General Recursion via Coinductive Types

A fertile field of research in theoretical computer science investigates the representation of general recursive functions in intensional type theories. Among the most successful approaches are: the use of wellfounded relations, implementation of operational semantics, formalization of domain theory, and inductive definition of domain predicates. Here, a different solution is proposed: exploiting coinductive types to model infinite computations. To every type A we associate a type of partial elements Partial(A), coinductively generated by two constructors: the first, return(a) just returns an element a:A; the second, step(x), adds a computation step to a recursive element x:Partial(A). We show how this simple device is sufficient to formalize all recursive functions between two given types. It allows the definition of fixed points of finitary, that is, continuous, operators. We will compare this approach to different ones from the literature. Finally, we mention that the formalization, with appropriate structural maps, defines a strong monad.


Introduction
Type theory is, we often claim, a rich functional programming language with dependent types and, at the same time, a constructive logical system. This view is consistently adopted in Martin-Löf's type theory [39,48]. However, a serious limitation of type theory with respect to standard functional programming languages is that all computations must terminate. This restriction has two reasons. First, to decide type-checking of dependent types, we need to reduce type expressions to normal form (see the work by Barendregt and Geuvers [5] for a good exposition of technical issues of type-theoretic proof assistants). Second, since propositions are represented by types and proofs by programs, according to the Curry-Howard isomorphism [37,28,4,55], we cannot allow non-terminating proofs, because they would lead to inconsistency.
There have been attempts to overcome both problems in the literature, starting from the work of Paulson [50] and Nordström [47].
There are implementations of extensional type theory for which the type-checking problem is undecidable, notably Nuprl [20]. In such a system the correctness of a judgment cannot be determined by just analyzing the terms: a supplementary proof must be given. In principle, a complete type-checkable term can be generated from such a proof. Types of partial functions have been devised by Constable and added to Nuprl [21,22].
Geuvers, Poll, and Zwanenburg [29] added a fixed point operator Y to type theory and proved the conservativity of the extension. This means that a judgment derived in the extended system and not containing Y can be derived in the non-extended system. This allows the use of Y for proof search: we construct a proof containing Y, then we reduce it; if we obtain a term not containing Y, we have a valid proof. However, statements about diverging elements cannot be proved, because valid proofs cannot contain Y.
Recent research has tried to find good representations of general recursive functions in type theory following various avenues: Balaa and Bertot used well-founded recursion [3]; Dubois and Donzeau-Gouge and, independently, Bove and Capretta used inductive characterizations of domain predicates [26,14,15,16,17]; Bertot, Capretta, and Das Barman combined the two methods to give a semantics of imperative programming [13] and Bertot extended the work to coinductive types [12]; Barthe and others used type labeling to strengthen termination conditions [7,9]; McBride and McKinna used views, that is, different potential inductive characterizations of data types [41].
The first problem is how to represent partial functions. The most popular way consists in seeing a partial function f : A ⇀ B as a total function defined on a subset of the type A. In intensional type theory, a subset of a type is represented by a predicate D : A → Prop. A partial function is represented by a term f : Πx : A. (D x) → B, provided that the result does not depend on the proof of the predicate, that is, for x : A, if p₁ and p₂ are two proofs of (D x), then (f x p₁) = (f x p₂).
This formalization of partial functions has two defects. First, if we want to define the type of partial functions from A to B, we need second-order sum types: this requires either an impredicative type theory [31,32,24] or a predicative theory with type universes [40]. In the second case, there are some difficulties when we try to define the predicate inductively from the recursive equations of the function: the counterexample Itz in [17] cannot be formalized without impredicativity. Second, diverging elements are not represented. We can apply a partial function only to the elements in its domain, but we cannot translate an expression (f a) if a does not satisfy D. I propose a different approach. The type of partial functions from A to B is defined as A → B^ν, where B^ν is a type in which B can be embedded and that contains terms representing partial elements. The standard choice in the semantics of programming languages is to put B^ν ≡ B + {⊥}, where {⊥} is a one-element set [54,60]. This solution is not available in type theory: sum types are decidable, that is, it is decidable whether an element of B + {⊥} is in B or is ⊥. This would imply that we could decide when a function diverges; it is then clear that not all recursive functions would be representable. However, adopting ideas of Scott [54], we can constructivize this notion by formalizing finite elements and then taking the filter completion. This approach was adopted by Michael Hedberg [35], who formalized constructive domain theory as a step toward a model of partial type theory inside total type theory.
Instead, here we choose as B^ν a certain coinductive type. Coinductive types were first introduced in type theory by Hagino [34]; their second-order implementation was studied by Wraith [61] and Geuvers [27]. The version we use here was developed by Coquand [23] and implemented in Coq by Gimenez [30].
Before defining B^ν formally, let us see the model of computation on which it is based. We give a description of computable functions that is Turing complete and is as simple as standard formalizations like Kleene's recursive functions, the pure λ-calculus, and Turing machines. It has the advantage that it translates easily into type theory.
We start with a system λ_Alg containing algebraic data types with definition by cases and function types with λ-abstraction and application. Then we introduce a new rule Iter to define functions. To define a function f from a type A to a type B, we assign to every element x of A either directly a value b in B, indicated by ⌜b⌝, or another element a′ in A, indicated by ⊲a′. In other words, we give a function g : A → A + B, where ⊲• and ⌜•⌝ denote the left and right injections, respectively. The rule Iter states that we obtain a function f = (iter g) : A → B. The function f has the following computational behavior. The computation of f on input a proceeds recursively: if (g a) = ⌜b⌝, then the computation of (f a) terminates with result b; if (g a) = ⊲a′, we proceed to the computation of (f a′) and let (f a) = (f a′); if, continuing this process, we eventually obtain a result (f a′) = b, then we put (f a) = b; on the other hand, if the evaluation always gives a new element of A on which to compute f, then the computation continues indefinitely and the value of (f a) is undetermined.

Theorem 1.1. The system λ_Alg + Iter is Turing-complete.
Proof. We give just an outline of the proof. A complete version of it, formalized in type theory, is given later (Definition 4.1 and Theorem 4.2). We show that all recursive functions can be programmed. The zero constant, successor, and projections can be defined directly by constructors and cases. Let f be defined by primitive recursion, that is, given g : N^n → N and h : N^(n+2) → N, let f : N^(n+1) → N satisfy (f x 0) = (g x) and (f x (y+1)) = (h x y (f x y)). We use a technique called continuation-passing style programming, which consists in seeing programs as maps on functions [53]. We add a functional parameter and define a function on N^n × (N → N) × N using definition by cases and the rule Iter:

⟨x, u, 0⟩ → ⌜(u (g x))⌝
⟨x, u, y + 1⟩ → ⊲⟨x, λz.(u (h x y z)), y⟩
Call f⁺ the function so defined, f⁺ : N^n × (N → N) × N → N; then (f x y) = (f⁺ ⟨x, λz.z, y⟩). Let f be defined by minimization, that is, given g : N^(n+1) → N, we have f : N^n ⇀ N with (f x) = min y.(g x y), where min y.(g x y) denotes the least natural number y for which (g x y) = 0 if this value exists, and is undefined otherwise. Also in this case we use the technique of accumulating results, by adding a new natural number parameter containing the partial result. We use Iter to define a function f⁺ on N^(n+1):

⟨x, y⟩ → ⌜y⌝ if (g x y) = 0
⟨x, y⟩ → ⊲⟨x, y + 1⟩ otherwise

This defines a function f with (f x) = (f⁺ ⟨x, 0⟩).
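The continuation-passing translation of primitive recursion used in this proof can be sketched concretely. The following Python rendering is our own illustration (the names `prim_rec_iter`, `step`, and the tagged-pair encoding of A + B are ours, not part of λ_Alg): the coalgebra acts on states ⟨x, u, y⟩, where the continuation u accumulates the pending outer calls, and a plain loop plays the role of Iter.

```python
def prim_rec_iter(g, h):
    """f(x,0) = g(x), f(x,y+1) = h(x,y,f(x,y)), compiled to one Iter loop.

    The coalgebra returns ('return', b) for the right injection |b| and
    ('step', state') for the left injection |> state'.
    """
    def coalg(state):
        x, u, y = state
        if y == 0:
            # <x, u, 0>  ->  |(u (g x))|
            return ('return', u(g(x)))
        # <x, u, y+1>  ->  |> <x, \z. u(h(x, y, z)), y>
        return ('step', (x, lambda z, x=x, u=u, y=y: u(h(x, y - 1, z)), y - 1))

    def f(x, y):
        state = (x, lambda z: z, y)   # start with the identity continuation
        while True:                   # the Iter loop
            tag, v = coalg(state)
            if tag == 'return':
                return v
            state = v
    return f

# Example: factorial as primitive recursion, g(x) = 1, h(x, y, z) = (y+1)*z.
fact = prim_rec_iter(lambda x: 1, lambda x, y, z: (y + 1) * z)
```

Unfolding the loop for `fact(None, 5)` builds the continuation λz. 5·4·3·2·1·z and finally applies it to g(x) = 1, giving 120.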
The definition of a recursive function f : A → B is then given by a map from A to A + B, if we write ⊲a and ⌜b⌝ for the left and right injections, respectively. Such a function is a coalgebra for the functor F_B X := X + B (see [38] and [2] for elementary introductions to coalgebras). We recall the categorical notion of coalgebra: a coalgebra for an endofunctor F is an object A together with a morphism u : A → F A. If the functor F has a final coalgebra νF, γ : νF → F νF, then all coalgebras can be embedded in it. This means that if A and u constitute an F-coalgebra, then there is a unique morphism û : A → νF such that γ ∘ û = F û ∘ u. In type theory, final coalgebras are modeled by coinductive types. Let then B^ν be the coinductive type associated to F_B. Then, as we have said, every coalgebra u : A → A + B defines a function û : A → B^ν. In conclusion, we can model partial recursive functions from a type A to a type B in type theory by elements of A → B^ν.
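The unfolding û of a coalgebra into the final coalgebra can be sketched with an explicit lazy representation of B^ν. The classes `Ret`/`Step`, the runner `run`, and the Collatz-style example below are our own illustrative encoding, not part of the formal development: thunks stand in for corecursion, and a fuel bound stands in for observing finitely many steps.

```python
class Ret:
    """return b : an element of B^nu that is a finished computation."""
    def __init__(self, value):
        self.value = value

class Step:
    """step x : one computation step, with the rest delayed in a thunk."""
    def __init__(self, thunk):
        self.thunk = thunk

def unfold(g):
    """u-hat : A -> B^nu, the unique morphism into the final coalgebra
    induced by the coalgebra g : A -> A + B (tagged-pair encoding)."""
    def hat(a):
        tag, v = g(a)
        return Ret(v) if tag == 'return' else Step(lambda v=v: hat(v))
    return hat

def run(x, fuel):
    """Unwrap at most `fuel` steps; None means 'no value within fuel'."""
    for _ in range(fuel):
        if isinstance(x, Ret):
            return x.value
        x = x.thunk()
    return x.value if isinstance(x, Ret) else None

# Example coalgebra: count the Collatz steps needed to reach 1.
def collatz(state):
    n, count = state
    if n == 1:
        return ('return', count)
    return ('step', (n // 2 if n % 2 == 0 else 3 * n + 1, count + 1))
```

Here `unfold(collatz)` is total as a function into B^ν: even for inputs whose Collatz sequence never reached 1, it would simply produce an unbounded stream of steps.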
The rest of the paper formalizes this idea and compares it with other formalizations of partial recursive functions.
Section 2 gives a succinct introduction to type theory, with special emphasis on recursive (inductive and coinductive) types. Section 3 presents the type constructor for partial elements, the formal definition of convergence and divergence, and the formal proofs of basic properties. Section 4 contains the representation of general recursive functions in type theory using the type for partial elements. Section 5 tackles the insidious problem of the representation of nested recursive functions. Section 6 shows how to construct least fixed points of function operators. Section 7 discusses a variant of the construct that supports a lazy evaluation order. Finally, Section 8 proves that the constructor for partial elements is a strong monad.
The whole development has been completely formalized using the proof assistant Coq [57], version 8. Specifically, every numbered definition has been formalized and all numbered lemmas and theorems have been proved formally, with the exception of the content of Section 4, which we can see as a consequence of the more abstract results of Section 6. The main results, both in this article and in the Coq development, are Theorems 6.19 and 6.20. The examples of nested recursive functions of Section 5 have also been programmed in Coq. The file of the formalization is available on the author's web site: http://www.science.uottawa.ca/~vcapr396/

Type Theory and Recursive Types
We work in a dependent type theory with inductive and coinductive types. If you are familiar with this kind of system, you can skip this section. See [4], [5], or [6] for a good introduction to dependent type theory. We work in a system λµνP consisting of the pure type system λP with the addition of sum types and (co)inductive types. We use a formulation of (co)inductive types as recursive sum types, as in [30].
We use some simplifying notation to make the treatment more intuitive and concise. We write both Type and Prop for the sort of small types, usually denoted by * in λP, to distinguish computational from logical types and to facilitate applications to other type systems in which these sorts are distinguished. If Γ is a valid context and ∆ is a sequence of assignments of types to variables, we write Γ ⊢ ∆ valid to express that Γ, ∆ is also a valid context. We denote by x_∆ the sequence of variables assumed in ∆.
If ∆ ≡ x₁ : A₁, . . ., x_m : A_m and d ≡ d₁, . . ., d_m is a sequence of pseudo-terms, then the judgment Γ ⊢ d :: ∆ expresses the conjunction of the judgments Γ ⊢ dᵢ : Aᵢ[d₁/x₁, . . ., d_(i−1)/x_(i−1)], for 1 ≤ i ≤ m. We add constant definitions to the system; that is, if Γ ⊢ e : T, then we can add a declaration of the form t := e to the context, with the typing rule Γ, t := e ⊢ t : T and the reduction rule t →_δ e. A constant name can be declared at most once. The classes of names for variables and constants are disjoint. However, sometimes we use the same name in different fonts to denote a variable and a constant. It will then be understood that the variable is automatically substituted with the constant whenever the latter is defined in the context. For example, if we have Γ, t : T ⊢ u : U and Γ ⊢ e : T, we write Γ, t := e ⊢ u : U for Γ, t := e ⊢ u[t/t] : U.
Sum types are specified by a sequence of constructors with arguments of previously defined types.
Definition 2.1. Let Γ be a valid context and assume that the judgments Γ ⊢ Θᵢ valid and Γ, Θᵢ ⊢ pᵢ :: ∆ are derivable in the context Γ, for 1 ≤ i ≤ n. Then we can add the definition of the sum type

T [∆] : Type := c₁ : (Θ₁)(T p₁) | · · · | cₙ : (Θₙ)(T pₙ)

to the context. Let Γ′ be the extension of Γ with this sum type definition. The type T comes with the usual formation, introduction, and elimination (definition by cases) rules, together with the corresponding reduction rules. When a function is defined by case analysis, we use a pattern-matching notation to facilitate reading. We formulate both inductive and coinductive types as recursive sum types. By this we mean that the type T may occur in the types of the arguments of the constructors Θᵢ. The only restriction is that these occurrences must be strictly positive. See [25,30] for the notion of strictly positive occurrence.
Inductive and coinductive types were introduced in typed λ-calculus by Hagino in [33,34] under the name of categorical data types. In [61] and [27] their expression in polymorphic typed λ-calculus was studied.
In our formulation, inductive and coinductive types have the same rules as sum types plus a fixpoint rule for inductive types and a cofixpoint rule for coinductive types allowing the definition of recursive functions.
Inductive types were introduced in dependent type theory in [25] (see also [51], [49], and [59]). Coinductive types were studied in [42,43,23]. The version given here comes from [30] and is the one implemented in the proof tool Coq [56].

Definition 2.2. We make the same assumptions as in the definition of sum types, except that now Γ, T : (∆)Type ⊢ Θᵢ valid and Γ, T : (∆)Type, Θᵢ ⊢ pᵢ :: ∆, with T occurring only strictly positively in Θᵢ, for 1 ≤ i ≤ n (see [30], Section 2.2, p. 43, for the definition of strict positivity). Let T and c₁, . . ., cₙ be new constant names. Then we can add the definition of the inductive type to the context Γ. Let Γ′ be the extension of Γ with this inductive type definition. We have the same rules as for sum types, plus a fixpoint rule with its reduction rule, where D{f, t, e} is a side condition defined in [30], Section 3.1, p. 47.

Definition 2.3. We make the same assumptions as in the definition of inductive types. Let T and c₁, . . ., cₙ be new constant names. Then we can add the definition of the coinductive type

CoInductive T [∆] : Type := c₁ : (Θ₁)(T p₁) | · · · | cₙ : (Θₙ)(T pₙ)

to the context Γ. Let Γ′ be the extension of Γ with this coinductive type definition. We have the same rules as for sum types, plus a cofixpoint rule, where Ξ and Γ′′ are valid context extensions of Γ′ and C{f, e} is a side condition defined in [30], Section 4.1, p. 53. We refer to [30] for the definitions of the side conditions D and C of the fixpoint and cofixpoint rules. Let us give only an intuitive reminder of their meaning. The side condition D{f, t, e} guarantees that whenever the fixpoint function is applied to an argument in the inductive type, it performs recursive calls only on structurally smaller objects. The side condition C{f, e} guarantees that whenever the cofixpoint function is applied to obtain an element of the coinductive type, this element is productive [23], that is, it can be reduced to constructor form.
We will often use a simpler notation for fixed and cofixed points, writing the defining recursive equations directly. Which one of the two is meant will be clear from the type. There can be ambiguity when the domain of f is an inductive type and its codomain is a coinductive type; in that case we state explicitly whether a fixed or cofixed point is meant.
When coinductive types are considered categorically as the dual of inductive types, their formulation is different from the one given here. They are not recursive sum types like the inductive ones, but rather recursive record types, since records are the dual of sums. This is the way they are presented in [27]. Our formulation conforms to the intuitive conception of coinductive types as types of possibly infinite elements. Objects of coinductive types are built up by constructors like those of inductive types, but while inductive objects must be wellfounded, coinductive ones may be infinitely deep. This formulation is given in [23]. The equivalence of the two formulations is proved in [30].

Coinductive types of partial elements
For every type A, we define a coinductive type whose elements can be thought of as possibly undefined elements of A.

Definition 3.1. Let A be a type, that is, Γ ⊢ A : Type. Then we define

CoInductive A^ν : Type := return : (a : A)A^ν | step : (x : A^ν)A^ν

We use the notation ⌜a⌝ for (return a) and ⊲x for (step x).
Intuitively, an element of A^ν is either an element of A or a computation step followed by an element of A^ν. Since in coinductive types it is possible to define infinite elements, there is an object ⊲⊲⊲ · · · denoting an infinite computation; we call it ⊲∞. Formally, it is defined as the cofixed point ⊲∞ := ⊲⊲∞. We want to identify all terms of the form ⊲^k ⌜a⌝ as equivalent representations of the element a. We do it by defining an equality relation on A^ν that is a strengthening of bisimulation (see, for example, [44,1,10,36]). First we define, inductively, when an element of A^ν converges to a value in A and, coinductively, when it diverges:

Inductive Value_A : A^ν → A → Prop :=
  value return : (a : A)(Value_A ⌜a⌝ a)
| value step : (x : A^ν; a : A)(Value_A x a) → (Value_A ⊲x a)

CoInductive Diverge_A : A^ν → Prop :=
  diverge : (x : A^ν)(Diverge_A x) → (Diverge_A ⊲x)

We use the notation x ↓ a for (Value_A x a) and x ↑ for (Diverge_A x).
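In an eager language these notions can only be approximated, but the shape of the definitions can still be sketched. The following Python encoding is our own illustration: `Ret`/`Step` mirror return and step, `bottom` mirrors ⊲∞, and `converges_to` approximates x ↓ a by searching within a fuel bound (the fuel stands in for the finite depth of an inductive convergence proof; a negative answer only means "not within fuel", matching the undecidability of divergence).

```python
class Ret:
    """return a : a converged partial element."""
    def __init__(self, value):
        self.value = value

class Step:
    """step x : one computation step; the rest is delayed in a thunk."""
    def __init__(self, thunk):
        self.thunk = thunk

def bottom():
    """The infinite computation |>^infinity = |> |> |> ...
    Corecursive: one step whose tail is bottom itself."""
    return Step(bottom)

def converges_to(x, a, fuel):
    """Approximate x converges-to a: unwrap at most `fuel` steps and
    compare the value found, if any, with a."""
    for _ in range(fuel + 1):
        if isinstance(x, Ret):
            return x.value == a
        x = x.thunk()
    return False   # no value found within fuel; says nothing definitive

# |> |> <42> : the value 42 reached after two computation steps.
x = Step(lambda: Step(lambda: Ret(42)))
```

Note that constructing `bottom()` terminates instantly; only unwrapping it forever would diverge, which is exactly the productivity discipline of guarded corecursion.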
Our first example of a proof by coinduction shows that ⊲∞ diverges.

Lemma 3.3. ⊲∞ ↑.

This is trivial, but we give the proof to illustrate the style of derivation that is used to prove coinductive predicates.
Proof. If we think of coinductive definitions as representing infinite objects, coinductive predicates are proved by infinite proofs. The infinite proof showing the truth of the statement is

H = (diverge ⊲∞ (diverge ⊲∞ (diverge ⊲∞ · · ·))).

It consists of an infinite sequence of nested applications of the constructor diverge, always with ⊲∞ as first argument. At first sight this may seem a circular proof that doesn't prove anything. However, if we analyze it, we discover that it actually establishes what it alleges. Let us give names to the subterms of x₀ = ⊲∞: write x₀ = ⊲x₁, x₁ = ⊲x₂, and so on. Of course, they all coincide: xᵢ = ⊲∞ for every i. Again, it will be clear that we can use the same proof for every Hᵢ. The first step of the proof constructs H₀ from H₁: H₀ = (diverge x₁ H₁). This just says that if x₁ diverges, then x₀ must also diverge, because it is obtained by adding one ⊲ to x₁. In turn the proof H₁ is constructed by H₁ = (diverge x₂ H₂), and so on, producing the infinite proof, which now doesn't seem purposeless anymore: every occurrence of diverge shows that the term contains a separate ⊲ constructor.
In practice, we will define this proof H in terms of itself: H := (diverge ⊲∞ H). Formally, this definition is valid because the recursive occurrence of H is an argument of diverge; that is, in coinductive jargon, H is guarded by diverge. This guarantees that H can be expanded to an infinite proof not containing any occurrence of H itself.
Intuitively, A^ν contains copies of the elements of A plus a diverging element ⊲∞. However, A^ν is not isomorphic to A + 1, where 1 is the one-element type, because divergence is undecidable. In fact, the proposition

∀x : A^ν. (∃a : A. x ↓ a) ∨ x ↑

is not provable, while the corresponding statement about A + 1 is trivially true by case analysis. However, a different property, classically equivalent to the above decidability property, is constructively provable.

Lemma 3.4. ∀x : A^ν. ¬(∃a : A. x ↓ a) → x ↑.
Proof. This is our first non-trivial proof by coinduction, so we take care of doing it in detail and explain how such proofs work. We know that a coinductive object can be defined in terms of itself, as long as the definition is productive, that is, it can generate leading constructors to an arbitrary depth. This is true for coinductive proofs as well, leading to the apparently paradoxical fact that we can assume the statement that we want to prove, provided that we use it in such a way that every step of the (infinite) proof can be generated.
Let us see how this works specifically in our case. We give the name H to the proof that we are constructing: H : ∀x : A^ν. ¬(∃a : A. x ↓ a) → x ↑. We now describe how this function is constructed. Let x be an element of A^ν. By case analysis we know that either x = ⌜a⌝ for some a : A or x = ⊲x′ for some other x′ : A^ν. We consider separately the two cases.
If x = ⌜a⌝, then trivially ∃a : A. x ↓ a. The premise of the statement is then false and, therefore, the implication is trivially true.
If, on the other hand, x = ⊲x′, let us assume that there is no a : A such that x ↓ a. We have to prove that x diverges. The constructor diverge allows us to deduce this, if we can prove that x′ diverges. Now we apply the proof H to x′: if we can prove ¬∃a : A. x′ ↓ a, then we can conclude that x′ diverges. But this assertion is true because, if there were an a such that x′ ↓ a, then, by value step, also x ↓ a, against the assumption.
In conclusion, H allows us to deduce that x′ diverges and so, by diverge, that x diverges too, as desired. We used the proof H inside the definition of H itself; isn't this circular? No, because we used it to prove a hypothesis (x′ ↑) that was generated by diverge. In the coinduction jargon, the occurrence of H is guarded by the occurrence of diverge.
If you want to convince yourself of the soundness of this proof style, consider what concrete proofs are generated by H in specific cases. For a converging element x = ⊲⊲ · · · ⊲⌜a⌝, the proof is (H x). Let us expand it. Since x = ⊲x′ for x′ = ⊲ · · · ⊲⌜a⌝, the second case of the proof applies: (H x) = (diverge x′ (H x′)). In turn, the proof (H x′) reduces similarly, and so on, until we reach the proof (H ⌜a⌝). Finally, (H ⌜a⌝) trivially reduces to a proof by ex falso quodlibet as described in the first case, in which H does not occur.
On the other hand, if x = ⊲ ∞ , the described reduction procedure of (H x) continues indefinitely, generating the infinite proof of Lemma 3.3.This proof also does not contain any occurrence of H.
From now on, proofs of coinductive properties are less prolix. We take it for granted that we can assume the validity of the statement that we are proving. In case of doubt, it can always be checked, intuitively, that the proofs are productive or, formally, that they satisfy the condition C{f, e}. The correctness of the proofs has been checked formally using the proof assistant Coq. Now all the elements are in place for the definition of equality of partial elements; it is also a coinductive relation.

Definition 3.5. Let A be a type. We define equality on A^ν by

CoInductive Eq^ν_A [x, y : A^ν] : Prop :=
  eq value : (x, y : A^ν; a : A) x ↓ a → y ↓ a → (Eq^ν_A x y)
| eq step : (x, y : A^ν)(Eq^ν_A x y) → (Eq^ν_A ⊲x ⊲y)

We use the notation x ν= y for (Eq^ν_A x y). Note that, since convergence and divergence are in general undecidable, the equality x ν= y is not equivalent to the proposition (∃a : A. x ↓ a ∧ y ↓ a) ∨ (x ↑ ∧ y ↑). A series of results can be proved easily, stating that the defined operations, relations, and predicates behave as expected.
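In the lazy Python encoding used above (again our own illustration: `Ret`/`Step`, `value_of`, and `eq_nu` are our names), a bounded approximation of Eq^ν can be sketched: by eq value, two elements are equal when they reach the same value, regardless of how many steps each takes, so the check searches both sides up to a fuel bound.

```python
class Ret:
    def __init__(self, value):
        self.value = value

class Step:
    def __init__(self, thunk):
        self.thunk = thunk

def value_of(x, fuel):
    """Search for the value of x within `fuel` steps (None if not found)."""
    for _ in range(fuel + 1):
        if isinstance(x, Ret):
            return x.value
        x = x.thunk()
    return None

def eq_nu(x, y, fuel):
    """Approximate x =nu y: true if both sides converge, within fuel, to
    the same value (the eq_value case).  Step counts are ignored, which
    is exactly what distinguishes Eq^nu from plain bisimulation."""
    a, b = value_of(x, fuel), value_of(y, fuel)
    return a is not None and a == b
```

For instance, `Ret(3)` and `Step(lambda: Ret(3))` are identified, as ⌜3⌝ ν= ⊲⌜3⌝ demands; two diverging elements can never be recognized as equal by this bounded check, reflecting that the eq step case needs a genuinely coinductive proof.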
Lemma 3.6. For all x, y : A^ν and a, a₁, a₂ : A, a series of expected properties holds; those used below are (numbered as in the proof): (1) x ↓ a → y ↓ a → x ν= y; (2) x ↑ → y ↑ → x ν= y; (3) x ↓ a → x ν= y → y ↓ a; (5) x ↓ a → x ν= ⌜a⌝; (6) x ν= ⌜a⌝ → x ↓ a; (7) ⊲x ↓ a → x ↓ a; (8) ⊲x ↑ → x ↑; (9) x ↓ a → ¬(x ↑); (11) x ν= y → x ν= ⊲y; (12) ⊲x ν= y → x ν= y; (13) ⌜a₁⌝ ↓ a₂ → a₁ = a₂; (14) x ν= x; (15) x ν= y → y ν= x.

Proof.
1. By eq value.

2. Proof by coinduction. Assume H is the proof of the statement. Let x and y be diverging elements. Then they must be of the form x = ⊲x′ and y = ⊲y′, where x′ and y′ are also diverging. We apply the proof H to x′ and y′ to obtain x′ ν= y′. By eq step we also have x ν= y. The recursive application of H is guarded by eq step.

5. Assume x ↓ a. By value return we have that ⌜a⌝ ↓ a. Thus, by eq value we can conclude that x ν= ⌜a⌝.

13. Assume that ⌜a₁⌝ ↓ a₂. Any proof H of this statement must be constructed by using value return, since the only other constructor, value step, gives a conclusion of the wrong form, that is, with a ⊲ constructor in the first argument. Therefore, it must be H = (value return a′) for some a′. But, since (value return a′) is a proof of ⌜a′⌝ ↓ a′, we may conclude that a′ = a₁ = a₂. This is an example of proof by inversion; it consists in proving a goal by reasoning on the possible form of an assumption.

6. Assume that x ν= ⌜a⌝. We proceed again by inversion on this assumption. If H is a proof of this premise, it must have been obtained by an application of eq value, since the other constructor, eq step, gives a conclusion of the wrong form, that is, with a ⊲ constructor in the second argument. Therefore, it must be H = (eq value x′ y′ a′ h₁ h₂) for some x′, y′ : A^ν and a′ : A, with h₁ a proof of x′ ↓ a′ and h₂ a proof of y′ ↓ a′. But this is a proof of x′ ν= y′, so we can conclude that x′ = x and y′ = ⌜a⌝. Then h₂ is a proof of ⌜a⌝ ↓ a′, from which we deduce, by point 13, that a = a′. But then h₁ is a proof of x ↓ a, and the conclusion is established.

14. By coinduction: Assume that H is the proof of ∀x : A^ν. x ν= x. Any element x must be of one of the two forms x = ⌜a′⌝ or x = ⊲x′. If x = ⌜a′⌝, we must prove that ⌜a′⌝ ν= ⌜a′⌝. By value return we have that ⌜a′⌝ ↓ a′, so, by eq value, we have the conclusion. If x = ⊲x′, by H we have that x′ ν= x′, so, by eq step, we have the conclusion. The application of H is guarded by eq step.

15. By coinduction: Assume that H is the proof of ∀x, y : A^ν. x ν= y → y ν= x. Assume x ν= y and let h be a proof of this premise. We proceed by inversion on the proof h. It must have been obtained by applying one of the two constructors eq value or eq step. If h = (eq value x y a′ h₁ h₂), with h₁ a proof of x ↓ a′ and h₂ a proof of y ↓ a′, then we just have to apply the same constructor with inverted arguments to obtain the desired goal: (eq value y x a′ h₂ h₁) is a proof of y ν= x. If h = (eq step x′ y′ h′), with x = ⊲x′, y = ⊲y′, and h′ a proof of x′ ν= y′, then we apply H to x′, y′, and h′ to obtain y′ ν= x′, and then we have y = ⊲y′ ν= ⊲x′ = x by eq step. The application of H is guarded by eq step.

7. By inversion on the proof of the premise ⊲x ↓ a, which can only have been obtained by using value step on a proof of x ↓ a.

11. By coinduction: Assume that H is the proof of ∀x, y : A^ν. x ν= y → x ν= ⊲y. Assume x ν= y and let h be a proof of this premise. We proceed by inversion on h. If h = (eq value x y a′ h₁ h₂), with h₁ a proof of x ↓ a′ and h₂ a proof of y ↓ a′, then, by value step, from h₂ we can deduce ⊲y ↓ a′. By eq value, we conclude that x ν= ⊲y. If h = (eq step x′ y′ h′), with x = ⊲x′, y = ⊲y′, and h′ a proof of x′ ν= y′, then we apply H to x′, y′, and h′ to obtain x′ ν= ⊲y′. By eq step we then have the conclusion. The application of H is guarded by eq step.

12. By inversion on the proof of the premise ⊲x ν= y, using point 7 in case eq value was used and point 11 in case eq step was used.

3. Assume that x ↓ a and let h be a proof of this premise. We proceed by induction on the structure of h. If h = (value return a) : ⌜a⌝ ↓ a, then we have to prove that if ⌜a⌝ ν= y then y ↓ a. By point 15, y ν= ⌜a⌝ and, by point 6, y ↓ a. If h = (value step x′ a h′), with x = ⊲x′ and h′ a proof of x′ ↓ a, we know by induction hypothesis that ∀y : A^ν. x′ ν= y → y ↓ a. Assume now that x ν= y, that is, ⊲x′ ν= y. By point 12 we can deduce that x′ ν= y and therefore, by induction hypothesis, that y ↓ a.

8. By inversion on the proof of the premise ⊲x ↑.

9. By induction on the proof h of the premise x ↓ a.

It follows that the pair ⟨A^ν, Eq^ν_A⟩ is a total setoid [8]. The finite elements of A^ν are those that have a value in A. They can be characterized directly by an inductive predicate:

Inductive Finite_A : A^ν → Prop :=
  finite value : (a : A)(Finite_A ⌜a⌝)
| finite step : (x : A^ν)(Finite_A x) → (Finite_A ⊲x)

Indeed, (Finite_A x) holds if and only if ∃a : A. x ↓ a. Proof. From left to right: by induction on the proof of (Finite x). From right to left: by induction on the proof of x ↓ a.
Hereafter, we use the notation x ↓ for (Finite x).
A partial function from a type A to a type B is seen as a function from A^ν to B^ν. To be precise, we must require that a function f : A^ν → B^ν preserve equality: ∀x, y : A^ν. x ν= y → (f x) ν= (f y). In other words, f must be a setoid function. Using the notation of [18], this is written f : A^ν [→] B^ν. ([→] is the functionoid constructor: given two setoids, it constructs the setoid of functions between the two. Its elements are pairs consisting of a function and a proof that it preserves the setoid equality. The equality of the functionoid is the extensional equality on the first component, that is, the underlying function.) Anyway, we will use the simple definition and leave it to the reader to check that all the functions that we define (with one exception) preserve equality.
A function is called strict if it always maps diverging elements to diverging elements.Since a strict function is always determined on the diverging elements and it must preserve equality, its type can be strengthened to A → B ν .
The first partial functions that we define are just the liftings of total functions.

Definition 3.10. If f : A → B, we define its lifting f^ν : A^ν → B^ν to the partial elements by corecursion: (f^ν ⌜a⌝) = ⌜(f a)⌝ and (f^ν ⊲x) = ⊲(f^ν x).

A special case arises when we consider tuples and projections. The types A^ν × B^ν and (A × B)^ν are not isomorphic. We want to define a strict version of the projection functions; that is, the projection should diverge whenever either of the components of the tuple diverges. To do this, we first map A^ν × B^ν to (A × B)^ν by corecursion:

(strict pair ⟨⌜a⌝, ⌜b⌝⟩) = ⌜⟨a, b⟩⌝
(strict pair ⟨⊲x, y⟩) = ⊲(strict pair ⟨x, y⟩)
(strict pair ⟨⌜a⌝, ⊲y⟩) = ⊲(strict pair ⟨⌜a⌝, y⟩)

The function strict pair just moves all the steps outside the pairing constructor. Iterating strict pair n times, we obtain strict tuple_n : (A^ν)^n → (A^n)^ν. We use the notation ⊳x₁, . . ., xₙ⊲ for (strict tuple_n x₁, . . ., xₙ). The strict projections π^ν_i are then defined by composing the lifting of the standard projection π_i : A^n → A with strict tuple_n. Note that (π^ν_i ⊳x₁, . . ., xₙ⊲) ν= xᵢ if and only if all the xⱼ's converge or xᵢ diverges.
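Lifting and strict pairing can be sketched in the same lazy encoding (our own Python illustration; the names `lift`, `strict_pair`, and `run` are ours):

```python
class Ret:
    def __init__(self, value):
        self.value = value

class Step:
    def __init__(self, thunk):
        self.thunk = thunk

def lift(f):
    """The lifting of a total f : A -> B, mapping |a| to |f a| and
    |> x to |> (lift f) x."""
    def fnu(x):
        if isinstance(x, Ret):
            return Ret(f(x.value))
        return Step(lambda: fnu(x.thunk()))
    return fnu

def strict_pair(x, y):
    """A^nu x B^nu -> (A x B)^nu: move all steps outside the pairing
    constructor, so the result diverges as soon as either side does."""
    if isinstance(x, Step):
        return Step(lambda: strict_pair(x.thunk(), y))
    if isinstance(y, Step):
        return Step(lambda: strict_pair(x, y.thunk()))
    return Ret((x.value, y.value))

def run(x, fuel):
    """Unwrap at most `fuel` steps; None means 'no value within fuel'."""
    for _ in range(fuel + 1):
        if isinstance(x, Ret):
            return x.value
        x = x.thunk()
    return None
```

A strict first projection is then `lift(lambda p: p[0])` composed with `strict_pair`, so it diverges whenever the second component does, unlike the naive projection on A^ν × B^ν.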

Representation of partial recursive functions
We show that every partial recursive function f : N^n ⇀ N can be implemented in type theory as f^ν : (N^ν)^n → N^ν. We use the notation A ⇀ B to denote partial recursive functions from A to B, that is, any function obtained from the base functions zero, successor, and projections, by composition, primitive recursion, and minimization. Let us define f^ν for every basic function and function-forming operation (see [52] or any other generic introduction to recursion theory). Zero: The zero function is the constant 0; since 0 is a total function definable in type theory, we just take 0^ν to be its lifting. Successor: Since the successor function S is definable in type theory, we just take S^ν to be its lifting. Projections: The projections are the functions π^ν_i defined in the previous section. Composition: Composition is the standard composition in type theory. If f : N^k ⇀ N and gᵢ : N^n ⇀ N for 1 ≤ i ≤ k, then the composite is interpreted as h^ν x = (f^ν (g^ν₁ x), . . ., (g^ν_k x)). Primitive Recursion: Let f : N^n ⇀ N and g : N^(n+2) ⇀ N, and let h be defined by primitive recursion from f and g: (h x 0) = (f x) and (h x (y+1)) = (g x y (h x y)). We first define a version h′ of h by recursion (fixpoint) on the natural numbers and then lift it to the partial elements. Minimization: Let f : N^(n+1) ⇀ N and let g be defined from f by minimization: g : N^n ⇀ N, g x = least y such that (f x y) = 0.
To define the type-theoretic version of g we use an auxiliary function with an extra accumulation parameter, defined by corecursion (cofixpoint) on the result: it tests whether (f x y) evaluates to 0; if so, it returns y, otherwise it adds a computation step and continues with y + 1. We then obtain g^ν by starting the search at 0. It is routine work, although quite long, to verify that the translations have the correct computational behavior.

Theorem 4.2. Let f : N^n ⇀ N be a partial recursive function. For every x : N^n and y : N, (f x) is defined and equal to y if and only if (f^ν ⌜x₁⌝, . . ., ⌜xₙ⌝) ↓ y.

Proof. The proof is a lengthy routine use of the techniques illustrated in the previous section. For a formal proof we should first formalize part of recursion theory. First, we have to define an inductive type of codes of recursive functions, generated by constructors corresponding to the base functions, composition, primitive recursion, and minimization. Then, we need to give an operational semantics that associates to every code a relation on natural numbers, the relation being the graph of the recursive function. Finally, we have to interpret the codes as functions on the type of partial elements, as shown above, and prove that this interpretation is sound with respect to the operational semantics.
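The corecursive search used for minimization can be sketched in the lazy encoding (our own illustration; for simplicity the test function f is taken total here, whereas the text handles a partial f^ν):

```python
class Ret:
    def __init__(self, value):
        self.value = value

class Step:
    def __init__(self, thunk):
        self.thunk = thunk

def mu(f, x):
    """g x = least y with f(x, y) = 0, as a partial element.  One step is
    emitted per candidate tested, so the definition is productive even
    when no such y exists: the result is then an infinite run of steps."""
    def search(y):
        if f(x, y) == 0:
            return Ret(y)
        return Step(lambda: search(y + 1))
    return search(0)   # accumulation parameter initialized to 0

def run(x, fuel):
    """Unwrap at most `fuel` steps; None means 'no value within fuel'."""
    for _ in range(fuel + 1):
        if isinstance(x, Ret):
            return x.value
        x = x.thunk()
    return None
```

When f never hits 0, `mu(f, x)` is still a perfectly well-defined lazy value; only `run` with ever more fuel keeps unwrapping steps, which is the computational content of an undefined minimization.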
There are no conceptual problems in doing this, but a lot of technical work. We refer instead to Section 6, where we prove that it is possible to construct fixed points of functional operators. Since it is a known fact that all recursive functions can be realized by such a fixpoint combinator, the present statement then follows automatically.
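As an informal illustration (not the paper's formal development), the coinductive type of partial elements and the corecursive search used for minimization can be sketched in Python. The classes `Return` and `Step` play the roles of the two constructors, thunks supply the laziness, and the names `run`, `minimize`, and the fuel-bounded evaluator are our own illustrative choices; for simplicity the minimized function is assumed total here, whereas in the text f is itself partial.

```python
class Return:
    """Constructor return(a): the computation yields the value a."""
    def __init__(self, value):
        self.value = value

class Step:
    """Constructor step(x): one more computation step; thunk() gives the rest."""
    def __init__(self, thunk):
        self.thunk = thunk

def run(d, fuel):
    """Unfold at most `fuel` steps; return the value, or None if still running."""
    for _ in range(fuel):
        if isinstance(d, Return):
            return d.value
        d = d.thunk()
    return d.value if isinstance(d, Return) else None

def minimize(f, x):
    """g x = least y such that f x y = 0, as a corecursive search.

    Illustrative simplification: f is assumed total; in the paper each
    call to f must itself be run step by step."""
    def search(y):
        return Step(lambda: Return(y) if f(x, y) == 0 else search(y + 1))
    return search(0)
```

For example, `run(minimize(lambda x, y: abs(y - 3), 0), 100)` yields 3, while searching for a zero of a function that has none produces an endless sequence of steps, so any finite fuel budget reports divergence.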
Let me stress the advantages of this approach in comparison with other methods of formalizing general recursion in type theory.
First of all, some of the techniques, for example that of Balaa and Bertot [3] and that of Barthe and others [7,9], do not address the question of partiality but present ways of extending the definition schemes for total recursive functions. The method of Bove and Capretta [14,15,16,17] allows the definition of partial functions by restricting them to their domain of convergence. However, a function still cannot be applied freely to an argument: it is first necessary to prove that the argument satisfies the domain predicate.
With coinductively defined types of partial elements, functions can be freely applied to arguments without the need of extra logical information.

Nested recursion
Theorem 4.2 says that every computable function can be represented in type theory. In this section we look at some specific examples of nested recursive functions. In general we represent a partial function from A to B as an element of A → B^ν, since the values on the diverging elements of A must, by strictness, diverge.
We start with the simplest example of nested recursion [15]:

nest : N ⇀ N
nest 0 = 0
nest (S n) = nest (nest n)

It is clear that nest is constantly 0, so we could implement it in type theory as the constant 0. However, we are interested in the form in which the function is defined; more complex nested functions do not have a simple non-nested presentation, and we will see an example later. We represent nest in type theory by using the method of accumulation of results and tail recursion, by means of an auxiliary function cnest : N × N → N^ν. It is easy to check that (cnest ⟨n, m⟩) computes the value (nest^m n): the extra parameter m keeps track of the number of nested iterations of nest. We can then define nest^ν in type theory by instantiating the accumulation parameter.

Let us look at a more interesting example. We define a class of nested recursive functions that we nickname the devil's nest. Let A be a type and T a decidable subset of A, representable in type theory by a predicate P : A → Prop such that ∀a : A. (P a) ∨ ¬(P a). Let i : A → A and g : T → A (that is, g : (x : A)(P x) → A). Then the function dev_{T,i,g} is defined as

dev_{T,i,g} : A ⇀ A
dev_{T,i,g} a = (g a)                              if a ∈ T
dev_{T,i,g} a = (dev_{T,i,g} (dev_{T,i,g} (i a)))  otherwise

We formalize this function in type theory by an auxiliary function dev_aux that, as before, has an extra parameter keeping track of the number of nested calls to dev_{T,i,g}. We have left the proof argument of g implicit to simplify notation: rigorously, in the case where (P a) is true, we should have written (g a h) in place of (g a), where h is the proof of (P a) guaranteed by the case branch. As in the previous example, the original function is recovered by specifying an initial value for the accumulation parameter, in this case 0:

dev^ν_{T,i,g} : A → A^ν
dev^ν_{T,i,g} a = (dev_aux ⟨a, 0⟩).
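To make the accumulation idea concrete, here is a hypothetical Python rendering of cnest, modelling the constructors return and ⊲ with illustrative classes `Return` and `Step`; the counter m records how many nested applications of nest are still pending.

```python
class Return:
    def __init__(self, value):
        self.value = value

class Step:
    def __init__(self, thunk):
        self.thunk = thunk  # zero-argument function producing the rest

def run(d, fuel):
    """Unfold at most `fuel` steps; None means 'still running'."""
    for _ in range(fuel):
        if isinstance(d, Return):
            return d.value
        d = d.thunk()
    return d.value if isinstance(d, Return) else None

def cnest(n, m):
    """Tail-recursive partial computation of nest^m(n).

    nest 0 = 0 and nest (S n) = nest (nest n); the parameter m counts
    the nested calls still to be performed."""
    def step():
        if m == 0:
            return Return(n)        # no pending calls: n is the answer
        if n == 0:
            return cnest(0, m - 1)  # nest 0 = 0 discharges one pending call
        return cnest(n - 1, m + 1)  # nest (S n) = nest (nest n): one more pending call
    return Step(step)

def nest(n):
    # the original function is recovered with an initial accumulator of 1
    return cnest(n, 1)
```

Running `nest(5)` unfolds through a finite chain of steps to 0, matching the fact that nest is constantly 0, while the tail-recursive shape mirrors the type-theoretic definition by cofixpoint.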
Another interesting example occurs when a recursive call is followed by a call to another function, as in the definition of primitive recursion but without a decreasing argument. Let h : A → A. We want to formalize the function that applies h after each recursive call:

f : A ⇀ A
f a = (g a)          if a ∈ T
f a = (h (f (i a)))  otherwise

We use a continuation-passing-style translation, with an extra functional parameter that accumulates the pending applications of h. Finally, we put the two preceding examples together to obtain the most general version of the devil's nest, with both nested recursive calls and post-composition with h. This function is formalized by an auxiliary function devil_aux with both a continuation and a nesting counter: in the branch where (P a) holds, the pending nested calls counted by m are unwound starting from (g a), and when none remain the accumulated continuation k is applied; otherwise one computation step is added,

devil_aux ⟨k, m, a⟩ = ⊲(devil_aux ⟨k ∘ h, (S m), (i a)⟩)   if ¬(P a),

and then

devil^ν_{T,i,g,h} : A → A^ν
devil^ν_{T,i,g,h} a = (devil_aux ⟨λx.x, 0, a⟩).

There is another possible generalization: instead of having just one nested recursive call, we could have a variable number of nestings. It is then enough to modify the definition by adding the nesting number to the accumulation parameter.
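The continuation-passing translation for a recursive call followed by a post-processing function can likewise be sketched in Python (with illustrative `Return`/`Step` classes; the parameters `p`, `g`, `i`, and `h` stand for P, g, i, and h of the text, and `rec_then` is our own name for the translation).

```python
class Return:
    def __init__(self, value):
        self.value = value

class Step:
    def __init__(self, thunk):
        self.thunk = thunk

def run(d, fuel):
    for _ in range(fuel):
        if isinstance(d, Return):
            return d.value
        d = d.thunk()
    return d.value if isinstance(d, Return) else None

def rec_then(p, g, i, h, a):
    """f a = g a if p a, else h (f (i a)).

    The continuation k accumulates the pending applications of h,
    turning the scheme into a tail-recursive (corecursive) one."""
    def aux(k, a):
        def step():
            if p(a):
                return Return(k(g(a)))
            return aux(lambda x: k(h(x)), i(a))
        return Step(step)
    return aux(lambda x: x, a)
```

With `p` testing for 0, `g` the identity, `i` the predecessor, and `h` the successor, the translated function rebuilds its argument: each recursive descent stacks one application of h onto the continuation.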

Fixed points of function operators
We want to construct functions defined as fixed points of function operators. Let F : (A → B^ν) → (A → B^ν) be such an operator. Our goal is to define a function Y(F) : A → B^ν such that (F Y(F)) is extensionally equal to Y(F). Moreover, Y(F) must be minimal with respect to convergence. Some conditions must be imposed on F for the construction to be possible. Since F is supposed to represent a generic recursive scheme, one sensible condition is finitarity: we assume that, to compute a specific result, F uses its argument only on a finite number of inputs.

Definition 6.1. We say that F : (A → B^ν) → (A → B^ν) is finitary if it satisfies the following condition: for every function f : A → B^ν and every argument a : A such that (F f a) converges to some value, that is, (F f a) ↓ b for some b : B, there exists a finite number of arguments a_1, …, a_n : A such that f converges on each of them, (f a_i) ↓ b_i, and every function g : A → B^ν with (g a_i) ↓ b_i for all i also satisfies (F g a) ↓ b. In words, F is finitary (or continuous) if its results depend only on the values of the function argument on a finite set of inputs.
Notice that all operators used in recursion theory, for example those needed for the constructions of Section 4, are finitary.
We will use three consequences of finitarity: first, a finitary operator preserves extensional equality; second, it preserves convergence order; third, its least prefixed point can be constructed in a countable number of steps.
In the rest of this section, let F be a finitary operator.

Definition 6.2. Extensional equality between two functions f_1, f_2 : A → B^ν is defined pointwise: f_1 ext= f_2 if and only if (f_1 a) ν= (f_2 a) for every a : A. We say that F is extensional if it maps extensionally equal functions to extensionally equal functions.

Lemma 6.3. F is extensional.
Proof. It follows trivially from the stronger Lemma 6.7.
A stronger property holds: F preserves the order on functions given by convergence. The order between functions is defined pointwise on their values: if f_1, f_2 : A → B^ν, then f_1 ⊑ f_2 if and only if (f_1 a) ⊑ (f_2 a) for every a : A. It is immediate that the equality ν= is a subrelation of the order ⊑, since the order is defined by three constructors of which the first two correspond to the constructors of equality. It is also easy to prove that ⊑ is a transitive relation and that it is reflexive and antisymmetric with respect to ν=. The relation ⊑ is equivalent to implication between convergence statements.

Lemma 6.5. For x, y : B^ν, x ⊑ y if and only if, for every b : B, x ↓ b implies y ↓ b.

Lemma 6.7. The operator F preserves the convergence order, that is, if f_1 ⊑ f_2 then (F f_1) ⊑ (F f_2).
Proof. It is a straightforward consequence of finitarity.
The vice versa is also true, but we have to be careful to take into account the non-extensionality of fstconv: if, for example, x converges to b, it is not guaranteed that (fstconv x y) also converges to b, because y may converge to a different b′ in a shorter time. However, if x is lower than y in the convergence order, we know that they cannot converge to different values. We can recursively define an infinitary version of fstconv.

Definition 6.12. The operation of computing the first converging element of a sequence of partial elements is defined corecursively. Infinitary versions of the lemmas that we proved for fstconv hold for this parallel search, with corresponding additional hypotheses to take non-extensionality into account.

Let us call k_i the i-th iteration of F on the function that always diverges: k_0 = λa.⊲^∞ and k_{i+1} = (F k_i). Convergence of the k_i's is stable with respect to the index i (Lemma 6.16).

Proof. We prove by induction on n that k_n ⊑ k_{n+1}; the statement follows by transitivity of ⊑. The base case is obvious since k_0 has the constant value ⊲^∞, the least element of the convergence order. The inductive step follows immediately from Lemma 6.7.
Finally, we can simply define the fixed point of F pointwise as the result of running all of the k_i's in parallel.

Definition 6.17. Y(F) = λa : A. the first converging element, in the sense of Definition 6.12, of the sequence (k_0 a), (k_1 a), (k_2 a), …

If Y(F) converges on a certain element a, it must give the same result as one of the k_i's.

Lemma 6.18. For every a : A and b : B, (Y(F) a) ↓ b if and only if (k_i a) ↓ b for some i : N.
Proof. From left to right it follows from Lemma 6.13; from right to left it follows from Lemma 6.14.
The combination of the previous lemmas provides a proof of the soundness of Y(F) as a least fixed point of F. In the other direction, we prove that Y(F) ⊑ (F Y(F)). Let a : A; we show that (k_n a) ⊑ (F Y(F) a) for every n, and the statement follows by Lemma 6.15. For n = 0 it is trivial because (k_0 a) = ⊲^∞. For non-zero values we have (k_{n+1} a) = (F k_n a) and, by Lemma 6.7, we just need to prove (k_n a) ⊑ (Y(F) a). But this follows easily from Lemmas 6.5 and 6.18.
Finally, Y(F) is minimal: if f : A → B^ν satisfies (F f) ⊑ f, then Y(F) ⊑ f.
Proof. We prove by induction on n that k_n ⊑ f. For n = 0 it is obvious. Assume that k_n ⊑ f. Then, by Lemma 6.7, k_{n+1} = (F k_n) ⊑ (F f) ⊑ f and we are done. The statement then follows from Lemma 6.15.
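The construction of Y(F) by iterating F from the everywhere-divergent function can be approximated concretely. The sketch below is our own simplification: a partial value is modelled as a Python value or `None` rather than as a stream of steps, so running the approximants "in parallel" becomes trying k_1, k_2, … for increasing n up to a fuel bound; `fact_op` is an illustrative finitary operator (the recursive scheme of the factorial).

```python
def bottom(_a):
    """k_0: the function that diverges everywhere (None models divergence)."""
    return None

def iterate(F, n):
    """k_n = F^n(bottom)."""
    k = bottom
    for _ in range(n):
        k = F(k)
    return k

def fix(F, a, fuel):
    """Approximate (Y(F) a): try k_1, k_2, ..., k_fuel in turn."""
    for n in range(1, fuel + 1):
        r = iterate(F, n)(a)
        if r is not None:
            return r
    return None

def fact_op(f):
    """A finitary operator: F(f)(n) uses f only at the single input n - 1."""
    def g(n):
        if n == 0:
            return 1
        r = f(n - 1)
        return None if r is None else n * r
    return g
```

Here k_n is defined exactly on the inputs 0, …, n − 1, so `fix(fact_op, 5, 100)` finds its answer at the sixth approximant; convergence, once attained, persists as n grows, which is the content of the stability lemma for the k_i's.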
A method to construct fixed points of function operators is described by Balaa and Bertot [3], but in their case it is necessary to prove that recursive calls are decreasing with respect to some wellfounded order.The advantage of our method is that it produces fixed points of every finitary operator, without requiring any additional logical information.

Lazy interpretation
The formalization of partial elements of A as terms of type A^ν gives a strict interpretation of functions. There cannot be a partial evaluation of a term: if x : A^ν, then we can investigate its shape, which is either a result a or a step ⊲x′. In the latter case, we can go on investigating the shape of x′. As long as we get step cases, we have no information about the result; when we get a result a, we get all the information.
In functional programming, it is useful to be able to compute only partial information about a result. For example, we may need to know that a certain natural number result is a successor, without computing it completely. An instance in which this capacity can be used in computation is given by two mutually defined recursive functions sloth_1 and sloth_2, where sloth_1 recursively calls itself on a larger argument and adds that argument to the result (for instance, (sloth_1 13) unfolds to (sloth_1 19) + 19), and sloth_2 tests whether a value of sloth_1 lies below a bound. It is easy to see that the computation of (sloth_1 13) diverges, independently of whether the evaluation is strict or lazy. However, if we evaluate it partially, we obtain 19 successor constructors applied to a yet-unknown value. When computing (sloth_2 14), we need to decide whether (sloth_1 13) ≤ 13. With a strict evaluation strategy, the computation of (sloth_2 14) diverges because the evaluation of (sloth_1 13) diverges. However, with a lazy evaluation strategy, we can determine that (sloth_1 13) = (sloth_1 19) + 19 > 13 and therefore (sloth_2 14) = 0. This shows that a lazy evaluation strategy may converge when a strict one diverges.
To formalize lazy evaluation we have to modify the formalization of partial elements for inductive types. For an inductive type T, we define the type of its partial elements as the coinductive type with the same constructors plus a constructor for a computation step that does not yield any information.
As before, we use the notation ⊲ x for (step x).We make a slight abuse of notation by using the same constructor names for T and ν T.
This was my original formalization of partial elements (see Chapter 7 of [19]).The version A ν is a simplification suggested to me by Herman Geuvers and Peter Aczel.
As an example, let us see how this variant produces the right computational behavior for the sloth_2 function. First of all, the type of lazy natural numbers is νN, with constructors 0, S, and ⊲. Here are the lazy versions of addition and order; addition is defined by corecursion on its result and order is defined as an inductive relation:

ν+ : νN → νN → νN
x ν+ 0 = x
x ν+ (S y) = S (x ν+ y)
x ν+ (⊲ y) = ⊲(x ν+ y)

le_0 : (y : νN) 0 ν≤ y
le_S : (x, y : νN) x ν≤ y → (S x) ν≤ (S y)
le_step,l : (x, y : νN) x ν≤ y → (⊲ x) ν≤ y
le_step,r : (x, y : νN) x ν≤ y → x ν≤ (⊲ y)

This definition of order is not reflexive, because it is not possible to prove ⊲^∞ ν≤ ⊲^∞, but we adopt it for our example for simplicity. The reader should find it easy to modify it into a reflexive relation.
Returning to our example, the conditional equation in the definition of sloth_2 produces the statement (sloth_1 19) ν+ 19 ν≤ 13. Contrary to the strict case, we can now evaluate this statement to a truth value. By the definition of ν+ this becomes S^19 (sloth_1 19) ν≤ S^13 0.
By inversion, if this statement were provable, the only applicable constructor would be le_S, so S^18 (sloth_1 19) ν≤ S^12 0 should also be provable. Repeating this step 13 times, we get S^6 (sloth_1 19) ν≤ 0. But this statement does not match the conclusion of any constructor of ν≤, thus it is not provable. We conclude that our original statement was not provable.
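The lazy refutation of S^19 (sloth_1 19) ν≤ S^13 0 can be replayed in Python. The classes `Zero`, `Succ`, and `LStep` model the constructors of νN with thunks for laziness, and `le` is a fuel-bounded decision procedure following the inversion argument; all names are illustrative, and sloth_1 is modelled only by its observable behaviour of 19 successors in front of a divergent computation.

```python
class Zero:
    pass

class Succ:
    def __init__(self, pred):
        self.pred = pred        # thunk for the predecessor

class LStep:
    def __init__(self, thunk):
        self.thunk = thunk      # one silent computation step

def from_int(n):
    """Embed a total natural number into the lazy naturals."""
    return Zero() if n == 0 else Succ(lambda: from_int(n - 1))

def add(x_thunk, y):
    """x ν+ y by corecursion on y: constructors are produced lazily."""
    if isinstance(y, Zero):
        return x_thunk()
    if isinstance(y, Succ):
        return Succ(lambda: add(x_thunk, y.pred()))
    return LStep(lambda: add(x_thunk, y.thunk()))

def diverge():
    """⊲^∞: an endless stream of silent steps."""
    return LStep(diverge)

def le(x, y, fuel):
    """Try to decide x ν≤ y in at most `fuel` unfoldings (None: ran out)."""
    for _ in range(fuel):
        if isinstance(x, LStep):
            x = x.thunk()              # invert constructor le_step,l
        elif isinstance(y, LStep):
            y = y.thunk()              # invert constructor le_step,r
        elif isinstance(x, Zero):
            return True                # constructor le_0 applies
        elif isinstance(y, Zero):
            return False               # no constructor matches (S x) ν≤ 0
        else:
            x, y = x.pred(), y.pred()  # invert constructor le_S
    return None

# (sloth_1 13) behaves as (sloth_1 19) + 19: 19 successors, then divergence
sloth1_13 = add(diverge, from_int(19))
```

Even though `sloth1_13` diverges as a whole, `le(sloth1_13, from_int(13), 100)` terminates with `False` after peeling 13 pairs of successors, exactly mirroring the 13 inversion steps in the text.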

Partiality as a monad
The categorical notion of (strong) monad is a useful abstract description of computation. Eugenio Moggi studied this relation in a series of works [45,46,11]. We will show that the operator mapping a type A to the type of partial elements A^ν gives a computational monad in Moggi's sense. We recall the notion of monad in extension form, or Kleisli triple; the definition is taken from [11], Definition 3, p. 45. The intuitive understanding of a Kleisli triple is that, for a type of values A, T A is the type of computations of elements of type A. The unit η_A maps a value a to the trivial computation that just returns a. A function f : A → T B that maps values of type A to computations of type B can be extended to computations: f* : T A → T B is the program that, given a computation x of type A, first computes it and, if it gives a value a, applies f to it.
In the present case, C is the category of setoids in type theory [8]. The operator T maps a type A to the type of partial elements A^ν. To be precise, we must define this operation on setoids: this is not difficult, it is just necessary to identify elements of A^ν that give equal results according to the book equality of the setoid. The details of the definition are left to the reader. Also for the other components of the monad, we define them on types and leave to the reader the routine extension to setoids. The unit of the monad η is simply the return constructor of A^ν. If f : A → B^ν, then f* : A^ν → B^ν is defined by corecursion: f* (return a) = (f a) and f* (⊲ x) = ⊲(f* x). The equations for a Kleisli triple are satisfied; the proof of this fact is routine.
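The unit and extension operation of the partiality monad can be sketched directly (an illustrative Python model with `Return`/`Step` classes; `bind` is f* with the arguments flipped, as is conventional in programming):

```python
class Return:
    def __init__(self, value):
        self.value = value

class Step:
    def __init__(self, thunk):
        self.thunk = thunk

def unit(a):
    """η: the trivial computation that immediately returns a."""
    return Return(a)

def bind(x, f):
    """f* applied to x: run x and, if it yields a value a, continue as f(a);
    every step of x is preserved in the result."""
    if isinstance(x, Return):
        return f(x.value)
    return Step(lambda: bind(x.thunk(), f))

def run(d, fuel):
    for _ in range(fuel):
        if isinstance(d, Return):
            return d.value
        d = d.thunk()
    return d.value if isinstance(d, Return) else None
```

On computations that converge, the Kleisli equations can be checked by running both sides: for instance `bind(unit(a), f)` and `f(a)` unfold to the same value, which is the law f* ∘ η = f.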
A more powerful notion is that of strong monad. This is a monad in which a pair value–computation can be turned into the computation of a pair. The definition is taken from [45]. Moggi [45] shows that the pure λ-calculus can be interpreted inside strong monads.
In the present case the natural transformation t can be defined by

t_{A,B} : A × B^ν → (A × B)^ν
t_{A,B} ⟨a, (return b)⟩ := return ⟨a, b⟩
t_{A,B} ⟨a, ⊲x⟩ := ⊲(t_{A,B} ⟨a, x⟩).
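In the same illustrative Python model, the strength is the corecursive function that carries the value a through every step of the computation:

```python
class Return:
    def __init__(self, value):
        self.value = value

class Step:
    def __init__(self, thunk):
        self.thunk = thunk

def run(d, fuel):
    for _ in range(fuel):
        if isinstance(d, Return):
            return d.value
        d = d.thunk()
    return d.value if isinstance(d, Return) else None

def strength(a, x):
    """t_{A,B}: turn a pair (value, computation) into a computation of a pair,
    preserving every computation step of x."""
    if isinstance(x, Return):
        return Return((a, x.value))
    return Step(lambda: strength(a, x.thunk()))
```

Note that `strength(a, x)` converges exactly when x does, and in the same number of steps; if x diverges, so does the computation of the pair.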
A thorough study of this monad is the subject of a forthcoming article in collaboration with Thorsten Altenkirch and Tarmo Uustalu.
Let T and c_1, …, c_n be new constant names. Then we can add the definition of the sum type Sum_T[∆] : Type := c_1 : (Θ_1)(T p_1) | … | c_n : (Θ_n)(T p_n).

Definition 4.1. By recursion on the definition of a partial recursive function f : N^n ⇀ N, we define its type-theoretic version f^ν : (N^ν)^n → N^ν.

Definition 6.4. The convergence order between partial elements is defined coinductively by

CoInductive Le^ν_A [x, y : A^ν] : Prop :=
  le_value : (x, y : A^ν; a : A) x ↓ a → y ↓ a → (Le^ν_A x y)
  le_steps : (x, y : A^ν) (Le^ν_A x y) → (Le^ν_A (⊲ x) (⊲ y))
  le_lstep : (x, y : A^ν) (Le^ν_A x y) → (Le^ν_A (⊲ x) y)

We use the notation x ⊑ y for (Le^ν_A x y). Intuitively, x ⊑ y holds if x is obtained from y by adding some (potentially infinitely many) ⊲ steps.

Proof. From left to right, by induction on the proof of x ↓ b. From right to left, by coinduction and cases on x. By antisymmetry we can conclude that the following characterization of equality holds.

Lemma 6.6. The proposition x ν= y is equivalent to ∀b : B. x ↓ b ↔ y ↓ b.

Lemma 6.11. Let x, y : B^ν and b : B, and assume that x ⊑ y; then x ↓ b → (fstconv x y) ↓ b.
Proof. By induction on the proof of x ↓ b.

Lemma 6.16. For every n, m : N such that n ≤ m, k_n ⊑ k_m; equivalently, ∀a : A, b : B. (k_n a) ↓ b ⇒ (k_m a) ↓ b.

Theorem 6.19. Y(F) is a fixed point of F: (F Y(F)) ext= Y(F).
Proof. We prove that (F Y(F)) ⊑ Y(F) and Y(F) ⊑ (F Y(F)); the statement follows from antisymmetry of ⊑. To prove that (F Y(F)) ⊑ Y(F) we just have to show, by Lemma 6.5, that for all a : A and b : B, if (F Y(F) a) ↓ b then also (Y(F) a) ↓ b. By finitarity of F, (F Y(F) a) ↓ b implies that there exist a_1, …, a_k : A and b_1, …, b_k : B such that (Y(F) a_i) ↓ b_i and the result of (F Y(F) a) depends only on these arguments. By Lemma 6.18, we have that (k_{n_i} a_i) ↓ b_i for some indices n_i. Let n be the largest of the n_i's. By Lemma 6.16, (k_n a_i) ↓ b_i for every i. Therefore, by finitarity of F, (F k_n a) ↓ b. But (F k_n) = k_{n+1}, so (k_{n+1} a) ↓ b. By Lemma 6.18, it follows that (Y(F) a) ↓ b, as desired.

Definition 7.1. Let T be an inductive type, that is, T is defined in type theory by Inductive T : Type := c_1 : (Θ_1)T | … | c_n : (Θ_n)T. The type of lazy partial elements of T is the coinductive type CoInductive νT : Type with the same constructors plus the step constructor ⊲ : νT → νT.

Definition 8.1 (Kleisli triple/monad in extension form). A Kleisli triple over a category C is a triple (T, η, _*), where T : |C| → |C|, η_A : A → T A for A ∈ |C|, f* : T A → T B for f : A → T B, and the following equations hold:
• η*_A = id_{T A};
• f* ∘ η_A = f for f : A → T B;
• g* ∘ f* = (g* ∘ f)* for f : A → T B and g : B → T C.

Definition 8.3. A strong monad over a category C with finite products is a monad (T, η, µ) together with a natural transformation t_{A,B} : A × T B → T (A × B) satisfying the following equations:
• T(r_A) ∘ t_{1,A} = r_{T A};
• T(α_{A,B,C}) ∘ t_{A×B,C} = t_{A,B×C} ∘ (id_A × t_{B,C}) ∘ α_{A,B,T C};
• t_{A,B} ∘ (id_A × η_B) = η_{A×B};
• t_{A,B} ∘ (id_A × µ_B) = µ_{A×B} ∘ T(t_{A,B}) ∘ t_{A,T B};
where r and α are the natural isomorphisms
• r_A : 1 × A → A;
• α_{A,B,C} : (A × B) × C → A × (B × C).
If ∆ ⊢ t : T and Γ ⊢ d :: ∆, we write t[d] for t[d_1/x_1, …, d_m/x_m], leaving it implicit that we are substituting the last n variables in the context of t. To avoid confusion, we may sometimes introduce the term t as t[x_1, …, x_n]. If Γ, ∆ ⊢ B : Type, we write Π∆.B for the successive product of B over each of the variables in ∆: Π∆.B ≡ Πx_1 : A_1. Πx_2 : A_2. … Πx_n : A_n. B. We also use the notation (∆)B for Π∆.B.