Proofs as stateful programs: A first-order logic with abstract Hoare triples, and an interpretation into an imperative language

We introduce an extension of first-order logic that comes equipped with additional predicates for reasoning about an abstract state. Sequents in the logic comprise a main formula together with pre- and postconditions in the style of Hoare logic, and the axioms and rules of the logic ensure that the assertions about the state compose in the correct way. The main result of the paper is a realizability interpretation of our logic that extracts programs into a mixed functional/imperative language. All programs expressible in this language act on the state in a sequential manner, and we make this intuition precise by interpreting them in a semantic metatheory using the state monad. Our basic framework is very general, and our intention is that it can be instantiated and extended in a variety of different ways. We outline in detail one such extension: A monadic version of Heyting arithmetic with a wellfounded while rule, and conclude by outlining several other directions for future work.


Introduction
The Curry-Howard correspondence lies at the heart of theoretical computer science.Over the years, a multitude of different techniques for extracting programs from proofs have been developed, the majority of which translate formal proof systems into lambda calculi.As such, programs extracted from proofs are typically conceived as pure functional programs.
Everyday programmers, on the other hand, often think and write in an imperative paradigm, in terms of instructions that change some underlying global state.This is reinforced by the fact that many of the most popular programming languages, including C and Python, lean towards this style.Imperative programs are nevertheless highly complex from a mathematical perspective, and while systems such as Hoare logic [Hoa69] or separation logic [Rey02] have been designed to reason about them, the formal extraction of imperative programs from proofs has received comparatively little attention.
In this paper, we propose a new idea in this direction, developing a formal system SL that enriches ordinary first-order logic with Hoare triples for reasoning about an abstract global state.Sequents will have the form Γ ⊢ {α • A • β}, where A is a formula and α, β assertions about the state, and proofs in the logic will include both ordinary introduction and elimination rules for predicate logic, together with special rules for reasoning about the state.We then construct a stateful realizability interpretation (based on Kreisel's modified realizability [Kre59]) that relates formulas in SL to terms in a mixed functional/imperative language ST.Our main result is a soundness theorem, which confirms that whenever a formula is provable in SL, we can extract a corresponding stateful realizing term in ST.While our initial soundness theorem focuses on pure predicate logic, we subsequently show that it can be extended to arithmetic, where in particular we are then able to extract programs that contain both recursion and controlled while loops.
We are not the first to adapt traditional methods to extract imperative programs: A major achievement in this direction, for example, is the monograph [PCW05], which sets up a variant of intuitionistic Hoare logic alongside a realizability translation into a standard imperative language.Other relevant examples include [Atk09, CMM + 09, DF89, Fil03, NAMB07, YHB07].However, these and almost all other prior work in this direction tend to focus on formal verification, with an eye towards using proof interpretations as a method for the synthesis of correct-by-construction software.In concrete terms, this means that the formal systems tend to be quite detailed and oriented towards program analysis, while the starting point is typically a program for which we want to construct a verification proof, rather than a proof from which we hope to extract a potentially unfamiliar program.
Our approach, on the other hand, is much more abstract, with an emphasis on potential applications in logic and proof theory.Our basic system SL makes almost no assumptions about the structure of the state and what we are allowed to do with it.Rather, we focus on producing a general framework for reasoning about 'stateful formulas', which can then be instantiated with additional axioms to model concrete scenarios.The simplicity and generality of our framework is its most important feature, and we consider this work to be a first step towards a number of potentially interesting applications.For this reason, we include not only an extension of our system to a monadic theory of arithmetic, but conclude by sketching out some additional ways in which we conjecture that our logic and interpretation could be used and expanded, including the computational semantics of proofs and probabilistic logic.
We take ideas from three main sources.The first is a case study of Berger et al. [BSW14], in which a realizability interpretation is used to extract a version of in-place quicksort, and where the imperative nature of the extracted program is presented in a semantic way using the state monad.While their program behaves imperatively "by-chance", terms extracted from our logic are forced to be imperative, and thus our framework offers one potential solution to their open problem of designing a proof calculus which only yields imperative programs.Indeed, an implementation of the insert sort algorithm is formally extracted in Section 6 below.Our second source of inspiration is the thesis of Birolo [Bir12], where a general monadic realizability interpretation is defined and then used to give an alternative, semantic presentation of learning-based interactive realizability [Asc11,Bd09].However, our work goes beyond this in that it also involves a monadic extension of the target logic, whereas Birolo's applies to standard first-order logic.Finally, a number of ideas are taken from the author's previous work [Pow18] on extracting stateful programs using the Dialectica interpretation.While there the state is used in a very specific and restricted way, here we use an analogous call-by-value monadic translation on terms.
It is important to stress that we do not claim that our work represents an optimal or complete method for extracting imperative programs from proofs, nor do we claim that it is superior to alternative methods, including the aforementioned works in the direction of verification, or, for instance, techniques based on Krivine's classical realizability [Kri09], • A novel extension SL of predicate logic with abstract Hoare triples, which can be extended with additional axioms for characterising the state (Section 2).• A standard calculus ST for lambda terms with imperative commands, which can again be extended with additional constants for interacting with the state (Section 3).• A metalanguage S ω into which both SL and ST can be embedded (Section 4), which is used to formulate the realizability relation and prove its soundness (Section 5).• An instantiation of SL as a theory of arithmetic, with programs extracted into an extension of ST with recursion and while loops (Section 6).
Concrete examples are given, and potential applications surveyed in Section 7.

The system SL: First-order logic with state
We begin by introducing our target theory SL from which stateful programs will be extracted.This is an extension of ordinary first-order logic in the sense that the latter can always be embedded into SL (we will make this precise in Proposition 2.1 below).Ultimately, we are interested not so much in SL on its own, but in theories of the form SL + ∆ H + ∆ S , where ∆ H and ∆ S are collections of (respectively non-computational and computational) axioms that together characterise the state.Several concrete examples will be given to illustrate this, and in Section 6 we present a variant of SL that represents a theory of first-order arithmetic with state.Before defining SL, we give a standard presentation of first-order intuitionistic predicate logic PL, which serves as an opportunity to fix our basic style of formal reasoning.The language of PL consists of the logical constants ∧, ∨, ⇒, ∀, ∃, ⊤, ⊥, variables x, y, z, . .., along with function symbols f, g, h, . . .and predicate symbols P, Q, R, . .., each with a fixed arity.We assume the existence of at least one constant c.Terms are built from variables and function symbols as usual, and formulas are built from prime formulas P (t 1 , . . ., t n ), ⊤ and ⊥ using the logical constants.We use the usual abbreviation ¬A :≡ A ⇒ ⊥.We work in a sequent style natural deduction calculus, where sequents have the form Γ ⊢ I A for some context Γ and formula A, and a context is a set of labelled assumptions of the form A u 1 1 , . . ., A un n for pairwise distinct labels u i .The axioms and rules of PL are as in Figure 1.
2.1.Stateful first-order logic.We now define our new logical system SL, which is an extension of ordinary first-order logic with new state propositions.To be more precise, we extend the language of PL with a ternary operation {− • − • −}, together with special state predicate symbols p, q, r, . .., which also have a fixed arity.Terms of SL are the same as those of PL.On the other hand, there are two kinds of formulas in SL: state formulas and main formulas.A state formula is defined using state predicate symbols and propositional connectives as follows: for ∀I, y ≡ x or y not free in A, and y not free in Γ for ∃E, y ≡ x or y not free in A, and y not free in C or Γ.The notions of free and bound variables, along with substitution α[t/x] and A[t/x] can be easily defined for both state and main formulas.Analogous to the construction of formulas, our basic proof system uses the auxiliary notion of a state proof in order to define a main proof.A state sequent has the form Γ ⊢ H α where α is a state formula and Γ a set of labelled state formulas.A proof of Γ ⊢ H α in SL is built from the axioms and rules of classical propositional logic i.e. the propositional axioms and rules as set out in Figure 1 plus the law of excluded middle Γ ⊢ H α ∨ ¬α, together with a set ∆ H of as yet unspecified state axioms of the form Γ ⊢ H α.
A main sequent of SL has the form Γ ⊢ S {α • A • β}, where A is a formula and α, β state formulas, and Γ is a set of labelled main formulas.A proof of Γ ⊢ S {α • A • β} in SL uses the axioms and rules given in Figure 2, together with a set ∆ S of additional axioms.
We now make precise what we mean when we characterise SL as an extension of standard first-order logic.The following is provable with an easy induction over derivations in PL: Proposition 2.1.For any formula A of PL and state formula α, define the main formula where ∆ is arbitrary and Γ α := (A 1 ) u 1 α , . . ., (A n ) un α for Γ := A u 1 1 , . . ., A un n .
2.2.The intuition behind SL.The intended semantic meaning of Γ ⊢ H α is that α can be inferred from the assumptions Γ for any fixed state.More specifically, if we imagine a semantic variant [α](π) of each state formula where now the dependency on an underlying state π is made explicit, the semantics of Γ ⊢ H α is just On the other hand, the intended meaning of Γ ⊢ S {α • A • β} is that from assumptions Γ, if α holds with respect to some initial state, then we can infer that A is true and β holds with respect to some modified state, or more precisely: In particular, the computational interpretation of (2.1) above will be a program that takes some input state π satisfying [α](π) and returns a realizer-state pair ⟨x, π ′ ⟩ such that x realizes A and [β](π ′ ) holds.Our semantic interpretation [•] will be properly defined in Section 4. Crucially, in SL the state is implicit, and so there are no variables or terms of state type.The state will rather be made explicit in our metatheory S ω .The main axioms and rules of SL simply describe how this semantic interpretation propagates in a call-by-value manner through the usual axioms and rules of first-order logic.The state itself is brought into play through the Hoare rules along with the additional axioms ∆ H and ∆ S .
To give a more detailed explanation, consider the introduction rule ∧ S I. Semantically, the idea is that if both hold, then we can infer and this can be regarded as a 'stateful' version of the usual conjunction introduction rule.In particular, we note that this is no longer symmetric: Informally speaking, [A] is 'proven first', followed by [B].Under our realizability interpretation, this rule will correspond to realizer for {α • A • β} being sequentially composed with a realizer for {β • B • γ}.
for ∀ S I, y ≡ x or y not free in A, α, β, and y not free in Γ for ∃ S E, y ≡ x or y not free in A, and y not free in C, α, β, γ or Γ.

Basic Hoare rules
Similarly, for the stateful quantifier rule ∀ S I, the premise {α and so by the standard quantifier rule of ordinary predicate logic we would have From this we can directly infer for arbitrary γ, and the above now this has the right form, namely the semantic interpretation We note that the traditional rules of Hoare logic correspond to certain simple cases of our rules.For example, the composition rule could be viewed as special case of ∧ S I for A = B = ⊤, more specifically the derivation: In a similar spirit, the two Hoare rules of SL correspond to the consequence and conditional rules of ordinary Hoare logic, with the traditional conditional rule falling out as a special case of ours since we assume Γ ⊢ H α ∨ ¬α.In Section 6 we extend this further by adding a controlled while loop to our logic.But for now, we illustrate our logic with some very straightforward scenarios.
Example 2.2 (Simple query and return).Consider a very simple state, on which we can perform the following actions: (1) Store any value from our domain of discourse in some query location.
(2) For the current value x in the query location, return a suitable answer y such that P (x, y) holds for some fixed binary predicate system of the logic, and store this value.(3) Retrieve the computed value y from the state.
We formalise those three actions by including two unary state predicates query and return P , where query(x) denotes that x is currently stored in the query location, and return P (x) denotes that some y satisfying P (x, y) has been returned.We would then add the following axioms to ∆ S , which intuitively represent each of the above actions: (1) Γ ⊢ S {α • ⊤ • query(x)} where α ranges over all state formulas, (2 The second rule should be regarded as representing an abstract updating of the state where the return value is stored somewhere, and the third the act of retrieval, where following the update we can now formally prove ∃y P (x, y).Note that the computational aspects of this interpretation will only become apparent under the realizability interpretation, where a realizer for {return P (x) • ∃y P (x, y) • ⊤} will be a function that accesses any state satisfying return P (x) and produces as output the y satisfying P (x, y) (See Example 5.6).

7:8 T. Powell
Vol. 20:1 We can now, for example, derive the following theorem in SL + ∆ H + ∆ S (for ∆ H = ∅), where α, β are any state formulas: The derivation below is essentially a proof of ∀x∃y P (x, y) that, necessarily, utilising properties of the state: We note that while state formulas and actions are used in the proof, if we set α = β = ⊤ then the components of the theorem itself are just formulas in ordinary first-order logic.A program corresponding to this derivation will be formally extracted in Example 5.6, but referring to the semantic explanations above, we can view each instance of ∧ S I in the proof as a sequential composition of state actions (with ∧ S E just cleaning up the central logical formula), and finally ∀ S I is just the stateful version of the usual ∀-introduction rule.
Example 2.3 (Fixed-length array sorting).Let us now consider our state as an array of length three, and elements in that array as having some order structure.We formalise this in SL by introducing 1, 2, 3 as constants representing our three locations, along with two state predicates: a binary predicate ≤ for comparing elements at locations l and l ′ , and a nullary predicate sorted that declares that the state is sorted.These can be characterised by adding the following axiom schemes, but to ∆ H rather than ∆ S as they do not represent state actions: where l, l ′ range over {1, 2, 3} We then allow a single action on our array, namely the swapping of a pair of elements in the list.Suppose that α is a state formula of the form where l i , l i range over locations {1, 2, 3}.Now for l, l ′ ∈ {1, 2, 3} let α[l ↔ l ′ ] denote α where all instances of l and l ′ are swapped, so that if e.g.
We axiomatise the swapping of the values in locations of some arbitrary pair l, l ′ ∈ {1, 2, 3} by adding to ∆ S all instances of where α ranges over state formulas of the form (2.2).The statement that all arrays of length three can be sorted is then formulated as Let us now give a proof of this statement in SL + ∆ H + ∆ S .As with the previous example, we emphasise that the underlying computation represented by this proof will only become visible through the realizability interpretation.
First, let α := 1 ≤ 2 ∧ 1 ≤ 3, and define D 1 as where for the left instance of cons we use 2 and for the final instance of cond we use Then we have D 3 : where here cond uses ⊢ H 2 ≤ 1 ∨ 1 ≤ 2, and finally In contrast to Example 2.2 above, this is an example of a purely imperative proof that involves no propositional formulas other than ⊤.As we will see in Example 5.6, the proof corresponds to a purely imperative program.

The system ST: A simple functional/imperative term calculus
We now define our calculus ST + Λ S whose terms will represent realizers for proofs in SL+∆ H +∆ S .This is a standard typed lambda calculus for mixed functional and imperative programs, and is defined to include basic terms together with additional constants in some set Λ S , where the latter are intuitively there to realize the axioms in ∆ S .Semantics for the terms will be given via a monadic translation into the metalanguage defined in the next section.Types are defined by the grammar is a set of typed variables.Note that the types of constants c ∈ Λ S are also left unspecified.
The type C should be interpreted as a type of commands that act on the state but don't return any values.
A denotational semantics of ST + Λ S , which is what we require for our realizability interpretation, will be specified in detail in Section 4 below.Operationally, the idea is that terms t : X of ST + Λ S take some input state π and evaluates to some value v and final state π 1 in a call-by-value way.We choose our notation to reflect the underlying stateful computations: For example, s • t is used instead of what would normally be a pairing operation, because this plays the role of simulating composition in the stateful setting.Indeed, it will be helpful to consider a derived operator for sequential composition that also incorporates the 'cleanup' seen in the examples above, and corresponds to an instance of ∧ S I followed by an instance of ∧ S E L : A full exploration of the operational semantics of ST + Λ S along with correctness with respect to the denotational semantics defined in Section 4.3 is left to future work, but we provide some further insight in Remark 4.8 below, including a more detailed discussion of the relationship between • and pairing.

A monadic embedding of SL and ST into a metatheory S ω
We now give a semantic interpretation of both state formulas of SL + ∆ H + ∆ S and terms in ST + Λ S into a standard higher-order, many sorted logic S ω + Λ S ω .4.1.The system S ω .This logic contains typed lambda terms along with equational axioms for reasoning about them, together with the usual axioms and rules of many-sorted predicate logic.Because most aspects of the logic are completely standard, and in any case it is purely a verifying system, we are less detailed in specifying it.Types are defined as follows: where D represents objects in the domain of SL (just as in ST), Bool a type of booleans, and states are now explicitly represented as objects of type S. Our metatheory is an equational calculus, with an equality symbol = X for all types.Typed terms include: • variables x, y, z, . . .for each type, where we denote state variables by π, π 1 , π 2 , . . .• a constant f : D n → D for each n-ary function symbol of SL, • additional, as yet unspecified constant symbols c : X for interpreting objects in Λ S , along with axioms that characterise them, • a unit element () : 1 along with the axiom x = (), • boolean constants t and f, with the axiom x = Bool t ∨ x = Bool f, • pairing ⟨s, t⟩ and projection proj 0 (t), proj 1 (t) operators, with the usual axioms, • terms formed by lambda abstraction and application, with the rule (λx.t)s = t[s/x], • for each type X a case operator case (b) (s) (t) for b : Bool and s, t : X, with axioms case f x y = x and case t x y = y.
We sometimes write x X instead of x : X, and we use abbreviations such as ⟨x, y, z⟩ for ⟨x, ⟨y, z⟩⟩.Atomic formulas of S ω include all ordinary predicate symbols P, Q, R, . . . of SL as atomic formulas, where an n-ary predicate P in SL takes arguments of type D n in S ω , along with predicates p, q, r, . . .for each state predicate symbol of SL, but now, if p is an n-ary state predicate in SL, p takes arguments of type D n × S in S ω .General formulas are built using the usual logical connectives, including quantifiers for all types.The axioms and rules of S ω include the axioms of rules of predicate logic (now in all finite types), axioms for the terms, along with the usual equality axioms (including full extensionality).Because S ω acts as a verifying theory, we freely use strong axioms (such as extensionality), without concerning ourselves with the minimal such system that works.

The embedding [•]
on state formulas of SL.The main purpose of our metalanguage is to allow us to reason semantically about SL and ST.To do this, we introduce an embedding of state formulas of SL and terms of ST into S ω .We use the same notation [•] for both, as there is no danger of ambiguity.An informal explanation of the meaning of [•] on formulas is given in Section 2.2.An important point to highlight here is that under the semantics, the arity of state formulas change: For any state formula α, the interpreted formula [α] now contains a single additional free variable π : S representing the underlying state.As mentioned earlier, state is implicit in our logic and term languages, but needs to be made explicit under the semantics.Definition 4.1.For each term t of SL, there is a natural interpretation of t as a term of type D in ST, namely x → x : D and f (t 1 , . . ., Similarly, there is a natural interpretation of t into S ω , this time with f (t 1 , . . ., t n ) → f (⟨t 1 , . . ., t n ⟩).We use the same notation for t in each of the three systems, as there is no risk of ambiguity.Definition 4.2.For each state formula α of SL, we define a formula [α](π) of S ω , whose free variables are the same as those of α (but now typed with type D) with the potential addition of a single state variable π, as follows: , and similarly for α ∨ β and α ⇒ β.
The following Lemma is easily proven using induction over propositional derivations.
for Γ := α 1 , . . ., α n .This extends to proofs in SL + ∆ H provided that the embedding of any axiom in ∆ H is provable in S ω + Λ S ω .
We are now in a position to make the semantic meaning of main formulas of SL precise.Note that, technically speaking, this is not necessary in what follows, neither to formulate our realizability interpretation nor to prove our soundness theorem.This is because our main realizability relation (Definition 5.2) is of the form (x sr A) for main formulas A of SL: This relation is basically equivalent to (x mr [A]) for [A] as defined below and a standard modified realizability relation mr, but our realizability interpretation essentially acts as a simultaneous inductive definition of both standard realizability and the embedding [•], and so neither of the latter need to be separately defined.
Definition 4.4.main formula A of , we define a formula [A] of S ω , whose free variables are the same as those of A (but now typed with type D), as follows: Similarly to Lemma 4.3, we can now prove the following by induction over derivations in SL.We omit the proof, because it is straightforward and in any case not necessary in what follows.
This extends to proofs in SL + ∆ H + ∆ S provided that the embedding of any axiom in ∆ H and ∆ S is provable in S ω + Λ S ω .

The embedding [•]
on terms of ST.Our translation on terms is a call-by-value monadic translation using the state monad S → X × S, which, intuitively speaking, gives a denotational interpretation of a standard call-by-value operational semantics of terms of ST.A full treatment of the corresponding operational semantics and its adequacy with respect to the and denotational semantics will be left to future work, as we only require the latter for the realizability interpretation.However, to help motivate the definitions that follow, and also justify our claim that [t] can be viewed as an imperative program, we give an informal intuition in Remark 4.8 below.7:13 We first define a translation on types of ST as follows: Lemma 4.6.For any type X of SL, the type [X] is inhabited, in the sense that we can define a canonical closed term 0 X : [X].
Proof.Induction on types, letting 0 D := c for a constant symbol which is assumed to exist in SL.The only other nonstandard case is 0 X→Y , which can be defined as λx, π .⟨0 Y , π⟩.
Finally, before introducing our translation on terms, we need to add characteristic functions to S ω for all state formulas (analogous to the characteristic functions for quantifierfree formulas in [GK05]).For any state formula α[x 1 , . . ., x n ] of SL, where x 1 , . . ., x n are the free variables of α, we introduce constants • [skip]π := ⟨(), π⟩, • [f ]π := ⟨λx D n , π .⟨f x, π⟩, π⟩, • [c]π is appropriately defined for each additional constant in Λ S , i.e. we evaluate first the function t, then the argument s, then the function application itself.This order of evaluation along with the behaviour of the state is represented semantically by [ts].Finally, we note that the main interactions with the state for terms of ST + Λ S are driven by the constants c ∈ Λ S , whose semantic interpretation as stateful programs will need to be specified in each case.
Our monadic semantics and its relationship with the intended call-by-value operational semantics is very similar in spirit to the monadic denotational semantics used in [DLR15] and related papers (but with the state monad instead of the complexity monad).We leave a formal definition and detailed exploration of the operational semantics of extracted imperative programs to future work, where it is anticipated that existing work on the operational semantics of imperative languages could be useful and revealing (e.g.[CLM13,McC10,Red96]), particularly in extending our realizability interpretation to incorporate richer imperative languages.
The following lemmas will be useful when verifying our realizability interpretation in the next section.The first is by a simple induction on terms.Lemma 4.9.For any term t of SL, we have [t]π = ⟨t, π⟩ (cf.Definitions 4.1 and 4.7).

A realizability interpretation of SL into ST
We now come to the main contribution of the paper, which is the definition of a realizability relation between terms of ST and formulas of SL, along with a soundness theorem that shows us how to extract realizers from proofs.Our metatheory S ω is used to define the realizability relation and prove the soundness theorem.
Definition 5.1 (Types of realizers).To each main formula A of SL we assign a type τ S (A) of ST as follows: Definition 5.2 (Realizability relation).For each main formula A of SL we define a formula x sr A of S ω , whose free variables are contained in those of A (now typed with type D) together with a fresh variable x : [τ S (A)], by induction on the structure of A as follows: where for x : S → [τ S (A)] × S we define The following substitution lemma is easily proven by induction on formulas of SL.
Lemma 5.3.For any term t of SL and s : [τ S (A)] we have s sr A[t/x] = (s sr A)[t/x], where x is not free in s and on the right hand side we implicitly mean the natural interpretation of t in S ω (cf.Definition 4.1).The extension of the soundness theorem to SL+∆ H +∆ S is straightforward, as the soundness proof is modular and so any axioms along with their realizers can be added.The first condition is needed so that Lemma 4.3 (needed for the cons rule) continues to apply.

• (⇒
For the free variable condition that the free variables of t are contained in those of Γ, {α • A • β} and τ S (Γ), if this were not the case, we could simply ground those variables with a canonical constant c : D and we would still have t sr {α • A • β} for the resulting term t. provably in S ω + Λ S ω .5.1.Simplification and removal of unit types.In presentations of modified realizability that use product types instead of type sequences, it is common to introduce the notion of a Harrop formula (a formula that does not contain disjunction or existential quantification in a positive position) and define realizability in a way that all Harrop formulas have unit realizability type, so that e.g.τ S (∀x (P ∧ Q)) = 1 for atomic predicates P and Q, rather than τ S (∀x (P ∧ Q)) = D → 1 × 1 as for us.We have avoided this simplification earlier on, as it would have added additional cases and bureaucracy to our soundness theorem.However, we can compensate retroactively for this choice by introducing equivalences on types that eliminate unit types, namely the closure under contexts of along with corresponding equivalences on terms, also closed under contexts: For example, in Corollary 5.5 we would then have For us, the equivalence relation ≃ will not play a formal role in the paper, but will be used to provide simplified descriptions of extracted programs.In particular, we do not rely on it in any way for the main results.To incorporate the simplifications formally into our framework, the most obvious route would involve defining a more elaborate realizability relation as indicated above, with the interpretation of Harrop formulas treated separately (as in the recent and related paper [BT21]), which would then also generate many new (but routine) cases in the soundness proof.Given that we are already introducing a new and nonstandard realizability relation, in this article we prefer to work with a simple interpretation and use the equivalences above in an informal way to more concisely describe the meaning of extracted programs.

Examples of program extraction.
We now continue the short illustrative examples we outlined in Section 2.2.
Example 5.6 (Simple read-write).In Example 2.2 we considered a state where three actions were possible (writing to the state, performing a calculation, and reading the output from the state).We can formalise these three actions semantically in the metatheory S ω by including three constants in Λ S ω , namely c 1 : D → S → S, c 2 : S → S and c 3 : S → D, along with the characterising axioms: (1) query(x, c 1 xπ), (2) query(x, π) ⇒ return P (x, c 2 π), (3) return P (x, π) ⇒ P (x, c 3 π).
While we are able to use these constants to form terms in S ω such as λπ, π 1 , x .⟨c 1 xπ, c 2 π 1 ⟩, which could be viewed as non-sequential in the sense that we take two input states as arguments, we can force them to be applied in a sequential, call-by-value manner by adding three corresponding constants to our term calculus ST, namely including write : D → C, calc : C and read : D × C in Λ S , along with the embedding rules and then restricting out attention to terms of the form [t] for t ∈ ST + {write, calc, read}.We can then prove the following in S ω i.e. that all axioms in ∆ S can be realised: • [read] sr {return P (x) • ∃y P (x, y) • ⊤}. and thus Theorem 5.4 applies to SL + ∆ H + ∆ S for ∆ H = ∅.In particular, we have Example 5.7 (Fixed-length array sorting).In Example 2.3 we considered a situation where we are allowed a single action on our state, namely to swap elements.Analogously to the previous example, we can formalise this in our semantic environment S ω by adding to Λ S ω constants c l,l ′ : S → S for each pair l, l ′ ∈ {1, 2, 3} along with the axiom ranging over state formulas α of the form (2.2) and locations l, l ′ ∈ {1, 2, 3} of SL, together with axioms corresponding to those of ∆ H i.e. [1 Similarly, for each l, l ′ ∈ {1, 2, 3} we add a term swap l,l ′ : C to Λ S and define [swap l,l ′ ]π := ⟨(), c l,l ′ π⟩ so that

An extension to arithmetic
We now present an extension of our framework to a stateful version of first-order intuitionistic arithmetic.On the logic side, we will add not only a stateful induction rule, but also a Hoare-style while rule for iteration over the natural numbers.On the computational side, these will be interpreted by stateful recursion in all finite types, along with a controlled while loop.The addition of these constants will allow us to extract programs that are more interesting than those obtainable from proofs in pure predicate logic, and which can be clearly compared to well-known stateful algorithms.To exemplify this, we will present a formally synthesised version of insertion sort, and we stress that by further extending our framework with additional rules and terms, we would be able to extract an even richer variety of combined functional/stateful programs.
6.1.The system SA: First-order arithmetic with state.Our system of stateful intuitionistic arithmetic SA builds on SL just as ordinary first-order Heyting arithmetic builds on first-order predicate logic.In both cases, we introduce a constant 0, a unary successor symbol succ, symbols for all primitive recursive functions, and our predicate symbols now include an equality relation =.In what follows we write x + 1 instead of succ(x).The axioms and rules of SA are, in turn, analogous to the additional axioms and rules we would require in ordinary first-order arithmetic: They include all axioms and rules of SL (based now on the language of SA), along with a collection of additional axioms and rules.These comprise not only basic axioms and rules for equality and the successor, and an induction rule (all now adapted to incorporate the state), but also a new while rule for stateful iteration, which now exploits our state and, as we will see, allows us to extract programs that contain while loops.These additional axioms and rules are given in Figure 4. Our formulation of stateful arithmetic follows the same basic idea as the construction of stateful predicate logic, incorporating standard rules but keeping track of an ambient state in a call-by-value manner, and adding new rules that explicitly correspond to stateful constructions.In particular, Proposition 2.1 clearly extends to SA, as the usual axioms and rules of arithmetic can be embedded into those of SA: Proposition 6.1.For any formula A of HA and state formula α, define the main formula A α of SA as in Proposition 2.1.Then whenever Γ ⊢ I A is provable in HA, we have that Γ α , ∆ ⊢ S {α • A α • α} is provable in SA, where ∆ is arbitrary and Γ α := (A 1 ) u 1 α , . . ., (A n ) un α for Γ := A u 1 1 , . . ., A un n .We can also derive a natural extensionality rule from our stateful equality rules, which assures us that whenever s = t in ordinary Heyting arithmetic, then we can replace s by t for stateful formulas:

Figure 1 :
Figure 1: Axioms and rules of PL

Figure 2 :
Figure 2: Axioms and rules of SL

Figure 3 :
Figure 3: Typing derivations for ST + Λ S Γ ⊢ f : D n → D where f has arity n Γ ⊢ c : X
where {x 1 , ..., x n } are the free variables of α.With this intuition in mind, each component of Definition 4.7 corresponds to a natural operational interpretation of the corresponding term forming rule.For example, the intended operational semantics of s • t would be⟨s, π⟩ ⇓ ⟨u, π 1 ⟩ ⟨t, π 1 ⟩ ⇓ ⟨v, π 2 ⟩ ⟨s • t, π⟩ ⇓ ⟨⟨u, v⟩, π 2 ⟩and this behaviour is embodied by the denotation [s • t], which maps π to ⟨a, b, π 2 ⟩ where a can be interpreted as the denotation of the value u, and b as the denotation of v. Similarly, the call-by-value operational semantics of function application would be expressed by the rule ⟨t, π⟩ ⇓ ⟨u, π 1 ⟩ ⟨s, π 1 ⟩ ⇓ ⟨v, π 2 ⟩ ⟨uv, π 2 ⟩ ⇓ ⟨w, π 3 ⟩ ⟨ts, π⟩ ⇓ ⟨w, π 3 ⟩ t : X of ST would have operational behaviour ⟨t, π⟩ ⇓ ⟨v, π 1 ⟩, where we imagine that t in state π evaluates to a value v and returns a state π 1 .We view [X] as the set of denotations of values of type X, and [t] : S → [X] × S accordingly as a function with [t]π = ⟨[v], π 1 ⟩.The interpretation of fully typed terms [Γ ⊢ t : X] correspond to mappings [Γ] → S → [X] × S where free variables of t can be instantiated by values of the corresponding type.