An Imperative Language for Verified Exact Real-Number Computation
Andrej Bauer, Sewon Park, Alex Simpson
TL;DR
A domain-theoretic denotational semantics that uses a variant of Plotkin powerdomain construction tailored to the authors' specific version of nondeterminism is devised, and formally verify parts of the development, notably the soundness of specification logic, in the Coq proof assistant.
Abstract
We introduce Clerical, a programming language for exact real-number computation that combines first-order imperative-style programming with a limit operator for computation of real numbers as limits of Cauchy sequences. We address the semidecidability of the linear ordering of the reals by incorporating nondeterministic guarded choice, through which decisions based on partial comparison operations on reals can be patched together to give total programs. The interplay between mutable state, nondeterminism, and computation of limits is controlled by the requirement that expressions computing limits and guards modify only local state. We devise a domain-theoretic denotational semantics that uses a variant of Plotkin powerdomain construction tailored to our specific version of nondeterminism. We formulate a Hoare-style specification logic, show that it is sound for the denotational semantics, and illustrate the setup by implementing and proving correct a program for computation of $π$ as the least positive zero of $\sin$. The modular character of Clerical allows us to compose the program from smaller parts, each of which is shown to be correct on its own. We provide a proof-of-concept OCaml implementation of Clerical, and formally verify parts of the development, notably the soundness of specification logic, in the Coq proof assistant.