Program Derivation in Type Theory: APartitioning ProblemKent Petersson� Jan M. Smith�AbstractMartin-L�of's type theory is a theory in which one can write both speci�-cations and programs. By interpreting propositions as types, predicate logicis available when formulating a speci�cation. The rules of type theory areformulated as tactics which makes a top down construction of programs pos-sible. These ideas are illustrated by a formal derivation of a program for apartitioning problem.Keywords: type, speci�cation, program derivation, goal, tactic.1 IntroductionMartin-L�of's type theory [4, 5] was originally developed as a foundation of construc-tive mathematics. One of the main reasons for using type theory for programmingis that it is a theory both for writing speci�cations and constructing programs. Intype theory a speci�cation is expressed by a type and an element of that type isa program that satis�es the speci�cation. When formulating speci�cations in typetheory, predicate logic is available through the interpretation of propositions as typesas explained e.g. in [6] This paper will give an example of how the framework oftype theory can be used for actually deriving a program from a speci�cation.The method corresponds to theorem proving in mathematics: the speci�cationplays the role of the proposition to be proved and the program is obtained from theproof. We will here formulate the rules of type theory as tactics, corresponding toconstructing programs top down. The idea of synthesising programs from construc-tive proofs has been used e.g. by Manna and Waldinger [?] Takasu [9] and is alsoextensively used by Constable and his coworkers at Cornell University [1].Our example is Dijkstra's problem of the Dutch national ag [2]: construct aprogram, that given a sequence of objects, each having one of the colours red, whiteor blue, rearranges the objects so that they appear in the order of the Dutch ag.�Programming Methodology Group, Dept. of Computer Sciences, Univ. of G�oteborg, 412 96G�oteborg, Sweden. 1

In type theory, the natural way of formulating this partitioning problem is to uselists. Our solution will then, we think, result in the simplest possible program forthe problem; the program one would write in a functional language like ML or KRC.However, the program will not satisfy Dijkstra's requirements concerning space ef-�ciency, which is one of the main points of his solution. In [7] we solved a similarproblem, using arrays instead of lists and following Dijkstra's more sophisticatedmethod.2 The Program Derivation MethodAs already has been mentioned, programming in type theory is like theorem provingin mathematics. However, since parts of the proofs are used in the actual construc-tion of programs, the proofs have to be more detailed and formal than they usuallyare in mathematics. In this respect, derivations of programs in type theory is sim-ilar to proving mathematical theorems in a formal system. Being formal is also anecessity when dealing with complex problems since one then certainly need com-puter support. For our example the solution is so simple that there are no problemsin doing the derivation informally. But already in the solution in [7] using arrays,there are so many steps and so much book-keeping that it is appropriate to makethe derivation in such a way that it could be checked by a computer. So, in orderto illustrate the method, our example is carried out in such a detail that it shouldbe straightforward to obtain a completely formal derivation. Di�erences betweenproofs in traditional mathematics and program derivations as well as the role offormalization are discussed by Scherlis and Scott [8]The usual way of presenting a formal derivation, e.g. in text books on logic, isto go from axioms and assumptions to the conclusion. When deriving programs intype theory this would mean that you �rst start constructing the smaller parts ofthe program and then build up the program from these parts. This is not a goodprogramming methodology. Instead we want to use the top down approach fromstructured programming [?]. So, instead of starting the derivation from axiomsand assumptions, we will proceed in the opposite direction. We will start withthe speci�cation, split it into subspeci�cations and then compose solutions to thesesubproblems to a solution of the original problem. In the LCF-system [3] there isa goal directed technique for �nding proofs in this style. The proposition to beproved together with a list of assumptions, which can be used in the proof, is calleda goal. The di�erent methods that can be used to split a goal into subgoals arecalled tactics.For example, the introduction rule for conjunctionA;W B;WA & B;Wwhere W is a list of assumptions, becomes, when viewed as a tactic:2

The goal A & B;Wmay be split into the subOBgoalsA;Wand B;WIn type theory there will also be constructed a program during the deriva-tion. We say that a program a achieves a goal A;W if a 2 A under assump-tions in w. So a tactic in type theory not only divides a goal A;W into subgoalsA1;W1; : : : ; An;Wn, but also shows how to construct a program a 2 A;W from pro-grams a1 2 A1;W1; : : : ; an 2 An;Wn. By using the interpretation of propositionsas types, the conjunction tactic can be formulated in the following way:�-introduction tactic:The problem of �nding a program c that achieves the goalA� B;Wcan be split into the problem of �nding a program a that achieves thegoal A;Wand the problem of �nding a program b that achieves the goalB;WThe program c can then be put equal to ha; bi.When deriving a program from a speci�cation, applying a tactic will give a partof the program one is in the process of constructing. In case of the �-introductiontactic, one gets a part of pair-form. The �-introduction tactic can also be describedin the following way: A� B;W ; �-introductionA;Wif achieved by aB;Wif achieved by bthen achieved by ha; bi3

This schematical way of describing a tactic can be extended to full derivations. Itcan also be used when a derivation is not yet complete and then give the structureof the derivation made so far as well as the structure of the program obtained atthat stage. We will use this notation in our derivation of a program for the Dutchnational ag problem.Using the formulation of & -elimination from Schroeder-Heister [?].A & B;W C;W++[A;B]C;Wwhere we use ++ to denote concatenation of assumption lists, we get the following�-elimination tactic in type theory:The problem of �nding a program c that achieves the goalC(x); W++[x 2 A� B]can be replaced by the problem of �nding a program b(x1; x2) thatachieves the goalC(hx1; x2i); W++[x 2 A� B; x1 2 A; x2 2 B]The program c can then be put equal to split(x; b).The constant split is computed according to the rule:split(ha; bi; c)! c(a; b)In this way all rules of type theory may be formulated as tactics. This is alsothe approach taken in the system for type theory developed at Cornell University[1]. We give two more examples of translating rules into tactics by formulating the�-introduction rule and the List-elimination rule as tactics. Both tactics will beused in the derivation of a program for the problem of the Dutch ag.Corresponding to the �-introduction ruleb(x) 2 B(x); W++[x 2 A]�(b) 2 (�x 2 A)B(x); Wwe have the tactic:The problem of �nding a program c that achieves the goal(�x 2 A)B(x); Wcan be replaced by the problem of �nding a program b(x) that achievesthe goal B(x); W++[x 2 A]The program c can then be put equal to �(b).4

We can also express the tactic in our notation for derivations:(�x 2 A)B(x);W ; �-introductionB(x);W ++ [x 2 A]if achieved by b(x)then achieved by �(b)The List-elimination rule,l 2 List(A);Wa 2 C(nil);Wb(x; y; z) 2 C(cons(x; y));W++[x 2 A; y 2 List(A); z 2 C(y)]listrec(l; a; b) 2 C(l);Wcorresponds to induction on lists and is the rule of type theory which introducesrecursion on lists. listrec is computed according to the ruleslistrec(nil; a; b) ! alistrec(cons(x; y); a; b) ! b(x; y; listrec(y; a; b))When formulated as a tactic, the rule becomes:The problem of �nding a program c that achieves the goalC(l); W++[l 2 List(A)]can be split into the problems of �nding a program a that achievesC(nil); W++[l 2 List(A)]and a program b(x; y; z) that achievesC(cons(x; y)); W++[l 2 List(A); x 2 A; y 2 List(A); z 2 C(y)]The program c can then be put equal to listrec(l; a; b).Schematically, the List-elimination tactic is written:C(l);W ++ [l 2 List(A)] ; List-eliminationC(nil);W ++ [l 2 List(A)]if achieved by aC(cons(x; y));W ++ [l 2 List(A); x 2 A; y 2 List(A); z 2 C(y)]if achieved by b(x; y; z)then achieved by listrec(l; a; b)5

3 A Partitioning ProblemIn this section, we will derive a program for the Dutch ag problem [2] using lists.We will use the following general assumptions about the problem: We assume thatA is a type, that Red, White and Blue are type valued functions (propositionalfunctions) de�ned on A and that colour(x) is a (proof-)object of the type (proposi-tion) Red(x) _ (White(x) _ Blue(x)). In other words, we introduce the followingassumptions: A typeRed(x) type [x 2 A]White(x) type [x 2 A]Blue(x) type [x 2 A]colour(x) 2 Red(x) _ (White(x) _ Blue(x)) [x 2 A]We let W denote the list of these assumptions.We start by introducing the following de�nitions.Reds � fx 2 A j Red(x)gWhites � fx 2 A j White(x)gBlues � fx 2 A j Blue(x)gappend(l1; l2) � listrec(l1; l2; (x; y; z) cons(x; z))append3(l1; l2; l3) � append(l1; append(l2; l3))Permutation(l1; l2) � (8x 2 A)Eq(N; occ� in(x; l1); occ� in(x; l2))occ� in(x; l) � listrec(l; 0; (u; v; w) if eqA(x; u) then s(w) else w)We have here used a de�nition of permutation which requires the equality relationon A to be decidable. This restriction can be removed, but the de�nition will thenbe more complicated.The speci�cation can now be given by the proposition(8l 2 List(A))(9s 2 List(Reds)� (List(Whites)� List(Blues)))(Permutation(l; append3(fst(s); snd(s); trd(s))))or, using types instead of propositions,S � (� l 2 List(A)) Part� perm(l)wherePart� perm(l) � fhl0; l00; l000i 2 List(Reds)� (List(Whites)� List(Blues)) jPermutation(l; append3(l0; l00; l000))g6

Note that a program that satis�es this speci�cation will give a triple of lists asoutput. To get a solution to Dijkstra's formulation of the problem, these three listsshould be concatenated.Deriving a program that satis�es the speci�cation is nothing but �nding a pro-gram which is a member of the type expressing the speci�cation, or, if we think ofthe speci�cation as a goal, to �nd a program that achieves the goal. So, the initialgoal is: S;WThe intuitive idea behind the proof is the following: The list l of red, white andblue objects will be partitioned by list recursion. The base case, i.e. that l is equalto nil, is solved by simply putting the partitioning s equal to hnil; nil; nili. For theinduction step, assume that l is cons(x; y) and that we have a partitioning z of l andthen separate the problem into three cases:1. x is red. s is then put equal to hcons(x; fst(z)); snd(z); trd(z)i.2. x is white. s is then put equal to hfst(z); cons(x; snd(z)); trd(z)i.3. x is blue. s is then put equal to hfst(z); snd(z); cons(x; trd(z))i.From this intuitive idea, it would not be much work to get, by informal reasoning,a program in type theory which satis�es the speci�cation. We want, however, forreasons mentioned in section 2, do a derivation which easily could be transformedto a completely formal derivation. In the derivation we will assume a few elemen-tary properties about permutations and these properties will be explicitly stated aslemmas.We begin the derivation by assuming l 2 List(A) and then try to �nd a programof type Part� perm(l). In other words, we apply the �-introduction tactic to G1,getting the subgoal Part� perm(l); W ++ [l 2 List(A)]From this problem we proceed by list induction over l, i.e., we split G2 into twosubgoals G3 and G4, corresponding to the the base and induction step, respectively.Schematically, the derivation we have made so far is:G1 ; �-introductionG2 ; List-eliminationG3if achieved by aG4if achieved by b(x; y; z)then achieved by listrec(l; a; b)then achieved by �((l) listrec(l; a; b))7

Corresponding to the base step, we have the goalPart� perm(nil); W ++ [l 2 List(A)]Following the intuitive idea for the proof, this goal is achieved by hnil; nil; nili. For-mally, then, we have to show that hnil; nil; nili 2 Part� perm(nil).In order to do this, we apply the Subset/Triple introduction tactic (de�ned onpage ??) and show that nil achieves the goalsList(Reds); W ++ [l 2 List(A)];List(Whites); W ++ [l 2 List(A)]List(Blues); W ++ [l 2 List(A)]and then verify the subgoalPermutation(nil; append3(nil; nil; nil)); W ++ [l 2 List(A)]By List-introduction we have nil 2 List(Reds)nil 2 List(Whites)nil 2 List(Blues)Furthermore, from append3(nil; nil; nil) = nil 2 List(A)andLemma 1 Permutation(l; l) true [A type; l 2 List(A)]we get Permutation(nil; append3(nil; nil; nil)) truewhich shows that hnil; nil; nili achieves G3. Sohnil; nil; nili 2 Part� perm(nil) �fhl0; l00; l000i 2 List(Reds)� (List(Whites)� List(Blues)) jPermutation(nil; append3(l0; l00; l000))gand we have solved the subproblem G3.8

G1 ; �-introductionG2 ; List-eliminationG3 ; Subset/Triple-introductionList(Reds); W ++ [l 2 List(A)]achieved by nilList(Whites); W ++ [l 2 List(A)]achieved by nilList(Blues); W ++ [l 2 List(A)]achieved by nilPermutation(nil; apply3(nil; nil; nil)); W ++ [l 2 List(A)]veri�ed assuming Lemma 1achieved by hnil; nil; niliG4if achieved by b(x; y; z)then achieved bylistrec(l; hnil; nil; nili; b)then achieved by�((l) listrec(l; hnil; nil; nili; b))It now remains to achieve G4, i.e. the induction step:Part� perm(cons(x; y));W++[l 2 List(A); x 2 A; y 2 List(A); z 2 Part� perm(y)]We apply the Subset/Triple elimination tactic (de�ned on page ??) on G4 gettingPart� perm(cons(x; y)); W1where W1 � W++ [l 2 List(A); x 2 A; y 2 List(A); z 2 Part� perm(y);z0 2 List(Reds); z00 2 List(Whites); z000 2 List(Blues)Permutation(y; append3(z0; z00; z000)) true]G4 ; Subset/Triple-eliminationG5if achieved by a(z0; z00; z000)then achieved by split3(z; a)The goal G5 says that the problem is to �nd a program of type Part�perm(cons(x; y))under the assumptions inW1. Following the intuitive proof idea, we divide the prob-lem into three cases: when the element x is red, when it is white and when it isblue. One of the assumptions in the assumption list W1 iscolour(x) 2 Red(x) _ (White(x) _ Blue(x))9

so it is appropriate to apply the _ 3-elimination tactic (de�ned on page ??) on G5and split it into the three subgoals:Part� perm(cons(x; y)); W1 ++ [u 2 Red(x)]Part� perm(cons(x; y)); W1 ++ [v 2 White(x)]Part� perm(cons(x; y)); W1 ++ [w 2 Blue(x)]G5; _ 3G6if achieved by d(u)G7if achieved by e(v)G8if achieved by f(w)then achieved by when3(colour(x); d; e; f)That the program hcons(x; z0); z00; z000iachieves G6 is seen by the following derivation. FromLemma 2Permutation(y; append3(l0; l00; l000)) �Permutation(cons(x; y); append3(cons(x; l0); l00; l000)) true[A type; x 2 A; y 2 List(A); l0 2 List(A); l00 2 List(A); l000 2 List(A)]and the assumptions in the assumption list W1 ++ [u 2 Red(x)] we can prove in afew steps x 2 RedsRed(cons(x; z0)) truehcons(x; z0); z00; z000i 2 List(Reds)� (List(Whites)� List(Blues))Permutation(cons(x; y); append3(cons(x; z0); z00; z000)) trueSo, by Subset/Triple-introductionhcons(x; z0); z00; z000i 2 Part� perm(cons(x; y)); W1 ++ [u 2 Red(x)]and hcons(x; z0); z00; z000i therefore achieves G6.10

G6 ; Subset/Triple introductionList(Reds); W1 ++ [u 2 Red(x)]achieved by cons(x; z0)List(Whites); W1 ++ [u 2 Red(x)]achieved by z00List(Blues); W1 ++ [u 2 Red(x)]achieved by z000Permutation(cons(x; y); apply3(cons(x; z0); z00; z000)); W1 ++ [u 2 Red(x)]veri�ed assuming Lemma 2achieved by hcons(x; z0); z00; z000iG7 is solved in the same way as G6: FromLemma 3Permutation(y; append3(l0; l00; l000)) �Permutation(cons(x; y); append3(l0; cons(x; l00); l000)) true[A type; x 2 A; y 2 List(A); l0 2 List(A); l00 2 List(A); l000 2 List(A)]we gethz0; cons(x; z00); z000i 2 Part� perm(cons(x; y)); W1++ [v 2 White(x)]Similarlyhz0; z00; cons(x; z000)i 2 Part� perm(cons(x; y)) W1++ [w 2 Blue(x)]follows fromLemma 4 Permutation(y; append3(l0; l00; l000)) �Permutation(cons(x; y); append3(l0; l00; cons(x; l000))) true[A type; x 2 A; y 2 List(A); l0 2 List(A);l00 2 List(A); l000 2 List(A)]So G8 is achieved by hz0; z00; cons(x; z000)i.Combining the solutions of the last three subproblems gives us that G5 is achievedby when3(colour(x);(u) hcons(x; z0); z00; z000i;(v) hz0; cons(x; z00); z000i;(w) hz0; z00; cons(x; z000)i)We can now form a program that achieves the induction step G4:11

split3(z;(z0; z00; z000)when3(colour(x);(u) hcons(x; z0); z00; z000i;(v) hz0; cons(x; z00); z000i;(w) hz0; z00; cons(x; z000)i))G2 is then achieved bylistrec(l;split3(z;(z0; z00; z000)when3(colour(x);(u) hcons(x; z0); z00; z000i;(v) hz0; cons(x; z00); z000i;(w) hz0; z00; cons(x; z000)i)))And, �nally�((l) listrec(l;listrec(l;split3(z;(z0; z00; z000)when3(colour(x);(u) hcons(x; z0); z00; z000i;(v) hz0; cons(x; z00); z000i;(w) hz0; z00; cons(x; z000)i))))is a program that achieves G1 and consequently also a program that satis�es thespeci�cation.The whole derivation can be described in a condensed form by the schema:G1 ; �-introductionG2 ; List-eliminationG3 ; Subset/Triple-introductionList(Reds); W ++ [l 2 List(A)]achieved by nilList(Whites); W ++ [l 2 List(A)]achieved by nilList(Blues); W ++ [l 2 List(A)]achieved by nilPermutation(nil; apply3(nil; nil; nil)); W ++ [l 2 List(A)]veri�ed assuming Lemma 1achieved by hnil; nil; niliG4 ; Subset/Triple-eliminationG5 ; _ -eliminationG6 ; Subset/Triple-introductionList(Reds); W2 ++ [u 2 Red(x)]achieved by cons(x; z0) 12

List(Whites); W2 ++ [u 2 Red(x)]achieved by z00List(Blues); W2 ++ [u 2 Red(x)]achieved by z000Permutation(cons(x; y); apply3(cons(x; z0); z00; z000));W2 ++ [u 2 Red(x)]veri�ed assuming Lemma 2achieved by hcons(x; z0); z00; z000iG7 ; Subset/Triple-introductionList(Reds); W2 ++ [v 2 White(x)]achieved by z0List(Whites); W2 ++ [v 2 White(x)]achieved by cons(x; z00)List(Blues); W2 ++ [v 2 White(x)]achieved by z000Permutation(cons(x; y); apply3(z0; cons(x; z00); z000));W2 ++ [v 2 White(x)]veri�ed assuming Lemma 3achieved by hz0; cons(x; z00); z000iG8 ; Subset/Triple-introductionList(Reds); W2 ++ [w 2 Blue(x)]achieved by z0List(Whites); W2 ++ [w 2 Blue(x)]achieved by z00List(Blues); W2 ++ [w 2 Blue(x)]achieved by cons(x; z000)Permutation(cons(x; y); apply3(z0; z00; cons(x; z000)));W2 ++ [w 2 Blue(x)]veri�ed assuming Lemma 4achieved by hz0; z00; cons(x; z000)iachieved by when3(colour(x); (u)h: : :i; (v)h: : :i; (w)h: : :i)achieved by split3(z; (z0; z00; z000)when3(: : :))achieved by listrec(l; hnil; nil; nili; (x; y; z) split3(: : :))achieved by �((l) listrec(: : :))References[1] R. L. Constable et al. Implementing Mathematics with the NuPRL Proof Devel-opment System. Prentice-Hall, Englewood Cli�s, NJ, 1986.[2] Edsger W. Dijkstra. A Discipline of Programming. Prentice-Hall, 1976.13

[3] M. Gordon, R. Milner, and C. Wadsworth. Edinburgh LCF, volume 78 of LectureNotes in Computer Science. Springer-Verlag, 1979.[4] Per Martin-L�of. Constructive Mathematics and Computer Programming. InLogic, Methodology and Philosophy of Science, VI, 1979, pages 153{175. North-Holland, 1982.[5] Per Martin-L�of. Intuitionistic Type Theory. Bibliopolis, Napoli, 1984.[6] Bengt Nordstr�om and Jan Smith. Propositions, Types and Speci�cations inMartin-L�of's Type Theory. BIT, 24(3):288{301, October 1984.[7] Kent Petersson and Jan Smith. Program Derivation in Type Theory: The PolishFlag Problem. PMG report 19, Chalmers University of Technology, G�oteborg,June 1985.[8] W. L. Scherlis and D. Scott. First Steps Toward Inferential Programming. InProceedings IFIP Congress, Paris, 1983.[9] S. Takasu. Proofs and Programs. Proceedings of the 3rd IBM Symposium onMathematical Foundations of Computer Science, 1978.

14