Laboratoire de l'Informatique et du Parallélisme » Linear Arithmetic

\section{Witness function method}

Key features/differences from realisability:

\begin{itemize}

	\item De Morgan normal form: reduces type level to $0$, complementary to double-negation translation that \emph{increases} type level.

	\item Free-cut elimination: allows us to handles formulae of fixed logical complexity throughout the proof. 

	\item Respects logical properties of formulae, e.g.\ quantifier complexity, exponential complexity.

\end{itemize}

\todo{say some more here}

\todo{compare with applicative theories}

\anupam{in particular, need to point out that this argument is actually something in between, since usually the WFM requires programs to be defined by formulae, not equational specifications.}

\newcommand{\type}{\mathtt{t}}

\newcommand{\norm}{\nu}

\newcommand{\safe}{\sigma}

		\subsection{The translation}

		\begin{definition}

			[Typing]

			To each $\Sigma^\nat_1$-formula $A$ we associate a sorted tuple of variables $\type (A)$, intended to range over $\Nat$, as follows:

			\[

			\begin{array}{rcll}

			\type (\nat (t)) & := & (;x^{\nat (t)} ) & \\

			\type(s = t) & := & ( ; x^{s = t}) & \\

			\type (A \lor B)  & : = & (\vec u , \vec v ; \vec x , \vec y) & \text{if $\type(A) = (\vec u ; \vec x)$ and $\type(B) = (\vec v ; \vec y)$.} \\

			\type (A \land B)  & : = & (\vec u , \vec v ; \vec x , \vec y) & \text{if $\type(A) = (\vec u ; \vec x)$ and $\type(B) = (\vec v ; \vec y)$.} \\

			\type (! A) & : = & ( \vec u ,\vec x  ; ) & \text{if $\type(A) = (\vec u ; \vec x )$.} \\

			\type (\exists x^\nat . A) & := & (\vec u ; \vec x , y) & \text{if $\type (A) = (\vec u ; \vec x)$.}

			%	\type (\forall x^N . A) & := & \Nat \to \type(A)

			\end{array}

			\]

			%	where $\nu$ designates that the inputs are normal.

		\end{definition}

		\anupam{need to account for normality and safety somewhere. Attempting inlined and leaving types without this decoration.}

		\begin{remark}

			[Distribution of $!$]

			There is a potential issue that the $!$ contains $\lor$ symbols in its scope, whence we do not in general have $!(A \lor B) \cong !A \lor !B$. However this will not be a problem here by inspection of a convergence statement: there are no $\lor$ symbols in the scope of a $!$. Therefore, after free-cut elimination, no formula in the proof will have this property either.

			On the other hand, since we are working in affine logic, we do in general have $!(A \land B) \cong !A \land !B$.

		\end{remark}

		\begin{definition}

			[Translation]

			We give a translation of free-cut free $\Sigma^\nat_1$-$\pind$ proofs $\pi$ of sequents $\Gamma(\vec a) \seqar \Delta(\vec a)$ to BC-programs for a vector of functions $\vec f^\pi$ with argument of type $\type \left(\bigotimes\Gamma\right)$ such that $|\vec f^\pi | = | \type\left(\bigparr\Delta\right)|$.

			The translation is by induction on the size of a free-cut free proof, so we proceed by analysis of the final step of a proof.

			If $\pi$ is simply an axiom, we construct $\vec f^\pi$ as follows:

			\[

			\begin{array}{ccc}

			\vlinf{\natcntr}{}{\nat(t) \seqar \nat(t) \land \nat(t) }{}

			& : &

			( \id (;x) , \id (;x) )

			\\

			\vlinf{\nat_\epsilon}{}{\seqar \nat (\epsilon)}{}

			& : &

			\epsilon

			\\ 

			\vlinf{\nat_0}{}{\nat(t) \seqar \nat(\succ_0 t)}{}

			& : &

			\succ_0 ( ;x) 

			\\

			\vlinf{\nat_1}{}{\nat(t) \seqar \nat(\succ_1 t)}{}

			& : & 

			\succ_1 (; x)

			\\

			\vlinf{\epsilon^0}{}{ \nat (t)  , \epsilon = \succ_0 t \seqar }{} 

			& : &

			\epsilon

			\\

			\vlinf{\epsilon^1}{}{ \nat (t)  , \epsilon = \succ_1 t \seqar }{}

			& : &

			\epsilon

			\\

			\vlinf{\succ_0}{}{\nat (s) , \nat (t)  , \succ_0 s = \succ_0 t\seqar s = t }{}

			& : &

			\epsilon

			\\

			\vlinf{\succ_1}{}{\nat (s) , \nat (t)  , \succ_1 s = \succ_1 t\seqar s = t }{}

			& : &

			\epsilon

			\\

			\vlinf{\inj}{}{\nat(t), \succ_0 t = \succ_1 t \seqar}{}

			& : &

			\epsilon

			\\

			\vlinf{\surj}{}{\nat (t) \seqar t = \epsilon , \exists y^\nat . t = \succ_0 y , \exists y^\nat . t = \succ_1 y }{}

			&: &

			( \epsilon , \pred (  ;x) , \pred (;x ) )

			\end{array}

			\]

			\anupam{axioms which are true and contain no computational information currently interpreted as constant $\epsilon$. Check this/typing again to make sure plays nice.}

			\anupam{check $\surj$.}

			Suppose $\pi$ ends with a $\rigrul{\land}$ step:

			\[

			\vlderivation{

				\vliin{\land}{}{ \Gamma, \Sigma \seqar \Delta, \Pi, A\land B }{

					\vltr{\pi_1}{ \Gamma \seqar \Delta, A }{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

				}{

				\vltr{\pi_2}{ \Sigma \seqar \Pi, B }{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

			}

		}

		\]

		By the inductive hypothesis let us suppose we have functions $\vec g (\vec u; \vec x)$ and $\vec h (\vec v ; \vec y)$ from $\pi_1$ and $\pi_2$ respectively, where $\type\left( \bigotimes\Gamma \right) = (\vec u; \vec x)$ and $\type \left( \bigotimes \Sigma \right) = (\vec v ; \vec y)$. Let us write $\vec g = (\vec g^\Delta , \vec g^A)$ and $\vec h = (\vec h^\Pi , \vec h^B)$, to denote the $\Delta$ and $A$ parts of $\vec g$ and the $\Pi$ and $B$ parts of $\vec h$.

		%	So we have $\vec f^{1} (\vec x ; \vec a)$ and $\vec f^2 (\vec y ; \vec b)$ for $\pi_1 $ and $\pi_2$ respectively, by the inductive hypothesis. 

		We simply construct $\vec f^\pi$ by rearranging these tuples of functions:

		\[

		\vec f^\pi (\vec u , \vec v ; \vec x , \vec y)

		\quad := \quad

		\left(

		\vec g^\Delta (\vec u ; \vec x) , \vec h^\Pi (\vec v ; \vec y)  , \vec g^A (\vec u ; \vec x) , \vec h^B (\vec v ; \vec y)

		\right)

		\] 

		We will continue with a similar notational convention as above in the remainder of this argument.

		%	\anupam{bad notation since need to include free variables of sequent too. (also of theory.) Reconsider.}

		The case when $\pi$ ends with a $\lefrul{\lor}$ step is analogous to the $\rigrul{\land}$ case above.

		If $\pi$ consists of a subproof $\pi'$ ending with a $\lefrul{\land}$ or $\rigrul{\lor}$-step, then $\vec f^\pi$ is exactly $\vec f^{\pi'}$.

		Suppose $\pi$ ends with a $\lefrul{\cntr}$ step,

		\[

		\vlderivation{

			\vlin{\lefrul{\cntr}}{}{ !A , \Gamma \seqar \Delta }{

				\vltr{\pi'}{  !A, !A , \Gamma \seqar \Delta}{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

			}

		}

		\]

		so we have functions $\vec f ( \vec u^1, \vec u^2 , \vec v ; \vec x)$ with $\vec u^1$ and $\vec u^2$ corresponding to the two copies of $!A$ in the conclusion of $\pi'$, respectively, and $\type (\Gamma) = (\vec v; \vec x)$. (Recall that the typing corresponding to $!$ means that all inputs for each $!A$ are normal). We define $\vec f^\pi$ as expected, duplicating the arguments for $!A$:

		\[

		\vec f^\pi (\vec u , \vec v ; \vec x)

		\quad := \quad

		\vec f (\vec u, \vec u , \vec v ; \vec x)

		\]

		(Notice that this is obtainable in BC by a trivial instance of safe composition.)

		%	cntr right

		%	\[

		%	\vlderivation{

		%	\vlin{\rigrul{\cntr}}{}{\Gamma \seqar \Delta, ?A}{

		%	\vltr{\pi'}{  \Gamma \seqar \Delta, ?A, ?A}{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

		%	}

		%	}

		%	\]

		%	(need test function against witness predicate?)

		%	

		%	\anupam{problem: how to test even equality of two terms? Maybe treat $?$ as $!$ on left?}

		%	

		%	\anupam{Not a problem by free-cut elimination! Can assume there are no $?$ in the proof! Is this equivalent to treaing $?$ as $!$ on left?}

		%	

		%	\anupam{Yes I think so. We can work in a left-sided calculus. only problem is for induction. But this can never be a problem for modalities since induction formulae are modality-free.}

		%	

		%	\anupam{this is actually the main point.}

		For $\rigrul{\cntr}$, notice that no $?$-symbol occurs in a convergence statement, an initial step or an induction formula, so a free-cut free proof is free of $\rigrul{\cntr}$-steps.

		\anupam{This is important, so expand on this here or in a remark before/after.}

		%	\[

		%	\vlderivation{

		%	\vliin{\rigrul{\laand}}{}{\Gamma \seqar \Delta, A \laand B}{

		%	\vltr{\pi_1}{  \Gamma \seqar \Delta, A}{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

		%	}{

		%	\vltr{\pi_2}{  \Gamma \seqar \Delta, B}{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

		%	}

		%	}

		%	\]

		%	

		%	Suppose we have $\vec f^i (\vec x , \vec a ; \vec y , \vec b)$ from $\pi_i$.

		%	

		%	\anupam{problem: does this require many tests, just like for contraction? Can we isolate a different complexity class? e.g.\ PH or Grzegorzyck?}

		%	\anupam{skip this case and consider later.}

		\anupam{commented stuff on additives. To remark later perhaps.}

		Suppose $\pi$ ends with a $\rigrul{\exists}$ step,

		\[

		\vlderivation{

			\vlin{\rigrul{\exists}}{}{ \Gamma, \nat(t) \seqar \Delta , \exists x^\nat . A(x) }{

				\vltr{\pi'}{ \Gamma \seqar \Delta , A(t) }{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

			}

		}

		\]

		so by the inductive hypothesis we have functions $\vec f^\Delta , \vec f^{A(t)}$ with arguments $(\vec u ; \vec x )= \type(\bigotimes \Gamma)$. We define $\vec f^\pi$ as follows:

		\[

		\vec f^\pi (\vec u ; \vec x , y)

		\quad := \quad

		\left( \vec f^\Delta (\vec u ; \vec x) , \id (;y), \vec{ f}^{A(t)} (\vec u; \vec x)  \right)

		\]

		(The identity function on $y$ is defined from successor, predecessor and safe composition).

		%Suppose we have functions $\vec f^X (\vec x ; \vec y)$ from $\pi'$ for $X = \Delta$ or $ X=A$. 

		%\[

		%\vec f(\vec x ; \vec y , z) \quad := \quad ( \vec f^\Delta (\vec x ; \vec y)   ,  z , \vec f^A ( \vec x ; \vec y ) )

		%\]

		Suppose $\pi$ ends with a $\lefrul{\exists}$ step:

		\[

		\vlderivation{

			\vlin{\lefrul{\exists}}{}{ \Gamma, \exists x^N . A(x) \seqar \Delta }{

				\vltr{\pi'(a)}{ \Gamma , A(a),  N(a) \seqar \Delta  }{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

			}

		}

		\]

		%

		%Suppose we have functions $\vec f' (\vec u , \vec v ; x , \vec y , \vec z)$ from $\pi'$ with $(\vec u ; \vec x )$ corresponding to $\Gamma$, $(;x)$ corresponding to $N(a)$ and $(\vec v ; \vec z)$ corresponding to $A(a)$. We define:

		%\[

		%\vec f ( \vec u , \vec v ;  )

		%\]

		\anupam{should just be same? Consider variable naming, just in case.}

		\anupam{This is probably where the consideration for free variables is.}

		%Suppose we have functions $\vec g (\vec v  , \vec w ; \vec x , y , \vec z)$ where $(\vec v ; \vec x) $ corresponds to $\Gamma$, $y$ corresponds to $\nat(a)$ and $(\vec w ; \vec z) $ corresponds to $A(a)$. Then we define:

		%\[

		%\vec f ( \vec v , \vec w ; \vec x , y , \vec z )

		%\]

		Suppose $\pi$ ends with a $\cut$ step:

		\[

		\vlderivation{

			\vliin{\cut}{}{\Gamma , \Sigma \seqar \Delta , \Pi}{

				\vltr{\pi_1}{ \Gamma \seqar \Delta, A }{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

			}{

			\vltr{\pi_2}{\Sigma , A \seqar \Pi}{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

		}

	}

	\]

	We have two cases. First, if $A$ is free of modalities, then $\type (A)$ consists of only safe inputs. Therefore we have functions $\vec g (\vec u; \vec x)$ and $\vec h (\vec v ; \vec y, \vec z)$ from $\pi_1$ and $\pi_2 $ respectively, such that $\type(\Gamma) = (\vec u ; \vec x)$, $\type(\Sigma) = (\vec v ; \vec y )$ and $\type (A) = (;\vec z)$. Let us write $\vec g = (\vec g^\Delta , \vec g^A)$ as before, and we define $\vec f^\pi$ as follows:

	\[

	\vec f^\pi ( \vec u , \vec v ; \vec x, \vec y)

	\quad := \quad

	\left(

	\vec g^\Delta (\vec u ; \vec x) 

	,

	\vec h ( \vec v ; \vec y , \vec g^A ( \vec u ; \vec x ) )

	\right)

	\]

	(Notice that all safe inputs are hereditarily safe in these expressions, so they are definable by safe composition and projection).

	In the other case, where $A$ may be modal, it must be of the form $!\nat (t)$ since it is a cut formula, and so must directly descend from an induction step or axiom on one side. The only such occurrence of a modality is in the conclusion of an induction step, whence such a formula has the form $!\nat (t)$. By free-cut elimination we can also assume that this cut formula is principal on \emph{both} sides, i.e.\ $\pi$ is of the form:

	\anupam{need to check this assumption against free-cut elimination conditions. To discuss.}

\[

\vlderivation{

	\vliin{\cut}{}{!\Gamma , !\Sigma  , A(\epsilon) \seqar A(t)  }{

%		\vlin{\rigrul{!}}{}{!\Gamma \seqar ?\Delta, !\nat(t)}{

			\vltr{\pi_1}{!\Gamma \seqar  !\nat(t)}{\vlhy{\quad}}{\vlhy{}}{\vlhy{\quad}}

%			}

		}{

		\vltr{\pi_2}{ !\Sigma, !\nat(t) , A(\epsilon)\seqar A(t)  }{\vlhy{\quad}}{\vlhy{}}{\vlhy{\quad}}

		}

	}

\]

where $\pi_1$ ends with a $\rigrul{!}$ step for which $!\nat (t)$ is principal, $\pi_2$ ends with a $\pind$ step where $A(x)$ is the induction formula, and we assume there are no side-formulae on the right of both conclusions for the same reason as $\rigrul{\cntr}$: a free-cut free proof of a convergence statement contains no $?$ symbol.

So by the inductive hypothesis we have functions $ g( \vec u ; )$ and $\vec h ( \vec v , w ; \vec x)$ from $\pi_1$ and $\pi_2$ respectively, where $\vec u$, $\vec v$, $w$ and $\vec x$ correspond to $!\Gamma$, $!\Sigma$, $!\nat(t)$ (in $\pi_2$) and $A(\epsilon)$ respectively. We construct the functions $\vec f^\pi $ as follows:

\[

\vec f^\pi (\vec u , \vec v ; \vec x)

\quad := \quad

\vec h (  \vec v , g(\vec u ; ) ; \vec x)

\]

(Notice that this is definable by safe composition and projection since all safe inputs $\vec x$ are hereditarily safe on the right.)

	Suppose $\pi$ ends with a $\lefrul{!}$ step:

	\[

	\vlderivation{

		\vlin{!}{}{\Gamma, !A \seqar \Delta}{

			\vltr{\pi'}{ \Gamma , A \seqar \Delta  }{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

		}

	}

	\]

	\todo{finish this case, just passing a safe input to a normal input.}

	Suppose $\pi$ ends with a $\rigrul{!}$ step:

	\todo{finish this case, should not change function at all, but maybe there is a consideration.}

	Suppose $\pi$ ends with a $\lefrul{\wk}$ step:

	\todo{finish this case, just add a dummy input.}

	Suppose $\pi$ ends with a $\rigrul{\wk}$ step:

	\todo{finish this case, just add a dummy function.}

	Suppose $\pi$ ends with a $\pind$ step. For the same reason as $\rigrul{\cntr}$ we can assume there are no $?$ formulae and so no side formulae on the right. Thus a $\pi$ has the following form:

	\[

	\vlderivation{

		\vliin{\pind}{}{ !\nat (t), !\Gamma  ,  A(\epsilon) \seqar A(t) }{

			\vltr{\pi_0}{!\nat(a) , !\Gamma ,  A(a) \seqar A(\succ_0 a)}{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

		}{

		\vltr{\pi_1}{!\nat(a), !\Gamma ,  A(a)\seqar A(\succ_1 a) }{\vlhy{\quad }}{\vlhy{ }}{\vlhy{\quad }}

	}

}

\]

\anupam{is this better with a premiss for the base case?}

By the inductive hypothesis we have functions $\vec g^0 (u , \vec v ; \vec x)$ and $\vec g^1 (u , \vec v ; \vec x)$ with $u$, $\vec v$ and $\vec x$ corresponding to $!\nat(a)$, $!\Gamma$ and $A(a)$ respectively. We define $\vec f^\pi$ by (simultaneous) predicative recursion on notation as follows:

\[

\begin{array}{rcll}

\vec f^\pi ( \epsilon, \vec v ; \vec x ) & := & \vec x & \\

\vec f^\pi ( \succ_i u , \vec v ; \vec x) & := & \vec g^i ( u, \vec v ; \vec f^\pi ( u, \vec v ; \vec x ) )

\end{array}

\]

\anupam{check this}

\todo{simultaneous PRN.}

\end{definition}

\subsection{Witness predicate and extensional equivalence of functions}

Now that we have defined how to extract a function from a proof, we need to show that the function satisfies the appropriate semantic properties.

For this we work in a quantifier-free logic whose atoms are equations between terms of our arithmetic and whose (sound) rules are simply the axioms of our arithmetic.

(This is similar to the role of PV in the witnessing argument for $S^1_2$ and system $T$ for witnessing $I\Sigma_1$.)

		\newcommand{\witness}[2]{\mathit{Witness}^{#1}_{#2}}

		\begin{definition}

			[Witness predicate]

			We define the following `witness' predicate for $\Sigma^\nat_1$-formulae $A$ with free variables amongst $\vec a$:

			\[

			\begin{array}{rcll}

			\witness{\vec a}{A} (w, \vec b) & := & w = t(\vec b) & \text{if $A(\vec a)$ is $\nat (t(\vec a))$.} \\

			\witness{\vec a}{A} (w, \vec b) & := & s(\vec b) = t(\vec b) & \text{if $A(\vec a)$ is $s(\vec a) = t (\vec a)$.} \\

			\witness{\vec a}{A \lor B} ( \vec w^1 , \vec w^2, \vec b ) & := &  \witness{\vec a}{A} (\vec w^1 , \vec b) \cor \witness{\vec a}{B} (\vec w^2 , \vec b) & 

			%			\text{for $\star \in \{ \land, \lor, \laand , \laor\}$.} 

			\\

			\witness{\vec a}{A \land B} ( \vec w^1 , \vec w^2, \vec b ) & := &  \witness{\vec a}{A} (\vec w^1 , \vec b) \cand \witness{\vec a}{B} (\vec w^2 , \vec b) & 

			%			\text{for $\star \in \{ \land, \lor, \laand , \laor\}$.} 

			\\

			\witness{\vec a}{\exists x^\nat . A(x)} ( w, \vec w  , \vec b) & := & \witness{\vec{a}, a}{A(a)}(\vec w , \vec b, w ) & \\

			\end{array}

			\]

			where $|\vec w^1| = |\type (A)|$ and $|\vec w^2| = |\type (B)| $.

		\end{definition}

		%	\todo{problem: what about complexity of checking equality? }

		\todo{Reformulate above later if necessary.}

		%	\todo{What about $\nat (t)$? What does it mean? Replace with true?}

		%	\todo{either use the witness predicate above, or use realizability predicate at meta-level and a model theory, like BH.}

		%	\anupam{Need to check above properly. $N(t)$ should be witnessed by the value of $t $ in the model. For equality of terms the witness should not do anything.}

		\anupam{to consider/remark: formally, is witness predicate checked in model or some logical theory?}

\begin{lemma}

Suppose $\pi$ is a free-cut free $\Sigma^\nat_1$-$\pind$ proof of a sequent $\Gamma (\vec a) \seqar \Delta (\vec a)$, with $\vec f^\pi$ defined as above. Then:

	\[

			\witness{\vec a}{\bigotimes \Gamma} (\vec w , \vec b) \implies \witness{\vec a}{\bigparr \Delta } (\vec f^\pi(\vec w , \vec b), \vec b)

			\]

\end{lemma}

			\anupam{to consider: do we need parameters $\vec a$ in argument of $f$? Or does $\nat$ predicate take care of this?}

			%	We will be explicit about normal and safe inputs when necessary, for the most part we will simply rearrange inputs into lists $(\vec u; \vec a)$ as in BC framework.

%			We often suppress the parameters $\vec a$ when it is not important.	

			\anupam{Is this implication provable in Bellantoni's version of PV based on BC?}

			%	\anupam{for moment try ignore decoration on right? what about negation?}

	\begin{proof}

	By structural induction on $\pi$, again, following the definition of $\vec f^\pi$.

	\todo{}

	\end{proof}	

		\begin{theorem}

		If we can prove a convergence statement for a function $f$ under a specification $\Phi(f)$ then there is a BC-program for a function $\mathbf f$ such that:

		\begin{equation}

		\label{eqn:spec-implies-program}

\Phi(f) \implies f (\vec x) = \mathbf{f} (\vec x)

		\end{equation}

		\begin{equation}

		\label{eqn:program-satisfies-spec}

		\Phi(\mathbf f)

		\end{equation}

		\end{theorem}

			\begin{proof}

			Notice that a convergence statement has the following form:

			\[

			!\Phi(f) , !\nat(\vec a) \seqar \nat(f (\vec a) )

			\]

			By the lemma above, and by inspection of the definition of the witness predicate, this means we have that,

			\[

			(\Phi(f) \cand \vec x = \vec a ) \implies \mathbf f (\vec x) = f(\vec a)

			\]

			whence we arrive at \eqref{eqn:spec-implies-program}.

			Finally, notice that $\Phi(f)$ has \emph{some} model, since it is a monotone inductive definition so some fixed point must exist. Therefore we obtain \eqref{eqn:program-satisfies-spec} as well.

			\end{proof}

			\anupam{rephrase above proof to make more sense.}

\newcommand{\concat}{\mathit{concat}}

\paragraph{Some points on concatenation \anupam{if necessary}}

We can define the concatenation operation by PRN:

\[

\begin{array}{rcl}

\concat (\epsilon ; y) & : = & x \\

\concat (\succ_i x ; y) & := & \succ_i \concat (x ; y)

\end{array}

\]

From here we can define iterated concatenation:

\[

\concat (x_1 , \dots x_n ; y) \quad := \quad \concat (x_n ; \concat (x_{n-1} ; \vldots \concat (x_1 ; y) \vldots ) )

\]

(notice all safe inputs are hereditarily to the right of $;$ so this is definable by safe composition and projection.)