Fast and Loose Reasoning is Morally Correct ∗
Nils Anders Danielsson John Hughes
Patrik Jansson
Chalmers University of Technology
[email protected]
{nad,rjmh,patrikj}@cs.chalmers.se
Abstract
Functional programmers often reason about programs as if
they were written in a total language, expecting the results
to carry over to non-total (partial) languages. We justify
such reasoning.
Two languages are defined, one total and one partial,
with identical syntax. The semantics of the partial language
includes partial and infinite values, and all types are lifted,
including the function spaces. A partial equivalence relation
(PER) is then defined, the domain of which is the total
subset of the partial language. For types not containing
function spaces the PER relates equal values, and functions
are related if they map related values to related values.
It is proved that if two closed terms have the same
semantics in the total language, then they have related
semantics in the partial language. It is also shown that the
PER gives rise to a bicartesian closed category which can be
used to reason about values in the domain of the relation.
Categories and Subject Descriptors F.3.1 [Logics and
Meanings of Programs]: Specifying and Verifying and Rea-
soning about Programs; D.3.2 [Programming Languages]:
Language Classifications—Applicative (functional) lan-
guages
General Terms Languages, theory, verification
Keywords Equational reasoning, partial and total lan-
guages, non-strict and strict languages, partial and infinite
values, lifted types, inductive and coinductive types
1. Introduction
It is often claimed that functional programs are much easier
to reason about than their imperative counterparts. Func-
tional languages satisfy many pleasing equational laws, such
as
curry ◦ uncurry = id , (1)
∗ This work is partially funded by the Swedish Foundation for
Strategic Research as part of the research programme “Cover —
Combining Verification Methods in Software Development,” and
by the Royal Swedish Academy of Sciences’ funds.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies
are not made or distributed for profit or commercial advantage and
that copies bear this notice and the full citation on the first page. To
copy otherwise, to republish, to post on servers or to redistribute to
lists, requires prior specific permission and/or a fee.
POPL’06 January 11–13, 2006, Charleston, South Carolina, USA.
Copyright c 2006 ACM 1-59593-027-2/06/0001. . . $5.00.
Jeremy Gibbons
Oxford University Computing Laboratory
(fst x, snd x) = x, and (2)
fst (x, y) = x, (3)
and many others inspired by category theory. Such laws
can be used to perform very pleasant proofs of program
equality, and are indeed the foundation of an entire school
of program transformation and derivation, the Squiggolers
[BdM96, Jeu90, BdBH+ 91, MFP91]. There is just one prob-
lem. In current real programming languages such as Haskell
[PJ03] and ML [MTHM97], they are not generally valid.
The reason these laws fail is the presence of the undefined
value ⊥, and the fact that, in Haskell, ⊥, λx.⊥ and (⊥, ⊥)
are all different (violating the first two laws above), while in
ML, ⊥, (x, ⊥) and (⊥, y) are always the same (violating the
third).
The fact that these laws are invalid does not prevent
functional programmers from using them when developing
programs, whether formally or informally. Squiggolers hap-
pily derive programs from specifications using them, and
then transcribe the programs into Haskell in order to run
them, confident that the programs will correctly implement
the specification. Countless functional programmers happily
curry or uncurry functions, confident that at worst they are
changing definedness a little in obscure cases. Yet is this
confidence justified? Reckless use of invalid laws can lead
to patently absurd conclusions: for example, in ML, since
(x, ⊥) = (y, ⊥) for any x and y, we can use the third law
above to conclude that x = y, for any x and y. How do we
know that, when transforming programs using laws of this
sort, we do not, for example, transform a correctly termi-
nating program into an infinitely looping one?
This is the question we address in this paper. We call the
unjustified reasoning with laws of this sort “fast and loose”,
and we show, under some mild and unsurprising conditions,
that its conclusions are “morally correct”. In particular,
it is impossible to transform a terminating program into
a looping one. Our results justify the hand reasoning that
functional programmers already perform, and can be applied
in proof checkers and automated provers to justify ignoring
⊥-cases much of the time.
In the next section we give an example showing how it
can be burdensome to keep track of all preconditions when
one is only interested in finite and total values, but is rea-
soning about a program written in a partial language. Sec-
tion 3 is devoted to defining the language that we focus
on, its syntax and two different semantics: one set-theoretic
and one domain-theoretic. Section 4 briefly discusses par-
tial equivalence relations (PERs), and Section 5 introduces
a PER on the domain-theoretic semantics. This PER is used
to model totality. In Section 6 a partial surjective homomor-
phism from the set-theoretic semantics to the quotient of the
domain-theoretic semantics given by the PER is exhibited,
and in Section 7 we use this homomorphism to prove our
main result: fast and loose reasoning is morally correct. Sec-
tion 8 provides a more abstract result, showing how the PER
gives rise to a category with many nice properties which
can be used to reason about programs. We go back to our
earlier example and show how it fits in with the theory in
Section 9. We also exhibit another example where reasoning
directly about the domain-theoretic semantics of a program
may be preferable (Section 10). Section 11 recasts the the-
ory for a strict language, Section 12 discusses related work,
and Section 13 concludes with a discussion of the results and
possible future extensions of the theory.
Most proofs needed for the development below are only
sketched; full proofs are available from Danielsson’s web
page [Dan05].
2. Propagating preconditions
Let us begin with an example. Say that we need to prove
that the function map (λx.y + x) ◦ reverse :: [Nat] → [Nat]
has a left inverse reverse ◦ map (λx.x − y). (All code in
this section uses Haskell-like syntax.) In a total language we
would do it more or less like this:
(reverse ◦ map (λx.x − y)) ◦ (map (λx.y + x) ◦ reverse)
= {map f ◦ map g = map (f ◦ g), ◦ associative}
reverse ◦ map ((λx.x − y) ◦ (λx.y + x)) ◦ reverse
= {(λx.x − y) ◦ (λx.y + x) = id }
reverse ◦ map id ◦ reverse
= {map id = id }
reverse ◦ id ◦ reverse
= {id ◦ f = f , ◦ associative}
reverse ◦ reverse
= {reverse ◦ reverse = id}
id .
Note the lemmas used for the proof, especially
(λx.x − y) ◦ (λx.y + x) = id , and (4)
reverse ◦ reverse = id . (5)
Consider now the task of repeating this proof in the
context of some language based on partial functions, such
as Haskell. To be concrete, let us assume that the natural
number data type Nat is defined in the usual way,
data Nat = Zero | Succ Nat. (6)
Note that this type contains many properly partial values
that do not correspond to any natural number, and also a
total but infinite value. Let us also assume that (+) and (−)
are defined by
(+) = fold Succ, and (7)
(−) = fold pred , (8)
where fold :: (a → a) → a → Nat → a is the fold over
natural numbers (fold s z n replaces all occurrences of Succ
in n with s, and Zero with z), and pred :: Nat → Nat is
the predecessor function with pred Zero = Zero. The other
functions and types are all standard [PJ03]; this implies
that the list type also contains properly partial and infinite
values.
Given these definitions the property proved above is no
longer true. The proof breaks down in various places. More
to the point, both lemmas (4) and (5) fail, and they fail due
to both properly partial values, since
(Succ Zero + Succ ⊥) − Succ Zero = ⊥ = 6 Succ ⊥ and (9)
reverse (reverse (Zero : ⊥)) = ⊥ =6 Zero : ⊥, (10)
and infinite values, since
(fix Succ + Zero) − fix Succ = ⊥ =
6 Zero and (11)
reverse (reverse (repeat Zero)) = ⊥ =6 repeat Zero. (12)
(Here fix is the fixpoint combinator, i.e. fix Succ is the
“infinite” lazy natural number. The application repeat x
yields an infinite list containing only x.) Note that id ◦f = f
also fails, since we have lifted function spaces and id ◦ ⊥ =
λx.⊥ 6= ⊥, but that does not affect this example since
reverse 6= ⊥.
These problems are not surprising; they are the price you
pay for partiality. Values that are properly partial and/or in-
finite have different properties than their total, finite coun-
terparts. A reasonable solution is to stay in the partial lan-
guage but restrict our inputs to total, finite values.
Let us see what the proof looks like then. We have to η-
expand our property, and assume that xs :: [Nat] is a total,
finite list and that y :: Nat is a total, finite natural number.
(Note the terminology used here: if a list is said to be total,
then all elements in the list are assumed to be total as well,
and similarly for finite values. The concepts of totality and
finiteness are discussed in more detail in Sections 5 and 9,
respectively.) We get
((reverse ◦ map (λx.x − y))
◦ (map (λx.y + x) ◦ reverse)) xs
= {map f ◦ map g = map (f ◦ g), definition of ◦}
reverse (map ((λx.x − y) ◦ (λx.y + x)) (reverse xs))
• map f xs = map g xs if xs is total and f x = g x>
8 9
>
< for all total x,
> >
=
= • reverse xs is total, finite if xs is,
: • ((λx.x − y) ◦ (λx.y + x)) x = id x for total x and>
>
> >
;
total, finite y
reverse (map id (reverse xs))
= {map id = id }
reverse (id (reverse xs))
= {definition of id }
reverse (reverse xs)
= {reverse (reverse xs) = xs for total, finite xs}
xs.
Comparing to the previous proof we see that all steps
are more or less identical, using similar lemmas, except for
the second step, where two new lemmas are required. How
did that step become so unwieldy? The problem is that,
although we know that (λx.x−y)◦(λx.y+x) = id given total
input, and also that xs only contains total natural numbers,
we have to manually propagate this precondition through
reverse and map.
One view of the problem is that the type system used
is too weak. If there were a type for total, finite natural
numbers, and similarly for lists, then the propagation would
be handled by the types of reverse and map. The imaginary
total language used for the first proof effectively has such a
type system.
On the other hand, note that the two versions of the
program are written using identical syntax, and the semantic
rules for the total language and the partial language are
probably more or less identical when only total, finite (or Γ(x) = σ Γ[x 7→ σ] ` t : τ
even total, infinite) values are considered. Does not this
imply that we can get the second result above, with all Γ`x:σ Γ ` λx.t : σ → τ
preconditions, by using the first proof? The answer is yes, Γ ` t1 : σ → τ Γ ` t2 : σ
with a little extra effort, and proving this is what many of Γ ` t 1 t2 : τ
the sections below will be devoted to. In Section 9 we come Γ ` seq : σ → τ → τ Γ ` fix : (σ → σ) → σ
back to this example and spell out in full detail what “a Γ`?:1 Γ ` (,) : σ → τ → (σ × τ )
little extra effort” boils down to in this case. Γ ` fst : (σ × τ ) → σ Γ ` snd : (σ × τ ) → τ
Γ ` inl : σ → (σ + τ ) Γ ` inr : τ → (σ + τ )
3. Language
Γ ` case : (σ + τ ) → (σ → γ) → (τ → γ) → γ
This section defines the main language discussed in the text. Γ ` inµF : F µF → µF Γ ` outµF : µF → F µF
It is a strongly typed, monomorphic functional language
with recursive (polynomial) types and their corresponding Γ ` inνF : F νF → νF Γ ` outνF : νF → F νF
fold and unfold operators. Having only folds and unfolds is Γ ` foldF : (F σ → σ) → µF → σ
not a serious limitation; it is e.g. easy to implement primitive Γ ` unfoldF : (σ → F σ) → σ → νF
recursion over lists or natural numbers inside the language.
Since we want our results to be applicable to reasoning
about Haskell programs we include the explicit strictness Figure 1: Typing rules for L1 and L2 .
operator seq, which forces us to have lifted function spaces in
the domain-theoretic semantics given below. The semantics
of seq is defined in Figure 6. We discuss the most important ◦ 7→ λf g x.f (g x)
differences between Haskell and this language in Section 13.
Id 7→ λf x.f x
3.1 Static semantics Kσ 7→ λf x.x
The term syntax of the language, L1 , is inductively defined F × G 7→ λf x.seq x (F f (fst x), G f (snd x))
by
F + G 7→ λf x.case x (inl ◦ F f ) (inr ◦ G f )
t ::= x | t1 t2 | λx.t
| seq | ?
Figure 2: Syntactic sugar for terms.
| (,) | fst | snd (13)
| inl | inr | case
| inµF | outµF | inνF | outνF | foldF | unfoldF . Id σ 7→ σ
The pairing function (,) can be used in a distfix style, as in Kτ σ 7→ τ
(t1 , t2 ). The type syntax is defined by (F × G) σ 7→ F σ × G σ
σ, τ, γ ::= σ → τ | σ × τ | σ + τ | 1 | µF | νF (14) (F + G) σ 7→ F σ + G σ

and
F, G ::= Id | Kσ | F × G | F + G.
The letters F and G range over functors; Id is the identity
functor and Kσ is the constant functor with Kσ τ = σ (in-
formally). The types µF and νF are inductive and coinduc-
tive types, respectively. As an example, in the set-theoretic
semantics introduced below µ(K1 + Id ) represents finite nat-
ural numbers, and ν(K1 + Id ) represents natural numbers
extended with infinity. The type constructor → is sometimes
used right associatively, without explicit parentheses.
In order to discuss general recursion we define the lan-
guage L2 to be L1 extended with
t ::= . . . | fix.
However, whenever fix is not explicitly mentioned, the lan-
guage discussed is L1 (or the restriction L01 of L1 introduced
below).
We only consider well-typed terms according to the typ-
ing rules in Figure 1. To ease the presentation we also intro-
duce some syntactic sugar for terms and types, see Figures 2
and 3.
3.2 Dynamic semantics
Before we define the semantics of the languages we need
to introduce some notation. We will use both sets and
Figure 3: Syntactic sugar for types.
(15)
pointed ω-complete partial orders (CPOs). For CPOs ·⊥ is
the lifting operator, and h· → ·i is the continuous function
space constructor. Furthermore, for both sets and CPOs, ×
is cartesian product, and + is separated sum; A+B contains
elements of the form inl (a) with a ∈ A and inr (b) with
b ∈ B. The one-point set/CPO is denoted by 1, with ? as
the only element. The constructor for the (set- or domain-
theoretic) semantic domain of the recursive type T , where
T is µF or νF , is denoted by in T , and the corresponding
destructor is denoted by out T (often with omitted indices).
(16) For more details about in and out, see below. Since we
use lifted function spaces, we use special notation for lifted
function application,
(
⊥, f = ⊥,
f @x = (17)
f x, otherwise.
(This operator is left associative with the same precedence
as ordinary function application.) Many functions used on
the meta-level are not lifted, though, so @ is not used very
much below. Finally note that we are a little sloppy, in that
we do not write out liftings explicitly; we write (x, y) for a
non-bottom element of (A × B)⊥ , for instance.
 Now, two different denotational semantics are defined for
the languages introduced above, one domain-theoretic (J·K)
and one set-theoretic (hh·ii). (Note that when t is closed we
sometimes use JtK as a shorthand for JtK ρ, and similarly
for hh·ii.) The domain-theoretic semantics is modelled on
languages like Haskell and can handle general recursion. The
set-theoretic semantics is modelled on total languages and
is only defined for terms in L1 . In Section 7 we will show
how results obtained using the set-theoretic semantics can
be transformed into results on the domain-theoretic side.
The semantic domains for all types are defined in Fig-
ure 4. We define the semantics of recursive types by appeal-
ing to category-theoretic work [BdM96, FM91]. For instance,
the set-theoretic semantic domain of µF is the codomain of
the initial object in F -Alg(SET). Here SET is the category
of sets and total functions, and F -Alg(SET) is the category
of F -algebras (in SET) and homomorphisms between them.
The initial object, which is known to exist given our limita-
tions on F , is a function in µF ∈ hhF µF → µF ii. The inverse
of in µF exists and, as noted above, is denoted by out µF . Ini-
tiality of in µF implies that for any function f ∈ hhF σ → σii
there is a unique function fold F f ∈ hhµF → σii satisfying
the universal property
∀h ∈ hhµF → σii . h = fold F f ⇔ h ◦ in µF = f ◦ F h. (18)
This is how hhfoldF ii is defined. To define hhunfoldF ii we go
via the final object out νF in F -Coalg(SET) (the category of
F -coalgebras) instead. The semantics of all terms are given
in Figure 6.
The domain-theoretic semantics lives in the category
CPO of CPOs and continuous functions. To define JµF K,
the category CPO⊥ of CPOs and strict continuous functions
is also used. We want all types in the domain-theoretic
semantics to be lifted (like in Haskell). To model this we
lift all functors using L, which is defined in Figure 5.
If we were to define JfoldF K using the same method as
for hhfoldF ii, then that would restrict its arguments to be
strict functions. An explicit fixpoint is used instead. The
construction still satisfies the universal property associated
with folds if all functions involved are strict [FM91]. For
symmetry we also define JunfoldF K using an explicit fixpoint;
that does not affect its universality property.
The semantics of fix is, as usual, given by a least fixpoint
construction.
We have been a little sloppy above, in that we have
not defined the action of the functor Kσ on objects. When
working in SET we let Kσ A = hhσii, and in CPO and CPO⊥
we let Kσ A = JσK. Otherwise the functors have their usual
meanings.
4. Partial equivalence relations
In what follows we will use partial equivalence relations, or
PERs for short.
A PER on a set S is a symmetric and transitive binary
relation on S. For a PER R on S, and some x ∈ S with xRx,
define the equivalence class of x as
[x]R = { y y ∈ S, xRy } . (19)
(The index R is omitted below.) Note that the equivalence
classes partition dom(R) = { x ∈ S xRx }, the domain of
R. Let [R] denote the set of equivalence classes of R.
For convenience we will use the notation {c} for an
arbitrary element x ∈ c, where c is an equivalence class of
some PER R ⊆ S 2 . This definition is of course ambiguous,
but the ambiguity disappears in many contexts, including
Jσ → τ K = hJσK → Jτ Ki⊥ hhσ → τ ii = hhσii → hhτ ii
Jσ × τ K = (JσK × Jτ K)⊥ hhσ × τ ii = hhσii × hhτ ii
Jσ + τ K = (JσK + Jτ K)⊥ hhσ + τ ii = hhσii + hhτ ii
J1K = 1⊥ hh1ii = 1

The codomain of the initial object in
JµF K = L(F )-Alg(CPO⊥ ).

The codomain of the initial object in
hhµF ii =
F -Alg(SET).

The domain of the final object in
JνF K =
L(F )-Coalg(CPO).
hhνF ii = { The domain of the final object in F -Coalg(SET).
Figure 4: Semantic domains for types.
all those in this paper. For example, given the PER defined
in Section 5, we have that [inl ({c})] denotes the same
equivalence class no matter which element in c is chosen.
5. Moral equality
We will now inductively define a family of PERs ∼σ `on the´
domain-theoretic semantic domains; with Rel (σ) = ℘ JσK2
we will have ∼σ ∈ Rel (σ). (Here ℘(X) is the power set of X.
The index σ will sometimes be omitted.)
If two values are related by ∼, then we say that they are
morally equal. We use moral equality to formalise totality:
a value x ∈ JσK is said to be total iff x ∈ dom(∼σ ). The
intention is that if σ does not contain function spaces, then
we should have x ∼σ y iff x and y are equal, total values.
For functions we will have f ∼ g iff f and g map (total)
related values to related values.
The definition of totality given here should correspond to
basic intuition. Sometimes another definition is used instead,
where f ∈ Jσ → τ K is total iff f @x = ⊥ implies that x = ⊥.
That definition is not suitable for non-strict languages where
most semantic domains are not flat. As a simple example,
consider JfstK; we will have JfstK ∈ dom(∼), so JfstK is total
according to our definition, but JfstK@(⊥, ⊥) = ⊥.
Given the family of PERs ∼ we can relate the set-
theoretic semantic values with the total values of the
domain-theoretic semantics; see Sections 6 and 7.
5.1 Non-recursive types
The PER ∼σ→τ is a logical relation, i.e. we have the follow-
ing definition for function spaces:
f ∼σ→τ g ⇔
f 6= ⊥ ∧ g 6= ⊥ ∧ (20)
∀x, y ∈ JσK . x ∼σ y ⇒ f @x ∼τ g @y.
We need to ensure explicitly that f and g are non-bottom
because some of the PERs will turn out to have ⊥ ∈ dom(∼)
or dom(∼) = ∅.
Pairs are related if corresponding components are related:
x ∼σ×τ y ⇔ ∃x1 , y1 ∈ JσK , x2 , y2 ∈ Jτ K .
x = (x1 , x2 ) ∧ y = (y1 , y2 ) ∧ (21)
x1 ∼σ y1 ∧ x2 ∼τ y2 .
 Similarly, sums are related if they are of the same kind with
related components:
L(Id ) = Id
x ∼σ+τ y ⇔
L(Kσ ) = Kσ (∃x1 , y1 ∈ JσK .
L(F × G) = (L(F ) × L(G))⊥ x = inl (x1 ) ∧ y = inl (y1 ) ∧ x1 ∼σ y1 ) ∨ (22)
L(F + G) = (L(F ) + L(G))⊥ (∃x2 , y2 ∈ Jτ K .
x = inr (x2 ) ∧ y = inr (y2 ) ∧ x2 ∼τ y2 ) .
Figure 5: Lifting of functors.
The value ? of the unit type is related to itself and ⊥ is not
related to anything:
x ∼1 y ⇔ x = y = ?. (23)
JxK ρ = ρ(x) hhxii ρ = ρ(x) It is easy to check that what we have so far yields a family
Jt1 t2 K ρ = (Jt1 K ρ) @ (Jt2 K ρ) hht1 t2 ii ρ = (hht1 ii ρ) (hht2 ii ρ) of PERs.
Jλx.tK ρ = λv. JtK ρ[x 7→ v] hhλx.tii ρ = λv. hhtii ρ[x 7→ v]
 5.2 Recursive types
⊥, v1 = ⊥
JseqK = λv1 v2 . hhseqii = λv1 v2 .v2 The definition for recursive types is trickier. Consider lists.
v2 , otherwise
F∞ i When should one list be related to another? Given the in-
JfixK = λf. i=0 f @⊥ hhfixii is not defined. tentions above it seems reasonable for xs to be related to
J?K = ? hh?ii = ? ys whenever they have the same, total list structure (spine),
and elements at corresponding positions are recursively re-
J(,)K = λv1 v2 .(v1 , v2 ) hh(,)ii = λv1 v2 .(v1 , v2 ) lated. In other words, something like

⊥, v = ⊥
JfstK = λv. hhfstii = λ(v1 , v2 ).v1 xs ∼µ(K1 +(Kσ ×Id)) ys ⇔
v1 , v = (v1 , v2 )
“(xs = in (inl (?)) ∧ ys = in (inl (?)))

⊥, v = ⊥
JsndK = λv. hhsndii = λ(v1 , v2 ).v2 ∨ ∃x, y ∈ JσK , xs 0 , ys 0 ∈ Jµ(K1 + (Kσ × Id ))K . (24)
v2 , v = (v1 , v2 )
JinlK = λv.inl (v) hhinlii = λv.inl (v) xs = in (inr ((x, xs 0 ))) ∧ ys = in (inr
” ((y, ys 0
)))
JinrK = λv.inr (v) hhinrii = λv.inr (v) ∧ x ∼σ y ∧ xs 0 ∼µ(K1 +(Kσ ×Id)) ys 0 .
8
<⊥, v =⊥ We formalise the intuition embodied in (24) by defining
JcaseK = λv f1 f2 . f1 @v1 , v = inl (v1 ) a relation transformer RT (F ) for each functor F ,
:f @v , v = inr (v )
2 2 2
 RT (F ) ∈ Rel (µF ) → Rel (µF )
f v , v = inl (v1 )
hhcaseii = λv f1 f2 . 1 1 RT (F
˘ )(X) = (25)
f2 v2 , v = inr (v2 )
(in x, in y) (x, y) ∈ RT 0µF (F )(X) .
¯

JinµF K = The initial object in L(F )-Alg(CPO⊥ ),
viewed as a morphism in CPO. The helper RT 0σ (F ) is defined by

hhinµF ii = The initial object in F -Alg(SET), viewed as RT 0σ (F ) ∈ Rel (σ) → Rel (F σ)
a morphism in SET.
 RT 0σ (Id )(X) =X
JoutνF K = The final object in L(F )-Coalg(CPO), RT 0σ (Kτ )(X) = ∼τ
viewed as a morphism in CPO.
 RT0σ (F1 × F2 )(X) =
(x1 , y1 ) ∈ RT 0σ (F1 )(X),
ff
The final object in F -Coalg(SET), viewed (26)
hhoutνF ii = ((x1 , x2 ), (y1 , y2 )) 0
as a morphism in SET. (x2 , y2 ) ∈ RT σ (F2 )(X)
JfoldF K = λf. JfixK@(λg.f ◦ JF K@g ◦ JoutµF K) RT 0σ (F1 + F2 )(X) =
( { (inl (x1 ) , inl (y1 )) (x1 , y1 ) ∈ RT 0σ (F1 )(X) } ∪
The unique morphism in F -Alg(SET)
hhfoldF ii = λf. from hhinµF ii to f , viewed as a morphism { (inr (x2 ) , inr (y2 )) (x2 , y2 ) ∈ RT 0σ (F2 )(X) } .
in SET.
The relation transformer RT (F ) is defined for inductive
JunfoldF K = λf. JfixK@(λg. JinνF K ◦ JF K@g ◦ f ) types. However, replacing µF with νF in the definition is
enough to yield a transformer suitable for coinductive types.
(
The unique morphism in F -Coalg(SET)
hhunfoldF ii = λf. from f to hhoutνF ii, viewed as a Now, note that RT (F ) is a monotone operator on the
morphism in SET. complete lattice (Rel (µF ) , ⊆). This implies that it has both
least and greatest fixpoints [Pri02], which leads to the fol-
Figure 6: Semantics of well-typed terms, for some context lowing definitions:
ρ mapping variables to semantic values. The se- x ∼µF y ⇔ (x, y) ∈ µRT (F ) and (27)
mantics of inνF and outµF are the inverses of the
semantics of outνF and inµF , respectively. x ∼νF y ⇔ (x, y) ∈ νRT (F ) . (28)
These definitions may not be entirely transparent. If we
go back to the list example and expand the definition of
RT (K1 + (Kσ × Id )) we get
RT (K1 + (Kσ × Id ))(X) =
{ (in (inl (?)), in (inl (?))) } ∪
(29)

(in (inr ((x, xs))), x, y ∈ JσK , x ∼ y,
ff
in (inr ((y, ys)))) (xs, ys) ∈ X
. holds for any term t in L01 : if ρ(x) ∼ ρ0 (x) for all free
The least and greatest fixpoints of this operator correspond
to our original aims for ∼µ(K1 +(Kσ ×Id)) and ∼ν(K1 +(Kσ ×Id)) .
(Note that we never consider an infinite inductive list as
being total.)
It is still possible to show that what we have defined
actually constitutes a family of PERs, but it takes a little
more work. First note the two proof principles given by the
definitions above: induction,
∀X ⊆ JµF K2 . RT (F )(X) ⊆ X ⇒ µRT (F ) ⊆ X, (30)
and coinduction,
∀X ⊆ JνF K2 . X ⊆ RT (F )(X) ⇒ X ⊆ νRT (F ) . (31)
Many proofs needed for this paper proceed according to
a scheme similar to the following one, named IIICI below
(Induction-Induction-Induction-Coinduction-Induction):
• First induction over the type structure.
• For inductive types, induction according to (30) and then
induction over the functor structure.
• For coinductive types, coinduction according to (31) and
then induction over the functor structure.
Using this scheme it is proved that ∼ is a family of PERs
[Dan05].
5.3 Properties
We can prove that ∼ satisfies a number of other properties
as well. Before leaving the subject of recursive types, we note
that
x ∼F µF y ⇔ in x ∼µF in y (32)
and
x ∼νF y ⇔ out x ∼F νF out y (33)
hold, as well as the symmetric statements where µF is
replaced by νF and vice versa. This is proved using a method
similar to IIICI, but not quite identical. Another method
similar to IIICI is used to verify that ∼ satisfies one of
our initial goals: if σ does not contain function spaces, then
x ∼σ y iff x, y ∈ dom(∼σ ) and x = y.
Continuing with order related properties, it is proved
using induction over the type structure that ∼σ is monotone
when seen as a function ∼σ ∈ JσK2 → 1⊥ . This implies that
all equivalence classes are upwards closed. We also have (by
induction over the type structure) that ⊥ ∈ / dom(∼σ ) for
almost all types σ. The only exceptions are given by the
grammar
χ ::= νId | µKχ | νKχ . (34)
Note that JχK = { ⊥ } for all these types.
The (near-complete) absence of bottoms in dom(∼) gives
us an easy way to show that related values are not al-
ways equal: at most types JseqK ∼ Jλx.λy.yK but JseqK 6=
Jλx.λy.yK. This example breaks down when seq is used at
type χ → σ → σ (unless dom(∼σ ) = ∅). To be able to prove
the fundamental theorem below, let L01 denote the language
consisting of all terms from L1 which contain no uses of seq
at type χ → σ → σ.
Now, by using induction over the term structure instead
of the type structure, and then following the rest of IIICI, it
is shown that the fundamental theorem of logical relations
variables x in a term t, then
JtK ρ ∼ JtK ρ0 . (35)
The fundamental theorem is important because it implies
that JtK ∈ dom(∼σ ) for all closed terms t : σ in L01 . In
other words, all closed terms in L01 denote total values.
Note, however, that JfixK ∈
/ dom(∼) (at most types) since
Jλx.xK ∈ dom(∼) and Jfix (λx.x)K = ⊥.
5.4 Examples
With moral equality defined we can prove a number of laws
for ∼ which are not true for =. As an example, consider
η-equality (combined with extensionality):
∀f, g ∈ Jσ → τ K .
(36)
(∀x ∈ JσK . f @x = g @x) ⇔ f = g.
This law is not valid, since the left hand side is satisfied by
the distinct values f = ⊥ and g = λv.⊥. On the other hand,
the following variant follows immediately from the definition
of ∼:
∀f, g ∈ dom(∼σ→τ ) .
(37)
(∀x ∈ dom(∼σ ) . f @x ∼ g @x) ⇔ f ∼ g.
As another example, consider currying (1). The cor-
responding statement, Jcurry ◦ uncurryK ∼ Jid K, is easily
proved using the fundamental theorem (35) and the η-
law (37) above. We can also prove surjective pairing. Since
p ∈ dom(∼σ×τ ) implies that p = (x, y) for some x ∈
dom(∼σ ) and y ∈ dom(∼τ ) we get J(fst t, snd t)K ρ = JtK ρ,
given that JtK ρ ∈ dom(∼).
6. Partial surjective homomorphism
For the main theorem (Section 7) we need to relate values
in hhσii to values in [∼σ ], the set of equivalence classes of ∼σ .
Due to cardinality issues there is in general no total bijection
between these sets; consider σ = (Nat → Nat) → Nat with
Nat = µ(K1 + Id ), for instance. We can define a partial
surjective homomorphism [Fri75] from hhσii to [∼σ ], though.
This means that for each type σ there is a partial, surjective
function jσ ∈ hhσii → ˜ [∼σ ], which for function types satisfies
(jτ1 →τ2 f ) (jτ1 x) = jτ2 (f x) (38)
whenever f ∈ dom(jτ1 →τ2 ) and x ∈ dom(jτ1 ). (Here → ˜ is
the partial function space constructor and dom(f ) denotes
the domain of the partial function f . Furthermore we define
[f ] [x] = [f @x], which is well-defined.)
The functions jσ ∈ hhσii →
˜ [∼σ ] are simultaneously proved
to be well-defined and surjective by induction over the
type structure plus some other techniques for the (omitted)
recursive cases. The following basic cases are easy:
jσ×τ ∈ hhσ × τ ii →
˜ [∼σ×τ ]
(39)
jσ×τ (x, y) = [({jσ x} , {jτ y})] ,
jσ+τ ∈ hhσ + τ ii →
˜ [∼σ+τ ]
jσ+τ inl (x) = [inl ({jσ x})] (40)
jσ+τ inr (y) = [inr ({jτ y})] ,
and
j1 ∈ hh1ii →
˜ [∼1 ]
(41)
j1 ? = [?] .
Note the use of {·} to ease the description of these functions.
It turns out to be impossible in general to come up
with a total definition of j for function spaces. Consider
the function isInfinite ∈ hhCoNat → Bool ii (with CoNat =
ν(K1 + Id ) and Bool = 1 + 1) given by
( Equation (46) above is useful partly because SET is a well-
True, j n = [ω] ,
isInfinite n = (42)
False, otherwise.
(Here ω = JunfoldK1 +Id inr ?K is the infinite “natural num-
ber”, True = inl (?) and False = inr (?).) Any surjective
homomorphism j must be undefined for isInfinite.
Instead we settle for a partial definition. We employ a
technique, originating from Friedman [Fri75], which makes it
easy to prove that j is homomorphic: if possible, let jτ1 →τ2 f
be the element g ∈ [∼τ1 →τ2 ] satisfying
∀x ∈ dom(jτ1 ) . g (jτ1 x) = jτ2 (f x). (43)
If a g exists, then it can be shown to be unique (using
surjectivity of jτ1 ). If no such g exists, then let jτ1 →τ2 f
be undefined. To show that jτ1 →τ2 is surjective we use a
lemma stating that hhσii is empty iff [∼σ ] is.
The definition of j for inductive and coinductive types
follows the idea outlined for the basic cases above, but is
more involved, and we omit it here due to space constraints.
7. Main theorem
Now we get to our main theorem. Assume that t is a term
in L01 with contexts ρ and ρ0 satisfying
ρ(x) ∈ dom(∼) ∧ j ρ0 (x) = [ρ(x)] (44)
for all variables x free in t. Then we have that j (hhtii ρ0 ) is
well-defined and
j hhtii ρ0 = [JtK ρ] .
` ´
(45)
This result can be proved by induction over the structure
of t, induction over the size of values of inductive type and
coinduction for coinductive types. The case where t is an
application relies heavily on j being homomorphic. Note
that the proof depends on the particular definition of j given
in Section 6; if we wanted to use a different partial surjective
homomorphism then the proof would need to be modified.
As a corollary to the main theorem we get, for any two
terms t1 , t2 : σ in L01 with two pairs of contexts ρ1 , ρ01 and
ρ2 , ρ02 both satisfying the conditions of (44) (for t1 and t2 ,
respectively), that
hht1 ii ρ01 = hht2 ii ρ02 ⇒ Jt1 K ρ1 ∼ Jt2 K ρ2 . (46)
In other words, if we can prove that two terms are equal in
the world of sets, then they are morally equal in the world of
domains. When formalised like this the reasoning performed
using set-theoretic methods, “fast and loose” reasoning, is
no longer loose.
If j had been injective, then (46) would have been an
equivalence. That would mean that we could handle un-
equalities (6=). The particular j defined here is not injec-
tive, which can be shown using the function isIsInfinite ∈
hh(CoNat → Bool ) → Bool ii given by
( function composition as composition of morphisms. The ob-
True, f = isInfinite,
isIsInfinite f = (47)
False, otherwise.
(CoNat, isInfinite etc. are defined in Section 6.) We get
j isIsInfinite = j (λf.False) (both defined), so j is not
injective. In fact, no j which satisfies the main theorem (45)
and uses the definition above for function spaces (43) can
be injective.
8. Category-theoretic approach
understood category. For those who prefer to work ab-
stractly instead of working in SET, the following result may
be a useful substitute. We define the category PER∼ as fol-
lows:
Objects The objects are types σ (without any restrictions).
Morphisms The morphisms of type σ → τ are the elements
of [∼σ→τ ], i.e. equivalence classes of total functions.
Composition [f ] ◦ [g] = [λv.f @(g @v)].
This category is bicartesian closed, with initial algebras and
final coalgebras for (at least) polynomial functors. All the
laws that follow from this statement can be used to reason
about programs. For instance, it should not be hard to
repeat the total proofs from this paper using such laws.
For this method to be immediately useful, the various
constructions involved should correspond closely to those in
the underlying language. And they do:
Initial object The initial object is µId , with the unique
morphism of type µId → σ given by [λv.⊥].
Final object The final object is 1, with the unique mor-
phism of type σ → 1 given by [λv.?]. Note that νId is
isomorphic to 1.
Products The product of σ and τ is σ × τ . The projections
are [JfstK] and [JsndK], and given [f ] : γ → σ and
[g] : γ → τ the unique morphism which “makes the
diagram commute” is [λv.(f @v, g @v)].
Coproducts The coproduct of σ and τ is σ + τ . The
injections are [JinlK] and [JinrK], and given [f ] : σ → γ
and [g] : τ → γ the unique morphism which “makes the
diagram commute” is [λv. JcaseK@v @f @g].
Exponentials The exponential of τ and σ is σ → τ . The
apply morphism is [λ(f, x).f @x], and currying is given
by the morphism [λf x y.f @(x, y)].
Initial algebras For a polynomial functor F the corre-
sponding initial F -algebra is (µF, [JinµF K]). Given the
F -algebra [f ] : F σ → σ, the unique homomorphism
from [JinµF K] is [JfoldF K@f ].
Final coalgebras For a polynomial functor F the corre-
sponding final F -coalgebra is (νF, [JoutνF K]). Given the
F -coalgebra [f ] : σ → F σ, the unique homomorphism
to [JoutνF K] is [JunfoldF K@f ].
The proofs of these properties are rather easy, and do not
require constructions like j.
The partial surjective homomorphism j fits into the
category-theoretic picture anyway: it can be extended to
a partial functor to PER∼ from the category which has
types σ as objects, total functions between the correspond-
ing set-theoretic domains hhσii as morphisms, and ordinary
ject part of this functor is the identity, and the morphism
part is given by the function space case of j.
9. Review of example
After having introduced the main theoretic body, let us now
revisit the example from Section 2.
We verified that revMap = reverse ◦ map (λx.x − y) is
the left inverse of mapRev = map (λx.y + x) ◦ reverse in a
total setting. Let us express this result using the language
introduced in Section 3. The type of the functions becomes
ListNat → ListNat, where ListNat is the inductive type
µ(K1 + (KNat × Id )) of lists of natural numbers, and Nat is
the inductive type µ(K1 + Id ). Note also that the functions
reverse, map, (+) and (−) can be expressed using folds, so
the terms belong to L1 . Finally note that seq is not used at
a type χ → σ → σ with ⊥ ∈ dom(∼χ ), so the terms belong
to L01 , and we can make full use of the theory.
Our earlier proof in effect showed that
hhrevMap ◦ mapRev ii [y 7→ n] = hhid ii (48)
a list of numbers and calculates their running sum, and diffs
performs the left inverse operation, along the lines of
sums [3, 1, 4, 1, 5] = [3, 4, 8, 9, 14], and (51)
diffs [3, 4, 8, 9, 14] = [3, 1, 4, 1, 5] (52)
(using standard syntactic sugar for lists and natural num-
bers). The aim is to prove that
hhdiffs ◦ sumsii = hhid ii . (53)
We do that in Section 10.1. Alternatively, we can implement
the functions in L2 and prove that
Jdiffs ◦ sumsK@xs = xs (54)
for all total, finite lists xs ∈ JListNatK containing total,
finite natural numbers. That is done in Section 10.2. We
then compare the experiences in Section 10.3.

for an arbitrary n ∈ hhNatii, which by (46) implies that 10.1 Using total reasoning
JrevMap ◦ mapRev K y 7→ n0 ∼ListNat→ListNat Jid K (49) First let us implement the functions in L01 . To make the
ˆ ˜
development easier to follow, we use some syntax borrowed
whenever n0 ∈ dom(∼Nat ) and [n0 ] = j n for some n ∈ from Haskell. We also use the function foldr , modelled on
hhNatii. By the fundamental theorem (35) and the main its Haskell namesake:
theorem (45) we have that JtK satisfies the conditions for
n0 for any closed term t ∈ L01 of type Nat. This includes all foldr : (σ → (τ → τ )) → τ
total, finite natural numbers. → µ(K1 + (Kσ × Id )) → τ
It remains to interpret ∼ListNat→ListNat . Denote the left foldr f x = (55)
hand side of (49) by f . The equation implies that f @xs ∼ foldK1 +(Kσ ×Id) (λy.case y (λ .x)
ys whenever xs ∼ ys. By using the fact (mentioned in (λp.f (fst p) (snd p))).
Section 5.3) that xs ∼ListNat ys iff xs ∈ dom(∼ListNat ) and
xs = ys, we can restate the equation as f @xs = xs whenever The following is a simple, albeit inefficient, recursive
xs ∈ dom(∼ListNat ). implementation of sums:
We want xs ∈ dom(∼ListNat ) to mean the same as “xs sums : ListNat → ListNat
is total and finite”. We defined totality to mean “related (56)
sums = foldr add [ ],
according to ∼” in Section 5, so xs ∈ dom(∼ListNat ) iff xs
is total. We have not defined finiteness, though. However, where
with any reasonable definition we can be certain that x ∈
dom(∼σ ) is finite if σ does not contain function spaces or add : Nat → ListNat → ListNat
(57)
coinductive types; in the absence of such types we can define add x ys = x : map (λy.x + y) ys.
a function size σ ∈ dom(∼σ ) → N which has the property
that size x0 < size x whenever x0 is a structurally smaller Here (+) and (−) (used below) are implemented as folds, in
part of x, such as with x = inl (x0 ) or x = in (x0 , x00 ). a manner analogous to (7) and (8) in Section 2. The function
Hence we have arrived at the statement proved by the map can be implemented using foldr :
more elaborate proof in Section 2: for all total and finite map : (σ → τ ) → µ(K1 + (Kσ × Id ))
lists xs and all total and finite natural numbers n, → µ(K1 + (Kτ × Id )) (58)
J(revMap ◦ mapRev ) xsK [y 7→ n] = JxsK . (50) map f = foldr (λx ys.f x : ys) [ ].
This means that we have proved a result about the partial The definition of diffs uses similar techniques:
language without having to manually propagate precondi-
diffs : ListNat → ListNat
tions. At first glance it may seem as if the auxiliary argu- (59)
ments spelled out in this section make using total methods diffs = foldr sub [ ],
more expensive than we first indicated. However, note that
where
the various parts of these arguments only need to be car-
ried out at most once for each type. They do not need to be sub : Nat → ListNat → ListNat
repeated for every new proof. (60)
sub x ys = x : toHead (λy.y − x) ys.
The helper function toHead applies a function to the first el-
10. Partial reasoning is sometimes ement of a non-empty list, and leaves empty lists unchanged:
preferable
toHead : (Nat → Nat) → ListNat → ListNat
This section discusses an example of a different kind from
toHead f (y : ys) = f y : ys (61)
the one given in Section 2; an example where partial rea-
soning (i.e. reasoning using the domain-theoretic semantics toHead f [ ] = [ ].
directly) seems to be more efficient than total reasoning. Now let us prove (53). We can use fold fusion [BdM96],
We define two functions sums and diffs, both of type
ListNat → ListNat, with the inductive types ListNat and g ◦ foldr f e = foldr f 0 e0
(62)
Nat defined just like in Section 9. The function sums takes ⇐ g e = e0 ∧ ∀x, y. g (f x y) = f 0 x (g y).
(For simplicity we do not write out the semantic brackets
hh·ii, or any contexts.) We have
diffs ◦ sums = id
⇔ {definition of sums, id = foldr (:) [ ]}
diffs ◦ foldr add [ ] = foldr (:) [ ]
⇐ {fold fusion}
diffs [ ] = [ ] ∧
∀x, ys. diffs (add x ys) = x : diffs ys.
The first conjunct is trivial, and the second one can be
proved by using the lemmas
(λy.y − x) ◦ (λy.x + y) = id (63)
and
diffs ◦ map (λy.x + y) = toHead (λy.x + y) ◦ diffs. (64)
To prove the second lemma we use fold-map fusion [BdM96],
foldr f e ◦ map g = foldr (f ◦ g) e. (65)
We have
diffs ◦ map (λy.x + y)
= {definition of diffs}
foldr sub [ ] ◦ map (λy.x + y)
= {fold-map fusion}
foldr (sub ◦ (λy.x + y)) [ ]
= {fold fusion, see below}
toHead (λy.x + y) ◦ foldr sub [ ]
= {definition of diffs}
toHead (λy.x + y) ◦ diffs.
To finish up we have to verify that the preconditions for fold
fusion are satisfied above,
toHead (λy.x + y) [ ] = [ ], (66)
and
∀y, ys. toHead (λy.x + y) (sub y ys) =
(67)
(sub ◦ (λy.x + y)) y (toHead (λy.x + y) ys).
The first one is yet again trivial, and the second one can be
proved by using the lemma
λz.z − y = (λz.z − (x + y)) ◦ (λy.x + y). (68)
10.2 Using partial reasoning
Let us now see what we can accomplish when we are not
restricted to a total language. Yet again we borrow some
syntax from Haskell; most notably we do not use fix directly,
but define functions using recursive equations instead.
The definitions above used structural recursion. The pro-
grams below instead use structural corecursion, as captured
by the function unfoldr , which is based on the standard un-
fold for lists as given by the Haskell Report [PJ03]:
unfoldr : (τ → (1 + (σ × τ ))) → τ
→ µ(K1 + (Kσ × Id ))
unfoldr f b = case (f b) (69)
(λ .[ ])
(λp.fst p : unfoldr f (snd p)).
Note that we cannot use unfold here, since it has the wrong
type. We can write unfoldr with the aid of fix, though.
In total languages inductive and coinductive types cannot
easily be mixed; we do not have the same problem in partial
languages.
The corecursive definition of sums,
sums : ListNat → ListNat
(70)
sums xs = unfoldr next (0, xs),
with helper next,
next : (Nat × ListNat)
→ (1 + (Nat × (Nat × ListNat)))
(71)
next (e, [ ]) = inl ?
next (e, x : xs) = inr (e + x, (e + x, xs)),
should be just as easy to follow as the recursive one, if not
easier. Here we have used the same definitions of (+) and (−)
as above, and 0 is shorthand for inNat (inl ?). The definition
of diffs,
diffs : ListNat → ListNat
(72)
diffs xs = unfoldr step (0, xs),
with step,
step : (Nat × ListNat)
→ (1 + (Nat × (Nat × ListNat)))
(73)
step (e, [ ]) = inl ?
step (e, x : xs) = inr (x − e, (x, xs)),
is arguably more natural than the previous one.
Now we can prove (54) for all total lists containing total,
finite natural numbers; we do not need to restrict ourselves
to finite lists. To do that we use the approximation lemma
[HG01],
xs = ys ⇔ ∀n ∈ N. approx n xs = approx n ys, (74)
where the function approx is defined by
approx ∈ N → Jµ(K1 + (Kσ × Id ))K
→ Jµ(K1 + (Kσ × Id ))K
approx 0 =⊥
(75)
approx (n + 1) ⊥ =⊥
approx (n + 1) [ ] = []
approx (n + 1) (x : xs) = x : approx n xs.
Note that this definition takes place on the meta-level, since
the natural numbers N do not correspond to any type in our
language.
We have the following (yet again ignoring semantic brack-
ets and contexts and also all uses of @):
∀ total xs containing total, finite numbers.
(diffs ◦ sums) xs = xs
⇔ {approximation lemma}
∀ total xs containing total, finite numbers.
∀n ∈ N. approx n ((diffs ◦ sums) xs) = approx n xs
⇔ {predicate logic, definition of diffs, sums and ◦}
∀n ∈ N. ∀ total xs containing total, finite numbers.
approx n (unfoldr step (0, unfoldr next (0, xs))) =
approx n xs
⇐ {generalise, 0 is total and finite}
 ∀n ∈ N. ∀ total xs containing total, finite numbers.
∀ total and finite y.
approx n (unfoldr step (y, unfoldr next (y, xs))) =
approx n xs.
We proceed by induction on the natural number n. The
n = 0 case is trivial. For n = k + 1 we have two cases,
xs = [ ] and xs = z : zs (with z being a total, finite natural
number, etc.). The first case is easy, whereas the second one
requires a little more work:
approx (k + 1)
(unfoldr step (y, unfoldr next (y, z : zs)))
= {definition of unfoldr , next and step}
approx (k + 1)
((y + z) − y :
unfoldr step (y + z, unfoldr next (y + z, zs)))
= {(y + z) − y = z for y, z total and finite}
approx (k + 1)
(z : unfoldr step (y + z, unfoldr next (y + z, zs)))
= {definition of approx }
z : approx k
(unfoldr step (y + z, unfoldr next (y + z, zs)))
= {inductive hypothesis, y + z is total and finite}
z : approx k zs
= {definition of approx }
approx (k + 1) (z : zs).
Note that we need a lemma stating that y + z is total and
finite whenever y and z are.
10.3 Comparison
The last proof above, based on reasoning using domain-
theoretic methods, is arguably more concise than the pre-
vious one, especially considering that it is more detailed. It
also proves a stronger result since it is not limited to finite
lists.
When we compare to the example in Section 2 we see
that we were fortunate not to have to explicitly propagate
any preconditions through functions in the domain-theoretic
proof here, except in the penultimate step in the last case
above. Notice especially the second step in the last case.
The variables y and z were assumed to be finite and total,
and hence the lemma (y + z) − y = z could immediately be
applied.
There is of course the possibility that the set-theoretic
implementation and proof are unnecessarily complex. Note
for instance that the domain-theoretic variants work equally
well in the set-theoretic world, if we go for coinductive
instead of inductive lists, and replace the approximation
lemma with the take lemma [HG01]. Using such techniques
in a sense leads to more robust results, since they never
require preconditions of the kind above to be propagated
manually.
However, since inductive and coinductive types are not
easily mixed we cannot always go this way. If we for example
want to process the result of sums using a fold, we cannot use
coinductive lists. In general we cannot use hylomorphisms
[MFP91], unfolds followed by folds, in a total setting. If we
want or need to use a hylomorphism, then we have to use a
partial language.
11. Strict languages
We can treat strict languages (at least the somewhat odd
language introduced below) using the framework developed
so far by modelling strictness using seq, just like strict
data type fields are handled in the Haskell Report [PJ03].
For simplicity we reuse the previously given set-theoretic
semantics, and also all of the domain-theoretic semantics,
except for one rule, the one for application.
More explicitly, we define the domain-theoretic, strict
semantics J·K⊥ by JσK⊥ = JσK for all types. For terms we
let application be strict,
(` ´ ` ´
Jt1 K⊥ ρ @ Jt2 K⊥ ρ , Jt2 K⊥ ρ 6= ⊥,
Jt1 t2 K⊥ ρ = (76)
⊥, otherwise.
Abstractions are treated just as before,
Jλx.tK⊥ ρ = λv. JtK⊥ ρ[x 7→ v] , (77)
and whenever t is not an application or abstraction we let
JtK⊥ ρ = JtK ρ.
We then define a type-preserving syntactic translation ∗
on L1 , with the intention of proving that JtK⊥ ρ = Jt∗ K ρ.
The translation is as follows:
8
∗ ∗ ∗
<seq t2 (t1 t2 ), t = t1 t2 ,
>
∗ ∗
t = λx.t1 , t = λx.t1 , (78)
>
:t, otherwise.
The desired property follows easily by induction over the
structure of terms. It is also easy to prove that hhtii ρ =
hht∗ ii ρ.
Given these properties we can easily prove the variants
of the main theorem (45) and its corollary (46) that result
from replacing J·K with J·K⊥ . The category-theoretic results
from Section 8 immediately transfer to this new setting since
the category is the same and JtK⊥ = JtK for all closed terms
t not containing applications.
12. Related work
The notion of totality used above is very similar to that
used by Scott [Sco76]. Aczel’s interpretation of Martin-Löf
type theory [Acz77] is also based on similar ideas, but
types are modelled as predicates instead of PERs. That
work has been extended by Smith [Smi84], who interprets
a polymorphic variant of Martin-Löf type theory in an
untyped language which shares many properties with our
partial language L2 ; he does not consider coinductive types
or seq, though. Beeson considers a variant of Martin-Löf
type theory with W -types [Bee82]. W -types can be used
to model strictly positive inductive and coinductive types
[Dyb97, AAG05]. Modelling coinductive types can also be
done in other ways [Hal87], and the standard trick of coding
non-strict evaluation using function spaces (force and delay)
may also be applicable. Furthermore it seems as if Per
Martin-Löf, in unpublished work, considered lifted function
spaces in a setting similar to [Smi84].
The method we use to relate the various semantic models
is basically that of Friedman [Fri75]; his method is more
abstract, but defined for a language with only base types,
natural numbers and functions.
Scott mentions that a category similar to PER∼ is bi-
cartesian closed [Sco76].
There is a vast body of literature written on the subject
of Aczel interpretations, PER models of types, and so on,
and some results may be known as folklore without having
been published. This text can be seen as a summary of
some results, most of them previously known in one form
or another, that we consider important for reasoning about
functional programs. By writing down the results we make
the details clear. Furthermore we apply the ideas to the
problem of reasoning about programs, instead of using them
only to interpret one theory in another. This is quite a
natural idea, so it is not unreasonable to expect that others
have made similar attempts. We know about [Dyb85], in
which Dybjer explains how one can reason about an untyped
partial language using total methods for expressions that are
typeable (corresponding to our total values). We have not
found any work that discusses fast and loose reasoning for
strict languages.
Another angle on the work presented here is that we want
to get around the fact that many category-theoretic isomor-
phisms are missing in categories like CPO. For instance, one
cannot have a cartesian closed category with coproducts and
fixpoints for all morphisms [HP90]. In this work we disallow
all fixpoints except well-behaved ones that can be expressed
as folds and unfolds. Another approach is to disallow recur-
sion explicitly for sum types [BB91]. The MetaSoft project
(see e.g. [BT83, Bli87]) advocated using “naive denotational
semantics”, a denotational semantics framework that does
not incorporate reflexive domains. This means that some fix-
points (both on the type and the value level) are disallowed,
with the aim that the less complex denotational structures
may instead simplify understanding.
A case can be made for sometimes reasoning using a con-
servative approximate semantics, obtaining answers that are
not always exactly correct [DJ04, discussion]. Programmers
using languages like Haskell often ignore issues related to
partiality anyway, so the spirit of many programs can be
captured without treating all corner cases correctly. The
methods described in this paper in a sense amount to us-
ing an approximate semantics, but with the ability to get
exactly correct results by translating results involving ∼ to
equalities with preconditions.
There is some correspondence between our approach and
that of total and partial correctness reasoning for imperative
programs, for example with Dijkstra’s wp and wlp predi-
cate transformers [Dij76]. In both cases, simpler approxi-
mate methods can be used to prove slightly weaker results
than “what one really wants”. However, in the w(l)p case,
conjoining partial correctness with termination yields total
correctness. In contrast, in our case, there is in general no
(known) simple adjustment of a fast and loose proof to make
a true proof of the same property. Nevertheless, the fast and
loose proof already yields a true proof of a related property.
Sometimes it is argued that total functional programming
should be used to avoid the problems with partial languages.
Turner does that in the context of a language similar to
the total one described here [Tur96], and discusses methods
for circumventing the limitations associated with mandatory
totality.
13. Discussion and future work
We have justified reasoning about functional languages con-
taining partial and infinite values and lifted types, including
lifted functions, using total methods. Two total methods
were described, one based on a set-theoretic semantics and
one based on a bicartesian closed category, both using a par-
tial equivalence relation to interpret results in the context
of a domain-theoretic semantics.
We have focused on equational reasoning. However,
note that, by adding and verifying some extra axioms, the
category-theoretic approach can be used to reason about
unequalities (6=). Given this ability it should be possible
to handle more complex logical formulas as well; we have
not examined this possibility in detail, though. Since the
method of Section 7 (without injective j) cannot handle
unequalities, it is in some sense weaker.
It should be clear from the examples above that using
total methods can sometimes be cheaper than partial ones,
and sometimes more expensive. We have not performed any
quantitative measurements, so we cannot judge the relative
frequency of these two outcomes. One reasonable conclusion
is that it would be good if total and partial methods could be
mixed without large overheads. We have not experimented
with that, but can still make some remarks.
First it should be noted that ∼ is not a congruence:
we can have x ∼ y but still have f @x 6∼ f @y (if f ∈ /
dom(∼)). We can still use an established fact like x ∼ y
by translating the statement into a form using preconditions
and equality, like we did in Section 9. This translation is easy,
but may result in many nontrivial preconditions, perhaps
more preconditions than partial reasoning would lead to.
When this is not the case it seems as if using total reasoning
in some leaves of a proof, and then partial reasoning on the
top-level, should work out nicely.
Another observation is that, even if some term t is written
in a partial style (using fix), we may still have JtK ∈ dom(∼).
This would for example be the case if we implemented foldr
(see Section 10.1) using fix instead of fold. Hence, if we
explicitly prove that JtK ∈ dom(∼) then we can use t in a
total setting. This proof may be expensive, but enables us to
use total reasoning on the top-level, with partial reasoning
in some of the leaves.
Now on to other issues. An obvious question is whether
one can extend the results to more advanced languages
incorporating stronger forms of recursive types, polymor-
phism, or type constructors. Adding polymorphism would
give us an easy way to transform free theorems [Rey83,
Wad89] from the set-theoretic side (well, perhaps not set-
theoretic [Rey84]) to the domain-theoretic one. It should be
interesting to compare those results to other work involving
free theorems and seq [JV04].
However, the main motivation for treating a more ad-
vanced type system is that we want the results to be ap-
plicable to languages like Haskell, and matching more fea-
tures of Haskell’s type system is important for that goal.
Still, the current results should be sufficient to reason about
monomorphic Haskell programs using only polynomial re-
cursive types, with one important caveat: Haskell uses the
sums-of-products style of data type definitions. When sim-
ulating such definitions using binary type constructors, ex-
tra bottoms are introduced. As an example, Jµ(K1 + Id )K
contains the different values in (inl (⊥)) and in (inl (?)),
but since the constructor Zero is nullary the Haskell data
type Nat from Section 2 does not contain an analogue of
in (inl (⊥)). One simple but unsatisfactory solution to this
problem is to restrict the types used on the Haskell side to
analogues of those discussed in this paper. Another approach
is of course to rework the theory using sums-of-products
style data types. We foresee no major problems with this,
but some details may require special attention.
Acknowledgments
Thanks to Thierry Coquand and Peter Dybjer for pointing
out related work and giving us feedback. Thanks also to
Koen Claessen, Jörgen Gustavsson, Ulf Norell, Ross Pater- Letters, 79(4):197–201, 2001.
son, K. V. S. Prasad, David Sands and Josef Svenningsson [HP90] Hagen Huwig and Axel Poigné. A note on
for participating in discussions and/or giving feedback. inconsistencies caused by fixpoints in a cartesian
closed category. Theoretical Computer Science,
73(1):101–112, 1990.
References
[Jeu90] J. Jeuring. Algorithms from theorems. In
[AAG05] Michael Abbott, Thorsten Altenkirch, and Neil Programming Concepts and Methods, pages 247–
Ghani. Containers: Constructing strictly positive 266. North-Holland, 1990.
types. Theoretical Computer Science, 342(1):3–27, [JV04] Patricia Johann and Janis Voigtländer. Free
2005. theorems in the presence of seq. In POPL’04,
[Acz77] Peter Aczel. The strength of Martin-Löf’s intuition- pages 99–110. ACM Press, 2004.
istic type theory with one universe. In Proceedings of [MFP91] E. Meijer, M. Fokkinga, and R. Paterson. Functional
Symposia in Mathematical Logic, Oulu, 1974, and programming with bananas, lenses, envelopes and
Helsinki, 1975, pages 1–32, University of Helsinki, barbed wire. In FPCA’91, volume 523 of LNCS,
Department of Philosophy, 1977. pages 124–144. Springer-Verlag, 1991.
[BB91] Marek A. Bednarczyk and Andrzej M. Borzyszkowski. [MTHM97] Robin Milner, Mads Tofte, Robert Harper, and
Cpo’s do not form a cpo and yet recursion works. David MacQueen. The Definition of Standard ML
In VDM ’91, volume 551 of LNCS, pages 268–278. (Revised). MIT Press, 1997.
Springer-Verlag, 1991.
[PJ03] Simon Peyton Jones, editor. Haskell 98 Language
[BdBH+ 91] R.C. Backhouse, P.J. de Bruin, P. Hoogendijk, and Libraries, The Revised Report. Cambridge
G. Malcolm, T.S. Voermans, and J.C.S.P. van der University Press, 2003.
Woude. Relational catamorphisms. In Constructing
Programs from Specifications, pages 287–318. [Pri02] Hilary A. Priestley. Ordered sets and complete
North-Holland, 1991. lattices, a primer for computer science. In Algebraic
and Coalgebraic Methods in the Mathematics of
[BdM96] Richard Bird and Oege de Moor. Algebra of Program Construction, volume 2297 of LNCS,
Programming. Prentice Hall, 1996. chapter 2, pages 21–78. Springer-Verlag, 2002.
[Bee82] M. Beeson. Recursive models for constructive set [Rey83] John C. Reynolds. Types, abstraction and para-
theories. Annals of Mathematical Logic, 23:127–178, metric polymorphism. In Information Processing
1982. 83, pages 513–523. Elsevier, 1983.
[Bli87] Andrzej Blikle. MetaSoft Primer, Towards a [Rey84] John C. Reynolds. Polymorphism is not set-
Metalanguage for Applied Denotational Semantics, theoretic. In Semantics of Data Types, volume 173
volume 288 of LNCS. Springer-Verlag, 1987. of LNCS, pages 145–156. Springer-Verlag, 1984.
[BT83] Andrzej Blikle and Andrzej Tarlecki. Naive [Sco76] Dana Scott. Data types as lattices. SIAM Journal
denotational semantics. In Information Processing of Computing, 5(3):522–587, 1976.
83, pages 345–355. North-Holland, 1983.
[Smi84] Jan Smith. An interpretation of Martin-Löf’s type
[Dan05] Nils Anders Danielsson. Personal web page, theory in a type-free theory of propositions. Journal
available at http://www.cs.chalmers.se/~nad/, of Symbolic Logic, 49(3):730–753, 1984.
2005.
[Tur96] David Turner. Elementary strong functional
[Dij76] Edsger W. Dijkstra. A Discipline of Programming. programming. In FPLE’95, volume 1022 of LNCS,
Prentice Hall, 1976. pages 1–13. Springer-Verlag, 1996.
[DJ04] Nils Anders Danielsson and Patrik Jansson. Chasing [Wad89] Philip Wadler. Theorems for free! In FPCA’89,
bottoms, a case study in program verification in pages 347–359. ACM Press, 1989.
the presence of partial and infinite values. In MPC
2004, volume 3125 of LNCS, pages 85–109. Springer-
Verlag, 2004.
[Dyb85] Peter Dybjer. Program verification in a logical
theory of constructions. In FPCA’85, volume
201 of LNCS, pages 334–349. Springer-Verlag,
1985. Appears in revised form as Programming
Methodology Group Report 26, University of
Göteborg and Chalmers University of Technology,
1986.
[Dyb97] Peter Dybjer. Representing inductively defined
sets by wellorderings in Martin-Löf’s type theory.
Theoretical Computer Science, 176:329–335, 1997.
[FM91] Maarten M Fokkinga and Erik Meijer. Program
calculation properties of continuous algebras. Tech-
nical Report CS-R9104, Centre for Mathematics
and Computer Science, Amsterdam, The Nether-
lands, 1991.
[Fri75] Harvey Friedman. Equality between functionals.
In Logic Colloquium: Symposium on Logic held at
Boston, 1972-73, number 453 in Lecture Notes in
Mathematics, pages 22–37. Springer, 1975.
[Hal87] Lars Hallnäs. An intensional characterization of the
largest bisimulation. Theoretical Computer Science,
53(2–3):335–343, 1987.
[HG01] Graham Hutton and Jeremy Gibbons. The generic
approximation lemma. Information Processing