A Scheme for Defining Partial Higher-Order Functions by Recursion

This paper describes a scheme for defining partial higher-order functions as the least fixed points of monotone functionals. The scheme can be used to define both single functions by recursion and systems of functions by mutual recursion. The scheme is implemented in the IMPS Interactive Mathematical Proof System. The IMPS implementation includes an automatic syntactic check for monotonicity that succeeds for many common recursive definitions.


Introduction
Recursion is a powerful technique for defining functions (and other mathematical objects). It is one of the mainstays of formal methods. Defining a function by recursion can facilitate both reasoning and computation performed with the function. Constructing a recursive definition of a function requires care: a faulty definition will not define a bona fide function and may introduce inconsistencies. For example, there is no function f on N (the set of natural numbers) that satisfies the recursive formula ∀ n . f (n) = f (n) + 1, and the assumption that there is such a function implies that 0 = 1.
Various schemes for defining functions by recursion have been proposed. A definition that is admitted by a scheme is called an instance of the scheme. Each scheme has a set of instance requirements that a proposed definition must satisfy in order to be an instance of the scheme. For some schemes a definition is required only to have a certain syntactic form, while for other schemes a definition must possess certain semantic properties. A scheme is proper if every instance of the scheme actually defines a function. The domain of a scheme is the set D of functions such that f ∈ D iff there is some instance of the scheme that defines f .
A popular proper recursive definition scheme is the scheme of primitive recursion (see [10]). An instance of primitive recursion is a pair of equations satisfying certain syntactic requirements. The domain of primitive recursion is a broad, but proper, subset of the computable total functions on N (see footnote 1). For example, the following pair of equations constitutes a primitive recursive definition of the factorial function f : N → N:

Footnote 1: The domain of definition of a function f is the set D_f of values at which f is defined, and the domain of application of f is the set D*_f of values to which f may be applied. A function f is total if D_f = D*_f and partial if D_f ⊆ D*_f. Thus a total function is a special case of a partial function.
There is a family of proper recursive definition schemes that are based on well-founded recursion. A definition of a unary function f in this kind of scheme consists of a triple (T , ϕ, ) where T is a theory, ϕ is a formula of the form and is a well-founded relation. The definition is an instance of the scheme if each application of f in the right side of ϕ is always " -simpler" than the application of f on the left side of ϕ, i.e., that, for each i with x holds in T together with the "local context" of assumptions that govern the occurrence of f (a i (x)) in ϕ. The domain of a well-founded recursive definition scheme can be very large, including the primitive recursive functions and other computable total functions as well as possibly noncomputable total functions. Normally, the domain will not contain functions that are strictly partial. For example, (A, ϕ, ) constitutes a well-founded recursive definition of the factorial function f : N → N where: (1) A is a standard theory of real arithmetic.
is the usual total order on N.
Mechanized mathematics systems (interactive computer systems for supporting and improving mathematical reasoning) usually provide their users with an implemented scheme for defining functions by recursion. The designers of a mechanized mathematics system generally choose a proper scheme with easily checked instance requirements and a large domain. For example, HOL [9] implements a generalization of primitive recursion and PVS [13] implements a scheme for defining total higher-order functions by well-founded recursion. Although strictly partial functions are ubiquitous in mathematics and computer science, nearly all implemented schemes for defining functions by recursion admit only total functions. This paper describes a proper scheme for defining partial (as well as total) higher-order functions by recursion. In the scheme a function is defined as the least fixed point of a monotone functional, and a system of functions is defined as the simultaneous least fixed point of a system of monotone functionals. The scheme is derived from an approach to recursion developed by Y. Moschovakis [12]. Moschovakis presents the approach in his paper [12] using an informal second-order logic that admits undefined terms and partial functions. Our scheme is presented within a formal higher-order logic called LUTINS [2,3,4,8] that admits undefined terms and partial functions and that contains a definite description operator.
The scheme has been implemented and tested in the IMPS Interactive Mathematical Proof System [7,8] which has LUTINS as its logic. IMPS is equipped with an automatic mechanism for syntactically checking whether a functional is monotone. Many common functions can be defined in IMPS by functionals on which the monotonicity check succeeds. As a result, defining functions in IMPS by recursion is usually just a matter of writing down the appropriate functional: there are rarely any side conditions that need to be proved. Although the scheme is presented within LUTINS, it will work in other logics that admit partial higher-order functions.
3rd Irish Workshop on Formal Methods, 1999

The rest of the paper is organized as follows. Section 2 briefly introduces LUTINS, the logic of IMPS. Section 3 states some of the key definitions concerning functionals and fixed points. The central theorem underlying the scheme, a fixed point theorem for monotone functionals, is proved in section 4. The notion of a recursive definition is defined in section 5. Section 6 presents some extensions to the basic scheme for defining functions by recursion. How the scheme is implemented in IMPS is the subject of section 7. The IMPS monotonicity check is described in section 8. The paper ends with a short conclusion in section 9 and an appendix which presents a fixed point theorem for continuous functionals.

LUTINS
LUTINS is a nonconstructive version of simple type theory [1]. A formalization of the traditional approach to partial functions [5], it admits undefined terms and partial functions and has a definite description operator I. LUTINS is also equipped with a system of sorts for classifying terms by value, which is an extension of the system of types. LUTINS closely corresponds to mathematical practice and has proven to be an effective logic for formalizing traditional mathematics (e.g., see [6]).
The application of a term denoting a partial function to a term that denotes an argument outside of the domain of the partial function is undefined. For example, 2/0 and √−3 are undefined in a standard theory of real arithmetic. The application of a term denoting a partial function to an undefined term is also undefined. Undefined terms do not denote anything and are indiscernible from one another. The definite description operator I is used to construct definite descriptions, that is, terms of the form (I x . ϕ). A term (I x . ϕ) denotes the unique x that satisfies ϕ if there is such an x and is undefined otherwise.
Although terms may be nondenoting, LUTINS is a bivalent logic: formulas are either true or false. In particular, the application of a term denoting a predicate to an undefined term is always false. Most of the laws of classical simple type theory hold in LUTINS without modification. However, the laws dealing with instantiation and equality substitution are slightly different. For example, universal instantiation holds only for defined terms.
A sort is a syntactic object α that denotes a nonempty domain D_α of values. Types are the maximal sorts: every sort is a subtype of some type. Sorts are of either kind ι or kind *. A sort of the form of kind ι where n ≥ 1 denotes the domain of n-ary partial functions from D_α1 × ··· × D_αn to D_α(n+1). A sort of the form where n ≥ 1 is of kind * and it denotes the domain of n-ary total functions from D_α1 × ··· × D_αn to *, the sort denoting the domain {T, F} of truth values. Every term is assigned a sort on the basis of its syntax. If a term t is assigned a sort α, then the value of t is a member of D_α provided t is defined. A formula of the form t ↓ asserts t is defined, and (t ↓ α) asserts that t is defined in α, i.e., that t is defined with a value in D_α. Sorts are also used to restrict the binding operators of LUTINS: λ, ∀, ∃, and I.
In LUTINS, = is a binary predicate that satisfies the usual axioms of equality. Like any other predicate, if = is applied to an undefined term, the resulting expression is false. Hence, 2/0 = 5 and √−3 = √−3 are both false in a standard theory A of real arithmetic. An expression of the form s t is an abbreviation for (s ↓ ∨ t ↓) ⊃ s = t, which asserts that either s and t denote the same value or s and t both denote no value. Hence, 2/0 5 is false and Note that is not a predicate, just part of an abbreviation.
A theory of LUTINS is a pair T = (L, Γ) , where L is a language of LUTINS and Γ is a set of sentences in L which serve as the axioms of T .
For more information about LUTINS, see the references for LUTINS given above.

Preliminary Definitions
Let L be a language of LUTINS. An expression is a term or formula of L. For the rest of the paper, let be a sort of kind ι where n ≥ 1.
A functional of sort α is an expression of sort α α. A functional is in canonical form if it is a lambda-expression. Given functions g and h, g is a subfunction of h if the domain D g of g is a subset of the domain of h and g equals h on D g .
We define the following predicates in L.
An expression g α h asserts that g and h denote functions of sort α such that g is a subfunction of h.
Proposition 3.2 α is a partial order on α.

The Fixed Point Theorem
In this section we prove that every monotone functional has a strong fixed point. We begin by showing that every monotone functional F of sort α is total, i.e., defined for every member of α.
Proof Let F and f be variables of sort α α and α, respectively. We will assume monotone α (F ) and then derive F (f ) ↓. After expanding the definition of monotone α and then instantiating the expanded formula with f and f , we obtain f α f ⊃ F (f ) α F (f ). Since α is a partial order on α (by Proposition 3.2) and f is defined in α, it follows that F (f ) α F (f ). The latter implies F (f ) ↓ since α is a predicate. □

Theorem 4.2 (Fixed Point Theorem for Monotone Functionals) The sentence
Proof Fix a model M for L, and let X M be the denotation in M of an expression or sort X of L. Let F be a functional of sort α and assume that F M is monotone in M. We must show that there is a strong fixed point of F M in M.
For a function f of sort α in M and an ordinal γ, define F^γ_M(f) inductively by: (3) F^δ_M(f) for a limit ordinal δ is the function represented by the set of ordered pairs (a_1, ..., a_n, F^γ_M(f)(a_1, ..., a_n)) where γ < δ, a_1, ..., a_n ∈ (α_1)_M × ··· × (α_n)_M, and F^γ_M(f)(a_1, ..., a_n) is defined. The definition of F^γ_M(f) is well-defined since F_M is monotone and hence total by Lemma 4.1. Define α to be the empty function of sort α in M and card(S) to be the cardinality of a given set S.

is not a fixed point of F_M for all ordinals γ. By this assumption, the monotonicity of F_M, and induction on the ordinals, we can show that card(γ) ≤ card(domain(F^γ_M( α ))) for all ordinals γ. Let κ = card((α_1)_M × ··· × (α_n)_M). Then card(domain(F^γ_M( α ))) ≤ κ for all ordinals γ. But then

which is a contradiction.

We have thus shown that, for some ordinal γ, F^γ_M( α ) is a fixed point of F_M. Let δ be the least ordinal such that F^δ_M( α ) is a fixed point of F_M. We claim that F^δ_M( α ) is a strong fixed point of F_M. Let g be any function of sort α in M such that F_M(g) α g. Clearly, α α g, and so by the monotonicity of F_M,

This fixed point theorem is related to the Knaster-Tarski fixed point theorem for complete partial orders [11] and the Tarski fixed point theorem for complete lattices [16].
A fixed point theorem with a stronger conclusion can be obtained if "monotone functional" is replaced with "continuous functional". See the appendix for details. Continuous functionals are a popular device in computer science for defining functions by recursion, and in particular, they are a basic component of denotational semantics [14,15].

Recursive Definitions
We can now present our scheme for defining (partial higher-order) functions in LUTINS by recursion.
A recursive definition in the scheme is a triple R = (T , f, F ) where:
(1) T = (L, Γ) is a theory of LUTINS.
(2) f is a constant of sort α that is not a member of L.
(3) F is a functional of sort α that is monotone in T .
The defining axiom of R is sfp α (f, F ). The definitional extension resulting from R is the extension of T obtained by adding f to L and the defining axiom of R to Γ.
In the examples below, let A be a standard theory of real arithmetic and N, Z, and R be the sorts in A of the natural numbers, the integers, and the real numbers, respectively.

Example 5.2 The term
The recursive definition (A, Σ, F ) defines the function in A that gives the summation of a function of sort Z R over a finite segment of integers (where Σ is a constant of sort Z × Z × (Z R) R not in L). The theorem below shows that recursive definitions are merely a convenience: they do not allow any new functions to be defined that could not be defined by direct means.

Theorem 5.5 Let T be a LUTINS theory. A function can be directly defined in T by a term iff it can be recursively defined in T by a monotone functional.
Proof Let f be a constant of sort α. Assume f is directly defined in T by a term t of sort α. Then t ↓ holds in T , f does not occur in t, and the defining axiom is f = t. Let F be λ f : α . t. F is a monotone functional since t ↓ holds in T and f does not occur in t. Clearly, t is the unique fixed point of F . Hence, f is recursively defined in T by F . Now assume f is recursively defined in T by a monotone functional F . Then the defining axiom is sfp α (f, F ). Let t be

Clearly, t ↓ holds in T . Hence, f is directly defined in T by t. □

Extensions
Our scheme for recursively defining functions in LUTINS can be extended in three ways.
First, the notion of defining a single function by recursion can be straightforwardly generalized to the notion of defining a system of functions by mutual recursion. A recursive definition is redefined to be a triple where:
(1) T = (L, Γ) is a theory of LUTINS.
(3) For all i with 1 ≤ i ≤ n:
(a) f_i is a constant of sort α_i that is not a member of L.
(b) F_i is an expression of sort α_1 × ··· × α_n α_i that is monotone with respect to its ith argument in T .
The defining axiom of R says that f_1, f_2, ..., f_n is a "simultaneous strong fixed point" of F_1, F_2, ..., F_n. The definitional extension resulting from R is the extension of T obtained by adding f_1, f_2, ..., f_n to L and the defining axiom of R to Γ.
Second, recursive definitions can be allowed to contain parameters. A recursive definition (of a single function) with parameters of sorts π_1, ..., π_m defines a constant f of sort π_1 × ··· × π_m α by means of a "parameterized functional" F of sort α × π_1 × ··· × π_m α that is monotone with respect to its first argument. The defining axiom of the definition is the sentence ∀ p_1 : π_1, ..., p_m : π_m . sfp α (f(p_1, ..., p_m), λ g : α . F(g, p_1, ..., p_m)) which says that each instance of f is a strong fixed point of the corresponding instance of F .
is a recursive definition with a parameter over sets(N). Let a be an expression defined in sets(N). Then omega embedding(a) maps the natural numbers to the members of a such that i is mapped to the ith member of a for all i with 0 ≤ i < card(a). omega embedding(a) is total iff card(a) is infinite.
Third, a scheme for defining predicates by recursion can be obtained by modifying the scheme for defining functions by recursion described above. Let β = β_1 × ··· × β_n → * be a sort of kind * where n ≥ 1. A predicate of sort β is a total function of sort β. In the recursive definition scheme for predicates, the subpredicate relation defined below is used in place of the subfunction relation defined above.

Implementation in IMPS
Suppose that an IMPS user would like to define a new constant f in a theory T to be the function defined by a (presumably monotone) functional F in T . The user will submit the triple (T , f, F ) to IMPS, and then IMPS will perform the following steps:
(1) Check that f is a constant of a function sort α that is not currently in T or in a structural supertheory of T .
(2) Check that F is a functional in T in canonical form of sort α.
(3) Check that F is known to be monotone in T .
(4) If the checks above are successful, add the constant f to the language of T , add the formula sfp α (f, F ) to the axioms of T , and install the formula lfp α (f, F ) in T as a theorem.
IMPS knows that F is monotone in T if monotone α (F ) has been installed in T as theorem or if the monotonicity check described in the next section succeeds on F .

The Monotonicity Check
For an expression E and variables x, y, define E[x → y] to be the result of replacing each free occurrence of x in E with y. Let f , g, and h be variables of sort α, and let E be an expression that contains neither g nor h. E is f -stable in an IMPS theory T if Notice also that f itself is not f -stable.

Lemma 8.1 (Stability Lemma) Let F = λ f : α . λ x_1 : α_1, ..., x_n : α_n . B be a functional of sort α in a theory T . Then

Proof Suppose B is f-stable in T , and g and h are variables of sort α not occurring in B. Then

is valid in T . This implies

The following four lemmas are easy to prove:

is constructed such that F = F is valid in T . Second, the application B(x_1, ..., x_n) is beta-reduced (in T ), yielding a possibly new expression B . Lastly, the four lemmas above are repeatedly applied to B in a purely syntactic manner until either B is shown to be f-stable in T or else no more applications of the four lemmas are possible. In the former case, the check succeeds and the functional F is then monotone in T by the Stability Lemma. In the latter case, the check fails and nothing is implied about whether or not F is monotone in T .

The IMPS monotonicity check succeeds on the functionals given in Examples 5.1, 5.2, 5.3, 5.4, and 6.1 but does not succeed on the functional given in Example 6.2 because the variable f is free in the body of the second definite description. Notice that the functional

is the same as the functional F given in Example 6.2 except that F contains a non-beta-reduced lambda-application of the form

As a result, the variable f is moved into a position so that the monotonicity check succeeds on F . Since

is valid in T , F can be used to define omega embedding instead of F . This trick is often useful for transforming a functional on which the monotonicity check fails into an "equivalent" functional on which the check succeeds. In our experience, nearly all recursive definitions that arise naturally have functionals on which the monotonicity check succeeds directly or via a transformation by means of this trick.
There is a monotonicity check for functionals that define predicates by (mutual) recursion which is similar to the monotonicity check described in this section for functionals that define functions by (mutual) recursion.
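The check described in this section is purely syntactic: rules are applied to the beta-reduced body B until it is either shown f-stable or no rule applies, and the definite description of Example 6.2 is a case where no rule applies until the body is rewritten. The Python below is an added example and is not the IMPS implementation. The paper's four lemmas are not reproduced on this page, so the rules encoded here are an assumed reading of f-stability (if g is a subfunction of h and E[f → g] is defined, then E[f → h] is defined with the same value): (a) an expression in which f is not free is f-stable; (b) an application E(t_1, ..., t_n) is f-stable when E is f itself or is f-stable and every t_i is f-stable; (c) a conditional is f-stable when f is not free in its condition and both branches are f-stable; (d) f alone, and any binder in whose body f is free, is not shown stable, so the check fails there. The expression encoding and the example bodies (factorial, a body with f under a definite description, and its rewritten form) are constructed for this example.

```python
"""A syntactic f-stability check over a small expression language.

Added example, not the IMPS implementation.  Expressions are nested tuples:
  ("var", name)            variable or constant symbol
  ("app", head, [args])    application of head to a list of arguments
  ("if", cond, a, b)       conditional term
  ("lam", x, body)         lambda-abstraction binding x
  ("iota", x, body)        definite description binding x
The rules in `stable` are an assumed reading of f-stability; they are not
the paper's own four lemmas.
"""

BINDERS = ("lam", "iota", "forall", "exists")


def free_in(f, e):
    """Does the variable f occur free in expression e?"""
    kind = e[0]
    if kind == "var":
        return e[1] == f
    if kind == "app":
        return free_in(f, e[1]) or any(free_in(f, a) for a in e[2])
    if kind == "if":
        return any(free_in(f, sub) for sub in e[1:])
    if kind in BINDERS:
        return e[1] != f and free_in(f, e[2])
    raise ValueError(f"unknown expression kind {kind!r}")


def stable(f, e):
    """Syntactic f-stability check.

    True means e has been shown f-stable; False means no rule applies, in
    which case nothing is implied about monotonicity (the check fails).
    """
    if not free_in(f, e):                       # rule (a): f does not occur
        return True
    kind = e[0]
    if kind == "app":                           # rule (b): application
        head, args = e[1], e[2]
        head_ok = head == ("var", f) or stable(f, head)
        return head_ok and all(stable(f, a) for a in args)
    if kind == "if":                            # rule (c): conditional
        _, cond, a, b = e
        return not free_in(f, cond) and stable(f, a) and stable(f, b)
    return False                                # rule (d): f itself, or f under a binder


# --- constructed expressions (assumed, for illustration) --------------------

def V(name):
    return ("var", name)


def App(head, *args):
    return ("app", head, list(args))


# Body of the factorial functional: if x = 0 then 1 else x * f(x - 1)
FACT_BODY = ("if", App(V("="), V("x"), V("0")),
             V("1"),
             App(V("*"), V("x"), App(V("f"), App(V("-"), V("x"), V("1")))))

# f free under a definite description: I y . P(y, f(x)).  The check fails.
IOTA_BODY = ("iota", "y", App(V("P"), V("y"), App(V("f"), V("x"))))

# The rewriting trick of this section: (λ z . I y . P(y, z))(f(x)) moves f
# out of the binder into an argument position, so the check succeeds.
TRICK_BODY = App(("lam", "z", ("iota", "y", App(V("P"), V("y"), V("z")))),
                 App(V("f"), V("x")))

# f in the condition of a conditional: if f(x) = 0 then 1 else 2.  Not shown
# stable: enlarging f can turn the condition from false to true.
COND_BODY = ("if", App(V("="), App(V("f"), V("x")), V("0")), V("1"), V("2"))

if __name__ == "__main__":
    for name, body in [("factorial", FACT_BODY), ("iota", IOTA_BODY),
                       ("trick", TRICK_BODY), ("cond", COND_BODY)]:
        print(name, "stable" if stable("f", body) else "check fails")
```

Rule (d) is deliberately conservative: like the check the section describes, a failure says nothing about whether the functional is monotone, and the rewritten TRICK_BODY shows how moving f into an argument position lets the same rules succeed.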

Conclusion
We have presented in the logic LUTINS a proper scheme for defining partial higher-order functions by recursion. An instance of the scheme is a triple (T , f, F ) where T is a theory of LUTINS, f is a constant of a function sort α, and F is a functional of sort α that is monotone in T . The instance (T , f, F ) defines f to be the strong fixed point of F in T . The domain of the scheme is exactly the set of functions that can be directly defined in LUTINS. We have described three extensions of the scheme and an automatic syntactic check for monotonicity that succeeds for many common recursive definitions. The scheme, with the three extensions and the check for monotonicity, has been implemented in the IMPS Interactive Mathematical Proof System.

Appendix: Continuous Functionals
This appendix presents a fixed point theorem for continuous functionals which has a stronger conclusion than Theorem 4.2, a fixed point theorem for monotone functionals.
Let sets(α) be the sort of sets of elements of α.
Definition 9.1 (Chain) ∀ S : sets(α) . chain α (S) ≡ ∀ g, h : α . (g ∈ S ∧ h ∈ S) ⊃ (g α h ∨ h α g).

For a functional F and a nonnegative integer i, let F^i(g) be an abbreviation for F(···(F(g))···) where F occurs i times. Since F is monotone, {F^i( α ) : 0 ≤ i} is a chain, and so by the definition of a continuous functional,

Hence, f is a fixed point of F . We claim that f is a strong fixed point of F . Let g be any function of sort α such that F (g) α g. Clearly, α α g, and so by the monotonicity of F , F^i( α ) α F^i(g) α g for all i with 0 ≤ i. Therefore, f = lub({F^i( α ) : 0 ≤ i}) α g.
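The chain F^i of the appendix, the least fixed points of Section 5 (including the strictly partial ones the scheme admits), and the introduction's functional behind f(n) = f(n) + 1 can all be exercised in a small executable model. The Python below is an added example, not code from the paper or from IMPS: a partial function is modelled as a callable that returns None where it is undefined, a functional maps such callables to callables, and the chain is built by applying the functional repeatedly to the everywhere-undefined function. The functionals (factorial; a halving function defined only on even numbers; a summation functional in the spirit of Example 5.2, with its higher-order parameter s; and f(n) = f(n) + 1), the sample points and the FUEL bound are all constructed for this example.

```python
"""Least fixed points of monotone functionals over partial functions.

Added example, not code from the paper or from IMPS.  A partial function
is a Python callable returning None where it is undefined; a functional
maps such a callable to another.  Applying F repeatedly to `bottom`
materialises the chain bottom, F(bottom), F(F(bottom)), ... of the
appendix.  All functionals, inputs and the fuel bound are constructed here.
"""
from typing import Callable, Optional

Partial = Callable[..., Optional[int]]
Functional = Callable[[Partial], Partial]


def bottom(*args) -> Optional[int]:
    """The empty function: undefined everywhere, least under the subfunction order."""
    return None


def iterate(F: Functional, i: int) -> Partial:
    """F^i(bottom): the i-th element of the chain."""
    f: Partial = bottom
    for _ in range(i):
        f = F(f)
    return f


def lfp_value(F: Functional, args: tuple, fuel: int = 64) -> Optional[int]:
    """Value of the least fixed point of F at `args`, or None.

    The chain is increasing, so the first i at which F^i(bottom)(args) is
    defined already gives the least fixed point's value there.  If no
    i <= fuel works we answer None: a finite search cannot tell a point
    outside the domain of definition from one merely far out in the chain.
    """
    f: Partial = bottom
    for _ in range(fuel + 1):
        v = f(*args)
        if v is not None:
            return v
        f = F(f)
    return None


def is_subfunction(g: Partial, h: Partial, points) -> bool:
    """g ⊑ h on the sample points: wherever g is defined, h agrees with it."""
    return all(g(p) is None or g(p) == h(p) for p in points)


def chain_is_increasing(F: Functional, points, steps: int) -> bool:
    """Check F^i(bottom) ⊑ F^(i+1)(bottom) on the sample points for i < steps."""
    f: Partial = bottom
    for _ in range(steps):
        g = F(f)
        if not is_subfunction(f, g, points):
            return False
        f = g
    return True


# --- constructed functionals ------------------------------------------------

def fact_functional(f: Partial) -> Partial:
    """F(f) = λ n . if n = 0 then 1 else n * f(n - 1): total on N."""
    def body(n: int) -> Optional[int]:
        if n == 0:
            return 1
        r = f(n - 1)
        return None if r is None else n * r  # application to an undefined term is undefined
    return body


def half_functional(f: Partial) -> Partial:
    """F(f) = λ n . if n = 0 then 0 else f(n - 2) + 1: strictly partial,
    the least fixed point is n/2 on even n and undefined on odd n."""
    def body(n: int) -> Optional[int]:
        if n == 0:
            return 0
        if n - 2 < 0:
            return None  # argument outside the domain of application N
        r = f(n - 2)
        return None if r is None else r + 1
    return body


def sum_functional(S: Partial) -> Partial:
    """Parameterised functional in the spirit of Example 5.2: Σ(m, n, s)
    sums the partial function s over the integer segment m..n."""
    def body(m: int, n: int, s: Partial) -> Optional[int]:
        if m > n:
            return 0
        head, rest = s(m), S(m + 1, n, s)
        return None if head is None or rest is None else head + rest
    return body


def bad_functional(f: Partial) -> Partial:
    """F(f) = λ n . f(n) + 1, the functional behind the introduction's
    f(n) = f(n) + 1; its only fixed point is the empty function."""
    def body(n: int) -> Optional[int]:
        r = f(n)
        return None if r is None else r + 1
    return body


if __name__ == "__main__":
    print(lfp_value(fact_functional, (5,)), lfp_value(half_functional, (8,)),
          lfp_value(half_functional, (7,)), lfp_value(bad_functional, (3,)))
```

The None returned for the halving functional at 7 and for every point of the introduction's functional is the model's rendering of an undefined application; the scheme never has to rule these definitions out, it simply yields a function whose domain of definition is smaller.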