apq](corec psd@@(ag ysum ah)=>iv)apq ([apq0][case (right apq0) (InL p -> [case (Des p) (InL ap -> PsdToSd(left apq0 times left ap)@ InR(inv(left apq0 times left ap)@inl right ap)) (InR q -> Mid@InR(left apq0@inr q))]) (InR q -> [case (Des q)

13 LOGIC FOR GRAY CODE COMPUTATION 13 (InL ap -> PsdToSd(left apq0 times left InR(left apq0 times left right ap)) (InR q0 -> q0))])]) To understand this term recall the type of the corecursion operator for I: (5) co R τ I : τ (τ SD (I + τ)) I with τ := PSD (G + H). The type SD (I + τ) appears since I has the single constructor C of type SD I I. The meaning of co R τ I NM is defined by the conversion rule co R τ I NM C (MN)1 ([id I I, λ y ( co R τ I ym)](mn) ). We have used x 1, x as shorthand for the two projections of x of type ρ σ, and the notation [f, g]: ρ + σ τ (for f : ρ τ and g : σ τ) defined by { f(x) if z = inl(x), [f, g](z) := g(y) if z = inr(y). Let us analyze the particular step function M above, extracted from our proof. When applied to an argument N of type τ = PSD (G + H), M returns a result of type SD (I + τ); it will be in the right part of I + τ (i.e., here we do not use the fact that our coinductive definitions are in strengthened form). Consider the right hand side N of N, of type G+H. Case 1. If N is of the form inl(p) with p of type G, destruct p. Recall that G has two constructors, LR and U. If p is of the form LR b (p ), the result is (ab, inr( ab, inl(p ))). If p is of the form U(q), the result is (0, inr(a, inr(q))). Case. If N is of the form inr(q) with q of type H, destruct q. Recall that H has two constructors, Fin and D. It q is of the form Fin b (p), the result is (ab, inr(ab, inl(p))). If q is of the form D(q ), the result is (0, inr(a, inr(q ))). Hence we can write λ co y R τ I ym as a function defined by [f, g]: PSD G + PSD H I f(a, LR b (p)) = C ab (f( ab, p)), g(a, Fin b (p)) = C ab (f(ab, p)), f(a, U(q)) = C 0 (g(a, q)), g(a, D(q)) = C 0 (g(a, q)). Proposition 6. (CoGToCoI). x a ( co G(ax) co Ix). Extracted term. [a,p]ccogtocoigen(a@inl p) Remark. Before proving Proposition 6.1 and obtaining the extracted term, we wrote a Haskell program to convert pre-gray code to signed digit code,

14 14 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI which consisted of 1 rules corresponding to the cases of a and b. Its correctness is not proved, and moreover, we did not realize that it can be compressed into 4 rules until we had the extracted term. Proposition 6.3 (CoIToCoG). x ( a co I(ax) co Gx), x ( a co I(ax) co Hx). Proof. For X := { x a (ax co I) } we show X co G simultaneously with X co H. By coinduction it suffices to prove (i) X Γ( co G X, co H X) and (ii) X ( co G X, co H X). For (i), let x 1 X. We show x 1 Γ( co G X, co H X): (6) r x co G X a (x 1 = a x 1 ) r x co H X(x 1 = x ). Since x 1 X we have a 1 such that co I(a 1 x 1 ). The co I-clause co I Φ( co I) applied to a 1 x 1 co I gives us r x co I d (a 1 x 1 = x + d ). Hence we have x co I and d such that a 1 x 1 = x +d. Case d = 1. Then the left hand of (6) holds for x := x and a := a 1, since x X (by x co I and the definition of X), and x + d x 1 x 1 = a 1 a 1 x 1 = a 1 = a 1. Case d = 1. Then the left hand of (6) holds for x := x and a := a 1, since x X (by x co I and the definition of X), and x + d x + 1 x 1 x 1 = a 1 a 1 x 1 = a 1 = a 1 = a 1. Case d = 0. Then the right hand of (6) holds for x := a 1 x, since a 1 x X (by x co I and the definition of X), and x + d x 1 = a 1 a 1 x 1 = a 1 = a 1x. This finishes the proof of (i). The proof of (ii) is similar, and we omit it. Extracted term. We use bv as variable of type PSD I. [bv](corec psd@@iv=>ag psd@@iv=>ah)bv ([bv0][case (left Des right bv0) (Lft -> InL(inv left bv0@inr(prht@right Des right bv0))) (Rht -> InL(left bv0@inr(plft@right Des right bv0)))

15 LOGIC FOR GRAY CODE COMPUTATION 15 (Mid -> InR(InR(left Des right bv0)))]) ([bv0][case (left Des right bv0) (Lft -> InL(inv left Des right bv0))) (Rht -> InL(left Des right bv0))) (Mid -> InR(InR(left Des right bv0)))]) To understand this term recall the type of the simultaneous corecursion operators co R (G,H),(τ,τ) G and co R (G,H),(τ,τ) H, or shortly co R G and co R H : co R G : τ δ δ G co R H : τ δ δ H with τ := PSD I and step types δ := τ PSD (G + τ) + (H + τ). The type PSD (G + τ) + (H + τ) appears since G has the two constructors LR: PSD G G and U: H G, and H has the two constructors Fin: PSD G H and D: H H. The meaning of co R G NMM and co R H NMM is defined by the conversion rules { co R G NMM LR u1 ([id G G, λ y ( co R G ymm )]u ) if MN = inl(u) U([id H H, λ y ( co R H ymm )]v) if MN = inr(v) { co R H NMM Fin u1 ([id G G, λ y ( co R G ymm )]u ) if M N = inl(u) D([id H H, λ y ( co R H ymm )]v) if M N = inr(v) We again analyze the particular step functions M, M extracted from our proof. When applied to an argument N of type τ = PSD I, M returns a result of type PSD (G + τ) + (H + τ), in the right part of G + τ or H + τ. Let N = (b, v) with v of type I, of the form C d (v ). The result is inl( b, inr(1, v )) if d = 1, inl(b, inr( 1, v )) if d = 1, inr(inr(b, v )) if d = 0. Similarly, when applied to an argument N of type τ = PSD I, M returns a result of type PSD (G + τ) + (H + τ). Let N = (b, v) with v of type I, of the form C d (v ). The result is inl( b, inr( 1, v )) if d = 1, inl(b, inr(1, v )) if d = 1, inr(inr(b, v )) if d = 0.

16 16 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI Hence we can write the two functions λ y co R G ymm and λ y co R H ymm as g : τ G and h: τ H defined by g(b, C 1 (v)) = LR b (g(1, v)), h(b, C 1 (v)) = Fin b (g( 1, v)), g(b, C 1 (v)) = LR b (g( 1, v)), h(b, C 1 (v)) = Fin b (g(1, v)), g(b, C 0 (v)) = U(h(b, v)), h(b, C 0 (v)) = D(h(b, v)). We add another example, which uses the fact that our coinduction axioms are in strengthened form, i.e., X Φ( co I X) X co I instead of X Φ(X) X co I, for example. Proposition 6.4 (CoGMinus). x ( co G( x) co Gx), x ( co H( x) co Hx). Proof. For X := { x x co G) } and Y := { x x co H) } we show X co G simultaneously with Y co H. By coinduction it suffices to prove (i) X Γ( co G X, co H Y ) and (ii) Y ( co G X, co H Y ). For (i), let x 1 X. We show x 1 Γ( co G X, co H Y ): (7) r x co G X a (x 1 = a x 1 ) r x co H Y (x 1 = x ). The co G-clause applied to x 1 co G gives us r x co G a ( x 1 = a x 1 ) r x co H( x 1 = x ). In the first case we have x co G and a with x 1 = a x 1. Then the left hand side of (7) holds for x and a (here we use that our coinduction axiom is in strengthened form). In the second case we have x co H with x 1 = x. Then the right hand side of (7) holds for x. This finishes the proof of (i). The proof of (ii) is similar, and we omit it. Extracted term. [p](corec ag=>ag ah=>ah)p ([p0][case (Des p0) (InL ap -> InL(inv left ap@inl right ap)) (InR q -> InR(InR q))]) ([q][case (Des q) (InL ap -> InL(inv left ap@inl right ap)) (InR q0 -> InR(InR q0))])

17 LOGIC FOR GRAY CODE COMPUTATION 17 Recall the types of the simultaneous corecursion operators co R (G,H),(σ,τ) and co R (G,H),(σ,τ) H with step types co R (G,H),(σ,τ) G : σ δ G δ H G co R (G,H),(σ,τ) H : τ δ G δ H H δ G := σ PSD (G + σ) + (H + τ), δ H := τ PSD (G + σ) + (H + τ). Here we have σ := G and τ := H. Omitting the upper indices of co R, the terms co R G NMM and co R H N MM are defined by the conversion rules { co R G NMM LR u1 ([id G G, λ y ( co R G ymm )]u ) if MN = inl(u) U([id H H, λ z ( co R H zmm )]v) if MN = inr(v) { co R H N MM Fin u1 ([id G G, λ y ( co R G ymm )]u ) if M N = inl(u) D([id H H, λ z ( co R H zmm )]v) if M N = inr(v) By analyzing the particular step functions M, M extracted from our proof we see that we can write λ y co R G ymm and λ z co R H zmm as functions f : σ G and f : τ H defined by f(lr a (p)) = LR a (p), G f (Fin a (p)) = Fin a (p), f(u(q)) = U(f (q)), f (D(q)) = D(f (q)). 7. Average We now consider the problem to compute the average of two real numbers given in pre-gray code. As said above, our aim here is to extract such a program from a proof of the existence of the average. Since it is easier to give such a proof for reals given as signed digit streams [3, 8, 9], we will do this in a somewhat indirect fashion, by first transforming the Gray coded reals into signed digit streams, dealing with the average there, and then transforming the result back into Gray code. Compared with [8, 9] we use a completely abstract approach here, by eliminating all reference to concrete representations of rationals or reals. To this end we need the axiom x + d + y + e x + y + (d + e) =, where the + in x + y denotes addition of abstract reals, and in d + e addition of signed digits, yielding a result in the extended signed digits

18 18 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI SD := {, 1, 0, 1, }. We also benefit from the omission of the nullary constructor I I from our algebra I (cf. Remark 4.1); this removes non-essential case distinctions. The informal proof in [3] of the existence of the average w.r.t. signed digit stream coded reals proceeds as follows. To prove x,y( co Ix co Iy co I x + y ) consider the sets X := { x + y x, y co I }, Y := { x + y + i x, y co I, i SD }. 4 It suffices to show that Y satisfies the clause coinductively defining co I, for then by the greatest-fixed-point axiom for co I we have Y co I. Since clearly X Y we then have X co I, which is our claim. To understand the program to be extracted from this proof it helps to spell out the two lemmas just used. Let i, j range over SD. Lemma 7.1 (XSubY). ( x + y x,y co I r x,y co I i This follows easily from the clause for co I. = x + y + i 4 Extracted term. [v,v0]left Des v plus left Des v0@right Des v@right Des v0 This term can be read as follows. Given v, v0, destruct both. Both are composed, i.e., of the form dv1 and dv. Take their components d1, v1 and d, v. Then the result is d1 sdplus d pair v1 pair v. For Lemma 7. we need functions J : SD SD SD SD and K : SD SD SD SD such that d + e + i = J(d, e, i) + 4K(d, e, i). They can be defined easily by cases on d, e and i. Using these we can relate our abstract average functions x+d and x+y+i 4 by means of the JK-axiom x+d + y+e + i (8) = 4 Lemma 7. (YSatCoIClause). x+y+j(d,e,i) ( x + y + i i x,y co I r x,y co I j,d 4 ). 4 + K(d, e, i) = x +y +j. 4 + d). The proof is similar to the one for Lemma 7.1 above: it uses the clause for co I and the JK-axiom (8).

19 LOGIC FOR GRAY CODE COMPUTATION 19 Extracted term. [i,v,v0] J left Des v left Des v0 i@ K left Des v left Des v0 i@right Des v@right Des v0 This term can be read as follows. Given i, v, v0, destruct the latter two. Both are composed, i.e., of the form dv1 and dv. Take the components d1, v1 and d, v, and return J d1 d i pair K d1 d i pair v1 pair v. Lemma 7.3 (YSubCoI). ( z ( r x,y co I i z = x + y + i ) co Iz) 4 Proof. By coinduction from Lemma 7.. Theorem 7.4 (CoIAverage). x,y( co Ix co Iy co I x + y ). Proof. Immediate form Lemmata 7.1 and 7.3. Extracted term. After animating Lemma 7.3 we obtain [v,v0](corec sdtwo@@iv@@iv=>iv)(cxsuby v v0) ([ivw][let jdvw (cysatcoiclause left ivw left right ivw right right ivw) (left right jdvw@inr(left jdvw@right right jdvw))]) Here ivw is a variable of type SD I I, and jdvw is a variable of type SD SD I I. To obtain the let expression in the term above, we have used implicitly the identity lemma Id: P P ; its realizer has the form λ f,x (fx). If Id is not animated, the extracted term has the form cid(λ x M)N, which is printed as [let x N M]. This avoids multiple evaluations of the term N, which in our case contains cysatcoiclause, i.e., the computational content of Lemma 7.. We may also animate Lemmata 7.1 and 7., and obtain [v,v0](corec sdtwo@@iv@@iv=>iv) (left Des v plus left Des v0@right Des v@right Des v0) ([ivw][let jdvw (J left Des left right ivw left Des right right ivw left ivw@ K left Des left right ivw left Des right right ivw

20 0 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI left right Des left right right Des right right ivw) (left right right jdvw))]) To understand this term recall the type (5) of the corecursion operator. We analyze the step function M extracted from the proof. When applied to an argument ivw of type τ = SD I I, M gives a result of type SD (I+τ), as follows. Destruct ivw into the form (i, (d, v), (e, w)), and let jdvw be the quadruple (J(d, e, i), K(d, e, i), v, w). Return (K(d, e, i), inr(j(d, e, i), v, w)). Hence we can write λ co y R τ I ym as a function f : τ I defined by f(i, C d (v), C e (w)) = C K(d,e,i) (f(j(d, e, i), v, w)). 8. Transforming pre-gray code into Gray code With pre-gray code, there are many ways of expressing the same real number as we noted in Section 3. In particular, the terms U(D k (Fin a p))) and LR a (LR 1 (LR k 1 p)))) denote the same number. Here, D k and LR k 1 denote k-times repetition of the same constructor. In this section, we extract a program which transfers the former pattern in the first n elements of a pre-gray code into the latter pattern. Similar to G we inductively define a set z G of (abstract) reals, this time with a zero (or initial) clause: x z G(x, 0), x,n a ( z G(x, n) z G( a x 1, n + 1))), x,n( z H(x, n) z G( x, n + 1)) with a separate z H inductively defined by the clauses x z H(x, 0), x,n( z H(x, n) z H( x, n + 1)). The corresponding operators z Γ, z for z G, z Hare defined by (y, m) z Γ(X) m = 0 r (x,n) X a(y = a x 1 r (x,n) z H (y = x m = n + 1), m = n + 1) (y, m) z (X) m = 0 r x X(y = x m = n + 1).

21 LOGIC FOR GRAY CODE COMPUTATION 1 Hence z G = ν X z Γ(X) and z H = ν X z (X). The above predicates carry an additional natural number argument, to be used as a bound. From a proof of { (x, n) co Gx } z G, we extract the desired program to compute a prefix of a pre-gray code of x of length n which does not contain a subsequence of the form UD k Fin a from a pre-gray code of x. The associated algebra for z H it is just the natural numbers N, and for z G it is z G with constructors Nz: z G, LRz: PSD z G z G, Uz: N z G. Additionally, the following axiom is used in the proof of Proposition 8.. x+d + 0 x,d ( = x d + d Lemma 8.1 (GenCoGLR). x a ( co Gx co G( a x 1 )). Proof. Easy by coinduction. Proposition 8. (CoGToBGGen). n x ( co Gx z G(x, n)), n x ( co Hx z H(x, n) r y co G a ( z G(y, n 1) x = a y + 1 )). Proof. We prove both statements simultaneously by induction on n. The case n = 0 is trivial. For the step case, we first assume co Gx 1 and prove (x 1, n + 1) z G. We have r x co G a (x 1 = a x 1 ) r x co H(x 1 = x ). (Case A) Suppose that the left hand side holds. Then, by induction hypothesis applied to x, we have z G(x, n). Therefore (x 1, n+1) z Γ( z G) = z G because r (x,n) z G a(x 1 = a x 1 ). (Case B) Suppose that the right hand side holds. Then, x 1 = x for x co H. Therefore, by induction hypothesis, z H(x, n) r x 3 co G a ( z G(x 3, n 1) x = a x ). (Case B1) Suppose that the left hand side holds. Then, since z H(x, n) and x 1 = x, z G(x 1, n + 1) holds. (Case B) Suppose that the right hand side holds. Then, x 1 = x = a x = a x3 1 1 x = a 3 ).

22 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI for some a 3, x 3 co G and x 4 := x 3 1 x. Since x 1 = a 4 1 3, for our goal z G(x 1, n + 1) it suffices to prove z G(x 4, n). In case n = 0 this follows from the initial clause for z G, and in case n = m + 1 it follows from z G(x 3, n 1) by the first generating clause for z G, since x 4 = x 3 1. Next, we suppose that co Hx 1 and prove z H(x 1, n + 1) r y co G a ( z G(y, n) x 1 = a y + 1 ). The argument is almost the same as above. Since co Hx 1, we have r x co G a (x 1 = a x + 1 ) r x co H(x 1 = x ). x (Case A) Suppose that the left hand side holds. We have x 1 = a +1 for a and x co G. By induction hypothesis, z G(x, n). Therefore r y co G a ( z G(y, n) x 1 = a y + 1 ). (Case B) Suppose that the right hand side holds. We have x 1 = x for x co H. By induction hypothesis, z H(x, n) r x 3 co G a ( z G(x 3, n 1) x = a x ). (Case B1) Suppose that the left hand side holds. Then, since z H(x, n) and x 1 = x, we have z H(x 1, n + 1). (Case B) Suppose that the right hand side holds. Then, x 1 = x x = ax = a = a x for x 4 := x 3 1. We prove the right hand side of our goal for x 4 and a. Since x 1 = a x 4+1 it suffices to prove x 4 co G and z G(x 4, n). From x 3 co G we obtain x 4 co G by Lemma 8.1. To prove z G(x 4, n) we argue by cases on n. In case n = 0 this follows from the initial clause for z G, and in case n = m + 1 it follows from z G(x 3, n 1) by the first generating clause for z G, since x 4 = x 3 1. Extracted term. [n](rec nat=>(ag=>bg)@@(ah=>nat ysum psd@@ag@@bg))n (([p]nz)@([q]inl Zero)) ([n0,psf] ([p][case (Des p) (InL ap -> LRz left ap(left psf right ap)) (InR q ->

23 LOGIC FOR GRAY CODE COMPUTATION 3 [case (right psf q) (InL n -> Uz n) (InR apbg -> LRz left apbg [case n0 (Zero -> Nz) (Succ n1 -> LRz PRht right right apbg)])])])@ ([q][case (Des q) (InL ap -> InR(left ap@right ap@left psf right ap)) (InR q0 -> [case (right psf q0) (InL n1 -> InL(Succ n1)) (InR apbg -> InR (left apbg@ LR PLft left right apbg@ [case n0 (Zero -> Nz) (Succ n1 -> LRz PLft right right apbg)]))])])) Here psf is a variable for a pair of step functions, i.e., of type (G z G) (H N + PSD G z G) and apbg of type PSD G z G. The structure of the extracted term closely mirrors the structure of the proof, hence we do not comment it any further. 9. Experiments We experiment with the extracted programs in the previous sections. Let stog, gtos, av and gtobg be the extracted programs from the proofs of Proposition 6.3, Proposition 6., Theorem 7.4 and the first part of Proposition 8., respectively. Example 9.1 (Flip mode). The signed digit stream C Rht (C Lft (C Rht (C Lft..., which stands for 1, 1, 1, 1,..., is transformed by stog into the pre-gray code LR PRht (LR PRht (LR PRht (LR PRht.... On the other hand, C Rht (C Rht (C Lft (C Rht (C Lft... is transformed into LR PRht (LR PLht (LR PRht (LR PRht (LR PRht.... In pre-gray code the occurrence of PRht outside of a block switches the flip mode. The program gtos works as the inverse.

24 4 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI Example 9. (Block). The signed digit stream C Mid (C Mid (C Rht (C Lft..., which stands for 0, 0, 1, 1,..., is transformed by stog into the pre- Gray code U (D (Fin PRht (LR PLft.... The program gtos works as the inverse. Example 9.3 (Flip mode in a block). The signed digit stream C Mid (C Lft (C Rht (C Rht..., which stands for 0, 1, 1, 1,..., is transformed by stog into the pre-gray code U (Fin PLft (LR PLft (LR PLft.... On the other hand, C Mid (C Rht (C Rht (C Rht... is transformed into U (Fin PRht (LR PRht (LR PLft.... The occurrence of PLft in a block switches the flip mode. The pre-gray code LR PRht (U (D (Fin PRht (LR PRht (LR PLft..., obtained from 1, 0, 0, 1, 1, 1,..., shows that the flip mode started before the block also effects. For both of the above cases, gtos transforms the output to the input. Example 9.4 (Average). Consider the average of 5 8 and 3 4. Feeding LR PRht (U (Fin PLft (U (D (D... and LR PRht (LR PLft (U (D (D... to av, the result LR PRht (LR PLft (U (Fin PRht (U (D (D... is computed. Example 9.5 (Gray code). From 5 and the pre-gray code U (D (Fin PLft (U (Fin PRht..., gtobg computes the Gray-code 1, 1, 1, 1, 1 as LRz PLft (LRz PRht (LRz PLft (LRz PRht (LRz PRht Nz)))). From 5 and U (Fin PLft (U (D (D (..., gtobg computes 1, 1,, 1, 0, 0 as LRz PLft (LRz PRht (Uz )) by interpreting Uz to be and to be 1, 0, Conclusion We studied real number computation based on Gray code, being focused on its logical aspects. The notion of pre-gray code was introduced in order to formulate and prove properties of Gray code within the theory TCF using inductive and coinductive definitions. The case studies were presented to extract from proofs the following algorithms: translators between signed digit stream and pre-gray code, average and a bounded translator from pre- Gray code to Gray code. Furthermore, those case studies were implemented in Minlog as running examples. As for the future work, uniformly continuous functions for (pre-)gray code can be studied with the same motivation. Concerning Gray code computation, the program constructions as gamb and pif used by Tsuiki, Sugihara and Terayama can suggest further development of the program extraction framework.

25 LOGIC FOR GRAY CODE COMPUTATION 5 Extracted programs are provably correct because of the soundness theorem. However, Minlog s feature to automatically generate correctness proofs still needs to be extended to also cover simultaneous coinductive definitions. References [1] U. Berger. Program extraction from normalization proofs. In M. Bezem and J. Groote, editors, Typed Lambda Calculi and Applications, volume 664 of LNCS, pages Springer Verlag, Berlin, Heidelberg, New York, [] U. Berger. From coinductive proofs to exact real arithmetic. In E. Grädel and R. Kahle, editors, Computer Science Logic, volume 5771 of LNCS, pages Springer Verlag, Berlin, Heidelberg, New York, 009. [3] U. Berger and M. Seisenberger. Proofs, programs, processes. In F. Ferreira et al., editors, Proceedings CiE 010, volume 6158 of LNCS, pages Springer Verlag, Berlin, Heidelberg, New York, 010. [4] C. M. Chuang. Extraction of Programs for Exact Real Number Computation Using Agda. PhD thesis, Swansea University, Wales, UK, 011. [5] A. Ciaffaglione and P. D. Gianantonio. A co-inductive approach to real numbers. In Proc. of the workshop Types 1999, volume 1956 of LNCS, pages Springer Verlag, Berlin, Heidelberg, New York, [6] A. Heyting, editor. Constructivity in Mathematics. North-Holland, Amsterdam, [7] G. Kreisel. Interpretation of analysis by means of constructive functionals of finite types. In Heyting [6], pages [8] K. Miyamoto. Program extraction from coinductive proofs and its application to exact real arithmetic. PhD thesis, Mathematisches Institut der Universität München, 013. [9] K. Miyamoto and H. Schwichtenberg. Program extraction in exact real arithmetic. To appear in MSCS, pp. 1 13, 014. [10] S. Sagiv, editor. Programming Languages and Systems, 14th European Symposium on Programming,ESOP 005, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 005, Edinburgh, UK, April 4-8, 005, Proceedings, volume 3444 of Lecture Notes in Computer Science. Springer, 005. [11] H. Schwichtenberg. Minlog. In F. Wiedijk, editor, The Seventeen Provers of the World, volume 3600 of LNAI, pages Springer Verlag, Berlin, Heidelberg, New York, 006. [1] H. Schwichtenberg and S. S. Wainer. Proofs and Computations. Perspectives in Logic. Association for Symbolic Logic and Cambridge University Press, 01. [13] K. Terayama and H. Tsuiki. A stream calculus of bottomed sequences for real number computation. Electr. Notes Theor. Comput. Sci., 98:383 40, 013. [14] H. Tsuiki. Real number computation through Gray code embedding. Theoretical Computer Science, 84: , 00. [15] H. Tsuiki. Real number computation with committed choice logic programming languages. J. Log. Algebr. Program., 64(1):61 84, 005. [16] H. Tsuiki and K. Sugihara. Streams with a bottom in functional languages. In Sagiv [10], pages [17] E. Wiedmer. Exaktes Rechnen mit reellen Zahlen und anderen unendlichen Objekten. PhD thesis, ETH Zürich, 1977.

26 6 U. BERGER, K. MIYAMOTO, H. SCHWICHTENBERG AND H. TSUIKI [18] E. Wiedmer. Computing with infinite objects. Theoretical Computer Science, 10: , 1980.