Denotational Semantics of Typed Lambda Calculus IV — CPO Model for PCF

In this article, we consider the domain-theoretic semantics of PCF. This provides some insight into the properties of CPOs, and also provides the basis for semantic reasoning about PCF.

We show soundness of the PCF equational axioms system, and therefore the reduction rules, for our CPO model, called $A_{PCF}$ . It is impossible for the PCF equational proof system to be complete for proving all equations between PCF terms that hold in PCF. The reason is that, as shown in Easy Foundations for Programming Languages V — PCF Iteration and Recursion, every partial recursive function is definable in PCF.

By soundness, and the fact that all the numerals denote distinct elements of the model, two expressions of type $n a t \to n a t$ will be equal in PCF iff they operationally define the same partial recursive function. Since equality between partial recursive functions is not recursively enumerable, no recursive axiom system could be complete for $A_{PCF}$ .

CPO Model for PCF

The model $A_{PCF}$ is the full continuous hierarchy over $A_{PCF}^{n a t} = N_{⊥}$ and $A_{PCF}^{b o o l} = B_{⊥}$ , with constants of PCF interpreted as described below.

Since the type constants of PCF are interpreted as pointed CPOs, and cartesian product and continuous function constractors preserve pointedness, all of the type of PCF are interpreted as pointed CPOs. This gives us least-fixed-point operators at all types, allowing us to interpret the fixed-point constants of PCF according to Lemma 1 in the last article.

We interpret constants $0, 1, 2, \dots$ and $t r u e, f a l s e$ as the standard natural numbers and boolean elements of the lifted set $N_{⊥}$ and $B_{⊥}$ . If we choose continuous functions for basic PCF operations $+$ , $E q ?$ and conditional, then every term of PCF will have a meaning in $A_{PCF}$ . It follows that every term in PCF has a fixed point.

We interpret $+$ and $E q ?$ in $A_{PCF}$ as the lifted versions, $+_{⊥}$ and $E q ?_{⊥}$ , of the standard functions. In other words, we interpret $+$ as the extension of addition that is strict in both arguments, so that for every $x \in A_{PCF}^{n a t}$ ,

⊥_{n a t} + x = x + ⊥_{n a t} = ⊥_{n a t}

We treat the PCF equality test similarly, so that the PCF expression $E q ? M N$ has value $t r u e$ if $M$ and $N$ denote the same element of $N_{⊥}$ different from $⊥$ , value $f a l s e$ if $M$ and $N$ denote different non- $⊥$ elements of $N_{⊥}$ , and value $⊥$ if either $M$ and $N$ denotes $⊥$ .

The interpretation of conditional in $A_{PCF}$ is a little subtle. You may guess that we could also interpret conditional as a strict function, with value $⊥$ of the appropriate type whenever any of its arguments is $⊥$ of some type. However, this does not work, since in the case that $M$ denotes $⊥$ but $N$ does not, we would have

if f a l s e then M else N = ⊥,

which contradicts an equational axiom of PCF.

Recall that we have the following equational axioms for conditional discussed in Easy Foundations for Programming Languages III — The Language PCF & Its Syntax.
$\begin{array}{r} (if t r u e then M else N) = M \\ (if f a l s e then M else N) = N \end{array}$

An interpretation of conditional that satisfies the equational axioms of PCF is the following.

A_{PCF} [[if P then M else N]] η = {\begin{cases} A_{PCF} [[M]] η & if A_{PCF} [[P]] η = t r u e \\ A_{PCF} [[N]] η & if A_{PCF} [[P]] η = f a l s e \\ ⊥ & otherwise \end{cases}

Since the equational axioms of PCF only mention conditional expressions when the first argument is $t r u e$ or $f a l s e$ , it is easy to see that the axioms are satisfied. This completes the definition of $A_{PCF}$ .

Now we have the following immediate consequences of the general soundness theorem for Henkin models.

(Theorem 1.) Let $M$ and $N$ be expressions of PCF over typed variables from $Γ$ . If $Γ ▹ M = N : σ$ is provable from the axioms for PCF, then the CPO model $A_{PCF}$ satisfies the equation $Γ ▹ M = N : σ$ .

(Corollary 1.) If $Γ ▹ M : σ$ is a well-typed term of PCF, and $M ↠ N$ , then the CPO model $A_{PCF}$ satisfies the equation $Γ ▹ M = N : σ$ .

These soundness results show that the denotational semantics given by $A_{PCF}$ has the minimal properties required of any denotational semantics. Specifically, if we can prove $M = N$ , or reduce one term to the other, then these two terms will have the same meaning in $A_{PCF}$ . It follows that if two terms have different meanings, then we cannot prove them equal or reduce one to the other. Therefore, we can use $A_{PCF}$ to reason about unprovability or the non-existence of reductions.

Examples

In this section, we will use two examples to illustrate how to work out the meaning of some expressions in $A_{PCF}$ and make some comments about the difference between the least fixed point of a function and other fixed points.

Ex.1 Factorial Function

Recall that the factorial function may be written $f a c t \overset{def}{=} f i x_{n a t \to n a t} F$ , where $F$ is the expression

F \overset{def}{=} λ f : n a t \to n a t . λ y : n a t . (if E q ? y 0 then 1 else y * f (y - 1)) .

We will work out the meaning of this closed term assuming that $*$ and $-$ denote multiplication and subtraction functions which are strict extensions of the standard ones. In other words, we assume that multiplication and subtraction have their standard meaning on non-least elements of $N_{⊥}$ , but have value $⊥$ if either of their arguments is $⊥$ .

Following the definition of $f i x$ in a CPO, we can see that the meaning of factorial is the least upper bound of a directed set. Specifically, $A_{PCF} [[f a c t]]$ is the least upper bound $⋁ {{\bar{F}}^{n} (⊥) ∣ n \geq 0}$ , where $\bar{F} = A_{PCF} [[F]]$ . We will work out the first few cases of ${\bar{F}}^{n} (⊥)$ to understand what this means.

Since all of the lambda terms involved are closed, we will dispense with the formality of writing $A_{PCF} [[]]$ and use lambda terms as names for elements of the appropriate domains.

\begin{aligned} {\bar{F}}^{0} (⊥) & = ⊥_{n a t \to n a t} \\ {\bar{F}}^{1} (⊥) & = λ y : n a t . if E q ? y 0 then 1 else y * ({\bar{F}}^{0} (⊥)) (y - 1) \\ = λ y : n a t . if E q ? y 0 then 1 else y * (⊥_{n a t \to n a t}) (y - 1) \\ = λ y : n a t . if E q ? y 0 then 1 else ⊥_{n a t} \\ {\bar{F}}^{2} (⊥) & = λ y : n a t . if E q ? y 0 then 1 else y * ({\bar{F}}^{1} (⊥)) (y - 1) \\ = λ y : n a t . if E q ? y 0 then 1 else y * \\ (λ x : n a t . if E q ? x 0 then 1 else ⊥_{n a t}) (y - 1) \\ = λ y : n a t . if E q ? y 0 then 1 else y * \\ (if E q ? (y - 1) 0 then 1 else ⊥_{n a t}) \end{aligned}

Continuing in this way, we can see that ${\bar{F}}^{n} (⊥)$ is the function which computes $y!$ whenever $0 \leq y < n$ and has value $⊥_{n a t}$ otherwise. Since $⊥_{n a t}$ represents “undefined,” this means that ${\bar{F}}^{n} (⊥)$ is defined for $0 \leq y < n$ and undefined otherwise.

A property of this collection of functions is that for a particular argument $y \neq⊥$ , there are two possible values for ${\bar{F}}^{n} (⊥) y$ — if $n \leq y$ , then the value is $⊥$ , while if $n > y$ , the value is $y!$ .

As spelled out in the statement of Lemma 4 in the CPO article, the least upper bound of ${{\bar{F}}^{n} (⊥) ∣ n \geq 0}$ is the function mapping any $y \in N_{⊥}$ to the least upper bound of the set ${{\bar{F}}^{n} (⊥) y ∣ n \geq 0}$ . The set contains only $⊥$ , if $y =⊥$ , and has two elements $⊥$ and $y!$ otherwise. Therefore $A_{PCF} [[f a c t]]$ is the function from $N_{⊥}$ to $N_{⊥}$ which maps $⊥$ to $⊥$ , and any other $y \in N$ to $y!$ .

Such strictness of factorial agrees with our computational intuition and experience, since we do not expect any computation of $f a c t$ $M$ to terminate if the expression $M$ cannot be simplified to a numeral. But in the case $M$ reduces to a numeral for $y$ , we can reduce $f a c t$ $M$ to the numeral for $y!$ .

In general, the least fixed point of a function is the fixed point that is “computed in practice.” Later we will formally show that the PCF operational and denotational semantics coincide. Simply put, the least fixed point of a function $f$ has all the properties of $f i x$ $f$ that we can determine by applying $f i x$ -reduction some number of times.

Ex.2 Function with Many Fixed Points

This example illustrates the difference between the least fixed point of a function and other fixed points.

Consider the function $F : (n a t \to n a t) \to (n a t \to n a t)$ defined by

F \overset{def}{=} λ f : n a t \to n a t . λ x : n a t . (if E q ? x 1 then 1 else f (x - 2))

where subtraction $x - y$ yields $0$ if $y \geq x$ .

In contrast to the function used to define factorial, we will see that $F$ has many fixed points. The reason is that $F$ is a function mapping even arguments to $⊥$ . This allows us to find greater fixed points (in the point-wise order) which map even arguments to natural numbers other than $⊥$ .

Before discussing alternate fixed points further, we will work out the meaning of $f i x$ $F$ .

As in factorial, we let $\bar{F} = A_{PCF} [[F]]$ . The least fixed point of $\bar{F}$ is the least upper bound of the set ${{\bar{F}}^{n} (⊥) ∣ n \geq 0}$ . The simplest way to understand this set is to begin by working out the first few functions.

\begin{aligned} {\bar{F}}^{0} (⊥) & = ⊥_{n a t \to n a t} \\ {\bar{F}}^{1} (⊥) & = λ x : n a t . if E q ? x 1 then 1 else ({\bar{F}}^{0} (⊥)) (x - 2) \\ = λ x : n a t . if E q ? x 1 then 1 else ⊥_{n a t} \\ {\bar{F}}^{2} (⊥) & = λ x : n a t . if E q ? x 1 then 1 else ({\bar{F}}^{1} (⊥)) (x - 2) \\ = λ x : n a t . if E q ? x 1 then 1 else \\ (λ y : n a t . if E q ? y 1 then 1 else ⊥_{n a t}) (x - 2) \\ = λ x : n a t . if E q ? x 1 then 1 else \\ (if E q ? (x - 2) 1 then 1 else ⊥_{n a t}) \end{aligned}

Continuing in this way, we can see that ${\bar{F}}^{n} (⊥)$ is the function which maps any odd $x < 2 n$ to $1$ and has value $⊥_{n a t}$ otherwise. The least upper bound $f$ of all such functions is the function mapping all odd $x$ to $1$ , and any other natural number to $⊥$ .

This corresponds to the fact that if we try to compute the value of $(f i x F) x$ by reduction, we will succeed after a finite number of reduction steps iff $x$ is odd. If $x$ is even, we can reduce the expression indefinitely, but will never produce a numeral.

It is not hard to see that the fixed points of $F$ above are precisely the functions $g : n a t \to n a t$ satisfying the two conditions:

\begin{aligned} g (1) & = 1 \\ g (x + 2) & = g (x) \end{aligned}

Since these two equations do not determine a value for even $x$ , any function mapping all even $x$ (and $0$ ) to some number $n$ will be a fixed point of $F$ . All of these alternatives are greater than $f$ since any natural number $n$ is greater than $⊥$ in the ordering on the lifted CPO of natural numbers. However, none of these alternative fixed points is the function computed by reduction.

Fixed-Point Induction

The equational proof system for PCF is sound for the CPO model and other semantic models of PCF. It is adequate to specify the result of any program — if $P : n a t$ is closed, and $P$ denotes a number $n$ in the CPO model $A_{PCF}$ , then we can prove $P = n$ .

However, the equational proof system is not very powerful when it comes to proving equations between parts of programs, such as terms defining functions. This is illustrated in the example below.

In this section, we study an extension to the equational proof system that has been found, in practice, to be sufficient for proving many equations between PCF terms.

Ex. 3 Equation of Function Terms

If $f : D \to D$ and $g : D \to D$ are continuous functions on some CPO $D$ , then it is not hard to see that $f i x (f \circ g) = f (f i x (f \circ g))$ . The reason is that

\begin{aligned} f i x (f \circ g) & = ⋁ {(f \circ g)^{i} (⊥) ∣ i \geq 0} \\ = ⋁ {(f \circ g) (⊥), (f \circ g \circ f \circ g) (⊥), (f \circ g \circ f \circ g \circ f \circ g) (⊥), . . .} \\ = ⋁ {(f \circ (g \circ f)^{i}) (⊥) ∣ i \geq 0} \\ = f (f i x (f \circ g)) \end{aligned}

by monotonicity, general facts about least upper bound, and the associativity of composition.

In the rest of this example, we show that there is no equational proof of $f i x (f \circ g) = f (f i x (f \circ g))$ , treating $f$ and $g$ as variables of type $σ \to σ$ , for any type $σ$ , using only the equational proof system of PCF.

There are two facts about PCF:

The reduction rules of PCF are confluent;
The reduction rules of PCF are exactly directed versions of the equational axioms, plus symmetry, transitivity and congruence rules.

Based on these, we know that the equation $f i x (f \circ g) = f (f i x (f \circ g))$ is provable iff both terms reduce to a common term. However, an easy induction shows that any term obtained by reducing $f i x (f \circ g)$ will have an equal number of $f$ ’s and $g$ ’s, while terms obtained from $f (f i x (f \circ g))$ will have more $f$ than $g$ . Therefore, we cannot prove $f i x (f \circ g) = f (f i x (f \circ g))$ using the equational proof system.

Extended Proof System

The extended proof system is based on the CPO interpretation of terms. In addition to equations, we will use formulas which assert that the meaning of one term is an approximation of another. More specifically, we use assertions of the form $M \leq N$ or, written out with type assignments, $Γ ▹ M \leq N : σ$ . To be precise, an approximation $Γ ▹ M \leq N : σ$ is satisfied at environment $η ⊨ Γ$ for CPO model $A$ if $A [[M]] η \leq A [[N]] η$ .

The proof system given in this section is sound for deriving assertions that hold in all CPO models. A common way of reading $M \leq N$ is, “ $M$ is an approximation of $N$ .”

One obvious inference rule is

\begin{matrix} (e q) & \frac{Γ ▹ M = N : σ}{Γ ▹ M \leq N : σ} \end{matrix}

which allows us to derive approximations from equations. This rule may be used to derive versions of the $(β)$ and $(η)$ axioms using approximation in place of equality.

A “converse” to this rule is

\begin{matrix} (a s y m) & \frac{Γ ▹ M \leq N : σ, Γ ▹ N \leq M : σ}{Γ ▹ M = N : σ} \end{matrix}

which is sound since a partial order is anti-symmetric. This rule lets us derive equations from approximations.

Since $\leq$ is transitive, we also have the rule

\begin{matrix} (t r a n s) & \frac{Γ ▹ M \leq N : σ, Γ ▹ N \leq P : σ}{Γ ▹ M \leq P : σ} \end{matrix}

If we add a constant $⊥_{σ}$ to the language, for each type $σ$ , then we write the axiom scheme

\begin{matrix} (b o t) & Γ ▹ ⊥_{σ} \leq M : σ \end{matrix}

since $⊥_{σ}$ is the least element of type $σ$ . The tag “bot” stands for the “bottom” element.

We also know that the least element of a function type is the function mapping each argument to $⊥$ . This gives us the equational axiom scheme

\begin{matrix} (b o t f) & Γ ▹ ⊥= λ x : σ . ⊥: σ \to τ \end{matrix}

We also have a congruence rule for each syntactic form. For application, the rule

\begin{matrix} (a c o n g) & \frac{Γ ▹ M_{1} \leq M_{2} : σ \to τ, Γ ▹ N_{1} \leq N_{2} : σ}{Γ ▹ M_{1} N_{1} \leq M_{2} N_{2} : τ} \end{matrix}

tells us that every continuous function is monotonic. The congruence rule for lambda abstraction

\begin{matrix} (f c o n g) & \frac{Γ, x : σ ▹ M \leq N : τ}{Γ ▹ λ x : σ . M \leq λ x : σ . N : σ \to τ} \end{matrix}

is sound since we order functions point-wise.

The final rule is an induction rule for fixed points. From the equational axiom for fixed points, we can prove that $f (f i x f) \leq f i x f$ , and similar properties that follow from $f i x f$ being a fixed point of $f$ . However, in the standard equational proof system, there is no obvious way to make use of the fact that $f i x f$ is the least fixed point of $f$ . With approximations instead of equations, we could write a rule

\frac{Γ ▹ M N = N : σ}{Γ ▹ f i x M \leq N : σ}

saying that $f i x M$ is an approximation to any fixed point of $M$ . This follows from the more powerful rule of “fixed point induction”, also called Scott induction after Dana Scott.

In stating the rule of fixed point induction, we write $Φ ⊢ A$ to mean that the equation or approximation $A$ is provable from the set $Φ$ of equations and approximations using the axioms and inference rules given here, combined with the equational axioms and inference rules of typed lambda calculus with fixed points and any additional equational hypotheses (such as axioms for algebraic datatypes).

If $A$ has the form $Γ, x : σ ▹ M \leq N : τ$ , then we write $[P / x] A$ for the result $Γ ▹ [P / x] M \leq [P / x] N : τ$ of removing variable $x$ from the type assignment and substituting $P$ for $x$ in both terms, assuming $Γ ▹ P : σ$ . If $A$ is an equation, we define $[P / x] A$ similarly.

Using this notation, the rule to find the fixed point is written as follows.

\begin{matrix} (f p f i n d) & \frac{Φ ⊢ [⊥ / x] A, Φ, [c / x] A ⊢ [F (c) / x] A}{Φ ⊢ [f i x F / x] A} constant c not in Φ \end{matrix}

If we think of $A$ as a way of saying that the variable $x$ has some property, then $[⊥ / x] A$ says that this property holds for $⊥$ . The second hypothesis, $Φ, [c / x] A ⊢ [F (c) / x] A$ , is a way of saying that if this property holds for some arbitrary $c$ . then it holds for $F (c)$ . If follows that this property holds for every element of ${F^{n} (⊥) ∣ n \geq 0}$ , by induction on $n$ . Using the fact that the value of any term depends continuously on each of its free variables, we can easily verify that the property $A$ holds for the least upper bound of this set, namely $f i x F$ . This gives us the conclusion of the fixed point induction rule.

A feature of fixed-point induction is that we reason implicitly about sets of form ${F^{i} (⊥) ∣ i \geq 0}$ without introducing natural numbers into the formal system. While the soundness proof for fixed-point induction uses induction on the integers, the proof system only uses formulas such as approximation or equality.

Ex 4. Fixed-Point Induction Example

To illustrate the use of fixed-point induction, we will show that if $N$ is a fixed point of $M$ , then $f i x M \leq N$ .

We assume $Γ ▹ M N = N : σ$ (according to the definition of fixed point), which gives us

Γ ▹ M N \leq N : σ

since equality implies approximation. This will be useful at a later step of the proof.

Let us now think about how we can use the fixed point induction rule. The conclusion of the rule has the form $[f i x F / x] A$ , which matches the statement we wish to prove if we take

A \equiv Γ, x : σ ▹ x \leq N : σ,

with $x$ not free in $N$ , and let $F$ be $M$ . Reading the fixed point induction rule from the bottom up, we can see that it suffices to prove

[⊥ / x] A \equiv Γ ▹ ⊥\leq N : σ,

which is an axiom, and to show that we can prove

[M c / x] A \equiv Γ ▹ M c \leq N : σ

if we take $[c / x] A \equiv Γ ▹ c \leq N : σ$ as an additional hypothesis.

If we begin with $c \leq N$ , then by monotonicity (the “congruence rule” for application), we have

Γ ▹ M c \leq M N : σ

But since we have already proved $M N \leq N$ above, this gives us

Γ ▹ M c \leq N : σ

which is exactly what we need in order to finish the proof by fixed point induction. $◼$

Denotational Semantics of Typed Lambda Calculus IV — CPO Model for PCF

CPO Model for PCF

Examples

Ex.1 Factorial Function

Ex.2 Function with Many Fixed Points

Fixed-Point Induction

Ex. 3 Equation of Function Terms

Extended Proof System

Ex 4. Fixed-Point Induction Example

Further Reading

Easy Foundations for Programming Languages VII — Simply-Typed Lambda Calculus

Easy Foundations for Programming Languages VIII — Proof Systems

Easy Foundations for Programming Languages IX — Universal Algebra and Algebraic Data Types