A Programming Logic Based on Type Theory

Proefschrift

te~ v€rkrijgillg Vall de gtaad van doctor aan de Techlli~du' UlIiv('tsitcit Eindhoven, op gezag van d(' Rectot" Magnificus, prof.dr .. J .. H.. van Lint, voor e{~ll ('onlmissi(' aallgcW'c~cn door het College vall Dekancn in het openbaar te verdedigen op

wOf'nsdag 5 oklobcr 1994 om 16 .. 00 uur

door

Erik Poll geboren te IiMrlernrnerme(>~

Dit prodsrhlift i~ goedgekeurd door de promotoren

prof dr, F., E.. J .. Krl1seman Aretz

prof dr H P Bar()norcgt

('11 Of' ('o-promotor

drir C Hemerik

Acknowledgements

The research on which this thesis is based was carried out while I was employed by the Dutch organisation for scientific research NWO, On the SION-project "Typed Lambda Calculi".

I would like to thank Kees Hemenk for his gUidance and stimulation over the past four years, and for always insisting on mOre text between the formulas.

Thanks also go to the other members of the manuscript committee - Henk Barendregt, Marc Bezem, Frans Kruseman Atetz a.nd Rob Nederpelt - for their va.luable suggestions and comments on draft versions of (,hiS theSiS ..

Finally, I want to thank all the people I've enjoyed working with over the past four years, III particular Bert van Benthem JUt/,lng, Tijn Borghuis, Huub ten Eikeldet, Herman Geuvers, and Paula Severi

Contents

Surnlnary

Samenvatting

1 Introduction 11 Background 1..2 Aims and Motivations 1..3 Overview of this thesis

2 Pure Type Systems 2.1 PTS~

2 .. 2 DPTSs. 2 .. 3 Relation lwt.Wff'rI PTSs fl.od DPTSs

I Syntax

3 The Basic System: AwL 3 . .1 ),..,; as a programming language :: Aw. 3 .. 2 AcU a..~ a logic :. Awp 3 .. 3 The programming logic AwL 3..4 Program and Proof Di':v~l(lprni':nt.

3A..1 Coupled derivation rules for function types 3..42 COllpl~d derivation rules for polymorphic types 3..43 Oth(>~ datatypf-COrlstructors

3 5 Comparison with Program Extraction In ,xC

4 Simple Extensionl; 4 . .1 Extending PTSs with +, x and L

4 .. 1..1 Cartesian Products 4 .. 12 Disjoint Sums 4 1 3 Depend€"nt Sums 4 .. 14 Lahelled Products 4 .. L5 Lll.hdlcd Sum,; 4..l6 Propl'rtif'S of (D)PTSs ('xl.t>lldrd \..tth +, X and L

4 .. 2 Exten~iol) of t.h!:' PT()gnl.lnrning Lang\lilg!:,

4 J Extension of the Programmillg Logrc'

iii

v

1 1 2

5

9 10 16 21

25

27 28 33 37 44

45 46 51 M

57 58 59 60 62 65 67 69 71 76

II

4 4 Program alld Pr()()f Di'vililpm!'lIt

5 Recursion 5 1 Extension of tht> Pl"ogl"aznmiIlg Litllt!,llitgi'! 5 2 Extcnsion of til{' ProgralIlmiIlg Logi(

5:3 Pr-ogram and Proof DC\c!OpznCll!.

II Semantics

6 The BaBic System 0 .. 1 GCIlf'ritl Modd DdinitlOn for AW 6,.2 PER-Modcl fOl Aw. 6,.3 Proof-irrelevance Model fot, >,wp

64 Model for AWl

7 Simple Extensions 7 1 Gcw:T,Ll Modl'l Ddill'ltion filT Aw; 7.2 PER-Model for .\w; 7.:1 Tlw Progrilmrnmg Logic

7":U Proof~irrdw,l'~ nl i' model for AW,; 7 .. 32 Proof-lrrdl:'vlut({' mod!:'l for .\v.!·I~

8 Recursion 8l General Mod{'l Dc>finition '\w~'

82 CPO-Model for ).v.!~'

8 .. 2 .. 1 Cati'gory-tbcoTl'tli ~OllltlOll of 1i'lllThlVi dOln<l.ln i'·qll!itlom;

8 2 2 C()II~!.rlldioIl of i1 CPO-IIlodd 8;:) Thc PrOl(falllllllll/:i Log"

9 Conciusioll D .. l l':Vld\li\tioll 9 .. 2 C()mpi\ri~()n wHIt rej~\u'd work 9 .. 3 F\lt\1r1;' Work

Bibliogt'aphy

Curriculum Vitae

CONTENTS

80

85 86 91 99

105

107 108 117

119 122

129

129 137 139 139

139

141 142 149 149 152

157

159 159 HH 1&4

165

175

Summary

T) ped lambda calculi can be l>Cen as fUllctional progtammlng languages or - by the Curry­Howard-dl:! Bruijn isomorphism .. - as logk~ .... The first view provides a solid basis for richly typed programming languages Th(' ~('t(llld view is the basis of several systems for the machine­l:l.~1;IQted construction and vf'rifkl:l.tion of pl""Oofs.... Together, the two points of view offer the poo;~ibllity of using type theory <'\s the basis for progtamming logics, Le, logics in which we can n''''$On about programs and datatypes, and in which we Can prove that a program satisfies a <;ertaln specification ....

Ollf' approach, made possibl<> hy the expressive pow"cr of type systems, is to identify the notion~ of' datatype and specifkation, a.l1d obtain programs Fra.n constructive proofs.... This approach is for iTl~tance taken in the system Coq, where program~ are obtained from construC­tive proofs in t .. he Cak ulu8 of ConstI\lction~, VIa. JOome extraction operation [PM89a), .. From a th~oI'etical point, of vi!;'w this approach 8(>cm~ v~'ry elegant, but ft'''om a pra.<;tical point of view it has the disadvantagf' that a program under tOn!;tw<;tion can only be manipulated indirectly \ia It.S proof .. Ways to avoid the need for an extrattiOTl operation have been considered in Martin-Lof'!:; type theory INPSDOi a.nd In Nuprl [Con86j, uSing ~o-.called subset types, but these have the v!;'ry ~E'rious disadvantage of making typechecking undecidable ...

From a ptattital pomt of view, it seems preferable to have a programming logic in which programs and ('ot'''r('ttn('s~ proofs are separat .. (> nbjects, and which allows the simultaneous development of programs and their correctness proofs, somewhat similar to the method ad­vo(,~t~d by Hoar ..... and Dijkstra Such a programming logic is the subject of this thesIs ...

Starting point of tillS tlJ+>~i~ are the Pme Typ(> Systemo (PTSs) [Bar92], a large class of typ~' l;y~t~ms which ('<"In he d!;'H( nbed ill a UllrfOIIII wa.y .. Apal't from PTSs we al~o use DPTSs, wllich are extensions of PTS~ with a definitioll mechanism The extension with definitions dt)('~ not increase lhi' (1v~rall ~'xpressiv~ po""r!' of a PTS, but it is indispensable for practical \1~e ....

w~! dE'~lgn a PTS AWL, willdl consists of a typed f\lIu.;t..ionaJ programming language and an as~ociatE'd logic in whkh propHt.i!;,8 of programs fall be ",tated and proved ... This programming language 1I:; the system A"", whkh H the PTS cO!'resj)(.Hlciing to Girard's system F"'. The system AWl, provides a single languil,gt> fol' prop"ams, datH.typea, proofs, propositions a.nd specificat.ions, alld integrates il. st.rong tYIW ~ystem for programs with a specification system for" programs .. Vt'dfication of proofs i" II sp~'dal case of typechetking, and is easy to implement ....

Programs and t()Jr('(:tne8~ proof arc ~('jl!l.r,~h~, but related, objects ill AWl, .... They can be (onbtructed hand ltl hi'l.nd, in a compo~it.lollal manner, by stepwi~c refinement... It IS also pORsible to pro\c the forr~ctness of progr,tm t.raIl1;fOrmatioll rules in the system, and use such rules to develop programo and their eorr('dn~:S~ proofs,

An implem('nt.atlon of the system would ofkr a programming environment combining a.

iii

iv

syntax.direct~d editor for well·tYPt'd prnl;n~Jt\s and a goul-dH(::ded proof aJjo;i~t<nlt.

Th~ basic system AWL if; extended with different language conf;t.ruets that are uHdul for programs and datatype~ Fil,·~t it is extended with labelled produ('t~ and sums -- Ie records arld variants - and with abstt"act datatyp~s .. The second exten~i()n is, the inclusion of n'(msion, i e., of recur~ive programs and recur~ivi' datatypes Thi~ (!xt.cnsion with recuro;ion changes the nature c,f the programming langllat;;e, The progra[][,; afe no longer all tetminating, whk;h results in partial objetts To reason about recursive programs, the logic is extE-lncled is the style of LeV, with axioms stal.ing I.hat fccnrsive progr!LrIIS are leMt fixed pOUlts

Tho syntax of AWl, and it:>. cxtension~ i" (h~Cllssed in the jjr~t part of this thesi", along with th~ und~rlying design COmlicl(>rat.ions, and ~()rHE:! ':>implc cxampl~~ to dhl~t.rate the intended use of the sy~tcms .. The main ~ynl.a('!.ical propertleo of t.he systems are givcn .. These establish the so~mdnl'f;s of the type Sy8tE:'lrIS, alld ~omc of tlt~'IIl, n()ULhly strong; norlfla.li~ation, are important for the decidabihly of t.ypecht'( 'king

The ~~~lllantifs of AWL and ltS t,>xU'nsions is treated ill t.he second part of t.his thesis, Of all the 8y8tem~ I.hat have be~'r) illlr()d1l'."('d we giw I'fH)dds, which provl(le th~ jllstification (and the inspirat.ton) of the diffi·rC'IJI. ext('nsi()n~

'These modds provIde d(,llotati()n~1 Mflll;LlJlics for th(l p;Lrt~ of the Sy8t('rn~ ll~(;d as pro­gramming hmgllages First, th(! gi'lH'rill str'll('tUl'e of models for the~(' progrillllming languagi:'~ is dE:!Hc'TilH'cl, by ('xtending tit! I3l'll('e-M('Y('r-MJtdlC'll lllodds II3MMOO:J,. Then we gjve in­stantiations of th(>~C' l;c"llCral model ddiuitlou" For' t h~ langn;lge ~ wlthout recursioll, these instantiation" Me I hI"~ "talldaro PER-ll)(Hli'l~ For the lanpl'Lgc ""ltlt recursion, tlti!'; lllstanti, ation is a CPO-mockl, iu "" hidl datatyp(l.~ ;Lre' illlerpl"(·ted a~ (PO~ amI r'ecursive programs as least fixpoint~ .. Tbis c\olllilin-theoretic modl'l prov'ides the b8,.,i~ for l"casolling about ree'ursive programs and p!l.rti,d obj('('i.S

For the parts of till" systems used as l()gle's, ptoof-irrelevan( ~ models are givE:'Jl, ill which propositions are int/rpretcd as t.ruth vil,ln(~ These simpl" ml.('rpretations aT!' all that is needed to prove' e'ollsist.cncy of t.hE:! lq~le'~, and consi/:lt.~n(::r of any axioms that we may want to include ..

Samenvatting

Getypeerde lambda-calculi kUllnen enerzijds beschouwd worden als functionele programmeer­ta.len, en anderzijds - da.nkzij het Curry-Howard-de Bruijn isomornsme - a.ls logica's" Het et>rste ge~dchtspunt bicdt cen solide ba.sis voor programmeertalen met krachtige typesystemen" Het tWE:'ede is de basis van verf;chillende systemen vOOr computer-ondersteunde constructie cn verdkatie van bewijzen" Samen bieden de twec gezichtspunten de mogelijkheid om type­thcorie te gebruiken als basis VOOr programmalogica's d.w.:l;. logka's voor het redeneren over programma's en datatypen, waarin bewe:l;en kan worden dat een programma. a.a.n een bepaalde specificatie voldoet

Een aanpak, die rnogel~k gemaakt door de expressiviteit van typesystemen, is om de begrippen datatypc erl spedficatie te idf'ntificeren, en programma's te verkrijgen uit con­structiew bewijzen" Deze hena.dering wordt bij\l'oorbeeld gebruikt in het systeem Coq, waa.r programma'S worden V'crkteW~1l \lit constructievc bewijzen in de Calculus van Constructions, via cen f'xt,rll,ctie-operatie [PM89aj. Vanuit theoretisch oogp\lnt is deze aanpak erg elegant, maar praktisch gezhm heeft het als nadce] dat een programma. tijdena cOllstructie alleen in­dirE:'ct gemanipulcerd kan worden via het bcwijs ervan

In Martin-LM's type theorie [NPS90] en in Nuptl [Con86j, is gekeken na.ar de mogelijkheid om :l;o'n extractie"opcl"atic overbodig te maken, door zgn .. subset typen te gebruiken. Deze hl'bben echter het grote nadeel d<lt typering onbeslisbaar wordt,

Voor p.aktlsche programmaconstructie lijkt het betcr om een programmalogica te hebben waarin progra.mma's en en correttheidsbewijzen aparte objecten zijn, die echter wei tegelijker­tijd kunn~n worden geconstru~(,I"J, op een vergelijkbarc manier <lIs voorgesteld door Hoare en Dijkstta .. Zo'n programmalogica if; het onderwerp van dit proef8chrift,

Uitgangspunt v<ln dlt proefschtift zljrl de Pure Type Systems (PTSen) [Bar92], een grote klasse van t,ypesystemen die op uniforme manier beschrcvl'rl kUllllen worden" Behalve PTSen worden ook DPTSen gebruikt, uitbrl'idillgen van PTSen met een definitiemechanisme .. Tbe uitbreiding van N'n PTS met definitics vt"rhoogt de totale expressieve kracht van een PTS niet, maar is onmisbaar in praktisch gcbrnik

We ontwerpcn a PTS AWL, dat bestaat nit f!f!n getypeerde functionele programmeertaal, en e~~n bijbehorendc logica voor \litspraken over progr1;tmma's en datatypen,,, De programmeer­taa} is het systeem AW, het PTS dat overeenkomt met Girard's systeem Fo) .. Ret systeem AWL

biedt Mil taal taal voor programma's, datatypen, lwwlj~en, proposities en specilkaties, en intcgreert een krachtig typcsysteem voor programma's met een specificatietaal VOOr program­ma's Bewi.Jsverificatic is a hljwnder geval van typecontrole, en eenvoudig te implemellteren,

Programma's en corrccthcidsbewljzen zijn apart~\ maar verwante, objecten in AWL, Ze kllllrlen hand in hand geconst.rueerd worden, op cen compositionele manier, door stapagewijze verfijning, Ook is het rrtogehjk om de correcthcid van programmatra.nsformaties aan te tonen

vi

in ).WL, eIl zulke transform8til"':; te gcbl"Uiken bij h~t ontv,ikkelen van prognuIlIlla's en hun cOrrect heidsbewij zen

El'ln implementatie van lH"t. ,:;ystcem zou een programmceromgeving bieden, waarin een ,:;yut.ax-gestuurde editor v,()Or goedgetypeerde programma's wordt ge(.ornblncerd met een doel­gestuurde bewij~-a>;>;i>;t.ant

Het kale Ijyatef'm AWL wordt uitgebn'rd lllCL verschillen<k t,Lilkonstructies die nllthg; zijll voor programma's en datatypen Eer~t w{)nlt. hct uitgebreid met gdabelde product- en som­type!) _. d .. w_z .. records en va,i!l,nt,; l'U met abstracte dat,iLl.ypeIl Daarna word!. heL sys­teem uitgebt'eid met recur8lew programma's en rei..,urhll'vt datatypen .. De prog;rammeertaal ver-andert nogal met de de \llthrl:!idiug nwt. recurs!e IIH, is niet langer het gev;Ll dat aile programma's uie!. tcrmineren Om over ["ccursieve progn\T!lrna'~ en mogelijk niet-eiudigende berekeninger) tl' tedener'en wordt de logita llitgebreid op de >;t.ljl van LCF, met axioma's die uitdrukk~lI ([aL rC('\ll"si€'ve progr!l,rnma'~ kl('inste dekpUJ1t(>ll din.,

The syntax van ).WI" tll haar llitbreiding~u wOfdt. behanddd ill hct. CCl'ste dee! van <lit pT[)(>t~dlrifl. met. de ov{'rwpglllg('u dic hiel"l'll'ln ten E\TOIHl~lag ligg(,ll, en enkl'k ccnv()udige '1001"­

beelden rlm het. b('oogde gebrmk t.l' v('['dllidelijken .. D(> h('b\ngrijkste ~yntlv.:;tisdH~ clgcllschap­pel) Vi;Ul d(' >;yst.e:men k()m~'n 'l,>tll dl' oldc .. Deze t.0[1('11 d!' gc};ondheid van dt.' t.yp('-~ystemen 8-!Lll, tn sommige, in h~,t bij '!CIlH 1('1' s!.fl"ke n()rmali~'l..t.ir, f-ljn bel~llgrlJk VOOT h(~~h~baarheid van typctlng

Tbf! ~l"lll;:ll\llck van '\J.LI," ~'n {II- uitlJlcidinge!l erV8-n komI. aan de ord(' jll bl'( !.v.eede deel Va.ll dit proefschrift .. Vi:!.ll allc ~ystem€'n die gedl'hniecrd zijn wordeJl moddlcn gegeven, die (k rechtvaardiging (~'ll ~nms nok de in~pirat.l(!) "!in de verschillellde Ul1hl'cidingen gevell ..

Voor die ddl'll Vall dc systernen di(' al~ as programmeertaal diuuen, bestaan d~~ze modcllcn uit denotatlek ~('nl!illt.\('k E€'st word!. <](' algcmene ~tructU\lr van modellen voor dcz(' pro­grammeertalel1 he;j(bT('V('ll, dool" dt, Dnl(l'-Mcycr-Mitchell Hlodd~ IBMM90j uit te lm'idcll Daarna worden in~t.alltlat.i('s ·.an d('z(' Id!1/'lnl!ll(~ r\lodd definiti('!:< gCgI'V('I\.. Deze instantlatil's ZljU dC' grbruikelijkt, PER-modl'1lrn V()OI" de tal('I) zolldct recul"sie VOOT (if" pl"ogrammeerta(!.1 met. re(u["~il' wOl'dt. ('cn CPO-ln()d(l ,tis itlo;tantiatie g('gev(CI1,,,,aarin datat.YP(!ll als cpo's en re('llrsleVl' programma's als klE'ln~t.f' dl'·kpull!.cn worden g(:illt.flpretcerd Dtt mod!'l bledt de basis het n,dell('r(,rl over recur~i('v'~' pr(lgril.lllma'S en nOI)-t('THllllil.tif ..

VI)(lT dJ(' d('len van de Sy!<t.l·I1H'll dll" ,lIs logica's die1wll, worden proof-iTTl'kvallC(, modelleD g~g~V('ll, waarin propo~ltieB ~l~ wa~Lrh('idsw/'l.ard~·!1 i'Plllt<'t'plft('(~rd word!'ll Dcze ('('nvoudig~' illl.trpl,'(,t.at.ies volst.aan orn l ()l1~i"t.Clll iE' V~ll logka\ iLiLll I.e t.Ollcn, ('n (oll"i~t.('11t.1C \an axiQm",'~ dic we zouden will('n tOf'VO! g('l1

Chapter 1

Introduction

1.1 Background

There has been a steady evolut.ion in tht type systems used in programming languages., The first programming languages, such as assembly languages and LISP, werc ulltyped" The first higher-order la.nguages prov'idcd a few base types, such as integers and reals.. Later, progrllmming la.ngu!Lges offered incr'casingly powerhll con8truct,ion~ wlt,h which programmers could build their own types .. To n)(wt tlw ll&'t'd fc)r more flexible type systems, features such as subtyping and polymorphism wete Included, and, more recently, object.-oriented languages were introduced

Typed lambda calculi (an be vh'w~~d a~ mdilll/'rtt.!Lry, but very pure and expressive pro­gramming languages This view provldei; a. solid basis for richly typed (functional) program­ming languages .. It offers a framework fOJ thp d&.scrlphon and classification of type syst.ems of programming languages, and often suv;g-est~ improvements and generalisations (see for ex­ample IRey851, [CarS!)], and IBHOOI )

Typed lambda calculi can also be vit'wed a~ (constI\ICt.ivc) logics, by the so.called Curry­Howard-de Bruijn isomorphism .. Typel> aT!:' t.ht'll rcg!LrdNI as propositions, and terma iii; tht>ir proofs .. This is the view taken in AUTOMATH [dB80j, Ma.rtin-Lor's Type Theory IML79], Edinuurgh Logic-al Fram~work (LF) IHHP93j, and th~~ Ca.kuluf; of Constructions ICH88] Impl~m~~nta.tions of AUTO MATH pl"ovided mechanical verification of mathematical proofs .. The ot,h('r syf;!,f'ms hav(' also b~en impl('mented, namely in Nuprl ICon86J, LEGO lLP92j, and CO(j IDow911 Th~se implementations not only verify proofs, hut, also provide some ('Ort1put,('r-assistanct for the construction of pl"o()f~ ..

The two possible interpretation~ of typd lalllLrl,t cakuli - as typed programming la.n­guages and as logics - make t.ype t.heol Y 'l. liuit.<Lhk b!LSIS fol" programming logica, Le .. logics in which specifications can be t'xpr~~~s(!d alld in whlrh it can be proved lor disproved) that a program meets a certain specifh,atiou ..

The best·known example of a progralllllliug logic is Hoar'e's logic., However, Hoare's logic suffers from the mismat.ch uetwem till' Objl~l~t lallgl!!Lgc- fOf pr'ograms and the logicallanguagt, in particalar where it concerns the st.at.u~ of varii:!.bks, iLnd from the very rigid format of the Judgc-nwnl (see IAptSfl) .. Also, the scopes of vadabll~Jj alld <'.~ c.;ulllpt.ion arc not always clear .. Thc-~!' problems makes it difficult to reason about. hlnctiOJ'l~ and procrdures

2 CHAPTER L INTHODUCTION

Th!' advant~Lgc of a single formalism t.hat pnwidl's both the notion':' of progl"am and datatype and the notions of proof and prOpo!;lt,ions, IS that the programming langnage and the logic are more in tunl;' .. Thi!' rrll)l!.n~ we can hope to avoid probkm~ like the ones mentioned above ..

1.2 Aims and Motivations

Our ainl i~ the> design of a programming logl( .... , that is based on typl:' tlwory, but. whose lan­guage constructs and deduction nileJ:; ,U(' gr',lred t.owards practical progr<Llll construction The ~ys! .. ('m should offer the possibility for tlw TIltrhanie--al verification of proofs .. The ultimate goal )0 an iTllplement.at.loll of the system that providl:'~ a. programming enVirODTlWnt fDr (Ollslructing prograwt< and t.hll"" fOrn'f! lle>SS proofs

There ,ir(' s('v('ral t'GISOllS for ilttegrati))g til(" pl"()~l"fLmming laHguag( and logic in one forrnah~rn

One It that .. il Illay help to obtailt a ('Onlpi~( t. iLlld homogeneouo J:>Y",t.~:rn t.hat.. i~ as elegant and p'Ilf'ral a:'; po~sihle .... rl'''O?;r''l'Im~, datO"l.typ('!;' proof:,;, propositlolJ .. " and hW"fififallons can all be handlcd in a uniform way.. ..

Also, certain primitivE'" in till' prop'amming languagp will re>qnir"c matching PrlHllti,co, III the logic. For iIlf;t(1rltC, to I'eason about program" of t.ht form (,\x .... nat .... ), WI probably need \U1iWrf;al <jllanlificat.lOns of the form (1f .. :r .. nOlt.... ..) BY" working In OIW f()rmah~m, V.e can hop~ t.hat the primitives in programming l~ngu,il;t and logic are well-Hl'it .. chtd

All added bonns is that proof (he('kiIll:\ 1~ the-- same as typ~! ChlCkillg, so that tht, ~Hln( algurittml~ Ca.n bt used for lypc checking and proof thl'cking

The:-- most imp0l'tant design consideratiun Ii; thl' cxpressivlty of t..it(' type-- syst.em for pro­grarn~ .... Tbt rtmaillder of this section b rl~'dl('8t .. I'd t .. (] t.he motivation of ()llr choie--e,. We comp8re ~oml:' uf ! .. hi'" al!<'mat.lvl's, and col18idt'r t..h~' difkrtllt kinds of programllling logics they rl:'~\ll! .. IT!....

Then' is", whol(> !;Pl( ! .. rum of type systemo for pmgrfLlllmmg lan!~uage~ .. At Onc end of thl:' spectrum arl;' til(' Ullt'}Pfd programmillg ll'ltlgull.g(!i; HN(, we effectively klV(' jll~l one type, which l~ the typ~: of iLll plograms At the othl;'r (!TId ()f I he Spcctl um au: VNy ('XjHeSiilVe type systems, Buch ao Mart..Hl-LOf's Type> Theory and t11(~ C,tklllns of COllotru(! tOrts .... Here types are complete opf'dflca.ti(Hl~, tLrtd t he type of a program provIdes all t h(~ nkViLrtt information about It.." (f\H1( .. t!ortal) h('haVlOllL Most of tile ((mV{'lltlonal progI'1U1JlU))1l:\ hIIIgu~Lges lie soml:'­where betwel;'n t!w,;( tv.o l'xtreIJH'S The ty~w of Il. pmgralJ\ p;!\i('s some il\forrnatioll about the program, but not an (If il....

III all bllt the most expressive type "y~t(""lll~, a tYl)(' alonc do('~ lIO! ~llJ1k(' a~ the ~pe(..jfi(a­hon of (l, pn)~r'lllL APMt. from the tYPt', J;()lllt ;LddIt.ional informatl()Tl I~ llteded to tell whidl programs of t.JIILl !'J pe havc all th(' r('q(lir('d properties., This infonnRtioll call be regard~d a.~ a prfdi( at(' with that type as domain, whi( h tharacterises a ~ub!:,~,t (If ! hat typc

Regardless of how ('xpre:<;:<;ive the type system of Uw programminp; IlIllg\mgt i~, WI:' can say that a spec~jicatlOn i~ II pair that consists of

• a type, and

• a prNilrale on that typt' .. ,

1.2 AIMS AND MOTIVATIONS 3

A 8oJution of a ~pec~ficat!()n is a pair that consists of

• a prograIn of the tight type, and

• a ptoof that is this program satisfies the predicate ..

It depends on the strength of the type system how much of a specification is expressed by the type, and how much t.hl" leaves to be expressed by the predicate.. In very strong type theories all information we may want to express in a specification can be expressed in the type, so no predicate is needed In untyped languages no information can be expressed in the type, and the whole spedfitation is given by the predicate.. And in most conventional programming language"" SOIne illformation can be expressed by the type, but the larger part of a specification is expressed by the predicate .. In fact, there may be some overlap between the information given by t.he type and the predicate

So we call make a (rough) distinction betw!:'en three kinds of programming logics

(i) An untyped programming language with all information abont programs expressed in predicate~

(ti) A typed programming lallg11<"lgc, with some information about programs expressed in types, and the rest in pn>di'<"It,es ..

tiil) A typed programming langll<"lgc w·jth a very expressive type ~yst.em, ",here all informa­tion about prograIIls is expl"essed in their types ..

In IGir86j the first two are called external programming logiCS and the last kind is called an mttJ.9T1J.t(:d pl"Ogl"amming logiC, We Ube tbe terrIl inkrnal instead of integrated.. In external programming logics, specifications and ('orrectn('SS p['oo£~ live outside of the progra.mming language In intental pl"ogramming logiCS, th~8e notlM1S are internal to the programrning language; the type of a pl"ogl'<"Im is its specification, and type cherking amounts to verification_ A comparison of t,hese different kinds of pl'Ogl'amming logiCS is given in [Dyb90j,

Regardless of how the specification l':> divided Over type and predicate, the total .. moant of work it t,akes to establish COl'rectne~s of all algorithm i~ roughly the same,. From a pragmatic point of view, howf'vcr, there are big difference:; between the different approaches .. The pro­granuning logiCS in this thesis are all of the kind (ii) I3asically, in types as much information i" expre~~NI as can be mechanirltlly vE'rifi!:'d 13dow \\(' mot.ivate our preference for (ii) over (I) and (iii) ..

Why types?

'It explain why we do not favoul" n.ppl"(lltch (i), wc briefly review the reason» for having types ill <"I programming langultge

The essential property of types is that t.hey impose restrictions on th~ interaction between objects The type of an object. COllt.rol~ t.hc access to that object and the ways it can be used .. As a result, some of its propertit.'$ can he hidden fmm the outside world For this it is vital that all t.ypl' constraints can be v!:'rified l1ltcballically by a type checkinp; algorithm

One advantage of types (.(mC~!I"l'lM t,h!' llnplcment.ation of programm)Ilg languages" In a typed language, we can take adVa)lt,llge of ('fficient machine repre8entations for certain base

4 CHAPTER 1 INTRODUCTION

typef;, ~udl !U; illteger!;> or n'al8., or for certain tYP('-con8tructiolllj, '5u(h aJ; arnl.y~ Tlu' rf'~trl(;­tions enforced oJ lht typl' s)!;U"m b.('p I,h(':"'i' r('pr('S('lllatloll~ I\ldd(,1I ftOnl til(' pl'Ogrammer and prevent ill!;'gal operations on them ..

The othi~r advantageo of typf.'~ (O[l(,l:!m the w,e of tbe prognumnillg lallguage" Tlw L) r~

system Imp()~e rt>st.l"lctlifll$ Oil th(~ (omiml(l.lorlal fn'~'dorn Th!'>;!' n'Mritt.ions ("all prevent simple mistakes, e .. g" mult.iplying ,\ boolean", Ith a natutalnumbet"

More important for the construction of programs is the way in which data·~tructuring helps to organise programs.. The classification of programs and data that is provided and enforced by the type syst.em helps t.o ~Irutt,ur(' programs, and makes programs easier to read ..

Finally, there is the possibilitj' of data-abstraction.. In a typed programming language absh'act datatypes call bt> uSf'd 1,0 hide lllformation ahOtlt one patt of a pr'ogram form the rest of the progtam

The type of a pl"ogl"am (all be se~lI as an incomplete specification of a p!'ogram.. For example, if f :: tnt ---l- int, then f is a function that maps integf.'~8 to jntegeTs .. Thi~ is ~)f t01H~C a very incomplete specification - we still have no clue as to wbat, f I~ "bul ':'lldl Ill( Olnplde 8pecifications have th!;' a.d"antage of bf.'ing V('l'y ~'~.sy to wrih' ",nd to mil.d" MOn!OVI'l, t.hi'Y tat!

ea8ily be verified, and It type·dH'ckC'I' (i~ll p;l'Il~ril.Hte(' t.k~t nl(>~(,' lI'H oUlpl!'t!' ~I)PI Innltiolli> aft

met

Why not specifications as types?

Most research on programnHng logl("s bltsC'd Oll type theory CO)lC('l"lB systems of killd (Iii) Here the notions of type and spedficat iOll al(' id()utifi('(l, 1>8 an' till' notton~ of progl !Llll and NrTectne88 proof

This Idea dat!'~ halk to HI'ytl11g'S !ii"lll!LlI!iI'~ of c{)ll~l.rucl i\e proofs a construltjve proof f of'th" E A. lm{r) => 13y G B .. [!lid(..r,!I )jl'j)UI.i\llli; all ,\lgot'ithm w hi('h, given a term x and a prlH)f of lln,{r), r~!tmlls n Iflln if !Iud It proof of p{l,~1 (c", 1/)" Tilt propo~Hlon givc>s all the ri!levant lTlforrnl!.tlOr) abo\lt t1li~ ~lgodt.hl1\ it I~ II~ '::IWflhl"~L11()1\..

This approadl 1.0 pfOgl alii ("()1I~1 ru("I.lOll I~ attractive at fir'st sight However, tbe probkm is that constructive proofs hav(' til.ken till' plan' of programs, (lnd it l~ dHlklllt. to ~epanl,te the algorithmic part of these constrllctivf pr'oofs from the correctne5,~ part T:Y1mally, t.IH" brger part of the constrnctive proof J abov(' will bc> devot.ed not to the c()n~tr\l('tI()n of I hi" witness y, but to the proof of pO$I~ .. !.", i}) Thb proof is Important fol" the ('orrect.n('~!;, b\1t uot for th~~ algorithm"

It I~ pO!;!libh! to ohl"'in prOi\"ril.lll~ flom proof~ hy ,Lll "I'xt.m( t.1()1l" opcrMiotl In IPM89a:1 ~Il('h an i'xlr!LI 11011 pWl"ldlll~ I" di'filwd for Ilu' CiLklllll~ of Cono:1l"lI('tiotls How{'V('r, UII~

leave,:;, t.he probklll t.hal t.hl' progriLlll 1 hal '" ill (vc1l1'.lall> 00:- extl'I<('t.ed from 1\ ploof h nM visible during the COllSt.1' III I.lOll of tllat proof Consequcntly, design ('boke,~ ClW ollly h~' Tll~l.Ik on the basis of lh(' ~p('("ifil~11 lOll, illld 11M Oil IIii"' k'l.SIS of an opC'rational lll)(lf.'l"!;tallding nf t.llt algont.hlll or ('fTi(~II'1l1 y (nll"'ld(I'LllOll~

III Mart.ill-L6f'>; TYJH" Thl:OI} I hl'n' I~ 'til alli'-llliU1V(' 10 program ('x/raction So-call('d 8ubJjet-types can be us('d to db(ard til(' (OITednf.'8S parto of II pronf ("~"I" INI'S'lOll .. However, this has the - ver) high pr'iC'(' of making typing undecidablc Tbb 5bouJd )'lot. ("I)ln(' a~ a surprise" v.e call110t. exp('( t. t.hM, d, I~ d('('l,hl)ll"' v..hct.her a pl'Ogranl sat,isfi!;'s a ~Iw(.jfi< ~Itlon

The ltnd('C'idabild,) of IYIH'-dH'('killg In('all~ t.hal l.hN(, lS lillIe practical differen((' betw~"m t.hl~ approach !LIHI Hppm!ll Ii (I) III fHCI, II call he> fll"g'utd Ulal t.he~e systems aI"(' no longer

1,.3 OVERVIEW OF THIS THESIS 5

internal programming logics, beciLuse, although specifications live inside the system, proofs that programs ha.ve certain types, - correctness proofs - live outside it_

There are an important differences between (ii) and (ill)" When types are complete speci­fications, Borne of the advantages of having types that were mentioned earlier are lost" Types are no longer easy to read and writ,e, and type constraints are no longer easy to verify"

One practkal difference occurs in sit'-;'Itions where we do not have a. complete specification for a program In ptactice, such situations occur frequently, beca.use for large programs complete C;Orrectne,~s proofs a.re not feasible, and not even all that interesting Typically, our only concern is the correctness of relatively small " algorithmic" parts of the program .. Approach (ii) is then mllch mote convenient than (iil) .. It. gives uS the freedom to choose {or which parts of a program we give complete specifications and correctness proofs- FOr the rest of the program we use the incomplete specifications provided by the type system ..

D\lring the construction of a program the opeCificat,ion may change" An advantage of the distinction between type information and th~ logiql illfonna.tion - given by the predicate -in approach (ii) is that any changes in the specific'aUon arc more likely to be in the predicate than in the type .. This also a.ffects the re-usability of prograrn~ alld types The same type can be used in different situations, with diffel"ent predicates .. For e:<:ample, a. type of trees can be used with different, predicates, for instance predicates expressing that t.he trees are sorted or balanced ..

1.3 Overview of this thesis

As ~ta.rting pOillt we usc Pure Type Systems (PT$s), as desctibed for instance in [Bar92j .. In particular, Wf' nsc thc PTSs in Barendregt'8 A-cube, which give the fine-structure of the Calculus of Constructions The nice thing about PTSs is that many type systems can be defined as PT$s, and Iha,t, t.hcsf' rlefinltions are very compact, This makes it easy to compare systems, and is all,n \ISf;'fnl to dc~ign "type ~yst('m for a particular purpose .. Another advantage of using PTSs is that their syntactic t.lwot'y is well-developed.,

Apa.rt from PTSs, we also us~ DPTSs A OPTS is the extension of a PTS with a definition­mechanism .. This extension docs not increase the overall exptessive power of a PTS, but it is indispensa.ble for practical usc ..

We de!;ign a PTS AIN[ that can be used as a programming logic In this PTS both programs and their torrcctness proofs can be handled as relat~!d but distingUishable objects .. There is a strict separation between thl:! pmgrhlllming language and the logic' e;1{pressions in the programming language cannot depend on loglc"l expressions.. Of courSe, logical expressions can depend on expres8ion~ from th~' programming language,

Two extensions of this basic syst~m arC grV(:ll Thf' l"cason for these extensions is prag­matic:: we want to indllde more language constructs that arc useful for programs and datatypes in the programming language,. First the system b extended with more type­constructors (namely +, x and :e), a.nd then it is extended with recursion.. For the logic a.~so('iat('d extensions are needed for reMouiug auout. thes!' new language constructs

Three aspects of the basic ~yst.p.m and it.~ f'xt.cnsions can be distinguished syntax, prag­matics and semantics ..

6 CHAPTER I INTRODUCTION

Syntax

Of all the systems the most important syntacti(' properticl> a~e givrn, ~Il( h il..~ sllbjetL reduction a.nd uniqul:!uei:l!;> of type",,, Th~o~~ pwperti!.'o ltr~' th(! ba>;ic "soundness" criteria for any type i;ystern" For PTS~ rno~t of th\'~(' pr()lwrt,i{'~ itr!' wdl-kno\\n, and for the different exten8Jons they Carl he ptOVI~([ in I.lw same way" Of vital 1mportance for the decidability of typedl(>cking is the ptOperly of strolll; llOm~alii;alion of lype expressions

Pragmatics

Although programs and COtt"CCt.IH'SS proof are separate objects, we want to be 1\bk 10 tOnslrllct programs and their COl"rc('tncss proofs together" For this, syntax-dir~cted (or (ompo,;itlOnal) rules Call h~ us(>(!.. Thf' prograIIIJl)ing langllage pl"ovirles typing rnles that dedu('e th!' type of a program from tilt, typ~b of ltb !.'OmpOIl('lll parts In th(' logic matching proof rule!; Cal) be derived, that deduc(' a prOw'!ty of th~t, prngT<tIIl frOIIl properties of its component paTt~ With these coupled derJvat,toTI ruk~, 1)T(l~rll.m~ iLlld th!">ir tol't"cctness proofs can be (on~tT\l<,tfd hand tn hand"

Instead of using these compositional rU)('8, prop!:'rt.k~ of prog.I"itltl~ (all also be proved u8ing equaUt.Jes bi;'tween progran18, h' \l~iTlg (OTrl'fhl("sli-pl'estrving transformations" The p()wl~rful quantifitat,ionl'; that ,tn" availa.hlr makt it po~siblc to exprcss and proV(' ~1I(h trHIl~f()Tlw,tion t"\11cs im.idc tht fMIIlal ~Y'stC1IlS

Semantics

The semantics of the systems is tleated in the ~e( (1)(1 part of t.il(' ! h( ~i", ill the chapters 6, 7 and 8" It i" aly,ay" dOlle llSUlg Ill(' following tlllee st.ep"

For ea('h of the programll'lillg l~llgll<lW~W(' fir~t glve a general modd ddinit.ioTl, \\ Iuch des(;ribes the g~ne,al ~t.nwt.llI'(' of a lllodel for !.ht pt'Ogl'amming lallguaw' Tll('~(" g('rlcl'al modd definitions art (''X1.()rISiOIl~ of th(' 13MM-environment 1ll0d~~ls gtVNI ill 1:13MMOO]

Then an trl~t.il,llt.l~ti()ll of tlll~ g(,'Ilt'riti lIlodd dcfilllLion is giv('n" For t.Iti~, t,w(J kinds of modeb will be u8t'd, PER-l))odd~ ~lld (PO-IlI(Hlds For t.he programming languag('~ wi!.hout recursion th~ mor~ or l~ss standal"ct PER"l1lodcb an' u~~d F()I" til(' pI'opamming: lang1lage with r("(lln:;i()Il ,L CPO-modl'l l~ Il~('d, ill which all datl'ltY]H'S 1'1,]"(' iut.npr('t,rd ;l~ (POS and I"+l(" \lI'si VI,! prograIll" (lr~: in!l"I"]lll'lI'd iL~ [('it,,!. fix('d-points

Based on the general modd dt'hll]tlOll~ for the pr()graItlIllillg hngllage~, ~impll' modl'lh for thi;' 3880ciated logk~ 1\1"1' gtV('ll Tlll!"( CLn' ~(J-ti\lltd pt'oof-irl"(>k~an((' modl'l .. , 111 \\ IIl('h propol';it.iOI1H arl' ~ilIlply iIlU"qHN('d ;L~ truth values These sil1lpi+' lllodd,; fOJ' til(' logics suffice to ptov'(' the corl&is!.tIlcy of t hI"' logi('s, and of allY axiom~ that an' iLdd("d

Short description of the chapters

WI' ('oIHlll,k tJll~ 1I1tmdll( t.IOll \\ltlt iL sitor! d('s(,l"ipt.ion of the individual (ltiLpl<'I'~

In dl;lp!.t~r 2 M" gIV(' <L "itor!. lIltiOdl.lct10ll 1.0 Pnre Ty])(' Sy~tPll'l;' (PTS~) itIld thl'lr most important prop(,l'tie~ W~ al~o d('hIH~ DPTS~, PTSs !x!('Ild('d '\o\oll.h il denl1ltioll-llH'( h'VI'!"IIl, and givc their maill pr'Opfr!i<'s

ThE' re8t of t.ht, tht'SI~ IS d1\i'I(kd 111 two pill t,:>,,, Th" fltW PMt, (OIl({'rtIH thl~ S}llUtX ,\Ild pragmJ:ttk~ of tlie ddfen')lt ~y~tf'llI~, t h! ,-(,'I olld pill! til(' semanti(,~

13 OVERVIEW OF THIS THESIS 7

In cha.pter 3 the basic 8Y8tem, the PT$ .\oWL, is defined.. It is a PTS that comprises a programming language and an !\J;80dated logic In which properties of programs and datatypes can be expressed and proved.. The programming language is AW, which is the PTS that correspond to Girard's system F"' [Glr72J- It is a. higher-order extet1sion of the Girard­Reynold8 seNnd-order (or polymorphic) lamhda calculus .. The whole system AWL can be reg<l.I:ded a rennE:IIumt of the CalculllS of Constructions ..

In the next two chapters, exten,;ion':> of the programming language and associated exten­sions of th~ programming logic are given ..

The fit,'St extension, given in chapter 4, is the inclusion of so-called +-, x. and E-type~ .... In the progt'''amming language these can be used as labelled products and sums - Le .... records and variants - and abstract datatypes .. , In the logic they can be used for conjunction, disjunction and existential quantification,

The second cx!.(msion, given in chapter 5, is the extension of the programming language with reCurSIve datatypes a.nd rC("\lrsivc progl'ams .... Programs are then no longer guaranteed to terminate Domain theory is used as the bal:ds for reasoning about recursive programs and non-termination, .. So, axioms are introduced in the logic to reason about recursive programs in the style of LCF [GMW791

In the next three dl<l.ptcr,:>, Wf: ((lll,;id!'1 ! .. itt, :';!'lIl<'l..ntic:'; of the different systems that have be~~n Illtrodu(:!:'d

Chapter 6 treats the semantics of the basic system introduced in chapter 3 A general model definition for thl:' p1'ogramlllmg Ill,lIgultg( is given, whkh describes the general structure of a Aw-modeL II IS sitOv.n I. it ai, ! he standard PER-model is indeed an insta.ntiation of this g~ml)ral model definition .... For allY illst,u1tlatlon of the gener"al model definition, a simple proof irrdevance model Jj\lffi(I'S for ! hc logic TIJi~ tnl';'LltS that proposit ions are interpreted as truth valueJj, and all proofs art idcntifit~d This intclpretation of the logic can be used to show consistency of the logIc and of ~)(jom$ tltflt ll.r(, a(\(I('d to ! .. hl' logit, C'g .... the axiom for classical logic.

In chapler 7 t.hf' g(\neral mod(\l ddlnit..ion is extended to incorporate the extensions of the programming language given in chapter 4, i e the type constructors +, x and E .... Aga!n, it is ohown that the standard PER-modf'l provides an instantiation of the general model definition, and a proof-irrelevance !jelnalltk~ of tit!.' logiC is hi' lIs('d to prove consistency of the logic and of axioms that have bel:'n added

In chapter 8 the genend mod!:'! den tIl! iOIl iJ:; ~~xtE'nd(d 1.0 illforpO!'atc the extensions of the programming languagl:' giv!:'n in {'hajlt~!r 5, u l n'Cnr~IO[L W(!; now give a completely different in~tRn! .. iati()Il of !.lli' g!'ni'ral llIod!'1 defiuition, namely a CPO-model, in which datatypes a.r~ interprNcd a.~ Cp08, and the fixed-point operator as the least fixed-pojnt operator On cpos .... As beforl' , a proof-irrelevance semanlirs of the logiC' is used to prove ('()n~is!.(mty of the logiC and of axioms that are added ....

Finally, in chapter 9, we giv!; a (U1)lpC!,ris(lII With rclal.f'd WOI'k, and suggest some directiono for further research

Chapter 2

Pure Type Systems

PUl'e Type Systems (PTSs) pr()vid~ a Wily (Jf describing a large <Jass of type system~ in a uniform way They W('I(' intIoonr,ed by S" IkrMdi [BcrSSi and J Thrlollw [Ter89] as a generalisation of th(> I'ystcms lt1 DarE'ndregt'~ Ifimbda cube [Bar92].. The notion of PTS IS llseful for two reMonl'" Firstly, some nwUHlwor('lital properties can be proved for all PTSs or for large clasl:>e~ ()f PTSs at the sam() Hll!\' S<'condly, many type ~y",t,em~ can be descrjbed as PTSs, and thes!' tompact b\lt very p~(~{ i~!' dcsct"iptions make it pO!;f;iblc to compare a.nd clMslfy them They also mak(' it i'a~y t,o design a type sYl:>tern for a particular pUrp(l.';(', as will be dOll(, in chapt.er 3 ..

Tht' "pureness" of PTS" lit'S in the fact that there i~ Ollly one type constructor, namely the dependent product n (whiCh gcneraJis('s th(' funct.lon space -t), and one reduction rule, na.mely i3-reduction" A a result, PTSs are very bare type SY$t('ms .. In the conroe of this thesis we will extend PTSs wjth rnO!"(' type constructor!; and associated reduction rilles, but the !::SsCrItC of these systeD1~ will iLir"NLdy be contained in t.hrir underlying PTS ..

One shortcoming of PTSs is that they do not provide a way to introd\l('c defin!twn~, ie .. ILbbteIJULttOns for t.erm!; Such a facility do('s !Jot illtrMSe the overall expn>~sive power, but it is essential for practical usc" Indeed, all IlllplE'1l1tntations of PTSs, "l~th as Coq [Dow911, LEOO [LP92] , and CONSTHUCTOR [H('191], d(l pr<lvide a definition rn~(;ha.l1ism, even though thE' fot'mal definitions of the t.ypr ~ystems they impl~llI('llt. do not This in cont.rast to the AUTOMATH system~ [dI380[, whcle' t.lw ddlnition 1Tl(~c!JAlli~rn is explicitly COn$id('red as part of t.ht formal system ..

FOr' this r'eason DPTS~ f'xt,l~ll~iollS of PTSs with a. ddinitjorl mechanism - wCre introduced in [SP93] [SP94] For ('VI'ry PTS thclE' is a C()n('~IJ(llJdiJlg DPTS In some rcspcd,S, these are the same type Qy~t.elll, iLnd dependinr; Oil tit(' Mitlli\tion It may be preferahlr to look at one or the ot her The PT$ providrs a mor'(> ab~t rae! vi('w, which is useful for t.alkillg abo1d a system But for working m ;t system the definiti(lll nH''f'hiUllSm provided by the DPTS is needed

The extension of a PTS wit.h ddjtliti()B~ 1M 11M a~ harmless as it may appear' at first sight .. In particular, it b a)[ Ojlf'll problC'lll whetlH'r tll(> c;':(.('llsion alwll.Ys prest'[vC$ the property of ~trong normalisation" For 01(' PTSs us/xl in t.his t.hesi!;, WI' do prove that the extension with n!-!f1llition preserve strong nOl"l11!{liSH.t.ioll

In section 2 .. 1, the ddinitlon of PTSs and th(~ir IllOSt important properties are given In stctwn 2 2, the definitioll (}f DPTSs II.nd their most important. pt"operties are givcn, Finally, ill ~cttion 23, the relation \)('tW('f'll PTS" and DPTS!; IS discu~~t'd ..

9

10 CHAPTER 2 .. PURE TYPE SYSTEMS

2.1 PTSs

III t.hi~ ~pctl(m WE~ ddin~ Pure Typo:> SystO:>nlS and list t heir most lmport.ant propelties For a more comprehcllsiw' disCllS!liOlI of PTS8 W(~ refel" to [BH90:1, [BarOI] 0[' [Bar92)

A PTS i~ a t.yppd lambda (:akuhl3 It um be defined as a 4"tuple cOllsistlllg of a SE:'t of pseudot.etms, a SI't. of pS~lld()( ()nte)Ct~, a reduction relation on pseudotE:'rms, and _ .. most importantly - a typing r('lat.lOll .. This t.ypillg r~lll.t.ion is dE'fin~d by Il. "E't (}f infH~nc E' rules for deriving judgement.s of the fOlln

r r 11:: A ,

which is read itS" (J hll,J:; tyP(! A in context F" or "a is an inhabitant of A in conto:xt r"

2 .. 1 DF:~'lNlIION A 5peClficalw1/ of a PTS is a triple (S,A, R) with

• 5 IS a set of symbols callNI thr Wlt.~,

• A ~ S x S , a set of ax tom! of the fot'1ll $ :: S' ,

• R;; S x S x S , a sN of 1U!C~ of !.II(" form (.~I,~l, ·'.:d

w~~ writ~ (81·,82) for a rule (8\.,8.,83) E R if 8. = SJ All p"rSs mentioncd ill thi~ thesis will only have rules of t.he lorm \~I, ~2) U

Th~ oort~ in S are the llllhers('~ of t.he type systettl In specificatiolls given htCl these may incl~lde a sort >I< for the UllivcI'S(' of [l,ll types, a sort ~. for thC\ univcrse of all datatypes, or a I,ort *p for th~ universe of all propositions The axioms in A establish a hierarclq between the uniwrscs., The rulcs 111 R (ontrol t.he' dq)(ll(lellfi('~ hC\t.w('(ll illlt[LbltiLtlt.S of tbe different universes, by controlling the [Lh~t.ract.i()ll~ Ilnd qllitllt.dlfallolls that. ilt(' alloWf(L

TIlE' PT$ op('('ified by S = IS, A. R) is denotcd by )"S, Th(' ps('udot('I'll!S of a PTS are defined bdow There is just. Ol1(' (oll('ction of psC'udoterms, ,,0 there b no a priori di~tinction between terms and types (Ol" othct' "levels" of expt'cssions) This is all importallt difference bctw(:("Tj the definition of a t.ype systC'm as a PTS and a more ad"hoc dehnition When a particular PTS is dehno:d, we wIll generally distinguish different sets of p~eudoterms for tho: different l(!velo of ('xpre88ion~

2 .. 2 DEIINI'rloN (P~('lld()t('rlrl' of a PTS) The set of p,~e!ld.()lc'·m.~ T ~s of il PTS AS = >'(S., A, R) i" ddilwd by (Wi'! ll~lliLily JII~t writ.E' T I

T •• = VOlr I S I (TTl I (WarT. T) I (TlV,uT. T) ,

where Var is t.lH' ~d. (If v'lri,~hkh.. Woo i\~~lIm(' t hert' /Ire disjoint s\lh~ets Var" oj VOlr for 1\]]

8eS 0

Doth )" and I1 bll1d vallilbk~ HI (A.1 Ali) !lud ([ LI :: A b) ON lllT('tJN~ of .. r 1tl b [LrC' bound Free and hOllud ~iln<lbkM ,lI(' dchllcd !I~ u~lml FV(A) dCllotCh til( ~d 01 viLriahlt~

OCCut"rillg frt(' III iL t.Erm A We t;;lk(, t)w u~u;;ll '''~loppy'' approadl to bound varil\hl('~:: h'rrnJ; that al"f ('<[ual up 10 thE! r~!lIalr~\tlp; of hnnnd ~i'mhhh'~ are identlfi('d, 0'11](1 we a~~11!XW that m

all ('xpr('s~i(lrIs til(' hound v~tnl\bl~'~ are dbtlllct from the frC'e variabl('~ We write A ;: n If A iLlld n arf! equal up to J'('llamilJg of bOlllHl ~at'iilblc~, ilnd AI..l = fl.1 for' A 'with B ~llb~titllted for t.lH' hpE' (H C II rrell('('~ of .x

2 .. 1 PT5s 11

2 3 DEFINITION (Pseudocontexts of a PTS) The set of pseudocontexts CAS of a PTS )"S = >'(S, A, R) is defined by (we just write C)

• ~ E C,

• r,xA!; C if r!; C, A E T, 1: E Var is r-fresh and x (t FV(A).

Here f denotes the empty context, and a variable x is called r-fresh if x Ii! {y} U FV(B) for all Y'B occurring in r. 0

The prefix " pseudo" is used because only the pseudoterms and pseudo contexts that are in the typing relation (Le that are well-typed) will ultimately be of interest. These pseudoterms and pseudocontexts will be called the terms and the contexts ..

24 CONVENTION

• 8~ s~, 8l, 82, range over S .. . X, y, 2; range over V~r (I, b, and A, n, Titngi' OVi'T T r, r', r j , rflng4:! OW'T C

- Applic~tl()Il iI.'-Cs()('iiLti'S tL) the' Idl., ~() (1.1 (12 .. 11,,, is (( ((<1,1 1t2) a3) .. ) an)

- The scope of a A- or II-abstraction extends to the right as far as the first unma.tched clo8ing parent.1lCi:ii~ .. So (AT . .A b e) i~ (A:rA (b e)), and not ((.\::rA.. /1) c)

o

2 .. 5 DEFINIflON .. The reduction relations ~Il ~ TxT and Dri ~ TxT - (j. and 1)-reduction arc.> dc>fitlf"d as \1J';\1<'l.1 h)

(Ax;A bl a (AxA bx)

and all the compatibility rules

f>a blx = al D,! b if~: f!. FV(b)

"'>,q ~nd ~~ an' tht, rdle){iv(~ il,l)d tril,n~itiv(' dO~llr(~~ of I>,q <\.IHI ~'l .. ~fj and ~T7 arc the T('/:kxivi', tTansitiv(~ and ~yIlL1ndr:1i (]oSme'~ of ~fj and ~".. 0

In thc rest of thi~ th~\pt.('r 11-1('d\I(t11l1l d(l('s Ilot pia) a Toll' WI' only discuss the theory of PTSs with Just (j-r~'duction The tlH'ory of PTS~ with (} aud l/-reductloll, trfated in IGCll93], is considerably more complicawd.. This is beta;use unlike (j·rcductioTI, ry-redultion is lIot Chllr('h-Ro~~('r Oil till' ~N of p~(,Hdot.('t'm~

2 .. 6 TULORt:M l CR(l) U-n'ductioll IJ:; Cli11\(h-lhw~er (or tOlIHU('nt\, i c ..

VA, fJ E T. IA ~/l R::::;. ;JC E T. IA 1»# C /\ B ~>fJ Cli o

12 CHAPTER 2, PURE TYPF. SYSTEMS

2 .. 7 DH'JNJ rJON (Typing rC]aL10ll of a PTS) The typing relation _ t- AS _ _ C;; C )( TxT of a PTS AS = )'(5, A, R) if; t.lH:~ smallest relation clo",~d und~r th~ follow~T1g t.yp~ mff'rnlU' rnh'/' (we just v.tlte t- if it is clear which )"S l~ Illt-ant)

(axiom)

(\I~r )

(weaken)

(Ilform)

(llintro)

(TIellm)

(Ikon v)

~ 1- ~ I .~2

rt-A .~

r,y: Af-,y;::A

Ft-b::B rf-A::s r,a' Af-b IJ

1 t- A :; 81 r"x;; A f- B ': 82

r f- (U:rA..ll) :: 8,1

r, J A t- /) B r f- (ilxA B) 8

r f- (A~ .. A /I) (nrA il)

rf-b {HrkE) rf-a A r t- va nrr = aJ

r t- Ii il r t- 13' :: $ B ~i1 B' ----r~ b :: E'

if $1 s~ E A

if x E V;tr"

if ::, E Var'

wh.ere s ranges over sorts, i f! 8 E S .. Not(' th",t by the d('jlllil.iOll of the set of pSf!\ld()(Olltf~xt.:;; C the variable x is r-frt'5h in th!;' nile" (lI<lr)., (weaken), (fIform) and (illntro) ..

r f- ABC i~ ~bort for r ~ A n 'l1Id r t- B C q

If x does not occur free in B, (ilr.A IJ) i~ writkn ;t~ A ---t B It is easy to ~t'~ thiit thl' following rules are derivable

(---t form)

(---+ Intro)

1 t- .il .. SI r f- B :: $2

r ~. A ---+ n :: .y.~

r,I Af-b B rf-A---+IJ ,~

r t- (A)' A li)'A::' B

rf-b A---+D rI Y I1::A

r F va B -,,---

In a gJven PTS Uwn~ rn8y 1)(' rnlf'~ (~l, 82, 8,) E R fOl'" which the rulE' (DformJ l~ mOn gcneral than needed, and just the rul~' (---+ form) w[)l1!d ~l1ffi('c ..

As a.lrtady 1I1Cllt101l0d, the typing relation seh.;cts th(~ !(-nnS ilud ('Ollt.Cxts from the p~eu­doterTll~ aud pseUdo('(Hltrx t~

2 .. 8 DEFINITION (T('rm~,( ()nt.E'xt~,wdl-typ('dll('S~.,r t- _ :: A, r f- (, .. "I··

I.. A pSi'udot.crTll A lfi a (AS -)/(mn. if r f- A n or r f- [J :: A 1m snlllC r a.nd B

2 .. A p~t'udo(:onti'xt ,.. i~ Il. (..\8- )umlrx/ if r t- A B for ~OHl{' A ~ ud IJ

3. . .A tt'rm A l~ 1,dl-typ".il ill ([)llif'x1 J If r t- A n or r f- n A hr .~Olll(' BET

<1 .. A tfrrn A i,; m/!n/ntui ill ("'olll ext r -lVlitt(,ll r f- _ .. A "If r r- II. A for- SOlll(, (1 E T

21 PTSs 13

5 A term a is typable in context r - written r I- a :: _ - if r f- a.,A for some A E T

So a pseudoterm is a term iff it, i~ well-typed in some context, and a term is well-typed ill SOme context iff it is typable or inhabited in that context There can be well-typed terms that are not typable, namely sorts which ar(l' at the higheljt level in the hierarchy given by the axioms A, (i .. e_ tho!;e 8 E S for which -,(3s1 E 5,. (s ./) E A) ) .. The distinction between well· typed and typahle only plays a role in some technical proofs about PTSs ..

We will sometime8 be interested in the sub-context, cont,airling only the declarations of va.ria.bles that belong to certain sorts"

2,9 DEFINITION, For a. Context rand 81, ,Btl E S, the pseudocontext rill lin is defined by

{ r'! r'! 'n

~n, IX'

Properties of PTSs

A if ,x E Var' j for 80m!' i E {l, other~[sc

.. ,n}

o

Below we list some of the basic properties of PTSlj Proofs of these properties can be found in [GN9lj or [Bad21

The 6rljt two lemmas state that the context beha.ves :u; exp{)(:ted

210 LEMMA (Start) .. Let r be a. ('(Hltext .. Then

1 If s :: $' E A, t,hen r r- 8 51

2, If x A E r, the.n l' t- ::1;' A o

2 11 U:MMA (Weakening) .. If r is a context and r t- a A for ljome r <:;;; r - l..e :;r;:: B E r for all x :: B E r' ,t,hf!n r f- (l A 0

The next lemma is used t.o prove ptop<,rt,i~l'. by induction on the structure of terms.,

212 LEMMA (Generation)

1.. If r I- 8 C then C ~{J s' fOl" somf' (~ :: /) E A ..

2 .. If r I- :t :: C then C ""'8 A for some x :: A in r ..

3,. If r t- (nl::::A.. il) C then C ""'(3 83, r f- A Sl and r, x .. A t- B :: 82 for SOme (51,82,83) E R ..

4 If r I- (Ax.A.. b) C then C ~f;J (IlZ:A .. B), r f.. A 8), r,x: A f- b:; Band r, x .. A I- B S2 for some BET and (81, 82, 53) E R

5 If r t- ba C then C ""'iJ nix .. =; a], r f- b .. (l1zA 13) a~ld r I- (! •• A for some x E Var and kB E T o

If a term is inhabited then it. is a "or!. OJ it j~ typable with a sort..

14 CHAPTER 2.. PUHE TYPE SYSTEMS

213 LEMMA (C()rr~dlltSS of T~ pcs) If r f- a A thE:'l:l A E S [lr r t- A :: s for SOInE:' 13 E S .. 0

The (:oll~dioll of lllhabilants of a type is dosed under H!duClioll

2_14 LEMMA (Subjecl Heduction :: SRp) If r f- b .. IJ alld b 1>{:11/ thcn r f- b' B q

It is possiblE:' to rel:itn('t the pla(('~ in a type derivation where til(> rulc (weaken) can bE' applied"

2,.15 LEMMA (Restricted Weakening) .. If r t- a :: A, thcn there is a d!:!rivat.iotl of this in which all applications of the rule (weaken) are of t.ht form

rf-b::D rt-A::iI

r,x Af-b B x E Var" <Uld I) E S u Var,

II; (weake:n) i~ onl1 used if the subject b is II ~ort (lr a variablc

This lemma will be \1sefullater, wh~'lJ lutnpr!'!"U iOll» afe defined by iJldlH bOll Oh type deriva­tions, as it allows U3 to restrict Ow p()~~lbl<' foun of dcrivatio115

Most - if not all PTSi; that. alf of mto:'j"C'st arE:' Jl!1/.ctwniLl PTS~ ..

216 D~I'lNITlON .. A (sP((Jllfation of al PTS 18 called j1mdiOnal If

(8:: ~') E AA (,,~ $") E A =*'­

(Sj,$2,SJ E RA(SI,~2,83) E R =>

J ,,' n 8 :::""}1

o Tht> distinguishing lH'Operty of the f\\)I('(.I(fll,tl PTSs is t.hat the t.ype of <t !.<'rnl is unique up to B-conversion

2 .. 17 LEMMA (Uniqueness of Type!; - UT fi - for functional PTS) If r t- b :; Band r f- b B' thl'f) n ==;1 13' ..

Pn.OOJo' Set IGN!llJ or [Bar!)21

o

All PTSs mentioned lTl thif; thN;i~ iLu' functional By UT WI' [;tll speak of the ty]W of a term, if we only care about it~ typf' modllio O-rollvcIsion

218 DnINITION .. A PTS lS .B-strongiy nOHrwh~mg v..r"it.t.cn SNCl - If all ih t.('rlll~ are, Le if r f- a A jmphe~ thiLt. (L ,tlld A ate ti-stl"ollgly l)(m[l~di"illg;, '" lurh InC'IUIS t.hat ;til t3-reduction sequences startIng in (! alld A temlillMc D

Together, CR and SN imply 01/1,t (oTlwrt,li>iht.y of typcs is d('( idHhh" which is essential for decidability of type che(kin~ .. Not 1111 PTS~ arC SN, and SN (an))ot IH" ])[o~cd for laq!;~ (Iah"!~ of PTSs, unlike CR, SR and UT. For SN WI' hitvf' to consider partlruhr PTSs

21. PTSs

2 .. 10 D~:FINITION (>.-,.\2,.\W,.\C) ..

>. ...... ie the PTS specified by

.\ ---... is Church 's ~~mply typed lambda calculus, introduced in [Chu40] ..

2 .\2 is the PTS specified by

15

.\2 is the second order Or poiymorpluG typed lambda calculus, also known as system F, introduced in [Gir72] anrl lR.ey74]

3. .\w is the PTS specified b)

.\W is the htgher order typed lambd<t (:a]culu8, and is essentially the system F'", intro­rl\l(;~d in [Gir72]

4 .\C is th~ PT$ J:;pecified by

)"C is the Calculus of Const.ru(t.i()ll~, lntroduced in ICR88] ..

o

The relation bct.w!-'!-'n the JjyJjt~m8 is obvious from their Spetlfitationl;l:: >. ---+ is a subsystem of .\2, .\2 is a subsysttm of >.w, and .\w is a subsystem of ),0. A disa.dvantage of these compact specifications is t.hat. SOme work is needed to get soml' idea of what these type systems are, e .. g .. what. types can be formed and which abstractions are allowed .. In chapter 3 the system .xw arid a refinement of the system .xC will be discussed in depth

Tht PTSs defined above are all str·ongly 110rmah8ing, because )"C - the largest one - is ..

2 .. 20 Tn~OnEM )"C is SNp .. o

This was first proved by Coquanct in [Co{185i An alternative proof is given in [GN01] ..

The type chE:!cking problem - r f- 0. A? - i~ th~ problem of deciding whether r I- aA is derivable for giv~n r, (1, and A The typc JlIfen'llce problem - r f- a . -1 - is the problem of deciding if a I.errn (J i~ typable in ~ contcxt r and, if 80, computing its type In [BJ93] it is proved that typf checkmg is deridablc and I.ype Inference is computable for all strongly normalising PTSs with a finite s~1. of SOl IS, Th~>8e proofs only provide algodthms that are far too inefficient for practical USf.. Effi,i{'nt algorithms for some ch.ssl's of PTSs can be found in IB.]MP93j and IPoW3] ..

16 CHAPTER 2 PURE TYPJ::: SYSTEMS

2.2 DPTSs

DPT$S, illtr()(lllccd in [SP!J4j, are PTSs extend~!d wit.h a definition mechaniJ;lIrl In a DPTS, terms and contexts can contain definitions of t.1l1' fMm x = a A A definitioll ::1.' = (L::A introduces x as an abbreviation for the term a of tYI.H' A. A new reduction relation, tallcd Ii-reduction, j~ defined t() tapt\Il"C th(' notion of unfolding d{'finition~

Like a PTS, a OPTS IS ft 4-t'lIplc consisting of a set of psCudot.cfms, a set of pseUdO(Olll.Cl(ts, a reduction relation, and (i typillg l'dation And like a PTS, a DPTS is specified by It triple S = (S, A, R) .. ThE:! DPTS ~pf'tifJcd by S is denoted ASh

2,,21 DEFINITION (Paeudoterrn,; Df ,I DPTS) The set of pse'lldote1"1118 TAS~ ()f a DPTS ).$6 = A(S, A, R)b i~ defined by (we ju~t write T)

T .. - Var 151 (TTl I CWarT T) I (ilV;trT. T) I (Var=T T in T)

o Like). and il, '" bindi; a variable" in (,T=a A In /1) occunellce~ of ::r ill II afC bound

The notionJ:l of fn!~! variablc~, sllbstitution, find 8- and 'I-l'cdlld.ioll are t'xtend('d to this larger {:ollw,t.i(lIl OfPSClldotCflllS in the obviou~ v,ity Fen dcfinitions the ~flrnp wnVC'llt.ions for omitting pareIlthe~cJj apply (L.~ fOl"'\- and TI·abstraltiol)I:' So (.r~a A In be) I::' C'r=IL::A in (,bCI), and not ((x=a:A in I») ()

2 22 DEFINITION (P8~1~ld(H ()ntr'xt,1; of a DPTS) The set of p8e1!dOGont("Tt~ C}"S~ of i\ DPTS AS~ "" A(S, A, R)~ is dt'fin<:>d by ('.'.(' tlsually just write C)

• € E C,

• r~ r"A E C if r E Co A E T, alld ::1' E Vaf is r-fl"esh and T rt. FV(A)

• I ,1:.=<LA E C if r E C, (t E T <Iud A E T, ~tnd x E Var 'I~ ["-rr('~lt and x 1. FV(ll,)uFV(A)

Here a variabl~ .:r 'I" (alkd r -Fe-!h If 1 1. {y} U FV(B) fOI all if n oftllrtillg in rand x f. {y} u FV(b) U FV(fl) fill ,Ill f) = hB o(cnnillg b, r u

Df'finitions in pseudo('o\)t('xt~., (" g I,.l ~ a. A, r', an' (alke! Hio/Jai definitioTl!; IJcfinition~

in pscudoterms, (O .. g" (.x=r! A In I)), "Ie rall('d local ddiui!.Jons, sonwtillH'h ;Ll~{) tailed le(­expressions

2,.23 DEFINITION (~-r('dll('IIOld

The relation _ f- _ 1>1" <;;; exT x T - called O-)(:dUdJOll - IS tli(' 'Hn(l,ll('~1 relation 8uch t1J<LI

• r I, (x=(IA In b) ~b b if x 1. FV(b)

and that Ii; do:-.cd unde!' the follow]!)!!; (olllpMilnlity rille,

• if r, T=f1 A I- II ~61/ thcll r f- (.1'=004 In b) ~6 (I=a A In 1/)

• if r,1. A f- b [:>6 U th('ll r 1 (11..i. A b) [:>6 (llT A.. Ii)

811<1 r I- (At A. 0) 1>, ().I 4.. //)

22 DPTSs 17

• if r f- a I>~ a' then r r (x ... a:A In b) t>6 (x=al::A in b), r r (':t';;;;Aa In b) t>c (x""Aa' in b),

r f- (a b) h «L' b), r r (b a) ~6 (b (II),

r r (I1x;a .. b) h (flza' .. b), and r f- (\x;a .. b) h ().x:a' .. b) ..

We write r f- a 1>t3~b if r r a 1>6 b or D,l>jjb.. For p E {o5, fib}, r f- -I»p _ is the reAexive and transitive closure of r r _ I>p _, a.nd r I- • ~f) _ is the reflexive, transitive and symmetric closure of r f- _ ~p _" 0

So, for example, (x""-a:AIn b)!»~ (x=a;:A in b[x- aD h orx ::== aJ" The number of steps needed to fi-red\lce (:1'=<1 A in h) to (,x;;;;a::A in b[.T: D,j) is exa.ctly the number of occurrences of x in b

In a b-reduction

rl,·:r=a A, r2 f- x ~~ a

none of the free variables of (J can be captured by definitions or declarations in n This is because if rl>x:;:a:;A,r2 E C, (.h('n by the definition of C there al"C no definitions y=oB or declarations y B in F;, for which !I E FV(a) ..

Expanding all definitions in it AS~-p",eudoterm produces a AS-pseudoterm::

2 24 DEFINITION (6nf) .. For a pseudoterm a E T\S6 and a. pseudocontext r E CAS6 the pseu­doterm on fda) E T"$ is defined as follows;:

6nfr( .. r) ~ { 6nfr, (a) if r = rl>x=a:A,rz :r otherwise

onir( ~) ~ s

Bnfda.b) ~ o5nfr(a)bnfl (b)

bnfd.\xA b) - A:tBnfr(A) .. Onfr"'A(b)

onfdnxA B) - IhbnfdA) onfr,,",A(B)

o5nfrtx","aA In b) - onfr~=1\;A(b)

TIl!> d~finition of onfda) is by mdlltt.ion On tlu' llllrnb4:'r of characters in a plus the number of charact.ers In r (not counting brackets) CI

It is not difficult. to show I.hilt

225 LEMMA" 6nfda} is t.h4:' unique b·normal form of (J. in r

PnQQF .. (Sketch) First we prove that Onfdo.) is a 6-normal form of a in r, by proving tha.t r I- a ~6 bnfda) and t.hat 6nfr(a) i~ ill 6-norm:'l.1 form It then follows from r f- a [>6 a' "* 6nfr(/d :;:; onir((/) that bnfda) is the unlque 6-normal form of a in r 0

From the exj~tence of unique 8-nol'maJ forms it follows that o5-reduction is Church-Rosser and W'l"akly normalising. In fact., 6-1··f'ol1tt.ion has even stronger properties, as given by the next lemma

18 CHAPTER:2 PURH: TYPE SYSTEMS

226 LEMMA.

I.. CRJib .. i3tS-r~duction is Church-Rol;l;4:T, Ie

'ir E C,A,B E T [r I", A ~{Jb B;;;} 3C E T Ir f- A I»-Jl6 C 1\ r f- B I»M Cjl

2 .. SN6. o-reduction 10 ~t.rongly normalising

PROOF (Sketch)

1 .. To prove CRfl6 wI' lise the fact that u!Jiqu~~ O-llOtmal forms exiot

Suppose r f- a I»il{ (~l and r r a ~>N a2 Then (1, (1] and u. reduce to tlwir 6-nmmal forms 6nfr(a), bnfr(atl and linf/ (112), respectively. Dy t.hl' following two j)T/)lwrti0s

(i) if r t- a D-6 a' then bnfr(a) =: hnfJ (a ' )

(ii) if (1 ~fjo: Ihen linfi (a) [»11 hnfr(l1)

it. follov.s that r t- tinf!' I (I) r:» fl onfllill ) and r f- bnfr ((<) 1>:> fj ,-Infl (1<.) Finally, by CR{J there then is a cornm()l1 Ii-n·dud of anfj (al) alld onfr(o,2) rllo:' whol~' pmof J~ best illustra.ted by the followilll; dlagritll\··

weight! (J)

welghtf (s)

weight, (.t:=u A In 0)

welght!'((! Il)

weight l (h A 01

welghtr( II r A. il)

(I.

{weight r, 111) -t- 1 (I

n d~f'S

ot 1l('fwISP

weight; (a) + welghtr(A) + weight, ~=, .. 4Ib)-+

welghtr(o) + weight) (iI)

weight) ~ Alb) + welghtl (A)

weight,.,,, A(!J) + welghtr(k)

D

Note that O-reou{,t\ol1 l!; st.ro!lgly llorma)j~h\g O!l ! IH' p,~'~1!aOWrtns Thi~ HI ('ontrl\~t

to B·redudjo!), which I~ !lot stroll!?,ly llorml\h~illl; 011 t.he p~eudotl'nll~ ,~illce for inotalH i

(Ax 11 x .:r)(kr::y T .. r) i~ i\ pSl'lldotom ,but (iJ.H ouly br :<;t.rongly uonn'l Ii~i!lg OIl i'I SUb8e( of the pseudotf:rml; ({' g t,lit )'C-t.nm~) ..

22 .. DPTSs 19

2 .. 27 DEFINI'lION (Typing reiatiOIl of a DPTS) The typing relation _ t-~S6 _ •• _ ~ ( x TxT of a OPTS ).S~ = ).(5, A, R)~ is the smallest relation closed under the type inf(>t!'nc(' rules listed ill definition 2 .. 7 plus the following rules

(6var)

(8weaken)

(Horm)

(8intro)

(13Iiconv )

rf-a;.A r,x=a..A f- x: A

FI-b B Ff-a'A r,x=aA t- b B

r,x""aA f- B. 8

Ff-(x-aA in B) •• s

r,T=aAf-b n rl-(x=a.A in B) .. 8 r I- (.x=aA in b) ;; (x=a;A in B)

r f- b B r t- 8' •• ,9 r t- B =::'{36 B r

r t- b - B'

where s ranges c>Wr ~ort~, i(, 8 E S o

The P.S6- )t,('rm~, tllI:- (,,\SJ- j(ol)text." and tht' notions of being well· typed , typable and inhahited in a COnt,~xt fire ddlllf'd for thl:' DPTS~ I\..~ for PTSs (see definition 2..8) ..

Properties of DPTSs

It is not difficult t.o show t.hat lll(}~t t h(- pi (}pc'rt.i{'~ tha.t hold for a.rbit.rlJ.ry PTSs a.lso hold for DPTSs .. Proofs of the following properties can he fotll\d in ISP!l3J ..

2 28 LEMMA (Start) .. Let r Iw ,1 (Olltext ... TIII!ll

1.. If 8 •• 8' E A, thE.'n r I- s ~i

2 .. If x A E r, then r f-~" A.

3 If x",u,..A E r tl\(,ll r t- ::1.' •• A (fllld, by SRfM ., alw r I- a .. A)

2 .. 2!l LLMMA (Weakening) If r is /l. context <tno r' f- a A for ~ome r <;;; r, Ih('1\ r t- (I A o

2.30 LEMMA (C'orrect1\rss of Typ(~~) .. If r f- a :; A then A E S (}r r t- A ~ t01 SOlll\' ~ E S o

2 31 U,:MMA (Subject RE'duction SRN) If r t- /) Band r t- b 1>fl6// thml r I- i/ .. fl.. o

Like a PTS, a DPTS is callC'd fUlldlOllill if It. ';]lpdfkat.ion b functional (see definition 2 16)

2 .. 32 LEMMA (Uniqueness of T)-prs - UTil~ - for fUllctiolli\.l OPTS) For functional DPTS if r t- b .. fJ ,llld r I- b .. n' then r f- B ;:;':j.l6 B'

20 CHArn:R 2 PURE TYPE SYSTEMS

2.,33 DEFINITION A DPTS is fjb-strongly normailsmg written SN)36 - if all It~ terms are, Le,. if r f- a ., A implie8 th~t. IZ and A are 6D-strongly norma.lising in context r D

Whf1th~r exlending a PTS with ddJnitionf; preserves strong nonnalisat.ion, ie, whether

is an open problem .. JIf:r€ th!' lotal definitions, i e d~'finitiolls ltl terms (~., r)pp(Jscd to the definitions in contexts), an' the: ma.in complication .. In [SP!l3j SN)36 is proved for many DPTSs, including .\C~, the C~dtulu& of ConstructioD8 E'xtr~Il(kd with definitioml H~'n) wC just give a sketch of th!;! proof ..

PROOF .. (Sketth) This is proved by showing thl'rc is a function whir'll Illaps an infinit!;! (~/)­

redu(:tirm f;cqucn('e in )"C6 to all infinl\(' N-reduction scqu('])C'(' In Luo'~ extended Cl\klllu~ of COH",tru(tio liS , I.he system ECC Stronp; IlC1Trrlalisation of ECC It> pmvcd in [Luob9.1 ..

The function':! {-L E TAS~ x C~S~ --4 T~s illld {_} E CAS~ ---+ CAS lln' drfined as follow",

{ .. r}r {{t,a}n 1f r ~ r],.·."O:::lzA,r2 otherwh~

{,'Ilr s ifsES

{a b}r ,- {a}r{b}r p.:J;'A. I)} r ,- A.x{A} r {b} r l" A

{nx .. A .. B} r r;;; Ill" {A} r .. {nl r z.A

{x= aAm b} r (),.:t{AlJ {b} r~ _'LA){ I!} I

{€} {r,:r •• A} {r, ::~ =lz'A}

{T}.I {A.}r {n,X' {A}l'

Th{> only difference betw('~'!) { } _ illld f,(JfJ_) is iu th~' cll\\IMl for !.CnllS of the form (.:'1:::-(LA In b) Thi!; uiffcr('ll(,(' 1~ (fucial for propert.y 11) brio'.'! ..

For thi!i mapping we prove tIl(> followillg; propert.ies,.

(i) If 11 ~(i Ii I.hcn {«}r l>~ {b}r for all r, whel"e l>J \~ t.h!' It;~ll~itiv() cl()~\lrl.' Df ~/:I

(ii) If r t- a I>~ b then {(I}l' ~(f {/)jl, where l>,# 1'" th!-' rdl('xiV(> closurE' of ~Ii

(iii) If r f- (1," A in )"Co tl)('l1 {r) t- {(J}J {A}r ill r:cC

It follow~ from SNb tha.t any infinih' 8b-r('dlltlion sequence baM an infinite numbl'r of H-stcps So, by (i) and (ii), {-L [naps an iufi1lit.~> Bb-rNlutlion seq\l('l')(l~ to an infinito:> fj-rr~dlltl.lon

sequence, By (Ii!), {.L Ul!I]1S .\Cb-tel"ms to ECC-t.!'TIll~ .. SN86 of .\C~ t.h{'ll follows from SN(i of ECC (1

23 RELATION BETWEEN PTSS AND OPTSS 21

2.3 Relation between PTSs and DPTSs

Apart from the question whether the OPTS ).S~ has all the meta-theoretical properties that the PTS \S has, it is important t.o understand the relationship between the two systems .. In other words, what i$ the rdation betMl'en jjtatements of the form r f- a : A, r f- a ~ or r f- _ ;: A that hold in )"S a.nd )..S~ " To anSwer these questions, the definition of §-normal form is extended to contexts

2 .. 35 DgnNITI()N .. The o-normal form b'nf(r) E C;.s of a pseudocontext r E C,\ss is defined as follows

linf(c)

onf(r,.x :: A)

linf(r,.:r=aA)

onf(r), ~." 6nfr(A)

linf(r)

Definitions can be eliminated in \S6-type dcl"ivations 1.0 ptOdtlCC AS-type derivations:;

236 TUEOREM (Elimination of definitions) .. If r r>,s6 a:: A then bnf(r) f-;.s onfr(a): 6nfrlA)

pn.(lOI' Straightforward induction on the derivation of r f-.\s~ a .. A

D

D

This means that inttoducing dcfirllt.ions dOt~S nOt. inCl"f!l\.~p. th1! expressive power of the system .. An immediate consequence is that the extension of a PTS with definitions is conser­vative In fact, there are three pos.ablc notions of conscrvativit) .. Apat·t from conservativity for statements of the form r f- a A, we also have: conscrvativity for statem~nts of the form r f- a _ or r r _ A, as defined in dC'finition 2 .. 8

237 COROLLARY (Conservativity of \S6 over .\S) L!;!t r be a AS-('ontext and a and A bl;' .\S-terms Then 1 r r >'5. a A =- r r AS iZ :: A 2.. r f- AS~ a_{==} r f-,\$ a ;; _ 3 r f- .>,S~ _ "A {=} r f- AS _ A D

Part 3 of this corollary is the nsnal notion of conset··vat.ivity if we think of types as propositions and their inhabitants as proofs It stat.es that a .\S-tcrm A [s inhabited - i..c .. prova.ble - in a .\S-context r in .\S6 iff A is inhabited in r in )'S,

For functional SySt.(.!HIS, t.h(!1 p is ('Wn Il, I;(,rollger r~,latjon betwe~'l~ ).$ a.nd \$6.. The(1-rem 2 .. 36 says that, rnod~110 6-conVer~]OH, a '\S~-term does not have more types or inhabi­tant.s ill ).$~ than ito; 6-nonnal form hM in .\S.. The following theorem says that, modulo 8-conversion, a )'S6-term does not have fewer types or inhabitant.s in ).S~ than its a-normal form has in )"S, provided S is functional

238 THEOREM (Introduction of definitions) Ld S h~ a f\lllctiona.1 ~pf'dfk8ti(l1l., and II'! Q and A be well· typed in context r in .\S6 (and 1;0 r i~ a )'Sli-cont.~xt.)

If tinf(r) r>.s 8n(d(J·) 8n(r(A) t.hen r I"~S~ (! A

(In examp)!' 240 it i~ ~ho"'J\ wh) UI!' n'sl.lu:tiOll t.o fUW't.ional o;Yjjt.emJj ]Jj needed .. )

22 CHAPTER 2 PURE TYPE SYSTEMS

PROOF First WE;' 8how that, th(' mil'

r t- b .. li r f- B r>p6B'., ({1ARED) r f- /) B'

is a.drni.ssible in ),Sb

Suppose r f- b Band r f- n r> /368' To prove r f- b 8' W~ only have to prove that. r f- B' :: 8 for 80m!:' oort ~., bN',UI~C \\e have the rule (6b,onv) .. I3) conectness of typc>; (230) it follow8 from r~· /) .. B I.hat. r t- B S 01' B E 5, but. r t- li C>f;I/iB', and so B f/. S .. OJ SR~/i

it then follow8 Oil:!.! r t- fl' •• s

Then we show that til(> nIl('

(fj<"CONV) r f- b :: B r f- IJ ~fl6 Bi Bf is well-typ!:'d in r r f- b n' -----

18 ~drnio"lbl!! in AS~ SUPpO$(' r t- Ii E, r t- B ~{I~ il' and tb~\t n' i~ v.dl-typed in r AgHili., It. ~llfficcs to

provc t.hat r t- B' $ for ~onw ~(lrt A W(, dih! iU!;lJi~h two ('as~~

• Case 1 r f-. n' TIH'U bv rOnN! IH'SS of typE'S r I" il' .. ~ Or H' E S If r f- B' .~ \\-e

are dtHI€, and if jj' E S then l' f- B [»66 il' and til(' mle ([J6RED) apph~'~

• Ca..~(.' 2 •• r t- B' C .. r f- b B., ~o by (",(HTI'( I,ll('~~ of types we call di~tlllglli~b two cast'S

- Case 2 . .1 r f- il 8 By SRM Ill( ((JJuIlIOll [cduct of il alld [1' hil'; both type 8 and type C, so by UT i36 r f- C ~iJ6 s [lut th('ll 1't- C [» eM $, and by thf' nih- (65RED) it f(lll(lw~ from r t- B' .. C t btl r f- nl 8

- Case 22:. n == 8' E 5 TIH'1l r t- D' [»06 8', ~o by SR{jb 1 t-~i C Tl[)~ rneH.[\~ that t1J(!r~' i~ !;()HH' (~I ,) E; A such that r f· C ~/jb' By tlt~ nIh' ({:IhRED) it follows from r t- B' :: C t.hat r f- [J' •• ~

We are now ready to prov~' UII' t.h(,OI'(,lll Suppose that (l. >l,wl A MC wcll-typ~'d !l) n.llll('xt.

r in ),Sb and tinf(F) hs linfr(a) bnfr(A) To prove' r t- )..S~ a A we only havE' to prov(' r t-AS~ a _ B~'(;aUhl: if r t- ),Si a B for

Some n, !,h(,11 8nf(f') t-,.,s 5nfrlal bnfrW)., by UT /j hnff (E) '::!~ I>nfr(A)., ~(1 r t- B ':::!~~ A,

and by (d8CONV) r t-AS~ a A It is not difficult. t() prO\-E J t- AS.~ II .•• _ (r is wcll·t.yped 1)1 T, ~(j r t- ),5, (I _ or r 1- ),S~ _ tI, ..

If r f- ~S~ _ ;: a then by corredllE""'~ of lypI';;' r t- ),S~ a s or (! Ii: S .. If (L E S, then it follows (rOIll 6nf(n t-)..s hnfr(rz) f.nfdA) hy tb(' W'lI(~r;t!ioll l(,lllma (2 12) that (11/) E A for some 81 E 5, and hellc~ by I.IH'· "ULI t l('mma (2 10) r f- AS~ (/ ~'.. D

All immediate ('onSN[I1(,II(e of thE~Ol("'lIl~ 2:W ,Lilt! 2 J1) is t.bal for flllH·!iOII~d systelU:j a t.)- ping statement holds ill ),S~ iff It~ ~-lIOl"miLl fOl'm holds ill '\S

2 .. 39 Cm~OLL.i\nY (Eqlllv~Llcn('c of '\S Iud ).,$f)

LE:'t S bE" H fllll(:tion<"li sp('fil1eation, and l<'t (l. ~\l!d 4 1)('" WE'll-typed in context r in >,Sb .. fhen

1 r f-AS~ (l A ~ I!nf(11 t- AS hnfr ((0) bnf,(A) 2 rf-.>.s~(t /~ I!nf(1It-Astinfi((/') _

3 r f-),s~" A = hnf(n t-~s _ bnfr(AI 0

23 23

So, modulo 6-conversion, the OPTS >'S6 and the PTS )"S are the same type system.

Theorem 2_38 does not hold for all (O)PTSs. It is easy to give a counterexample for a system that is not functional:

2 40 COUNTEREXAM!'U~_ Let S be the specification

s "" {~,O,O/}, A == {* 0,* .. D'}, R;;; 0 ..

Then in the context x= .. ;D the term x has type 0, but not type 0',

X""~::O t-).$~ x 0

x=* D Ihs~ X lJ'

whereas the b-norrn<l.1 form OfT - * - do('s have lype 0' o

The pl"oblem is that w~ l"e(:ord types in definit ions .. For fllntt.iollal systems this is harmless, since the types are uniqui' up to cOllversion But for non-functional systems the choice of a particular type for a. dcfillil iOll (~! .. g .. 0 a.s the type of x in the example above) imposes restrictions Theorem 238 (:o11ld Ill:' extended to all systems by having definitions of the form X= a instead of.x =0 a;A.. Howcv('r, in a. t.ypechecker the types of definitions will bc rccorded for the ~ake of efficiency. Othct·wisc to typt~cIl()(.k a term we have to typecheck its 8-normal form, which can be much longer than l.h(' original term .. Another reason to inclllde type information in definitions is that in a. dcfillil.ion ::J; "'" (I A the term a may be a proof of a proposition A .. In this case the definition plays tIl!> roll.' of a lemma or theorem, and the type A is then typically of more interest than tJw proof t.~rm a ..

The definition mechanism of a OPTS leaves ~or:nl.'thing to be de~jred .. Many definitions involvc parameters .. In a DPTS, lambdl\. I\.bstrl\.ct.ions have 1.0 be uscd to parameterJse def1.nl· tions.. For example, an abbreviation fOl· the composition of functions can be introduced by the nefinition

comp "\A, B,C >1< •• V A ...... 8 Agf] --4 c.. A:tA q (j .1:) llA, B, 011< (A --4 IJ) --4 (B --4 C) --4 (A --4 C)

Thcn for J::A --4 nand (J B ---. C we can writf: (wmp A n C f ()) for the composition of f and [J Using lambda abstractions 10 pal"amd.d1tie definitions has two disadvantages

A potential problcm is that ill i;l. given PTS the required lambda ab$tractiorls may not be allowed. For installce, III the ~iTlljlJy t.yped lambda calculus A - ahstractions over types, e.g .. )'A, B, C,. .. in !.hf' I.'xll.rnpl(, above, I\.re not allowed ..

A mOr!.' practln"l problem is that terms i:llch as (camp ABC f g) are cluttered with type information .. This problem docs not only arise with definitions, but it is typical of explicitly typed languages .. Often one would want to leave sOrnc pa.rameter8 implicit, to be inferred by the t.ype checker.. We Ul.llllOt expl'(·t Il. t.ype checker to be able 1.0 reconStrud aJl arguments that arE:' omitted .. Howe.vN, in mal\y ~M!:'~ l·econstruction of missing pal"arneters is computable For example, it is not (\iffi(ult to Bee how the type parameters A, Band C in (camp ABC f g) could be reconstmrtcd if they were omitted For the ~a.kl.' of teadability we will sometimes omit param!'1.!'rs (and \18C infix not.lttion)

Part I

Syntax

25

Chapter 3

The Basic System : AWL

In this cha.pter the type system AWL is int.roduced" It consists of

• a programming la)lg\1ag~, whidl pl"(IV1d~'!; program!'; and t.heir datatypes ..

• a logic, which pl'ovides everything ueected to reason alJout t.hese programs" Properties of programs ((' .. g .... specifications of pl""Ogr"ams) can be expressed in it, and it can be proved that a c~rtain program has a certain pt'''opcrty (e"g" meets a certain specification) or not.

AWL can be concisely described as a PTS It is a refinement of the Calculus of Constructions Instead of having just one univcrsc of types, we diBting\1ish datal,ypes and propositions, and restrkt the dependencie~ bet.wN!ll t,hQ.lll.... Thl~ strict separation between progra.mming lan­guage and logic mahs it (,<'ISiet'" to cxt.cnd the programming language withO\1t disturbing the logic, and vice versa .... This is exploited in later chapters, where p08':1ible extensions of the programming language and of t he logic are considel'ed ....

The prograrnr'rlillg langllagr is AW, t.hr PTS which is essentially Girard's system J1"'" So AWL is a logic for re~()niIlg about .\w.... The ~yJjtem AW is also used as the basis of the programming languages QUEST ICar89j and LEAP [PLSgl.... Lik(' all PTSs, Aw is a very bare type system, providing only a few primitives.... Howeve" these arc very general and powerful ones, making AW a very powct'fltl language .... In the following chapters, more typing con~truct .. qn; will he lllt.l""odl1{!,d i!.~ pl""iUlitiv!'~

In fact, .\W[, 11M t1<'O s\lhl:'y~h~m" t.lPl,t (l,r~ (".op[e~ of Aw Olle of these serves as the programming language.. t~rm", ar~ program" and type~ are datatypes.... The other serves a logic.... terms are p,oofo and tyP(~1:' are prOp()8lti()n~.. TheBe two topif's of Aware called AW$

and .\wp The subsuipls rd~r 10 the fi'\.Ct that types ;<trl;! intf't'prct.ed as §ets in AW$' and as :e.ropositions in AWl'

Of Course, for ('very PTS we inoorlut!' ther!' is an as~ociated OPTS, Depending On which is the best suit.ed, we uSI' Olt(' or 1 hI' ot.her .... The PT$ i" used to cxplatn the expressiveness of the system, the OPTS is used whenever WI;' need the definition l)lechanism

We b~pTl by di"t\I.f>siltg l.hr two ittt.~!pt'rta1.iolt~ of AW - ~ a programming language and as a logic - 111 s~ctiOrt8 3....1 and 3 .. 2, fJ.nJ t.hrn itt ~('ct.i()n l3 th!' programming logic AWL is defined .... In section 3,4 we discuss how progran1$ can h(~ (Ollstructed t,ogf'ther with their correctneSl; proofs .. Section 35 contains a comparil;on wit.h t hi! approl!.th t,o program construction in the Calculus of Constructions using progralll extraction

27

28 CHAPTER 3 THE BASIC SYSTEM AWL

3.1 AW as a programming language: Aws

In this section we disnl~!; t.h~ ~yt;tem .\w considered a~ a programming language The following copy of .\w is reserved (or t,he lTIt!.'rpretation of .\1.1.1 as a prograrnmiug langll!l.gf

3 .. 1 Dr:FINlTION .\w'(J) IS tlw (D)PTS specified by

S={*$,D.}, A=;;{~. D.}, R""{(*.,*.),(D.,*.),(D.,D.)}

D This very compact ddlnitlon of )"w$ is not very enlightening UC']Ow WI' diS(:llSS thf' different

kinds of terms !,ha.t. (an be distinguished in .\w., a.nd the dlff(m"ut forrnto of ab8tractions that are allo\\ cd ..

In a PTS there is jnst OIH' (oll("( tlOIl of (p8~udo)terms, but to understand .>..w. I'<e will distinguish different subSd~ for t.h~~ diHer~nt "l('vels" of .\w.,.

1. Progrom,~ .. Thi", in(']\1de~ ctata snch a~ booltan~, uat,mit! ullrnlwrf; (lr liilt5, and func'tion8 that manipulate these

2_ Datatypes and d(£t(zl1JP(.'.-(,,()1In~tmctors Dat.atypes are the typ<,s of progralll~ They fornt It ~ubl:let of the dataty PC-cou!;tm(torh Th~, ot.h(~r datat.YPE:'-Con8tructors ar'e functions •. hat. Cll,T! be used t.o constrnct dat.atypl'f;, wtlt as "- fnw.tlOlI X t.hat maps two datatypes to their prodm t type, or a function list t.hat. IlI~LpS iL daULl.yp{' a to UI~' d(itatyp~ of (f·lists

An important diffl"'rl'lIl'T b(!tW(,(:~ll til(' datatype~ alld the other datatypc-constmctors is that the fOI'Inrr (<lU be 11lllahHed by programs -, whet'eas thl~ lat.t.er Ci1lJnot.. For' instance, a funct.iou list from d~tatypes t.o datatypes cannot be the t) pc of something ..

3 Kmds The kinds alC tlte tYPl'S of dHt.atyp(~-(on!'tructor~ The kinds ar'e generated by

HI: :: = *. I UI: ---j. PO;

*. IS the type of all datMyp€'s, *. ---. *. is the t.ype- of all flludiolJ}' frolll diLtalype-" to dM.M.ypeto, etc .. For example, list has typ(' *. -> *., alJd x h~~ tyP(> *., ---j. *, ---j. *, In pri'U"" t.itl' , ouly tlie ~impl(,~t kind·cxpr·('ssiollS will evcl" bf' Il~('d .. For a {'oJt\plex kind, for Ir)~tance (*~ ---j. ~.) ---> (*. ---> ~.), it is diffitlllt. t.tl t.hluk elf ~ d(itlltYrH.'-{()Il~tr1H t(lr of that typE:'.

There is a fom·th jf'V('·llll AW., WlllC'h (()ll~bt~ j\lst of the symbol D. D. IS the typr of all the kinds, so ~., "'. -" *" ("tc. all bav(' tyP(' D. It plays an importallt. l"oIr in t.hc d('fmition of .\W. as a PTS, ao; it. illlow~ it \wifol'm d('~(l'ip!i()ll of thr pt'ogt'am~, \liLt,!1t.ypl'-«()u~t.rn("t.ols, and the kinds Apart. from thi!; it i8 [j('V('r u~('d

The kinds, dilUitYP(~-COll~t.ntc:t.()l'S, dat.iltypes, and prngriLllls, iLI(' fOflllally ddllH'd as fol­lows;

3 .. 2 DI:.I'INITION.,

If r f- Jf( i"J. for ~elUI[' (.r)l1t~'xt r, tlWll II: is a kind

2 .. If r f- (! :; II( fot" ~{)IU( klllrl U" ,'lId (Ollt('xt. r, tlH'Il (! i5 a datatype- constructor

31 >"w AS A PIWORAMMlNG LANGUAGE .. ..\ws 29

3.. If r F (T :: *. tor SOm!) COntext, r, then a i~ a. datatype (and a datatype-constructor),

4 .. If r I- M :: (1 for some datM,ypc (T a.nd ront~xt r, thcn M is a program

Later, in definition 3,.4, it is shown that the distinction between these levels can already be made for the pseudoterms.,

Contexts can declare variables from YarD, aJ:l da.tll.type-con~trutt.ors and varia.bles from V:Jr" as programs_ For (>xamplc, the context

list "'. ---t "'. , nat "'., n nat, f .. nat ---t nat, 0' : *~ , x, a

<kda.res a. datatypl'-tOn,:;trud,or list, dat,at.ypes nat and a, and programs (data) n, f and x Here list, nat, a E VarD, and n,j,.;r; E VOIr·' ..

3 3 CONVENTION" If(, B(], B(2 range over kinds .. p, Q, T range over datatypes and the other datatype·constructors., O',!3 range over Varo., Le, variables that are datatype-constructors .. M, N, f range over programs x, y, z range over Var"', ie., program-variable".. CJ

Eat.h of the PTS-tllles enablr$ a rC'rtain kind of abst.raction, by allowing certain product tYI)~::s to be fornwd .. Thrre an' til)"!'!' different. fOI'ms of abstractlotl in ),.w., one for each of its rules .. The tulc (0.,0.) provi<irs a fOlm of abstraction in datatype·constructors. The rules C"., "'.) and (0., "'.) provide two forms of abstraction in programs

The rule (*.,*.) make,:, it. pO~J:;lbh> t.o <tbJ:;t,r<tC't. o'tier (l dat(ltype j'TI a program,. This results in programs Of the form (A::ra .. M), wlll'n' a is ,j, datatype .. Such a pt"ogram expects another ptogram (of type u) as atgument It 1S a program that maps programs to programs ..

The type of SItch an abst.rartion is a Itmctton type of the form ~ ---t 1"., The rule (*~, "") allows the formation of these function types

r t- C! .. "'. r f- "I' :: "'.

r f- cr --4 7" :: *.

A simple example of this form of abstracUon is (A;r;::Q" ,x), the identity on a datatype cr, which has type C! ---t C!

The t;-ule (tJ~, *~) makeo it pooosible tu ab"tratt over a ktnd tn (l progT(1m This results in programs of the form (>,Q::B( M) wherE' B( i8 a kind .. Such a program expects a datatype-­constructor (of type 11(1 as argument,

Most abstractions over a kind will be abstractions over the kind *. This results in programs of the form ("\a::*.,. M), Such a program expects a datatype as argument .. It is <t program that maps datatypes to progl"l'Ims

For E'xample, in the program (Ax Q .. ,x) - the identity on a datatype 0' - we can abstra.ct over all possible datatypes Ct., This result in (,\0':: *. A;r; 0' x), the polymorph~c identity_ DE'pending on the datatype this function gets as argument, it produces the identity on that datatype,.

Programs of the form (..\O'JJo: M) are called paromdrtc polymorphIc programs Depending on the dat.atype(rOtlst.1'·urt.or) ~l1ch a p1ogt"am gN,S as argument., it can have many different typc~.. The tYI){'s of thrsr prog:ra.llI1'. are poly1nmJlbc t'!JP(:,'~ of the form (ITa 11{" ~)., For

30 CHAPTER 3 THE BASIC SYSTEM AWL

example, ('\0':*, .. .\x::o x) (OCf::*. Cf ---> Cf) The rule (0" *.) allows the format)On of UlesE' polYloorphic tYPE!~

(0" ~,) r f- O{ :: D., r,o:: O( f- 7" *,

r f- (ITa::;U( 1");; >1<.

This kind of abstraction in programs can be used to define so-called generic programs - programs that are parameterised by datatypes - that behave uniformly for a whole elMS

of types An example of such a program is polymorphic ide!1tit.y dl:!flned abovE,.. A mOre intcI"csting exampll-! i,; the progra.m reverse :: nO'* .• (lI$to) ---> (lista) whiCh rf!vE"n;('f; a list, and

Can be used for listJ:) of any datat.ype .. Another UBI:! of thlo kiwi of ab~tradion in programs involves abstract datatype8 ThiB is treated in more detail iu ..... hapter 4 ..

Finally, the rule (D., D.) allows the formation of kinds of the form 8{) ---> 8{2

rt- U(l:: D. Tf- 8(. o. r f- lK[ ---; 8(2 :: 0,

For example, this rules allo",!; the fOl'll1atiol1 of ~, --t ~" which lS thc type of fUllction8 from datatypes to datatyp('s sllch as liSt. Th~s(' killd~ mak(' it po~siblc to abstract over a kmd ~n a datatype-(;()T!~tT··I£(.·.·lm Thi!; IT~Il1t.,; ill d!lliLtypl~-I"OH.s!.r \let.ors of thc for'm (\0.::8": 0"), when' ll{ is a kind Such a datat.}p(,-(,oll~tnl('tol ('xp('('ts another dMntYlWo Collstrl1ctor (of tyP(' D()

M argument .. An !~xampl!' nfMIHh all Il.b,;tr!Ht.10l1 1M (A.(~~, (, -0 01 ~,--) ~., Ihl~ d:l.t.at.YP('-(·onstru('tor

thai map~ a datMypE' (} to tilE' <i!ltiltypt, " -. "

Another ",ay t.o lIu(IE"r~lilud litt' l,tkd of au j!ldi~ Hlllal PTS-l'UI(', b to consider tlw depen­

dency bNwN'n progriwlM auf! diLtH.typE·~ it lutrn<iuU'8 .. Thi~ l~ Il~Nl in UMcndrcgt's A-cube [Ba.t'·92j, to charactcril';(' tit(, dtfli.'r['ut. ;I.J('~

• (>1<.,*.) gives proqmm.s that depend on pt'OI}'mns

For example, the progr:un (1,1' (r M)N dl:'lwnd~ 011 thE' plOglillll .IV

• (0$, *.) gives proqrams that depend on dat(ltY]lt,\

For example, the program p.(\~ ... M)(J (h'pend~ Oil the dat!ltYJw fl

• (0" D.) giV('~ d(liatypt.~ that dq)('nd on da,tatype$

Fot ('xamplr, t.h(' dMat.yp(' list a- dl'ptlld" OIl th(' datatypl' (J

In definition J2 tlw different levds of AW$ wen' defiw,d 111 t.('·I"IIl'; of Ihl I) pil* relation ..

This distinction can alrcady b(' mad(' for t'it(' pS('\ldot'('I"III~

Kind

Cons

Prog

>1<, I Kind· ,. Kind Vllr

lJ, I AVaru , Kind Cons I Cons COriS

I Cons ---; Cons I nVaru'Kind .. Cons

Var" I .AVar·' Cons Prog I ?rog Prog I ,Warn, Kind Prog I Prog Cons

o

3 1 >'w AS A PROGRAMMING LANGUAGE AWs 31

Thi~ definition refines the context-free syntax given for arbitra.ry PTSs in chapter 2 Note that these three sets of pseudoterms are disjoint .. The kinds, datatype-c.onstructors and programs, as defined in definition 3,.2 Me elemcmts of Kind, Cons and Prog, respectively:

35 LF;MMA (Classification for .\w,) ..

L If r f- II( D. then 11( I;: Kind .,

2 If r 1- (T Jj( Q. then (J E Cons ..

3, If r f- M (T:: *. then M E; Prog ..

PROOF By induction (HI the derivation of r r- (l, A we prove

{

A;;;; 0 8 '* (I E Kind r f- (t :: A =:> r f- A D. '* (I E Cons

r f- A :: *. =*' (:t E Prog

The only non-trivial ('a.ses at"e (I1forrn), (Uintro) and (I1elim)., Hel'e WI:! ha.v~ to distinguish the different possibilities for th(' sllbt('rms of a, i .. ~ wh€'t.h(,I'· these are kllld~, dat.a.lype-constructors Or programs,.

We show just. the case that. t.hl' kst step is the rule (l1form), i..e the last step in the deriva.tion is

(nform)

fDr SOIne ('~l,s .. il E R There art· t.hree possibilities for (,91,82)::

• (81,82) == (0.,0.) .. Then, by the Ill, A,1:I I;: Kind By t,hf! definition of Kind then a.lso A --4 l] E Kind, so we have to ~how Ihat (Ux A B) is A -> E, i.e that x rt FV(B) .. It follow"" from t.he dcfinition of Kind that all elements of Kind are closed, so x I{. FV(B),

• (81,82);;;; (~., "'.) Then, by tlt(! IH, A, B E; Cons, and 50 A - B E Cons,. Again we have to ~how that (I1.T::A.. B) is A ...... 1:1, i c .. that x i FV(B) .. r r A "'., so x E V;,r·'., It follows from tit" d0finit.ion of Cons th>l.t d('lIH'nts of Cons do not contain va.riables from Var", so x fI FV(ll).,

• (Sf, 82) == (D., "'.) .. Then, by th(;' III, ,4 E Kind and n E Cons r r A D., so x E Varo" and hE:'llt(' (fh::A B) E Cons

Kind, Cons and Prog pl"()vidl' it dl'ar l!H'!iUchy between th(~ diIfct"cnt levels of (p~e\ldo)Lerms" Ku\ds can occur in datat'YlW-(O!tSLt'uctors and datatyp~-tonstructol's can oce\lr in programs, but. programs cannot O(tur III d"!,,t.yp('.eon~tr\ld.or~ ()[ kinds, and datatypr-constructors cannot occur in killd,;

),i,L>. and its o;:(C'tlsion with ddiuit.)Oll>; AW.b ar!' strongly normali~ing

36 THEOREM ),WM 13 SN!.l6

o

32 CHAPTER J THE BASIC SYSTEM .. AwL

Baaic datatypes and datatype-constt"uctors

To llSt .l.w. H1I It pT<)gramming language, some basic datatypes and primitive operations on them an~ n~~I>dfd .. There are representations for many datatypes in )"W~, for example

37 RXAMPLE (Polymorphic Church-numerals) The context

polynat o s

na··~. (a ---t fl') ---t (0: ---t (~)

Aa >I<~ .. ),.j.a ---t 0: .. Ax;a, x An..polynilt .. '\a*. AI·a -4 a .. ).x::Q .. f (n a f x)

11<. ,

polynat, polynat -4 polynilt

defines a rp.preSl'!ntatlon for the natural numbers, the so· called polymorphic Church-nurneralI:L These 1··epre~l')ntatiOIlS b~have !\Jj natural numbers from a computational point of view, i .. e .. if wc COI\~idl~r 1,lu~ir reduction behaviour .. For example, a function plus polyn<lt -4 polynilt -4

polynat Ul,n b(! defined olldl that plus (5" 0) (5 m 0) ~N (5" + "'a') D

In )"W. there arc rcprc~cl\tat.ioll~ for products, sums and ('XI~[.('·llti;Ll typc" (or i1bslI'act datatypes), as 1'.('11 a~ mauy "b;lS(" Iyp(!s, .~ucl! ab I.I!I'! PlUpty t'YIH', a IImt typ(', aud Lool('an~ In fact, ther(' arC rq)rf'S(lltatwn~ for all frtw tt~rrn algehraH, >ll' J:'hown in [OOSS] .. A" rqln'~(:·I1-tations of dat.;LI,yp{>s t,lwsI' ('ncodingl' hil,v(~ w('ll-bHlwn limitation,:, (1'4'< fClr ill~!iLllC(' [CPOO)) .. First of all, their rcductlOlI behavIour (all bl' V('I.> illl"'fficicllL FOl l'x,Llllpll"', for a predecessor function pred :: polynat ---t polynat the r·cduction pred (S,,+1 0) [:»B~ S" 0 requires Oln) steps, alld it, i~ not p08ijible t.o d~fillt' It function pred such t.hat pred tS .r) [:»86 T for vil,riabJe~7 Moreover, III AWL nlllH' of t.hp pmp43rtki:' w~· rl(~4:'d, for t'xamplp t.hp indudlOn prill( ipl<> for polynat, are provable So, if w(' Wall I 1,0 r(a~()JI ,tl)l)ut progr;Llns, II, i~ llot IJclpful to usc these unnatural encodings

In the following chapt!'rs, difl('rtlll, dal <Lt,ypt~ ;md d,\.I.iltYP('-(ou:i;l.nJ( i.l)rs will 1)03 added as primitives, even though thl~Ie Illay bl~ ('Ill odillgs fOl t,!H'lIl ill Aw •.. Thi" giyc" uS difcct connol over their· interprctat.iOlI III tbe Illo<icL FOl txallJph, plodud IYPI~~ c:r x c' ('an thcn be directly interpreted as products m the !lIod!'!, and nN ,t~ ,tr) iuterptd,atiolls of their )"w.-cncodings .. This makes it (,;l.si(,f to ('xll'nd til!' pn)gritlllrrnng Ihllguag<' wil h (('rUl.ln op('rat.ions, 01 the logic with cert.alll aXIOlll>;, Oil 11lE' b,J,J'.is of tht> lIlod('L Another ,~(h<Lutag(' iii I.bat a diff'd,

Implementation of these primitives can be more efficient that 4:'lIwdings ..

32 ;"W AS A LOGIC: ;"wP 33

3.2 AW as a logic: AWp

In this section we discuss the system .>.w considered as a logic The types are now inter­preted as propositions instea.d of datatypes. and the terms M prOOfS instea.d of programs" In comparison with the discussion of .\w., the emphaai$ iJ:! nOw mOre on the types than on the terms"

The following copy of .>.w is reserved for the interpretation of .\W as a logic:

38 DEFINITION .\wl'(6) is th~ (D)PTS specified by

S;;;;;; {*p, Op}, A = {"p ;; Op}, R = {("p, "p), (01" *1')' (01" op)}

o The same levels can be distinguislu.'d as in .>.w., but now their intetpretation is different,

The different levels of .>.wp.terms are called

1.. ProQf!;.. The proot~ are sometimes c~llcd proof terms to stress that they are A-termS that repr!:'~ej)t nat\lrJ:l.1 dtdutt,iou proofs.. For human readers, the usefulness of proof terms is limited, because they becom!:' qui(kly too long to be readable They are useful represenbtions of pI"oofs for machine manipulation Verifying cOrrectMSS of proofs amounts to type-checking them,

2" Proposj'/~01!S and prop"constl'1!ctors .. The propositlon8 arp. thp. types of thc proofs If a proof p has as type the proposition P, this is I"cad as "p is a proof of P" ..

Th!:' propojjitionl; fmm ;t ~uhsct of the prop-constructors The other prop-constn1dors are functions that can be mect to (:ollst.ruC't pr{)p(>~iti{)IIs.. This includes the logical connectives, for example It functiol) ;. th!l.t, rnJ:l.p~ t.wo proposit.ions to theil" conjunction, Or a f\lllct,jon ..., that maps a proposition to its negation ..

3 Prop-bnd$.. The prop· kinds arc t he type of prop-con~tructol"s The prop-kinds are genera.t.ed by

IP :: = *11 I JP --4 JP

"p is the type of all propositions" *r ---+ *1' is the type of all fllIlctions ftom propositions to proposit.ions, etc For example, --, has type *p ---+ *1'> and /\ has type *p - "'I' ...... *p'

The fourth level in .>.wp c0l181!:lts of ju~t th~' $yrnbol 01' Op is the type of all the prop-kinds, e g, *v' *p --4 "'p, etc all hav~' t.y]W 01'''

:3 9 DEFINITION

L If r f- IP: 0) for some ('Ollt.!:'xt r, t.h~'11 JP is A. pmp-kl'll,d

2 .. If r t- p lP fot som(' prop-kind JP and some cont.ext r, t.hen P i8 a prop-Gonstmdor

J, If r t- P *p for some context r, then P is a P7'opos!twn (and a prop-constrnctOl")

4 .. If r t- Ii :: P for some proposition P for some context r, then p io a proof

34 CHAPTER 3 THE BASIC SYSTEM .. AWL

The distinction betwccn th~~(' dlffctl'llt. levcl;;, can ah·cady be made for the pseudoterms, exactly as is done for )"""_ in defiuit.ion 34 .. Thl~ "" III be done latet·· for the whole of AWl,

Contexts can declare prop-const.ructors and proofs The former are variables in VarD~, th!:' latter are variables in Var'~ For example, the context

declatcs prop-Collhtrlldms ~ and [' and a prc)of p.. Ii!··n' ~, P C Vatu. <"!.ltd P E Var" The declaration p :: ...,1' ill t.1l!' ,'Olll!'xl i~ all {I~mmJltuJn (01 an (L:t~om), ,i.r. tlte' assumption that there is a pt·oof p of thl' pmpositicHl ~ P ..

3 10 CONVENTION .. /P, lPI , 1P2 t··attgc ovCt pt··op-kinds .. P, Q, R, S, T range over proposition8 and the other prop-constrIICI()r~ .. p, q rang!' O,l't prO()L~ ..

We do not tC~!'rVr ~pr(ial ,ariable~ for ran~ing O,Ct·· VarD • and Varo. P,. Q, can be elements of VarD", and p, q can be eleml'nts of Var+P D

The rules CoOp, *p) and (D~" "p) provide two ways of forming propo~ition~ Thl.' nil!' (*p, *p) allows the formation of impli('ation

r f- P "I r f- (~" .. ~t r r- P:::::- q "p

H!'rc:::::- iSjllSI all!)! Iter no! a! 1011 for --> I.h!t! l(fipcb Ih illU'lHkd iU!!'rpl('IMiolJ Tit!' associated intr·oductlon i'Lud !'llI11iu,t! 1011 [Ilks !IIT

(=*- intro) r, p [' r- q Q r r- F ",., Q :: "I'

r I (ApP q) P:::::- Q

rr-q ":::::-4 Tr-p··P r f- qp q

A proof of P :::;. 4 i~ H fIlII( 1.1011 witi, h Illilp~ proof~ 1)f J' 1.0 j")l ooCs of q, ... dtich is tit!' DrouwfOT­

H~yting-Kolmop;orov intt'rprdlltJOn of llllphcatiou .. OIllittill~ t1w proof I.! nil" p, if, (,\p P q) and qp leaves the usual ilttrod\\ction and C'linlinl"tt ion r\\le~ for lmpli( i!.t)OI) IJI Ilat llr;l! drd ltttion

Th~ rule (01" *1') /\llow~ higher ordt'r uHjver~l\1 (ju<\lltin( ,Llioll

r 1- JP :: 01' r, l' D' r- Q :: *p r f- ('<IF lP Q) *11

Here't is just anot bet ant;Lt iOIl lor 11 If D' i~ ~p this f·csnlts in Cj\\ant.ifkalioll OV~'l" >l,ll pmpo­

sitions, as in second ordC'r logit TIm m~~ke~ it possjh]o: for !~XJ:l11lpll' to f01111 HI(' proposition (VF::*I' ~~p =*" P!

Finally, the r11I!' (D!;., DJJ I<llow~ (ht, fOIll)II(io)"l of pmp-kiIH!1' 01 till' fOll11 D'I ,0)2

FM· ~xi'Lmpl~, 11. pmvi(kh 1111 prllp-killd *p --> *1" tit!' tJ pc of -', and *1' ---t *p - *J" the type of If and 1\ It also Hll"tkes It possiblt, to a bAn\( t O'Vfr (! prop-hnri m pmp()~dj(m.s and prop· constructors .. For ('xampl(' .. 1 h(' pIopo~itiOlj;d ~()lll)('ctiv~' ~ c,w lw fi!'nfll'd i1~

(AF::*I'·· P =*" False) .. *j, - *J" wlH'IT False i~ tl)(' plOpo~Hio!l rt'pn'"Plltilli-\" f;t\sdlood

32 -\w AS A LOGIC .: >...,;p 35

Basic propositions and prop-conskudors.

To use ),wp as a logic, some bMic logical connectives arid theit properties are needed. These could be declared in the context, but it is well-known that a.ll COrlMctb'es are definable in terms of implication and higher order universa.l quantification_

3 11 DEFINITION,. Tf,oGiG is the context

False True

"" A == V

~ ""

(VP::*» P) ., *p , (VP*p P,* P) *1"

).P"p_ P => Fals!!! *p'-' ~p ,

),P,Q*p .. ('tRillp .. (P => Q --> R) --> R):: *p ---t *p ---t *p ,

',1.1>, Q;"p' ('tRifp, (P ;;;} R) ;;;} (Q ;;;} R) ;;;} R) *j:> --4 *p --4 *1' ,

',I.P, Q *'1' (P => Q) A (Q => P) *).1 ---t *1' --4 *;>

o This context defines the propositional constants truth (True) and falJ:iehood (False) and the logical connectives negation (--,), conjunction (1\.), disjunction (v), and bi-implication (=)­

For a propkind D~ wI' can o('finc

:lu' "" AP IP ---t *p ('IIR *p ('i XlP (P X) =} R) =} R)

(IP --4 "p) --4 *p

Then for a tel'Ul (AX" /P., P) .. IP ---t */.', the term 31P(AX.JP .. P) represf!nt the higher order existential quantifkation "(3XlP .. P)" Th!' dcnllltion of 3jf' is parameterised by a propkind IP WI' cannol, abstract over D~ and define 3 as follows

3 >.lP::01) 3D>

IIff{ 01' (IP --4 *,,) --4 *p ,

because the abstraction AlP Dp is not allowed in ),u,Jp

The Aw.-counterparts of som~ of thl:' ),wj,-encodings given above - Le these I,erms with all subscl"ipts p I"eplaced by thl:' subscript s - can be used to repreoent cHtain data.tY'pe­construttors .. For instance, th~ ('neoding of 1\ can be used to represent product types, a.nd the encoding of V can be used t.o I"epres~lll disjoint sum types At the end of J:i!;'ction 31 il. waJ; already mer\I,I(m~d t.hat. "'lith rllcodiJlg~ of datatype-eonstructors in .\1.1.1$ have some f;hortcOrrlin gf; .. The eucodingf; of I hI' logical (oIlJlI'ct.ivc,," in Awp is less problematic., Firstly, all theIr Ult,ll1t,i~mi$ti(. pWp!'rtl!'~, LP t,h!'i!" iul.rO!illct,IOJl alld elimination principles, are provable In AWp For ('xamplc, III Awp w(' tan prov(' ('tP" p False =} P), (VP, Q *1'" P =} (P V Q)), and ('t P, Q::*p (P A Q) => P) .. Note t.hat the quantification over propositions makes it possible to ('xpr('s~ th~~(' int.rodllct.iOll a.nd rlimination principles tnslde the system ),wp Secondly, it is easy to sho", that t.hl',,"e I"c))t"esentations have the right Il1terpretation in the proof-irrelevance model givC'tl [n thaptcr' G (~('(' example b .. 27J ..

Consistency

When we u~c ),wp as a logiC', '!Nt:' are intel'~st.ed in t.he question whether it is consMtent Awl' is consistent, in the s('nsc that not all propositions arc provable This is equivalent with sa.ying t.hat False, i!.S drfinC'd III .UI, IS not. ptovi~blc.. The definition mechanism does not affect (Ol)Slst(>ncy by corollMY 2 .. 3il AWI;~ is tOII~lst('IH LIT AWp [s consistent

36 CHAPTER 3 THE DASIC SYSTEM A..JL

Of (our':Je, which pl'OpnsitionJ;; are provable depend .. Of) the assumptions in th" C(lntl:'xt .. For ~xample, in a conl,('xt wntaining the as~ulIlptiof) p :: False all propo.sll,inll~ an' provable .. A (cOntext is called COlll';istl'l)t if Hot all Pl"opositions are provable in it Using corolla.ry 239 we call relate consistency of a context in )..wp aud AWN:: a context is consistellt in AWp6 iff its D-nnrml;l.l form is conslstl'nt in AWl'

3,,12 THEOIIFM (Consistency of AWp) False is not pl'ovable in AWp6 in the context TU)GIC'"

By corollary 2 39 this is equivalent with saying th,tt ('<1 P'*v" P) is not provable III AWp in t1u~ empty context.. There a.rl:' two ways to Pl'ov(' !.his theorem .. The syntactic. way I~ tn u~e t.he fact that )..wp is SN .. From SN it follows that False is not provable:: if it were, It. \\ould have it proof in normal-form, and a simple syntact.i<: a.rgument shows that no mhabi1 ant of False

can be in normal form A semant.k pr(IOr can be given using the pl"onf-irrdl'\i'all('f' model of )..wp (sec lelIlma 6 .. 31..) Tlw advall!agp of tb(' SN'Ollcl proof i~ t.hat il III.Tl r~il,J;ily h~' ('X tended to prove consistency of ('('r1.,llll wntexts, for example::

313 THEOREM (Coll:';istf:!Ity of classical logic) .. F~ISe I~ !lot. provablE' in the COHt.I~Xt. FLOOK

('xte!lded with the a.~l';lllllptIOll classIc" ('1P ~p (~~P) '* P)

PROOF" See 1l'IllTll8, 631 o

33 THE PROGRAMMING LOGIC AWL 37

3.3 The programming logic AWL

In this sectiou we introduce the programming logic AWL. which contains both .\"'" and AWp ,.

As mentioned earlier, AIo'h can be divided in two part.,~- a programming language a.nd a logic for reasoning about this programming language, The relationship between the two parts is asymmetric. we want to be able to say things about the programming language in the logic, but we do not want to be able to say things about the logic in the programming language,. Because program~ and datatypes will not be allowed to depend on proofs or propositions, AWL will be a conservative extension of the programming language

AW. serves as the programming lang\IRge and AWp as part of the logic.. AWp alone does not suffice as logic" To reason about Aw.-constructs 4 more PTS-rules will be added" These rules will allow the formation of proofs and propositions that depend on programs and datatypes.,

AWL can be embedded 1)1 t.1l(' Ca\tnlns of Const.ructions, toh" system AC defined in defi­nition 2 .. 19,. In fact, it is a 8\\b~y~tcm of one of the variant8 of the Calculus of Constructions den ned in [PM89bj, as we will see ill sect.ion 3 .. 5

Defore defining AWL, we consider which PTS-rules are required for rei'l.Soning about .\w~­programs and datat.ypes

To express propertie6 of pl"ogl'ams we need predkat.e~ a.nc! relations on datatypea .. Predi­cates can be seen I:\.S propositional-valued functions, ie the type of a predicate on a datatype I)' is I)' --+ "'I''' Similarly, a relation or binary pr~rlkat,e on a datatype I)' is of type a - (j ---. *1'"

For illstance, the ordering ~ on tlw type of nat mal numbers nOit has type nat ---l- nat --+ "'I'''

Equality of programs of tYl)(' (j is ,'\, relation =" (1' --+ (1 --> .... p Like *p, the terms (1' --> *1' a.nd (1 --> (1 --> "'I' ar!' prop-kinds, i e tlwy haw, typ~~ 01' Theil" formation requires the PTS·rule (.,,01')

r r a ~. r f- 1P :: 01' r I- (1 ---> lP Op

For every datatype O! a relation of type (~ - (~ - "'p is needed that h; the notion of equality fur that datatypc .. This can be achieved by having a Single polymorphic equality relation =L of type (Oa::* ... (~ - 0: ---. *1')., Then for all datatypes (1, (=£ cr) (J --+ {1 --+ *", i .. e .. (::::;:L cr) is a relation on (1' .. For all trml~ M and N of t.ype (1', (==[, (1 M N) :: "'P' Le (=L (1 M N) is a. proposition., Like (1' --> "'/' a.nd (T ..... (j ---. *p. the term (lla::"'. 0 - (); ...... *p) is a prop-kind, ic_ It has type 01>" The formation of (nO'", ... u ---. Ct ---. *1') requires the PTS-rule (O~, 01))'

r r D( :: o. r, a .. P( I- lP :: Op

r f- (llO!'ff(. lP) 0"

AWp provides higher-ordef \llllv!'l"l';al quantification This mean!; th(Lt we can quantify over all propositions, e.,g., (V?",,,.. ), Ov('r all functiolls from propositions 1,0 propositions, e .. g .. ('t:IP*'p ---. "'I' ), etc, In )"w" fl)ore p<)!';!';ibiHt.1CS for quantification are [)ccdcd .. For univerSal quant.ln.Ca.t,ion ov('r all elcmcnt$ of a datatype the PTS-rnlc (*' .. *1» is needed::

r f- (J :: *. r, ,J:: :: (1' f-- P "'p

r I- ('i:r .. (1' P) "'p

U~ing this rule, the proposition lix::nat (::; :t'1::) fnn he formed.,

38 CHAPTER 3 THE BASIC SYSTEM AWl.

For universal quanl,ififatiOI1 over all elements of a kind the PTS-rnll' (0" *p) 1$ Jlel:'ded ..

r t- D{ 0, r,o R( f- P ,~_~ r f- (Va .... JlC P) •• *",

Dy taking 1l{ ;;:: *., this rulE;> allow8 universal quantification OV!'I' all ditl.it1.YV(>f> .... For ~!xil.rnple, this Is used in the propo;;;it.ioI1 V(~'" '1::r:o. .... (=[, a x x), which expreo:ses teflcxlvit) of the relation =L for all datatypes c.

We have now discussed all the rulcf> of AWL

3.14 DEF1NifION .... .\Wl.(~) is the (D)PTS specified by

A -R

{(*; .... D,) , (*p .... Dp)}

{ (0.,0,),

(0., ",J, (*., *.),

(0, .. , u"l, (0" *)1),

(*"Dp ),

(*,,, *,), (D1" D1,),

(Dp, *7')'

IJ The levels of tNltIS Wt' dISI,IJlf\lli~h III AWL Hn' thOR(! of AW, 'U)(\ AWl" i e killds, dMatypes

and data!..ypt'-(:IHlhtr\l("to\ .. ~ .. , pl"'ogHun~, pr"op-bll<ls, propositiolls i>lld pl(Jp-con~t.nl< t.ors, und

proofs Th('y 1m' ddhl('d a~ ill (h'hllltions j 2 mld J....!) Observe that wheT! R 1M ]('gard('d as a matrix, we Ollly hit~(, lllk~ b("low Ol DT! ! h(' diagnnal

from the t.op-left I.n ! 11(: hottolll-rwilt Till' ~y~t('m AWf. (,oll~htB of

• .\w, for th£:' programs alld th('ir dat.a1..yp~(., {(o"o,),(o"~,),C,,,,*,)}

• .\wp for t..h~' propo~ltlOn~ atld th('ll' plooh {(o/I ' 0/,), (op, ~p) .. , (~l;'" "I,i} ,

• itll pO&Hble depend(ln('ic~ of plOpO~l1,lOIl~ illld plOoff> Oll progn-l,llll-- ~'lJ(1 t..Y1W--; .. , providi'd

by alll""ule~ of !.II('" forlll C" _II) {(DAI DJ», (D." "p), (*., Dr') (~., ~p)}

.\WL d\wJj rJOt haw all possible PTS-I""llk~ It do('~ llnt hii~" ! Iw ntiPh

• (*., D$) .. As it n~~ult, therE' at'c no dalrdype., I!wl dq)()nd 1m 7lm9mm. .. ~ All t'Xillllpl,' of It dat.il..t .. ypr dcp('l\(lillg (HI a program is tlw type (Iessthan n) that. t'Oll~l~1..~ of iLll lla1..uriLl llUlllbtrS

small('r t.hn..ll "II .. SIHlt datatypc~ ar"c oftctl simpl~ ('ailed dqWJl(itllt. tY]H'S Th('v drasti­

cally dl<'ll\gf" til£' lliltme of (:VP(~ sy~t..em"" it itKT('i\"~(,~ l..h(" ()xplc~~i~t' pO"W('1 ! (I 1..he ("xtfllt.

that.. datatYlw~ U-l,)J ('XI)l('~~ cOlllpl('1<' ~P('Cjfi(it1.1()lJ,~ .. III (llitptc .. r I Wi' idn'''iidv dl.S( u~:;(, .. d why we do not wallt sHch a HI")'" ('XPH'~~jV(' type ~},;ti'lll for prngr~ITll~ II) Jj{'cll<}ll 35 t..Jw maiD ('OBseqnetlc(' of llldlldillg. 1..IH' rule .. (*, .. ,0,) !Iw 11(f .. d for prognllli l'xt..r!t( tinll

- is disfll~~cd

If dat.atype~ nUl <I('I)('][d Oll pt"()gr"atn~, tlietl d(!('ldillg ('(plaId.." of diLt at..~ P('I~ imol\(,~

defHlillg ((IUi\hty of prograllls A !><tsic pl'obl('lll wit.li 1..Ili" i" t hi11..",t' "wall! ('''quality

of datatype~ to bc dcddahk of bl'lW I~r 1..VP('( ltr(~killg I~ 11wli-( Ida bk ,wltrre:.u; fDr programs we typically Witll! all ('(jllilhtJ which I~ f"Xt(ll~IOllfll fllld (hPll{ co") uu{k( id~bh

3,.3 THE PROGRAMMING LOGIC A<.ilL 39

• (*p,Dp) , As a result, there arC no propos~t~ons that depend on pJ"(Jofs With such propositions propertie8 of proofs can be expressed We are only int.erested in proving properties of programs and not in proving properties of proofs.. Hence there is no need for proof­dependent-propOfiitions.,

• (-P' -.) As a result., there an~ nO pro{Jmms or datatypes that df':pend on propOSttlons or proofs The consequences of t.hese dependencies are dloc\lSSNI [n section 3.,5

Because there are no rules of the form (--p, _.), AWL is a conservative extension of the progra.m­ming language AW" i .. ~ in A""'L we have the same kinds, datatypc-constructors and programs as in .\w.::

3,.15 THEOR.EM (Con~('t'vativity of AWL OW1 AW.,) .. Suppose r 1-","1:. (l, A and a is a program, datMypc-('on~tructor or a kind (Le .. r r"ult A *~,

r f-Aw! A Ll~, 0\ A :;;; D. ) Then rO,., f- ;"wg a A

PltOOL Induction on the d~1"lva!loIJ of r r (I :: A I;]

A~ for .\w., the different synt(l.('Iif CI!.t.tgorlcs of AWL can aheady bc distinguished for the ps('udotcrms,. It follows from til(' (onsrrvativity of ),Wf, over AW. that the kinds, datatypc­('onstructors and programs of AWL !tn' clcments of Kind, Cons and Prog: as defined in dcfini­tlOn 3 4 For the prop-kind,:;, prop-constructors and proof~ we dcfine::

316 DEFINITION .. Tht:' sNs of p~eud(lt~nll~ Pkind, peons and Proof aT!' defincd by

Pkind

PCons

Proof

where A E {,\, 'If}

*1' I Pkl nd --. Pki nd I Cons --. Pkind I rrVarD

, Kind Pkind YarD, I A Vay·· Cons., PCons I peons Prog

I AVarD, Kind peons I PCons Cons I AV~ru~ Pklnd .. PCons I PCons peons I PCons ~ PCons

Var·" I ,\Vay"p:;PCons Proof I Proof Proof I .War·· Cons .. Proof I Proof Prog I "\V~rD, Kind Proof I Proof Cons I "\VarDpPklnd .. Proof I Proof peons

o

Note that th~ diffl'rtlll sets of pseudoten11J:\ fOI th!' diffet'·cnt levels of AWL ('an be defined in the follOwing orde!' Kind, Cons, Prog, Pkind, peons and Proof. Ea\h of these sets only dependS on t.he ones that precede it in thi~ Ordf'L This is caused by thf' fact that the set of AWL -rule8 R ill definition 3..14 does not indude (LilY rules above the dia.gonal It will play an important role in (:liapt.(T (), wb('l(' the semalltl(.ooftli!.AwListreated.be(.aus(! it. means that the interpretation of th~' diff(~r(,llt levels (all be defined In the ~amc order

3 . .17 LEMMA (Classific[ttion for .\WI.)

L If r r ][( :. D. then D\- E Kind

40 CHAPTER 3 THE BASIC SYSTEM .•. ),uJL

2 .. If r f- (T :; l/{ •• 0. th('n rr E Cons

3 lfFr-M (T "'. then M E Prog

4 Ifrf-lP Dp t1wn D~ E Pklnd

.'5 Ifrf-p n~ .. CJp t,h~n P E PCons ..

6 Ifrf-p •• P •• .... p t.h~n P E Proof

PROO~·' .. PllrtB 1 to 3 immediately folIo", t./H'[>r~m 3..15 and lemma 3,.5 The proof of the other part.s is then similar to that of l('mma ::3.5 •• by induction on the derivation of r r- 11. A W('

prove

A~{ A == 01' =} a E Pkmd f r- (J rf-A Dp =} (t E peons

rr-A "p :::::. (L E Proof

0

>"WL can be embedded ill >"C, tll[' C;'ilc1'lhl~ of COllstrlldion~, simply by f'laslllg thf' slIh­Sct"I])t!, of ~ <l.Tld D

318 LEMMA., If 1 r- (1. .. A III >"Wf.(b) , tht'll I r I f- I a I •• I A I ill AC("\, wllN( I z II" Z wlt.1l ~ ~mbBtituted for "'. and "p and 0 ~l1hl't.Hnh'd foI' D. and Dp

PROO~·' .. InductiOl) on the dedvatlolL In Citel., II. Mufti( i'~ to ohsi'n!\' I.bllt E~ra.~ing tlw subscripts in the spl'tifinl.tl(lTi of AWUb) prodll(,cs the !'pl'nfi(!Ltl()[1 of AC(b) 0

What makeJj the Bystem AWL a lot simpkr t11!UI >"C i.~ t.h<l.t tll('li' >l,n~ f\'wer dt'pendencies between t,hl;' different levels III AC dIJTl'n'nt, h'v('.Js ~lmdM to tho~r.! of >"4'1-, lan be distin­guished, n<l.mely kinds, constrnrlOl'~ alHl progriUrlJj, but the~t' an' all mnt\lally depPlldent In otlwr words, elements of On(' of t.lw~\, It'v('l~ can occur as subexpr('sslOns of clemcl1t:> of any (lther

lly lemma J,.l1l it fol1()",~ llnlllP(hnll'ly fl(uU th~ fact that 'xCI"] is strongly normalising I.hllt .\wr, and its extension l'.i1.1J ddllllll()llJ; .\wu are

Ba!;ic propositions and PI-OP-CO(l!;trllctors.

In AWL t.lwn' ar!' I.hTl'<' f(lI'm~ of ('xiS1C'll1.litl qlliLllt lliCitt lOll •• ov('r a plop-kill!! lP, mFPr a (!llt.atyp~ (J and Ov('r R ktnrl ll\, i .. {' .. of the fOl'lll (3X •• 11' .. 1'), (3.; (T .. 1') iLlld (Jo TIl: P), rPhp\;C!.ivdy In defilllt.loll 3 .. 11 It. W<l-~ ~howll how III AWp 1.lJ( first. fOlm of r'XI~tplllli!l <[l1HlltifiultjOlI «w ht, defined in l.!'rrnf; of V and =} The oth1:'I" two call b(, drfi[wd ~imllitrl)

3,,20 DEFINIl"toN .. Cxiotential qnllntifi('atlOll 0'1('1 it (l!ttat.yp<'· (:l) ,111(1 over <l. klnd J1( (3./11) arC' dl'fi[l~!d by

3 A(~ .. ~. ),F.n ---> *)1 VR *p ('t,r Cl (F ,:r) =} R) =/ R

n(~ .. * •.. (n ---> "'p) ---> "I" 3/I< == )'P II": ---t "p '1R "'" ('t<1D{ (P (1) :::::. R) :::::. It

(l/": ---t "11) ---t *11

o

3.3 THE PROGRAMMING LOGIC ).w£, 41

In the first definition we have abstracted over all possible data.types 0:. In the second definition we cannot abstract over all possible kinds }[{, because this abstraction is not allowed in AWL ..

To use ),WL as a programming logic, some basic: predicates and their properties are needed .. The!:>e can be declared in the cont.ext, together with the properties we require of them Another option is to define them in AWL In [PPM90j it is shown how inductively defined propOSitions, predicates and relations can be represented in the Calculus of Constructions" The same technique can be used in ).4JL" The lllO!:>t. important rdation - equality of pt··ograms - can be defined in ),(.) r, as follow!;:

321 D~;FINITION (Lribni~' Eqllality) .. TLE1BN1Z is the context

=L ACt *$ '\':r, lro: "IP .. o: --+ *1". (P .x) "*' (Py) no *$ ('f --+ ('f --+ *1'

This cont.ext defines Leibniz' equality for programs" =1, will bl:' wriHen infix, with its first argument as a subscript instead of L So (=1, U M N) I!:> written as M =" N From now on .. we always assume that n,F:1R"i'/Z j~ part of the cor)text, so !.hat w(' can a.lways use =L to express equality of programo in ).4JL"

Despite its asymmetric definition, the predicate ""'L hilS all the requited properties·

• It i~ rrArxivr-, hl'ta.ll!;C' all BIi-C'onwrtiblc pmgrams are Leibniz' equal, as shown below

Suppose r f- M " <7, r f- N (T and r f- M ~1l.5 N .. Thl'n !.here is an inhabitant - Le a proof- of M =" N in COllt.l'xl r As iLll Illustration of a formal pr-oof in the logic, t.his proof and its t.ype d~~l"ivat.ioll iU"f· giv{'n b(··[ow We usc the notation for natural deduction de~cribed in [Ned90j, with "fhg~" d('IlM.lllg !.he SfOp<' of declarations"

1 P (J ---t *p I 2 p PMI 3 p P N 2, M ~66 N, (!36conv)

4 P'r·p M .. p) ;; PM '* P N 3, (Ilintro)

5 (>..p(J --+ *t) ApP M p): ('rfP..u --+ *)1 P M ~ P N) 4, (nlntro)

6 (.\Pa ---t *p .\pP AI.. p) .. M "'" N 5, def =£" (f;l6conv)

• We fan subst.it.ut!' equals for equals in pr'opositions, because

V'(T;;~." "1:1 .. ', IJC! (x"" .. !J):;} 'riQ;;(J ---t *p .. (Q x) :;} (Q y)

i~ provabh> in ).4JL~, a~ l~ !ihOWll [)I'[Ow USillg this ptOpCl"'l.> it can be pl"oved that =r, is symmetric and tran~itive

42 CHAPTER 3 .. THli BASIC SYSTEM·· AWL

1

2

3

4

5

6

7

(P x) =} (P 11))

p Q .. (Q.r) => (Q iI)

pQ'1 (QII)

P(7::*. A.:1;, Y(T.. .\p .. x =" y .. ),Q .. o' ---t "'p >.q;Q :E .. p Q 9)

V(7* •.. 'l:r, 11 (7 (x =() 11 J => '1Qa -, "'/, (Q .1) ::::- (Q 11)

2, dd .. =L, Bbc.onv

5, 3, (TTel 'm )

6, 4, (ilehm)

7, (lIlntro)

In lemma 648 it. i" !;itOWH tbat =L i~ in f~('t Illt.Nprdtd a>; Nlll,·dl1.~ JIl thr· modrl

A>; tlhl!;t~ated above, type dprivatloll>; for proM t('T1lI~ i()rn'~pi\lId I 1()~lly to (ollventional natllra[ ikdudiou proob Proof terltl~ v,dl lli;ll<llly hi ()1l1i1t.r·d 1l1~llch iif.nv,IiIOlIM and In

typing jlldgerru)lIt~ In~tead of r f- p P, \\(~ [h('ll writ.i' r r- _ J>

Then' M(· important differences bC1.W('('ll !1h-for\vi·rsioll iLJI[I IA'timi,.' ('qu,dity WheTe!l.J:) [h'i·comersioll ii; ddined for all (psCUdO)tlrlll>;, L('ihlliz' ('quaMy jlli;1. for progril.m~ (If thE:! 8ame type The UlllSt impOlt!l.ut differl:'ll(c is tlw.!. propeftics of Lcibni/.' equidit¥ CiLll hie Il.~~mued For example, WI' nlll a;,"(lllle that two programs M and N of type () ,u·e Leibniz ('qul;Ll by introducing all ,tS>;Ulllpt 1011 p ... M =" N in t hI:' ('ontc-xt .. A~ will t(' shown later in

example 6..48, =r is intcrprctcd iL~ i'{[\1i\lity in t.ht' model COl1sequ('ntly, any properties that hold for j.!qmtlity of programs ill the> JJHHkl i Il.ll Mitfdy hp !vld('d HH IlXlOrn,:, .. Wi' WIll introduce

axioms for Lelbniz' equality t.hat. lilah, it (ill r~xtel1:oional equallty. A~ (!, (on~equell((', Lelbniz'

eql)ality for functions, c g j ="-T g, willlw Ull(\('d(\abl(' .. On the other hand, db-conversion of all >'w,,-terms is dccic\ablr', b('i a.\lS(' db-n'duction is Church·Rosser and strongly normalising

Consistency

3 .. 22 TI!EOliLM (CC1TlSI"tml(T of >'Wi) False is not pro\aLk III AW, ill tile COlll/'X! I LOGIC

As for AWp , tlH'ri' iLn' two v,i\y~ to IHOv(' ('ou"lslcuq of AWi~ il ';yll!.iLI t.H proof ll~iug UH·· fact that AWL is SN, Or ,I M(··I1I(1I1(.i( proof n~ing th(' proof-itrf[('~~tll(C ItlO([I'1 of AWL giH~u ill (h!l.pt.er 6 (scc lenllJJiL 640) .. A lid IIh for '\wl" thl:' "c('ond pwof ("tu (',t~jlv bf (~x1('lld('d t.o prOv(' conS)~tency of certain cOllh'xl~ ilWI a;d()m~ ..

F(lr instance, W(' v.au1. to II~f· i la~~knl logic, and",c waltt 10 it~~(lIJJ(' tlJat. N[\litht) of functions is cxtcn~ioJl,tl, L(' that

j ="-T r = (v::[ (7 j.J =r l' . .1:)

q =[1«.1/,· "q' ¢::::::. ('f!o::ll\- 0 (~ =" g' (~)

for all j, j' a ---+ T and q, g' (H(I::U\ a) TIH' trllph( at)Oll~ from l('ft to right immediately follow from the d('finitioll of Liihlll~' ('C[l1.dity, but th~ tmpllc;t!.io]J" frOlll nght t.o li·ft. hav(· til be introduced as aXiOllli'!

33 THE PROGRAMMING LOGIC '\u)L

3 23 DEFINtlIoN AX 10M is the set of <u:ioms containing

classIc

AX(f_"

AXn,dK" 17

vP,*1' (~"",P) ~ P,

'V/,9' a --+ T ('1xo', .. (! x) =,. (g :r)) ~ / =(f-T g,

'<I/,g •• (I1alK o) ("10:1[(, (f a),.,;" (9 a)) =*'" f ""n",O( (f 9

for all ~ ---> T, (I1o:::D< ~) E Con~ ....

43

D

We lack the Mccssary quantifications to expre8~ axioms in AX 10M in a finite number of )'wL-axioms, We cO\lld quantify over all datatypes II, T :: >1<. in AX(f_'-, but we cannot qua.ntify over all kinds IK :: D. in AXnulK (f ....

324 LEMMA (Consist .. ency of AX JOM in AWL.! Fals~ is not prova..hh' in a context containing only axIOIll~ from AX 10M

PI!OOF, .. See lemma 649 .... D

So it is safe to use dl!.~sit,\l lO1l.ic in AWL, and to .v;~lllnc that eql\l!.h1.y of programs is f;'xt .. clIsional.

44 CHAPTER 3 TUE BASTC SYSTEM )..WI,

3.4 Program and Proof Development

The ~ystem )",..,£ has been dcfin('d >;0 t.hat t.ll!:' problem of program const.ruction can be stated as follows::

given. a datatype (7, i .. f' (1':: "' •

• a predtcak P Ov('r tbat ((",t.at.ype, ] e P., (J' ---lo *p

find • a pr'O(J7T;-Tn M of type (J', i.,e .. M (J'

• a proof PM t.ht M sat.isfies P, ie, a proof PM PM ..

A pair (7, P) consisting of a datatype and a pr('ditat!:' f()rlll$ (l, J:!pedfication A pair (M,PM) consist.ing of a program M (J' and pl"oof PM P M i>; a solut.ion of tbil; ~P!!C)tWa.tiOI).. We usually refer to t.IH:' predicate P or the proposition PM as the spl~l'ijltat.illIl..

Thf' datatype (J' i~ only a partial speciJ'kat.l()II .. It. givr~ ~OIIl(, iuf()rma.t.I()r) about the program w~ want, for example that it sh()1l1d bl"' a fundiou fmIll nat to n<lt., but not all of it In the predka.te P, however, all th(' rl'quirl'd pr[llwrti~~s of t.h~' program can be expressed It defines a ~\lbset of the datatype a Tlli>; cxpr('·f;~iv!w!~~ ((mH~~ at a prl(e:: ill g~'n!!ral it is not decidable wbether a program M sa!isfi('~ !I. prl'·dici!,t.~ p, wherea~ it is decidable whl:'ther it has type (J

To show that M sat.isfies 1', it proof PM hw to bE' supplied

W~ ("an think of the AWl,.-proof~ aud prediu\!,(>,; a,; il.lluotat.lOn of HI\' .\w,-p~ogrJ'tms and datatypc~ .. pT[)grarn~ i!,!(! a.nnotatE'd with pro()fs t.hat t.ltty' sati:sfy ("('rt.<Liu ]Ho)H"rt,i{>!i., datat'Yllt·,; are annotated ",ith pn'di(at!'~

>.W. AWL annotation

------::d-IL-tll.-t-y-p-~-(J'-, -r=Cf-~d'''' *. predkatc P, r r P :: (1' --> "l>

program M~-' r r 111 (7~. proof PM, r f- PM :: (P M) *j>

Not only til!> dl!.tatyp~~, but al~o the ot.llN dat.a!ype-tOIl~l.rll("!ors {;lll h'· itllllotat(d This wtll b~ discul;sed later, in subs('ct.ion :1..4 3

Despite the fact that. a pl'()gt"am and 1I.M WrI"((tlll.)oo proofo art' ~eparate objt'cts" we should not first have to find a pr()gram aud il.ft~'l wnrd~ prove its ("orrectness Idt"ally, programs and their c()rrectIl('SS pToof~ "bould be constl'ucted hand in hand In t.he I'fIIlaiudl't 111 tlli!' ~ctti()u we look at. a ~t.raUgy fOT t.h~' ('ompo~it.iona[ dcyc[()pml:'nt. of program~ and prooLs.. H('re the program is const,md,NI, top~theI" wit.h it.s correctness proof, by stepwisc t'CfiIlemeIlt. For this, paifs of derivable infcr('ll({~ mh·,; arlo! n!o!!'d!o!d, ~on~iRting of

(i) a >'w.-(I/>riv'l.tlol'l ruk, that ghi'cS the !ype ()f a pl'ogI'alt1 111 t.('rIIl~ of tit(> tyw~ of its comp()nent, parts, i!,lld

(ii) an associated >. ..... L-dl.I .. lvatlOu rllk, t.h!'tt. giv()s a pl'oof lhat this prop'am satl~ncs a spec­ification iu tl'rIIl~ of proof" thil.t it~ wmponent. parts satisfy (ct"taill ~p('tificat.I()Il~

So (i) is it type deTlvat.]oll mIl' f()l pi ()!!,l am>., ,llld (it) if; ,L t} W' df] j-,l'iLt.ioll rule tor proof~ Such pairs ()f dl'[lWltion n!i('s. «)I1~I~tlll/!, of a type derivation nil.:' and all il..%ooall"'d ptoof rule, ",ill IH' (a.II~'d ~'111 c()upled dNiv!'lt i()l1 rule>; Th('~(" t()llpkd dl'rwiL! 1011 nlk~ l iLU Iw us!,d to devel()p a program to~etheI' with its COI'[('ttllf~~ proof. For l"wry Prl)gI',IIIlmiIlJ; lil,ngUH,gl' conslnld there j« usually a uniq\ll:' typl:' tnfcI('llf'1' 1111(' .. Howl'v!'r, t.h!'·rC" ITl!l,Y I", mor" t.hau one assoclat.rd proof rul{', for specificati()ns ()f dliftrl'u!. fOI'Ill>;

3A PROGRAM AND PROOF DEVELOPMENT 45

A specification ma.y have to be of a certain form in order to construct a program and its correctness proof together For .\w.-ndejj for (orming a datatype there are corresponding rules in AWL for forming specific'at.ions on that datatype, which produce specifications of the right form

So we arc interested in pair~ of iuference rules, that can be used to derive types for pa.irs (M,PM), consisting of a program and a correctnes8 proof, Or for pail's (O",P), conjjisting of a datatype and a predicate

Although in .\Wl, program and pr'oof construction both come down to finding an inha.bitant of a ccrtain type, there are important practical differences.. We do care which particular program M we find, wherea.s we do not care (as much) which particular proof PM we find" This means we do not have to be able to read proof t.ermS in the same way we wa.nt to read programs The proof t.Cr!lI PM is usually much longer than the program M .. Indeed, proof I.('rms qUickly become too long t,o \w readable, in which CMe 1,I\(\y will usually be omitted ..

3.4.1 Coupled derivation rulel:i for function types

First we look for .\wf"-proof rules to accompl!.uy t,he Aw.-type derivation rules for the intro­duction and elimination of function typeB .. There are two programming language construct.S involving function types, namely ab!;tri'ittion and application In I.he examples below w('

consider how for programs of a (.~rtltil\ form pr'operties can be proved To Il~akc a clear distin('tlon h!'!,wecn judgements concerning programs and dat.atypes, and

judgements concerning proofs alld propositions, judgement':> r r a :. A, where a and A at'e .\w.-t.errns i .. c .. programs, dat.aIYlw-toni',uuctor·s, or kinds - art writ.ten in boldface for the t.lme being

J 25 t~XAMI'LE (Abstraction) .. Suppose we wallt a program f oftypf:' 0 --4 T satisfying a specificati[lll (\fa; Cf P x=} Q;I; (Ix)), whrre r r P Cf ---t *p and r f- Q rr ---t 1" ---t *p

So we want a program f aud a pt"oof P J such that

r r P f \f:r,;Cf P x =} Q.;r (f x)

We can try a program of r.h(' form (AX:o" M) for som(' M We then have to find a program M and a proof PM 5udl that

(i) r,:1J :: ~ f- M T (li)r,~;:cr,p~:;Pxf-PM QxM

From (i) it follows that (> .. :1" .. 0 M) hIlS the light type and fmm (il) it follows that it satisfies t.hi' spedfication

r I- (.\:1J rr. M) :: ff ---> 7"

r r (AJ(]' APr? ,:r PM)

326 EXAM1'L£ (Application)

'l/x::(]' l' x' =} Q X M

cziJ "Ix 0" P7; => Q X (('\X::O" M)x)

o

Suppose we want. it prugraul M of type T ",at,l~fyiug tltt' speCification Qf M, where r f- T , *~

and r f- Q' 1'" ---t *) So we ""ant ,\ pt ogt"am M and a proof PM such that

rr M T r f- PM :: cl M

46 CHAPTER 3. THE BASIC SYSTEM A(UL

We can try a program of the [orill f N, wit.h N possibly occurring in the specification Q' Then for some a .... , P a''''' >1<1' iLnd Q:: a - T - "'p such that (Q N) '::::.!11i Q' w(' have to find a program N with a proof p" ~uch that

Ii) r!- N (F (ii) r f- Pili P N

anrl a program I wit.h a proof Pi Bueh that

(iii) r !- J u ...... T (iv) r f- P, '/,1;;0 P X => Q x (jx)

From (i) Rnd (iii) It follow", t.hat IN h!l.J:l the right type, and frOm (ii) and (h) it follows that f N satisfies the spE!:CificatioIl Q'::

r!-IN 1" QN(jN) CZjJ6 Q'(fN)

In the previous example, the choice for a pro!';ram of the form (,\x::O" .. M) wM "\lgg~st.!.'d by the type (J ---t T of the program .. The dlOire fm a program of the form If N) is not J:'ugge8t.ed by just the shape of its datatype ( rather like to the choice of proving a prOp()~qtH)Il '1/; hy proving 1> => ¥i and 1> is not snggcwed by the shap,-" of 1> ) 0

In the examples abov(' the plwlicatE:'8 (qwcihcationB) on f\lTlrttoTl tyP(~ (7 .,. T aIr of thr form

>,j 0" ---> r '1.T··(J P.r => Q .:r l!.x) (0" ---+ T1 ---+ *1'

where r r- J> a --. >l<p iLrld r t- Q (7 .. _,. T .~ ,. ~p .. Hl"'r(·· l' is the ptc<:'olldition, and Q the post­condition Not all prrdl('·'I!.(,s OU IL fUIH !.I()U !.) pc a ---> T al·e of this form However, alJ predicatcs that txplr~~ ,,(lIllt llIPlll-Oll!'PUt. Il'liLlion (htl.\\Crll 111lHlt .t and output /.x) arE:' of this fonn Notc that for pl·cdltal.e" of lhls fonn, diffcl'·cnt choices for P and Q are P088ibk (eg pi == A:r::a True aud Q' s: AI::a Ay T P.t => Q .. r (f.:r)).. For the Aw.-dcrivation rule for fOlrnjl)g function tYPC3 there b a (orn'~poHdlng d{,liv",bJ(~ AWI,-dl'riv,ltl('U luil' fo!' forming predicatE:'s of this form::

r f- (T *, r f- T :: '1<,

r I- (F ---> 1" ;: *.

riP 0" ---+ *1' _i'f q :: (f ---+ T ---+ *p

r f- (>,j (1 ---t 1".. '1.T (1 PI' =? QT (f.x)) (cr ---> T) '~1'

For r t- (7 ~.,T ~.,P:: a -. ~p,Q !7 -4 T '''1' +p t.he: following coupl('d derivation rule~ for --->-introduCl.ion and rlimiuali()u M(' del ivable

r,:x CTI-M::T

r I- (.\~ 0' M) - ~ ....... T

rrf CT-r rf-N::CT

-]'!- IN''';;:'

T, ::, :: (1,]1.,. P ::, t- PM .. Q .1 M 1;--~ '(\1<1\1), 'P~XPw--:)----'-(:-V-;:(·-(J-.. --:P=--..r-=>-----'q=--X·--:(--:l.\:-.~-· .. rr-."-M::-;-)-::r'""'))-

r t- jI i ('11 .1 a .. l' t ~ Q.1 (f I ) )

r f- PN P N . r~i;;Np" Q NUN)

3.4 .. 2 Coupled derivation rules for polymorphic types

W·i> n()w di~nl~!l proof ruk~ to Ii( (Olllp~ny t hi' iutmdul t Ion ilud l'lllllll\,ltioll r·nle~ for a poly­morphic typt' (TI{~JT{ .. T)

34 PROGRAM AND PROOF DEVELOPMENT 47

For predicates on polymorphic data.typcs we could consider predicates that have a form similar to that of the predicatf'~ on function types, This would mMn that on a datatype (ITcdJ( r) we have predica.tes of the following form:'

v(no:"gc'r) '1oIB( Po.=> Qo.(fo:) (IT(lD<.,l')---;*p,

whf're P lK ---. *p and Q :: (no.: B(, 'T ..... *p) However, there are few - if any'· irlteresting prC'dkates P on a kind B(, So instead we consider specifications of the form

\/(no:ll(" 1') \;fo.:;//(, Q (fQ) (na:lfC T) -0 "'p , (i)

where a :: B( f- Q :: T --4 *p_ For such specifications we can find proof rules to accompany the introduction and elimini!.t,ion rules for a polymorphic type (no:1K, 'T)

Note that the dependcncy of Q on C\ is left "implicit" It CO\lld be made explicit by considering predkate~ Q with r Q :: (ITer::B\" r ---; *p) instead of /)' :: O{ r Q l' ---. *p This would result in spedfiC'atjol1~ of thl~ fonn of the form \/::(ITa:B(, 7)" Ylo::lfC Q' 0: (fa) Our only reason for not doing tbls IH thitt tIlt· dependency of l' on a is also impliCit,

ror t,hC' Aw.-dcrivation rule fOl" forming polymorphk t,ypcs there is a corresponding deriv­able AWL-derivation t'Ule for forming spe(ificatiom:> of the form (i)::

r,u 1Kt-r *~ r, a :: O( I- Q ' T -. "p r I- (fluE. r) *~ r f- ().j.,(D<)'U{ 7) .. "Il<D .. Q(fex)): (na}l( .. 7) --4 ~p

For r, a::O{ t- T :: "'., Q :: T ... *p the following coupled deriV(l.t,loll ruks for IT-introduction and elimination are derivabll'''

r,o: E I- M "T r, a B\" f- PM Q M r t- (AuJK. M) (II a:lK" r) r f- (.\QO(.. PM) Vo.B( Q M

~{j VexB( Q((),a .. B( .. M)Cl<)

rl-p IK r t- f (flaK .. 7') r I- fp ,..[0:= pj

r f- PI \;/a,.B( QUo:) r r- J!JfI •• Q[n; pl(! p)

The inference rules above (,(l.Tl be i;[l(!ti;tli~Nl fm" specifications of a ('ertain form, namely where ('1o.;;B( Q(!o.)) is of the f(1rm ('~(tOl-" "IP::O)" ,), with IP some prop-kind that possibly depends on Q" Thil:' rn~\allf; thl' f;P1Yifita.tion is of the form

),f(ITa .. ff( T) .. V(dK VPIP .. Q (Jl<) (t1cxB(, ,,-) ---; "'p , (ii)

with (~ 11(, P 1P f- Q r ---t *p Typically, if ff( ,~ *., i e" il<1I( is a quantification over a.ll dat,;ttypes, then 'r/p.]p will be a qnantification over all predi(,(l.tI)S of a certain type

Fo. the Aw~-delivation IIIII' for forming polymorphiC' types then:- is It COtIC'sponding AWL"

derivation rule for forming pred1catfs of f lw fOlm (ii);

r,o: JK I- T *, r t- (flOt lK. r) . *.

r, a ;; B(, P : IP f- Q " T ----0 *L

r r (Af(ITexffl: 1") "laB\" 'rfP,jp Q(fa)) (D(tlfC T) ---. "'p

48 CHAPTER 3., THE BASIC SYSTEM .•. .\<LI[.

For T, 0.:0<', PJP t- 1" "., Q 1" --t "p the following coupll:'d dCrIvat.ion rules for n-introductioll and elimination are derivable

r, u JK f- M :; 'T

r f- (Ao:.K. M) (IIuJl(" T)

r,o. ll{, P /P f- PM Q M r f- ()'Qff(. )"PIP P'>f) "tiOt, 'iP /P Q M

rf-piK r f- f : (1Icr.:lK. T) r f- I p •• 'Tlo,:;;;; pj

~(j "allt VP.:/P Q((AoUC M)ti)

r f- PI ,. '1o.'J/{, VP./P QUo) r f- R lPlCl;= pi

3.,27 EXAMPLE Thl:' polymorphir id~'lll.ll.y

Id = (..\(1 ". Ar nt)

Note that if we JjW<l.P tb('· ~Nolld and t.hird univel'sal ql1'l,ntifica!.lon, this becoml'B (H8)\I<'l.1 to '170""8 'Ix a x =(> (Id 0: :r), wltb =" a:<; d~fined in definition 321.. it. follow's fl''Olll

by thE:! --4- iLnd lI-lll!.lodndion rule~ that Id lia~ tYPI' (IIi,\" ". (t --t a) It follow" frolll

0: "., P (~---> *" :f" (l', PI P X f- PX' P ,r

by the Msociatl:'d proof mil·,; tbM Id oia.t.isfics the SP('< ificat.1011 lIH'111 i011o:'d abovl' .. Thl'!;f' t.wO

derivations arl:'::

0:"*" x:o: f- ~ 0

ex ...... t- (AX" 0,: " :l)) 0: ---+ 0:

f- ld;; (lIe.: * ... 0: ---> 0)

i, *., P (I --t *., 'l' (~,P~p .'.'1" t- p,," P .. t 0: *" p(~ -> ~. t- _ vii(~ p ,r =} r \lAIn :tTiS ~ .. "1(~-~. <( P n ---> *, .. V.·J •• IL J> .• ) :;: P (ld 0: "t:)

o

MmE:! <l.nd largl" hnildlllg hlo('k~ than jllst I!.bstr'l,c tion alld applicatIon wlll hI' used for progrltrn~ .. A:<;sorialf'd type del"ivation l'ul('~ ~r() )lIwlkd to type program» ! oll~tl1l('tcd using UII:'I:l~ bnilding hlocks., and a~~ocia!cct proof rule5 an' lll'i'd('d to prove COrrC(.,illeJ:>Jj of pl"ograms

We will giv(" a ~ilTlpk I'xamplf' of the de~dopllH')'It Df iL pr()!;ram with it~ conI!! I Jl(~~ pl'oof But fir~t two examph'~ 4r!' glVf'll I.hal innod\l((' two ba~il dill.iLlyp('~, bool('IU'l" >l.nd llal.mal

numbers, and coupled deriv<l.t)Ol\ rnh~" fm thl'lll

3,,4 PROGRAM AND PROOF DEVELOPMENT

3 28 EXAMPLE (Booleans)" The following context introduces the booleans"

bool *$ , true bool , fa I st: bool ,

if I1et::* .. " et ---+ Q ---t bool ---t Q ,

Pbool fa Ise #booI true , Pi/ \;Iet::*. VP,.bool---+ 0:' ---> *P"

\;Ix et P true x =}

\;Iy ,et , P false y =}

Vb::bool, P b (if b then x else y)

49

This COntext assumes that the two boolea/IS Me distinct a.nd gives t,he specification of if, We write (if b then x else y) for (If (~.:f,yb), 80 th~ type parameter (l< is left. implicit .. fals@;.i;bool true i~ ShMt for ~(false ""'booI true), with..., and ""'btx>1 as defined in definitions 3.11 and 3,,21. Note that the 8p~dfication of if il:' indeed of the form we disc\lssed earlier

Using P., we can detlne the following proof P:j P:/ Ab, n, Q,l,p"" !/,Py l)i/ (., (ATbool AU, n .. b -boot X '* (Q a)) X p", Y Py

Vb boo I Vet *. '<:IQ;o. ---. *p

V.x::Q (b =b(H.>/ true =} Q .x) =}

\;Iya (b =bool false =} Q y) =} Q (If b then:!." else y)

This gives the following coupled derivation rules for 'if ..

r t- b:: bool Tt-M::(f rt-N::(f r f- if b then Meise N tJ

r,p (b =btx>1 true) f- PM Q M T,p (b ""00<.1 false) f- PN q N r f- (p:, b bool Q M (),P,PM) N (,\p PN}) :: Q(lf b then Meise N)

for r t- q :: "'. and Q :: (]" --> ~p Here the proof terrnJ; have already become too wrnplicated to read

e::.::amples they will be omitted .. In the following

Cl

3,29 EXAMPLE (Natural Numbers)" The following context introduces the natural numbera and a primitive recursor with its specification

nat o S

primrec

Pp~I'M.t

*. , nat, nat --+ nat, I1cc;:* •. , a ---. (nat ---. Q ---. cc) ---. nat ---t Q ,

\;Ia:*. \;IP nat ---. Q --+ *P'

\;IX·,.Q, PO .:r -> \;I j::nat ...... 6 --> (~ .. (V'nnat, y:(~ P n y :>:) P (Sn) (f n y)) => 'in::nat P II (pnmrec Q ::r f n)

50 CHAPTER 3 THE BASIC SYSTEM .. A"-'L

Note that the specification of prlmre~ 11:1 indel::d of the form discussed earlier .. Tlllo', ,;pee1f1cation results in the following Goupled d!'rlvat.l()u mil'S for primrec

nat""' f7

r f- PM PO M r, n ' nat, Tee :: {T, pro" :: P 11 tee f- PH ' P (5 n) N r r .. f=primrec.::r M (Annat .\T€c{T .. N) ;;'ai --> (1

In 'QTi,::nat .. P n (in)

for r r {T :: "'. (Iud P nat --t (j --> "'p

3 30 EXAMPLE U8ing t111~ h()()h'all~ and llatural llumber8 jntrodll( td Jll t he prevIous examplr we now lonBtnKt Ii, program t.ha.t tests if a natural l)Urnl)('r l~ odd Of even For thh; the predkah~,; EI.;fTl. aud Odd a.lld thcit' releH\l)t IWOlwrtks aI'(' declared

We define

<I .. l,.!

<1 .. 11

ILt.

nat --t ~r"

EII'!! 0, I1n nat Even 11. =?' Odd (S n), I1n nat .. Odd 11 .::::;. 1:,1,;(::n (S n),

P Annat All boo!.. (El'l>ll n II II =&QQi true) V ((),l!l Ii j\ II =~ClQ( false)

nat --t bool --4 *"

It is easy to prOv(~ (P?I tru(! <=-"'> El'<'tl n) alld (P 11 false = Odd 11) FOl the llllplic-atton from left to right we n(~··d false :f.b"o/ trLJe

We are looking for Ii. prog,ralll even nat --+ bool thnt SiLtl~fi('s th(' spe( lfinlt.i/)I1 Vn:nat P n (even f).), ~(j w!' af(, looking for a prognull ~ven and a pl'oof p,'",n ,:;udl that

f- even nat ---> bool

r Pc,',", '1'1 nat P 11 (even III

We choo,:,~ to 11>;(' t Itt pnIllltlv(' f(,(Ul't<OI pflmre~ for t111~ pl'ogt'am i~' even v, til hi of the form (pnrnre~ n;lt M (Annat.. AI! bool N)) for ('(1(1111 . .1\1 itlld N By th(' c()lIpkd d('n\ation rule,:, for pnmrec thl~ le~v(',; 1I~ wilh Ill(' ta~k of fiudiug pn)glillll~ AI aud N with I)/nj)r~ pro, and PM such that

r- A!" bool, PM :: I' 0 M

?/ nat, /; .. bool, jii; :: P n '-' f- N .. bool, Vro, P (S n) N

PO M ~f;Jb (EM:)),O f\ M =&",,1 true) v \Odd 0 A. M =i"",j false)., "0 wr (llOosr Ai ~ true Tb("11 w(, itav!' to prove PO trLJe, which foll1>wM fW1l1 E"l'tt 0

W(" ehoo~c N == (if II then N) else /li2) r(l1 ~om(' NI altd N2 Thl~ ,lllii/Unts to dl~tHlg1l1~h­ing the C(l.1lf:'; II I,; true iLIId II is false, and hy r'/l II ! hi~ lll(,fLns dbUlif:>;lli,;hlllg I hr ~a~(>s th~t Tl.

is even and n b odd W~ Owo !t;\V(' 10 find N j and N'2 v,llh l)t"()of~ Vilil aud 1'''l, ~llfh tha.t

on .. n;lt, /):: bool, Jib:: ]' fl. ii, P b ="",,/ true f- NI bool, j)ro,l P \S n) N j

34 PROGRAM AND PROOF DEVELOPMENT 51

and n :: nat, h baal, Pb" P n h, p h --bo<>j false t- N2 baal, PN2 .. P (S n) N2

Finally, if P 'It hand h ""'boo< true, then Even n, and hcnct> Odd (S n)., Similarly, if P n band b =0001 fal$~, then Odd n, and hence E'Uf.'m (S n) .. Odd (S n) is equivalent with P (S n) false, Even (S n) with P (S n) true .. So we t,ake N j :;;;; false and N2 :;;;; tru~, and t.hen proofs PNI and 1'1'>, can be found s\lch t.hat

n :: nat, b baal, PI. :: P n b, p:: b -bcoJ true f- PNI:: P (S n) false 'It nat, b: baal, Pb P n b, p b ""'bool false f- P."i2:: P (S n) true

3.4.3 Other datatype-constructors o

So far, we haw olll)" (,oll~id~~r t.IH' ,tIJnOt.;l! iUII of pJ'()gralll~ a.lld dat.at,ypc~ .. Programs are anno­tated with (coU"ectncss) pt"oofs, datMypes with predicates In AW. there are other datatype­constructors beside~ thE' data!ypes .. We now ('onsider how these can be annotated in ).W[,

These other datatype'constructors are functions for constru(,ting datatypes, such as Ii~t :: *. --> *. and x :: *. --> *. --> *, Tlwy ('8,n be annotated with fUllctions for (;onstnl('t.ing preditat,!:'S.. For illijta.nc~~., th~ da.tatYlH.!-UHl!;tn1ctoro list *. --> *., whkh mapS diLtat.ypes to dat",typeo, could be annot.at.ed with a polymorphic fnn('t.ion LIST, t.hat maps predicat.es to predicates "

LIST .. (Ilc."'. (e. ---t "p) ---t (list Q) ---t *p)

So for any datat.ypf> (}, (LIST n) maps a ptt(lita!t 011 (} t,o a pr(>ditatt Oil (Iistn) The obvious choice for LIST is of cout'se the fnnctioll that maps a predicate P 0: ---t "p on Q to the predicate" P holds for all element.s" on (list a) This function LIST can be seen as a "lifted" version of list Of course, not all interesting predicates on a datatype (list a) are of the form (LIST Q P) for some p, bnt som!;' are For example, we can expect that any polymorphic program f •• (IIQ*$ (list n) --> (list Q)) will "atisfy

';i(},*, .. VPn --> *1' 'it (11~t (~) .. (LIST a PI) =* (LIST ()' P (f I)) (i)

Thi" meaTlS that the h!;t. t.hat i" the output of I can only contain elements that occur in the liM. !,hat i~ ito inp\l!

III t.h!!' remaillder of t.hi~ !;~~ctlO)l., it will be ~hown that .. , for any dosed datatype-constructor list *. --> *, in ).w$' tb~m' eXl!;h a lifted V('r~lOn LIST in AWl, such that all closed programs I (na .. *. (list (~) ---I (list a)) satisfy prop('r!y (i) To do this, lift.ed versions of all datatype· cOllstru(;!ors wlll be defined In gem'ral, a datatype"('onstructor (J ]J( can be annotated by a lifted verl;ioJl., which [" of type type.oj J!jt u.; «(1)

331 DI:I·'INITIQN .. For d(\ta.tYl)('-(on~tnl("tors (1 of kind ]J{, with r f- (1 If{ D., the ).WL­

propkilld lyp{' .• oj.hjtud(T)., with r f- type_ojJ!jtll,(tJ"):: oJ>, is defined ItS follows::

type.oj .hlt •• ((J)

typt._of .ltfto(,_n,.((T)

So type_of ./tft •• _ •• (list)

LIST w!.' gave earlier

(J --> *p

lloll\':1 Iype.o/ .h/tU(1 (n) --> t'YP~"o/ _h/tlf(~(I7C))

o TI(, *. ((~ --> *1') --> (ilst(~) --> *1" whkh il; indeed t.he type for

52 CHAPTER 3 THE BASiC SYSTEM '\WL

332 EXAMI'LE .. Tht annotatiOn of a dat,at .. ,ypc-constt"Uctor x *. --+ *. --+ *~ would hI' of type

I,YPI;:-Of_hft •• _ •• _ •• (x) == TI(~::*. (a .... *p) --t fIB::*. (/3 --+ *p) --+ (0: x 13) --+ *1' '

whcre x is written infix .... So x - a function that maps two datatyp!:,~ to a. dat .. at..ype - can be annotated v.ith a (po\YffiOl"'phic) function that maps two predicates to a preditat,e .... Thc obvious candidate is the function which map~ the predicates P on 0: and Q on (j to the predicate "P holds for the left (.wnp()n~nt. and Q fOf the t"'ight component" on a x fj D

For a closcd datatype-constructor (I, it is possible to define a. "lifted" vtrSion LI/t" I a prop"constructor of type type_of -lIftJl«((I), by induction on the struf"tnrt of a

3 .... 33 DEFINITION .... For It dat at .. yp{'-Nln~t.mct OJ'S (j t.lw prop-constl'uctor 11ft" iH dpfin~'d bl

11ft", ,. P" ,if n is a variable

hftp_u - Alp --> a 'if .. r:p. .. IlftpCl);;;} hjt,,(j, .. r)

itjtn«,O{ (f - )..f(rr(~u\ 0") '<irdK V/P"lypr'_of _LtJtlJ((C:;) Itjt,,(jCl)

Lift"" - It/t" (j Itjt"

hft:..cdJ( " """ '\nJ1( '\Po:twe-of _ltjtU{(O:) h/t"

3 .. 34 EXAMPLE For the di!.ta.tYP!:'H (TIn*. (1) alld (!In· *. 0: ---t 0;) we get

hlt Ila .•• " - ,\J (On*. aJ '1P (! - *» P (f n) (fIn:: ..... a) ---t *1'

I!ftn<:> •• I> .,,<"> .\g(n ... ::*. (, --t a) .. '1Pn ---t *p" l;I,r 0; P r; =} P (q n ::r)

D

(n(~::*. (~--+ 0) ---> "'I' LJ

3,35 EXAMPLE Suppoo~~ list *, --+ *. l,; ~i do~cd datatypc-constructor Let. LIST:;:;: liftlist·, Theil d!:'fillitior) 3 .. 33 r~hlIlth in !.It!' following predicat.e on (TIO',.",. (list n) ---> (list (~))

hft l1a· .•• (list a)-(Iist "J == >./::(TlQ*. (list (~) "'~ (list it)) ~a* .• 'rfPn --+ "'I' 1f/(lisUl:) .. (LIST (}. P l) => (LIST a P (f l))

(TIo *. (list 0) --+ (list (~)) ---> "I' D

FOr all tlo~('(l dat.at1 pc-const.ructors a the prop·cow;t.ru( ton, I!ji" MC of t.he tight type

336 LEMMA If € f- (T fl'; D., thl'll f r hft" :: tW!3j;f -Minda)

PROOF A J:>tra.ightforwa.rd lTldll(tiOU Oil t.11(' sU·ufturc of (] provel:\ th(l,t if r rAW .• a :: Jl{ D.

then /tft(r) f- AWL LI/t" type_of -1lfl Q((o-), wht'n,

l!ji(fl hft (r,xni

Il/t(T, a II';) iI/I(f),.-.r (t,Pr::I~ft"t'· IIj1 (r), nU';, l~,t!Jfi(~ _0/ -/tft JI( ((t)

Here wI' ;:U:;f;nrllC that fOI' all variahlC's (} E Var rJ• and r; E Var" th(>l"f" il.l""i' \-;tl""i,lbks P" E VarL]. and p,. E Var·p D

3-4 PROGRAM AND PROOF DEVELOPMENT 53

Thi~ meanS that, for closed datatypes J, Uft" ': type_ol_l~/t.,(T) ;;;; (T ..... il<p' Le" hIt" is a predicate on (j, We already saw examples of such predicates in examples 3,,34 and 3,35 .. All closed programs of type J satisfy this predicate

337 THEOREM, If € I- M a:: *., then thet'e is a proof PM such that € I- PM (b/t"M)"

PROOI" The proof PM can be found by applying the AWL-derivabon rules coupled to the Aw.-derivation rules used in this derivation of M :: a.. A straightforward induction on the structure of M proves that if r t- ..\""" M .. J :; *. then lift(r) f- AWL liftM :: It/tuM, where

lift", Z~/tQ

lift Az..p M l~ftAcdK M

It/tMN It/t Mp

p", if x io a progra.m variable P", if a, is a datatype-constructor variable Axp, Ap", hjt (OX hjt M

).0.1/\ 'AP",::type_oj _hjt/T«(O:)- l~JtM

hjtMN hit I" hjtMp IIJtp

Here we assume that for all variables a E YarD, and x E Var·' there are variables Pa E VarD~ and PI E Va~·p 0

3,,38 EXAMPLE .. In example 334 we saw that

I~Jtnl)' •• '" - >,!(fIu.:*." a:), VP.:Ct. ---j.. *p P (f 0:)

hjtnOll., I)_I) - 'Ag(T1(n ... n -0 ~,,) VPo: ---. *p 'V"x:.Ct." P ,x => P (g a ,x)

Now by theorem 337, for all do~('d progra!l1S f (no,;*, (11) and 9 :: (na::"'. (} ----> 0) there are proofs of (iP::a ----> *p .... P (f n)) alld (iJ'....n ......... ~p .... 'rIr:: Ct.,. P x=> peg CI' x)) ....

This means that, for 8.. dat,atyp!' 0:, y n docs not just map programs of type Q to programs of type Q, but it 01.)00 map,:; ekmcnts of any subset of Q to elements of that s\lbset.... This is also the case if this ~\lbsl)t i~ a ~ingl!'l.on s\lb~et, so this leaves only one possibility for 9 Ct.,

namely the identity On (~

Similarly, for a datA..t,ypr 0, f (} is not just a program of type 0, but all;io an element of every subset of 0:, including Uw empty subset Clearly, no such j can exist 0

What theorem 3 .... 37 i~ bMkally 81!.yillg l~ that, allY subset of a Aw.-datatype could be allowed as a new datatype.... Tht'orem 3 .... 37 dOf~ not say anything about the relation be­tween programs j P and j r:r that are obtained by applying a single polymorphic program j (Ila"D{" 0-) to different datatypes" like th~ notion of pmY!metl'1.ctty discussed in for instance [Rey8311Wad89]

54 CHAPTER 3 .. THE BASIC SYSTEM .. ALUL

3.5 Comparison with Program Extraction in AC

In [PM8!)h] Pal1hn-Mohting descrlbes an approath 1.0 program constnKtlOIl that uses program extract.ioll .. This approach is quit~ diff~r/~llt. from t.he one we propo,;~, !lS already discussed ill the intt"oduction However, it involv~!~ tlo~dy related type 6y!:,teml';, which is why WI;' dl1';("11'££ it here in a bit more detail

Program extraction 15 u5(!d ill interna.l programming logJ('~.. Here the Curry-Howard­de Bruijn isomorphism is I;'xpl()ih~d by idf'llt.ifying the notions of program and proof a.nd the notions of type and spedtkatlon (to ;1 cf'ttain extent) Tbi!; idNl. dates back to Heyting's semantics of constructive prook: fI. rOllstl"llctive proof p of V:;'(T .. l' x -;;} (3y:'T Q x y) (.Olll.a[ns an algorithm which, given a hmn x; alld a proof h of P x, returllS a term y and a proof Pv of Qxy (together, thh witllN;>; y and proof Py form a proof of (::111::1" Q x V)) The typi-' of p gives all the r!;'h>vant. illformation about this algont.hlll it is its sp('cifkatioll .. S11ffielf'nlly cxpre8S)V4~ type syst.ems, snch as Martin-Lor's TY1W Thf'ory and the Calculus (Jf Construct.ion5, can h(' 11si'd as pl'Ogt··a.mming logics in tld~ way

The main problem with tb)!:> appriliirh J~ that proofs (ontain 1l'(lImdallt informatlolL Tl p­ieaHy, a large part of p i8 d('voh~d t.o t.hr comput.ation of PY' find as prograr[)m~r>; W4' arC only interested in y Ao a rebult, f1 is inefficient and difficult t.o rNul

One way to get rid of tb~~Sf' irr(']f'vant. C'omputatiom, I~ t.O ('xtract progril.TfI'; from proofs In IPM89h] it is described how progr,un~ ran be extracted from proofs in a variant. of the Cakuhls of COll~t.rllC't.ions .. The ('xtrafted profSl ams are Wpath' ill AW, For C'xample, a AW,­program Irr ---> T satisfying '1.:r"(! P T =*'" q ::. (J .1:) i~ extracted from it n)nstt"lKtive proof of '1.x:{1 P T :::> (31FT .. Q.I 1/) The pI'o()f~ hom".. hiI'll pfogranB an' ('xtractl'd arc cons\rllcted ill the folJowmg varian! of the C1l.lculm of C(lI1f;t.rU( !l0rlS::

S = {*.,O.,*p.,Op}, A = {* ... 0"*11 :: 0p}, R = S x S

In [PM89bj the sort *, ()f ),.C/,. is called Spec, ;;!.nd *p IS callf'd Prop [J

In Hus bYotE'U), we ran no IOllger think of alJ !'J pes Ci ". a.> d(!t(!typ~:l" nOr of all term!;! M (! as program8 For PXiLlIlpk, it is possible to form a pt··ogr·am·depel)d('nt-!.l pe such as (~ n m) "., wlwn' ::s nilt ---> nat ..... *., that COllsist, of ((Ollst.t··uc1ive) proof~ tha! n is less than 1TL Inhabit.ants of ". are called mf<nmtdtve propositions, Iwd ill habitants of *1' an' railed 1!on-111Jor"rnatwe proposition~

Thl! dist.inc.tion between *. li.ud *1' il' IH'l'ded to control wbkh pint.; of a proof >\'r(~ pxt.mc.ted to prodll~f' a progum .. The ~xtrarti()11 prnrNhll"f' discards proof,; nf nort·informil.tiv( pl'oposi­tiOllS, alld keeps only the proof5 of intnrm'lt.iv(' Pl"OpositionB For 1I1~l.ancc, in ord4:'r t.(1 I'xtract a. progtam of type (! ---. T from Ii, prlHlf nf 'r:It"(j .. P x=} (311 .. " Q ::1."/11, t.he t.ype!:> (! ami T have to he informativf', i c .. r7, T *~, and th~ t.yp('>; P.I and q:r 11 }PI ... \,' to bf' non·inforrn!ttivl', i .. e Px, Q";1;1):: "'p

The extraction pr(1( pilUl(" IISI'~ t.v-o mappingR, [ I\lld n. ]"hf' [nnct}oll [ 4!Xt rM·l.~ programs and datatypcs from ACtIO-proofs iiud propositions, Ow fUll( I ioll R l~xt ['ad~ t 114 associated (OrrCf'tncss proofs I!.nd pr('di('~tcM

35 COMPARISON WITH PIWGRAM EXTRACTION IN ;"'C

340 THEOREM ([PM89b]) .. There are mappings £ and n such that

• if r f- S *. in >.Cp., then

l(r) f- £(B) *. in >'w,;, and

'R(r) f- 'R(B) £(8) --+ *1) in AWl., extended with the r\lle (*p, elp )

• if r f- s :: B: *. in >.er,;, then

l(r) f- £(,~) :: itS) in AW., and

n(F) t-.\w R(s):: 1<.(B)£(s) in AWL extended with the rule (*",0,,) [,

In iPM89bj the 80rt *. of )."". is ('alled Data.

55

o

So if S i~ 1111 informative proposltioll, thtll £(S) lS a datatype and R(S) is a predicate On that datatype If s is a constructive proof of an informative proposition P, th~;ll E(,~) is a program of type [(8) and R(s) is a proof that. thi", prognl,lrl !jat.iMl~i; !.III' predicate n(s).

The example bdow ~h()Wi; how cOrrt,tll(,SS proof and progr·am are intertwined in a cOn­~tructive proof.

3.41 EXAMPLE Suppose r f- 17 .. T *~, r f- P 17 ----> *)1 and r r Q :: (J ... T - *p in AWL (and hence in >.Cp.). Define th(' informlttive >.CN"propo:oition 8 a.s follows

s = ';fX::u .. P:t;",* (::Iy 1' .. Qxy) *,;

Then itS) 0= et ----> -r n(S) )..fet ----> l' 't~.;o- Px =} Q x (f .x)

Suppose that M is a A41.·term such that r, x 17 f- M T .. S\IPPO~~ that in ACp• we have the following inhabltallt. of 5

where In3!f.~ Q;';!I M PM 15 a proof of (3YT Q x y) p,~ Q X M" Then £(s) == ).,x::a M

R(s) = '\X;17 )..p",.P x .. PM

consisting of a wiOWi>i> M e(S)

and a proof

1?(8)e(s) o

3 42 THEOREM Any program M 0- .. *" and forrectne5S proof PM 5 M :: *p that can be constrllet.ed in .\""'L ran al~o be obtained by pl··ogra.m extraction from a proof of an informative plopo~itlon in >.Cp •

PltOOL Tit!' simplest way is ~o take ~ the >.Cp,;.proposition (3.x::o- .. S .x) *~, and !I.l5 it~

(eonstnlctive) proof the pair ronsisting of the witness M and proof PM that it is indeed a witness ..

Note that this is not the only way, and not the best There are many proofs of different informat.ive pt·oposil.ioni> flOm "" hidl a rettain progr·am and correctness proof can be extracted For example, a program f 17 ---> T oatlbfyiHg \;:;.17 P x * Q.;1; (f :;c) cau be ext.racted from a proof of '13(1 .. P.T: ::::. (311"- Q.J 9) or ::If (1 --+ 1" .. P To;} Q x (J .x) The whole idea behind \Ising program extr(l,tiOll i~ that we prf'ff'r t.o prove thc former, To prove the latter we have t.o providf' a. progriun th" witll~i;S alld a s('parat.!' rotrcct.ness proof, so in t.his case there ii> no rcal necd for an txtr,\/'tion ]wotcdmf' 1.0 obt.ain these from the proof D

56 CHAPTER 3. THE BASIC SYSTEM·· AWL

Not a.1l program~ and correctness proofs that arc obUl.lned by program extraction from a ACp.-proof Ca.n be constructed in AWL .. Thi~ i~ bCiCanse R pwduc·es predicates and correctness prool<; that a.re typeable in AWL extended ",ith (!f<p, Dp) This extra rule allowl; the forma­!.ion of propositions depending on proo£~, ie propo~JtlonB that express properties of proofs .. However, using this rule go('~ a.gain~t the idea that the inhabitants of *p are non"informative propositions, whose proofs do not have allY computational meaning

Chapter 4

Simple Extensions

Like all PTSs, the system~ introrlu("cd ill thc ptcvious chapter- provide only very few primitives for term and type f01"mat.ioll In t hi~ chapter they are extended with mOre type constructors, In addition to the d~pcndcnt product type constructor II, we introd\lce the type constructors x, + and E, for the formation of (labelled) cartesian products, (labelled) disjoint sums, and weak dependent sums, respectively

Especia.lly in the programming language we want more primitive~ for term a.nd type for­mMion than those available in AW. We want more datatypes than just polymorphic types (D(l:lK 0") and fllnnion type~ IY --t 1', and more ways of constructiJlg programs tha.n just la.mbda abstraction and a.pplication.. The extensions provide a richer synta.x for the pro­gramming language .. The labelled prOrllltt$ and Slllns provide record and variant types" The dependent sums provide abstract datatypes ..

In the logic the new type constructor8 provide the logical connectives conjunction, dis­junction and existential quantification M primitive~ .. In the logic there is not such a pressing need for more prlmit..ive~ for !.!'rrllS and t) prs as In the programming language.. Readability of proof t(.'rrns is llot a..~ important lIS readability of programs .... Also, w~ are not interested in the reduction beha.viour of proofs ....

Th!~ strength of the type systems is not really increased by the new type constructors,. Thl'rl' a.re cncodings of all the new types in the original systems, except for the labelled produ<:t~ and ~ums 'fhere are severll.l reasons for introducing +, x and I; as primitive notions.... Having them !\Jj p1"irnitiw~ rnC!\llS tha.t. we tan choose their interpretations in a. model (which may be different from the interp1"(>tatl01lS of their f'ncodings), which makes it easier to introduce specific axioms for them in the logic... Also, if + , x and t are primitives, thf'y tan be implemented morc efficiently, Finally, there is no way to encode labels and labelled products and sllms in AWL

The new primitIves do not intl"oduce new dependencies between the different. l(.'vels, so that the hierarchy formed by these levt'ls does not cha.nge ....

Before we extend the partIcular typf systems with +, x and :8, we first consider in section 4.,1 how the new type constructors can be included in the PTS-fra.mework .... Then in sections 4,,2 and 43 the programming language AW, and the programming logic )..WL are extended with +, x and L The rt'sulting system are ('ailed .\w; and )..wt,.. Fina.lly, in section 44 we consider the construction of programs with their (,.or1"e{tnf)';$ proofs ....

57

58 CHAPTER 1 SIMPLE EXTENSIONS

4.1 Extending PTSs with +~ x and 1::

In t.hiS !:lection the PTS·framework is extended t.o inrlud!' mol'l' I.YP!'s thau Just, t.he depelld('nt product. types (llx:A.. B), namely

• (:artesian product types A x B and labelled cal'tl'sian produdS,

• disjoint. sum types A + B a.nd labelled dIsjoint. SUIllS,

• dcpcnd!'llt Sum type!:l (Y.:.~ A B) (also known as existential or weak sum types)

We do not intend t,o giv'P the most gen~~ral exten!:liOll of PTS!:l with tb~~~e addltionaJ type constructors, only O[ll' t.lI'Lt. is W'[[('[",d enough for our purpO~!':h Tn partiurlar, for 1- iLml ~:-types more powerful elimination rulcs can be giV('IL Th(' diffcc('llt type C(}n~tmctors ate tr!'at",d iUl uniformly as possible .. We compare different not.ations fOI +. and L\typCS, and choose O[le whith ernphll.siz(~1' thr~ similarity b~·tween them Latr.~r w£' )'nay u~r' 0111' of t.b(~ (Jt.ll!~r notations if this is NlSil'[" to ["!'itd III <I. p'l,rlltlllil..! Mit.\lil..lioll

In the specification (S, A, R) of a PTS till' ~('t. of nlles R spedfi('~ ·\\oltich II-t.ypes can bc formed, For evel'·.Y lIe\\ tYP('-tOuSlrlldol ill1 ilddlt.lOU;tl s!'t. of rllk·~ v.rll hI" r('(lulIHl to spcnfy which types can be fot'llwd \\ 11.11 it TIll' ~N of lUIto!; R (()lltl()llill~ I.hl' fO!'lIliltlOU of II-types will be callcd Rll f!"Om no\\ on.. ..

4 1 DEFINITION

A spectficatlOn 0/ (t (D)PTS \\ltlt +, x ~LIHI L: l~ it G-lllp](' (5, A, Rfl, R~, R x, R+) wit.h

• S is a set of symbols c~ll('d I h(' ,~O!t!

.AS;;SxS,

• Rl1, R:t:: £; S x S ,

o

If S = (5., A, Ril, RL, RX, R+) i~ a ~p!'( ifi( atiol!, tlwn AS dl'lJMI'~ 1111' PTS with -t-, x and I:

it specifies, and )'Sc denotcs the DPTS with +, )< and L: it sp{'dhe~ One simplification ("ompa.lwl with thf' ol'iginal definition of a PTS-specifiuttioll (defini­

tion 2 . .1) iiS Ihal Rn t;;; S x S ill~h';Ld nf RrI <;;; S x 5 x 5 .. Fo!' I.bt ~)Sltm wI' are intNcstect in nO ["ulp.s ('~!,~2,R1) wit.h R2 'f:- 81 8n~ 11(~~'dl'd to ('<)lltl"ol t'lt!, j'CH'lliatlOll of II-IYIH~ (01' E-t} pI'S, for that. lIliL!.!.I'·!',') A.~ iL 1"('>;'1111, IIH' dl'fillitioll of fllllClioll;Li «Lll bl' ~J[llplilil'd::

4 .. 2 DLI INI'rION A (1'Y"'tt'lll ~l)£~j lfkd by ~l) Ml)£~( In( ~tJ()1l (5., A, RIl, R1.., R", R+) i}' (allNI /1tnc­hOnld rf A i/o ,L fUlie I iOll., i .. !' if

I.·~ /) E A ,,(,~ /'OJ E: A .::;.. s' ~ 8

o

Extl;:ndmg a PTS or DPTS with +-, x- Itlld L:-tyP('~ (Olll('~ dow)) to

• extending the set of psclId()t.erms with n("w hngl.lage ()llstI'1'1( t~ ..

4 .. 1 EXTENDING PTSs WITH +, x AND ~ 59

• adding new reduction rules, and

• adding new type inference rilles ..

The extension with +, X or ~ can be defined simult.aneously for PTSs and OPTSs In the remainder of this section we give for each individua.l type constructor the new paeudoterrns, reduction rules and inference rules The (binary) cartesia.n products A x B and disjoint sums A + n are special cases of the labelled ones Because they are so much more familiar they an' first treated sepa.rately.

Each new type constructor comes with its (3. and l1-reduction rules As in the definition of PT$S in cha.pter 2, we will only have (3-reduction in the type systems. The reason is that, as in chapter 2, the 1'/-mles complicate matters because they destroy the Church-Rosser property for the pseudot.erms.. AI~o, for Il'tbelh'd products the 1J·rule will turn out to be a conditional rule th\l.t dt~pend~ On the typing relation., The models that are dis<;usscd later will bt' I'xt~'nsiOnal and respect t/-eqllality.,

4.1..1 Cartesian Products

Cartesian product types are of the form A x B .. The t,ype A x B is the type of pairs consisting of a term of type A and a term of type B The !l.8so('lated te,In constructions are pairing and projection .. The pa.ir consist.ing of (I and b is denoted by (a, b). The first, (omponent of a pair 17 is denoted by c . .1, the ~econd by c,,2,. The formation of product types is controlled by a set of rule~ RX

;; S .. The type A x B can be formed only for t.ypes A and B that inhabit a sort 8 E RX ..

4 3 DEFINITION (Extension of (D)PTS with Cartesian Products) .. The extension of a (D)PTS with cnrt4'~lan produtt,s types is specified by a set of rule5 R" ~ S .. The !;et of p1;t:!\ldotHm~ i~ extended as follows

T ...... ,I TxT I IT, T} I T I IT 2

The following reduct10n lule is added

(a1' (/2}"! I>a a,

and the following type inference rules

()( form)

(x Intro)

(x ehml)

(xelim2)

rf-A •• s rf-B.:s Ft-AxB .. $

rf-aA Tf-b.B rf-AxBs r t- {(I, /1) A x B

rf-c AxB rl-c.1 A

Tf-c AxE r I- 172 .. B

if S E RX

o The t/-rulc for products is (c .. l, c,.2} l'>'IC' As is well known, the combination of /J-reduction

with this rule - known as surjective pairing - is not Churco-Ro!;ser for t,he untyped lambda calculus, and so it is also not Chur('h·Rosl:\~r on the set of pS~!lldotf'rms ..

60 CHAPTEH 4.. SlMl'LE EXTENSiONS

4.1.2 Disjoint Sums

Before we give the defilHtion of (D)PTSB with diBjoint Bum types, we first discuss Borne of the possible alternati vf.'~ for tllP. !:iynt a.x

Disjoint sum types ar(' of the fom) A + IJ The formation of disjoint sums is controlled by a set of rules R+ ;; S, in the sam!' way tbe formation of product typ~~ 1~ wutrollE:!d by R" .. The formation rule for +-t.ypt's is

( +form) rf-As rf-B s

Ft-A+B s if s E R+

The diaj(lint 8um O~ discriminated union of two type A and B, A + B, is the union of two disjoint (Copies of A and n .. Inform'l,[ly, its iJlh!\bitl\ut~ can be seen M pairs (1, a) and pair~ (2,&) with a. of type A amI II of lyp~' I3 FOl f;lllll I'YIWf; W(' ba.w! two intnHi1l('tioll rule~::

It-A+lJ::~ I t-o A r f- lnA+nT'r;'""A"+~B-

r t- A + U 8 r 1- /1 U -TI"~n;:·8.','i f;": 'X'+ B--

The subscript A+ n of In is aWKward but n~'( essary for tyP(' infen'llce We willsometlm(;!f; mrnt. thes~ ~mhs(:ript.Jj if it )13 del!.r from tlw context what they should he .. For IllstaJl({'., if w~ kn()w that f : A + B --4 C, then the 5ubscnpt A + B could be omitted in the term f(1n41 n 1 a)

The parameter a m inA+l:1 1 (L (ould hI' l.r!'al.t'd as t.ht' !lrguml'llt. in an ordinary application Then the injection in4+H 1 wonk[ bt' lyp~Lhl(' wit.hout. ils al"gUtl\(\lll of lypt' A, nanwly as

r I- In;l l.I!l A --4 A + JJ

H()wev~r, this is ouly p()~~ibl(' if dlC fUIHt.ioll t.ypc A ---. A + B (an 1)(> fonncd, which ~eqllw':~ (.9,~) E Rn Ol)e could go one ~tcp fmtIH'l'., and treat 1n4 I 1) .. 1 a~ th(> h()lec't.iol'l of tht! fjr~1 tl)mpOrHnt Df 11. p~ir Thf'll t.ltt' illj(>~(.i(l)) il)to tilt> ~UJn tyP(' A + n would 1>1' l.yp,d iL~

r f- InA I 11 •• (A ---+ A + B) X (il--4 A + n)

But this is only po~sjbk if till' pl'odutt Iyp!' (A ---> A + B) x (B ---> A + E) ran bt' formed, which !lot only r('(lulri'~ (H, 8) E Rll, hut. ,t1~o .~ E R" lu 1.I11~ ~ySI.('llIS \\(' «()llside!" it will be

possible to tYPE:! tlH' Ill,kctlon In 4+[) wlthol1t it~ two i\q';Ulll(,llt~

The elimination printiple fo!' a disjoint ~lHn type involv('.~ a ("a~{' dbtlB( 11()11 [wI.Wt·!'·u I t''['[ll~

constructed llsing th(' left illj(\ctiOlI and those' constll1rted using til(' right illJf'cllOn Orll

possibility is to lise a case-()xpl"(>S~iOll, with the infp!"ClKP rl1l(>

(i) r,.or At, c: I :: C r,:If n t- (:2 :: CIt- d A t lJ

r f- (case d of inl .X f-+ CI lin 2 y >-> f2 esa,;:) C

and tedut1.1011 rnk~

(c~se (inA! I) 1 a) of 'in 11 H ('I Iln .. 2 y >-> (2 esac::)

(case (In,Hl>'2 Ii) of m l,x r-> tl I In 21/ r-> c. esac)

(case c of In 1..1' ,-" (In.o1+11 1 !) lin 2 tJ ,. (In.HH 2 y) esac)

!>fl '11, .. --" <1]

D-(j Cilv = b]

41 EXTENDINQ PTSs WITH +, x AND r:: 61

case is a binding operator in the term (C<lSS' C of (in_1 z) - CI I (in .. 2 y) f-t C2 esac) it binds x in CI and y in c~ If we use lambda-abatraction for these bindings, we obtain a less verbose notation for the elimination principle for sum types:

(il) rf-IA-'>C rl-g:B---4C rf-A+B8

r I- l'Ilg : A + B - C

1"79 is the function that maps a term (InA+8..1 a) to 1 a, and a term (InA+B .. l b) to 9 b. The computation rules for 1"79 are

/79 (inA+B..l a) 1>13 1 a

1'Vg (inA+B.2 b) 1>8 9 b

The 1/""rule for /'VB is eAAie6!. !.o stat,t' in !.!-'rrnS or inAHi'.l and inA+8 .. 2;;

(in,j. .. I-B..l 'V InA+n .. 2) C I>~ c

The term (case d of in.l.x f-+ c) 11n .. 2 y f-+ ('2 esac) can eMlly be exprl>:6sed in terms of 9, namely as «>"x:A.. cd'V(>'yJJ· nl) d .. Dep(mding On the situation, the notation using case or V may be preferable .. SOTlJ(;t.im!.'~ tht' cas(!-toJ)~1 tlltt. is a little easier to read, for example in the ry-rule .. On the other ha.nd, tht' more tornpact notation using \l is useful to express some equalitiel5 of function!; on ~\1rn t·yP{·~, !-' .. g ..

where f PI ---j 17, 9 PJ ---t (] and h (] ----\- r

There is subtle difference between the elimination rules (i) and (ll) given above, namely in til!-' r!-'~trictions !.hey impost on the possible choices for C Rule (Ii) is more restrictive than rule (I) In (ii) it follows from the premisses that the types A --4 C and B ---4 C Cl;tn be formed, which means that r I- C .. 8' for some (8,8') E Rn In (I) on thl>: other hand nothing il; required of C .. We will req\lln~ thllt. th{! dOlllllln and the range of jV'g have the same sort:

(iii) rl-/A ..... c rl-g n-c rl-A+B s FI-Cs

r I- 1'V9 :: A + B ..... C

There a.re two wa.y!'; to gt"ll!-'ralis(' !.his t'limination rule, but t.hese generalisations will not be induded One possibility ia to allow thi:' range of l'Ilg to be of another sort than its domain .. Another is to allow j'V9 to have a dependent type.. The most liberal elimination rule for +-types, combining t.hese two po..~sihilitil's, is

r, x ;: A f- CI :; C[z- inA+8.1 xl F, y B I- C2 Ciz:;:: inA+ s 2 !II rl-d::A+B r,z'A+Bf-C::s

Later, in discussion 4 38, we will discuss possible uses of these generalisations and our re~OnS for excluding them.

In~ttad of the bmary operator 7 wI' will ust> iI unary one that takes a pair as argument. Then 1'Il9 is in fact \1{f,g}, il.ud tht eliminat.ioll rule Lecoml.'s

(+elim) r f- h (A ---j C) x (B ---t CJ r f- A + B : srI- C 8

r f- \lit :: A + B ....... C

62 CHAPTER 4 SIMPLE EXTENSIONS

This rule is only equivalent with the rule (tii) If the product (A ---. C) )< (B ---+ C) (~I!.n be formed, which requires 8 E RX Tn t.he !;y!;t,{'ms we consider this will not. be a. prt)hlem, since we will always have R" = R+" T1H' only n'ltson for using the unary \7 ij;; that i1 i~ casy to generalise to n"ary sums and labelled sumo It is also nlO!"f' simHar t.o the notatJOll used for E-t,ypcs

The iJ-reduction rul(' h!'tom('~

The term \l(f,g) hll.8 HI!:' expe("t.~~d n'ductioll bcha'll'ioUl", except that. now two stcps arc needed inBtead One::

\1(/,q) (inA+Jl .... l a) \lU, (I) (lnfll1J 2 /I)

"'ff (f,g) .. J a ~" (I,q),2 b

The I)-rule for \l io e!\Jjw~t t .. O ,,;t.;I.!(' III t.('[Jl)S of InA+U

4....4 DI;I'lNI'T"lON (E){t!,l\~ion of (D)PTS with Diojo)llt SIIHlS)

The extension of It (D)PTS with disjoint S\lm typeJ:\ IS spt'Cifif'd by a set of ruleB R+ ~ 5 The set of pselldol {'I" HIS I~ fXt.f'Il(\C'd as follow~

T .... = 1 T+ T I "'T + TIT IU1T + T 2 T I \7T

Vh (InA+H!' a) ~,:> h ~ a ,for 1 E {1,2)

and the following typc mft'l"o"llct' r\lk'~

(+form)

(+Introl)

( +intro2)

(Hlim)

rl·-A H r"r13 s rf-A+!1::R

If-A+B··s rf-a A r f- inil+B 1 a :: A + H

rf-A+B ~ rf-b B r f- inA~~~2 h A + B

TI-h (A"C)x(B---.C) rf-A+H ~ rf-C.8 . --- rf-Vl> A+B---.C ------

o 4,,5 CONVENTION Of th("" tyP!' cons1.t'tI('t.OI'S ---+ + awl x, till' type constJudor ... " lJil$ the lowest priority and )( tlii;' higlli'~t 0

4.13 Dependent Sums

As fOI' the disjoint sum types, b{{on' w{' givr th(, dffinitioll of PTS~ ("·xknd<',dwith dep('ndcnl sum types, we first discn~s ~()1IW of flU' alt,!'!'na.tlvl's

Dl'pf'nden1. sum typ~s arc of thl' [O!)II (l>::A B) TIl{' tYlH' ('()n~t '·11( 1m L ('/\,]1 lH' 8('.(""T1 as an infinitary version of +. the tY]l(! lh + iJ2 IS "LI E {1.2} D," .. Lib' inhabit.anh of nj !··H.

4 .. 1 EXTENDING PT$s WITH +, x AND ~ 63

are pairs (t, b) consisting of a index i E {I, 2} and a term b: B;, inhabitants of (l:~:A B) are essentially pairs (a, b) consisting of a term a A Mid a term b;; B[x ::= aj

There are (at lellSt) two kinds of E.types, known ~ 'weak and strong ~-types, w'ith different elimination rules The r:-types we Ilse are the weak ones. The difference with the strong ~. tyJW~ a.rc explained at the end of !.his Sf'ttion

In the programming language I;-types can be used as abstract data.types, as explained in [MP84j. Examl)lt>s of this are given in eX$.rnplcs 4 .. 25 and 4.27 As a logical connective, ~ is simply the existential quantifier 3. The niles for E-types look most farniliar if E is read as 3; the introduction arid eilmination rule for E il.n' then the usual iIJtrod\lttion and elimination nile for an existential quantification.

The formation of dependent SUITlS is controlled by a set Rl.:, with RE ~ S X S.. The fonnat.ion rule for E-types is'

Th~~re will be no n('cd to gcnerali!;!' t.his by having rules that ,u~, triplc~ (s], 82,83) instea.d of pairs ('~1"~2) and replacing 82111 UI( conclusion by 83

The introduction nIl!' for E-typcs is

r I- (l. •• Art- b ; B[x= zl r F (L:xA B) 8

r t- inE",A /3 a b (LX:A.. B)

If we read 3 for E, t.hen the rule above b!'f'{lIll(>~ t.he usual introduction rule for existential quantifkl:ttion to prove (3x'A B) we hll.vr~ to providr a witness a A with a pt"oof of B[x .. = a].. The term (inE""A JJ (1. I») tan b(' s('cn I't.q a plI.ir ((I., b). Howcver, the elimination rule for E·types will not allow dirc(:t IItte'SS to the two coml)OII!)[lt~ (I, lind b of an inhabitant (inE,,"A S a b) of a E·type ..

A~ for t.h!:! +-typcs. the injcction hlto a I:-!.vP(' could be typed without its two arguments,

In);" All .. (TIr'A B ---. (E.J A B)) .,

providf'd that. this type CI!.B hI.' fonll('d. If (~.I·:A. B) has been fOnnl"'d using (8115) ERE, thNI w!' !I!'('d (SI,S), (S, 8) E Rn to forn1 the t)l>c (TIx;A.. B --t (E.x:A. 8)) ..

As for +-types, ther!' arf' diffNent ways to t'xpress ! hI' elimination principle for :E-types One way, similar to the caSe-cxI)!'cssion for' +·typea, k a where-exprcssion with the typing rule

r,.1:' A, JI IJ F ( •• C r F d (ETA B) r Fe •• ·s r F (c where (In 1" y) = el) C

and reduction rules

r where (in .x y) = (in~~J'A R (J &) ~{:j dx = ally:= bj c where (in .T !i)"" (inL.A 8.'1' y) (>'1 G

where is a binding operator; ill til!' !.Cnn (r where (in .x y) = d) it hinds:t and y in c. Using lambda-abstraction for t.h~'!;(! hilldlllgs produces an op('rator similar !.o the \j for +·type8, with the following typing rule

r r- f .. (n~.A n ---+ C) r F (BrA B) 8 r t- c •• 8

r t- \l f .. (E'r.A B) ~ •• C

64 CHAPTER 4 SIMPLE EXTENSIONS

Note that if we read :3 for E, 't for II and =:> for --->, tlllO> l~ tit!.' nOl'lllal elimlllation rule for existential qua.ntificatioJ):: if (1f.:r::A 1J "* C) tlt~n (3::r:A B) =:> C. The premise r f- C :: s gua:rantees that x if. FV(C) ..

The a-I'eduction rule fOt \J is

'V! (InB..:A H (I, b) f>{3 f a b

The tf!rm (c wh~re (In 3; y) = d) <'an he expre~i-\ed in tC>rrnS of the mote ptimitive:- \J, namely as 7().,xA ).,1/8 c) d

As in I,ll!> c>lilllinatl(lll ntl(' for +-tyP!'~, wf' havf' I.hf' posslbility of controlling the pOl>8iblE:'

sorts of C in I.hf' f'linlinalion rnks aho.l' As for the +-types, we will only allow plimjnlll,H)rl~ where the type of ta.ng!' C IS th!' ~alllC SOlI. as t.he type of domain IT,.r A D I

46 DEFINI'TI()N (EXt.ell~iclll of (D)PTS ".,II.!J E-lypf'S)

The eXll:!nJ:\H)n of a (D)PTS with r.:-typCf; i>' ~pNifii"d If) ;L ~eI of t\11c~ Rl: ~ S x S The ~et of pSE'lldoterms i8 extE:'nded as follows

T=.. I (I:Var T T) IlnBVarT T TTl \7T

The following reduction rnle is added

and the followillg type lIlfl'relltC mks

(Eform) r r.A ~l 1,.1 ArB '~2

r f- lETA D) :: /I~

r r (l~L!.~~t.£k= oj r r (L.rA B) $

r f- inr; .. A B a b ;; (Eor A. B)

r f.- f •• (fIT A. [J ---> C) r r (~.IA B) $ r f- C s r f- v f (EflA B) ---> C

o The> l'liminal.lon rnl(' 1'0[' l:-typ('~ (;\.ll be' g(,llcralis('d in the ~lI.n)(' dirpdiollf; fl.,'; 11](' onl' for

+-types .. One possillllity is lu allo\'> Illl' li\[lgt' of 'V f to bl:' of allotb~'r ~()rt tllllll lti, dOlJlain

Anot.hct is 10 allow \l! In IJi\~l' i\ (icP('Jldl'llt typc The most lih('ral j~1illlinilt lOll rulc fOl" I:-types., l(Hnbillillg thi.'~(' I.wo p()M~ibjlit.il'~, i~

r,x::A,!J •• Bf-c C[z =InE~.ARxYI rf-d .. (l:.:rA l:l) 1,:: (b. A Elf-e s r r ((. where (in x y) = d) Glz = di

With thi~ elimjnation rlll~' tbl:! Y:-typp>, h~'( om!' ~o-(alkd .~tf(mq S-types, as used in Martill­L6['a type theorieo TIl(' E-I.ypp o> ill ddilliliOll 4 G wilh Ihe eliminat.ion ruli;' (;,el'im) an' known M 1Ve(l,k E-type~ .. Tnh!l,blt!!.nh of fi htr(lllg :f:-t) pI' (Ex' A HI arc pairs (a, b) with (l A

4 .. 1 EXTENDING PTSs WITH +, x AND ~ 65

and b'.'. 81:$ ::"" a] for which we do have dlrl:'ct access to the two components a and b .. Using the inference rule above it (s p08Sible to define functions

71"1 (ExA B) -0 A

71"2 (nz{ExA.. B) B[x:= 1qzD

such that

:rt1(lOl:.o;A B a b) [».fl a

1l"2(inl:rA B a. b) f;;i>,:l b

(i)

(il)

Thif; means that the strong: sums (Ex::A. B) with :i: f FV(B), is just a product type A x B" So strong sums can be ~een as a generalisation of cartesian prod\lcts ..

4 7 REMAiUC EV~ll with the "weak" eliminl!.t1on rule rule (I:elim) given in definition 1 .. 6, it is possible to define th!' projections 1[1 and 11"2 for certain (:E:2;::A B) .. A function 71"( satisfying (1) js definable if ('Ex A B) is formed using a fuJE' (81,82) E Rl: with SI = 82, namely as \7(..\xA.. ..\yJJ. .• ) A function 71"2 satisfying (il) IS defina.ble \Ising (Belim) if x if. FV(8), namely as \7('\x:A >.yE.. y) So, if t.hl' wfak sum (B.x A B) is formed using a rule (s, s) E Rl: and x i' FV(B), then it is Just a cartebiall plod 11ft. type A x B 0

4-1.4 Labelled Products

T.abelled prodlld.S ale gcncI"alisatlons of t hl" (:alh~~illli prOdlltl. types A x B introduced earlier.. They will be used as record types in the programming language., We have to introduce a (::olkttion of labels, and two very slmpJ~ jlldgl;!m(>ut~ involving labels;

4 .. 8 DIi:~ INI,!'ION,

1, ;: is the set of all htlwl!; Wr ,\~Sllllle 0,1,2, E ;:

2 For judgements of the form (iI, ,ill} 01llbd and I : (.II, "., In), where 1,11,12 , .. E {. W~ have t hI) follow'ing infclf'nrf rules

II, "., I" E ;: and 1!.1Il. dl"t.inrt (ll, .. ,/TI ) :: Dr"bd

o

Because 0,1, 2, .. E [, w~ will hI' fl.ble 10 fonsider unlabelled product~ fLS special cases of labelled one" .. Bewarc th,lt t,h(' l!Lbel" 0,1,2 ,and the natural O\unb(:rs used as data in thE' programming ll!.nguage lUI:' Hot. thr ~allll' ,\lld bf'IOllg to different syntactIc catcgodes ..

Labelled product types are of tho ((Inn n(II::Al,.. ,i" An}" Theil' inhabitants ate terms of the form (II 1-* aI, .. ,Itl >-+ an) Tlwi;~" !.i'rlnS !Ll'e essentially mappings from ll:l-bds to terms" 1'hc formation of labelled produd.", b (.(lllt.rolh'd hy tit,. "amc set of rules as the cartesian prodl1cts So the type nUl AI, .. ,In:A,,) rau IH' formed if all the At inhabit the ",arM Same

66 CHAPTER 4 SIMPLE EXTENSIONS

sort s E RX AHhough thaI, labdkd prOdU(tl; ar!) written u~iug "II", Wl~ wil! SLll! refer to them as x-typ(.)~, !Lud rl:!wrW thl' uame Tl-typei:! for I,lw dep~ndtnl, produc't$ (fI.rA B) ..

Clearly t,h!' order of t.he fidds "I,::Ai" and "Ii ..... (L[" iu trrm~ nU]::A], ,in::An) and {1] ..... (H, .... , En ...... an) ii:! ]rrelevant.. TermB that are equal up to permutation!; of firlds art' idI'IIt.ified, in the Jjil,me way !l.J; term8 that an' equal up to renil,ming M houud variables are identified

We will also allow the empty product type I10 Thia type la a type with only oue inhab­itaul" uamely th~ empty fTl<lpping 0 from labeh to t~rrmj .. This typ~ requircs ,;omc special attentioIl .. For ~vl'ry ,~ E RX t.here Ii; an empl,y produ('1, no .. So if there is more than one s in RX, these types no and thf'ir iuhabil.allt,s () have to get a subscript s to distinguish them .. Otherwise we lose the property that the type of a term is unique up to converl:lion AB far a..8 the syntax is ('ol1('erned, we do not gain anything by using th~ l~mpty prodllC't type no as the unit, I.ype .. SplX.ial type ir)fH~!IHf:' J\ll!.!Jj havl.' 10 h(' gIVl'U for the empty pr'oduct because it,s introduction and formation 'Ill!:! d,) Hot hav(' any prrIIlis~f's .. Bllt as fat' as the semantics is ('()rH'~rIlI!d, t.hl:' ~Tllpl.y product cau h~' t.n'(l.ti'd as any ollur product

4 9 DEFINITION (Ext.cnsion of (D)PTS with x-typcs) The extension of a (D)PTS wil.1I lah!'!l!'d plodl!!'t t.>P('~ .- or simply x"tyP(~S for ~hort -- is spcdfica by ,L ,:;I't, of rnll',; RX ~ S The set of pseud()t.~'rr[]!; i~ t'xt.f:'nd~'d !I.-.~ follow"

T .. = .... I Tl(C::T,.. ,C::T) I (C ,-, T, ,c ,-.... T) ITt, Ino. I n.

The following reductioll rule is iLddcd

(l] 1-. If], .. , I"~ ' ., (1,,)1, ~i'I (t,

and the followir)S type iuf~r('l\( i' r\1ll~~

(xform)

(x intro)

(xelim)

(I10form)

(1 1, .. ,1,,)"Otil&.t rf-A, sfol"!=O 11.

r f- I1(II::AI, ,inA,,) ~

rf-a. A,fon=O .. f1 rl~n(ll::Al, .. ,i,,·A,,) r I- (l] ...... (Lj, ,I" ...... ';;:;;) n(l]A], I" A,,)

r f- b I1(IJAJ, "I" A'l) I, (l 'l""M'~' In} r I- /!..I; A,

~ f- no. .~

f f- nn., s , I- O. ··no.

If .~ E W' and n of 0

o The rules (xform), (xmtro) and (xeliml arc similar to tht' origin",] PTS ntlr~ {ill" formation,

introduction aud f'liIlliuitliou of acpl'IHkll! »todnct.s (I1J' A.. B) Havillg A E RX 'iLl! b('· seen as having (C1 labd , ~) E R"

Th~ TI-rt<ludi(lIl ruil' for litbdkd pl()du("l~ I';

4 .. 1. EXTENDING PTSs WITH +, )( AND r: 67

Note that that tills rule depends on the type of a. This is another reason to exclude 1)­

reduction For all the type systems in t.his thesis, the typing relation depends on the reduction relation (namely in the conversion nIle (~conv)), but the reduction relation does not depend on the typing relation Including t.he 'r/-tule above would mean that the reduction relation in turn depl~nds on the typing relation, so that the reduction relation can no longer be defined before the typing relation is defined

For the empty product, the direction of the 1J-rule above does riot make senae. It has to be reversed::

(L 1>,) (} if a I10·

In fact, for the '11-tules there is not a natural direction as there is for all the B·rulea ..

Because we aJiSUrrH' all the natural llumbt'rs ,Ire labels, unlabelleri products can be treatoo as a special ca.<;c of labelled producto

4 . .10 NOTATION (Unlabelled n-ary pro(\llcts) For termS AI, .. .. , AT! and a(,.. ,(I,,, we write Al )( x An for the n-ary POOd\ltt type D(1::A I , . . ,It::A,,), and (Ill, . ,(Ill) for the n-!.upl(' (10-4 (Ij,. ,n.-. att ) D

Note that thl! rcdllctlOn and iufen'wf rults for II{l A,2:11} arC indeed exactly the ones given for A x B earlier.. So t.he e>xt('nsio)) wit.h x-type given in dennition 4 .. 9 subsumes th~ one given in defilllt.ioll 4 .. 3.

4.1.5 Labelled Sums

LiLb('lled sum types, generahsH,t.io!l~ of the disjoint ':fum types A + B discussed earlier, are of t.ht' form I:(IIAI"" ,i,,::An ) Tilt' inhabitants of ~(ll AI, . ,1,~;Atl) are essentially pairs (t;,a,) with a, of type Ai· Tilt' fMmation of labelled sumS is controlled by the same set of tules R+ !\3 the di~j()illt. sum types

The inlrodtlction rule for labdl~'d ~ltrn types is

As for the disjoint. slim, the s\lb~rrlpt of In~aIAl' ln An)/! is n('ceSSMy for type inference A possible way of avoiding these> sllh~cript~ w()\llcl be to allow som(' form of subtyping. The type I:(l;A,} would then br a ~ubtype of I:(I) At,· ., i"A,,}, so for at :: A. the t.erm (in.1. a.) would have type L:(I • ..A,) and a!~O tit!' snpertype ~(lI::AI,. ,[,,'An ) Subtyping will not be treated in this thesis.

The injectioll in;COI,Al I.A. I I, (/ could bl' typ('d \\ lthoU!. its arg\lm(!nt /1., namely as

Dr I:v(>n without the> projertioll Ii, 1l,llll('h ~\S

68 CHAPTER 4 SIMPLE EXTENSIONS

Of course this is only possible jf the8e tYP('8 can be formed ..

As for the \lIllahelled binary sums, different ways to write the elimination priudple exist One possibility III a clIse"expression of the form (case d of inll XI f-t CI I. I in .. l" X" f-t c,,) with the type inference rul!'

F t- d :; LOIA I , ,i,,:A,,) r, x,:Ai I- c, : C for ~ "" 0 n r f- (case d of In 11 x( f-t CI I " .. , I in,.[" x" f-+ C,,) :: C

and the reduction rules

(,a5e (inl:\iJ.A1 ,lnA~) I, a,l of In II ,XI t-t CI I lin I" X,) t-t c,,) [:>;:1 c"x, ::= ad (C;l5e c of in .. ll XI f-+ inE(c j AI> ,10,1",1/" ,XI I I in.,l" x'" t-t inr:l1, A" 1.04.,)" x,,) [>'1 c

We will 1l~(l a g['Il!'rll.lhll.tion of 7., with th~ lI)feren('e r\1le

r r I" ll{ll A] • I' C, .. ,l"::A,, -.... C} r r 2:(/l A], ,in:A,,}:: s r r C:: ~

r!- \l i ~{lj A j , ,1,,::A,,} ----I C

So, a.s for the unlabelled binary disjoint sum~, only elimination~ when' tIte tyW' of th~' rang~~ C is the !jarne!\1:l the type of domain E(l] AI, .. ,l'l::An ) are allowed

The a·reduction rules for V i~

Vb (In):(11 AI.. I" A,,)..i, 11) l>,B II, l, (1

The ?J"rule is easiest to (,Xp['CSIo III l.('rm~ or 'inril l Al i. II,.,)

To compare the inff'IenCC rule for V with tit0 one for case, note that if r, XI A, f- c, c., then r f- (AXiA .. Ci) A. ---T Co and th('n

Fr(II,.......(Ax] .. Aj .. q), .. ,1" ........ p,.I"I1::AlI (,,)) II(l'l::A] · .. ·,C, .... ,l,,::A,,----IC) ,.

The term (case d of mil t"] ,....... (j I .. lin l".r" ,......, t,,) (all b~ express0d in terms of \1" namE"ly as 7{/1 H (AXI A] etl., {" t-t (A.t'" .A" (,,)) ri 'This term has til(' COHo:>ct r('duction hl'­haviour:

VUI"""" I], ,I" ........ jll) (H1~(/,AI /,.,.A..,) Ii ai ~{i ~lt t-t fl' ,I" t-t in) I, a C'-fj I, (l.

Llk~· the empty product type flO the empty surn type :EO n'quin'~ !;Ollll' Ixtl"il il! U~IlLion

The empty 5um type L:O is an o:>mpt.y t.yp(', fol' whkh tiWf(' H 110 liltl"odlllt.lOll ml[' !o ("(jIl~!I1l('t Inhabitants" For every $ E R I there is an empty sum L:O Like no, these get a ollbbCrlpl.. S to distinguish thrtn .. To prr~('['V'1' 1I1l1(1I.;\" of typl'!; mote' ha!; !.O be' don(' Instantiating the elimination rule above for thf' Imply !;lllll pmdll("e~

r r j no r f- 2::0 s r f- C ~ r 1- \l I E () ..... ('

ThiS rn~<lll~ that for any f II(J the h:!'m \l f uln hav(' rnany tYIW~, 11[,( 8U~[' Its 1";utg0 ('atl be allY typl-! C ~ .. To pre~('!'vc ulliq\\(,ll(,!:\~ of type~, t.he uUlg~ of V'I is wr:d 11'11 itM il MlIbS(~l"lpl

So the elimination rule for empty sums ho:>comes

r f- i nil. r f- EO. s r f- C •• ~

rl-\lk··E() ...... C

4,,1. EXTENDING PTSs WITH +, x AND ~ 69

4,,11 DEFINITION (Extension of (D)PTS with +-typea).. The extensiOn of a (DWlS with l",beLled sum types - or sirnply +·types for ahort - is specified by a set of rules R+ <;;;; S. The set of pseudoterms is extended as follows

T ; = ... I E(C:T, ,1>T) IlnE(CT .(,T) TTl \7T I \7T T I EO.

The following red uction rule is added

\7h (injCcltAl ..l"A~)·.I; a) I>Jj h .. l, (L

and the following type inference rules

( +form)

(+intro)

(+elim)

(EOform)

r t- :E{II·A 1, ,LA,,) s

r f- (h :: Ai r t- :EO I ::A l , .. ,InA,,) :: s rf-inBil.iI! l"k,)..!i ().; ~(IIAl,·· .. ,ln A ,,}

r t-! nUl Al ---> C, .... ,l"A" ---. C) r t- ~(l1 AI> .. .. ,["An) :: ,,9

rt-c:;S

~t-:EO.:;s

r t- f . I10~ r f- :l:{). :: ,,9 r f- C : 8

r t- '9 fe; :E()~ ---> C

if s E R+ and It # 0

D For labelled sums the notation using case seemS mOn' natural than the one using \1. The

notation using \7 - or rather 1 h(' infix '7 - is \If-du] for unlabelled 6umS::

4 .. 12 NOTATION (Unlabelled n-ary sums) For terms AI • .. ,A .. , /I, .... , In we write AI + and 117 ... <gin for \7(1 .... h,·· ,n I-' J,,) ..

+ A" for the n·ary ourn E{l::A 1, ..... , n::An } ,

o

Note that the reduction and inference rules for r:(l A,2··B) are indeed exactly the ones Kivell for A + B earlier So the extension with +·type", given in definition 411 S\lbsllmes the one given in definition 44..

4.1.6 Properties of (D)PTSs extended with +, x and E

Extending a PTS Or DPTS with +, x and r: preserves all the pwpf'r1.ies of arbitrary PTSs ot" DPTSs listed in thapter 2 For the reduttion relation the property of Church-Rosser is P(eoerwd

4 .. 13 LEMMA.. !3-reductiol1 to> ClmrclJ-Rosser

PIWOr' .. This can b~ pr(}V(~d by t.hl~ usual Tait-Martin-LOf method. Another way is to use the theory of Combinatory RN!ud.JOn Systems (CRSo) and verify that [>5 i!:> an orthogonal CRS (~ee IKOR93]) 0

70 CHAPTER 4, SIMPLE EXTENSIONS

4 .. 14 LEMMA do-reduction is Cll1lrch-R()!;~('r

PROOF .. This call be proV(>d in exattly the same way as in lemma 226, Le, using the fact that 1>(1 is CR and the faft that Ii-normal forms exist.. 0

All other properties of PTSl'; and DPTSl'; in cha.pt.er 2 a.n> pr(lVi~d by ilHhutioll On t.ypf' derivations or by induct.ion On thr st.mdmt of termS Exhmding thel:iE:' induct.iOll proo£~ tor the new inference rules a.nd new lCrlll-cons!.['lltlions is tomplt't,f'ly l';t["a.igh!.forw~lrd .. We jllst liat the ma.in properties

415 LeMMA (Correctness of Types) For all (D)PTS~ with +, )( and L: if r f- a :: A then A E S or r f- A s for som€' s E S D

4 16 L£MMA (SRi1 Suh}~( t Red\H tiOl)

For all PTSs \\itb +, x illld :E:: d r 1 ,) J] and b D-ill/ tliell rill' .. 11 0

117 LEMMA (UT (J Uniqucness of Types) For all functional PTSs with +, x a.nd L if r r h :: B a.nd r f- Ii .. B' th(,ll B ::::',1 Bi 0

4 18 LEMMA (SR,Bb SuhjNt. Ih·du( t.ion) For all DPTSs with 1-, x and r: if r ~- b :: IJ alld r I !J D-i5bli' thCll r 1- // :: lJ.. 0

4 .. 19 LICMMA (UT 03J lJniq\l('ll(>~s of Type5) For all functional DPTSs with +, x and ~ if r f- b:: Band r f- b fl' thel! r 1 n =::::'1'16 n' o

4 .. 20 TmwREM (Elimination of dE"fiuit.ions) For all spt6fi(i!.tion~ S if r f-AS~ (J A t.I,(·n hnf(T) f-;.,s hnfl ((1,) hnfr(A) o

4-2 EXTENSION OF THE PROGRAMMING LANGUAGE

4.2 Extension of the Programming Language

The programming langllage .\w~ is extended to provide with more da.tatypes as primitiv~s

4 .. 21 DEFINITION >'w;(6) is the (D)PTS with + , x and E specified by

S h., D.}

A {* •.. Os}

Rn {(O., D.), (0., >1<.), (*s, *~)} Rl: ;;;;;; {(D~I*')}

RX "" R+ ;;;;;; {>I<.}

o The new datatypes that can b~! f[)nuCd using RX = {*.} arC unlabelled product types

of the form 0'1 X x 0"", inhahittd by progrltms of th(' form (MI ,. .., Mn ), and labelled products types - or record tYJlc.~ - of the form TIUI(TI, .... , l,,;()'j\}, inhabited by programs of the form (II f-+ Ml, ,/" 0-0 M,,) The ~mpt.y prMhlt1. no., provides a datatype with jl1H

one inhabitant, for whidl Wf' illtrodnc~ a ll)or(, Suggestive name

4 .. 22 DEfINITION (Unit Type) .. The data-type Unit and its lIlhabita.nt unit are defined by !.hc following context rUNIT,

Unit "" no.. *. I

Unit 0.. Unit

o The n(!w datMypes that tan he fOl·mcd using R+ '" {*.} are unlabelled ~llm types of

the form "'I + . + O"'l and lahcllcd sum typeD also known as vanant tY]J~/; - of the forIn E(tIO"I, .. I 1>\:O"tl)·· The ~rnpt.y sum gives us an empty datatype ..

4 .. 23 DF::FTNTTTON (Empty Typ(') .. Th~ {I;t!.a.t)p~ Empty is defiIli'<l by the followlng (;OIltext rF;YI'TY

Empty"" EO :: *~ o

Using the empty product tyP(> Unit i~l!d +-typcs, It two-el~ment t.ype of booleans ca.n be constructed·

4 24 DEFINITION (DookiLl!!\) The> dlttatyp~ bool a.nd its element8 true alld false are defint>d by the following context Tu()(n

bool Unit + Unit :: *. , true inUml+U'llt 1 un·it:: bool ,

false - inu'HHU"il 2 unit .. bool ,

jf Afi* •.. '\b::booL Ax, y:O' .. 7(Au::Unit. x, ),~t Unit y) b

n(~* •.. bool --t (\ --+ 0' ---> 0'

For programs b:: bool, Ml 'f and M2 T w!.' wntt' (If b then M, else M2 ) for (If T Ml M2 b) Note that t he type pitramC't.N ,. is omitt.ed It. not difficult to see that dus missing pa.ra.meter call be recollstruct~d (it i>; tht' type of Ml and M2 ).. 0

72 CHAPTER 4. SIMPLE EXTENSIONS

The term (If /; then M J else M 2 ) reduces M expected

r UN /T , rllOOr f­

rUN'IT, rllocn f-

if true then aj else a2 r>>'M at if false then at else u. t»;.M U.

We will a.Iways t\S8ume that rBOOL, TUNFI and FJ:;'MJ'TY are part of the (ont,ext.

The new datatypes that can be forrn('d Ilsing RE "" {(D., ",.,l) are of the form (Eo: P( o} The~e datatypes are the types of programs of I,he form (inl:;" 0( " TN), SlIdl pn~gra.rns q,n be Ilnderst(jod ~ a pairs (r, N) consisting of a datatype-(onstrutLor T and a program N of I.ype 0"[0: ;;;;; 1'J E-typc>s (all b~' UJ:lf.'d as abstract datatypes For a thorough explanation of this we refer to [MP84] .. Two tx,trnplf!s are givf.'n below

4 .. 25 EXAMPLE,. We consider a simple ab~1 rad (bl.at.)' pc, fM li~l.s of bookans .. An ;lbst.raft. datatype consists of a datatype and a to]]etLion of op('rMion~ On it TlwJ:)i" op('r;ltlOfls pT()vuk thl) only way to manipulate inhabitants of that datatype" For an absttaft dal.al.ypt' of boolean list.s we want a datatype booll!~t with thi\ following op('ratioll~

(;'mpty

(()n~

hNUi hit

/)()()1l18t,

bool --4 b()ollh~t --4 booll1sl, booths! --4 bool, /)()()lkd --4 booih~1

Thc~c 4 opcrat.lOns Ul.ll h~' ]1l"ovJded by a single pl"op'am of the following record typo:>

IJ{ empty

head booll!M, um~

boolhst ---. bool, lad bool ,. IIOO!l~,~t ". /)()()lil~t,

b()oil~,~t ".,. b()()iI~st

This record type gives tIll"' sigtlal.lII(' of !til ,tbJ:)tmt(. d(l.t,at.yp~' of boolNl.n h~t,;" For il.ll IIllpli'­mentation of this abstract datatypc we h!1v(' t.o (hOOSt' ;1 p'lrt.icular d'Lt,tl.yW b()olll~t lInd a program of thE:' t.ype above implementmg the operations on boolcall~ IJ"ts jll ,L p]"ogram M that USE'1l thi~ abstract dat.atype we simply assume the existence uf a dalalypc baal/!oSt and a progrlllIl of t,IH~ typt.> ii,hovp .. For tbis L:>t y pes can be tlsed The dMatype-C'onstrllctor F as follow!';

F == )"boolhst.*$ IJ( empty

hffLd b()oih,~t n ,. bool, tm,/

bool -,. b()olh~1 -, In;oih,~t, b()olh~1 --4 bo()ilz.~t

ThiS F gives the signature of Olll" ahsl.rafl. d!tull.ypr ·The t) PC'

ADT = (LlioolltM * ... F b()olh.~t) *.

('an now 8erVe as the type of [IJlpl()nl('nt,<1I.J(jJJ~ of t.he ,L!JslriltL d<LI.M,t p( of bOOh'iLll h~t." For an implement.at,ion of this abstr"a<:'t dat.i"l.tVpc ·we hIL~C 10 rhoos(' a dM!llype 7 alld a program of type FT The inha.bitant.s of r then lepresent lists of booleans, and tit.: program of type Fr provl(k~ thE' jlllpl(~m~\1tii,ti()HS of t!J(' operat.ions on t.hese (l"'epr('~('nta([olls of) list.s The introduction tull' fnr t,hp d'l.t'l.t,ype ADT l~

(L::lntro) r r- T ::~. r r- /Ii F T

r f- (inAD7 'T N) ADT

4 2 EXTENSION OF THE PROGRAMMING LANGUAGE 73

So, an inhabitant of ADT - i,e .. an implementation of the abstract datatype of boolean lists - can be built using a datatype 7 and a program N of type Fr., Of course, there is nO guara.ntee that this is indeed a cMrect implementation of lists, e .. g- it may well be the case that (N.cons b I) 1».116 Z .. Later, in examples 4..43 and 445, specifications for ADT will be giv(>n

To make a program USing t.he abstract. data.t,ype of boolean lists, we simply assume the existence of a type boo/list :: ~. and a program ;J;' of type (F booilis!) providing the operations on it.. For example, suppo",e p is a ctatatype and

r, boo/list *., x .. F boo/hst f- M :: (J

Hrrc the program M Carl make use of the operations x,.empty, :t: .. oons, x"hrod and x .. ta~l on the type boo/list .. Theil by the eliminatl(lIl rille for the type ADT, the rule (Eelim),

r I- '7(Au.oolhst;:" .... )"~·' .. F boolit,~t 1'11):: ADT ---> p

The program V(Aboo/hst*, .. A:I"ji' booiltst M) take~ il.n implementatioll of the abstract data­type of boolean list.s as an argulTl!'llt, fot" example the Olli' defined above::

ThiS program 6·red\l(:e~ 1,0 M[boo/hst ::= Til. ::= N] .. The crucial point is that in the "main" program M the variables 11O()lk~t and x are visihh~, but not the bhldings to l' and N In other words, the interface of th~ ahsl,!<"LC't datatype iM visible in M I but the implementation is llOt

When ~"types are usrd ill this way, tlwl'l illlplementations of ahst,ract datatypes become first-class citi~enJ; 111 the [.)Iogramming liLllgllage, i c .. they !;an be manipulated just like any other data Or progt'·am.. For 1l1~tanC'c, they can be pa~sed as parameters, and the choice betw~en differcnt. implem('ntal,lOll~ (at) t.hen be mad~~ at dut"ing the exe' ulion of a program o

426 NOT,i\T10N We writ~ (abstype nJl{ with xo- 15!111J1 Ln M) for \l(>'aD< .. AX,.(1,. M) ~mp .. o

So thi' program given at. thi' I'nd of the examplE.' a.bovc is written as

(3bstypt! /x}()JhM ". wlthxF b()Ollt~t IS (iOADT 7" N) in 1'11)

With this notation thl' interface of the a.bSt.la{'t datatyp~ and the implementation are no longer separated by I.IL!' main program M ..

)"w; docs not. only provide tht ahstraC't datatypes, huI, also abstract datalypc-constructor~

4 .. 27 EXAMPLE, An abstTMt datatYPC-COllstructor ("om:;ists of a datatyp(>-tonstructor and Ii collection of operatiolL~ nil thc dataty])('s that tall be built with iI, As an example we consider an abstrad. daUltypc-const.rud.or for huilding lists over any datatype., It comprises a datatype-constructnr h~t ". ---> *'" and op(,[<ltions for manipula.ting inhabitants of the datatypes (hst 0-)., fN all datatYPl'S 1)'" I f3

74 CHAPTER 4 SIMPLE EXTENSIONS

TheHE:! opE:'rations can be provided by it single program of typE:'

IT{ empty head

n(~~" .. h.~t (~,

nf.\:~ ... IMt (~ -4 0',

01", alternatively, by a program of t} PI'

cons tatl

fIo,::>I<. n{ empty lw:zd

h~t a, cons list Q ---t 0:, tail

ITa;;*. a ---; lIst Ct ---> k~t 0,

ITo::* 8 /tst a ---> /tst 0; } ,

Cl ---t 1!9t (~ ---t h8/ (), hst 0; ---t last 0;

WE:' choose the second {lption, 8,nd define a datatype-constructot F as follows

F .\/lst::>I< • ...., "'. nn*, .. D( empty head

The dMi1type

con~

tat!

ADT = (r: It.~t *, -4 *. F list) '".

I< ---t IHt () _ h9t (~,

Itst Q ---t I!st ();

is then the type of implcmfntatlolls of ,In i:lbslI<ld datatype-Collbtrudor tor maklng-lists Its inhabitants are of th(' fom! (InA[)7 TN), wit.h T .. *. ---; *. and N:: Fr .. If

l,h~~n in thE:! program !vi tl1(' opNat!OllS

.1 CI e"lpiV

.. r a .. cons I (T .. h(·rui

d. (T .. /a,1i

can be llsed, for all d1l.t1l.tYlwH 0" ..

Pl"opcrties of Au): and :\w) ~

1"1.\/ a a ---t hst (1 ---t hst 0

IMt (T -4 a IMt (T-.... li8t (T

D

As for th~' oyotem wlthout + , x and L, the cOllt~xt-fr(,f ~yntax of lli(' p~(,IJ(I()I.(Tm~ can be rdlned., dbtlngl1i~hing th(' ctlffN('nt I('~('l~ ::

4 .. 28 DF:l"lNlTION .. For :\w:, the sN~ of p~~lIdO!('nn~ Cons ami Prog ddl[H~d J[J ddllllt.io[J 3 .. 2 a.n> extended l:\8 follows;:

Cons

Prog

I Cons x.. X Cons I n(l:Cons,

I Cons + 1- Cons I L:(£ Cons,

I p:Varo• Kind Cons)

I {Frog, ,Prog) I V:' ,...... Prog,

.. ,£ Cons) I no., ,C .. Cons) I "'SO.,

,t, ,...... Prog) I 0., I Prog C

Imeons £ Cons I 7Prog I VProgCons

IlnCons Cons Prog

D

4 .. 2" EXTENSION OF THE PIWGRAMMINC LANGUAGE 75

The set Kind containing the kinds ie not affected by the new type-constructors.. The dependencies between KInd, Cons and Prog do not change: Cons still only d~pcnds on Kind, and Prog depends on Cons and Kind.. As for .\w., the kinds, dat.a.type-constructors and pl"ograms are elemcnts of Kind, Cons and Prog, respcctively::

429 L£MMA (Classificat.ion for AWn

L If r f- U( ;; 0. then ll( E Kind.

2 If r f- a .; U( D. then a E Cons

3 .. If r f- M :: (7 ;; *$ then M E Prog ..

PROOF In exact.\y the same way M lemma 3 5 o

The usual Ilncodings of + , x and E in .\w. Ciln bc used to show that the extension of .\w$ and ),.W.6 with +, x alld l:: pr'cscrv(~ t.h~ property of strong normalisatioJl;;

PROOF .. This follQw~ fl·om the fat.t t.hat "\...,.(b) is SNtJ(~), bccause there (exists a mapping !-I willch maps reductiou S!.'qucnccs in AW-; W\ t.o longer reduct. ion sequences ill ..\!.<.I'(6) This map­ping translates +-, x- ann L:-type~ to t.heir usnal encudiugs, which were given in definition .111 as en(;odings of V I A and :3 N-ary productJ:; and sums can be treated as repeated binary oneS, Le h x (72 X .... x ani"" 10-1 X (0"2 x ( .... X a,,))I .. Labelled prodncts can bl;' tn'ated as unla­belled ones. We aosunW ~omc ol"derillg Ull tlte sct of labf:'b to fix a unique order of the fields, alld thcn simply forg!'!. about the Jab!'\,; 0

76 CHAPTER·~ SIMPLE EXTENS[()NS

4.3 Extension of the Programming Logic

Extending >.wp with +, x and L ill thc salllC way a.<; >.W. prodHCc~ the following system >.w:

431 DEFtN!'] ION >.w+( is thc (D)PTS with +- , x and L specified bY' p .~!

S {*tl, old A {*p Dr}

RlI ::::; {(Op, Op), (Op, >!<p), ("p, "p)} RI: {(Op, ~p)}

R"""R+ "" {*p}

o In this system cartc"ian produ!'I.S all' iut('['prft,ed ai; conjnn<'tions, disjoint snm~ as disjune,

tions, and dependent sums as cxist~ntial qnalltit'ic.ations In )"wp we wrot~ 'if for n, jf) AW; we now also write 1\ for x, V for + and 3 fOl L .. The new propositions thllt ('",n b(' fonnl:'d aTI:' conjunctions PI 1\ , .. 1\ p", and disjtllH'tions PI v.. V p,~ I and higher order exist('ntJal quan­tifications (3P::1P .. Q) Thet''(' is no t'f!!.l tl('ed for the labelled c.onjnnctions V'{lJ PI, ,1,.Fn )

and labdlcd disjun(tlon~ 3(11 Pl" .. , 111::P11)" In tl1(, progr!lIllIllLug language labclled products MId SumS are nel:'ded for more readable prograrn~ .. II) th(' logi!', OU tll!' othfr hand, wc arc nOt. n:ally cou('ernl:'d with the readability of proof tennj;; IT)d('.·~:d, for t.h!' logi!' t.herc i>; no t"cal lleed t.o have v, " and 3 as prilllitlves, be(,am~' for tbe encodin!;1-\ giwn in d!'nllitlOll 3 . .11 all tht n'qnir~d propmtlfs (lUI 1w provl'd

Illst~'H.d of ddining propositioll!' True alld False III t('nn!; of higher 01"(1('[ qliaLltification as in definitioLl 3 .. 11, theY' f,tu ll'W .. i\bo he ddlucd ~I$ UH' cmpty conjunction and di~jnnction :.

4 .. 32 DI",FINI rH)N (True ;~Jld F~lse) The (llllt('xt ddillilli\ !.Ill pl()p()sition~ True and False l~

True ,,-,VO. r *1"

False = 30., *t'

Then for True and False we h/\,ve the following iufpn')I('~~ rulp~

(Tru~ 'intro)

(F~lse ehm)

/ r 0.. True

r f- ]I :: True r 1- l' *p

Tf--V))p False ---t P

u

Thl:' extension of ),,"'-'1., with +, x and I:, (olltJl,l1"Iillg hoth AW; iLlld >.w:, is lh(' following

~y~tern Awl

4 .. 33 DEFtN!lWN >''''''7\61 i~ lh(' (D)PTS with + , x and L ~p('dtH'd by

S {~.,D. *l.,D p }

A -'- 1*, 0" *1' 01'1

4.,3, EXTENSION OF THE PROGRAMMING LOGIC 77

R[J "" { (C1.,0.), (C1 .. ~.), (~$' *~),

(0 .. 0",), (*$, Dp), (D., ~))), (,.", "p),

RE ;;: (0$, *.),

(O"lI<p), (1I<.,lI<p),

R"",R+ -- {*.,~))}

(Clp , 0",), (0"" ~!)), (*p, It. p) }

CI "fhe specification of Awt consists of those of Awi and >.w:, with four more rules for

I1"types and two mOrC' I"ules for Z-tyP(~~" ThC' ndcs in RE are t.ho~(' of >,wi and .:\ow;, plus (0., *",) and (*., *p) .. These two rules enl!.bl(' eXIstential quantificatiotl, over kinds D( and over datatypcs {f, Le (3.1: .. 17 P) and (30: JT" P) .. Th(! rules added for IT-types but not for !::-types are (0$' Op) and (,..., op) There do('~ not, seem to be any Hoe for r:-types formed using these rules, nor fl.ny intuitive interpr~tA.tloll of t.hem

The conte:lCt-frcc syntax given ill ddinition 4.,28 for >.w; can be extended to the whole of >.wt

4,.34 DEfINITION For >....,t, the MIs of p~eudoterms PCons a.nd Proof defined in definition 3,2 are extended M follows

peons I PCons 1\ .. A PConsl v(lPCons, .. , CpeonS)

I PCons V V peons I 3(CP(ons, .. , ['Peons)

I (3Varo·X,nd .. PCons) I (3Var"'Cons PCons) I (3VarDY . .Pklnd Peons)

Proof I {proof, ,Proof) I (£ l-t Proof, .. , C. - Prod) I 0.» I Proof..£

IlnCons"[ Proof I ryProof I 'VProofpCons

I inpCons Cons Proof I 'inp(ons Prog PrOOf I inpCons peons Proof

In exactly th~ sa.rnl' W!l.) lemma 3 17 WI!.J:; ]>wycd, it can be proVl'd that::

435 LEMMA (Clas~ifi('atl(1n fot Awt)

If r f- If( 0$ Own If{ E Kind

2 If r f- (J l/{ D. t.h!;:!! 17 E Cons

3 If r r M {f *. Uti'll M E Prog

4 If r f- JP Dp UH'll II' E; Pkind

5 If r I~ P JP Dp then P E PCons

6 If r f- p :: P :: !'p then p E; ProoL

o

o

78 CHAPTER 4 SIMPLE EXTENSIONS

The !)ncoding8 of + , x and L: can be used to show that AWl and AWI~ are strongly norma.li~ing::

4 36 COROLLARY Th~ ~ySt,~IlI AWL (t) is SNr.l(6)

PROOF., As corollary 4 .. 30, no", u~lllg SN oI6 .1 (If AWl-(6l inht,+!ad of AW,p.l o

Bccau.sc t.hC'r~· ;tre no rule8 of the form I-I)' -A) in Rn or RI:) Awt is a conservatlve ext~n810n of AW;

4,,37 THEOREM (Con>;C'rvat.ivity of Awi O\l{!r AWn Suppose r j- (L A in Awl and a 18 a program, datatype-coH8tructor or a kmd (i e a E Prog u Cons U Kind)

Then r D,., f- a A in AW.t

Pnool' Induction on the derivation of r r- It .. A D

4 .. 38 DltlClltl~[ON .. WI:' now di~(,\l~tl po~~ible gell(,l'ali~ati()us of tliE;' djmilp~ti(lr) T1d~'8 for +­type:':, and Our rC'(l.Snni; for f')(( Irldmg thcm SImilar !l;('nerahBatwH ~')(i~t~ for thl l'iir()inatiOfl fllics for S-tyW'~" Tb~'!:'E;' gt'm'l"1l,lis('d l"ul('s arc instances of the ruh'B for ~o-called inductIVe typc~ giv('J\ in [CPOO)

SUPPOM' r f·· (l + T *. TIl(' (>lilnination rule we have fOI this <htat.yp(' i~

r f- f (f ---t p r f- 1) :: 1" ---t Ii r r- Ii ~.

l'r-fvf} (T+T--->P

• Olle pcl~J;ibk, g~!npr~li8~ti()11 i~ to allow tlit, ranp;(' of J'V9 .. p in thi~ T\l11' ~hov(' to h'l.W' another LJPt' lh,LIJ ~., I'm ilJ~talli'("

(i) r r- J' IJ' --! ~I=' r r- q .. ~ ---t "I='

r 1- l''VCJ :: IJ't 'T ,,', *p

rhi:': infN(,IIf\' I\lli' ;III(lwo a p~('di( <1(.(' Oil IJ' + T to be duhncd \I~jHg a (,,;l~,-dj?tjllctioll .. Without rulE;' (1), it iB st.H1 posdbl(' to ddine It plwlicate on cr + r in terms of predicates on (r and T, fol" in~lall("C' as

(1 + .,. ---t "p

From all CXI('ll~ioll;d poiu!. of view r'vQ alld Ran' thl /;,HUi Th,· ouly ddkr("I1« i~ III

th~ir reduction behaviour The reducLlOII rule for 'V gives

u:! (PdJ)(m",+r 1 r) and Pc al"(, ("ollvNtihlc On the other hand,. R(in"'4! l .. r) and T' :;, are not ('0 ltW'I'tibl(' Iu::<t(,hd, \\if' .lust IJ,w(' ~t ploof P sl\("h t hl~t

f! n(ln"I~··1 r) = /' J

43_ EXTENSION OF THE PROGRAMMING LOGIC 79

• Another way to generalise the elimina.tion rille for +-types is to allow j7g to have a II-type, and not just an ---+-typ(>

(ii) r j- PI :: "'[1;:(1,. P (in,,+~ 1 x) r f- P2 :: VY::L P (1n"+T_2 y) r f- P , (J + T ---> *"

r f- P!"lP2 ' (Vz::u + T P x)

This rule can be used to prove prop(!["t,i~s of inhabitants of (J + T, e .. g ..

I;;fz::(J + T (:l.x:O" .. z "",,+,- in.,+T_1 1;) V (3y:::r .. z ""<"+1" In,,+r,2 y)

Instead of rule (ii), we can ~imply int.roducc an axiom

VP:(J + T ---+ *", (\1.:1;0" .. P(In.,+T.J x)) ...:. (Vyr, P(in,,+.-,2 V}) ~ (Vz:Q" + T .. P z)

AgalIl, the olllJ difference between having rule (il) a.nd having t.he axiom AX,,+r is in th~ r~dllction behaviour" The pl'oof (Pfvp2)(in.,+r 1 z) of the pt"oposition P (inH .. l x) I~-teduces to (PI x), the pl'oof {AX(r+T P PI P2 (in,,+T.J x)) of thc same proposition does not But, since we are not int~~fe~ted in the red uctioll behaviour of proofs, this difference does not matter

So the niles (i) and (ii) an' not strictly neccssary, and only rule (i) ha.s any advantages (viz .. a more powerfullnt,('llsiollal (\quality of propositions)., We exclude them for tWO reasons"

First, if these rules IH(> included, w(' (all no longer usc the fact that AC6 is 8o-strongly normalising to prove strong nOflllali.;at,I(Hl of the system,. We do not want to ha~ to pay attention to a strong nQrrnali!;ation proof here

A more fundn.mcntal rCaSOn is that in chapter 5 the programming la.nguage will be ex­tended with a fix point 0p(,l"ator Type~ will be then hE> int,E>rpreted as cpos, and the datatype ct + 1" wtll include an "undefin(>d" !demPllt .i"+T Rule (ii) is then no longer sound.. The problem with rule (i) is th~t. it. d(wl; !lot follow from the reduction rules for 'V whether the predicate P'VQ i~ t.nle or false ill .i"+T" 1'0 define a predicate on the cpo (J' + T in terms of predicates OJ) 0" and 'J", wI' now' a.l~o ha.ve t.o choose a value for the predicate in .1.,+7" (In the programming language this problem is solved by taking t.he function 179 to be strict, ie the va.luc of /''79 :: ~ + 'r ---t p in .i"+T will be .11' ) 0

As in AWL, in Awl. we want to u:;e til!;' axioms in AXIOM (definition 3,23) for classical logic a.nd (xt,f'nsionality of functions in the programming language .. To reason about the new data-types SOrrtl' addit.ional axioms arc nf'eded,

For x-types we want. axioms st.a.t.ing that pair'ing is surjective, i..e that all inhabitants of n(lp7J .. l,,"an ) arC of the fonn (II ,..... N I , " , {" !-' Nnl

Similarly, for +- and ~-t.yp('s we want axioms 8t~t.Jng t.hat all t.heir inhabitants can be constl"uctcd using (one of) the injcction(s.!

Finally, we intl"oduce an axiom stating t,hat true and false arC not equaL Using this

axiom we can prove., for any +-type, that in;Si/l'(il r"''''',ll, N; and In:r-(Cl:"l .,rn:"n),lj N j are not equal if I, '" I) To do t hi~, ctdilH' n fUll(t.iOn f ~(llo'l, .... , 1"i7"l ---t bool such that f (in It Ni ) [:»,% true and f (Inl) Nj } D->M false; thl'n by thl' ol'finition of Lcibniz' equality it follows from false t- true that

80 CHAPTER 4., SIMPLE EXTENSIONS

439 DEFINITION" AX lOM+ i':l thf:' J:if:'t of ;l.xi<)mf; containing

classic

Pb<Xd

AX"_T

AXllaJ/{ "

AXn(h:(11 1 •• '(1.,)

'fP:*p" ("P) =} P,

true 7'bod false,

'<1/,9" 0 ---."T', ('fX(f (f x) =T (gx)) =} f =" "T g,

'7/,9: (llClD< 6'),. ('fO' U< (f 0') =" (g 0;')) =} f ""!l"ue " 9,

Vl'll(ijal, ",1,,"0',,) ---. *p

('11"j;;"I,,, ,1."""0,, .. 1'(1 1 >-t :tj, "I" f-t x,,))

=} ('f.,r.nUI ··0"1,,, ",1"0",,),, P ::f),

I:IPl:(lj"(Tj,,, ,Ina,,} ---. lOp

(liT I 0") P( In .l..<I,:o, t,.,,, .. ,)11 JIl)

.=::) (V.:1.: n an J'(in~~,lpT'h li~~,(1n) lt~ Xt:a.)')

=;- ('t::r'Eal;;(Tj, ,i"IT,,} .. P x},

'1P('[,(',U": 0-) - *1'

('/(~JK '11:: (j P(in.t:<"D{ (! (t .xl) =} (>:Iz ('[',oJl\- (7) .. p z)

for all a - T, (lICl:B( 0'), fI(i j 6'1 /"0",,), (LOU": IT) E Cons o

Using axiom8 in AX IOM+ W(' nlll for lX;Llllple prove the propo~jtion~ ('t.·.·r::Empty False), (V'~ •• Uhit.. x =Un.t Unit), aud ('11." boo!.. .. ~ ""boo/ true V ,x =bool f;llse)

The fLXiomf> in AX IOM+ tan bC'sa.fely llsed in )"wi

440 LEMMA (Con8i~ten(y of A.X lOM+ III Awl) False is not provable in a ('(ll)ti~xt ((luI H.illiug nlll.> axioms from AX 10M'r

r'HOOF See ]emlllit 7 27" o

4.4 Program and Proof Development

In (:hapter 3 we gH.V~~ f'xarnpks Dr {()llpINI derwatioll rul('~ in AWl, pair,; Dr d( I'i\abl(' rules consisting of a. typ!:' iui(T('nti' 1'\1[(' and a concsponding proof ruk fill it (Nt.a.in program {onatruction AW; ()ff{"r~ mall,> JH'v. 'Aa~ s fO!" forming program" ill ;lddi! iOll 10 the' lambda abjjtract~orl and a.ppliC(ltioll ilvililabl{' ill \w,,, F'OI' thC's(' we UUj gi'o!'I.' proor I'll 1('» In accompany the type infel'ence nll('8 SOllH' ~'){,nllpli''; ill( giw bdov.

4..41 LEMMA (Coupled derivation rule for if - then - else) T'he fo11o\\ ing rules a.r(' dC'rivabl(' using axiom~ from A X lOM+

r f- b' bool r f- p * .• r f- M P Tf-N::p r r' 'if /, then MeIse N .. {I

rr-. fl •• (! ---'''p

T,p (Ii =b""l true) r-. _ R M r,p (I, =/"'''/ false) f- _ R N r f- _ .. R (If b then M el£e N)

44. PROGRAM AND PROOF DEVELOPMENT 81

(When we present such coupled derivation rules as above, it is left implicit that the premisses of th~ typ~ inference rule are also premisses of the proof rule .. Repeating all these premisses would be tedious., In this particular case, just the premiss r I- p :: It<. is needed for the proof rule to be derivable .. )

PItOOF Showing that the type inference rule (on the left) is derivable is trivial (as will be the case in the examples that follow) .. To show that the proof rule (on the right) is derivable, two axioms from AXIOM+ are needed .. Recall that bool ~6 Unit + Un'it and Unit ~6 no •. From AXil!) and AXu",t+ut<,t it follows that Vb.bool.. b ""~l true V b =Iwcl false (i) . Then

p :: ct, M, N ; p, b:: bool, R:: p ---t *p, b -bool true no> R M, b =000l false no> R N

2 b -bod true I 3 RM 1,2

4 R (if true then Meise N) 3, ({36conv)

5 R (If b thl!n Meise N) 4, b =~(>(>/ true

6 b =boot true =* R (If Ii then Meise N) 5

7 b ""kat false =* R (if b then MeIse N) analogously

8 (b -bool false V b =bo<>I false) =* R (if b then Meise N) 6,7

9 Vb E boo! Jl (If b then Meise N) 8, (i)

4..42 LI!;MMA (CO\lpkd derivation rule for case) The followillg t\lIC~ att' ([('t"lvablt' using axioms from AX 10 M+::

r I- :E(II::Q"I, ,l,,::a,,} *. r f-. p *~ r f- N E(ll-(Tl,.. ,i,,(Tn} r, 'r OJ t-- Mj :: p for ~ = 0 .... l~

r I- (case N of inhTI I-> Ml 1

r I- R:: p ---t *p r,p •• (N "'nlp'1!, ,10:1101 in..l,.:r,) f- _ R M. for t = 0 ... 11

r f- _:: R (case N of In [IX! 1-7 Mil .. Iln.1".l' .. I-> M .. )

D

Subscripts of in have been omitted here to keep things readable; It 18 clear from the context what they should be

PROOF Analogou~ 1.0 If!mrll!t 4 41, now \lsillg AXE(tl'<'l ,I.,,,..) to distinguish the cases N ""E(II'''l, I"."n) In l; N, when' Z = 1.. n 0

The> specification of an abstract datatype (~(\:;;".; c-) involves a polymorphic pfedica.te p (nu::~. a ---t I!<p) .. A~ all example we look at. t.he abstract datatype of boolean lists intro­d\lced ill CXiLtlIplt' 4,,25 ..

82 CHAPTER 4 SIMPLE EXTENSIONS

4,,43 EXAMPLE, Het;Lll th!;l.t ill example 4 .. 25 the datatype-('on~tructon' A DT and F wer!;' defined as::

F Aboolilsl::*. 1I{ empty /)()()lIt,,~t ,

(;on,,~ bool ---. b(t(}Il~~t ....... boolk~t, head boo/Jisi ---> bool,

tat! oooliis 1 ---> boolils 1 :.Io:~ ---? *tI ~ ADT "" ('Eboolhjt:*,. F boolh~t) *~

To specify the abstract datatyp~ ADT of b(}ol~;Lll h~l~ w~ ('all U~e the following polymorphic prt.'dicate P,

p AOOOUlst::*. :\'rFhooJh~t

x tall x emptJ; '"'bo"lli,~ In 2 unIt 1\ ,)::"huui ,;t i rnply =/>,,(!I In 2 unit

1\('Vbbool,U)()()li~,,~1 ,r IiHI(! ( .. OTl~ iii) ""110011 .. £ m .. ll ,I\. ""(: .. h('(~d(....(,' (on", bi) =/"'01 In,J b)

11 boolilst ::* ... F boolllsi ---+ * /'

Again, subscrlpt.s of In llfl.H' b('l'll ())lllttf'(1 lll'ri tl) kNp IILJllg;~ l ('itdilb!I"

An implementation (mAul r N) ADT of the ahstr'/ict dah1Y\H" is correct if w() ('an give

a proof of (P r N) For a program 'V( >.1100111$1 *. A -cF booilist M) ADT - p we can then

provl~ [orn~(tlleJj'" of M und~r the Msumption 1hM (P bool/isl ~'I iJ

For till" abstype-con~truC't,ion ddill~d ill <I 26 w(' call giv'(' 01(' following pn)of mk::

444 LEMMA (COllpl(~d dprivatim) nd!:' fol" ~bstype) The following rnl('s art' ([('["ivahle ll~IJI~ ilXIllJrl,,.. IHllll AX {OM+::

r f- (:En *$ 0"1 *$

r f- p *. r f- r *. r t- N () jlt = t".1

r, 0 ~."T (T I_~ .... ~..£ ___ _ r f- (abstype (,"*. with r (f IS (InL" •• , 'r N) U1 MI fI

J t- J' :: (11(~""" rr -> *1;)

r 1- II :: (! --- ~ll rl-_ PTN

r, 0 ~" .'.r ,,(7, ]! T P (~ "f f-. fl ,M ---------::c;;------:--;-::­

r f- _ R (abstype ('( *. wlth:r 0" 15 (In~> .. " (f r N) In j'lif)

can be derived, This imm('<iiatdy follows fr'om 1h(' fad t..hlt!

o

44.. PROGRAM AND PROOF DEVELOPMENT B3

The derivation rules above can be seneralised for (Lo.;/f( 0") with J[( an arbitrary kind, simply by taking P :: (TIo:::J[{ .. (T ---> *,,) The rOIl pled derivation rules for the abstype-construct can also be specialised, t.o take int.o attount a representation invariant for the abstract datatype .. As an example, we first. reconsider the specifica.tion for ADT:

4 .. 45 EXAMI'LE .. The specification given for ADT in e;-:ample 443 can be improved by requir­ing that thl're is a repl'·esentation invariant I :. booihst - Oi<p which holds for empty and is preserved by cons and tat/::

P "" .\OOoIl!st::* •... U:boolhst ---> * •.. .\zFb()ollist ..

I z .. empty 1\ x .. /a!1 x .. cmpty =bMIl,.! in .. 2 unit 1\ :.head x .. empty ;;;;/wv/ In .. 2 unit

A (Vb'bool, lbooil~st

(11) -> (x. ta!l(xcons b l) =boQ1I •• t in.l I 1\ x .. hcad(x .. cons b l} =bwI inl b A / eX' tmll) 1\ I (.~ .. con~ bl)) )

fIboolllsh. (hst ---t *,,) ---> (Fboollist ---> *J»

Compared with the specification gi~F~!) II) !:!xalllpk 443, the conditions" x .. tall(x .. cQns b 1) = 1" and "x' head(x"cons bl) = b" 1I0W ollly ha.v(' to hold fm lists I that satisfy the representation invariant I,. Now an implenwllt(l.tioll (InAD'i TN) ADT is correct if we ('an Siw an invariant / .. T ---> *v for which then' b il, plMf of V~ c' 1 N)

Recall that in section 3 43 WI! di~Cll~~!>d th(' annotation for datatype-coDstructors.. The prop-constructor P IU])1(ltat.('~ llw dal a.!,ypc--c.onsnuctor F *. ---> *, .. Note that the type of P l!; ind~ed type_of -ilft •• _., (F) p.s defined ill definition 331) Ll

For the abstype-const.ructioll !wotlI!'r proof 1'111!' (fill now be given'

4..46 LEMMA (Collpled derivation rule for abstype) The following rules are derivahl!' \l~ing axi(lIrl~ flOm AX 10 M+

r f- (L~*~ 0") *. r r- p .... . r r T .... .

r r- N :: o'l(} ::;;; 1"1 r, (~::"'., 1:: {j r M p r f- (ilb5type (~::*. with ::to is (in~"., '" ,. N) in M) , p

r f- P (IT(, *, .. (n ---> *.) -I' \0" ---. .... p)) r f- R p ---> *1'

r f- / T ---> *r rf-_ PdN r,C! *., / C\ ---t *p, .. l: a,p~ P n / x f- _~.-,-R",-,-M-,---___ ~ r r _ n (abstype ():: ..... with ..r a is (inI:(>;., " T N) in M)

PHOO!' .. Similar to lemm~ 4 44 o

Again, these derivation rl1k~ (all hI' ~/,lll'raj[~Nl t.o (Ec.::H( tr) with H{ an arbitrary kind Then we have to takc P : (nn .. H{ type _of J~ft u, \ n) --4 ((T -", Oi<p)) and / type -of -ltft ad 0:)

84 CHAPTER 4 SIMPLE EXTENSIONS

The coupled derivat.ioll rules are all ~omp()s~t~o'f!,(l.1 rule~, Le t.hey dt!duce the typ" alld the correctness of a program from the type and COrrectness of its tomponent parts.. To prove e()rn'dne~$ of pfogfams we may also want to use transformatton rules, i..e using equalities between progtams to replace (aub)progr<Lrn~ by equal one~ .. Using a.xIoms from AX IOM+ many equalities can be ded\l'f'd in Awl

447 DEf'lNITION (corn position) Comp<),.~ition fM pfOgrams is defined by the following context r~oml'o~'t.on

o ACt, /3, ~ 11<. >.g 0 ---. "t, >.fa. ---. f3 ),XCl .... 9 (f xl no, ti, 'Y*~ (fj ---> 'Y) ---> (0: ---> 6) ---> (0 ---> 1')

o will be writt~n mfix, without its three type parameters, .. So we write goj for (0 p a 'T" 9 j) .... TlWst> mbsing typl:' pararo~ter8 C!l.rl easily bl:' rI:'('onstructed (by looking at thl:! typP~ of j and g) D

It i8 not difficult to prove the tHl.l1sformation rule for distributinR; 0 over \7::

448 LEMMA .... The £ollowmg prop(~,;iti[)11 ih prov~tb!t' uliing ~tXi()lIlS frolll AX lOM+

Pnom' 1 ~1-P-I~'P-2-,~T-,a--::-*-,-,-j--P--1---->--a-,-g-::-P-2---->--q-,-,-I-::-a---->--~~ .. I 2

3

4

5

G

7 I::J

r:P1

(hQ(j7g))(In p ,+p"J 1 ,rj =T ((hof)7(hoq))(,nl'l+p~1:C) both sides ih'i·reduce

t.o II U I)

1;13; PI .. (ho(f\7J))(inp! I p~l .x) =r Uhof)\7(hog))(lnrl +1" 1 .I) 3

\;fYP2 (ho (f\7g))(in p1 +1,~2 1/) =r ((hof)\7(l/og))(lnp, + 1',2 y) ~irnJlarly

'1ZPI + (ll (ho(f7tJ)) z =T ((hof)7(hotJ)) Z 4,5, AX", !-IIZ

ho(j\7g) =PIH2-r (hof)\7(1h>g) 6, AXPI II', '''T

Many such transformation niles can be proved .... For instance, fOI the dbtribntiof) of ('()mpo­sition over (If then else)

4..49 LEMMA The follov,lng; propo~ilioIlS iLl""{' plo\abk using axioms fron! AX JOM+

1 YIJ::bool.. 'rtp,(T,'J'"::*, Vj,g(T ---> T .... Vhf! ---> iT

(If iJ th~n f ~ls~ g) 011. ==-p~r,f iJ th~n j 011. else yoh

2 'ltb;:bool.. '1p, 0, T::*'. '111,::0 ---. T .. '1 j, yp ---. (j

ho(if h then i else y) =p_r If I) then hoi else 11,0(; o

By the definition of boo! and (If then else), tIl(' second pltl'! of t..lm I('lllrna j, all 1[)f1t'lllt..iatioIl of the pt'CviOllS km ma

Chapter 5

Recursion

ReCUfoive data.types !wd rccllIsiv€' programs ar'e essential in any typed functional program­ming la.nguage" In t.his f"hapt€'r the programming language is extE:'nd(!d with recursion at both the ltv!'l of datatyp% and the level ()f programs" The new programming language Aw~ is the exten~ion of AW; wit.h t.wo new primit.ives, namely a type const.rutt,or J.l to form recursive datatypes and a fix point combhlator Y to form re(:\lrs[ve programs

The extension with unrestrict.td recursion drastica.lly chang(!~ t,he nature of the program­ming language.. It now offer~ I.hl' full power of t,he untyped lambda calnllu$ The price for this unrestricted rf'cursion [0,; t,hat. t.he prognl.lnrning hngu/!.ge now includes non-terminating programs programs of typ~~ (J ...... l' arc now pmtl{J,l funct.iolls from (J to T .. This affects the semantics of thf' pt"ogral11)Tling hnguage I!.lld (hC'l1ce) UIE' way we reason abOllt progra.ms in the programmiug lop;ic

In cha.pt,cr 8 the oelll,lllt.lfS of the plOgl amming bllguage with renlrsion is discussed" Datatype~ can no longel in[,C'l pt'Ned be <Ili ~Ns" Instead, t,hey will be interpreted as cpos This me8.n~ that domain t.hcOl"Y can bE:' \lhl'd M the b!\J:!i~ for l"easoning about the new pro­gramming language, This i~ t.he convent!cllli'l,l way of rea.~()lling about. non-termination and part.ial objects; the bE:'Bt known exampl!:' of a programming logic basE:'d on domain theory is LCF [GMW79]"

The programming logic AWt will be (>xti'lldcd to a syotcm Awt" No new logical primitives are needed iJI A ... { Some dornfLlll-titcoretic uotinlls, such as the Ol'dering 1; On programs, and their properties Itre needed, but, thC'sc can all b!:' ('xpt'essed using t,he primitives of AWt.,

It will be ShOWll that. all toll!:' domam theory that. is Heeded can be formali:.:ed inside the system AW~: Thl:' highC'r-order u!\.t\ll'C of t.he logic turm out to be uodul for this, In particular, II. ena.bles us to dcfill(, t.ht:' notioll of ;~dmissibilit.y (or (hain-completenc~s) for predicates in the ~y'stem Conseqlll'nt.ly, t h(' logi( i~ more powerful than LCF, be(:au~(' there thio notion has to live in the meta-theory

Th(C structure of this ('hapt,cI' is ~jlllihtl', to the pn~violls ones In scction 5,,1 the pro­gramming language AW~ is defined In ~i'dion 52 the a.%ociatcd programming logic )"wt is definE:'d, and a fot'ml\,li~l!.tiOlI of domain th("nry ill this syst~~m i~ giv'en Finally, in section 53 we gl"(> somc exampl(;'1; of W'l)S t.o prove (i)nN't.ness of programs m )"wi

85

86 CHAPTER 5 RECURSION

5.1 Extension of the Programming Language

In this section we defin~ the program language Awt', wha'h t'xl.t'lld~ t.ht' f,yf;U'1II AW: defilled III the previous chaptel" with rl"Cnrf;lvl' dat!ltyp~8 and ren1rsive programs

For rec'ursive datatypcs a nt'w Iype' ("(H1struC'tor /. is int.roduced, with which recursive type~ of the form (}lex ~ ... 0) (an he formed A re('ur~ive type (t./,o.::* •.. 0) is the solution of the recursive type equat.lou

where C\' E Varo, is a. dal.atyp('-vH.rla.bl~ In other word~, the datatype (J.to.::~. (1) is iso­morphic with its unfolding 17ft} ::= (/tn::*. 0")] .. This isomorphism is given by two operations unfold/I"".' " and fold ..... :., '" which ma.p inhabitants of a recursive type to its unfolding and ba,c'k These operations C()[,fH' wil.h th!' following r(!d1U:tion rule~::

unfold,,,,,., " (fold i,,,., "MI Do., M

fold i ",., " (unfold!,,,., "M) ~" M

It follows h"onl the~(' reduct.LOtt rll1('~ t.hat fold""., /f and lJnfold i ",., " do llldced ~iH~ all i.s.o­morphism ..

An alternative to OpcIMions (old,,,,,., " ;tnd unfold},,,., " i~ to idl~llt.jfy <I rec'ur~jve type and it!; unfolding .. Latcr, in disfUS"IOll 5 10, it I~ rXpllll\led why we haw c'hoJ:'~'n not to do this ..

Recursion a.I progralll l('vd j" plOvidl'd by a fixpoillt·opcrlHor Y,

y (l1er"~. (er ---t 0:) ---t (:I) ,

wit.h til(! reduction rule

Y ci f ~" I (Y 17 f)

In fact, th!'l"(' l~ no n'lll n~'~~d t.o add a fixpoinl.-oprrat.ol'· as a. pllmltlv(' Bcransc we havc solutions of all rccur~lv~~ typ~~ ('quations - including for instancc a solution (/.<a::~., (t - a) of Q ~ Q ---t 0. - we> hav(' th(' full [)ClWW of UI(' l1l1typed lambda calcl1lu~, and fixpoint"opcrators ca.n he ddincd .. An example of this is giv('n lMer, in exampl(' G 2 Thr r!,;L~ml for lndnding a. fb,point-operator Y as a pl"imitiv(' is t.hat is plays f;utlt H.ll 11llj)O(t.i\ltt role A )';(1., a dm?ct implementation of Y will h(' IllMC cffi( lcnt than any definable fixpoint-operator ..

1'hl' programming lan~uag(' Aw~' alld its (',xWnsioll w'ith ddinitlollf; Aw~'! ;LIT HOW defined as follows

5 .. 1 DUINI lION (.\W~'(61)

Th~ progr::\rmnlng hnguag(, Aw~' (bl l~ tll(' f'xl lnSHJll of AW; (~'I wli h t hl" P!;l'lldotrrLllh, ITdlldl{)n 'Ilk!; and type inference given below Thl' ~<'I. of P"l udOI.l,Ilil'; l~ l"xUndl'd il,; follow~

T::= I (pVarn,~. T) I foldw •.• , " T I unfold"" .• , " T I Y

Tlw following reduction l"\dr~ itll' addl'd

unfold!",., " (fold},,, •• " M)

fold il,,,·., " (unfold"" .• , " M) Y!lf

[>1' Al 1>" M r> " f (Y !l f)

5 . .1" EXTENSION OF THE PROGRAMMING LANGUAGE

and the following type inference rules

C/.tform)

(Jllntro )

(p.elim)

(Yintro)

r f- M 0"[0: ::= (p.o:*~ .. O")J r f- fold JJ(>:., " M : (p.Q::*._ 0')

r f- M :: (flO:~.·· 0-) r f- unfold ... fi:., ~ M :: O"[C\' .,= l!.m::*$- 0")]

( t- Y ;: (na;;"." (0: ---t Oi) ---t 0:)

87

D

Unlike the reduction rules for +, )( and ~ introdu('ed in the prl)viou~ chapter, the new reduction rules are not induded in the notion of IJ-rlO'duction, but in$I,{::ad we have a separate notion of Jl-I"eduction As a result, (3- and (3o-reduction arE:' kept strongly normalising,. At this point there is no reason for 11Iwing sepal'l!.tlO' rlO'duction n~latlom; t>/3 and 1>1' But for the programming logic >.. .... r introduC'ed in !;H:tioll 52 it. will be important that B(fi)-reduction is kept strongly normalising (or ra.ther tha.t 8(6)-conversion is kept decidable) This will be explained in more detail in the next sect.ion in disCllssion 5 . .10 .. For the same reason we do not identify recursive types with tlwir unfoldings .. Then 8-r('duction would also not be strongly normalising and B-conversion would hI' llIl(\ccid,tblc ..

The two redllction rules for fold"",:" " and unfold)lfi", ~ can be seen as a {3- and an TI­rednction ruk It. is the convention that the reduction of a term formed by an introduction tOI\f;I,mction applit"d 1,0 an rlimination construction is c~lIed B·reduction, and that the redw:­bon of a term formed by an elimll1;ttion constl"uction applied to an introduction construction is caJkd l1-n~du(:t.ion .. For (,xarnplt, in t.he O-r('diccs (\r:A.. b) a and (u, b),l elimination construc­tiOllo - application and sel!)ctiou - MC apphcd to intt'oduction conStl"nctions - abstraction and pairing - In the jl-r~dk(,i:1 (A'l":A b .~.) i\lld (17..1, (1, .. 2} introduction c:onst.rllctions are applied to elimination construction" ..

By this convention unfold!'«: •• a (fold l " •. :., " M) t>1' M i~ th(' O-rcdnction rule, and fold!,"".' " (unfoldJ,,,,., "M) D- J, M the !1-r~dud.io~1 rule for [I-types Of the two reduction rules for fold l , ... ,., i1 and unfold/",:.,,, it is thl~ "fi"-NdllC!.lon rul(' that appea.rs to be the crucial one.. For inl:>tau(:e, in exal)lple 52 b(!low it is t.hi~ reduction rule that is needed tD prorill("e an innnit,E! [('dndiOn ~f'qu(>ncc We do not know if there are infinite reduction sequences in which the "t/"·l'·nle fold ... fi .• , " (unfold ... ",., I') M) [>J,M is used, but the "8"-rulc unfold!,,,,, " (fold!""., " M) I> I' M is not used

5 2 EXAMPLE An example of a fixpointroperator for programs that 10 now typable is

T

InW

(pf}::*$" f} ---> ((~ .... 0-) - 0-) ~. (ATT .. )"f((t ---> (~) .. f ((unfold T .);) x I)) 1" ---> (0: ---+ 0:) ---> 0:

In !1' (fold T 1(1) (nc.::~. ((I ---t (~) ---t (I)

Tlu8 is a typed w'rSlon Df Tilling'!; fixpoillt (OlnhillHJm for I hI' ullI,yp('d lambda calculus, which we can get simply by er!l.l:'iug all IllE:' tYIW illfDrmat.ioll ;Llld I,he operations fold,. and unfold.,-

88 CHAPTER 5.. RECURSION

It is easy to verify that Y 1 "rillY is ill(i('I'd it fiXpOlnt.-opl~rator

YTuring Q f t>!.l6 T=, In W=, In W (fold~ w) 1 t>J T=, In W=, In ('\11,1 1 (( unfold. 11) 11 f)) (fold r w) 1 l»p T= in W= .. in f ((unfold T (fold T 11») (fold T w) 1) [:>1' 1'"" In 10;;;;;:, In f (u., (fold T w) f) ~b f (Y1"rmg 4 f)

0

In contrast to l.ht' programmillg la!lglla.g(~J:; int.rod\lced el!.rlil'r, ",II dl!.tl!.typl'~ I!.rl' !lOW in­habited, as is shown helow, In )"w., and )"w: there are no program~ inhabIting thl' dat.at.ypr (na;", .. il), but ill AW: th~re are, aJ; t.bl~ foIJowmg definition demOnlltfah'~,

5.,3 DCr'INITI(lN The (ollh'xt fJ i~

(An:: ... Y (} (A.r::n, .·.r))

Consequently, any dat.atypc (J hits rtt lea~t Olle' mhabitant, namciy (.l 6) Given th(' reduction rule for Y, it is easy to see that this program doC's not hiwc a normal form The iJiterpretl:l.tion of (J. 0-) In the cpo-model given in chaptpI b will of course be the bottom eiemt'llt of thf:' q.lO

that i8 the int.erpretation of (J

W€ will always i:l}l~Um(' th~ t r 1. i~ part of the ('outext The tYlW parameh'l of 1. will 1)1" written as a subscript, i..c we wfit.£' .l" fOl (.l 6)

Wit.h th\:' type constructor /1 W(' C!l.ll at last lnltke "n'aJ'" datl!.tYl)('~' ':'lIdl ",h '" dittatypc fot the llat.ural numlwfs::

5A EXAMPLE Th~ cont('xt r",,, ddinin/l; tli(' datatYlH' of natllr",!ullmtwrH )~

nat o s p

(fLO ~. Unit + 0) ::~,

fold",,! (In""il+""/ 1 unit) :: nat An nat fOld nat (inbllt+,,,01 .. 2 n) nat --t nat An n~t.. 'i7(>.r Unit. 0, Am::nat m) (un(old nat n I nat -., nat

D

Of (:ours~, Ow pri(;(~ for havillg ",II r(~( lHH1\i'1' t.yp~'s Hlld it fiXpOlllt (olJJhill!Lt()J IS that this dat.at.ypt' nat nOt. only h!l~ illhi~hit.i\llt~ S" 0 .... It.h I) E IN, hilt ahn all illhahi! ant .l,,,,/

Properties of Aw~' and Aw~\

The type inferenct' rule (Jlform) giv('s 11('W dahtypes, t 11(' ot Itt'! IU'W tyW' ITIiI'r('Il< ( rul~~ glvt' new programs .. The set~ of pS('\ldoteI'm~ Cons and Prog haw to l)(' ('xtt'nded au ordlllgl)::

5 .. 5 DI':I' INI'lI(jN Thi' i;d.H of P"('1I(\01(rlll" (ons '!lId Prog ({('Illii d III (Ii'fini! wll 4 lb for Aw.1

are extended &3 follows

Cons

Prog

I (pVarn,,,. Cons)

I fold"" •• " Prog I unfoldw ,," " Prog I Y

o

5,1. EXTENSION OF THE PROGRAMMING LANGUAGE

Then::

5 .. 6 LEMMA (Classification for .\w:)

1, If r f- J[( D, then D( E Kind,

2., If r f- (J ., J[( :; D. then (T E Cons,

3., If r f- M :: II : "'. t,hl;!l\ M E Prog,

PROOF Exactly the same way as lC'mmas 3,.5 and 4,,29

89

D

With the exception of !;trong normalisation, the systems .\w~ and >..wt ~ inherit all the properties of ).,w: and .\w; 6 And ev('n though OJI' and 'ot,o-reduction are not strongly normalising, 8trong normalisation for /3- and Oli·reduction 18 preserved ..

Only programs (an I/,-reduce, the kinds, dat.atypl:'s and ot.her data.type-constructofs can­not .. Because of this, types are not just unique IIp f31J.(S)-conversion, but they are even unique up to B( D)·conversion ..

57 TUBOREM (Prop~rti('s of )"wn,

• CRiJ;J :. 8J1,-r~du(tioll i~ Church-Rosser

• SR,jJ.6 if r r I; Band b 1»{:IfJ b' then r f- b' " B..

• UT 8 if r r IJ Band r f- b ;: 8 ' then B ':::!:{j n' • SNJ3 :. if r r Ii B tho:>n band B ar(' tJ-strongly llorrllalising

PROOF As for PTSs with +, x and l: (L('lnllliL 4 . .13)' ClnU'ch·Rosser can be proved using the theory of Combinatory Redu(.(i~m Sy'Sl.C'IHS (eRSs)., The relation POOl' is not an orthogonal CRS, becauJ;1) it, h!!.'; i;o-callcd ovcdapping rcdices of the form

fold,.""., (f ( unfold!"",,., " (foldl ,,,,", " M) )

ThiS terril (ont.ain" two ovcdapping l'edices, indicated by till;! OVl'r- and underlining" However, contracting either rtdex rf'sult. in the same term, namely (fold)""., <1 M), ~o f>{:I1' is a weakly orthogona.l CRS .. Confluence for weakly orthogonal CRSs is proved in [Raa92],.

SNt> for AW: follows from SN~ for ).,w: All the h,mlS that arc typable in .\w: are -with a Blightly diff('rt'nt ,~ynt"x for the jl-types and with extra pil.ramt>t.crs for fold!,,,,,,, (f and unfold!'"",.. (f - also typa.bl~ ill >..w; in the following context,

M

fold unfold

y

(*. ---> *.J ---> ~" nF::~. ---> * ... F(/i,l-') ---t JLF nF::~. ---> * ... /LF -. F(iJ,F) (no::~. ((t ....... (~) - (~)

It Hlf.·n follows from SN;:i for )"w: that all thC!'4' t.ennR an! t3-strongly normalising., The propl;!rti('~ SR and UT fan be proyed in the Btandard way, i .. !'! .. by the same inductions

uSl:'d in chapter 2 for PTS!; (alld ill ('hapt.ct' 4 for PTS:;: with +, x and l:) 0

90 CHAPTER 5 RECURSION

5 .. 8 THEOREM (Pl"opertil~!; of AW~'~)

• CRi1I'~ :: O,LtD"t"edlICl.ioll if; Churdl-Ro8:'l(,1'

• SR/j/A :' if r f- b " Band b ~>ljJ'. 1/ th~'n r f- bl :: B

• UT iJ~ , if r t-!J B alld r f- b B' then B '::::.JJ6 B'"

• SN{:j6 if r I- b :: B then band B ar(' iM-~trOllg[y nrmnah8ing in r • ElirnillMlOll of definitions if r t- a A III .\w~ 6 tlll~ll bnf(r) f- bnf do) Dnfr(A) in >'w~'

PROOF .. $N/jJ can be proved in th(' !';amC way J:W SN/j for >'w~' in the previous th~o]'cnl All

the other properUt:'8 ("an be proved in cxatUy' t.h~ sa.mE' way 8.3 in ('hapter 2 for DPTSs and in chapter 4 fot', DPTS~ with +, x and Z 0

5,,2.. EXTENSION OF THE PROGRAMMING LOGIC 91

5.2 Extension of the Programming Logic

In this section the pmgrarnmillg logic '\Wt is defined, in which we (;an reason ahout the programming language '\w; ..

As we mentioned earlier, domain theory il:l used as the basis for reasoning about )..w~ .. However, no notions or axioms from domain theory,," such as the cpo ordering ~ and its properties - have to be included as primitives in the system >,(,.J~- lnstead, all the domain theory that is needed wlll be fontll'l.lised in t.he system, i .. e .. we will give a cOnte;x;t declaring and defining all the domain-theoretic l)OtiOIIS Rnd axioms that are needed .. No new logical primitives other than the one!:l already offered by '\wt are needed for this, so as the system "\Wt we can simply take the system .\wt with its >.w;-suhsystem extended to .\w:·

5.9 DEFINITION (Awtp)) The pr<lgratnrning logIc '\W~:(b) is the extension of the system AWL· (Ii) with the pseudoterms, reduction and type inference rules given in definition 5 .. 1 0

510 DISCUSSION (8(6)-collwrsion vs tL-conversion of types) .. In Awt there is an illf~n>llt~ ral!' t.O B-convert types, namely the rule

(8conv) r f- b;; B r f- B' :: s B ';Z..tJ B'

rf.. b:: D'

whkh allows a t.ype t() he replateJ by a 8-convertible one In .\wi~ we have the more powf'rflll conversion rille (flliconv), which allows the Oli·conversion of types .. With this rule, the following inference rule is derivable ..

(6conv) r f- b E r f- B'. s r f- B ~~ E'

rr b:: B'

It is easy to !:lee t.hat, b~("a..U$(! (If t.ll!'~~ ml!'~, typ!' checking involves testing convertibility of t.ypes .. For e;x;ampk, to ch!'tk if t :: A r.~ .. AilS derivable in >'wj(~) we have to check among

other things - if A and A' are B(6)·conV('rtible .. ilec·a\lSe i3(b)-reduction is Chllrch-Rosser and strongly normalising, B(6)-conversion is decidable ..

The type infel"ence rules of ),,(,.Jt do not include a ~l-conversion rule

r r b ; B r f- B': s B :;:'1' B' r f- b IJ'

wlllch allows a type to be n;plau:d by <I JI.-(;Ollv~·rtibk One In the programming language )"w~ there is no use for t.his rule, because in AW~' t.here ar~ no t.ypes that. tan be It-reduced (only programs can be j1.-reduced) .. But in )"wt there are types that /l-reduce, because programs can occur as subcxpressions of propositions .. For example, if P :: (J ---l- *v then P (V q f) is a proposition that tL-rcduces to P U (Y (J I)).. The rule (/leon.,,) could be used to deduce r f- p P (Y (! f) from r t- p P (j (Y (1 I)) and vice versa, and hence it could be used to prove (Y (T f) =" f (V (1 f)

Tlw reason for (>xduding t.h(> rul(> (p,conv) i~ that it would makl' t.ype inference undecidable, because /l"conversion is undecidable .. To he preci8e, it would make type inf~rencc for proof terms undecidable. ie it would no longer be dE'tidl!.ble if r I- p :: P for proof t.erms P E Proof and propositions P E PCon~

92 CHAPTER 5 RECURSION

For the same reaSOn, we do not identify a recursive type and its unfolding This would make the operations foldl"".' iT a.nd unfoJd,.(o, •• " redundant, but it would also make type inference undecidable, because fi-t()nver~i()n io then no longer deddable D

The rules (.Bconv) alld (&onv) Can b€.' Hoed to prove that all 50-convertible programs are Leihniz' equal (soe page 41, when~ th~ notion of Leibniz' equality of programs is intro­duced)" Becallse we do not have the rule (uc:onv), we cannot prove Leibniz' equality of p­con'\l'ertible progra.mo in the same way., The properties fold""., ¢' (unfold,.",., " M) =""'., ¢' M, unfold.l'''''' iT (foldl""'.' " N) =u[o =(/'0:., ,,)1 N, and (V (J f) """ f (V (J 1) will have to be intro­duced H$ a.xiomo (see definition 5,,17),

So, \lnlike fj- and 6-conversions, any /I.-conversions that are done in a proof leave a trace ill the proof term that represents that proof Proof terms for the properties llle'lltlOlll'd abo\e effectively record all the p-conversions that are done in a proof

Properties of AWr and AI .• /ib

In the system .\wi we h'l.ve the ~a.me inference rulE'B for prop-kinds, prop,('on~tru('tor~ and proofs as in Awt" This lIH"i\.J1!; thi;l.t th~' ('ollh~xt-frl:'~~ oyutll.X for t,ltl;'.;e k'ol{,IJ:; relllallll; 1111(:hll.ngl>d, Le for AWl[ the sets Pkind, Peons and Proof ('an be ddilled by thl:' Barr\(' (or)text-fn'~' gra.mmar given in definition 434 for .\wI

The systems '\Wt and AWL~ inhC'rit. all th" propert.ll'S of '\1.1.1 t and ,\ ... t ~ 'The Chllreh­Rosser properties for fi/. and 8,JO whidl do not depold On Ul(~ typing r~dation ha.',(' alrrady been proved for AW~ and .\w~· ~ in Uw pn'vl()lls ~e{'tioll St,rong norrn'l.li~lI.t,ion of (:i( h )-rf'dlldion for AW/'(6) can be provNI in t,he ~a.lrl~· wILy as for .\w~ (6)" The·1 r{'m;tilling pr(lpert,ief; (an all be proved by lht saHli' indue t,l(m~ uH~~d to proV(' the~Hi' pr(lp~~rt,H~~ for HH~ IH~~violIS HYSt,PIlli;"

5 .. 11 THIWREM (Pr(lplrti(~J:; of AwD

• CR~I' (j,'-fl:'duction is Church·Rossel"

• SR$I' if r t- /; :: B ,~lld Ii ~> {J I, // t1H'll I t- // lJ

• UT (j if r f- b Band r t- II B' t he'll B '::t~ B'

• SN,5 if r f- b B then h hnd B arc ;i-strongly normaliSing

• Conservativity of AWj OVf'l' >'w~'" if r f- a A in AWL and il. E Prog U Cons U Kind t.hen rO,., t- i1 A in .\w:'

n

5.12 Tm:OItJ;;M (Properti~·~ of ),w~'b)

• CRpl'o ' 8/tD-I''(:(\nction is Chllrdl-Roi\i';('l

• SRil). :: if r f- b " Band b [:» i3i'~ 1/ then r t- bl " B

• UT liJ :' if r f- b Band r f- Ii :: B' th~'u B ::O:ilJ D'"

• SNfl6 if r f- b ' B then band B aI""'" do-strongly normalhing in r • Elimination of definitiolls::

if r f- a :: A m AwL t.lHll (nf(l') t- lnf/ (fi) lnf; (A) ill AW~~

o

52 EXTENSION OF THE PROGRAMMING LOGIC 93

Formalisation of Domain Theory in )"w'i

To reason about recursive programs in )"wi, a (;onte;x:t Tcpo will be defined, which declares the cpo ordering!: and aU the properties of ~ and of y" In this context Scott's mle for computational induction - also known as fixpoint induction - will be provable .. The model given in chapter 8 gives the justification for the axioms in Tcpo

First we list the notions from the theory of cpos that, have to be formalised"

5,.13 DEFINITION (chain, cpo, monotonic, continuous) .. Let A be a set, partially ordered by !;,4" Le .. ~A is refiexive, tra.nsitive and antisymmetric

1.. a. I;ubset C of A is called a chain if it is not empty and if for all ;t;, y E C, it; ~A tI or y ~A x ..

2 .. A il; called a cpo if tvery thaill C in A has a least upper bound - or limit - U C, and it has a least clement ..LA (which is the least upper hound of th~ empty set in A)"

Suppose the sets A and B, partially ordered by i;;;A and [;;B, resp(lct.ivcly, arc cpos"

3 a function f from A to B is called monotonic if for all it;, yEA, if x ~A y then f(x) [;;H f(y)··

4 a function f from A 1,0 B is ~a.lIed continuous if f(UC) = U{J(;t;) I;t; E C} for every chain C in A

If A be a cpo and f II. continuous function from A to A, then f has a least fixed point Y(f) .. This means that YU) = f(Y(f)), and if f(x) = x then Y(f) ~A it; This least fixed point of YU) is the least uppel' bound of {loA, f(.LA),f2(..LA), .... } .. The least fixpoint of f is alao the leMt prefixpoint, of /,1;0 If /(7.:) [;;A ::r: then Y(!) ~A ,x

Scott's fixpoint induction rule - given in lemma 515 below - provides a way to reason about least fixpoints,. It. r(>quires t.he following dE.'finition

514 DI:;I"INITION A prfdicatc /, Oil a ~!'I, A is called admtsstble if for every chain C in A for which all elementl; I;at,jsfy P thE.' limit, ()f C al~o satisfies p, 0

5 .. 15 LEMMA (Fixpoint Induction),. Let A be a cpo, f a continuous fundioll from A to A, and P an admissible predicate on A .. If

• P(l-A)

• for all .x E A, if Per) thl:'n P(j(';r))

thl'n P(Y(f)) ..

A Awi6-context Tcl'o will be dcfinl'd, whi("h d!'cla.res an ordering ~ on datatypes, and axioml:l for [;; and y, from which it, fOllowS that all datatypes are cpos, that all programs of some type 0' ---> T a.re (Olitill11011S (alld hellce monOI,onir), and that Y produces least fixed pomts Before this ('.ontext IS df.'filled WI:' fh!:<t discuss the ingredients one by one

94 CHAPTER 5 RECURSION

The most importa.nt notion needed is the cpo-ordering [;; (In progra.ms.. Like Leibniz' equaJlty of progl"ams, introduced in definition 3 21, this is a polymorphi!:: predicl!.t.e of type (ITO': "'". (~ - (~ ---> "1"), Le

c n(x·~, .. (~ ....... (.\; ---> *1'

For [; the same nOl.a.t.iQnal conventions are used as for :;;:;L, i .. 1' c: li; w;nttl:'n mfix with Its first argument a.s a subscript So for instant!' wI' write (M [;;" N) for (!;;; (J M NI,

h. IS easy to give axioms stating that [;; is reflexive, transitive and ant.isYltlltLN.rif, and that all functions are monotoniC

ref! VOl *$" '<Ix C\' X ~l' X

trans antl,~ym

monotonl(:lty

\;;f0' *. \Ix, y, Z::,~ .. 1:: [;;'" y => y [;;" z "*' x [;; .... z '<Ia:*$ "ix, yet x!;;; ... 11 &:> !) [;;" .. I." =>r =" y V(~, fI*. 'iff (I; - 8 'Ix, irCL x ~,,1/ :-:- f _f' ~.(;/ f y

We also need some pl'Opl'rti("!; of t.hl' fix]101nt-opcratol" Y provided by the plogr<'llllnlill$; lan­guaW'>, lla.rnely th!l.t (Y (J' f) is tIlt Itas\. {lx('·d-pOIllt. of f for all f (r ---+ (r The lI.Xiom5 below state that (Y (7 [) Ii; a fixpoint of f and that. it is smallC'l" t.hall iLlly ot.lwr pT£'fix-po'lllt::

fix V(P ... 'ifja---t('( .. Ya/="J(Yaj) h.·(lsl.fir; 'In * ... '1/ a ---t <X .. \;;f,x n / r ~'" .J' => Y (~f [;;,,''1;

It imffitdiILt.dy follows from the axionl kll~l.fi~.· t.hat C~'(n ... ';i·,'1; .. n ..l" [;;" ::c). with 1.. as defined III definition 53 So eve!) dal,\\..l' pc 0 h,\~ i\ ki\.~t. deul('nt., namely tht, program 1.."

We ~till need the propC'l'ty that. all dl<\llI!:' bJ:\v~' It'!l.I;t. UpPt'1 bounds, aud that all functions are continuous, EXPIC""llll; \.lH'~(' proll('rt.i('~ jn "w~'. n'(juires a bit mol"(' work

First of all, t.IH! llotion of (least) upper bound of [j. "Ilb~el {M j , .. .. , M,.} of,t dat<Lt) W (7

is needed .. Pl"edkah'~ 011 datatypes will be> used 10 (h;na.de>rl~('· such ~UbMpt~ .. Th~' followlllg terms UB alld LUB (~xpr~l:\S the notions of upper bound and leaH UppCl" boulld of ,], pr(;dlcatc On a datatype, respecthcl)

un ).a::*. ),p .. t', ---t ~JI A.'r (~ V1j::n .. P 11 "'" Y [;;'" ::r

n(~::*. ((~ ---+ *1') ---+ C\' ---+ *1' LUB ;;;;: ;\(L~. )'P::(~ ---+ *1' ,\1" n (un (\' PT) II. ('11 Cl UB Cl P Ii .,-,:-. I~" iJ)

n{~ *, (n ---+ *1') ---+ (l ---t *11

1£ P (]' ---'I *p, then tIl(' pl'OpO~lt.I()JJ (Uli (r I' ::l) ~lak, that x is an upPt'l" bound of the ~et charatt,<'rl!>rd by /' and (LUll (J' P T) ~tM('~ that .J' b ,l lea!>! UppN' 1)()\llld Ol' linllt of l.hi" set.

(.hlll1/. An*; )"C (t - *. (3:r .. ('( .. C .~,) .A ('I,r, !/:a ex' 1\ C Ii =:> ;t ... ~".<} V Y ~" r}

I1!> ~., ((~ ---+ *,» ---+ *)'

If Cis predital.r (HI It d~t.l\tYPI' (~, then (elWin (l C) *JI i!> the proposilion "C is a thain" Using predlC<]'U~& to dli\ra(Jt'ri~(' ~et~, and using LUB and cham. rlcfinNI al)o\(', WC' then

get thC' following aXiom for ("ontimllty of all fundloll~

contmutty 'Ir1, T* ... 'r:I!/::(7 ---! T .. '<Ie (r ---+ *p .. '\;11111) (J \;;f11(b l1"

C' = (),y .. T .. ~.'.'f::(r tJ·:r =~ y A C ,~) T ---+ *1' In

(ch(lm (r Cl =} (LUll (J Club) =} (LUB r C' h.b' l =} 9 hI> ""7 IllY

52 EXTENSION OF THE PROGRAMMING LOGIC 95

Here C' :: T ---> "'p is the image of C under g .. Wc can now give the last prop~rty of !;;;, na.mely that all chains have a. !cast upper bound::

complete 1;I(.l~. '<ICa ---> "'$' cham 0: C ",... (31ub::n .... LUB a Club)

Recall that from lea,~tfot, it followed that all datatypes have a least element, So, from lctJ.iltjix and complete together it follows that all data types are cpos ....

Note that we cannot hope to define .. or even to declare - a function

that maps predicates to their lim ito, b(':cause t,hi~ type cannot be formed in ).Wt6- A term (U (j P) would be an inhabitant of the dat.a.type (f depending on a predica.tt P So it is a term in the programming lal1g1lll.g~ df'W'lldi!lg on a term in the logic .. Thi~ i~ exactly one of the dependencies we have ("ho~~n [,0 cxchlde in AWL and its extenoions ..

A set P is called admissibh' - or (:hain-tomplr[,c - if any chain in P ha.s a. limit in P,. A predicate P a --+ "'pis call('d adlllif;f;ibk if the set it characterises is, i .. l:' if for any chain C for which all elements saUdy P t II(' lillli! ,,1':0 satisfies p, So we define

An::~ •.. )"P Q - *1' 'lC"(); ---. "'p V lull (~.,

(chmnt\C) => (LUBaChtb) =*" (VXl.:. .... C:t:->Px) => (Plub) lll}::~. (n ---. "'1') --+ *p

The fact the !lotion of admbibJilty ('all be ('xpl""r~srd and that admissibility of programs Ci111 be ptoved in the system mea.ns tha.t. th~! logic we have is stronger than LCF ([PallS7])" Th(>r(' the conditjoll of the admi88ibilit.y of P in fhpoirlt.. induction is strengthened to a. syn­tactic check on the !;lIapr of P Even though the notion of admissibility is definable, such a syntacti{' {'heck carl still be Ilseful. becaus~ proving a.dlllissibility of a predicate can be qliite (orrtplicated

All dE:'daration~ and dl'filllt.ions in repo have now been diSC\ll';~('d, \\ith the exception of the (self-expla.nll.tnry) d!'fillitiot\ of strIct

5 .. 16 Dr:FINJ'I'ION r CPO is th(' AW~~rcont!:'xt

C IIQ*$Q--->o-*p

n;ft '10:::>1". '<1.1,. a.. x ~(>" :r

tron8 ';10:::*, ';1.7;, y, ::::n .. 3·· 1;;;" II '* Y ~<">" Z =} X [;;(> Z

(mtz~ym" '<I(}::~. V~.., ir Q ,· J' ~,~ 11 => 11 [;;(>·.r '::;>'1; =", Y

monatomctty VQ"lh., '<If (t ---> /J Y/ r, yD .. . t· !;;;" 11 ;;;} f ,.1: ~.B J Y

fix VQ *. '<If a ---+ n Y n f ""<> f (Y (); f)

leastjiz ';/C'< *. I;I/;et. ---. Q,. 'V.l,;;Q f ,7; !;;; ... x "* Y ~ f [;;;" X·

VB "" ACt ... ),1' (); ---. *P" >'x;Q., Vy 0' .. P 11 =*" 11 (;;;" x

ilO'*, .. (} ---> *p) ......, l.k ---. *p

96

Lun

cham

contmlLtty

complete

adml88lble

strict

CHAPTER 5.. RECUItSION

>'0: *~ ).,Po: ---> *p '\xo: (VB 0: P xl A ('iy:o: .. VB 0; P y ,*, ~'" y)

no: ". (0 - *p) ---> 0; -t *p

.\cr:;". .\Ccr ---> "'.

(3J;(); .. Cx) A C'iT,yr'>CxACy:::::.. X [;;'" yVV [;;'" 1.')

no.,,,. (0 ---> *v) ---> *p

't(1,1"::*. 'tga - T .. 'tC::(1 - *p .. 'thtb::D' .. ';fIlth',.

C' = (.\1/,T, :lx,./T, . .9 X =T 11 II ex):: T -t *p in

(cham C! C) '* (LUB C! Club) :;} (LVB T C' lub' ) =} I) lub =T lub'

'tt)::* ... 'VCo ---> ,jo, .. ch(zU! (l; C => (3l~zb(k LUB (); C luh)

'\0;:*." )'P'Ct ---> *p

'<Ie CI' --t */1 'tlub 0

(duli,n Q C) =} (um (> c itl,b) =} (\;I.:r{~ .. C.T => P T) '* (P lub)

T1(~::*. «~ ---> *1') ---> *p

'\0", T *. ,\f;:(J ---> T f.1" =r .iT

nD',"'::*. (0 -t T) ---> "1'

o

MOTe axiom8 are ne('ded thall just the OUt'S ill repo We want to UJ;e axioms !;llnilar t.l) thl' One8 in AX lOM+ (definition <I 39), e g axioms for clllSsicallogk, aXlomJj for ext,t·Il>;i(Hlalit.y (If --->. and n·types, and axioms for str\lctm'al induct.ion on +-, x- and ~:::'types Below a 8E't of axioms AXIOM II is defined that can be: safely used in >"W~b That these axioms are sound is shown in chaptel" 8, using t he cpo-model

Compared with !.Ill' ,~xiOm}; in AX [OM+ t,h('n' ar(" ;L ftw difftrell('.es .. Fitst of all, we want axioms relating the cpo-ordering on the different datatypes" For the -t., n·, and x-dat.atypef< we want to be able t.o prove

f ~O_7 q -¢=;> ('\1'):: rJ f x ~T gx) (il

/ [;;n<> II( " .rJ {=;> ('rt0:D( /0[;;" go) (ii)

M ~nlll"l 1.".1 N .;:::::::. Nil ~'" MIl j\ 1\ NI"~,,., Ml" (iii)

All the implicat.lOll}; fronl [('f1. Ul ri~ht f'illl lJ(' ]llovtd uf;illg monotonicity.. For example, if

f ~tlcdK u II, thtn by rllouot.ollillt.y

(A·.r::(lh.ff( <71 T rd J [;;" (X·.·I::(1I06< .. 0) .. :t· (k) II ,

and h~n('~ f (l; ~" .9 0:

For (i) alld (ii), t.lll' ill'lphnlt.ioll!; from nght t,!) kft ,n·r.· illdu!itd a.~ ,lXJOlll~ ill AXIOMI' They tarl r(>plan:! the (l.xioTn~ for ('xtmlH)ol)(l.hty of --->- 'lTld n-typ('~ th,lt.w!'n' illduded in AX 10M and AX [OM+, h(,( au!'p t.hPH(~ follow from (i) <Lnd (ii) bj t,h!' anli:symlllctry of ~

For (iii), the implication fl"om right. to left does not have to be included I\~ an il.)("lQTn, because it follows frommonotollicity ofth<' fnnclion ttlpie O"l ---> -t (1" ---> TI(il"O"I in an)

wIth t~tpie Nt N'I I»M ([1 f-+ Nt, ,I" f-+ N,J

52- EXTENSION OF THE PROGRAMMING LOGIC 97

No properties of the ordering ~ on +·types and E-types have to be included as axioms., For instance, we can already prove that

The implication from ldt to right follows from the fact that (),X::O"i .. il1lCill"" .In>7n)Jj x) is monotonic .. The un plication from right to left can be proved by defining a program I of type :to)d].. In::Gn) ---. Go such that j (inr:(lla, In"'n)/' x) r»1J6 x, and using the fact that this funct.ion 1 is monotonic

We can also prove, for any I, oj;. IJ' that

To do this, define functions j,g ~(11::0"1 1" .. 0',,) ---> bool >;\lch that 1 (In 1, x) f»P6 true, f (in'!J x) 1»$6 false, q (in I, ,1') [»n~ f<llse, aud f (int) .:r) t»~J true .. Then by monotonicity of f and q and antlsymmetry of k it foll()w~ tha.t

The axioms AX);ill""'l in:an ) and AXl';",:g(" in AXIOM+ for st.ructural induction on +. and E·types have to change., A type E(I)(1I" /,,::(1,,) not only contains elements of the form In 1: (lJ;<"1 1.,<",,),1, M" but it now also cont.aiua a bOUoIll element .i1:III:<'I1 In;''n) For example, for the datatype :C{1::17], 20'2), i c,. 0"] + "'2, we now get

AX<T,+<T, : '1P(1'] + 172 ....... "'P' (V''rYO']., P(lnO'I+"2,,1 ,x])) =*" (I;I'X2::0"2 P(In"I+,,~2 X2))

=*" P 1.<"1 +<"2 =*" (V Z::O"I + 0"2 .. P z)

DatMy-pcs (Ec.::l1( 0') ,,,,Iso cont~in bottom element,s, 80 for theoe the axioms AXlCa:b'( " are char1gcd in the same ",ay ..

For +- M E-t.yp('~ we also have to incluctc axioms that. st.ate that all function!; constructed using the elimination construction \l ltr(~ iltrh t..

Finally, for t.he JI.-t.ype~ W(' hltVi' tD iutimk axiom~ AX!",,,_, " that state that foldJ,<"" .... " and Ul1foldJ,<C<'., (J are isomorphbl)l~

5.,17 DEFINITION AXIOMi' is t.h(' oct. of "'xWII!$ tolltailling

d~sslc

Pb"QJ

AX"_OT

AXn .... ,n,· (J

'rfP::*p ("p) ;;;;} P,

true oFbQ(>i. false,

'<11,g (T-T ('<i.ra It'~T9·:r) '* f~,,-~q, VI,g (ITC'f}J( .. 0") .. (VcdICfct(;;"ga) "*' f~n«;u(,,9

1;1 P::I1(I);(T], " , 1!\:O",J --+ *t> ..

(V:nO"],.. ,1""::(1,, .. P(l] I-t .:l::l, , .. , ,I" I-t x,,})

=} (Vz::IT(I)O"] , .. , InO",J. p z),

'<1P::f;(l1 0'],.. ,1,,0',,) ---t "'P'

('1:<)(1'1 P(In£(ll"l J,.,,,.) .. l] xd) =}

98 CHAPTER 5 ltECUHSlON

--> C'ixn(Tn .. P(inl:(/j:<>"j .... In:<'n)....l,, x,,))

"* P ..il:<lI"1 in .. "")

=> (VZ:::EUj .... O"J, ,lt~;;O""") P Z),

AXEcdK" :: VP, .. ('L.Q .. ./[{, .. 0") ---. ~P'"

AX!.',,>, "

('Vo.Jl( 'VIa P(InE",gC" Q ":V))

=> P l,E,-,UC "

=} (Vz ('L.c.D( a) P .0),

(Vz (WX" ..... 0") .... fold" ... ,., " (unfold, .. "., " Z) """,,:>, ".0) /I.

('1':;0"10: ::= (Ito::,". O')J" unfoldf""" " (fold .. ",:., (7 z) "",,[u =1 .. 1'''':'' (71] z)

STRICT y':(1I:"1 1.,;(1".,)

STRICTEod}( "

'1p::* ..... 'iff nUl 0"1 ---. p, .. , .... , I" a" ---. p) .... V' f ..iL\!j""1 I,,:,',,) """ .. I p

'rip * ..... 'f f (11et ff( a --t II) .... \! f ..iI;a g( " ==p J_ p

for all 0" ---. 'I",(11Ct::d( a),IT(lIITI .... .... I,,0",.),I;<l 1 0"1""" I" cr,,)t(r;,~g( a), (/,,:. >1< ..... (7) C Con~ o

Of course, w(' want.. to know if the axioms in repo and AX 10M" an' tOn"I~1.('nt.. Thl~

can be proved using Ih(, model given in chapter 8

5, .. 18 LEMMA (CorIoiotency of repo and AXIOM).! ill AWL! False i~ not provable in the context. TCl'O ('xll'ud('d with axiorn~ from AX 10/1..[1'

PROOF Sec lemma 833.. .. o

5 .. 3. PROCRAM AND PROOF DEVELOPMENT 99

5.3 Program and Proof Development

As in the previous programming logic's, in >"w~ we can prove propositions that can be used to deduce a property of a program from certain properties of its subprograms, and we can prove propositions tha.t state equalities bet.ween programs, which can be used as transfOrmation rules.

First we conoider the problem of proving properties of recursive programs, I.e .. programs constructed with the fixpoint combinat.or Y .. The following lemma is Crucial for this·

5 .. 19 LEMMA (Fixpoint Induction). In the context repo the following proposition is provable::

'if(J;; ...... V 1:(J --> 17 'if P :: (J --> ... "

adm~88~ble 17 P "* P.1(7 ..:. ('ifx(}' .. P x => P (f x)) => P (Y 17 f)

PROOF .. Let r t- (1 :; .... , r t- P (J --> "'p lind r f- j 17 -- (1, and suppose that r f- _ (adm~,~,~~ble (J P). r f- _ P.1" and r f- • :: (I:IX(1 .. P.x => P (f x)) .. To prove P(y(J fl ..

The plan of the proof is <'IS follows If P .L" Rna ('i.X:17 P.;1; .:::,.. P (f x)), then all clements in the chain

.1" !:;.., f 1" ~" j2

.1.., ~" satisfy P Since P is admissible It then follow~ that the least upper bound of this chain also satisfies P So to prove P (Y a fl, we have to show that {.La. f .L", j2 .1"', .... } is indeed a chain and that (Y (J f) is its !cast upper bound ..

The predicate on (J that characterises the (:hain {.1", j .1", j2 1,,>.. } is defined a..<; follows::

C A.ro' .. ('rfQ;(J --> *)1 Q.L" -> (VY(J·· Q y => Q (f V)) '* Q x)

It is ca..~y to verify that C (J --. "'p is twe iu .L" and closed under J, and for any predicate Q 17 -- ~p that is also true in .L" and cl%ed \mder j we ha.ve ('Vx;(J .. C x '* Q x). So C. (T --> "'p [s the smallest predicat.e that is true h~ .L" and closed under J

We have to prove t.hat C is a chain and that (Y (1 f) is the least upper bound of C- Proving of (cham (T C) i~ not difficult define

Q = AX_17 ('tIza .. C z => (z ~IT Z V . .t: ~" .1;)) (T --4 I!<p ,

and prove that this predicate is true in .1" and closed under f.. A fairly deta.iled proof of (LUll 17 C (Y (J f)) is given it! figure 1) 1 011 p<l.ge 10!! It is essentially a conventional proof of thE:' fact that the least fixpoillt of a continuous fUllNion j is the least upper bound of the chain .L" [;; J .1" ~ j2 1.(7 ~ .. The t.ype para1l1l'tt>r of ~ is omitted ill figure 5.1.. 0

This It>mma gives the follov.ing proof rule t.o arrompany the type inference rule for Y::

5 .. 20 COROLLARY (CO\lphl aerivation ruk' for Y) .. In the cOntext repo the following rules are deliva-hlc

r r (J ... ~ rf-j (J-(T

rt-Y(1j (!

r I- P :: (1 --. "'p

r t- _ adm~ss!bte 0' P f' t- _ P.1q r t- _ "VX(J P X ..;. P (f x) r t- _ P (Y (J f)

o

100 CHAPTER 5 .. RECURSION

chain (I C

2 3Jttb(7 (HIB (J Club) 1, complete

3 l~,b : (7, (LUB (J C hto) I 4 C' = ()"YIY .. (3.:r:<7 .. C x A J x --=" V)) (7 ---t *))

6 3/11,&';(1 (LUI) (7 Club') 5, {:omp1ete

7 11tb' <7, (LUB a C' Inb')

8 lub' =" flub

9 LUB(JC'(jI1.,,)

10 LUB a C' U h!b)

11 V:.r::(J, ex;::::. C·'I;

12 UB a C' h,b

13 flub (; lub

14 V (J f (;;; hLb

15 ..1..,. (;;; V (J J

16 X :: (I, X !;;; Y 17 f I i----'-------.J.

17 Ix [; f (Y a J)

18 f X ~ Y {T f

19 'if:J.a T (;;; V (J f =} f r [;; Y <7 f

20 'tXer C'I; =} f r ~ V a f

21 un (7 C (V (t f)

22 lltb [;; Y (7 f

23 lub --" V (7 f

24 L UB (J C (Y (T f)

25 DUB (J C (Y !7 f)

3,7,contHlUlt.y, dcf (;'

7,8

G,9,(Vlntro),(3ellm)

def C,C'

3,11, def UB,LUB

10,12, def Ll.m

13, 1~(l8tfix

16, monotun.c!iv

15,19, def C

20, (M UB

21, 3, dd L un

3,23

2,24,('iflntro I,(.:lel'm)

Figun' 5 .. 1 proof of l('mmiL 5 .. 1 f)

53- PROGRAM AND PROOF DEVELOPMENT 101

Lemma 5-19 and its corollary are of course useless if we cannot prove admissibility of predicates,. Large dasses ofpredlcates can be shown to be admissible, see for insta.nce [ZNV72] [f'au87], To prove that a predlcat.e is admissible, it is useful to prove admissibility for all predicates of a certain form, as in lemma 5 .. 21 below, and to prow that a certa.in construction preserve admissibility, as in lemma. 5 .. 22 below .. These two lemmas indicate a well-known class of admissible predicates ..

521 I .. ro:MMA In conte;o;t rcpo the following proposition is provable.

>1(k, 13 ...... 'rig, h .. Q --4 13 admIssIble (l;' (Ax::a .. 9 x (;;.0' h z)

PROOF Suppose 0:, fJ "'. and g, h :: tl ...... i3 Define p= ('>"x::a,. 9 x !:,B h x) :: a --4 .p­To prove (I.dm~sstble Q P we have to prove

Suppose C :: 0, ---t "p, lub a, ((cham Q C), (LUB (~C lub), and ('I1x::n, C x=> P x)- So C is a chain with l!'ast upper bound 11th and all elements in C satisfy P ..

To prove (P IItb), Le q lub (;;; h ltd) Define predkatcs Cg and Cil l\l; follows::

(>.y .. T 31::::()' P x A Y ""T 9 x) (>'Y::T 3.1"0' P x A Y ""r II x)

T --4 .p

T ---t .p

By contInuity (g lub) 10 the limit of G9 , and (h lub) is the limit of Ct., Le (LUB l' Cf) (9 Il.Lb)) and (LUB l' Ct, (h l'!lb)) It follows from ('<i.xc< C.x => P x) - which )0 6-convertible with (\I'.x::o; .. eX;;} .9 x !;n h~) - than for ev~ry df'mcnt of Cg there is a larger element of Gil, i .. 1)-

Then (h iub) - the least \1pPE'I bonnd of c.~ is also an upper bUlllld of C~, B\1t. (g lub) is the leQ.$t upper bound of Cg and so Q lub !: h lub 0

It IS well-known that conjttndion "pn>s~rv('~" admissibility

5,22 LEMMA In context repo the following pwpo~ition is provable

V'Q::"s' V' P, Q(k ...... "'., (ulmtsstble a P :0> admtsstble (\' Q "* adm!sstble (\' (>..:I;::(~ .. P.x A Qx)

PROOF Easy

Using the Ia.~t t.wo lemm$ (l.dm[~sibility for a lat'ge class of predtCates can be proved, For example, by the antisymmetry [)f ~ it immediately follows from these lemmas that all predicates of th!' form (),'r::(1 .. [J.;1; =T It .x) :: (1 ---t "'" are ndmissible ..

Fixpoint induction can not ollly Ill' used to prove properties of individual recursive pro­gnuIls, but can also be n~f·d 1.0 prove many tr!lll~fot'tnation rule'5 for recursive programs An example is given in the next lemnlll

102 CHAPTER 5 RECURSION

1 (J;;>I<.l 2 j,g::(J--->17l

3 f..1 '" 9 ..1, Jot) "'- ,gof1

4

')

6

7

9

10

II

12

13

14

15

16

17

18

19

ulimts.nble (AX::IT x!; Y g)

..1 [;;; Yq ,....-----'­

x .. 17, T!: ,"C..!J f ~; i;;; / (Y q)

uarn!.sszble (AY (] j Y !; Y 9)

9 ..1 ~ Y 9

f J.. [;;; Yq '---"

II rr, ~ 1) ~ Y II]

gUy)~g(Y(J)

f(qy)[;;;g(YO)

f (g y) r; Y':!

'ty 17 .. / II !;;; Y'I =). f (q 1/) ~ Y i)

f(Yq)[;;;Yq

f t [;;; Y q

Itx (J t i;;; Y g =} f t [;;; Y I)

y/r;Yg

20 'tj,g(]--->(J jJ..=g.1=}jo.il=ao/=}Yji;;;Yg

21 j,g 17 ~ (J,j J.. '" g-!:,joQ = yo!] 22 Y / =Y(j

l!'mrnil, 5 21

j('mnw. 5 21

(5, 'I!,01/o%ntoty, fix)

3,9

11 mmW/OT!!c!tll

\12

l J, /Ix

11, ('tifltro)

8,1),1 "J

7,16, tran~

17, Iltl fltro)

4.,5.,18, k'I1Hlla 5 . .1!)

20.,2) ani/811m

23 "'j,g (j -" 17 j J.. ~.Ii..l ==>- j"9 ~ (io/ :=;,. Y j = Y.l1 22, (';'lntro), (:...;. Intro)

1"'11\"\lf(' 5 2 proof of lemma 5 .. 2:,l

63 PROGRAM AND PROOF DEVELOPMENT 103

5 .. 23 LEMMA .. In the context Tepo the following propo8Jtion is provable:

PR.OOF,. This proof, giv~n in figure 52 on page 102, is still sma.ll enough to be given in full in natul"al deduction format,. The type parameters of .1, Y , "", !: and admi88~ble - which are nearly always q .. - an> omitted in this proof.. 0

In lemma 4..48 we gave a example of a tran~formation rule in )..wt, namely for the distri­bution of composition over \1 .. D~callse +·types nOw include bottom elements, in )"Wt this rule requires an extra condit.ioll

5,24 L1!:MMA In the context TeI'O the following proposition is provable using axioms from AXIOM).!::

2

3

4

(j

7

8

10

11

12

'VPI,P~,T'(!"."f:PI ..... Cf,QP2 ---+ (T,h::a ---> 1"

(stnct (T T h) => ho(f'Vg) ""Pl+P~-" (hof)'V(hog)

stNct (J T hJ

I ~:~,))(;o" +'" 1_,) =. ((hof)o(ho,))Oo"+,, 1.x) botb ,;d~ 1»,Ll6 h (f xl

VXPI (lk(j'Vg))(lnpdP'J 11') =~ ((l!of)?(ho.9»)(inf.'I+t>~l.:r) 4

VY·I.12 .. (It.o(f'Vg))(lnp,+.<'~2!1) =r ((hof)V'(h09))(inpl+p~2 y) siIllilarly

((hof)'V(ilog))..Lp!+p, ""T .1T STRICT .<'\+1"

U'Vg).1t>I+t>~ """ .1" STRICT PI+P.

(ho(j7y)).1PI+t>< =T .LT 2,8

(ho(f'Vg)).1I'I·~P~ =T ((hof)'1(lI oq))1. p1 +1', 7,9

'VZPI + 02, (ho(f\Jg)) z "",. ((Ilof)9(hog)) z 4,5,10, AXpI+p~

h,,(!,vry) =pl+.<'.-T (h"f)'Vlhog) 11, AXPI+p~_T

In lemma 4..49 we gave two dl~t.ribllt ion ['ule:> for composition over (if then else) in )"wt In )..wr the second of these req\1irc~ an extra conditiun ..

525 LF-MMA In tho:' ('ont(')(t rCI'O the followiug pl"C>p0l'.itlon is prov~hl!' using axioml; from AXIOM"

1.. 'V/}::bool 'VO, CT, r*. V J, [}(1 --t r .. \l/i.::p ---> a (if b then f else 11) oh =1'_' if II then f oh else (Ion.

104 CHAPTER 1 RECURSION

2 Vblbool., 'r:Ip, 0", T1"~ Vhlt~ ---. "T" .. '1 J, glp -4 0',

strict 0" T h =*" h~(lf b then j else g) =p_~ If b then hot else hag o

By the definition of bool and (If then else), t,h~ ~(~cond part of this lcmma i13 an instantiation of the pr(!V)OUB lemma

It is awkward ttl have to usc thc cpo-ordering!:; every tiltl{' WI' want to prove termination of a recursive program Some standard rp.( ufsion pattenls '" III b~ u~ed often in recursive programs, Buch as primitive recursion, Or r~CUT8ion on the natllral numbers or lists with all l'ccur!live calls on slwl,ller natural numbers or >;horter lists FOI·· these COmmon recursion patterns we would like to prov0 termination once and fM alL Also, we would want to derive induction rules tailored to those rC(,llrsiOTI patterns, which Call h~ ujj~d from then on to prove properties of pwg-r<l.mJ:; that \Ise on(' of tbeJ:\~ recursion patterns ..

Part II

Semantics

105

Chapter 6

The Basic System

This chapter treatJ5 lh(> ~('mant.i(s of t.he bl;\l;k ~yst.cm AWL introdu(.ed in chapter 3. The semantics givE's a 150\ln<l lnt.crpretation of till' ~yst.em It provides I:l. denotational semantics for the programming languagc ann It t.luth-t(l,uk ~('mantics for the logic, w'hich shows that the logic is free from intullsistencies The model provides t.he justifica.tion (a.nd possibly also the inspiration) for ext.ensions of tlie ha.~ir ~y~tcm This can be !)xt.cnsions of the progra.mming languagl" c .. g new datatype,:>, dat.at.ypc-constI'uctors and a.~sociat.ed primitive operations, as will be considercd in subseqmmt. chapters.. It can abo be extensions of the logic, typically axiom.; expressing propert.ies of pl"ogr<l.ms or datatypes .. SOrllC examples of 3uc'h axioms have alrea.dy been given in chapter 3 ..

The structure of thi~ (·hapt.el" dosely follow8 that. of chapter 3 .. We begin by considering the two subsystems of .\WI.. AW. and AWl' Although syntactically th~~sc t.wo systems are idOllt.ital - they are ('opiel5 of AW - we want different int.~~l"pl"ctations for them .. This is because in .\w. om main interest. COllt(mlS the interpretation of t.I11~ tet'ms (pror;raml5), whercas in AWl' Our main interest ('one~Tll~ t.ht illtNpr€'tation of t.h~ t.ypes (propositiolls) Also, the modela will have to accommodat.!' extensions of the sY8tems, and ).w. and AWp will bc extended in different direetloDJ5 ..

Still, the global struct\lrC of t.he models for AW .• and AWp is the same In S!'ttion 6 .. 1 we describc t.he general st.rlldlll·C of a. mod('1 for ),.w, t.hr higher older lambda ("alc.ulus .. This is a stt·aight.forward ext~)lS10Il of t.he cnvironment lll()(lrls dcfined in [ilMM90] for the second oI'dcr lambda cakul\1~

In section 6 .. 2 we glVt> ;'\ modI'! for .\w. by ,;h()wiIlg t bt the PER-rnodd, '" hich is the best k110WIl model for the sewnd alld highcr ouler lambda caklllns, is indeed an J11st.<;l.Iltiation of thIs general modd definition

In section 6 .. 3 it is shown how t.h\' ~cnelill model dcfillition tan be instantiated to produce a model for .\wp The model for .\wI' is IlIUl'h simpler than the OIl!' for AW. It uses the classical int.erpret.ation of propositiou':> "'':> trut.h valucs .. It identlfie':> all proof terms, whi(:h is why it. is called it Jll"oof-it'-rclevanc(, )l1(ldd Tbi~ simple model suffic'es t.O pl'Ove consistenc:y of the logic ..

In section 6 .. 1 WE' ("{)nsi<ll'r t.he semantit~ of tb~~ wbolt~ of AWL It is shown how the proof­inclcvance for ),.wp (An hI' mmbiu('d wit.h allY ])lodd fO! ).w. to product) <;l. model for AWL

In AWl, there an~ lllOrf' pI'ccl\ca.tes .. propo~it](lllb and pr'oofs than in AWl" but. the truth-value interpretation of .\wp UUI casily h(' cxt.~·ll(hl t.O illdnd~ the addihOn1'l.1 const.ructs of A41I ... 'This model prove~ (·on~i~t.('n('y of t.he logk, and wnsist.('ncy of the axtoms 111 AX 10M ..

107

108 CHAPTER 6 THE BASIC SYSTEM

In defining the semantics of AWL <Lnd It~ ~ubsystems, the distlntt.lon between the different levels plays an Important role, In th!' d~!finHion of a PTS there is Ju>;t one (;ollectlon of (psl'udo)terms" But for lh~! particular PTSs we corlSid~!r II. more refined context-free syntax has been Intwduced in definitions 34 and 316, whel"e the dilTtnmt setJ:; of pseudotel"lns Kind, Cons, Prog, Pklnd, PCons and Proof are defined The interpretation of tNTrlS in the different models will be based on this context-free Qyntax

As far as the semantic's is concerned, only PTSs, and not DPTSs, have to lw cOrlsld~red, By theorem 2,,36 any model for a PTS also models the aQJjodated DPTS" As the interpretation of a DPTS-term A in ('ontext r we can takr th~ interpretation of its 8-not"mal form, the PTS­term bnf r(A) This means the interpretation of DPTS-terms is given in two !';t,eps fir~t take the b-normal form, and then take the intcrpl"datl/Jn of the resulting PTS-temL Ddining Ihl) interpretation of DPTS-t~'lm8 directly would only ()bJ:«'ure the model definitlons ",it,hout any a.dded value, becallso it would 511nply amoullt to tOlllP0!;lJlg Ow function 6nfj _) and the interpretation function fOI PTS-t('lll\S

6.1 General Model Definition for AW

In this section we give the genet"al dcfillit,I()ll of the notion of environnwllt lIlnd~1 fOI t.h~ ~ystem

AW" Thi~ describes the oVNall "trudme of an environment mod!'l for AW, ~!ld ... because AW. and Aw1' are copies of Aw al~o of t'rlVirOllmcnt modd~ for AW, and A(,)j'"

In iDMM90j the noti()n of envirollment modl'l for tlte f,etond order lambda calculus is defined It is based 011 1.11(' notion of environment mod("l for t.Iw untyp~~d lambda calculus, as given in lMey82j The gew:~r!l.1 rnod~!1 definitioll for >. ..... - tho hIY!U'1" onkr l~rnbdJt calculus -is a simple i-'xteIlsion of the one for tht' >;(,f'olld order lambda calculus"

The aim of ~llc:h a general model df'Hniti{lll iJ:; to ~eparate the general charad.on~tlt~ of it Aw-model from I,ho~e that I!.re particulal" to sjH,tlfit models Some properties call be provell with rf;!!;pect to this gcncr.d [llodd ddlnltion, which saves ll~ fcolll h!l.ving to prove them for each Aw-rn(]del mdividu/Ill} III p<trtlf'lll~r., 8()\Hldn€'ss of type a~signl1l("llt, 1,,('

a.nd soundness of (,Ollvfr~l()n, j {'

11 ~fI b =*" [a] = I b] ,

will be proven fOl" the gpH'ral model d('fillitioll Because the general mod~'l definition ~pccifio~ t~xiL('tly whnt con~titute!:\ a model for AW, it

tall il,IJjo help the desigu of it slw("1fk model This Wll! hI' th!' (a~p III dillptl'r b, where a model is constructed by solving I.bl' dOlll!l.lll ~·qmtt.ions thM are part 1)f til(" gl'[!('r~l m{)dd dl'finition

The general lllod!:,! d~'hnition is txplail\(d ll~llIg tlw (OpY .\W. of AW n('call that III AW. t,hree levels were dl>;tlllgU)~h('d killds, dalil.!ypr-(,()ll!;tnl(tOT~ and programs The two top layers of AW., the dM,atYIH'-Co1l5tI'Uctors and thril" killds, do !lot depend on the bottom layer, the programs .. Tlti!; [(H3!UIS th€' illlerpl"i'la!lnu of tlll~ k)))dJj and datatype·(,ollstrlldol'~ ('an br considered separately, before Wt t\ll"ll t.o tilt 11Itnpretation of the pl"Ogmtns

61 GENERAL MODEL DEFINITION FOR >,W 109

The ~Jnantics of the kinds and datatype-construdors

The datatype"constructor~ with their kinds form a aimply typed lambda calculus with a single type constant *~ and term constants --+ *. --> *. - ~. and II " (II( --> *.) - *. for all kinds D{" So a model for the datatype-constructors a.nd their kinds is a model for the simply typed lambda calculus_ Bdore we give a forma.l definition of what constitutes a model for the kinds and datatype-constructors, we d~scll.~,~ the different ingredients

The kinds are gl:'nerat,ed hy

II{"" *. I J1{ ....... 1I( ,

so all kinds are closed expressions For the il~terptHa.tion of kinds we simply have a set KmdlK for every kind II(

Th(' datatype-construd,()rs of type DO; are int.~rpr~tcd a~ clements of the set KtrtdlJ( So if Trr:J::JK,then

~ r f- {T D\] 7} E J(mdU(

~ r r a ll( 11/ is the meanillg of t.he datatype-c'onstrnctot" r:J in the environment '/)" This environment 1] is a function whifh gives the meaning of t.he free variables of 17

By lemma 35 th~' datatypc-construct.orH a.n> of t.he fOlm

(1;;; C/ I ('\aBC (7) I 0"17 I (1 ---t (]" I (ITa1IC (7)

where a E Varo. and d{ r'anges ove!' kinds.. To define the l1leanj~lg of a.bstractions and a.pplications in dat.!\.t.yW-foll~ttH((.ors Ii C' .. (,\0' l/'; a) and 0"10"2), the ~et,s Kmd/K have to J';olvc the domain eql1atjon~

Kmli u,,_11\2 ~ IKmdo{1 -----> }{md1ld where the square br!l.tk('t.s denote' some SHh'5~~t of t.he- function spa(.e The associated iso­morphisms a.re the t'lement-to·functioll 1l1Il..ppingi:, well·knowll from models of the type-free Ia.mbda calculus

In fact, Kmdll'j_'O,. Imd Kmt/o{, ---+ J(!ndl/{~ C(l.n ht' t.aken equal and not. just. isomorphic We maint.ain t.h~ isomorphisms hel"(' to ~~mpha~izc the similarity with tht' definition of t.he semantics of programs t.hat. will bc giV{'ll h.t!'L

Sol~'ing the dom!l.in ~'q\l(l..tillllS above takcs CIU~ of tlw interpretation of abstraction and application ilt datat.ype.constru{ t.o!~" This [('aves only the datat.yp(.'~ of the form (T --> 7" a.nd (rIaD( 0") to be dutl!. with

The meaning of 17 --> T (E Kind.,) is ct",tim'd il) t('ntlS of t.he meaning::; of 17 and l' (both E J{md.,) For this a funct.iou El is nCe'ded, with

6 E Kond., -----> Ktnd., -----> Kmd.,

The mf'a.ning of (rIa" B( (7) (E J{"md.,) is defined in terms of the function that maps /!oil possible interpretation~ (If (1 (E Kmdo{) to the reoult.ing meanings of 0" (E Ki'nd.,) So ~ r f- (ITa: 1I{ .. (T) *. ] 7/ I>; ([dined in tel"m~ of t,hl! fUllft.ion which IIlI\pS (t E Ktnd/K to

~ r, {}; 1l{ f- (! :: *.1711< ••• "" (1.] E J{wd., For t.hiH a f\lllttiolt [IT] is needed, with

IT!] E II (lC,uijl\' ----t Kmd.,) - Kmd •• f-/f,:u,

So 6 provi(\('s the intCl"pl{'tatwll of -', ,~lld @] provid~~ Ow illt,('l"pretation of II.. We have now introdtKt~d ~~vtl"ything that is tw('d!:'d fol" ,L Hlnde! for the AW$"datatyp~-c,onstructors

110 CHAPTER 6 THE BASIC SYSTEM

6-1 DEFINII'ION .. An envtronm("nl frame /01' the dat(},typ(~-C01!8tTuctors of .\w. if,!!, 4-t.\IPl~

(Kmd,1i Kind , 8, [[j), w'here

• Kt11(i "" {KmdJl( I D{ is!!' klTld} is a family of Sd$, mdexed by kinds

• iJJJ('nd "" {~U(I,J1(~ I 0(1 --4 Jl(~ is a kind} if; a. family of bijections with

wherl' I,he square br·atkM.s dellOte some s\lbsd of the function space ..

• EJ E;; Ki11.11 •• ------> Kmd., -----. Kl1td ....

(j

The meaning of a datat.yp~-(onstructoI C! depi'nds on an enVlI'onment giving t.b~! meaning of its fre!' va.riables The JtltaniugJ:' a~~igned to til{' fn'l wuiahles of (1 by tlJi~ l'UVlronment have to match the kinds assign{d to them in the COllt[!Xt The f['('e vltriables of a datal.ype­constructor are all datat.ype-{'ou~l,rlldor variables, if.. if r f- (1 Il(, then tlw frf'e v<Lri;Lhl[!s of

(1 are are declared in rD' ,

6 .. 2 DI,l'INITION L!'t. r Iw a .\w.-(Otlt.txl .. An environment 1) .~aIt4in rD'

- if 71(0) E Kmd u1 for all 0: :: 1/{ in r.J· .. written 1/ F r IJ

•

o

The mNuling of datatype-(ollst.m('tor~ is defined by uldud.ion on it~ typ<' d(,l'nation rMlwr than by indue liOn on its strnct.un' Tlll~ b dOlle becal1~(' tilt df,nni(ion Involves (type) infor­mation which cannot. be f011nd in th!' d;lt.;~typt'-(OnSf.rllctor~, but wluch ('lUl hI:' found in th!'ir type d~rivations .. For eX"'luple, the mC;l11iug of (11" depends on 4 U{,D(" where IKI ---t ]K2 is the typ!' of of (1 .. The [IH);U1illg of pl'ogl'ams ",til btl') 1\hio be defined b) lududion ou type dcrivatlMI~

A type derivat.ion f(Jr '" term follO\,,~ 1.11(' );trUC'ture of that t!'rm fnlrly dosely, so thcrc is nOI, much different(' h~:t.w(·('n the' two fonll~ (Jf llIduC't.ioll Ho\\ev('[", Ih(r(~ 1~ a diffNence It is calis-eel by the inf('t'·tnce rul('s (weaken) <1-11(1 (iiconv), which (an be ,Ipplied at many points in f\ derivation

Bylcmma 2 .. t5 we can l'('stri( 1,1.11(, piac('s wh!'J'l' tltl' rnl(' (we<lken) is llsed, nauldy only to derive r r (T :: JJ( whcre a iM it variahle In tlJ('~[' (<lM~~ the intel'pt'ct;HIOu (If (7 l~ Immediately givi>u hy the envirOlllncul.

This leaves (;jeenv) ab the only tnf('["tul(' rule whose us(' j" not dlr~!( t<'d by til(' syntax .. So the only way to produce different tYllt' dnwil t JOltS for t.it/' saml' tl'r1[li~ by dlfferC'nt appltcations of the rule (fleenv) .. Whenevet'· wi' ddiu(' the meanitlg of If'TrHS hy Induction on thcll' type derivation, the fir~t thing to do is of (}U1I'(' proV(' that diIT('['('nI, tYlH! d('rivatiolt do not ['esult. jn diff~rent meanillgs of I h(, 8ame tCl'llJ

63 DEFINrnON (S('mant.ics of .\W.-di~ti\t.ype.coltstructOI'~) For d"'tatype-con8tmctor~ (T we dcfilJ(' [ r f- (T 1/( ~ 1/ for all l' r- (T 11\" and I) F ru. , by

6 . .1. GENERAL MODEL DEFINITION FOR AU;

induction on thl'! derivation of r f- (f 0(, as follows

[ r,O< D{, r f- 0' ffq 1/

[n-o···g<h TI(O:)

[r f- (T PC h

111

if r I- (1 •• O( follows from r f- {1 IK' by (j3eonv) ..

[ r f- (TT .. 0{2 ]I?

[r t- (\0::11<1. tTl 1I<1 ---t /K2] 11

[ r f- (f ---t T •• *. ~ 1)

[r f- (I1o:0C (T) •• ~.] q

(iPU'I'U(~ [r I- (1 •• IK1 -0 ll{i] 1/) [r I- 'T" 0(111/

4>-1 IKIIK~

(l.a E Kmdu(l- [r, 4 11(1 t- tT •• ff<~ D 1110' :"" aj)

[rf-(J.·*~hG[rf-" *.]11

[IT] IK(Aa E KmdlK ~ r, 0' •• 1l< f- (J •• *. }rJ!0<= aD

The rule (8conll) is not really needed In type d!'riva.tions for datatype-C011structors .. The type of a datatype-Collstt··uctor is a kind and beCI!.\ISt all kinds are in norma.l fotm, this type is uniq\H~, llOt just unique up to 6-conversion .. This means that ll( == O{' in all applications of (8conv) .. An immediat.e C'onsequenN is that [r f- (J . ff{ J 11 does not depend on which partludM type dedvation we con~lder.. 0

The subscript ll( of [IT] u( will ll~ll!l.lly bt onutted .. By lemma 3 .. 5 thE:' da\l~Cf; ill t.he definition above cover all possible type derivations for

datatype-const.ructors Shll, [ r t- (1 •• !1\. ~~) is not. well-defined for all r f- tT •• 1I{ and 1/ Fro. for every environment frame Thf' pfohlem is that

is possibly not in th~~ ~llb~!'t. [Kmdu' l ------> Kmdu,J of K~ndu(1 -- Kmdo<2' i..e .. the range of the iPIKIIK~

6..4 DF'FINITION .. All en1Jlt'Onment model /01' the dMrdypt:-constructors of >..W. is an environ­ITlE;'nt frame for t.he dat.:'I.type-constrnctor.; for whi("h [ r t- tT ff{] I] is defined fot all r f- ~ •• 1K (tnri 1/ F= 1'0... D

III t.he a.d.ual models th:'l.t we consider thl.; will rH'vtr bl' a problem, as the ra.nge KI1td1Kj_lK~ of 4>J1(I"' .. if(~ will aJv.ays bl' the whole function ~pa(e Kindu\1 ------> KmdlK~.·

For any cnvit··onmcnt model for the data.typc-COnSU··llctors we have the following properties ••

65 Tm:OlmM (Soundness of type assignment for dM.atype-constructors). If r f- (1 •• Tl{ thell [ r t- f1 •• 1I( ~ 1) E; Kind O{ for all I) Fro.

PROOF .. Induction on thr· df'li .. a1.iol\ of r f- IY ff(

66 I,EMMA (Soundness of fl-rcduction for datatypll-wIIstrnftms) .. Suppo.;e (T Do tW', r t- (1 1I{ D. alld r f- (J' •• Ill: D.

Th!!ll [r t- a 11{ ~ 7) ;=; ~ r f- ~' ff{ J 1) for <Ill 1/ F 1°' ..

o

PlIO()F 11l(luctiOll on the struCl llr(, of (1 .. Th~ lJlt.~~r('>;t.lllg case is the case that (T is a redex. Here we need the substitution hnll1l1. giW·ll bd[)w 0

112 CHAPTER 0.. THE BASIC SYSTEM

6-7 LEMMA (Substitut.iOIl in datatype-constructors), Suppose r, y :: B., J" I- 17 .. JJ( and r f- b :: B. Tlwn

[r,r[y=b]f-u[y=b] U(]ry = ~r,y B,rtf-CI Jl(~ti[!/=~rt-b B~TI],

for all T/ F (F, F'lv= b])o. and 1/[JI = [ r f- b B D 1)1 F (1,1) :: n, r)o.

PROOF, Induction On th!:' ~tru('tur~ of (1 ..

68 THEOREM (Sollndne~l:l of il-conversion for datatyp(,-(o1\~trll(1.or~) Suppose 17 ~fJ (1" r t- u .. D( :: 0, and r f- 17' U(: Do'

Then [ r f- (1; Jl( ] 1/ = [ r t- 0' JI( J r} for all 1) Fro"

o

PROOF .. Tlli!; follow8 from sOl1l1dncss of d-r('dlll'lioll, SRf) lind eRa .. Dy eRg 0 and Of have a commOn reduct u f

' By SRtJ all I.!'nllii Oil til(' Tt'duf.,tlou path from 0 or a' to (1') have typc JJ( ..

By soundness of 6"redllctloll, ;t11 111(~e tt'rm~ haY(' th~' ~amc meaning (J

The JOemantics of programs

The definition of tlw ~~'ll1alltic6 of programs is similar to the drJilll1.ioIl of Ihr· SflIl<tnl,lts of

datatype-const.J'llct.or~ .. Irlf;tl''l,d of having a family of sNs Kind indexed by kiml!;, w!' nov< have a family of sets Dom illCI!>x!:'d by Kmd •• , i ~ indexed by the interpretations of datatypcs .. The meaning of a program of typ(> " i" ~1J ell'nwnt of the set thl!.t Dom assoflated to til(' meaning of 17,. So if r f- M :: (T, th('n

By lemma 3 5 prograll\~ an' of Ih( forTI!

where) 0 ranges over dalatype-fOl\"tm((,()r~, Ili o,er kll!d~., T E Varo, and n E VarLJ• Ddining the SemiLntl(:o; of prop;rams req\lir('~ mappillg:;. ~llllil,tr 1,0 thc rI('lllcllt-t()-flllldioll ml!.ppingo; it> 0(, -0< ~ neE:'ded to defin~ t h(\ ,,('nlalll I(~ of (hl<dYl)('-<'oll>;1 rudoI'~ HOW('H'r, \)\'( aus(' thert' are two kinds of aLstra( tiOll III progr,llll,;, OV('r a datalype and over 11 kind, thin~s at'e slightly more complicat('d ..

Suppose 1 t- M (r ---> T Then for all r t- N .. (j we' ltaH' 1 r- M NT, ~D "", ~11()Hld

hI' ahl(> to ddilW the m(,!'lning of MN (c nom,,!-, '.1''') 111 h'n)l~ of tlw If)I''l,))ll)g~ of At (E D(Jrrtpr"_T'.IrI) and N (E Dom"!-"',I") Tlll~ 1II1'ii,n", I.IIE' ll1e<l.lling of M h~ to be fonsid!;'r('d !I.J; a mapping fmm DOrflPhi " I" I.cl DOfnp h -.]'1 Tlll~ r('(jmrt'B

(i)

wh~r~ the sCjuar(' bra('kN~ (kllol!' f;OIlIC ~Ilh~d of I.h(· f\l)I( tion ~pl\«' T1J(' a~so(iah'd isomor· phi~m

is thp. elerrH~nt·to·f\ln('11on Jl1itppilJl; IH'('dcd tn ddiw' th(' IlH~jlllillg: ()f t('PT) i\h~tri\(ti{)1) ilnd applitA.tlon ..

6 . .1., GENERAL MODEL DEFINITION FOR),w 113

Sllppose r f- M (IJO:': DC Q-) Then r f- M 1" ., 0"[0: := T] for all r f- l' :; Jl(, So fOr all 'f we have to define the meaning of M1' (E Dom(rl-<7l<> =Tl •• h) in terms of the meaningS of M (E Dom[n_(I1.-. /K O") • .}~) and 7" (E Kindod This requires

Dom[f'I-(n .... :lK iT)"']') ~ l n Dom[r .... ,6(I-.,.,UCh(.-."'''ll, "EK'fldlJ(

(ii)

where the square brackets denote some subset of the generalised Cartesian product. The associated isomorphism

W[rr(nocO( ")~.h E Dom[n-(n<>:./K u) '.)'1 -----> II Domlr,,,, •• ru:: •• h[ .. '=<>[ aEKil'ldK

is used to define the mea.ning of kind abstl'action and applica.t.ion,

So for a model for '\i,<J. we nt>!'d a fa.mily of sets Dom 8uch that

Dom"'Gb ~ [Dom" -----> Domb]

D01n[]]F ~ [ II DOmF(Q)] «EK'fldl/(

for all a, b E; Kmd., and all F E KI7tdo,_ ••

69 DEI'INITION .. An envtronment lrame 101. AW. is a 4-tuple (KIND, Dom, <11-, <l>n}, where

• KiND"" (Kmd, 4>Xi"iI, G, illJ) is an ellvironment model for the datatype-constructors.

• Dum"" {Dom" I a E Ktnd •• } 10 a fll.lllily of sets, indexed by Kmd ••

• <1>- = {W;:b I a,b E Kmd •• } find <l>TI "" {of!~ If- U{ :: D" F E K~ndd( ---t Ktnd •• } a.re familie8 of bijections with

W~b E Dom«G~ - [Duma ----t Dombi ,

4>~ E Dom@]F -----> [n"EKin.i6( DomF(<l)] ,

wh!.'rt t,h(' square brackets denote oorne S11b~(!t. of the: function space and the product, reopectively.

The meaning of a. program depends on an environment that. gives the meaning of its free variables., The meaning~ ao~igutd to th(! ft('r variables have to match the types assigned to t.hrm ill the context..

6.10 DICI"INtI'lON Let. r be a Aw.-col1te){t Au I'nvironment 1/ sahsfies rD ••• - written fJ Fro,., - if

• 1/ F rD', i~ T/(o-) E Kmd o\ for all C1;; 1/1: in rD., and

• T/(.X) E Dom.ln-q".h fot" all -r ff in ro,

o

114 CHAPTER 6 THE BAS1C SYSTEM

6 .. 11 D!:,'FINITION (Semantics of programs) .. For programs M we define [ r f- M 17 ~II for all r I·, M (J and 1/ Fro, •. , by induction on the derivation of r f- M :: C7, as f()lI()w~

[1",x (J,r'f-:I;::(J]1I

[Ff-Mo-h

1)(X)

[rf-M:(Ti]t) if r r M :: 0" follow~ fwm r f- M (J' by (/konv)

[rf-MN 1"]1)

[r f- ("Xd, .. M) (]" - T ~ 71

(1)1 [r r M :: 0" ---> T DrlH r I~ N :: C7 h <I';I

[ r r M (J :: "[0"= 0"1 J 11

[ r f- (:\c.:II( M) (n(~.u( .... T) ~ TI

(J .. eEDompr""']'1 [r,x O"f-M Thl,~:=(I)

({>d r f- M (I1c.'II( T)] 1))[ r f- (! .... U(] t)

<l>:;I(A(lEK~nd"( .... [r,O" II';f-M rhIO"'=aIJ

o

By lcrnrrta:3 .. ,) th~' cll\\l8e~ in thls definition cover all possible type dCli\~1Li()ns for pl'Ogl'ams However, not for (""v(ry ~'llv[Wl)mellt franH' is [r f- M 0" ~ 1) well·ddined for" all r r M if and 1/ F rD •• , In ordcr for til(, llH'!Hling of all abstral tioll (),~ (T M) or 1 .. '\0: II'; M) to be defined the ranges of t.he 1>1 il.lld <1>1 ;thml !J;lV< to hI' lar!;!' PI)ol1gh

612 DEF1Nt 1 toN .... A .\W.-(-'TI,v~mnmfnt model is II >'",,-('IPlil"Ollllwnt fl'ame for ""bleh [ r f- 0" ll{ J 1) is defincd for ~Lll r r !7 :: Il\- ;lnd T/ Fro,., u

Of course we want to show t.hat the" lIl(, .. ,tllillg of ;l ]lmgrilrrl (((]Ih llot dqwnd nIl t..h('"

particular type dCfivMioll w(' nlu,;id(~I"" Ul!ltk~' for dl\l~t..Y]l~'-('()n~t..~II( tor~, fo~ 1\ prog~am thr~n'

can be many tyW (knvat..10ll~ .. , III whicll t..h~ rule (ikonv) is used in dlfIer~'nt places, and differcnt. (hut H-c()1lvertlbl(') t..ype~ arc d('riH'd for su[)('xpl'cs;.;iollS of the pIOp .. p.nl To show that thi~ elMS nr)t infhl~'nc~' the interpretation of the program, we lwed the fact that. these 13-convct"'!.ihll' l,ypN' Illwe 0)(' ~I\m~' interpr('/I\tion .... This ha~ alr('aciv \W(,ll provNl ill t hr,ot"'('llt 68, SOIIlHlllf'f;f; ()f H-umven,jon for th~ datatyp('·(on~trnctors

6, .. 13 LEMMA LN dill allll rlrT2 hr' rknva!t(lTls of r f' M (T 1\11(1 riM (J', rr'~lwr !ivrly

Then [ r f- AI •• (J ] 1/ = I r f- M (J'] 1)

where the meaning1; ar(' ddiu('d Il~iug dr, I ;cud rir 1""2 [(hlH"'ctlvrly

PHOO~ Illdlll tl011 £)[1 111(' stnH tUI(' of /'.1 u~ittg UTi! I\ud thr' "()Ullrlll('~~ of (j-. O[)v"PPIOI) for datatJ PC-C()IlHn1( t(lr~ (t..ltr'(II"~'!ll 6.8) lJ

6 .. 14 TIII::OHLM (Solllldnr'h~ of type' a,~~igllttl('nt for ploglattls) If r t- M !7 lh('ll [r 1-.... f\..1:: (J] 1/ E D()jn~i r" -,1>1 for all II F TO •••

PROOF,. IndllcllOU On the (knvatlOll of I' f- NI (J .... u~mp; ~ourrdj)('~~ of t..ypl~ a,;~iflllrrlE"'nt for datatype-const Iuel,On; (t b(O[!'IU GS) IJ

6 1. GENERAL MODEL DEFINITION FOR >.w

6 15 LEMMA (Soundness of b-n~dllction for programs) Suppose M I> pM', r f- M :: q and r t- M' :: ql

Then [r f- M :: (7] 11 '"' [ r t- M' :: q' ) 7/ for all t) Fro'.' ..

PROO~' Induction on the structure of M

11.5

Datatype-collstructors can be Bubterms of programs, 80 the reduction in M Can be a reduction in a datatype-constructor In M .. Hence we need soundness of J3-reduction for the datatype-constructors (lemma 6 .. 6) ..

The interesting ca..~c is the case that M is a redex, where we use the substitution lemma for programs ghfm bdow. 0

6 16 LEMMA (Substitution in programs) Suppose r, y : [1,1" !- M ;; (J and r I- b·· B. Then

[r, T'ly= bJ f- Miy= bj aly = vJ h = [r", B, r f- M a ~ tll!J :;= [r I- b B] t)j ,

fOr all 7) F (r, r'ly= vi )(1,>, and I/ly= [ r f- b :: B] tlj F= (r, y :: lJ, r)D,.,

PROOF lndlll.-tiou on the strllct1lll' of M, using the 5ubstltution lemma for the datatype­constru('tor~ (ltllJlna G 7) Wl' tmat jno;t. one case, Ull' CHJ';C that M is an abstraction, i .. e .. M ~ (\rp N) It.s type is th('u it flluttion type, !..f:> iT ~/3 P ---> 1" ..

Fir~t some abbreviations A io; A[l' .. = &.1 for )"w.-tl'rms A, and

L -().

1i -

So .Cl. I- v H a.nd f!,. f- (),x . .p N):: (l ---> -r

T,r[y ::'" vi r,Y B,T' qb = [r f- b n Dr/j

SUPPOI:>f:> 7/ F T, T'[1J= b] and II[V= [r f- b: B] III F r,y B,T', ie 1/ F K, and?/ F (). To prove

[ 6. t- (\xp N) p ---> T ] 11 = [~f- (>"~.p .. N) .. p ---> 1'1 t)

By the definition of 1 .. ] •. (I)

[ f!,. f- ('\xp .. N) p ---> T ~ ij

'" 4(1).I-p_T ',I~(l.~ E Dotnlb.l-p.,]r; [6.,:t; P f- N .1"] 1]"1:1; •• "" {j)

[71 t- fix!>. N) p ---> T ~ JI

= <l>IXl-p_ T ',I,,\A~ E D()'j)![25.-l-po.j" [A, .. t: .. p t- N r] 11[X= {j)

13~ th~ substitution kIllltl~ for datatYPl'-( om;t.llld.ors

and by the III

[ll.t-P--->T *.]fi "" [ ~ f- (I ~.I Ii

[Kt- p ----\ T *. b [Lf-7i •• >I<.~t)

[ 6., .. 1 •• fJ t- N ; T ] 11[;r= ~J = [3", l p f- N .. 'f 171[X=';] I

",lid so (i) Note til(\t tlu' IH only appli('~ if 1i11 = {] F (3: 0 x .. fi) and lI[ .. r "" (I F (6., .. l' p) Tll1~ follows from !/ F Eo 1) F ll. ~nd

e E Doml~I." •• pi = DornIXI_p.,],/

Cl

116 CHAP'1'Efl 6 THE DASTC SYSTEM

6 .. 17 THEOREM (Soundness of {3-coIlver~iOl1 for programs), Suppos(' M ~/3 M', r f- M ,. <.T, and r r M':: (7'

Then [r f- M :: C7 D 1} = [ r F M' :: (1' J 1/ for all 1) F r D,-"

PRom". Thi~ follows from soundness of {3-rl'du(:tion, SR,q and eRa

In fact, the environmt>nt, model~ for )..w$ respect not only !3- hu •. al~o 1/-E"<juality.. This follow" immediately from the f!L("t that the ipn(., ,0<2' q..;b' and <P~ are all bij('rt,i()lI~ ..

62 PER-MODEL FOR ),,"';$ 117

6.2 PER-Model for Aws

The best-known models for the second and higher-order lambda. calculus are the so-called PER-modds, first given in [Gir72] In these model8 datat,ypes are interpreted lIS partial equivalence relations over ~Om!' partial combinatory a.lgebra., and programs as equivalence classes In thi8 section it is shown that the PER-model given in [Glr72J, called H EO", can easily be fitted in the general model denliilion for '>"1.0)$"

618 D£FINITION 1.. (IN, ) is Kleene's applicative st.ructure, This mE:'anS ~ have some enumeration of the partial recursive functions, and Tt Tn is the result of applying the nth

partial l"ecursive function t.O 1'n

2 .. PER is the set of all parthtl equivalence relation8 on IN ..

:I if R E PER and n E IN, then I:nlii is t,hf ~'q\livalctlce class of R that. contains n, i..e .. [nJ R ~ {m E 1N I (n.,m) E R} ..

CJ

Fot the model for the dll.t.atype-constructors St'ts J(mdo, are needed, and functions B and [IT]

6.,19 DEFINITION

For all kinds III: tlw >;('1 f(milo, is d('filled aJ; folIov.s

Ktnd., Kmdo,'1_U<'2

PER KI'Tl.(i D(, ........... Kmdu\2

2., The functions EJ E PER ----t PER ----t PER alld

[ill E ITf-J1( o.(J(mdo, ----t PER) ----t PER ftr!' d('fined by

SEJT

[lliF {(n, n') E JN2 1(11 m, n' .. m.') E l' for all (m, m') E S}

n F(rr) aEKma/J(

D

620 L~MMA KINDH1W = (Kmd,1?"""t, [3, [TIJ), where all thE' bijedions in <}Ki"d are identities, io:< an E;'llviTOIIll\Cnt model for tht, dat'l.t.ypt-constructors ..

o

To complel.e- tht model for .\w. W{' W'i'd a family of sets Dom and a.ssociat.ed families of bljeltlons <1'- and q,n

6 .. 21 DI~HNI nON Let R., S, TEPER iLlld F E; I<mdO(' ----t PER fnr some kind II{ Then

1 DOTn/1 == {[nJ R I (n, n) E R}

118 CHAPTER 6 THE BASIC SYSTEM

II I ' ~ I ' 1>F ml[!j]F (I,;;;;; mlF(~)

D

The dcfinitions of 'l>S'T and 'II~ i;!.r~ giv~n In t\~rrn~ of r~'pr~:l:wntativ!'s of (>(j1uval~[H"l\ dasses .. Chccking that lhl"') an' wdl-dl'finl'd ;t~ fUll! t iou,; ou (q11lVit!t-'n( l' (htf;~(,~ is ~t,raight,f(}rward .. For

oJIST we have to \crify that (m 1!,I!!' n') E T If (m,m') E SBl' a,ud (i!,tI' ) f S (i..c that

1m 'I!h = Im'n'II if Im:l~"EJI = l:ml~Gi il,l)d Inl" = l~il,>,) For <l,~t WI' h'lvl tD vi"rify

that that (m,m') E F«(l) if (m,m') E QTIF 'Thes(' pl"operti('s lllllllediately follow from the

definitions of EJ Ilnd [TI]

6,,22 LEMMA .. (KIND m,(), D()lrI, $~, $11) i,; au !'lIVimllllll'ut, fmlll!' Ill! AW.

PItOOI"' .. We only have to show t.hat t.hl'l.t

1>;, E Dom~EP ----T IDotns ----T DOtnl]

1>~.1 E D(Jlil 0 ----T [ II Dattl f'i'" \] ~IEKm~tll(

are bUections, fol" cer'la.in sl.lbs('ts IDotnt> ----T Domll of Dom,., ----T Doml, aud c('rtam ~ub8et~

[n"EK"'~6( Doml'(a)] of D"fK""lJl( Dom"\~1 As th('s~' subsets WI' take the raJlg~M of <Ds\ I!.lld

~. 0

PROOF .. We havf 1.0 pro'll' IhM ~ r r- M :: ct ])1 is d!'fil1NI for all r t- M (f and )1 Fro .•. To prove t.hi" v.(' prOVf' h} iudu( i.l()1l OIL 1.lH ~I r ufi. urI' of 111 1.l1,1t. If 1 r- M (1 wlth

r', == xI PI, ,['", p,,,, I hl'll I.h(l(" i~ ,~ parl,l,d IN IlI"lV(' fUIl(! LOll f E IN"m ---t IN ~ll('h t.hat. for all 'I) Fro,., with 1(!,I,rl-", •• J', = lI(;/i)

In ol.hf'r word,;, giv~"11 n'I)[I!';!'lIt,~(lV['~ 7!, of (hI' 1'(j111vak'll("\' da,,~(~ ~i(..r,), f r('l.lll'n~ a rcprc-1';~Ilt,a.t,ivf! (If the !'qllivll,l~n('I' d(l,"'~ [ r f- M 0' ~ 11 ..

The (,rudal cIISe in this induction is til(' (ast' that AI i~ an il,b~t.r(l,( t,iOll" for wluch WI' IlN~d

Kleene's s"m·n th('or('m (~('(' (' g IDogG71) 0

6-3 PROOF·IRRELEVANCE MODEL FOR >..wp 119

6.3 Proof-irrelevance Model for "\wp

In thi$ section the genera.! model definition glvf.'n in 6,,1 is instantiated to produce a. model for the logic A .... p .. The model for A .... p can be much simplet than that for ).""" because Om main concern is the interpretation of the types (propositions), and not the interpretation of the terrn~ (proofs) Propositions are interpreted as truth values in this model, and all proof termS are identified, which is why the model is called a proof. irrelevance model. This simple model is all that is needed to provt> consistency of ).Wp, and to check the consistency of any additional a;.:iorns

Th stre!;!> that, this model is meant as a model fOr ).'-lp and not for ).w., we use PKznd, PDom, [!J and §] instead of KULd, Dom, [[] and G, respectively_ tIldeed, the model is useless as a mod~l for the programrrliIlg language AW •• beca.use it would identify all programs .. As we shall S(!t, ~ome of the tedtrlital machinery needC\d for an environment model can be avoided for thlo particular model, be<.ausf' it is so simple

A proposition is interpreted ao either the empty set 0 (representing "false") or as a sin­gleton set 1 (reprf.'stnting "truE"')

6_24 DEflN1IlON For all propkinds 1P the ~et PKmdu> is defined a.s

PKmd.p

PKmd[p,_ll', {O, I} PKmdlP, - PKtndiP:l

Hl;'re PKmdlf'! ---+ PKmdll '2 IS the set of all flLnctions from PK$ndll', to PKmdlF':l D

For till' interpretation of propositions that are formed using implication or universal quan· tification we defin!'

6,25 DEFINITION .. The functiol1o ~ E PKmd.v ---+ PKmd.p ---+ PK$nd.p and

[YJ E nf-IP Dp(PKmdlP ---+ PKmd •• ) ---+ PK~T!d.p ar!' defined as follows

{ ~ n

if P = 0 or Q "'" 1 otherwise

F(X) XEI'Kmd.,

So [I]ll,F "" 1 iff F(X) = 1 for a.ll X E PK~ndH' o

626 1,I'MMA PKIND = (PKmd, ~l'Ki"J, §. ~). where all the bijl.'ctions in $PKlnd are identit1e8, is an cnvironmE'nt. rnodf.'l fot the AWl' prOp-tOnstructOI"S

PROOF Trivial, because all <li ll', ll', Mt' ident.itie8 ..

6 27 EXAMPl,L .. For tht, propositional constants and logical connectives defined in defini­tion 3.,11 we get.

[False *1' I "" 0 [ True: *1' I 1

[ 1\ :: *p .... "p ---. "v] [ v .. *p ---> ~p ---. "p]

[3 D> (IP ---> *p) ---> "'I' ~

l.X E {O, I} { 1 if X ="0 o if X = 1

l.K,Y E {O,I}, xnY "X, Y E {O, I}, XU Y

,... AF E Pl(~n(lD~ ----., {a, 1} UX€PKtnd p .. F(XJ

120 CHAPTER 6 THE BASIC SYSTEM

As the family of !;~t!l PDom that maps each clement P of PKlnd.~ to a set PDomf' we t.A.n !;imply take the idell!'lty::

628 DEFINITION .. PDoffll:;;' 1 and PDomO':= 0

Then the domain equations

become

PDmnp[§JQ

PDom0"p

PDom" "-, .. , PDo1r!Q

II J'f)omHX) XEf'Kmd~,

p----.-.Q

II reX) XE Pf{"d.

a

By th~ definition of @] and [2J, either bot.h skit's <1["(' Ut( lmpty ~et or both sides are Singleton 8ets .. So the dOrn<1l11 t'(lnll.t.iou~ for PDom ~I(, solved .. Mon'ovH, 1l.1l the Msociated isomorphbms are uniqu(', ~illq' th~' loolIlorphisms arc eith('t l)(1wh'll two oBe-eh'l11cnt sets or betw~en two emply ~d~ If w," I('! 1>[i'Q I"1.nd 1>J, bt l.h('· I~Olll()rpht~mH ~()billP; tbe' domain equations above, then

6.,29 LEMMA, (PKIND, l'V07n, <1>"", iPV) i~ an environment mode:! for AWl'

PROOF, Easy, b('('a\ls(> P [§J Q and 0 u>F art ISOlll(lrpillC with the whole fUllo,lon Spafl'

P ---+ Q and the whok. product ITXEI'Km"D F(X), n'hp~~(tiv('ly 0

If r 1- p .. P :: *1' and t) F 1 n._. tll(ll by soundness of type asslglllJl(llt

[ r f- p P] t) E [r r P ~ll h E {O, I}

But thiJ:i is only pos:';ll)[(' if [ I' r P ~J> ~ 1) = 1, and I IlI'H ~ r r p /' ij'l) E 1 Till" llH'arlS that all proofs ar(! idelltiflPd 111 thi" modd the} arc alllltt,I'rprl't(,d W" tlw dement of 1 lnstcad of d~fining the inLfrprNat,lOH of i, ploof by illdllC11011 Oil 11.~ tYlw ,knvatloll it ('0\\1<1 ~imply be defined as the clelHl'llt of 1

It also follow'~ Illllllf·dill.t(,ly from sOllndnco:s of hpl' ;t~~i!;lllll(llt t hilt

6,,30 COHOLLA BY P h not provahle III (Olltl'Xi. r jf [ r f- P *1)] ~I = 0 fot' SOlll\" ~I F- 1"0.-...

o

This can hI' lI~cd to prove tOl1sistcl1<'Y (of fl)llll'Xj.,.;)ill .\wP' for ('xampl('

631 COROLLAHY (Coll";l~te)[('y)

L False lS lIol. provable in the emptv COnU'x1.

2 False is !lot. plovahl(' in tIl<' COI1t.cx1. con1 <tilling jw,t t It(, as~urllptiol1

6,,3.. PROOF·IRRELEVANCE MODEL FOR AWP 121

PROOF. 1 follows immediately from the fact that [F~lse •• "'p] ;;;;;; 0 .. For 2 we also have to show that there is an environment 1) that satisfies the context classic: VP:*p. (~~P) => P. The only possible choice for r, is the environment that maps classic to the element of L That this environment satisfies the context follows from [V P::*p. (~~P) "*' P "'p I ;;;;; L 0

This proof-irrelevance modE!1 NII! be seen as a degenerated PER-model, namely the PER­model where partial equiva.lence relations over 1 instead of IN are used, and the only possible function in 12 -----> 1 is used instead of the Kleene application· E JN2 ----t IN..

122 CHAPTER. 6 THE BASTC SYSTEM

6.4 Model for AWL

We now turn to the sema.ntics of the wh!)!!' ~y8tem )"Wl, .. Recall that )"WL consists of three pa.rts::

• the programming Ia,Ilguage )"w~ I

• the purely logica! part ).wP1

• four more PTS-l"ulrs that allow the formation of proofs and propositions tha1 drprnd on programs and data1 .. ypc's

This mran~ t,hat a model for )"WL will contain a Sllbmodd for ).w ... il,nd a 8ubmodel for )"wl)

Wr will in fact produce a model for Awl.., by (olJlbining '" model for )...,. aud a model for" )"wp

To bt> prf~Ctt<~, an arbitrary modcl fot Aw, illld UII' prnnf-Irrdl'vaJl((' modd for )"wp will be comhined

A.wL h>j.J:; the ~am(' pl"ogri'lm~ alld d'L1a1yp('~ HJ; ).w" ~o '~tt~ lllod('] for ),,"" call h(' used to interpret the programs 'i.nd datatypl:'s of AWL Tlus ItlraJl~W(; do [lOt.. have t .. O hx il p1l.r1L(:lt!V interpretation for Aw. J()! .... A modc'! for ).w/.. .. (an hI:' p,iv('u with respect to all arbil.rillY lllodl'! for the ).wl-part

On the other hand, Awl.... do('i'> hiLV( lIIO[! proof~ !lnd lHopooltlons than )"w1' We fix a particular interpretatioll for tht AWp-p<Lrt, llRlll£,!y t lIP proof-irrd('Vall( (' mo<irl defin('d in the pr~'viOUj;\ section .... This pl'Oof-itrC'l('va1Hc'" [llod!'! (ill! ('(!'slly h(' ('xh'nd('d to illU'I'lnet these additi(HlI:d constr\lct..~ in thr IOgIt-part of AWL

kinds, whirh are el('ment~ of Kind,

2, daLa.l.ypt-(on~tru( ton, whle'll <lIe e1rmellts of Cons

3 programs, wltirb arT dl'llH'ut .. !; of Prog.,

4 pmpkirHjs, whidl IU(' e]('m(,111~ of Pklnd

5 prop-(:(}n~tructor~ .. , which M(, ('Iem('llt~ of peons,

u .. , pt'''oof:,;, wbirll ;UT (>klTl(·tlt~ of Proof

Eadl of theJ:\e dep('nds ollly Oll (~Olll('" 01) I iLl [)Ill>' t .. ll'~1 1)1"('( ('(h' Hill th(' ord('r ~iv(,ll above Thl8 layered structure b a ['CSnit. of 1111' hc t t11'\t ,0)11(' 181'" .~~) (()]tlhillation~ aIC ('xdud('d as

PTS-rules in the defiml[()[l nf ).WI 111'[1' thc i(l.Y('IWl ~1nl( l\H'(' plty~ off It UUI b(' exploited by giving th(' !>('ltl!1l1tic'~ of laeil of t .. ll(· k,;d') ~epluMdy

LN M"7. (KIND, Dow, 'I' ,'1,11)

be any envirOn11lC1l1 lllock! fOl .\w. wIth

III Ow r(;'~t of tbb sl:'ction i"L AWf,-[lll)([c I will be ddlHl'd 1)1 w]d( h t"Ill~ modd M i~ th(' )"w.­SUIUllOdd

64. MODEL FOR AWL 123

The semantics of datatype-constructors and programs

AWl, has the same kinds, data.type-constructors and programs as Aw., their interpretation is simply given by ,A4;

632 DEFINITION.. L t) Fro, and 1) f= r D,., arfl defined for AWl,-contexts r lIS for Aw.-contexts (definitions 6 .. 2 and 6 .. 10)

2 [r r (f .. ll( ] 1/ is defined for all r r a .. If{ and 'I) F rr=J· as in definition 6 ... 3.

3. [r f- M .... (T J 1) ilj dl.'nlwd for all r f- M tJ and 1/ f= r D,-. as in definition 6.11

B!'ratlSe M is an environment modd of AW., t.his interpretation has a.1I the properties we have for cnvironment models for .\w~, e .... g ",OU[[dlleS~ of type assignment and conversion

The semantics of prop-kinds

By lemma 317 Ull~ prop-kinds are of thE' form

p= *p lIP - lP I a ---+ lP I (I1(~D{ IP) ,

wlwre D( ranges over kinds, tJ over datatype-con,;tn1ttors, and a: E Varo. So prop-kinds ca.n contain frel) va.riables .. For example, in Q •• *. I- (.\; --> *. 0P' the propkind Q ---> *. COntains a free variable 0;'- This means that the interpretation of a prop-kind depends on an environment that gives tlw interpri'l.<'l1.ioll of It.S fr"ee variables

633 DEFINITION (SI;'mantlcs of prop-kinds) For AWL ·propkindl:llP w~ ddilW [ r t- 1P Op )11 for all r f- lP 0" and 'tf F= rD., by induction on the derivation of r rIP •• 01" a.<; follows

[r r *p op J 1/ ~ {O,l}

[r r IPi -lP2 Op] 1/ - [r r PI DP] 1/ -----t ~ r f- lP2 •• Dp J 'l/ [rrO'---tIP D~>] 1) - Domin", •• ].) ---0 [r rIP;; Dp h

[ r r (IIQ8( IP) Dr> j'l/ - n~EKtndR( [r,o: g( rIP·· Op] 'I)[a.= a]

Hfrr in the right hand Sides, A -----+ B is the s('t of all functions from A to B, and rr~"A B(x) i~ t.hf !';d of all fUllrtions that map an a E A to I\.n el(>meut. of B(a) By lemma 3.17 the clauses above define [ r r JP .. 01'] 1/ for all propkinds lP. Ll

[r f- IP 01' J 71 is jll~t thr ~amc as PKlndtp as defined in the preViOII~ section for the propkinds that ar~ typablf' ill .\wp ....

6 34 LEMMA (Soundnelj~ of b-redll(tioll for prop-kinds). Suppose IP .. iJ /pI, r f- lP 01' and r r pi .. 01'

Then [r f- IP •• Dp 111 = [r f- /P' .. 01' ~ 7/ fo[" all t) F rr::J·

PROOF .... Induction Oil t.h~~ M.mrlllr(' of D\ Ilsing soundness of e-r~du("tion for the datatype­constructors (lemma. 6 .... 6) I;]

124 CHAPTER 6 THE BASIC SYSTEM

The !lub!ltitution lemma for propkinds is not needed to prove soundness of 8-reduction for propkinds, becalls(' all n'dl~d,inn$ in a propkind occur in 8ubexpre!:l!:lions that are datatype­con8tructors We will need the substitution le-mma lat.e-I"

635 LEMMA (Substitution in propkinds) Suppose r, y IJ, r f- /p, 0)' and r f- b B Then

[f,f'IY=/J]rlP[y=bJ:Op]11 = [r,y •• B,rf-/p o~)tl[Y =[rf-b B]tIJ,

for all 7] f= (r, r'[y:- bll o, and Jllv= [ r r b .. JJ hl F (I', y .. U,J')D,

PROOF Induction on f.he- st.rndnrr· of DJ, u>;ing the !;'Ub8titut.ion lemm!l. for th~ datatype­constructors (lemma 6 .. 7) 0

6 .. 36 THEOREM (Soundncss of O-touv('l"siou for prOpkllld>;) .. Suppose /P ""13 lPl, r r lP op and r r B" 0" ..

Th!!n [ r f- JP 01' J 'I = [ r f- ]PI .. op J 1) for all 1) Fro,

PROOF.. This follow!; SR~, CR.il' and ft'ot'\! !:l0\1ll(hW~8 of Ii-reductio)) foj" propkilldB (l~mma 6 .. 34), 0

The semantics of prop-collstt"Uctol":;;

By lemma 3 17 the prop-('onst l'tlctor~ ar.:' of t.ll(, fot'm

J' .. =1 I (AyA .. P) I P(l I (lty A P) I ['.::::. P ,

wherc A rang",; nv(~r Ow kind~, datil.t.yp{'-construclor8 and prop-killds, a over t h(' dl!.ti\typ~­

conStl"\lctors, progmms alld PI"Op-f'onHtrll( f.Ol!;', alld .T E V;lrlJp

The intcqH'ctat.ioll of a PI'OP-("()Ilst rlld,OJ P •• JP will lw ,\.11 ('ii'lIl('llf. of Ol!~ inf.(~rpr('ta1IoJ\ of JP, i e .. if r f- P .. JP .. 0Il 1.[[('11 [ r r P .. 1P J '} E [r r" JP .. Dp] 1/ So for t'xampk pr(!(hca.U's on a dat.al.yp(' c:r ~in' IIltllPI'('f!'d ll,~ {hJ'tl'J'tcti'rhtl( fl1l)("tlOllH of ~l1b~('ts of Dml)1 n-" ',1>1

(:),.37 DH'lNITION .. Li't r b(~ 'I. AW[-(Ollh'xt. All {'rlv'iroumf:lIt 'I .5(!t~sfil.~ rD,-,a. writt.r·n '1/ F ]o,_,n. if T} f=- r D,., <Iud 111P) E ~ r f- IP: 0 1,] 11 for all P JP in r D, 0

Givt'n tht' definition of [ r f- IP Op] 1), the inteq)t"((,ation of application anrl abstractIOn lrl prop-construct.ors is s!t"aightfory<a,r'd For tIle illt.C1l)fNatlOlI of products m propositions we use interst'('tions, as in the model for .xwp

6 .. 38 DI';l"INITIQN (S~'mantics of prop-constructors) For AWr-propconBtruct()r~ P W(' ddilW [r f- P IP] I) for all r f- P IP and n F' rO,.,D., hy induction on the dcrivatton of r f- PIP., itS follows

[ J ,I H', b. rl

[r f- P

Tr' II} -

lPh -tfrri'

[ r t· F(l Plr = (lilt)

[ r f- ('\.:r A PI (Ilr A IP)] I}

[ r r ("it A. J') .. ~1' J 11

~I\ r)

[r f- P ./P' h lP foll()1'< ~ froJll r r J> lP" b> ({Jeonv)

[r f- p (nor.A JP) b [ r I- 11 •• A h .lot" E A [r,~' A f- P lPD 1* = 1;1

(l,'cA [ f', .. 1' •• A r J' ~T'] 11i .• ) •• :;:; (]

64 MODEL FOR AWL 125

{

Kmd A if r I- A 0 8

h A .;:;. Dom(I'rk •• ]tJ if r f- A : *8 were - i r f- A: Dp n 1i if r f- A : Dp

[ r I- A·.·. *1> ] l1 if r f- A *p

Here we take n.,EO B(x) ~ 1 By lemma 3 . .17 the clauses above define [r f- P : IP] 1/ for all propconstmctors P.. Note that in the la..~t clause A may be a proposition, in which case (VxA. P) is an implication A "* P 0

6 .. 39 LEMMA .. Let deT) and der2 be derivations of r I- P :: 1P and r f- P : lP, respectively .. Then

where the meanings are dehlwd using det··] and der2 rE:'spe(.tiveiy

PROOf Induction on the stnl('tnrl' of P

640 TIl£OREM (Soundness of typ4:' asSignment for prop-constructors) If r I- P: 1P: Dp , then [r f- P :: 1P Dr! E [r I- iP: Dp h for all 1/ F rO ••• Dp.

PROOF .. Induction on the derivat ion of r I- P IP, llsing soundness of type assignment {or datatype.constructors and progra.ms (thco]··ems 6 {; and 6 14 ) 0

641 LEMMA (SO\lnrlness of B·reduction for prop-C0I1strllctors). Suppme P r:.- 15 P', r I- P:: 1P and r f- pi JP'

Then [r f- P ;; IP I 1/ = [ r f- pi :: /P'] ,/ for all 'f/ F rD ••• Dp

PIlQQI" .. Induction on the structure of P DMa.typc-constructors, programs and propkinds Can be subterms of prop-constructors, 110 ijo\U1diICSs of i3"reduction for these expressions is needed (lemmas 6 .. 6, 6 . .15 and 6 .. 34 )

As usual, for the case that M iJj t.he rcdcx we llse the substitution lemma. given below 0

6..42 LEMMA (S\1bst.i!.tlt.lon in plop·construct.o~o) Suppooe r, y :: B, r I- P 1P and r f- b· II Th~'n

p,r'[y-=bjl-P[y:=bj lPh ""- [r,y B,r'l-p:IPhly=[rl-b Bhj,

fm all 1/ F (r, r'ly= 0])°·-·0. a.nd 7/[V :- [ r f- b .. B D 1/] F (T, y B, r')D".D"

PROOF .. Induction 011 the stnl';ture of P, using the substitution lemmAA for the datatype­constructors, programs and propkhld8 (lemmAA 6 .. 7, 6.16 and 635).. 0

6..43 Ttl£OREM (Soundness of 6-collversiol1 for pto~}-constructors) Suppose P :::::ff pi, r I- P :: 1P and r f- pi :: JP ..

Then [r I- P •• 1[> ~ 1/ = ~ r f- pi IP D 1/ for all 7/ Fro ••• n.

PROOF .. This follows from I;oundn~~ss of 8-1··cduction for prop-conot.uctQrs, SRj) a.nd CRt! 0

126 CHAPTER 6 THE BASIC SYSTEM

The semantics of proof..,

644 DEFINlIION .. Ld r be a AWI,-context .. An environment 1) s{J,tt~fle~ 1 - if f/ F rD •• ,D. and 1)(X) E [r I- P *p )1} for all x .... P in ro~

So f/ F r iff

• T)(~) E K~ndD( for all x ' Il( in I'D,. and

• t/(x) E DQrnpru., h for all ,x a in r o" and

• ?/(x) E [r I- D~ Op ~ 1/ for all x IP in rOp, and

• 1J('x) E [r I- P "'p] 1] for all T P in r'p

wrilU'n 11 F= r o

Becauf;1' [r I- P *)]] I) E {O, I} , l)(X') E [r f- P :: ~p] 1/ i~ only po~~ibl(' if [r I- /' :: *p] 1) = L

645 DIT'INITION (Semantics of proofs) Fol" ). ..... L-prOot,; p we define [r f- p P] I) for all I' I- P :: P alld 1} F r a~ thf" ekJlll'nt. of 1 0

646 THEOR£M (S()undrH~!;!l ()f type assignment for proofs) .... If r f- p: P then [r I- 1l l' h E [ r f- P *p h for all 1) f= r (i (' ~ r f- P * pIt) = 1) ....

PROOF WI' proVl that, for proofs p,

if r I- p P t .. lH'n [ r I .. · P *1'] 7/ == 1 for all 1/ F r

by indu{,tion on the derivation of I' I- P J>, n~illg ';O)llldll('~S of t,yP(' il.h,~ignmf"lIt for dat .. at.ypl'­con~tru(:tor8, programs and 1)l""OIH'0IlSlllifI01S (llu'Ol('lllS G .... 5, () 14 "1.11(1 G .. if) I.... 0

As for the proof-itr"('}I'vanfl'" modl,1 for A"-'l" it follow~ immediat('ly from ~ound))(',,~ of typ~ tul8ignment that;:

647 COItOLl,HlY P i~ riot provahle' in fonle'xi r if I I' I- P:: ~I'])} == 0 for :-,0111(' fi r- r D

This can be llsed 1.0 pn)V'"(' (oll~i,~t E'IIQ \ of (Olltexto) in .\W i.. .. , (l,~ for in!:'tanc(' ill (ol""ollary 6 19

6048 EXAMI'].,"': I\!; (l,ll example of the intcrpretatioll of a ),.WL-propcon~tnlct()l"", We' consider Lcibniz' equality.., whlth wa~ d('fined ill ddinition J 21 by

=;. ..V~::*, ;\..:r,lJ(~ .... 'tPo --> *)) .... (P.:r) =} IPy) 00'::*, Q --> (\ .. --> *)'

This will turll Oil!.. to b(' lllterpr('ted as equality ill til(' ),.w.-modcL SIlPPO~(~ M alld N lir(' program~ l'ilt..h r I- 111, N !7 alJd )! F= r ThIll

~ r f- M =, N ~p ~ 'I

[1 f- V r (T --> *1' (P M) =} (P N) "J' ~ 1)

n [r, F:: <7 --> */1 r" (p M) "'-'> \p I\[) :: *p] I}W ~ (I ~ E f)01n t("ru •• )u --> {O,l}

64, MODEL FOR >'W& 127

For'; E Dom(H-(l'.,j'1 ---t {a, l} it follows by the definition of [I that

~ r, P a ---t *j:> f- (P M) :.> (P N) :: *p hlP :"" ~l = [r, P a ---t *j:> I- PM .. ~p ~ 111P= e] §] I r, P .. (J --+ *l" f- P N : *p] 1/[P :"" ~!

, beul.usc [ (P M) ..;.. (P N)) ;= [P M I @] [P N I and that

[r, P ; (J --+ *p f- PM .. *p] l1[P •• "" ~l

__ [r, P: {f ---> *p f- P •• tJ --+ "'I' ] 7][P- {] ([ r, P : q - *p f- M :. (J ~ T)[P :- W , because [ P M I = [ P] [M D

e ([ r,p •• (I ---t *j:> f- M •• q ~ 'I[P;= en ,because [P] l1[P:"" el =- ~ ;;;0 ~ ([ r I- M •• d D 11) ,becau~e P docs not occur in M,.

So for [r f- M =" N ~p] 'I we get.

~ r t- M ;;~ N .. *1' )7/

ij r t- '11' a ---t *1' (P M) => (P N) *1'] I) ::::; n e([rt-M"(1~l))~~([rt-N (f]11)

e E Dom( rio'o ., h --+ {O, 1}

Thi~ ran be simplifi~d fUI,·ther if we di"t.ingnish two possibilit.ies for ~ r I- M (J] 1/ and

[rl-N q]f(

(i) Suppose [r t- M tJ] 7/ = [ r t- N (1'] 1)

Then e([rt-M (Jh)",,~([rt-N (1']1)) for all function8 e Since O~O = 1 and 1 B 1 ;;= 1, thiR IlH,tu8 that e([ r f- M a h) ~e([ r t- N (I h) = 1 for all

~ E Domlfl-17 .,jIJ -----> {O, l}

(ii) Suppose [ r t- M tJ n 11 -# [ r t- N (J] I)

Then thHe i~ a fnnctioll ~ E DtJ1)tijn" •• 1rI -----> {O,l} such that e([r t- M 17]7)) 0:::: 1 I;!.ud ~([ r t- N .. 17] 1/) = 0 Then ~(~ r f- M •• a E 1')) ~W r t- N (J ~ 1')) = 0 for this funct.lon {

So

[ r f- M =" N "p ] TI

= n ~([rl-Md'))ff]e([rt-N··tJl11)

~ E Domlfhr •. \>1 ---t {O,l}

{I, if [r f- M a h = [r f- N (7] 1/ (by (i) ) o , if [ r f- M •• (1'] 1) ~ [ r f- N (T] '/ (by (ii) )

This means that [ r I- N =" M .. *p] I) = 1 ..;::::::> [r f- N , tJ] 7) '" [ r t- M tJ] 7). the in­terpretl;!.tlOlI or Leibniz' equal of programs is 1 iff their illt,Npretations IJI the ),.w$-model are

equal - and t.h(l.t.

[ n ] "K \' Y D { 1, if X == Y ""L.. (\;"$ (\' --+ n ......... p = ""t/ E md.,.1", E OIDa 0, if X ¢' Y

o

128 CHA PTF,R 6 THE BASIC SYSTEM

So Leibniz' f'qU1l.lity, a.8 dE:'fined in definition 3,.21, b [ntcrprct.ed fl.i; I~qu~lity in the .\w.­Bubmodel, irrcspf'!'!,ivf' {If the .\w~-model we choose, This means t.hat axioms for L~ibIllZ'

equality of programs can bf' safely added on the basis of equalities that hold in tlw .\w.-tllodf'L For example, because cqualit.y of programs In any .\w.·environment model is extensional, it can be a8BumE:'d that LeibnLr.' equality ii; f'xt.~'n~ional This i~ 8tatE:'d in the corollary below,

6,,49 COROLLARY (Con~i~tency of AXIOM - c1assicallogk and (:xten~io[)ality in .\wd False is not provablE:' in a context containing only axioms from AXIOM,

PROOf', [False *v] = 0, so by corollary 647 we only hl\W to ~how tbat thE:'re l~ an E:'nviron­ment IJ that, satiJJf1e8 this context., The only possible value that an ~'nvir(H)ment (an M5ign to the variabl~a c:la$$ic, EXT and EXTJj( is the dement of L That, t.hiS envirOnment satisfiE:'8 the COtltext above follows from the fact th,tt all th!' propO!;itl(l1l~ ll,"~11l1H3d il) nus ('ontext are int('Ipret.~d <IJ:I 1 0

Chapter 7

Simple Extensions

This chapt.er t.re-at.S t.he seml\n!l(!; of the syst.em,; iIlt.roduced in chapt.er 4, i.e. of t.hf' pro­gramming language AW: and of Lhe associat.ed programming logic Awt .. It buildo on the model definitions given in t.h~ ]ll"edous chapt.!)!" for t.he programming language Aw. and the programming logit AWL .. These modds will be extended to pl'Ovide interpretations for the +-, x· and :E-typcs and their iuhahlt.a.nt.s.

As in the previous chapter., (lnly the system., wit.hont the definition mecha.nism have to be con.,iden,d Any modl:'l fOr a. PTSs with +, X and ~ also p/"Ovides a model {or the cor'responding DPTSs with +, x (l.lId L., because, by t.hrorcm 4 .. 20 - elimination of definitions for DPTSs with +, x, and L -, a ternl il'l a. system with definitions can be interpreted by first eliminating all definitionf;, and then i!)t.~rpr('t.lIlg the resulting t.erm in the system without dell nit ions ..

The structure of t.his chapt.er tlosdy follows that of chapt.er 6 In section 7 .. 1 we give a g~~n('ral model definit.lOll for AW:, which is an extension of the one

for .\w, given in the section 61 .. It is not difficult t.o incorporate the datatype-constructors + and x in the general model ddlnition for .\(&} ... The datatype-GonstructOI" E turns out to bf! slightly more complk!ttcd

In section 7.,2 it is shown t.hat the PER-modd for ;\w; whirh is an extension of the PER-model for >.w. given in :';crtion 62 - i~ !tn instantiation of this general model definition ..

In sect.ion 73 it l.~ shown how the pnlOf-lnelevance model fot·· AWL given ill section 6..4 Can be ext.ended t.O provide It mo(H [01" Awi This model prov('s consistenCy of Awt and consistency of the axioms In AX IOM+

7.1 General Model Definition for AW;

The gf'ncral model dehnition for AW. given ill section I'd will be extended to provide a general model definition for >.w: .. As ill AW., in AW: we can first consider the semantics of kinds, then the semantics of the datat'YP{>-c'Ol1>;(,t"\tctOl'S, and then fillally the sem!l.ntics of the progra.ms ..

To obtain a Aw; -model from a giVf!1l Aw.-model, it has to be extended to provide inter­pretations for the IH'W datatypes and for the new programs .. In t.he genera.l model definition for AW. the f\tn('!.](m~ G and [IT] givt~ the meaning of -- and n·dat.atypes.. We now

also need furu::t,lons G:J, 0 and []] t.o give the meaning of +., x- ,!,ltd 2:-datatypes .. In the general model definition for .\w, t.Iw domain equation!; for -t. and il-d1;ttatypes provide

l20

130 CHAFTER 7., SIMPLE EXTENSIONS

the interpretation for the a.<;!';otiated jlr0gri;l.Tll (on~trud.ion6 W~ now h~vp to indud~, domain equations for the +-, x- and l::-dal atyp('~

The semantks of the kinds and datatype-constructors

As fat a.<; the kind~ an:' con('erned, there is no difference between AW. and AW] So, as for th~ AW.-UlOdel, It family of sets Kmd = {KmdD< 11I{ is a kind} is needed

The new datatype-constructors are given by the definition of Cons in definition 4..21l (We will not hot her with the subscript *~ of the empty product no., and the empty sum ~O" here.) Functions @, 0 and [[I arc needed to give the meaning of the new datat'lpe­

constructOr!'; TIl(' f1Inction ~ will have the same type as [ill, Le

I]] E II (Kind u, -----> Kmd.,) -----> Kind., 'r-U,~ D"

Using [I], the rm;ming of a d!1t!ttyp~ ('[.(l<:Ut- (7) in Kind., is o(,fjned in t('rm.~ of thE:' function in Kmdu( -----t Kuu}, •• that llliLph all p(,!'~ihk inh,rpr(~tatl()n~ of (~ to Hii' n~1l1ting trlc!aning of CT.,

The meanings of dat.<tt.Ylw!'; Il(lJ 171, ,I" r.r,,) and E(ll 0"1, .. , [,,::17,,) in Kmd •• ar~' dl-!hn~'d

in terms of the fnntl.1on III {II, ., i,,} -----> Ktnd •• t.h!lt rrll\pS (l. I(lhd /, to tllf' 1lIlitnin!!; of (]"i

For this fnnt!,iollS 0 Illld [±] ar~ used, with

II \L -----t Kznd •• 1 -----> Kznd •• I- L [11-:l.r, .. 1

ThiS results In the following definit.ion for an environment frame for t.he (on')tructors::

7 .. 1 DEFINlJlON All (~11,mmnm{·nt fmrw fm the d(Jt(lt1J1)(::-crm,~t'rn{.·.t.m8 of ),.w: l~ iL 7-t.llpk

(Kmd,il>K",<I, G, [TI], [f], 0, [IJ\ w!tNt'

• Kmd "" {1(md u( I JJ{ 18 It kind} is a family of St'ts, ind('X('d by kinds

• 1>J(,nd = {'I'u(I U'·J I U\I --4 U\2 i~ a kiwI} is a fa1nily of hijt~(ti(fllH with 1>1K! u(~ E K~ndu'·!_I/(, -----> IKmd Igj -----+ J(~ndIhJ ' wlwn, UIi' ~qllan, hnt(bU; dt'nOil' SOrne !';llbSl!t of (Ill' fllllctioll opaH'

• G E Kind., - Kind., -----t Kmd.,

• @],1]] E I1J-U( o,(Ktnd u, --> }(md.,) -----> Ktnd ••

• 0, G E TIJ-L o,"~) L -----> Ktnd •• ) ~, .• Kind ••

o

We will not distinglll~h t.ht' !t'rrrt 01, .... ,/,,):: Dh~d i-l,lld till' ~l't {II., .,1n} ~ L BI'wan' that f- L:: 0 1,,10<1 I!'; nOt ~~qlllv(ll~nt with L (;; C, bc'cause if L ~ ( i"- <'\11 mnnitl' lit't, thl'n w€! do nol have r L Or"bel .. Thl' f!tct Ulat bh~~II~'d (art('~hl) prOdll( t~ and di!'joint, hl1rrt>.; arf· fmd(:: products and Slun!'; may hI-! m~l'dl-!r1 for c~rt!tin trludd (On!ltnlf'tlOll~ ..

Defining the intcrptd,atJOll of tit!' ll!'W dM.atYV<,-tOllSI TudOrS llSlllg [I] , 0 :tnd ~ is straightforward;;

7..l GENERAL MODEL DEFINITION FOR )"w.~ 131

7.,2 DEFINITION (semantics of AW~ -datatype-constmctors)., For datatype.constructors 17 we ddine [r f- (T Il( n?/ for all r I- (J :: II{ and ?/ t= rO, by induttlon on the derivation of r t- 17 : ][( ~ in definition 6,.3, extended with the following da.uses::

[ r I- II(11 .. (J1o .. ,I" 17,,):: *, ~ 11 0!t! ,l~)(.AI,E{II' ,I .. }_ [rt-(J!*.Jt/)

[B{11,,cn}(1.Ii.;{ll,-·· ,In} [rf.-(Ti:*.]?/) [r I- E{II :: (71, , I... (TTl):: •• )1/

~ r I- (L('(JIC 0) :: *.]?/ ~ D((.Aa E Kmd/K [r, Q : ][{ I- (J" *. h[o:::::: all

o

For 0 and GJ the same notational conventions are used as for their oyntactical counterparts

For instance, we write 310 S2 for [2;] {I2)(l.~ E {l. 2}. S,), The indices Land Il( of 0L' G I, , [IT] IK and ~ 0, will usually be omitted

As in chapter 6, the meaning of some datatypc-c:onstructor may be undefined for a given frame, fot exactly th~ same reaJ:;Orl, namely that the range of the <f>IKI~O(2 may not be large enough., Analogous to definition 6,,4 we df'nnc::

73 DF.:FINITION., An envtronmenl model for the (latatype-con~t'f'lJ,ctor8 of A~: is an environ­ment frame for the datatype-('Onf;trllctors of >..w: for which ~ r t- (J :: ][{] T/ is defined fOt all r I- (J" •• JI( and 1/ Fro. 0

The properties proved ill chapter 6 for a.rbitrary ellvironment models for the datatype­('onstructor~ of AW. also hold for arbitrary ellvironment models for the datatype-constructors of AW;

74 LEMMA (Soundness of t.ypc assignm~'llt for datatype-c.onstructors) If r I- (f Il( thcn [r f- 0" D( ~ 1/ E K,nrl o( for all!1 Fro.,

7 .. 5 LEMMA (Soundness of B-n)llVCrsion for datatype-COlll5t.rnctors) .. Snppose r t- (]" JI':', r f-. (1' 1il", and (r ":::::.{:j (l',

Then [r t- (j .. ][{ ] 11 '"" [ r t- (]! D(] TI for all II Fro.

These lcmmas can be proved III ~x<t("11y t he same wa.y as in ehapt.c!" t),.

The semantics of programs

o

o

Upgrading thl) general mlld!'l definition from A""$ to AW: is more wOrk for the programs than it IS for the datatype.C01l8trU{'!,ors, The genf!ral modE'1 ddinition for >..w. includes dornain tqllations for ..... - and I1-typ!'~

Dom(rl-"_T -.h 9!! [DOTJ![fI-O', •• b -----> DOm(rh .... h]

Domlf'l-(n(lR( 17",1'1 ~ [ II Dmtl.[r" 1/(1-",.,b("'='<1I] "EKltl~1Ii

with the square b!'ad;~~ts denoting ~onl(! ~llh"ct of t.he function spaCe and the generalised Carte/;laJ\ product Now for AW) dOlrl(l.in equatiom, have to be added for the +-, X· and

132 CHAPTEH 7.. SIMPLE EXTENSIONS

E.types, in such a way that the new program construction8 for inhabitant~ of these types call be interpreted using I,h~ !\58ociatcd isomorphisms.,

For +- and x-typt'1~, the follo\ .... ing ~'qul!.tions havi' to be 8l!.tisfied"

Dom[ n-n(11 ''''I tn 0,..,) ...... )7J' ~ n Dom/Ff-(T, -.)'1

I,E{h I.)

DOm(FI-Uh''''1 in O'n.} +.]11 ~ L Dom/rI_(T, -.)'1

I,E{C, Cn )

The functioll mapping I, 1.0 0', is left implil'it In the right-hand !:lides n is llt!, gfo!nf.'rali!:lcd cartesian product, and L is 1,1lf.' !:let-theol"el.ic di'lcriminated (lilion, Le

L D01nIf'I-", -.h = U C,(;(II, Cn) i,E(f.

{(ii, 'd I ,x E Drnn/lh,., •• ]oJ} I.)

Note that lh!' 1ohole cart('~ian product. and di!;crlrrJinated uniOll ;LI!' ([0('<1 in tlte domain (!qua­tions for produd. and sum tYPN, This in contl'ast to thf.' domain eql1atl(Hl~ for function typl~ and pc}lymorphic lypf!o, where' wl' iln' ('out('nt. with wll,~ets of the fnllcticHl opacc and gener­

alised product Thi~ hi becaus(' ~llHW functions ill Dom" ---+ Dom;, Or fL",}(".JII< Domp\f/.) may not be :\-d('finable, Wh('[('iLS ~ll tupl('s ill ill,E{11 I,.,} Dom p (1l ;end all injections inl.o LliE{ll .. in} DOmHI) are ..\-df'finahle (01' rathl'T, C/- and in·defin<lb!(»

Glwn the interpretation of dal ;elypl!~ in defilcit.ioll 7 .. 2, Ot<' domaill ('qllilti(JlI~ for +. and x-tyP()~ arl;!

and

for all L :; land PEL -----> j(!1IiE.. For t.he billary pl'oducts and Slim!; W(' get

Dom(rI_<1"~··.h

D01n[ II-,,+T '.1'.1

where in the nght hand ~Hl('~ x and + all' t.h~' ~et-tlworetic ('al'l (~I>l,11 procil1('t and disfrirni­nated lllllon, Le

For Ih(' I;!rnpty pj·odlld. D() and 1 hI' ('Illpty ~l1m '[0 1'«' gd. tli(l,j DOfnPl(l ',l'~ iiilllllorphic to a smgl~ton set and D(ltn P;CI " J J~ if.Olllorphic t.o t.ll(' flllpty ~et

For th~ ~>typcs t.1H' ~ij\lat.ioll i~ llllHl' complirall'd All Ob~i'i()ll~ dlOJe(' for th(, domain "entation for a I:.typ(' I~ ()n~' ~jlllilM 10 1 h(' 011(' for' it +-tYlW::

L Domp.-,.IJ(I-v ·.}>!r" =,,1 "EJ(",dJ)(

(i)

The !i.8l;odated i~oll\clrph)8m UHJ illd(P{1 h~' m('d to illlll[li (,t the progt';tltH oll~tnl1 lions for E· types .. With the lsoJll()rphi~m from light 1.0 ]('ft the tnl'<luiug of (lnl:,,'lI'(, r N) (;en I", rl('fjned in terms of 1 hf.' meanings of T alld N With the i~()mOlphi~nJ froll! ldt to right t.h(' llH'i'l.lllng of \J f (ECt::NC 0') --. P call lH~ dehncci in I,('['lll!; of the mel'ttJill!!, of f :: (n(~ If{ a ---. pL Howi~vl:'r,

71 GENERAL MODEL DEFINITION FOR Awt 133

the domain equation above requires more than is strictly necessary_ Only an interpretation for a weak l:-type is needed, and (I) provides the interpretation of the strong l::-type (discussed in section 4.1 3).. This is becauJ;(;' with (i) inhabitants of a l:-type are interpreted as pairs con8lst.lng of a datatype-constructor and a program, and the AAsociated isomorphism can be used to define projections 'lT1 and 11"2 such that

"'-1 ([ r I- (In£..dK I} T N) ;; (Ee;:;][C u)] 11) Tt'z([ r I- (InrccIK "r N) ('£0:;9{ .. 0-) J 1/)

[r t- r *.] 1/ '" [r I- N : 1'[e;= r] h

Indeed, ill PER-model eqtlation (i) caunot be solved, as can be shown by considering the cardinality of the two sides Take 9(:;;;. >to. Then the left hand side of (i) is a set of equhJ'alence classes in a partial equivalen('e relation on IN, and the right hand side is a. set of pairs consisting of a partial equivlI.lence rdation on IN and an equivalence elMS_

Later, in chapt.er 8, a model will be given that does sat.isfy (I) (but in which the Dom", are cpos instea.d of sets)

We will give anothet domain equation for ~:-typcs This domain equation does not r8-quire that DomWp is i~omorphk to La DOmF(a), b\lt. only requires that it is isomorphic to

L:" DOmF(",) modulo jjomc equivale)I((> t·clation ~ .. The following example explains the idea behind this

7..6 EXAMPLE Suppose (inI;c.: •• " T N) and (InEa:.. " r) N ' ) arC of type CEQ;"' •.. (7), and sup­pose for all functions f ;; (na;;"'. (j ---t p) and all environments t/ that satisfy the context

~ r r f l' N p J '1) "" [ r I- f / N' ;; p ~ ?).

Then the model does !lot. have to di8tlJIgltish (inI;(>: •• " r N) and (InBa," " r' N'), because there is no function \J f·. (Eo:; ... 0-) --4 P that ('an distingOish them .. We will define a relation ~ on L:", DOItt(r,,, •• ro- •• N .... ''''''I so that th(' plI.irs ([ T] ,[ N)) and ([ '/"' n, [N' ]) are in this relation.. 0

To defiM ~ the following notation is \11';cd

7.7 DEFINIT!ON (App(_,_))

For f E Dtn1t@]F and (,I. E Kmdo( we wlite App(j,a) for q:.~(f) (a.)

For f E Dom"'Gb and {; E Doma we write App(f,~) for 4>;Hf) (0. D

So for example [ r I- f r N ;; p n 1/ '" App(App([ f I , [ r ]), [N D), for [ _] as defined ill def­inition 632

7-8 DEFINITION (~) ..

Let F E Kmdo< --4 Ktrtd.. The rt'lat.lon ;::::; on E"EK'fld,,; DomF(a) is then defined as follows: (a, \) ::::; (a', X') iff

App(App(j, (1), X) .. App(App(j, a'l, Xi)

for all b E Kmd •• and all f Ii; Dom@]CA"EK'fld,,; F(a)G6) o

134 CHAP1'£'R 7 SIMPLE EXTENSIONS

So for the datatype~ T, T' *$ and I,lli' programs N :: 17[0 ::= Tj and N' :: qi'Q := Til in ex­a.mple7,,6wehave([1"~,[NJ) ~ ([T'],[N'])

As the domain equation for I:-types 'he HOW take

The associated isomorphism can 1)(> u~ed to intetprl't th(' progr'am-(;on!;trllctions for' L-I,YP(!Q .. With the isomorphism 4>- j from right to left th(! mea.ning of (In£nO( a T N) can hI' df.'filled in tCrnlQ of the mCi'l,nings of rand N, namely as 01>-1 a.pplied to the equivalence class containing ([ T J, [N]) With the isomorphif;rn 1> from left to right the meaning of \If: (Ea::H(" 0') -0 P can be defined in tCrIfl~ of the mcalling of f :: (TIC!:;}T( a ..... f/), Il!l.mcly as !.II(' fUIH tion which maps an clelrllmt of ~ E Dom 0 F to tlt(' ITSlllt of applying [f J to a and X, when' (fJ" xl i~

any elem~!rIt in the ('{[llivah'nc(' cla:;,~ <1'(0" The defimtloll r)f ~ g\larantcl':-' that it. docs not matt~[" whic'h (a, y) E <!>(e) w(' cltooo;(" ..

With tIl(> domain ('qnM,iolll' for +, x ilUd I: tbllt haH' beeH {;ivrm, t,h~' Aw; -l'm iroHIIlent f,ames arc HOW defined as follow5

79 DEFlNt ["ION (Aw,,' N)VlIllllll1ent [r'am(') .. An enVironmt'11( /,ramejor\w,; i~ It t.nplr (KIND,Dom, if! ",oPll,<l,L,'P",q>'), 'hh('['(',

• KIND = (Kind, rl>"""j, EJ, OTI" W, [2], [IJ,) i~ 811 enl.IPonmtnl model for the AW; -r:onstmd.MI' ..

• Dom = {Dom" I (I, E Kwd •. } IS a fall1i1y of sets

• '1'- and <1>[( i1r( fl.!; in defilli!.llln 6 .. 9, and 1>" "" {1'! If- n..: .. 0., F E Kmd O( ---> K~fld •• }, ,p = {of>;' If- LLJhl",I,F E L ---> Kind.,}, and 01>+ = {<!>j If- L 0"wol,1' E I., ---> Kond.,} !Lr(' families of biJ!>l tioll~ wIth

4>}~ F E J)mn [EJ I ----t (2:::~(;K,ttJo.- DomF(~))/ ~

1>f E DomC]l - TIu:}, Dmnj,(!)

1>7 C DomGJi --> E1CI" DOmj'li'1

o

We now d~fjne the illil'rprdMiOII of !I1(' IllW program COIl"t.llll 1101)~ ill )."""j ",Hl! l'l'spld to an arbitrary ~'nvironmelll. h 11)1)(' Tln~ SilllplJ Il.mO\lHt~ to ills('rtiug t It(' right isomot''Phi,:;ms in the lIght places, bat }'OI)H' of th(' tl'~llih I('ok very \In'lppl'li~il(g III ('xamp]e 7 .. 11 (.It(' )lIter­pr('l.ations of case 'Llld OIbstype ali' {;iWll" whi< h M~ il 101 i'i(~l('l" to r~ad 11t,,!l 111(" l11tC'rpretation j)f'V for +- il.lld )::-datatypc~

7,10 DI",I'INITION (S('lllll.l)tics of AW:;-pl()~pamsl For a ..\""';-program M '.'<11,11 r f- M 0', ~ r I·.M (T ~ t) is d('/IlH'r1 for J} F ru .•. by llldll(tioll

on the derivation of r f- M :: 17, a~ in d('fillitioll G 12, ('xt<'ud('d "'ltlt th~' (bu~('~ given bf'low ..

71, GENERAL MODEL DEFINITION FOR Awi 135

For x-types ,. Let fl;;;;;; IT(ll"u!', .. ,11'Iu,,) arId F = (Ali E {iI," ,In} ~ r I- u, *.] 1/).,

So 0 F =" ~ r t- (J *~ D 1/ Then we ddine

trl- (/1 - MI , .. ,In ...... 0'»): O"Dri - .;J>11(l.I, E {h, .. ,11'I} [r t- Mi:: O",J!1)

[Tt- M..l,: O"i]7) - (WI ~r f- M •• 17]1)) It

where ol>l

For +-types .. Lit (j = E(lIO"j" , I .... (]',,), F = (Ali E {II, ,[" } .. [r f- cr, .. "'. ]tI), R"" [r I- p ""] 1), and (} =J!-I E {EI, ,l,,} .. F(l)GRL So l.:tJF "" [r f- (]' *.] I), and 0G;= ~ r I- rr(lp11 --4 p,.. ,I .... cr .. -- p} .. *$171··

Then we define

[rl-in"..l,M. q]11 - v;-I(li,[rf-M, (Jinl)1

[Tf-\lJ l7--->p]1/ "'- 4z)()'~EDom[!]F <D 4«tl>J ~ r f- f .. 1l(l1:(]'1 - p,,, ,l"fln --4 p) »"1) I) X)

whcrf' ~I '" o}+

F E Dom G F ---+ E/ Dam P(1\

U, X) 1'1(0 E 2:1 Dom}\t) 1'2 = 4f!]FR E DOTn[!]FEJR ---> DomG} ---+ Domn

<1>3 ;= 4>;; E /JamG]c ---+ fL Domp(I)E]R

<1>4 = 4 F(l)l1 E DOTl!;'(/.IGH -- DOtn}(I) ----t Domn

For E-types Let F = (l.a E Kmdu( [r, a II\" t- CI •• *. ~ ,)k,"" I'IJ), G"" (An E Kmdfl( F(a) B R) and

R =..l! t- p *d'17 So ~F = [r t- (L,('r.D{ 0") ~.] I), and [illG = [r t- (ilaD( (]' . ...,. p) *. ~ 1/

Th~\ll we define

[r t- inl..:"U\ " T N (Ec.dK u) h - '*'1 1 [( [r f- T D(]II, [r t- N 0-[0:= 'l"j h ) L..

~rf-\7f (EnD'; (]')--4d 1) - 42"1(1.{EDorrt@JF

44«iPJ ~ r t- f •• (IIaJK t1 ---> p)) '1) a) xJ

whcr-e <1>1 "" of?r E DmnWF ---+ (Ea DOmf'(iO»)/ ~

((L, y) E 4>de) EO::" Dom/"Ia))/ ~ .;J>2 "" :ilJ p /1 E; Dom[£]FBll -- Dom[£]}, ---+ DOTnIl

<f?3 G E Dom[!j](; --t TIa D01,r)'''''(a\BR

<l>~ of?F~."l,R E Domp,"IGIl ---+ D07rLF(al ---+ DO!nR The definit.ion of ~ gll<l.I"~1.lIt('('5 t.)\(I1 il clO('~ nm!I!'1" which «(1, X) E 41(e) is chosen.. 0

136 CHAPTER 7.. SIMPLE EXTENSIONS

7 .. 11 EXAMPLE TIl!:' int!:'rpretations of t,h~, (:~se· and abstypE!-['Onl;tructions are casler to rNtd thC'1l the interpretation of \J given above .. Ddinition 7,.10 gives tlw following illtel'pt'·Clat.ion for ca~e"

[r f- (c~$e N of In 1 [j; 1-" MI I 1m 2!J .-. Mn eS;I(:) T] 1)

[r f- 'V(h .-. P:;1;O"I" Mil, ,in 1-.. (A:r::O"n" Mr,)) N :: T ~ 11 [r,X:Cfi f- Mi T] 11lX =:d

by the definition of case by rlefinition 7 . .10

where (lil\) = <I>t(~rf-N 1:(/1.171, ,1,~Cf"jh) E L1Domp(l),with F = (AI,E {II, ,l,~} ~rt-171::*.h)

As the interpretation of abstype we get

[r t- (abstype c.Jf( with .'!: .. {T IS N III M) p ~ rl

[ r r V().aD\- \117 M) N :: p J II [ r, t~JK, .'.r::0" f- M p] flln ::"'- aj[',r= \.1

by I,IIP ddildt]()n of abstype by dC'finitwn 7 )0

where (o,x) is an) d~'rnent of the ~-('{pliv~ll;'nce class .p~([ J t- N .. (~0: JJ( (r) J tl), wit.h F = (l.a E Kmdo\ [T, n Ui f- Cf ~"] 'II(~ "'- (11) 0

7 12 DI':I'INlTION A ).w+ -rnnronmeni modd il'; ,L .\w+ -t'llviroutne'tll fritUI[ for which [r f- M :: 0"] I) is ddluNI"for all r f- M 17 awl '/ f= rd... 0

If a AW; -frame is not. fL .\w.; -model- Le' 1.11[" llH'lllilng of some plogritm il; lIot dd\lled for the frame· then the reasou i~ tklt the rang<' of Ou(' of tit!:' bijections ¢;'b or lI>V il; too ~!f\all The

reason callIl()!, be that the ['augr' 01"'1 bijec'tion <}~, 1>:. or <1>7 II' too ~malL This i,; OCfauSt' I.hp rl;Lnges of these lllje{ tlons 1'1,1"(, prC'~("lilH"d hy the rl('finition of itu f'lIvironmt'Tlt frame', whetea.~

all subsets of Dom" -----> DomiJ and n~ D01nll ".I are allo\',.cd ,t~ t,ll{' nLrlW' of 'i>"b and <l>~

The pr()puties proved III dl<Lpt.t'l" 6 for ~\lt:.llrMy ('llvlltlllrnent. mod ('Is of ).""" ;d,:;o hold for arbitrary envirOIllll('lIt models of >"""';', !tlld they can be pt"ovNI ill ("xl;Ldly thl;' same way a.~ in chapter 6,.

7 13 LI:.MMA .. Let d(') I alld d('1"2 b{' de'ri\i'at.l()l1~ of r f- M (J and r t- M :: 17, fTl;p~,(tively .. Then

[ r f- M •• (J ~II "" [r f- M (J' J 1/ ,

7,,14 LEMMA (Soundn('s~ of type assignmeIlt for programs) If r t- M •• 0" then ~ r t-!vI (J )1) E Dom[n-" •• h for 1'11111 F r u •••

7 .. 15 LEMMA (Soundness of H-I ()lIvr:l"~lolt for program~) .. Suppose M -==jl M r, r f- M .. {T, il,lld r f- M' ()"

Then [1 t- !vi .. (J ~ 1] = [ r t- M' (TI] '/ fo)' all t) F 1 n,_,

o

o

n

72 PER-MODEL FOR ),w; 137

7.2 PER-Model for Awt

11'1 section 62 it was shown that the PER-model for AW$ is an instantiation of the general model definition for )".;.J, .. Wc will now givc a PER-model for AW; that e;>::tcnds the one given in Sf'ttion 62 and show tha.t is an insta.ntiation of the general model definition for )"w;

Most accounts of PER-models in the literal,ure only deal with --4_ and II.types. In [Gir721 interpretations for +-, x· and I:-types in the PER·model can be found" The interpretation of x-types given below is diffetent from the one given there, This is because we have n-ary prOduct types a.nd not just binary ones

For the sake of simplicity we assume that all labelf; are of the form 11'\ for some n E IN,. This gives us an ea..~y way to a..~sociate a uuique natural number with every label..

The Interpretations EJ and [[] of --4 and n are defined as in definition 6 .. 19 To interpret the +-types we n!,,>('d a pairl!lg function alld proj('ctions ..

7,16 DEfINITION .. The function (_, _) E IN"'l ---t IN" is a r!:'tllfsive SUrjUt.IVe pairing function and 7rl (), :lf2(-) E IN --t IN" are the assoclat~:d pt'ojection functions 0

The datatypc-construd.ors +, )( and E are now int.erpreted as the following functions::

7 .. 17 DEFINITION ..

1.. The fun('t.ioll~ 0, [±] E TIr L 0, •• " (L ----. PER) --t PER an) defined by

for all FE L ----. PER

{(11, n') E lJ'12 I (1l. ), n'n E P(lj) for lj E L}

{((I,nHj,~/)) E ~21 h,TI/) E F(!J) and lj E L}

2, The function ~ E TIrJl"o.(Km<i Jl{ -----> PER) ----. PER IS defined by

[[]F~ {(n.,n')EIN"2 I (n, rt), (n', n') E UaEKmdo.: F((L) , and U"n, t d) E R for all R E PER and (j,j') E [IT](,la E Kmdo{ F(a)6R)} ,

for all F E Kmdo( -".., PER

o

In the definition of [f] w(' can retognize the defiuit.ion of ~ If (n, n) E F(a), (n', n') E F(a' ),

and (f, n E [IT] (.Aa E f(tndn, F(n) EJ R), and we denne

If] - If] ~!} l.,,~/<'t,dl'( I' (JIG 11) E l)om@](,laEK,,,JD< F"(a)GR)

[/1 - [Pl@](l.IIEKmd ol i'(")GR) E Dom@] A n ( "EK,,)dlJ{ F(a)GRl In) - In'IFlIl) E f)01nF(a)

[n'l - In'IFI.") E D()TnF(a)

then U 'n, tn') E R is cquivalellt. with App( App(lfl, a), In!) = App(App([f'l , a'l, [n'])

138 CHAPTEl? 7 SIMPLE EXTli.'NSlONS

7.,18 LI:MMA,. KIND iJIm = (Kmd ~J(1Il1' El, IT!J, [I], 0, [±].) is an envirotltnl'lIt. model fot the .\wt datat.yp!:!-construNo['S 0

'.rIa> ~ets Domfl. aud till:' bijections 1>R's and 1>~ arc df'fiu(:d a8 jn definition 6 .. 21.. T(l

complete the lllodel biject.ions 1>t· , 4>; alld q.~ arf' uf!:!ded::

7., 19 D~FINJTION, For GEL ----T PER, and F E Kmdlh' ----. PER, t.h~ functions

are defined by

Dom 0 G ----T flu Domc(1)

E Dom [!]c; ----> I:IU Domc(n

E Dom [EJ F ----T C[:a€ Kind 1'<" Dom /0'1")) / ~

4>~ InIG}; <Ilt; l(j, Il)] GU

<.t'lll)I~F

Al) E L [nJlo(I,)

(), [nlc~(i,,)

[(11, Inl;'(IZI)] "" wlwrl-! a is an ar-bit.r;Lry ('l('mctlt of Kmd IJI o

Checking tha.t these "fir, 1>~\ ,md 4>~.~ are well-ddilli'd functions Oll NllllV'a.ipn( I:' classes is ~t.raightforward F'ol" 4>; for \\ Illtli t i)l~ is t!J(' mo"t. ('OHlp][( <1,1.('<1 1 hi~ aJl\Ollllls 10 proving

720 LEMMA .. Ld F E Klltd ,l( ----> PER. (n,n') E ~ F (~O InJ@l''' In)~l) and let

a,a' E /(mdl}(" TlwlI

((L,[fll/'I~,1) ~ (a', [11,11'1(<'1)

[((/, 1??'If'I~J)] ",,) PROOF 'Th prow ((r,[njV{i<))::t:; (0',1:1(1F'(,,')) WI' II!lv'(> to prov(' tltat

App(App(j, fl.), rl) = App(App(j, (t), n') , (1)

where R E PER <lnd I ~ Dam r;-;l " _ K ' F(' r=-l ) .. This I is an ('qUlv;Ll("JH (' ('iaR!> in the L...!.lJI .... ~" .n"l1\ "·,1CJII

partial eqnivakJl((! r~htiotl 0IJ(l,{i E Kmdy, F(a)EJR) Let mEl, l C

f = [m)IT!}l.nEKi"d/K F(~IBR.I Then by t.he ddinit.iolls of App(_., .,) (ddiuit.ioll 77) Illld of <I> " <l,tt<l <t>1I (ddlllltioll (\ .. 2l) 0) lS equivalent wit.h

[nt nJII= [fli rl'lll

,Illd by the d('fillitiOll of ~ t 11I~ f()J1()w~ from (n, tl') EmF.

To pro'll' t.h<l,t we hn.H" ~Lll lflVllonm!'nt. j'IL'IfI,( fo~ .\4J: we have 1.0 ~iJOW::

721 LEMMA TIl(' fun(tioll~ 1'/', <I>~I <Iud .pi, n.f(' hlj{'(tioll~

PH.oor Easy"

Finally

o

7 22 LEMMA (KIND II/i()., DOH!, 1'-, <I,ll, ¢:<:, 4> ~" q,+} l~ illl lllVir()1I1)[('ut. model fo[' .\w;

PROOF,. P["OViflg th<lt l r t- M 0' ~ 1) is defilltd fcu' il,1] r f- M r1 itfld TI P rC"l,·· i5 done exactly i1$ ill imnlTIa (j 23" 0

7,3 THE PROGRAMMING LOGIC 139

7.3 The Programming Logic

In the previolls chapter proof-irrelevance models were given for AWp and ),.WL .. In sectioll 63 the general model definition for AW W3JJ in!';!,ant.iated to prOdllCe a proof-irrelevance model for AWp" In section 6..4 a proof-irrelevance model for the "loglcal" part of A(,.)I. was defined givcn an arbitrary model for the programming laIlgnagc AW8 .. Extending these models to deal with the additional primitives of AW: and Awt is vcry easy, and will therefore not be treated in much detail

7.3.1 Proof-irrelevance model for Aw:

The proof-lm:Jcvance model for AWp defint~d in section 6 .. 3 tan be extended to a model for AW;t .. Th!;' new proprconf;tntttors V" A ann :l ftl"C given their usual truth-tahle interpretations:

7 .. 23 DEFINITION .. The functiolls [2J, 0 E nI. ol,,~)L ---t {a, 1}) ----t {O, l} and

[i] E ITU( o.(Kmdu( -. {O, I}) ----+ {O,l} al'e defin~d hy

0LF ~ nnn ta

[~:hF - UF(I) /EI..

W If' I" ~ U F(X) ... v~ PKtnd.iP

o

However, the proof-irrdevance modd for .\Wl~ cannot meet the gellcral model definition giV\!ll ill section 7 .. l The problem 1>; I.h,\.[. this genera.l rnodel definit,itm is already t.oo specific .. In particular, it r!'qnires that Dom"G]b is i80Jn(~rphic with th~~ set-theoretic d~'~J(}~nt union of

Doma and Dotn& So, if Dam" and Dmni! i~fC singl('toll~, Doma[2Jb has t.o be a tW(l-i'I!'ment

s~t. This is clearly not. til(' (\1M ill Ih~ ploof-llTl'levance mudd, because tlwrr DOma [2Jb is

the slngl(;!t(lii s('t 1 if Dorn~ and Domb an' both singlct.ou~ ..

7 .. 3.2 Proof-irrelevance model fOI" Awl

Let. .M = I1dND,Dom,~-,<l>11,4~,4x,1>+)

be any environment modpl for AW} A lll()dd for Awl tall be defin~d irl which M is the snbmodel for AW; .. The ollly di!TN'ence with t.1t(' construction ill section 61 are the interprc­tations for t h~~ 1ll'W prop"c.oll;;t l"nft.ot'·s, wlMh ,\.n' of ('onrse mt.rl"prN.('d a~ in the AW: -model a.bove ..

The intcrpretati(lll ()f the' kiud~, dil1<~typc.consh·\l(!or~ a.nd progra.l'lls is given by }.Il, be· ('H.nf;(' by lemma·1 37 ).wt has th~ ~il.1Il(, kinds, datatyp('-constructor.; and program~ as Awi I

Th(> int.f'rpretat.]Oll of t.he plopkind~ i~ defill~d ItS fol" AWL (dcfinltlOll (33) .. The n(,w pl'·op·constnld.OI'~ :l.l(, givell h) t.h(' definit.ion of peons in definition 4 34 The

dd\nit.ioIl given in S('(tiOll 64 fot" t he l)1t(~rpl"d,<1.t ion of prop-c()nstructor~ has to be extendf.'d to dl'!fl.1 with these Il(>W (flies

140 C'HAPTEH 7.. SIMPLE EXTENSIONS

7,24 Dr:.FINITION (scmarlti('~ of the new AWL-pn>pconstructors) For AWL -propconstructors P W~~ define [ r f- P lP ~ ~I for all r f- P 1P arid If F rD." D~ by indu('tjon on the derivation of r f- P IP, a~ tIl definition 638, extended wlt.h the following clauses::

[r f- 'V(llPt,·· ,i"P,,} :: ~p ] T/ -[ r f- 3(llP!, ,1 ... ::P,,) :: >!<p ~ q "'-

[r t- (3.:rA P) "p n 1) -

n,EUJ .,fnJ [ r t- n. UI;E{11 In) [r t- Pi UeG:A [r,X Af-P

if l' t- A :: d, if r t- A "'" if r t- A Dp

:: *1'] I]

:: *p] T/

"'p] 1)[T = el

if r f- A >!<p o

Finally, il.!; in A<.<J/" all proM t,!'nnt;, are inter·preted iti; !.II!' f'knl!~I)t of 1 The propcrt.i{'>; proved in sefti01l6 4 for the pr·oof-ilI0h'v~1l(e mod('l for AWL al~o hold for thb pro()f-irrc!evanc0 model for Awl, and th('y can hI' proved ill ('xactly thr ~a])]{' Wiq::

7..25 TUEOREM (Soundll(!l::Is)

L Let derl and dt'T·2 hI:' d('rivMion~ of r t- (J A and r f- (J :: Ai, r('~p!'(tivdy Th(,ll

[ r f- (/ :: A ] I} = [r f- a ,. A' ] 7) ,

2, If r f- a :: A, t Iwn for all !) F= r

if r f- A D. If r r A .. *~ if r f" A :: 01'

if r t- A .. "'p

3 If a '::::.(J (/, r I a A. and r t- () A', thell [ r f- a .. A] 7) = [ r r (Ii A] r/ for all I) p r o

Like the proof-lrrd(,v(l.ll(e lUod('ls gJV! IJ IwfCH(', thb one can be US('!! \'0 prow com;i~t.eT)('y,

and ('nllt;,l~tency of conLcxl.s, for lu5talH e

727 LEMMA (Coll"iott'ncy of AX!UM+ II) -'wi) False is not provable in a cont('xt ! DlIt(l,i))infl: only axi()Jtl~ from AX lOM+

PR001· As in the proof nf !(I(lrlla 64!1, w(, ha\(' 10 i;lIpply (l. model M for thr plo~ranlnliI\g la.nguage - the PER-TlIodd wHl do - and dJ0(k that all axioms from AX 1011.1+ ,m' then

interpreted a.~ 1 (" tnlt''') in the re»ult ing AW t -model.. 0

In fact, any l~I{)(ld M that meets the g!'ll!'rallllodd definition fm Aw; UllJ !}{' Ih!,d t,D prove ('(HlSl!:Itency of all ;IX]()Hl~ ill AXIOM+ Thi'· dOHl(l.in ('(]ulUions ('nsmc that thf· proj)!'rtl~~ of +-, x- and Z-dat.atyp!'" g-iven by l~xiom" III AX EO 1\1+ are true

Chapter 8

Recursion

In thi~ chapter we treat, the semantic~ [)( the system~ iutroduced in cha.ptcr 5;; the program­ming language .\w~' and the a88o~.iat,!'d programmiug logic AW~ This chapter is orga.nised in cxactly the jjamc way as chapt,!'t 1., First, in section 8,1, a general model definition for ..\ .... ~ is given.. Thf'n, in section 8 .... 2, a model i~ Nlrlst..mcted that is an instantia.t.ion of this gf1nctal model definit..ion .... And finally, in section 8 .... 3, I,his model for th!' pt'''ogrammiI)g language is tombined with a proof-irrelevance model for the logic, and the resulting model is ltSed to prove soundness of >"w~ and soundncss of all the axioms introduced in chapter 5 ..

Th~ main differE'IH .. e hct.ween the programming language >"w;' and th!' programming lan­guages AW. and >..w; is thaI .. iu AW~ we haw unrestricted retutsion at both program and datatype leveL Consequently, in the general model definitiou £0['" >"w~' datatypes can no longer be int~rprded as sets .. Iui;l,Nl.d types will he lt1tcrprcted il$ tpos, the most commonly used semantic doma.ins in denotatiou!!.l semantks Hffltrsive programs and recurjjjve datatypes can then be interprded as usu~L rp(mSlVC' progl"~l)IS il.~ least lea.st fixpoints in CPUjj, iLnd recursive datatypes as solutions of re('Ur~IVC domain equations ....

The general llIodel definiti()ll gIves a collettioll of domain equations any model has to satisijr.... III scction & .... 2 a model is COlll:'trudcd by solVing t.hese coupled domain equations, BeCiLuse datatype~ Me interpl'eted flS ('pos, the standard technique can be used to do this, Earlil'r versions of tbif; model con~trutl ion - for different system!l arc given in [EHS9j and [PHE93j Compared to the PER-modds gtven in sections 6 .. 2 and 72 this cpo-model is more III line with ('onv~!nt..i()nal prograullning language s~~mantics, and [t is compatible with (onventJOllal denotation<l.l semantics

Given any mudd for >"w~' th~t [Jtf'('ts the g-ej)~'ral model defillit..ion, a proof-irrelevance wodc\ fot" .. Awt can 1.1(' drfined Bec auS(' >..w~ provld!;!!; the same logical primitivejj as >..wt, thlB is don(' in exactly t .. hl' ~altl(' way I\I:l for AWL in se('tioll 7 .. 3 .... Since datat.ypcs are interpreted as cpos, It is easy to verify the i;onndness of th{> a.xtoms introduced in chapter 5 for reasoning a.bout recursiw pt'''ogram~ This pt'''oves the con~ist('n('y of .\.;.J~, of t.he context rCPQ, and of the axioms in AX lOAfl'

As in the previo\[!; chapters, only !.lit' scm~ntk~ of the systemo without the definition rTl!'chanism is treat I'd .... By t..h(>oI'~m~ 5....85 ilt\d ['. 12 5 - ['li[[[ination of (kfinit.ions for AW~ 6 and AW~6 .. - any model for AW;' or '\w~:, ~aTl aliio be l1sed ltjj a[1 interpretation of >.....,!'J or AW~J""

141

142 CHAPTER 8 RECURSION

8.1 General Model Definition Awf

In lhis section the gcnf'ral IlI()(iE:d dl:'finitioll for AW; giVf'Il in ~ection 7 1 IS adapted to pl"Ovidc a general model df'fmit.ion for A~J The maill difkn:'wl:' is that programs are no", iIllerpret.ed as elements of cpo,; rl\t.her than sets .. So in,;!'('ad of a set., we now associate a tpo Dom{ I f-" ., h with every datatypt "

From now OIl, by a cpo we always ml'all an ",-cpo

81 DEFINITION .. All "-'-(PO io a set with a partial ord(!r (;;, a leaJ:lt element .1, alld 11Jnit~ ()f

all thl!.ina of the form Co !;;; C] (;; n [;;; 0

Ii'[)r countable sets this definition is eq\l\valcIlt, wit.h HI(' one given in definition 5 13 For th" g~neral model definition it d[)f:!f:' not really mattet" what, kind of domains are used

New domain cquat.low; have to be included for HlP jj-t.yP{'~ in order' to interpret. tht a.~so61tt.f:!d program COnsl rndioll, \ .. e .. tllE' ftlnet.ioll~ fold and unfold

A final differenC'e wit.h n'Hjl('('t to the W'llcl'al modi'l d[!tinitlon fol' >.,w.1 is that. the d01[tam equatIons for I,hl' +- and ~-types havl' to If( ("ILI~I[W'd, because the ~\lm COll"trndlml On cpos differs from the orte Ott O;~I.~.. ApHrt hom {'l~m('ttts COttslrllcU'd IlSillg t ILl' injections 1nl;(11Al I"An ,and In1:.("A fj, thl' +- ctlld &-tyW'~ now also COtlt;Ull i>Ot.tOIll ~dimH'nt>

The semantics of th!;! kinds and datatype-CuIlf;tl'llctors

AI'; far aJ> the senlattl.l('s of kmdB I!,nc! dat.atyp(,-C'OIlSt.CIl(t[)r~ II< cow'('rned, ther'(' is not much diif!'!rence between A""'; and >"w~J We only have to ext.l'nd thf' definition of an ell"1' ironment framc f<)r the datalype-(on:';t.c\K't()T~ of >.,W~f - dC'finilioll 7 .. 1 with a fllnction 0,

which give" UH" ITlf'ilning of the !lev. dai.atYPI'-f'Ollstrlldor II,

8 2 DEFlNIT'ION .. An enV!l'Onmeni fmm(, fO'- the datatype-(;on.,ltf·yu_!m \ of >"w~' iM a 8-turle

(Kind, of>Xmd, 6, [ill, UJ, [2], [I] , [EJ) , whm

• l(md = {Ktnd u, I JJ\ IJ; if.. kind} is a family of ~lt~, ind~xed by kinds

• ¢ Kind = {1> U(j g{~ I 0\'1 - .. /l": 2 i~ it kind} is a f<"Lllllly of bljf'd.Wll~ wIth <li U(IU<3 E Kmdu'I_U,", -----> [K!ll.dn'l -----T /(milu,,j , wlwrf' thl' ~q1llu'e brlvhts dettote 80me subSN of t.h~' film tion spac~

• [ITJ., W E Dru, oU{~"du, -----> J(wri.,) -----T Kmd.,

• 0, GJ E nl-Lul,,~cIIL -----T KPld.,) -- ,', j(md.,

• [EJ E (Kind., -----T J(md., I -----> Kmd.,

o

8..1. GENERAL MODEL DEFINITION AW~ 143

8 .. 3 DEFINITION (semantics of ~w~-datatype.con8tructors) .. For datatype-con~tructors cr we define [r f- cr JI( D T7 for all r f- cr : II< a.nd 11 F rD. by induction I)n the derivation of r t- (j D{ as in definition 72, extended with the following clause·

Anall)golls to definitions 64 alHI 7..3 we define:: o

8..1 DEFINIrION An enVt'I"Q1!rnent model for the drLtatype-constructoT8 oj ).w: is an environ­ment frame for the COlJ5t.nl(-tors of ).w~' for which [ r f- (J :: 1K J 1/ is defined for all r I- q ; 1K and 'f) Fro... 0

For any environment model for the datatype.constn~ctors of ).w: we ca.n prove the same propert.if.'~ as for environment models for the datatypc-constructors of ~w. or ).w;:

85 LEMMA (Soundnes5 of type assignment for datatype-constructoro) If r t- q :: lK then [ r f- (T :: U\- ~ 1) E Kmdo{ for all 1/ F= r D

,

8 6 LEMMA (Soundness of 6-cOnvNSII)Il for datatype-construttors) Suppose r f- cr :: U...-, r t- (1' :: D{, and (T '==-0 (T' ..

Then ~ r f- (T U(] 1) "" [r f- cr' .. Jf{ J 11 fOr all 1) FrO. These lemmas can be proved in exactly thf' same way as in charters 6 and 7 ..

The semantics of AuJ~'.terms

o

o

A~ tllclltloned before, hl};tNld of a set, we uow AAsociatc a cpo D01nIFI-.,., •• I'l with every datatype (/ .. So for every IL E i\md., there i8 ~ Cpt) Dom", and programs of type tJ will be intet­pr!'tf'd as clements of tlw qm Doml n(1 .,1>1 For a di\.! a1.ype (/, the progra.m Y (f ((J ---t (T) ---t IT

is of COllrse interpretf:d aJi tIl[> lNl.st fixpoint operator on the cpo Domln- .... b ..

ReCUf8ive types should to be i8omorphic to their unfoldjng~.. So it is obvious what the domain !:!qnation for· a rccU[siw typ~ (/I.n ... (f) should be, namely

Domln-("", •• <I'!'".h ~ Domln-.,.!", =(~.c<: •• (Til'.}!)

The as"l)ciated lsomorphism thf:!l giv('s t.he interpretation of t.hc operations fold.l''''''''' and unfoldl ,,,,· •• .,. .. GiVCIl the definition of [ r t- (W)"'. (J): *$ Dr) in definition 8 .. 3, the new domain equations for the recursive tYPf:J;; call also be given as

001n0 p Qi Dom f (0 F!

Because CpOlo fire used instead of set~, Wt' have to reconsider t.h~ domain equations for --", Il-, +- , x· and ~-types glven in the previous cllapt.crs These were

Drmt"G~ "'" IDom" -- Domb) (i)

Dom,[IT]F ~ [IT"~KI'jd., f)OffiF(<).)] (ii)

OOTn0f Q! ITtEL DOmf(t) (iii)

D(}mmr ~ E(I€' KI"d •• Dorn F(a) (iv)

DomGr ~

EIEI- DomF(l) (v)

144 CHAPTER /j RECURSlON

where in the right-h!L!ld !;ldeJ:' ---4, n and I: dCllOtc tht i;f't-tlworetk function space, cartesian product and di~joint. Sum, respectively, and IAI d~not(>H Some oubset of A,

We now have to tllrll th~ right-hand sides into (Po~ For (I), (il) and (iii) this is not a. problem, becall~c t.h!' flatural ordering on t.ll!'~(! f,dJ'; produce~ a cpo If we look at the underlying sets, then only the domalll N[lI'it.IOll~ (iv) and (v) will change ..

8,,7 DEfINITION (FS) .. Let Band C ht tpo~, and let (D, I ~ E i) be a family of tpoS Illdex!!d by some set I .. Th~n

the cpo FS(B, C) is the !;et, of the contmuous functions frOlll B t(f C wit Ii th~ ordering POi!lt w l8e

2" the (PO GP(D. I! E /) is tlw sN. DiEl D, with til!' onh'ring (()ordillatr-wi!;(' if..

J llw (po GS(D, I ~ E n is t.he ~d {.1} U L'El D" partially ordered as follow~

(' ~ t' =- (r ~ J. v ({' = (l,d) f\ c' = (\ r/') 1\ d [d' ))

The new domain f'qU;Lt.IOll" >l,l"~'

Dom"G" ~ FSI1)OTrt~, Dmni;)

Dom [!Dr ~ [GP(1)mnf'('i I II E J<w,d11d]

DOffiGJ .. ~ GP(D(}T.r!.JI.Il liEn

Dom~F ~ GS(D()m.Ft~) I (J C J(~ndll()

DomG·f ~ GS(UOu).rlll liEn

Dom0 f ~

Dmn v(0 F !

u

(i)

(il)

ph)

(Iv)

(V)

(vi)

when' nl~~ ~quare hl'·!'1.( kN~ dl llOU' it ~l1h-( po nl~tI'ild of ,l ~\1h~et of GP( Dam i (~) I (l f' j(l)!flU,)

Bf'lnv, (lte diifN('Il«('S 1)(,t\l.('('11 Iltf' DId !llld tli(' IH'W dOll'laill ('(jllMiom for -t-, n- +-, X-, and 8-types are discu~:;('d

• (i) Tlte old domaitl o:'q\IMl()lI~ llq11l1id f)(J1ri'''GI to 1)(' Holtlorplti(' to ~Otll(, "uh~N of t.ho:' function "patt J)ow" ---4 DOlllb III t.it(' tH'1I. dOlll,ll1l l'qllilllOII It I~ bx( d wltat. t1H~

subset shol1ld 1)€', nilT)W]Y tlH' (oll('('tioll of (·ml,!!TI.IUm~ fUllC'! 1011~ from DOlfi" to f)om);,

because thi~ l~ tlH' !lat.Ill,d jf 1I0t tlt(' ollly po~"ihl(' _ .. dlOi('(' W'(, (,LllIWI I iLh· Iltl' ~t.nC'!.

contluuous functioll;" hl'( iUll-if' hy Ilw 11-)"('dllctiotl mit:' (,\x .. A /;) It t::> 6 bl .. 1 7- (i.1 fUll( t.IOll;' iLlT IlO( alway~ ~t.ri("1 Fnl" Ill"t;Lll({'., if.i il FV(lI) 111('1[ (AT A .. /11.1 [>,) Ii, alld ~o ()..r·A b) t~ lln! M.rict If b =f 1-

81 GENERAL MODEL DEFINITION '\w~ 145

• (ii),(iii) For the II- and x-types there b nO real change.. As far as the underlying sets are concerned, the new domain equabon~ a.re the same as the old ones,

Unlike for the --->-types, for the II-types there is no obvious choice for the sub-cpo in the right-hand side of the domain equation,.. In the model we construct in section 8,,2 we will simply take the whole cpo GP(DomF«(I) I a E; Kmd1l<).

Equation (iii) requires that the domain for Unit, thE! empty product type IIO, is isomor­phic with a one-point cpo .... This means that the program unit of type Unit is interpreted as the only element of this cpo, i..e" its bottom element.... An alternathie is to require that the domain for Unit is isomorphic with a two-point cpo, and take the interpretation of unit different from ..iUnit"

• (iv),(v) FOr the E- and +-typef; there has been a rea.l change" For example, the old domain equation for the typE! (]" + 1" was

The problem is that the set on the right hand side cannot be partially ordered to produce a cpo .... At least, not in a. ~llfh way t hat all the pl'Ograms that can be constructed using In and '7 arc all continuoulj ....

There are two ,on~tructions on CpOf; t,itat are possible int~·rprctations of (T + T: the lazy sum - also known as the di8joint or separated Bum .... _, a.nd the strict Or coalesced sum Forgetting th~ cpo"orciE'I'ing for thr moment, and treating cpos as sets. the lazy sum would result in the following domain equation-

Le a new boHorn dement is provldNL The strict sum would I'esult in the following domain equation ::

Here the bottom demcnts of Dom[Jr"'.h and Domlrh •• ITl are identified ....

The reduction rulE's for +-typcs rule out the second possibility,. If wf! interpret (T + T

a.<; a stl"'ict sum, then the value of the function '79 f7 + T ---> P in (lno-+,. 1 .1",) and (Ino-+T 2 ..i~ ), .. But (hi!'; i~ in ("onllict with the redllction behaviour of /''19: ..

(j'Vy) (In,,+T . .l .1,,) [>8 f.Lo- ,

(j"19) (1n",+r2 .iT) ~{:I 9..iT ,

and f.L u and g..i T may well be diljt,llld ..

Similarly, the fj-I{!dnft..ion t'''ulcs tll/\,k(' it irnpo!';!';ible to interpret n- and x-typea as smashed products

Note that GS(} is a [)IlC-POll)! cpo So the datatype Empty ':::.!~ EO is no longer interpreted as an empty type, btU as a one·elemE'l1t type ....

146 CHAPTER 8, RECURSION

The domain equation

Dom~F 9f GS(D07nflal I a E Kmd/K} 0)

requires more than IS necessary for t,he Inh'rpretation of the assOtlat,{'d program (onstructions, as we alrc;<t(ly di8cussed in chapter 7 for Hl(' same domain cquat.lou with GS replaced by L As for AW;, it would be sufficient If th~~ following domain equatiou iii Mittdied

(ll)

with ~ as defined in definitiou 7 .. 8 .... nut for the particular cpo m(Hkl t .. hat .. 1M giverl in ~ectlon IJ;! the domain ('quations (i) and (ii) an' idfll(i('al.... In this model all C{lUIV;Lku( (~ Clal:>8el:> in ~ are singletous, which i~ ct\n,scd by t.he h( t thllt Dom [!D 1'" is isolllorpliu t .. O !..II(' whole ('PO

GP(.L>OTnP(,,) I a E Kmd u,) b('( ;Ul~("" of this, we will not go to tlie (xt.nt trouhk of u:oing (ii) instead of (i)

g,g DEI INITIQN (,\y)~' cpo ('llVllOllllI<'ut fIIUlH') A cpo (~n!'l,r'onment frame fO! AW': I~ a t \\pl<' ( KIND, Dow, <P~, <t)ll, <t>l., 1>~., 4>+ <1,>1')., wh<'n)

• KIND"" (Kmrl, wl{",,/' G, lliJ, [gJ, [], [±], 0) ban ('llvironmcnt. modd for !.lIt A",,~'-dat atyp~-('on~trnctot'"~

• Dorn = {Doma I n E l( mil.J is Ii family of fpOi,

• .p~ = {1>;;-'b I a,b E: Kind.,}, q,ll "" {1>~~ If- II';: D" P E f(mdJ/, ---., Kind • .}, 1'): =

{I.I>}': If- Jl( .. 0" FE; j{mil u," --I- Kind.,}, (V = {1>; .. If- L Diaod Fe L -+ J(md.,}, 1>+ = {<l>J,.·If- L .. 01(l( .... I,F E L, /{1,r l,d • .l., iwd 1>1' = {<Pj., I F ~ !-(~jl,d •• -", {(m,d.,} ~Ll(, famili(':', of bij~'( ti()ll~ with

<P"'II E Dom" 6;; ----> FS(Dof1l", JJomoi

<t>~.\ C !Jom@]I-' - [GP(Doml"I"1 I (I E j{~'ldll\)l <f>l-

I EO nomOI -----I GS(Dmfl'FI") I Ii E: /(1'IUil/l )

1>; E DOH10 " GP(f)mri'I' If I liE L) , I< I

<pt E Dmn[!] I. ----> GS(D01ni'll""i Ii E L)

1l; E Dllw IE] I --I- Dornl'([Jv,

o

We uOW df'filll' t.h(' itltN})1 ('I al iOIl of f II(' ..\WI,'_pl""OPPtllt~ HI lUI ill bl I i'LI > (mlWlllll<"ul friLlIl<" Only tlw dlff~rel1(('s \\Iit.ll r(~p('( 1 10 ddiuitioll 710, which ddill('~ lli(' ~('IJl;LlIII< ~ of AW;­pt"ogram~, il,re given 11lt:' di!rtITll«"'~ ,11"(' tlil' int<'l"'prt:'tMioll of 'V V.1l<'I(' wi' lJOW liit~(' 1.0 l.iLk!' the bot.t.om el~'ments into ac(ollul ,;llId til(' l))t('rpl dation of thi' llew pl'O!!:l ,lIJ1 (011'" rIl( I.IOU~

(un)fold <l.lld Y .. In ('xatllplr tun t.iJ( Illtl'lpr('jidi()lI~ of case and abstype ,tit gl~I'Il, "']lli'll ;u'('

a 101 r(!"sier to read than I.h(' 11l1.(rpret.~tiOIl of 'V fOI +- and L-lypei,

89 DEFINI rlON (~(lJIilJlt.I('~ of '\W~!-IHOgt'iUll~) For program" M w~~ dl·fj~l(' [r f- At rT ~Ii (OJ iLll r f.M (J" <'.lld 1/ F rU... Il.,~ HI ddlni­tlon7 .. 1U-LC .. h} llld1HtiO!I()llth('d(,liv~LIIOlll)frr M (J" with tb,'folhwill!\ <'xtladll.tls,'s

8.,1" GENERAL MODEL DEFINITION '\w~

For iJ,-types:: Let F -- (Au E Kmd.. [r, CL :; *. f- a :: *. ] 7}[n ::- aD € Kmd •• ---0 Kmd., Then

[r r- fold M·' (J.to:*. (1)] 1/ ;; 4>-1(~ r r- M D'[Q :;= (J.!O*. <7)J] t)) [r I- unfold M 0"10::= (11<7< ..••.. (7)1 ] 1) £ w([ r r- M (J,tQ::*. 0")] 7))

where <1> ;;: 4>j,. E Dom ~~p" ----,I Dom F( 0 F)

B:tr...Y;.

~ r f- Y" \T1(l:~ •.. (0 -t Q) ---+ 0)] 7} :SO: 411(.la E Kmtl •• iJ.>il(l.J E Dom"G'" LFP(IP3 f)) )

where LFP{1!JU)) (\('tlotcs the least fixpoint of 43(1) E IDoma ----t Dom,,] and

'h ;=

For +-types LetF={l.l,E{i l , "I~lrrIT: ~.h),G=(lIE{lI, ... ,I ... },P(i)BR),and R = [ r r- p *. ~?) So L±J F "" [I r- L(ll a[, ,In a,,} , .... h, and 0G;;;; [r f- TI<lI::(11 --> (J,.. ,I" a" ---+ p):: *.])} Thcn

[r r- 'VI E(I) O"l, ,I"~ (7,,} ---t p J 1)

== <Pi l P,{ E Dom [!] F'

{4 4«1>3[rr- j ::TI(1 1 0"j---+P'" .. ,l"a" -tp))ry) 1,) X if <t>1(O = (i., X)

.llnp •• h ifiP)(O=.l

whcre 1>1 iJ>~ E Dom[8F----+{l}UE'rDotllF(l)

42 <l>~FR E Dom[8FGJl ----t [DOtnGF ----+ DomR] 1>3 '=' <Pc E DomC}.-'->TIrDomFfnGR

1>,1 ;;; 4p(J) R E DrnnF(11E]R ----+ [Domp(/) ----t DomR]

Hlr E-t.ypcs ..

147

Ld F=(AaeKmdJi{ ~r,o Dir-D'·· ... ]l)[o::=o:l!,O=(l.aeKmdu( F(a}E)R), and R"" [r r- P *$] 1/ So ~F -- [r f- (EC'<lA- .. 0") *.] )1, and [[] G = [r f- (DoD\" IT ..... p) ..... h, Then

[r I- ry f (Lnll'; (J) ---., ph

{ <l>.d(~3 ~ r. f- f (H(, U{ a -t p) ~?I) a);: if 'h(() '" (a, xl

== <D;-1 (l.~ E Dom rJ:;l / L::J .l~ n-~ •• In if 'l>l (0 - .1

)

148 CHAPTER 8 RECURSION

wher4:! <V( <}£ E Dom ~f' ----. {..l} u 2: .. DOmF(a) F

<1>2 "= ~--. E Dom IE] F EJ R ----. [Dom rn F -----> Dom R] h£JF It <1'1 <PC; E D0 111UDc; -----> TI" Dom r (a)Gf1

<1>4 == <P p:(,,) It E l)omF(~)GR -----> [DomFI.~) -... Domn] 0

810 EXAMPLE" As ill fhapter 7, the int.crpr~t.al,ioll ()f t,h~ C~se- and abstype-constrl1C1ioll il'; eAAier to read then thf" illt,f~rpTetation of V Dcfinit.ioll 89 re~ult8 in the folloWlllg inlcrprf"ta-1.i0[1 for the case- and abstype-constrnction

[r f- (case N of Inl x !-+ MI I = ~ r t- 'V (II >-+ ('\'r 0"1 1111 ),

==- { ~r'Ir.r1 r M, 1"] lli,x..- xl

where 1> = <l> tl {I '1 I ~ A.E 1 fl'C, J'rO'~ •• ~'l

., Iln .. tl. y ........ Mil esac) :: T] ~I

,in >-+ (.\or a" M,,)} N r] 1)

if,t>~rl N LiII"O"II tf'I>~rt-N ~(llO"I'

,I" <1,,)] '(I = (fi, X) , I" 6,,) ] t) -:::: J..

~ r t- (abstype o.;:D{ With .. fa I~ TV in M):: p J 1)

'= ~ r I" \7('\0 If{ AX (]' MIN T] '7

"" { ..l[ r, fdl';:, T a f- 111 1"] (11(, ::= a.II::r ::= xl :f[! ~[rr; NN (L;(kB( 0)] ''I ::...: (fl, \:) ..... r (LnB\ O)]/I:::J..

8.,11 DEF1NI'IION A >'4J~'.e?ltllro))m('Tli Trulli!'! i~ 8. >'w~'-~nvlrollmo:>tlt fram(' for whidl

[r f- M :: 0' ] 1/ is rldino:>d for all r f- M a <tlld ') Fro... 0

'fhl' pl"op~'rt.i{'8 provo:>d in thapt.N~ 6 ill)(( 7 [oJ' IUhitrary cnVnOll!ll('IIt. ll!(jdd~ of AW, il.nd >..w: also hold for arbitrM) ('!lvlmIlJn~'llt models of >",.)~', and t.h(') (';lll Iw pr()~w! in exactly t.he SMll~~ way

812 LEMMA L~,t d<??'1 Ilud /iff·,l be d('li~!lli(Jlll' !If r f-.M (J and r f- M fl, ['f~p('tl.lv('ly

Then ~ r t- M (7] J} = r T ~ .. M a'] 1) ,

where t.IlI' llwanlngs are CjpfilH'd ll~illg, dn I !!.lld den H'!:<IWt tively

8 .. 13 LEMMA (Sollndn\'~.~ of type assiglllJl(llt. for progl!ITll8) ..

If r f- M fJ I.hf'll [ r f- M :: a] 1/ E Dm?/'i r~" -.IT; filr all 11 FrO'.'

8 .. 14 LL'MMA (Sonndntss (If B/J-( ollv'('r~ion for programs) S\lPpO~1:! M ~al' AI', r t- M :: (7, !llld r f- AI' a'

TIwn ~ r f- M 0" D 11 ~ [ r t- M' 17' ] t/ for all 1) F r CJ,., ..

o

o

o

82 CPO-MODEL FOR .\wj 149

8.2 CPO-Model for >.wf In thlJ;; ~ection we construct a cpo· model that is an .:\w~-eIlvitonment model as defined in the previous section" The general model defirlltion gives a system of coupled domain equations that have to be satisfied

DomaGb ;! FS(Dom", Domb) (i)

Dom@)/" ~ [GP(DOffif(a) I a E Ktndnd) (ii)

DommF ~ GS(DOTr!F(a.1 I a E Kmdud (iii)

DomG]F ~ GP(Domf'(1) Il E L) (iv)

D01n0F ~ GS(Domf'(1) II E L) (v)

Dom0 1 ~ DMrtp\[Jf) (vi)

These equations are m\lt\lally recun;ive, hccause of the equations (Ji), (iii) and (vi). It is obvious that (vi) is recurl:;ivc For (il) and (Iii) this is less obviolls, but the right-hand sides

of these equations rf'fcr to all DomF(,,), which ITld\IJes many DOTnFru) with [IT] F or ~ F a ~llbexpresslon of F(tl) (for lu"tallte- DOtnp(@]F) 01" Domp([£jF)) .

To VlIlstt"llct a .:\w~-modcl we will COllstruct a family of cpos Dom = (Doma I a E Kind.,) that solves this Sy6t~'m of coupled dOll'tain equation':'" Fat this the standard technique for solving domain eqn;ttions, as d!)~<;nbcd in for in~t.a.llce [SPIl2], i8 ui;cd The nece$~aty tools for this te(:hniqu~, which illv01Vf' some cat.egory theory, are introdltced in 8ubsection 8.2.,1 In subsectioIl 8,.2 2 the result,!; given in subM!~f'tiOll 8 2..1 are a.pplied to constr\ld a solution of the domain equations l\bovf>

Th~ domain equat,iolls above l~aV(' open the choiCt of a partlc\dar sub-cpo of thc cpo GP(DOTltF(<>i I a E K~Tldod Here we choo~(' the whole cpo" So the modd t.hat is conl:;trutted will ~at,lsfy

8.2-1 Category-theOl'etic solution of recursive domain equations

We ~!;Illrl(' the leader I~ familiar wit.h t.h!' b;\~if nolion~ of (~atcgolY theory .. For a category C, we writ!' ObJ(C) for tlw tolle-ction of obj~\l,S in C For ('/ E Ob)(C), we wtlte Homc(c,c') for thc collection of mm"phisms from (' to ('" ill C

Fixcd"points of Functors

Solutions of ,1 n'Cllt'SIV€' domalll equa1iOllS Dom ~ ;F(Dom) call b~~ r!'gat"ded as Ilxpoints of a functor :F on SOrt\(' category

815 DEFINITION" A fil1)omt of a jm!cto! :F on a category C, is a pail' (Dom, 1), where Dom is a C-ohj~( t and ¢ an i~()m()rphism betw~~l\ !)mn and :F(Dom) 0

The imt.iftl fixpoint theon~llt glVCll bclow gw(>,:; a rlass of functors for which (initial) fixpointa exists, namely ~()-falled w-(Ol1tillllOll,~ f\lllrtor~ 011 w-t<1tegories'

150 CHAPTER 8 HEC!JRSION

8 .. 16 DEFINll'lON ("",-("kun.,,,,,-continuous,w-('()limit,w-(at~gory)

L An w-d!cml i8 a diagram of th(' f011ll (.0 ~ q 4 Cz '

2 .. A functor i~ talIf>d u,J-colltmuous if it p["cs('rV!'~ w-"oilmlts, i e colimits of w-cll!l.ins ..

3 An ",,-cate.9o!~tj is a ('alf'gory with all initial object whidl hrz8 (Ill "';-COI!!lHts, i.,(' in which every w-('hain has a colimit

D

817 THEOREM (lnitlal fixpomt theorem) Every w-continuon~ fundor on an w·category ha.~ an Initial fix~'d-pojnt .. o

This theorem IS Simil>lT to the Icast fixpoint tll~!or('Jn for w-('po~, which sta((~s thM I'VI'TY continuous fnrlttion on a ""-q)O hl'l~ a le;l..st !iXPOil1t .. III fact., the fixpoillt 1 h('()["('lII fOT (,pot< is a particular ca~~ of the initIal fixI'·d point th€orem for w-categories.. In dl'notat.JOnal se­mantics this g('n("ral result is applied t.O (on~tr\lct solutions of a t"CCur»IVI' dnJlJ!JUI equation Dom ~ P(Dom.)

CPO and fUllctors on CPO

We nnw illtn)du('(" the pitrtlclIlar (atq;ori!'~ ilIld f\lll(!Or~ thlll \\olll hI' II~('-(l.. Th!' following categ-ory that pia)!; a (('lltral role

818 DI!:FINITION .. CPO i!; Hl(' utteg()I'Y wlth w-cpo~ i .. !'· .. parti<tlly orden'd .!:lets with an initial nbJ!'!'t and limits of all dlRill~ "0 ~ c\ [; C. ~ .. ~ object,!;., Rlld (ontillUO\l~ functions as Illorphi~ITJ8 D

Because of the int('td!'p!'lI(l('ll(~) of the ctomain ('q\liLIJ()[\~ I.hl~y all bave to be ~olved simul· taneously" Thcl'efOl"C wr wlll ("on~t !'\let. ~ ~oblt iOll ill 11 pniliw:t OltfQOfll

819 DCFINIIION (pmdlld. (ategoryl Let I be an ind!'x ~N alld ell, C<'Il<>gOl,) rill' ["mlll( I (l1,tlf}011/ fI[ C i~ th('u d('fill!:'d a~ follows

• a IL C-Objff't i>; a [Il,mlly k, I t E 1)., whln (~a( Ii ('J i~ Il, C-ohj()ct.,

• a TIl C-mnrphiMTn fTom (c, I ~ E /) to (C; II E I) I~ (t fllTllily (1), 11 E n, where each 1, is a C-morphii\1lJ rrom (', t.o <

D

820 LEMM.A ( IHS7l1 «(I)olbry 257) If C ha~ all w-(Oljllllts i (, C It;LS I olillllh of ,Ill w-dll'.i1l5 , t!t('n ~() d()e~ TI! ( o

So the f;umly of ("po~ Dom = (iJOfll,,, I If E J(wri.,! 11('('(1('(\ fol' til(' '\w~'-nt()d('l i~ ~LJl ohJed in the Cai.!'gory TIK",J., CPO

Thl' cOn"tT\1("tl()ll~ on cpos !ll;lt ;LIT lIMl'd til tll{' domain ('<[natiolls - FS, GP ;ud GS an all functoT,s

8,2 CPO-MODEL FOR '\w~ 151

821 DEFINITION (FS,GP,GS) The object-parts of the functors FS: CPOOP x CPO - CPO and GP, GS •• TIl CPO ---T CPO have bei'n defined in definition 8 .. 7.. The morphi~m-parts are defined below ..

• Suppose ¢ E Hom(B', D) in CPO and * E HQm(C,C') in CPO-Then FS(¢,"\l!) E Hom(FS(B,C),FS(B',C)) is the function that maps ~ E FS(B,C) to Tj;o(, .. 1> E FS(B',C')

• Suppose 1> E Hom(D, E) in TL CPO So <Pi E Hom(D" Ed in CPO for all ~ E I

Then

- GP(¢) E Hom(GP(D), GP(E)) is the function that maps (d j I ~ E I} E GP(D) to ~¢j(dt) liE 1) E GP(E),

- GS(4)) E Hom(GS(D), GS(E)) is the function that maps 1. E GS(D) to .1 E GS(B), and (i, rl) E GS(D) t.O (i, cP;(d)) E GS(E) ..

o

The functor FS is contravanant. in its first argmr)(mt.. Because of thio, it is not possible to (:onf;t.ruct the family of q){)S Doom ;;; {Dom" I (J E K~nd • .) needed for a ..\w~·.model as all

initial fixed-point in thE-! category TI CPO Tlwle i.s a standard te(;hnique to overcome this problem, which is de~<,ribcd below

O-categories

The standard techniqul-' for solving domain equations that involve the fUllction !ipacc functor Or other contravariant funtt.ors is described ll) [LS81] [SP82j" The met.hod is a generalisation of Scntt.'s inverse limit cOllstnl("t.ion We just give a Shott overview of the method For a deat and wlf-conta.ined present.at.i<Hl we t"cfcr to [BHSSI Bf'low' we just li8t all I,he results tha.t we will Ilced,

A special kind of category, the so-called O-cat.q~orics, is used Th!' C1"ucial property of th~'w O-tatcgodes is is ghmn by th('orem 8 .. 25 lwl(}w .. It states that giv!:'n a. functor 'H on an O-ca.t,f'gory C, which h; Vlllt.la~at'iant in olte or mon' of Its arguments, there is a corresponding functor :F on an assoclllt,!'d category CPR" w'iti( h i~ covat"iant in all its a!"guments., Moreover, .,;-c.ontinuity of thi~ fundor :F ('alt be provl'd lcl<\t.t~ely easily Dut fil''St, some definitions are ni'eded ..

822 DEFINITION (O-('at.cgory) A ('ategory i~ an 0· category !If

• every hOm-J:;!.'t. i~ a partially ord4:'n'd ~d" in which every !t.~('('ttding wrchair) ha..o; a. least upper bound,

• compo.;itl(lll is w-contimlOut; with If'Spect to the part,i;Ll order on the horn-sets

o

It is trivial to v'-'dfy t.hat CPO and TI, CPO ale Orcategorics .. The ordering on the hom-sets of TI, CPO is of course defined ('o()rdinMc·wise.,

152 CHAl'TER 8 RECURSION

8 .. 23 DI~l"INITION (r.atcg,ory of E:'mbeddillg-plojedion pairs) .. If C is an O-c'atE:'gory, th!'tl !.II!! a.sHociated catego,,")} of (:.m/Je.ddmo"pro)ectlOn 1'(m .. ~ Cl'R il; th!:' (ategory with

• th!:' same objf'C1$ a~ C, iE:' ObJ(C'f'lt) = OO)(C),

• as morphi~ms embedding-proJw:t,ion pairs of morphi~m~, i .. ! (1,1/J) E Hom(a, b) III Cl'R

iff ¢ E Hornc(a,b) "V' E Homc(b,(l) " ¢,O¥i ~ ~db!\ lj.;o¢- = ~d" D

The following notion can be uSf'd 1,0 prove ".;-continuity of fUllctor!:> on a category CPR

8 .. 24 Dl:F'INITION (Iotal (OJ)1 luuit.yl.. Lflt C be an O-catf'gory., and 'h Co!' xC .......... C be a functor, i e H i~ a blfuudor on C that is (~(Hltravariant ill il~ hn;t 8,)ld coval"i:m1. III it~ s{'c'0I10 argllmcnt,

)-( is called loeMI,!! ( .. onimll0M if it is COU111111()1'IJ:' with I'(,SP('( t to t!J(' p<Llt ill I order on hom­sets, i~: )f, for all b, (/, i, c' E Ob) Ie), tlH' lll:tppillg

1> E Hom(b',b),>j.' E IIorn(c,c') I----t H(1),l/;} E llorn('hfb,c\H(I;',/l)

D

For examplf', It 10 easy to ch!'ck 1 hat. the functol" FS is lo('all) i ontl1.UOUs We can IlOW

state the main pro]wrty of (fllllnOI~ on) O-c'akgol"ies

825 THEOREM (w-tOutirnllty from 10ti'\1 ton1..irl\ll1.y) L~t. H " CoP x C --> C he a locally tOlltill\lO\!!; functor, and C b(' ,U! 0-( 'l,t('goI'Y whkh has all w-colimits, Le ('w'ry ,,-,-cbaiu has a tolillli1

Then the fUlli t.or .F .. CI'!( --t Cf'fI (khlwO by

F(<! h(c,<,,) for CPR-objf'("(..s ( .. F(1), 't/;) (?-t(il l , ¢-), 1-((1), ~p)) for CPJl-morpltil;m~ (1, 'If;)

is lUI w-c'ontinuolls fUll, tor

PROOF .. 'Tills Ill/'(Hem i" a sligbllv W('llkr'B('d v(,l'~ion of tll('On'lIl .1 111 [SP8il The dlt1et(,llu' is that the rat.hel" teclllllt:ll condition that C ha:'> "Ioi<llly dl'h'rnl111ed w-C()lillllt~ of ('rn­beddings" has lwei) r('piltcNI 'A-Ith !..IIi ('OItdH.iOll tlt,Ll C b;L~ itl! "-'-C()liHlit.~ I3y th(' cor'ollar~

to theorem 2 ill [SP8'll this condition I~ st\Ol)gel' n

Tlti~ re~ult will be \ISf'd ill tlH' ll('Xt ~('('tiOll 10 ]HllV'l' w-<'olltinuity of a flllll"lM, with whidl we I.ltl'll ('onstruct a ).w~'-m(ldel a~ all illiti<1.1 llxpoillt.

8.2 .. 2 Construction of a CPO-Illudel

D!:'fore the fanllly of CpO~ Dom C:lli hI' (OIlst.]"m ted, an ell\ itOUlllillt 1l10df'i for t h(' datatY'Pc­constl"uctOt,·" I~ ll(,eded .. Any f'llvirollTll('nt model for the datiL1} Pi·-«Hlht.Iudol's ("afl be used We take the' ~illlpl~'ot posslhk modi'], i .. ~' tIl{' term model::

8,2, CPO-MODEL FOR ),w~ 153

8 .. 26 DEI"IN1'I'ION, KINDTERM "" (Kznd,<pJ(',~d, El, [TI), [[I, 0, W, [EP is the closed term modd for the Aw~-constfuctors.. Ll

So Kmd/K is the collection of a-equivalence classes of closed datatype-constructors of type lK, i .... c,

Ktnd/A' = {O" I € f- u IN}I r;;;;iJ ,

Obviously, KINDTERM is a.n environment model for the datatype-const,mctors of )..w~ .. The function EJ E Kmd., ---> Kmd •• -t KInd., is

EJ ;= .A [O"k ,ITL E Ktnd~ " [0" --+ TI~_., -~ -~ , p

The other datatype.constructors are interpreted silmlady We will not distinguish a datatype­(;Ollstructor 0" and the eq\livfllencc elMS 10"1:::.~ to whith it belongs, and we a.lso do not distin-

guish G and ---., [IT] and TI, [2] and x, et.c ..

To complete the Aw:-modcl, a family of cpos Dom ;;= (Dom" I (l E Kmd.,) is needed that solves the dornalll equations To (:on~tr\lct snch a Dom as a.n t.he initial fixpOlnt, an appropriate w-ca.\,egory and w-contImwu$ hUlttor :F on that categol'Y are needed.. The cat· egory should ha.ve families of ('Po~ a~ object.s, and the fun(:tor :F should ma.p a.Il object Dom "" (D01t!B I a E Kmd • .) to :F(Dom) "" (F(Dom)1L I (J, E Kznd.,) with

:F(Dom)o'_~

:F(DQm)lIf

F{Domh:,,.

;F(Dom)xF

F(Dom}+F

F(Dt}mj,..F

FS (DtlTl!u, Dom~)

;;;; GP(DomF(a) I (Z E Kmdud

GS{DOmF(a) I a E Kmdor}

"" GP(DomF(1) II E L) GS(Domp(1\ II E L)

DOmF(,..fl

Then ally fixpoint of F provid~~ it ~ollttion of the domain equations"

As the categol'Y Wf,; u~(' (ITK'nd., CPO)PI?. We will omit the sub~cript Kind •• and just write (TI CPO)PI? for (TIKmd •• CPO)PR" Dy ddllli!iofl 823 the {:at.egory (IT CPO)PR is thf! category with

• as the morphi~m~ £to'om D to E pr()jediull-Clllbedding pairs (tp,'IP), i(' ¢ E Hom(D,E) and ¢ E Hom(E, D) in IT CPO, and 'Ij)oq, "" zdD and 1wlj; ~ ~de

By the definition of product category (def.. 8 19), this meanS !.hat 4' and 1/J are families of continuou$ FUllctions, with <P«. E DIL ---0 Ea and 1P", E E«. ----> Da a.nd 1/Juc¢'", "" ~dD~ and ¢«o'1jJ~ (;; !dF;o for all a E Kind ••

154 CHAPTER 8.. RI:!::CUllSlON

Instead of the < ategory (I1 CPO) PR we could all';() ll~l' thp. category I1(CPOPR) In fact, the two categol"ics iLre lijomorphic., They have Lhl' $!urw objectJ;; The morphisms in (TI CPO)I'R are pairs of families of tontin\lQUl:\ functions ((1" I a E Kmd.,) , (1)" I a E Km,d • .}), and the morphioms in I1(CPO px) arc familleo of pairs of continuous functions «(1'",4',,) I (I, E. Kmd.,) .. Using TI(CPOPR) instead of of m CPO)PR requires slightly more work

To a.pply the initial fix point throrelIJ we need

827 LEMMA" (II CPO)1'1l il:\ an w-category

PROOF .. W~ mU!:lt ahow that the category (fl CPO)PR has all w-colimits, Le that evety w­

chain has a. (olimit, and that it has an illit.ial l'lement .. Thf' obvious candidate for '.ht' illitial object is the constant family ({.l} I a E Kuul.,)

wbidl rnap~ every index {J 1.0 I hr ()1J/-POlnt cpo .. It c~n ('asily be v(,l'ifiN'1 thaI. I hl~ il; mdN'rl an initial element..

The category CPOI'll h,l~ il,1l w-('olimits (s('e for' m~'a.ll('l' 15»82]) Thi'T1 hy li'mma 820 TI(CPO PR) has all (A)-coIHJlill';, fUJd thj~ Cil,V'gOI'Y is isol1lorphi(' 10 rTI CPO)J'Ji.. 0

We now defin!' t.hl' filTH tor F on thc category al CPO )Ffl !.hM l~ ll~~'d to (on~truct the family of cpos Dom :;:::; (Do1Jl." I (I E Kmd .,) I h~t solv('s I he dOlw\ill l'qll<lI.lOll!; Th!;! dl,fHlition of tit!' (Jhj~~ct-part of :F IS p[""c~(nbl'd by thf> <\oJ)1il,in equations.. Fo!' the ddllJlI.lOll of tlH'" morphism-part. w~ t.11('1) .lust. have 10 l)c (;Lll'ful 10 giVl' FS Ow rlght all;;ulllcllts

8 .. 28 DLFINITION .. The funnor F 110Jll (n (PO)r!? to I.TI CPO)j)/l is dcfilll'd a~ follows::

• (O/}J<d-po,rt) Suppose D E 00) ((IT (POI/'II) .. So D = (Do I a E Kmd.,> is a family of tPI)l'; .. Then F{D) = (:F(D)" I (/ E J(1,T!,d • .l :1>' ddill~'ct as foll()w~

F(J))I1' F(D)np .FtDlu F(D)xJ, Y(D)+J. F(D)IIF

FS(D",D,i GP(DFt.", I (1 E Kwduc) GS(DF'fll I (l E Klndll,')

GP(DFIII II E L) - GS(Dr(!l II E L)

D r (J,v·.1

• I Morplmm-pm l) SIlPPOhf t1, VI) E Hom-(D, E) Itl (TI CPO)I'H .. So ;dl 1)" ;llld W~ ,111'

continuous functions, rj;,. E D~ ".--> Ell alld '1/" E F" ------> D"

Then F(¢,l/.') = (1' ,'/1/), with 1>~L E :F(D"L, -----t J!(ft),. ,11111 «;~ ( F(!~')" --. F(fJ)" di!­fined as f()llm"o

¢~_" FS(1j''', (/),) v;~--, FSlq\., 1),")

¢;w ...... GP((I'FI") I (J E. Kpl(l'I,) 1

~hl1 GP{.;.,[ \".1 I (I. E j{PI,dlld

1EP =- GS(¢/' I") 1(/ E J(p~!lu,) 'j.'~f - GS('I/'i (II) I (! E Kmd nd ¢'xr GP(<PrUI liE L) V'X/' GPOI'I(i1 Ii E L}

1~p .,- GS(i/)FlI) liE l,) 1(U' GS(~.lpm liE L)

1;,/" .,. 1'f(,J' 1 ~I;'F q;'rrl,11

It is easy to v('t'ify ("(lDr<\illat<'-W]sc' that :F pl'('~crH'~ Id('JJliIH'~ ,Iud (""OllJPO~itH)ll, hO thil,t it IS indeed a flJlJClm U

8 .. 2.. CPO·MODEL FOR .\w~ 155

The domain equations for AW~ can now be stated !IS Dom ~ :F(Dom). Theorem 825 will be used to prove that :F is w-continuous

8.29 L~MMA :F il; w-continuous.

Pn.O(W To apply theorem 8 .. 25 w~ fir~t have to prove that II CPO has all uJ"colimits. CPO has all w-colimits (see for ini;tante [SP82J), so then by lemma 8 .. 20 IT CPO has all w-colimits

All that is needed nOw to apply theorem 825 is a locally continuous functor 'H. ; (II CPO)OP x TI CPO - TI CPO such that

:F(D) = 1-{(D, D) for m (PO)PR-objects D F(1),¢) "" (1t(~,¢), 1i(f,tP}) for m CPO)PR-morphisms (.p,1/;)

This functor is defined as follows·

.. (Ob]f;d-ptut) Suppose D E Ob]((TI (PO}oP) and E E Ob)m CPO) .. So D and E are elerMnts of TI CPO Then 'h(D, E) is defined by

H(D,E),,_r h(D, E)rrF 'H(D,E)r:'F 'H.(D, E).". F

'H.(D,E)+f. 1i(D,E)I,f

FS(D", E T )

GP(Ep(lZ) I a E Kmdl1d = GS(Ep(<>l I a E Kmdl1d "" GP(Ep(l; Ii E LI ;;: GS(Ep(l\ 11 E: L)

i:iiiiii Er(/LF)

• (Morp}WJTn-lmd) SlIPPOS(\ 1> E Hom(D,E) in (TICPO)oP, and?j.J E Ho,,(D1,E' ) in IT CPO Then 1i(1, It) E Hom(1f(D, E), H(D', E')) in TI CPO is defined by

h(1),v'J,,-r 'H.(.p, ~))rrF 'H.(1J,~))l:F

'H(¢, '1jJ)xF 1t(1),'lp)+F' ?i(q" 1/J)~,F

~ FS(¢Ol WT) = GP{1tP(<l' I a E Kmd/J()

GS{VJF(<1' I a E Kmdnd "" GP(t,lJF(1) Ii E L} '" GS{If'F(1) II E L>

VJf (I'f\

Note that H uS~jj its first argument, which in the definition above i~ D or ,p, in contravaria.nt places, ie as first I!.rgUlTIf'llt of FS .. It s second argument is used in all ot,hcr places .. It is easy to check - coordinate·wise ... t,h(lt. 7t )wl'scnJC\s idC\ntities and composition, ~o that it is indeed a functor, and it immediately follows from the definitions of:F and 1-( tha,!, ;F(D) ;; H(D, D) and :F(¢,tp);;;; ('H.(1./J,¢),H(1>,'l,ii))

It is also easy to prove - again coordilla.te-wise - that ?-l is locally contimloul; .. This follows immediately from the f/l.e!. that FS, GP, alld GS al'{~ locally continuou8

Then by theorem 8.25 the functor F is ,,-,-continuous d

Now that we hltvc provC'd tltat (IT CPO)I'II i~ an w-clttegory and tlt!!.t :F is an w-continuous fUllctor, by the initial fixpoint theonml (th4'Or('Ill 8 . .17) there is an initial fixpoillt (Dom, (¢, 1,/1)

of F This fixpoint provides It bmlly Df <"PClS Dtlm :::;: (Dam" I a E K~nd • .) and an ¢ and ¢ gIving an isommphlsm bN,\\iCcn Dom and F(Dom)

156 CHAPTER 8 RECURSION

8,.30 LEMMA

Let (DOffi, (1, 11)) b~ th~ initial fixp[)il~t of:F in tht' tal,!.'gory (D CPO)i'l1 ..

Let ot>;:,'b = A,-b, q,~ "" (PrI,dK P(Q)' q,~ ;::: ¢J[(iJ F(h)., 1" PIl"'», 'I>~ = ¢"Q'.' F,.",), tt.1

Then (KINDlIiRM,Dom,q,-,<1>I1,<I>l:,<!>",$+,q,~') is an ~nvironment IIlod(!1 for ),w~' ..

PROOF,. We have to provt' that [r r M :: (T D 11 is defined fot all r I" M tJ and 1} F rO,-, Recall that thi~ amounts to r:hlwkmg if the 1"ilU/;I'S of the isomorphii,rn~ $~"7 and 1>~ and ar!.' large enough .. It e~y is to set' I hat. this is the t'<'1.S(!, be('aus~ the rangt of 1>;'7 is the collCC1.ion

of all contirluoUS functions from Dom" to Dom r , and the l'ang(! of ~}.~ is t'he whol(> product

GP{ DomF(a) I a E /(mdnr) 0

Dil;lcussion

'rlw fact that '.11(' hllve u~(>d tht' Ul.lq~nry CPO is not !"~~PlltiI\J Othel O-tal.q;orleJ:\ could be lls!'d, for instanct' thf~ category of dirr('!.('d wmpl!'l!' p<trll~l orderings (pO~d~ with lubs of all (ilrected sets; a sd. S is dil('ctt'd if (~V('ry finite SUbi;l't, of S h8.-s an upper h01lnd in S) or complct~ lattices ty P{,~ w()l]ld Own b!' 1l11,I"rpn>l.ed as ([it'eel I'd t()lllpl(~h' pat'til\j orderlllgs or

complet.e lat tl('~b

A drawback of Ih~ lTwdel we hl\vt fkscdb('d is th,\!. UII' illt<rprdl!.tiOl1s of I. hI" pDIYl1lorplii( datatyp~'!i are too big, Iwcau"e the cpo Dom 0 F is isomorphic "" ith the v. holt~ prodw I.

D" DomF(al" This produd lont~lll~ many fundi()l1~ which arc Hot piL11l.mdnc, i .. e which behave in completely differellt Wi:l.y~ when appliNI 1.0 dlffcrent argtltll('ulx. I'or ('xample, the cpo Dotnl(ll«;., booi,!.'] tndudf~ fllnctions th;\1 ll'l\1n~ true or false df'(ll'lIdiIW on the typc­argument that they gN, wher(>~~ all eloscd 1.~'rl1l~ of tYl)(' (I1();::~. bool) (l,t(' const/mt funCiiolls .. Alt~rnil.tlve models whidl do not havt' I hil' dmwback al'e tilt' PER-ha~('d modeb df~("nb!'d III

[AP!)Oj a.nd [DM92)' v. hi! It provid(' mltfb lilllitlh'l iltkrprNatiotl of 1111 pnlYlTIorphk typ('~ .. In the~e models Dom'I(ll' .... boob •. I d()!'~ illdl'('d only COtlUUll !'Ollht.;UJ! hmdlOltS

Howeve!", an advantage of I he' 11iOdd COtlstl nCt.WII W4' kw(' descnl)('(l l~ I.b,d It IJ:\ ulUch simpler All 1.h<~1 18 ncC'([ed for tlll' 11lO(kl cotlSII lIdiDll i~ I li(' colh'ct iOll uf dOl1l<tlll l'(]\I(l,t.1om givMI by the geueral ll)odel defiuitlOn It. can C'asil~ he f'xlfll(kd to includt' nth!'r I) pc­cOllsl.rurHons on ('po~, ~11( h M sml\.~h('d prod!\( h and co"l('~('f;d ~11I11~ It. (!Ul also h( ('xtell(kd to in(;orporat~ s\lbt~ pillg, (l,~ h ~hown in [pHEOJj

83 THE PROGRAMMING LOGIC 157

8.3 The Programming Logic

As in the previ(l\l>; chapters, given a.n)" model for the progra.mming language that meets the general model definition, a proof-irrelevance semantics for the associated logic can be defined., In fact, because in Awt we have the same logical primitives as in )"wt, the proof-irrelevance model for ).,w~ can be defiMd ex.actly as it wa.<; defined for )"wt In section 7,,3

Let .M;= (l{[ND,D()m,4>-,~n,~E,,*,",<I>+,4>P}

be any environrlll"nt model for AW~' .. A model for AWL in which .M is the sub-model for At.,J~ can be defi !led a~ follows

• the interpretation of the kinds, datatype-coustmctOl"S and programs is given by M, bec!;tu~(> by lemma 4 .. 37 AWr has the same kinds, datatype.constrnc1.ors and progra.ms !:tSAW ..... •

• thf' interpretation of a.Il other expression!; is defined as for Awt in section 7 .. 3 So the interpretation of th!.' propkinds is as giw.'u ill definition 6 .. 33, (in )"wt propkinds wl'n~ intet'preted as in Awd, the interpretation (or the pr·op·conl;tT\lctors is as given in definition 7.,24, and all proof terms lin:' ill!('rpl"tt.('d as the elenwllt. of 1..

The prop~rt.i('s pr'oved in ~e('(.i(Hl 73 for the pt'Oof-in"~ll'vancc model for A'-'1j also hold for this pmof-iuelevance mod(!l for A",r, and tlwy ("Rll be pl'oved in e:>.::a.ctly the same way

8 .. 31 THEOREM (SO\lndll(,s~) ..

Let JerI and deT2 bf' derivations of r r /1, :: A and r f- (l A', respectively Th(!1l

[ r f- (l :: A ] TI :::;:; [r f- a AI] TI ,

2 If r f- a :: A, then for all 1/ F r

{

KtndA

[rrlC AlliE DomprA •• y>! [r f- A •• oJ> h I r f- A .. *p D 1)

if r f- A : o~ if r r A:; *$

if r r A·· 0l)

if r r A·· *1)

3 If a ==/JI' 0/, r r () A, and r f- (I' A, t.ltC'tl [r f- a :: A] TI = [ r r ()! A J 1/ for allt) Fr. o

As before, the pwof-irTrlcvance model U\ll b(' ll~cd to prOVt' cOTlsi$l,rnq (of contexts)

8 :U COROLLARY (Coll~ist,('nty of AWn ).,wt is (onsist,ctlt. (False i~ not. provable),

8 .. 33 LeMMA (C(}nsi~tcncy of repo alld AXIOMJ' in AwD .. FOII5e is not provable in th!:' (Ont('xt. tel'o extended with axioms from AX lOMIA ..

158 CHAPTER 8 RECURSION

PROOF .. [False:: .. p ] '" 0, 80 we supply ~ model M for thl': programming lallgn~ge and show tha.t in the resulting Awj-rnodel therc i~ l\n environnH'lll .. 1/ that satisfies thc ii)nh~xt Tepo extended with any axiolll~ from AX/OMi'

As M we c~n take the model constrllded in section ~, .. 2 The environment '} sho.lld of course int.erpret the relation ~ .... (IIo ~ .. , 0' - Q - "'p) dc­

clan'!d in repo as (the ('haractet'''is!..ic (\Inc'tion of) the tp~)-ordering in the II IOdf'l , i e ....

{ 1 if x ~ D.",_ Y

.\.a E Kind •• .\;:r,yEDom", 0 ·f rT I X >=Dom. Y

E II"EKmd.. D()w" ----t Dom« ---.-., to, l}

With thi8 interpretal,i()]) of 1;, it call then be checked that aJl the axioms ill rCJ>O !l.nd AX JOMI' are trne ill the model, ic .. that they IU·"(' mt.flpr~'ted !l.5 1

There is all apparent dis(,f!'pallcy bet.w~'en I hI' 1101.1011 of chain in thf lll(){ki and the notion of chain d!'finE!d in repo In th~' model M (()ll~trlli ted in sectioll 8 .. 2 ,~II datatypes arc ""­cpos, whidl means mean" thllt chains of thc fMm Co (;;, Cl ~ (:. ~.. hllve a limit In rCI'u (definition 5..16), on the OI.h[r hand, a cham i~ d£'fin~'d a.~ a totalt) oldi'n'd ~et, and the aXlOlll

complete in l"CI'O ~tates that ,til th~'R~' chains h;~H~ lillJits However, bCf a 11,,(' all (pm in M arc ('(mntable, the:;,!' I.wn notiOllS of ('haill 1lI(' equivalcllt 0

Chapter 9

Conclusion

We now look back on OUI" work, (.()lllpatC it with related work by others, anrl point out some directlopo For fut me reseal''('h

9.1 Evaluation

We have inve~tigat,f'd the possiblHty of u~ing type theory R~ t.he basis for a typNl functional pr-ogramming la.nguage and an !lJ:i"o,ialrd extel'l1al programming logic.. Three pt'Ogrammlng logics have been introdll~.('d, f~H t,hll"'(, ['ichly-tYlWd fundional Pl"ogralmning languages of in­cre!l.':>ing complexity

The b!l..!;i(; Syf;1.f'In AWL is a 5ln(l.1I and homogeneous syStem, which is defined as a sin­gle PTS., It providl.'f; Olll"' language for dMi"Ltypcs, pI'ogr8.m!;, ~p('cific.ations, propo~itions and proofs, including proofs t.hat. pr-ograms med (crtain specificatious.. The programming lan­guage and the logic al'e wfIl-mi"Lt.f!lCd, bccau;oE:' Vd' Uf;(' a single formalism for both of them For every abstraction that is P06siblr in the programmiug language, the logic ptovides match­ing abst,ractlOns to rCMon a.bollt il.. For instance, ill thc pt"ograms we C'lon abstract over all daUttypes - Aa *$ /!.nd in pt'opositions w~~ (.1'111 quantify over all dRt.atypc - \fQ::*~

Mechanical verilkation of Pl"OOf5 hI t.h('~(' systems is po!;!;ibl('.. Verification of proofs amounts to typN'hccking., The (,OIlVl:'r~ion t'ciation in the programming language has to be kept d~:ddable, w'hich does impOf;t some restrictions when t.he programming langl1age is extended with recursion in chapt~l ;; (~c(' discussion 5 .. 10) ..

The logics are all hlghct-oraer logics, providing v('t'y powerful quant.itltations Thb is useful for an implement.at.ion, Iw{a1lf;c without thl:'~e qllRnt.ifiratlons many propositions that can be nOw expr~ss('d inside the syst('IU would have to hI:' givf'n as schematic (uk!':, and then it would be up to t 11(' impl{'m~'utatwll to p!"ovid(' ways for d~'aling with the necesoary q\'lallt.ifications Then' a[~\ hOv.('vct' occasiOllS wh~'n' th(' ab~tractions that MC po~slble are still not powerflll enough For llwt<l.n( (" It. i:o: nol p()~~ibl~' t() q1lantify over all kind~ Qt" over all labelled produrts and sums

Advantages of using P'lre Type Systems

The notion of PTS hI;!}; pr<)v(~d very useful Dy <If.·fining the basic sy8tem ;"""L as a PTS, we obtain a lean and tlcgant syst(,l11 Al~!)., PTSf; an' by naturE" v~ry ort.hogonal systemo The different kinrb of abstract.ion that ~l"f' Illlowcd in a PTS can be freely rombine(i

15<)

160 CHAPTER 9 CONCLUSION

One advantage of U~lllg PTS~ i~ that we get some of the sytltal'li( pmprrtws for free" However, a8 proofs of tlte~e propc'rt.ic''; <l.n' e!l.Oy, but boring, induc.tiotl \)J'oofs, wc' ff'pl I.hif; is nOI. the rno~t important advantagC' .. MOl(' import<l.nt i~ that the compact sp~c.ificat.ion.s of PTSs make it easy to compare and r('[at(, different sy8tems This helped to glwle thc design of thf' bAAic ~:lI'J:ltem in chapter J" lI, is ta~y to dl~tiIlg\\18h the *.·part of the syste'm that provides t..lw programming language, and 111\) *p-part of the system that provides the logic, and the effect of adding a single' PTS-mh, (aU be r...onsidered It also helped to pro\l'e' strong norntali",ation of the systems" It, if; c!lSy to observe that strong normalisation of .xWL and its ex.t.f>II1',iOIl with definitions .\""'LJ llIllllc'diat\>ly follow8 from strong normalisation of .xCb, the' CalculuJ:> of Constructions wilh ddinitiooo

The fact that DPTSs um ('a~ily be ('onlpared also provided the key t.o t.lw p],oof of M.rong IIOrmali$ation for .xC/II the Caltuluf; of COf)!;tructions with definitions Strlll1g llOrmali:';ation of t,hi~ DPTS can casily l)c dC'dut('d from SN of a r('laH>d PTS (llam('h ECC)

Advantages of separating programs from proofs

III the introduction w(' ('xplalll(d tlt~, (hff~']"i'u(e betw('(>n internal Il.lld exl.\'lll;d pro~r~llIlllllllg logics, ~1l1d W~! motivated om fhoil'(' for {'xt.c'·rll;Ll pI"ogllmllning logics .. .x"'h and its cxtensions are all extt],ll;d programming logics" I'logr;lllls and tll(!ir ("orrl'( t1W~8 proofs are separate but related ohjNt...~, a~ arc datl'l.typ~s alld ~p('c'ifl( ilt 101l~,, Tltl! diltaty IH'~ express as much inforlhMiOT) a.':l is possible witholll Inaking typll'lg \\lld~'ddablE' or intl'oriufing irrel('vant proof~ objc'cts in prog-rams In ollt('r v.ord~., dah(.Y[l(>~ ('xp['(>~~ ~t l'llrt.llIl'I.l informatloll hilt 1101 logltal iuformation,

The stnd.. M~p!lratjon Iwtween logic and progralIllIlil1g hlllgnag(, ,Ind t.he fad that pl"ogram~ and datatypC':,; tallll(1t dqWlld on propositions and p]'()()f~, It~l~ ~c'vm'Ll adV'i,Ht.aw'~"

First, it makes it possUJlc to ('xtC'l1d pl"(1gr«'llllll)Hg lallguage anrilogic in differ'ellt dlt"cctlOns, For example, in pt'oofs we want to lISC d<l.~!;I(a..lI(}g:i(: ami in programs we want to usc recUlsion The fact. that, dat.atypeH C il,n not. (,xI)le~~ loptal illforlIl<il.iull In;l.h·s II. pO~~:lbl(' to h'l,ve a fixpomt operator for ~dl dat.;Ltypf'H without. ('ausing inconsistcucic:'; ill tlw logic Thf' fad thflt. wr an' not interested ill t hi' illgnrlthmk c.ont(>\lt~ of pIOO(~ mC<ill~ v.(' (',~ll U~('· (lilSSl( al IngH"

An example of ;L flll'tl1\.'r ~'l(t(>llsion of the PI"ogl"amming lang;llagi" whicb illlll1f'cli'Li.!'ly suggests itself Ollte' W~! bav~' lab('ll('d pl'odn('(.s and smns, is sllblypillg Sllht.ypillg would provide some mlldl-IH,;ed~'d flexibility in ttl(> t.ype SJ~t.('1l1 It. i" 11101(' diHic lilt 1.0 l'nvl~<lge a notion of subt.ypil1g in iJI\('mal programming logics

The ~ep!l.ration betwefll prog'ralllll1illg language and logic means t.hat for t.he larger part of the J:Jystem the semantics tall hI' ki'pt. ~iH)pl~' A 81mple truth-value interpretation can be used ft)r thi! propositions and theh' p]'o(ff~ It at,,\) mi\h'~ it l)OoJ:;lbJe to give a (onventional dc>nnt,atJOnal semant ie~ fol" dH' pro~r;).llllllillg lallg\lag~' ),i,L)~J, which intt'rl)[('(~ rC('\ll"siOll in the u8ual way.,

Pragmatics

We h;Lv(' ~howl'l that althO\lgh th<'y iln ~(''P<tntt.('· Objf'{ t.s, pl'Ogr~.lu~ 811(i tlwjr ("orX'cctnes8 proofs tan h(~ c()n~tl'\I(,t('d t.ogeilici 'TII1~ im,olvr,; fl dOllhl(~ hookkcoppiltg, of programs ~nd their datatypcs 1111 tIl(' (HII hand, and pl'~>dicat.cs and fOll"ettll(,SS p]'()of~ nil I hf' 01 }l(']'

We have showl1 Ulill for c'~{"h hl)guJ'tg(' con~trnctioll ill th~ pl'ogr<"lllll1l111g lall!!,lIagc tllC]'!) i", not only a typmg IIIk, hut !bpl{' aH' aho- possibly ~ev('ral - a~soclat.cd pI"oof ]'ule" that

9_2 COMPARlSON WITH RELATED WORK 161

are derivahll'! in the logic., These rules can be used for the top-down, or compositional, development of programs together wit.h their correctne88 proofs,

The pragmatics of program const,nlction still require8 a lot more work., Most of the primit.ives for program construction offered by AWf, and its extensions are very primitive indeed .. For practical prognun tonst.rllction larger bullding blocks for programs together with t.heir typing and useful proof rules are needed An example of this is given in chapter 4, where some derivable proof rule8 are giv~n for a more complicated language construction, namely the abstyp@-construction for abstract datatypes"

Apart. from these compositiorlal rules, we have also giw;>n a few examples of provable equalities between programs These provide correctness-preserving transformations which can bl' Ils~d to prove that a program meets a certain speclfication" Examples of simple program transformation rulE:'s have been given in chapters <1 and 5 .. Note that any conditions t.hat have to be satidien for R t.ransformation to be ('(Hn\d ("an also be given In the systems"

9.2 Comparison with related work

Several ways ofu:;iug t.ypr th('ol'y as a formal baM!>; for programming logi(,8 hay!! b('cn proposed .. We now COUlparl' somf' of these approa('ht~ with onrs

Program Extraction irl the Calculus of Constructions

The ongoing work on program extr(l,( t,lon from constrll('t]V~ pr()o£~ in the Calculw, of Con­structions a.lld its SH('cessor Coq, ba~i:'d Oil IPM89a), is closely relat('d to our work, at least a..~ far as the type sy~t('ms that are involwd aIr 1'OIH'uncd In section 3 .. 5 v..e have already COrrl­pared the type oyst,('ms involved in thE:' two approa1'hcs" The target. lallg\lagc of the extraC'tion procedure is th!:\ ~iLllle pr'ogramming lang\li'l.gf' provided by Awf." namely Girard's system F"', or in PT$-terms, the PTS Aw

From a pragrnatlt point. of view then? is a big difference" Instead of tonstructing a proof from which a progl"am and its correC'tno,S proof are then extIM:ied, we dil"ectly construc:t a program wit.h a COl"rc('(ne~~ proof In till' illtl"odHction we alrea.dy motivated our ch(lJce for an e)(t~~Tlla.1 rathel" than an inh'l"llitl programming logiC' An advant,age is that the program under (,(}Ilstructlon is clearly vll'lhk iLt, all ! ime's Design dlok('~ ("an t.heH be made not only on the ha.~I~ of the specifi('ation, bnt, al~() OIl the basis of an operational nnderstanding of the algorit.hm and efficiency (on~id('r<ltio!ls Also we have the possibility of giving an incomplete olwoficatioIl, or of specifYlug only i\. p~l.l't. of the program

A big diff!:\r!:\!ltl' '" ith om approach is t.Iu' way recursion is dealt wit.h As shown in chaptE:'r 5, we Can I'xtl'nd the pl"ogrammillg lal1guagr with a fixpoillt operator for making recursive program~ III t,he' programming langl1ag{' t,he'Ll' <"LI"C then non-t.erminat.illg programs and partial objects, and dOlll<l.ill l.h('Ol''Y cl'ln be used to n't\.Son about these

Whi'll the Calculus of Con~trm tiull~ ill llscd as an internal programming logic, a fixpoillt operator C!'Ull101. b(' added, bccl'luse t.hi", would make' the system lnc()llsiste'nt However, the sy8t~m can be extended with a a weU-foulldcd rtCul'SOI" instead of a fbq>oint operator .. WIth 311Ch a well-founded n'('lll"SOl' any rerlH'~iv~' progn'l,I1\ 1'"n be ronstrl1ch'd, pro\ i<it'd a proof i~ supplied that the r(,'Cl.lr~i(lll IS wcll-founde'd

Th(' rcstl'iction to we'll-f()llIld(~d n'tlllsion has obvio118 advantages .. All programs terminate and ther'e are no partial f\lll("t.IOIlS For E:'xampl{', thh; lIl('allS that there can be fl. type nat

162 CHAJ'TEI? f) CONCLUSION

which contains t,]u' n(l.tural numbers If wc have a fixpoint opCl'ator, auy l.yW nat will ~ll;o

contain a bottom f'lellwnt., aud II. pr!:'dicate Nat .. nat ---l- ")) is needed to charactedse thc natural u\lrnbeH' A disadvantagc is that. t.hf'n' i~ a Illil;rnl:l.kh betw~~ll the programs and datatypes in th~ programming logic and thosc availablf' Ul adua.1 progra.rnrning languages .. For example, in the programming logic it is not possible to reason directly about. t.h~ dH.t.H.t.yp!' [)f p[)~"ibly infinite lists as available in lazy fundional programming languages

This difl'ercnct' l~ II. fllndarn~ntal difference between programmmg logirs wb('rt' progri'LrIlS cannot depend On proof~ and programming logics whcr'c program~ ("an d(>p('ltd on prook In prograrnrning logics wher'c programs C!lnuol. dqH>nd or) proof"" partlal fun( tion~ and objects cannot be avoided if wI' want more flexible forms of recursion than primitive recursion, or similar fixed recursion pllt.tentH f(Jr which termination is guar'anteed (e,.g [Men87))

Deliverables

Burstall has introduce'·d t)u~ narnl;' df':/n'el'llbie for a pair consislmg of a pr'o!!,J'am aud a (o['[cct­lltSH proof.. The approarh to progriLm cou~t.ruCl,iou ll!;mg d!'liv~'rabk", diH( 1].~~l;'d in in IBM90i [McK92j, is similil,r t.o OUl8 ill spirit In this approach thc SyStClll .ECC, Illl Extl'lldl'd Call Ulll!; of ConstructiollS I Luon1j, i" ll!;Nll\~ fin er/(!!'rlai progl"ammiltg 10i!,ir fOf pJ'ogralll" III I hI' o.lmpl,y t.yped lambda ca.]('lllll~

OtH' dlff('rf'nn~ wltll our work lS tlw tvp~ sy"t.('m~ ll~('d for I ill pl"ogliLlumillg Ii!.llgllag(' 1n"I,(>(I.(1 of the high(>r orctN lambda fakldu~ AW Ihat WI' llSi', tlw "ituply tY[H'd Imnbd/\ (akulu!; A- 18 used ..

The main dilTcr('lltl wil.h our approach b that the strong S\lm types of ECC are used to form pairs of pt"ogl"ami; itnd corr('1 tIW~~ proof~- d(>liv(>rablcs and pairs of dMatypes and p(eciicat.es - specification!, mwi(:: t.hl' HYS!('lTl CCC .. Thb hM Iht, advantflge t.hat these pairs ('an then be maniplllal.cd illhldr t lIP spt!'lll.. Some examplefl of operations on specifications -i .. e pairs of datatypes and pl"('di(ilh~ thHt (lll! bi' ddjut'd ill ECC art' given iu l'Luo911

Manipulating these pait's ill:'.idc ECC dlH'!; impOh(~ hOltit' r('~trl('tiOll:'; on t.h~ "hape of r)(O­grams and Hpi"(ifi("ation~ P[ogl"am~ ha\(' to tit:> gi~('ll ill iL combilliLlonid IWULllOll .. It l~ not immediately po~sibk t.o t'Xpre8S 1\ [o:>lation between inp\lt and output of fltnnWllS, but this requires so-ralkd ~I'( .. [)[td-nrdi'r dt'Jjvt'lablo:>s ..

Alt.hongh the inh'lltion is tho:> const.ructlOn of Pt'Ogf!lltl~ ill I.he ~imply t.YVi'd liLlllbda tal­culll~, the .;ystem ECe is really murh too po,vf'rfnl for I hi~ pllrpO~(' A.ho., Eee do('~ lIOt separate the world of program~ alld datatyp(,i; frOIll t1l1' world of prooh> and propoBit.io1l8 in the way that A<.o)L and its I~)(t('llsi()r~~ do .. The t.ype *p of all propositions is in fad treat.ed as a datatypf'.. B(,(';'I\I~e of thio .. It is possible t.o form programs and datatyp()~ that dej)f'lld on proofs OJ' propOSltiOIl!:' In piH'ticuhr, t he ~p('('ifi('i'Llion fO!lllf'd b) ~I dal aly-pi' fllld a prNitratc can agaill hI-! \!I;ed a~ a datat} pe" TIllS !nl'an" that thl' lllt,rodndiOll of iL fixpoill! operator for pmg(am~ would malw t hi' "-Yf'I('ltl 1111 oll~i~llll!

ATTT

Haya.<,hi hit~ introlhww! th!:' pl'Ogl"amming logic ATT'T [Hay!.lJI The approadl 10 pro~ram construction he ~llggl'f,t.~ il< ~ho Vt'ly d(}~(' to OUl'S As far as til<' pl"ogramming languagc is concerned, the ollly dilr("I"I'lln~ i~ thid t.lH' ~('colld order lamhda calcul\ls .\2 is us('d instead of the higher order iallliJlb I a'll uill" AW .. And fiB jll '\WI" in ATTT programs and datatypes

92 COMPARISON WITH RELATED WORK 163

cannot depend on proofs or propositions.. Iustead of predicates on datatypes, Hayashi uoes subsets of datatypes, which an' called refinement types,

The possibility of including well-behaved reCurSive datatypes, such as natural numbers and lists, with primitive recursors 1$ considered However, the problem of providing more flexible forms of rp.cmsion than primitive recursion in the system is not considered_

Using it logical fram~work

If we ate not interested in execution of programs, but, just want computer assistance for cOMtruct.ing correct progra.ms, and mechanical verification of proofs, then there is an alterna­tive to implementing ),. ... )[, (or, indeed, to implementing any of the other theories mentioned above)., This alternative is to US!' a so-called logical framework, sttch as AUTOMATH IdB801 Ot' Edinburgh LF [HHP93]

Th~se logical frameworks are type Uwodl's in which arbitra.ry form!!.l systems can be rep-­reseuted, for example tht~ programming logic of our choiCe .. We then do not directly interpret certa.in types as dat~typ~s and others <'L!', propositions .. Instead, we define rcpresentations for ptograms, datatypes, propositions, and specifications ill the logical framcwork, and supply all the typing rules for progranIS and all the lnf~'rp.ut(> nIles for proving propo8ition~ .. The logical framework then provi<if.s SllPPOl't fol' proving statementR in the form!!.1 system that has been given, such M "program M has datat.ypc (f" or "progra.m M satisfies prt'dicate PH.

There are ~cyeral differenct;~ bNween impkllu)Ill.ing ),.WL dlr!;!ttiy, and encoding it ill a logical frarncwotk.

The obvious advaut.agc of the second iLpptoach is that an existing implementation can be \Ised However, the pritt' for this is Ulat the enconiug of a formal system in the logical framework makes thing~ mOrt difficult to read and write.,

Becanse we are alrt'ady intel'ested thl' ~.-part of ),.WE by itself, as 1\ typed programming language, it seemo preferable 110t to uSc a logical fra.lrl~:wotk The impOrt. ant disadvantage of using a logical fril.lrlt'work is namely I,~ that statemellts snch as "progri:\.m M has dat~type a" are expressed InSide the fr·am~~work, i1Ild have to be (dls)pt'w,'ed using t.hc type inference rules The whole point of h~viIlg a tljpr;;d programmiug language i;o that the verification of statements" r f- M err' b ldt, to the type ChNkt'r, so that we do not have to prove these ourselves

LCF

In diapt.f'r 5 the extension of the programming language with a fixpoint combinator is con­sidered, Domain theory i!; used as the basib fOr reasoning about recursive programs in the associated programming logk ),.w~> Thi~ means we ri:'aSon about rec:ursion in the same way as III LCF IGMW79) il'a1l87j,. There are however many differences between LCF and )"wt 1,ik~~ thl' logical fl'anH'WOlb dls(ltssed abow, LeI" does not offer the possibility of execut­ing progr,tnis .. Also, LCF is OIlly toncerned wIth verification of prog'rams, i..e .. with proving: th~t iL givcn pt'·ogram m~~~t.s a cct'tidn spedf1cuttoIl, and not with the constructIOn of corree! programs,.

In .\w\: programs arE' t'Xph,ltl, typNI, whert'l\s in LCF programs are Implicitly typed, in the style of ML Finally, .\w~ pI'·o~'ides a llludl Iidler logical I!!.nguage than LCF .. LCF is a fin;t. OrdeI'· logic, ann th~' original nefinitiolJ clf LCF in [GMW79] provides COnj\lIlction and univet'·sal quantificl!.t1ou as the only logkal tonncctives, and!: as the only predicate symbol..

164 CHAPTER 9 CONCLUSION

AW~ is a highc,r-ord~r logic, in wh1{h pr~dicates are first-class citizens Th1f; h<\~ t.hl:' advantage that many inttn~!lting predicat,cf; (an be defined Or dN.l~Hed inside tht' formal system" For example, we have shown that. the notion of admissibility t'an IH' expr~ss('d in AW~, whE'reM in LCF this Is l~ft to the meta-t.heory Thi:'; adcht.ional strength of Awr makes it posslblt' to build more interesting theorll:'s inside tht' system, in which W~ no longl:'r have to refet" 1.(1 the cpo-ordering!; and On the bottom elcm<"llt. J"

9.3 Future Work

As wc ha..ve already mcutioned, a lot motc work has t.o be done to make program COltstruttion in AWL itnd its exten:;aOll~ practicaL The lallguage const.ructs om'n~d by the type lambda calculi are very primitive, but a.lso very powel"fu!... For pnlJ t.ieal program (oustrn('t.ion we want to have more cOllv('nkl1t constructs for huildings progratll~ at. O\lr dlsposa[ wit.h ill,f;O(~iat!:,d

proof rull:'S We hav(' given a few slmpl(' (xil.lJlplE's of dNl\l'd (Ollf;t.ruct.s, e g If"then-else and abstype, and shoy,n how proof ml(>~ fOl tl!E~rn (all b(' obtaitH'd" More of ~u('b language constrtlcts are needed, with a~~()ciatcd proof ruk~, !'tIle! possibly SOllH' ~IW( '1il.l 8yntax to keep things r<"il.dable In add1t iCllI to stich composil i(]llil,l rtlh'8 for th('~(' ("Olll,t I't\( to, W'(' also want program transformatioll nlleo for them\'< hid I (il.ll b(' med to lHOV( ("Or1H tH('SS of programs

III the system w1t.h n'('I\r~jon, it is awkward t·o hav'c to go bMk t,(] th(' cpo-ordering ~ evct'·y time we want. 10 prove a prop('rt) of a recurBlve program" Many H'cllrsive programs will follow more or kSh stllndard r~Cnt"~l()1l Imt.t(~ms., su('h as Pl'llHlt.iv(' n,( ul"slon, or reCtlISiOtl on the llll.tural numbcrl, ()r list,.; with all r'ccursiv(' {il.ll~ on smaller lliLt ural llllmh{'rH or shorter lists., Fot suc,h common t'('("lIr"IOn patt.('rn~ \\l' \'<ollid lib' to Pl'O'l' I<'l'[llilli~tl()ll ()II(t' and fol' all, and oilt<l.ln MsociaWd Illdllction rulcs t.hat ('all 1)(' \I~ed to prove prop<'rt.il''; of programs using that. recursion pattflllh

The explicit t,ypitlg III tla' pl'ogl'~unmlllg, i;(llfPlagl' and till' 10gl! l("~1\llb ill a large amount. of fairly trivial bookkt'!'pillg, which is wrll-iSllltrd for machine support. by all implementation of thl' type syst.em:,;" 8m hall implemctll ill iOll would offer a progr·il.l11111illg PIlviIOHn1('nt that comhinl~h a 8yntax-dhcft.l'd l,ditor for well-Lyp('d pr(fgril.nIS and a goal-diu'·( t.('d proof !I.J:i:,<jst.ant Suit.able U1(tic~ for th", fOU»t.III( t.i(lll of pl'ogIam~ \\lth I hpll ("orr('('t.ll('S~ pt'()()f~ v,ollid h,lw to be inve&t.igll.t(~d

At ~l'v<,ra.1 placcs wc have mtl"oduc('d spcfial llotatlO]) for ("ertmll bllg,lI,Lg( (Ollst.ru(,(.!:, SomN1llH"f; WI:' also omit.U'd IYI)(" parameters, ill !;lllllg t.llil.t. t hest' could (~a~ilJ IH IT( ollJ;t.ruC'ted from t.hl' Co nt. ext ... An tmpif.ll(('l)t.ation shmlld Hle,tlly Of[t'f such a flC'xibk ~)llt!iX, wIth pO~8i, bilitic:'; to If)t.roducc nev, ll(lt,ttions and to ~llppll'''~ ,,0]][(' of tlte tyP(' illfol"lllaliOll

A topic for fut.llTt, ret;earch iue fmt.h('·r ('Xt.('I1S10ns of tltr pl'·ogrn.lllHliJlF; language Card01li'~

language QUC~1.. [CarBO!, wltifh Ii> bllhPd Oil AW, Sllgg('st 1\ si'VH!i1 1)()8dbilitics to ('xt.cnd t.lH' programming language H('["(' it IS u,;eful that 'We ha~(' ,t m(lr(' or les~ conventional (h'IlL)tat.i()ll~1 semantir~ for t.hE' programming lang-uag(', b('('au~c it (an i\c(ommodat(' lllally <,xt<>nhionJ;'

One Important fxtl'II~IOn h 8ubtypllig A.s ohown in IPHE!JJJ, t.hl' (po-]))odd given in chapt.er 8 can 1)(' ('xt.elld('rl to illt<'ljlr('t. ~lIhtyping Subt} PUI!!; IlH\..h', t lw type w~trm mor(' Al:'xiblc It tl)ab'" It ea~y to ('xt.('1H1 tltc dat.a5tr\l('tllt"(~~ lI~l'·d Hl H program, and !J('IlCt' "1I1}p()rt.~ the evolution of prog]'am~ Hlgh('I-OldPl lal)lhda rakall o,1I("b ilh Au) ('xtp)lded wit.h sl.lbt..~ pmg hav(' heen used to mimi, some of tht' f('lt.lHW of object-orietlt.t:'d pwgr!irHming llulguages IPT92j [FM9.1) By itH'Olj)(f["lltillg ~ubtypillg III AW!" il.lld lis E'xt('n~iOtlS v.( (~(f(]ld IllV'('stigatt' suitable logltal rules fot' t'('as(]]liug ahout. thes(' kill,ll[,,(,'~

Bibliography

IAP90j Martin Abl!.di and Gordon Plotkin, A PER-model of polymorphism and recurSive types .. In Logj'c ~T! Computer SCience, pages 355-365 IEEE, 1990

[AptSl] K R. Apt .. Tell )('ars of Hoare's logic a ~llrvey - Pa.rt I ACM Trans., on Prog. Lang .. and S!jst.., 3(4)131483, 1981

[Barn] lIcnk Barendregt .. Introduction to genel"alhed type syst!"m~ .. Journal of FUnctional i'roqmmmmg, 1::124-154, 1991

[Bar92] Hcnk Barendrfgt.. LI!.JTlbdil. C'alculi with types In D M,. Gabbai, S Abramsky, and T .. S .. E .. Ma.ibaum., editors, Handb()ok of Log~c m Computer S(;~ence, volulrlC 1. Oxford University Press, H)92

[Bil851 Corrado Dohm and Ah'~~an(ho B~lanln(ci Automatic Synthesis of Typed .\. Programs on Tfrm Algebra.~ Theoret~cal Computer SCience, 39..l35-154, 1985

[Ber8S! S .. Berardi.. Towards a mathc>matical analysis of the Coquand.Huet calculus (If con­structions and othcr systems in Barendr~~gt's (\lbe" 19S5

IBHSSj R.. Bos and c.. Hemelik .. An illt.t'·oduction to t.hc category-theoretic solution of r~\lr­sive domain cquatio!1J:; .. Technical n~'IWl"t (88/15), Eilldhoven University of Technol· ogy, 1988

[BR90] IJ..P Balendregt, <tlld C Hemerik .. Types in lambda calculi and programming lan­guages In ESOP, volume 432 of J.t:d!~rt Note8 ~n Comp1der Science Springer, 1990 ..

lBJ93] Bfrt van Bent.hem .J llt.dllg Typing in Pure Type SysteIT1s .. Informaho11 and Com­p11tatwn, 105(1)30-41, 1993

[13JMP93j Bert vall Benthem .hl1t.mg, James McKinna, and R:mrly Pollack. Checking algo­rithms for pufe type oy~t.<:nls .. dr-aft, 1993

[BM901 Rod BUI'stall and Jam~~ McKinna, Dehverables :' an a.pproach to program devel­opment in t.h~ (akulu~ of {,,()uSI,[llC't.ion~ In l''tOCs of the first Workshop on Logical Frameworks, pages 113-12 t, 1990

[DM92] Kim B Druce and Jobn c.. Mitchell PER models of sllbtyping, r~cursive types and higher-ord('r polymorphism.. In Prmclples of Progmmmmq Lang1tages, pages 3Hi-:i27 ACM SIGACT·SIGPLAN, 1992.

[BMM90] Kim B,. Bruc!", Alb<:l"t R, Meyer, «lid John c.. Mitchell The semantics of second­order htmbcla calntl\ls InformatIon tl1!d Com-puttdum, 85.,76-134, 1990.,

165

166 BIBLU)GRAPHY

[Car891 Luca ClI.rdelli .. Typcflll Programming Tt'chnkal Report 45, Digital SRC, 1989

lCH88j Thierry Coquand and G"tard lIuet .. The Cakll111Jj of ConstI\lct.iOIl~ h,fo1·mat!on and Comp"I.lat~on, 76··95-120, lO88 ..

[Chu40j A. Church A formulation of tltt' ,:;imple theor) of t) p(,.,:; Journal of Symboll". Logu:, 556-68, H.l40

jCon86j R.L,. COll,:;l,ahle et al Impkmentmq Mathe)natu:.8 m the Nuprl pmo/ df'l'eiopment system .. Prentice-Hall, 1986

[Coq85] Thierry Coquand Une Theone des Constt'at:tlOn,~ .. PhD thesis, Univ~rhitfi. Pads VII, 1985,

lCJ>90j Thierr} Coqll(l,nd and Chrisl.iIH' Paulin .. Induct.lvdy DdiIwd T.Ypc~ III P Mart.in­L<If and G Milll~, wlHol'~, COLOG-B8, V0i1111H' 417 of L",·( l1.n NotfS !n CompldeT S('~e1!ce, page" 50 66 Springel, HH)O

[dI380] N G d( Druijn A ~IlJV(V of tll(' »1'Oj('("1 AUTOMATH hl.J P.. Si'ldin >\lId J R Hindley, idItOl'S, To H 1J C1(11Y·: Es.sall·~ m C'mrl.lmwt01""Y Loq,c, L<l"Ill/ulil C(lkuius and FOTrw.ltRrT/., p~g(\,s 57f} ()06 Autdmli(" l'r('s~, 1<).'10

jDow·91:1 G .. Dowel( ('I ,Ii The Coq proof n~~l~tant versIon 5')., u~('r~ g\1i(h~ Ihpporl ill' Recherch(' 134, INRIA, 1991

[Dyb90j PcL('r Dybjel' COlllparillg integrated aud t'xh'nt(l,j logl(~ of fUlli tiowd programs Sr:~(:n(:J! of COmp!.li 1 ProgrammlnQ, H··50 79, 1990

jEH89] H t~~u Eikeldu alld C Hem("'rik fb(' i oUl'tnH tlOn of a (""pO IIIIHld to! Jj('( ond or­d(>r lamba cakullli; with l""CCmSIOn III Proc.~ CSN'8V Cmfqmlwg .SOfr1re In th,~

Ndh(.·.·rl(1 .. nds, pages Ul 148, 198~

[.FM(4) KathlcclI Flhhpr and John c.. Mil.chdl Notes on lyp('d Obji'i t-oril'nted programmillg In TACS'!J4., vohmw 7&9 of LNCS', piLge!:' M4 -88G Spl'illgr·r, 1901

jGeu93] Herman GCllwrl' 00!]!C .. ! MId 1'y)!1 .. )''!I~I(:rns PhD tll('~IS, UlllV"('r~ity of Nljmegcn, 1993

[Gir721 J -Y. Cm'tl'd 111..11 '"1)1/ta/wn fOtlcllOlI,dk II Ii!mtr)(ifwn (h.~ IO"ltpm·f'8 dl' l'ilTlthrruJt!que d'onin 81.lph!em PhD t.lli'"~ih, UUlW'ISitt; Pll.tb VII, 1972

jGirS6] J .. -y, Girard .. LllH'al logIc and pill ;t!kh~m In M V("Ilt.UJ"llIi Zilh, i!dltOL Mathemat­Ical Models F)1 the Sernilflt!C\ 0/ f',ml..i1ei!.ml, .o]U!ll(' 280 nf LNCS., pag()~ 166-182

Springct' 1986

IGMW791 Michal'! . .1.. Gordon, ArUJIlI L MihAN, <'Ind Clni:O;l,oplH'1 P Wli.d~worllt EdlnblL1·gh LCF, VOhmH' 71.l of LNCS. Spnllg('l, HI79

[GN!)lj Herman Ci'\IVI'I~ <lnd Mark-. .bll Nl'dt'l'hof A IIlOdll1 II proof of ~t.rong nOImah~at.ioJl for the CakuhlhofCon~tr\1("liollS .. JOII,:rrlal of Attlctt, !j J'f"liIIHWI.m.lIl(j, 1(2) 155·····189, 1991

BIBLIOGRAPHY 167

[Hay93] SU5umu Hayashi Logic of refinement typeo In Procs,. of the Workshop Type8 jor ProgT"(J.m~ and Proojs, 1993

(HeW1] Leen Helmink Goal directed proof (()nSlruction in type t.heory In ProC8 of the first Workshop 01! Logical Pramework5 Cambridge University Press, 1991-

[HHP93] Robert Harper, Furio Honsell, and Gordon Plotkin .. A framework for defining logics., Journal (If the. ACM, 40(1)143-184,1993

[HS73! Hot'st Herrlich and Gl'orge E. Strecker Cate.gory Theory .. Allyn and Bacon, 1973

[KOR93] Jan Willem Klop, Vincent van Oostrom, and Feruke van Raamsdonk. Combinatory Reduction Syst.ems introduction and survey .. CWI report 9362, CWI, 1993"

(LP92] Zhaohui Luo a.nd Robert Poll<~(;k LEGO proof development system.. U!;er's manual.. Technical Rq>Mt ECS·LFCS-92-211, LFCS"Univ~~rf;ity of Edinburgh, 1992..

[LS81] DJ Lehmallu iLnd MB Smyth AlgC'b!'aic sp('cifi(!l.t.ion of data typE'!f; a synthetic' approath .. Math, Syst Thr.:M!i, II 97-139., 1981..

[Luo89] Zhaoh\li Luo .. ECC, th~ Ext,Plld('(\ Calculus of C()Ilf;t.rIlctions In Logu; In Computer SClencf, p;~g'('s 38&-J95 IEEE, 1089

[Lno91J Zhaohui Luo Program sp~('ifkati~lll a.nd dat.a refinemcnt. ln type theory .. In S Abram· sky and TSl'~ Maibaum, edit.()r~, TAPSOFT'91 V(ll 1 CAAP, vol\lme 493 of Lecture Notes 11! Computer Sw::ncr:;, pagel> 143-168 Sprirlger, 1991

ILuo94j Zhaoh\li Luo .. Computation rmri Reasonmq A 'J1ypr: Theo1"'1) jor Computer Sc~ence .. Oxford Sc-il'lIc(! Publir...atiolls, 1994

[McK92J James Md<inna. Deiwerables:' A Caiegot"~cal AppTOru:h to Program Development m TyPf Thwry PhD t.h('sis, lhllv(,l'sity of Edinbllrgll, 1992

IMen87j NP M~>ndkr.. Inductivc type~ alld type constl"aint8 in ~(,colld-ol"der lamhda. calculus In LO(llt In Compute1 S('u':nt~, paf(es 30-36 IEl':E, 1987

[Mey82j Albert R Mcyt't .. What is l!. m()dd of I hC' lambda (,l!.k\llu~? InJormatwn and Control, 5287-122, 1982

[ML79j P Mat'tin-Lor.. COll:lt.ru(tiv(' Mathematlco aJld Computer Programming,. In LogiC, Methodo/')gy and Plltlowllily of Sr ~(~!I,(t, VOhllll(> VI, pal;l's 153-175 North Holland, 1979.

[MP84j John C MitchC'll and GOldoll 0 .. Plotklll Ab6tnu:t, Iypes have exHl'rltial type., In PnT1(·.lpir::~ of Pl'Oqmmmmg J,{!7!(lu<lyes, pagcs 37--51 ACM, 1984 ..

[Ned90] R P Nederpdt.. Pt('sentation of Ilat.lIral deduction.. In Sympostum, Set th~()1'1I, fottnd(!tl()n.~ oj mathemal!cs, R~'("n{'il dC's tl"avaux de l'Tnstitut MatMmatiq\ll', NonV'" fAri!', t.ome 2 (10), J3eogl"!lod., pages 115-125, 1990

[NPS90j B .. Nonlstrom, K hMl"S~OIl, ~lId "I.. M Smith ProgT(!1mr!t1lg tn Martm-Lbf'~ Type TheoTy .:' rm ttdt'OductWl1 Oxf(ll"d Stience Publication,:;, 1000,

168 HIBLIOGRA PHY

[PauS7] Lawrence G. Paul~oll Log!c and Comput(du)1I, volume 2 of Cambrtdge 1hl.ct~ m Theoret!cal ComJl!tier SCIence Cambridgt' UIllv~m·;tty Press, HI1l7

[PH£93j Erik Poll, Kees H!'rn(!rik, and Huub ten Eikdd(!r.. Cpo-models fOI second or­der lambda ('air-ulll!; with l'ecursive typ(':-; alld ~uht'YPJng Theoret!cal In/ofmai,("\ 27(3)221-260, 1993

[PL89j Frank Pfelllling and Peter Lef' LEAP A language with eval and polyrnorphiom In F .. OrejasJ.Dlaz, editor, l'APSOFT89, LNCS, pages J45-359. Spring~'r, 19SO:)

[r>M89al Christine Paulin-Mohring .. Extracting jW Prugnum; frOIT! Proofs in the Calculus of Cllnstructions .. In Phn(:l]!leo~ of Programmmq Lanqu{J,'1t.y, pag~'$ S9 101.. ACM, 1989

[PM89hl Christ.illf· Pa\llill-Moltring £l:tmUwn (if;.5 P1Q{}mmme.s da.n$ k C(.kl.l (k.\ Cun,ltnll­

t!ons .. PhD th(!J:>b, Universite Paris VII, 1989

[PoI93) Erik roll A typechecker fot" Bijctt.iv(' P\IW Type Sy~to:m~ Computing Sti('II«(" Not.(' (93/22), f;indhovell Univcr:-;ity of T0tl!lI(lJOgy, 1993

[PPM90] Frank Pf('nnlIlg !l.nd CIH'btulC Paulill-Moh(inp;.. Inductively Dcfincd Type" 111 t.hr· Calcllllli, ofCClHftnlc(.ions. III M,d.h(~mfliu(ll F{)I~ndal.!On~ of Prr)(j1y,mmm,q L(.''fj!u.yn, VOlllllJ(' 442 of LNCS Spnngf't, !flDO

[PT92j Bcnpunin C. PiNeo: a.nd Da.vid N .. T1l11l('1 Object-oriented prOpi.l.ltlllllllg wit.bclll! r('('ur~iV"(' t.yp~'~ TC'rhniral n('pOI t. ECS-LFCS-92-226, UllivcrRit.y of Edilll}IJrgh, 1992

[Raa92] Femke V,Lll H.;t1HlI~d()nk A simple PI oot of C OUfll1~UCf for W('II kly ort.hogollal Combi­natory R~dlld iOIl SyMt~'HI~ CWI ["('port 9234, CWI, 19H2

IHty74j John C ncynolcls TOWll.l"dM 'l. t.h('OfY of tY1K sltll("1.un .... III l'mgmmmmg Sllrnp()~ll,m Colloquf sur ia PmIj1TJ.mrrwium, ~i"oh.\Tne 19 of LNCS, pages 4()8-425 .. SpruIW'r, 1!l74

[Rey831 Johu c.. Reynolds ryp("~, 'ih~tnld')()ll and paralllHric polymOl plmmL III H .. J:: A M8jjOll, edit.oI, In/o'l"maIIfJn P10reRsmg 88, }Mg('S 513- 523 1F11], Eb~·vJ('r Sc ic·ruT Pu blish('r~ BV (N ort h- 1-101111 lId)., 1983

[R.ey85j John C'.. n("yllold~ Tlln'c Approach('~ to f} pC" St.nu't lilT .. )11 ClIng (.1. aI.., ('ditor, Mathemitlu.ILi F01~1!d(!t!Ons of So/t·wa.re D(··~.;d()prm.·.·nt, LNCS, p,lgP" ')7 tV:! Springer 1985 ..

[Rog(j7:! H.. H.()g~'rM The:01""l1 0/ Recl.j~j,;/~ F:I<n, 111m ~ md RjJl!( i1'l.'(' Comp1itllb!i1tll' McGraw­

Hill, 1967

[SP82j .J G Smyth I'llld G D I'lot.klll. Th(' (""ll,t\'II;ory-t.IH'ol"('tic soll11iOlI of t('tUI~lV(' dOIMllll

I:'quations SIAMhmnl.flZ oj Cmn[!~,.t!nl), 11 701-·783, 19112

[SP911 Paula SCVCIl alld ErIk Poll .. Pl"Il""(' Ty[)(' Sy~tt'm~ witll Dcfitli!.JolI~ .. COlllPIlt.llll; SCiC·IlCf·

Noh' (93/24), Elllclbovc II Ulliv"f"l"">'lt) (If Tedlllo]ogy, 1\.193

rSP94j Paula Sf',,(·-n ~nd Erik Poll Pmt '1 yp(- S'yo;l.E'lIl~ with Ddinjt1(l1l~ In LFCS94, numhor 813 iu LNCS, pag-('s 3lG-321l SpdngN., l!H!4

BIBLIOGRAPHY 169

[Ter89j J" Terlollw .. Een naden:' hcwijstheol"(!tische analy~e van GSTT's .. manuscript, 1989"

[Wad89] Philip Wadlcr Theore)l\~ for free! In F'unctwnal P!"Ogramm~ng Languages and Computer ArdlltectUTe, FPCA '89, PTOC.~ 4th Con/. , pages 347-359 ACM, 1989

IZNV72j Z .. ,Manna, S Ness, and J .... Vulllemln .... fo'ixpoint approach to the theory of computa­tion C()mmu1l!cahon .. ~ of the A CM, 15(7)528-·536, 1972,

Index

-----types, 12 E),109

for PER-mod~l., 117 +-typcs, 60-(;2, 67'-69 [IJ,130

for PER·mod('l, 1:l7 x -types, 5!), 65 67 0,130

for PER-nJo(l!-I, 1.37

~pe"" 12 L.!!J, 109

for PER-model, 117 ~pcs, 62-65 @J, 130

for PER-UHHld, 137 J-i·types, 86

[EJ, 142 1==*-,35 "",3fi V 34 @, 119

Ms,76 liJ, 139 -:>, 34 [S:J, 119 v, 35, 76

GJ.·139 A, J5, 76

0, 139 ..l,88 *. (type of datatyp~8), 2ti *p (typ(' of prop()8ition~), 3:~ 0.,28 Dr' 33 0,119 1, 119 o (("()Ynposition), 84 ~I f= r, 126 TJ Fro" 110

170

TfFro"',113 'fJ f= r D ••• D., 124

fLoGle, 35 TCJ>Q,9.";

[ ] (OU';J~f<JJ(} of., 157

for datat) P('-()U,;t nJ("'t()r~ of AWOl 110 for datatYlH-(""()n~trll( tor~ of AW;, 131 for rlatatype-tOIlst.rll( tor~ of >"uJ~', 142 for programs of AW., 114 for program~ of AW;, 1::11 for progTams of AW~', 11(\ fol' proofs, 12G for prop-con~t.I\J( tor~ of AWL, 124 for pr()p-("()n~tr\1d()l's of Awi, 140 lur prOp-(,oll~trudOt:> of >"w;~., 157 for prop-kinrls of AWl", In for prop-kinds of Awi, 139 for prop-kinds of AW~~, J1')7

Do (OlW-step reduction), 11 1» (manY-H!41p rl:'dll('tion), 11 t::>/:I (B-n'ductiou)., II

for x-tYIW~, 59 for +-typcs, 62 for ~-t}]H'~" 64 for Iabdh'd ptod Utt .~., 66 for lahdicd ~lJJJJS, 69

I>b (n-r('du( t.i(JJJ)., 10 ~J' (/,-[('dudion), ti(j ~ I (Onv(>rSlOtl), II

~iJ, 11 ~b, 16 -;;;:L (Lfihni7' 1'<[l1l1!ity of pl""ograJJJ~), 41

A----O- (simpl) !YWd A-(!\hllJU~I, 15 .\2 (Hecond-ordcr typt'd A-nJ!nd\l~), 15 AW (higll('r"ol""d(t, ty pt'd A-nJ!(""1JI\l~), 15 >"C (Calculus of C'on:-.t.ru( tiorJ~)., l5

AC/", 54

INDEX

)..W~, 28 PER-model, 117-119 geneTa.1 model definition, 108-116

.\wi',33 pn>of-ittclevance model, 119-121

)..wL,38 con~isteIl(;y, 42, 43 consisten(:y of, 126 proof-irrelevance model, 122-128

Aw;,71 PER-model, 137-138 general HIOdd definition, 129-136

AW~, 76 .\wi,76

consist.en<T, 80 consistency oC 140 pToof-irrelew\.llc{, mod('l, 139 140

)..w~, 86 CPO-model, H9-1SG general model definition, 142-148

)..Wt, 91 consistency, 98 consistency of, 157 proof-irrelevance model, 157 158

A (PTS-axiolllS), 10 ab!;tTad dat,atypes, 72-74

pnwf rules for, 82-83 a.dmihsible, 93, 95 all llOt.ation, 44 AXIOM,42

tOnslstency of, 128 AXIOM+, 80

(~(Hlsist.(,IlCy of, 140 AXIOM!', 97

consistency of, 157

bool,71 bound variabl('~, 10

C (ps(,\1do('(mtext,~), 11

Calculus of COllst.mtt,ions, 1, 2. 4, 54 Calculus of Con!;t.T1l('tioll~ (AG), 15 cartesian produ(,t t.yp('~, 59 C<lse., 6l Church nurrtu;ds, 32 Church-Ro8~eT

fOT PTS, 11 for PTS with +, )( and E, 70 for DPTS, 18 for DPTS with +, x and ~, 70 for )..w~, 89 for )..l.o1f, 90

classical logic, 36, 43 composition, 84 confluence (see Church Rosser), 11 Cons (datatype-constructors)

for AW., 30 for AW:, 74 for AW~, 88

conservativi ty of DPTS OV~T PTS, 21 of AWl, over )..w." 39 of Awt over .\w;, 78 of Awt over AW.~, 92

{'()nSistCllCY of AXIOM, 128 of AXIOM", 140 of AXIOM!', 157 of Tepo, 157 of A...,p, 12U

of AWl·, 42, 43, 12G of Awt, 80, 140 of AW~:, 98, 157

coupled o('rivatl()rt I"U I!' , 44 CPO, 150 CR (s('c ChuT<:h Rosser)

data1.ypc, 28

dat.at.ypc-('onstructor, 28 deprudl'lll sum types, 62-65 disjoint sum t,ypCf;, 60-62 DPTS, l(l-23 DPTS with +, X and E, 58-70

elimination of defittit.ion~ fill" DPTS, 21 fOI DPTS wit.h +, x a.nd :E, 70

fOl >'wt~, 90 ('lllbl'ddittg-projection pair~, 152 Empty, 71 ('llvil"onment fram~'

for AW., 113 fOf >.w; 134

171

172

for AW~', 146 for datatype-tonstru(t.ofs of AW., 110 for datatyp~-con~t.rUGtors of AW;, 130 for datatype-constructors of AW~', 142

environment model for AW., 114

for AW;, 136 for AW!', 148 for datatype-constl'll("tor$ of .\w., 111 for datatype·constructon; of AW:, l3l for datJ:l.type-constructors of A""'~, 143

extensionality, 43

F"' (see AW), IS false, 71 False, 35, 76 fix poi tJt, irHh1ctIOT[, 93, 9b FS, 144, 15t fund-ional (D)PTS, 14 fUlwt,ional (D)PTS with +, x and I:, 58 FV (fr!>f:' variables), 10

glohal definition, 16 GP, 144, 151 GS, 144, 151

if, 71

kind,28 Kind (kiTld~), 30

labdkd product types, 6S-57 lahf!lh~d "\1m types, 67-6~ Lf'iblli7' equality, 41

interpretation of, 126 local definition, 15

nat" 88

peons (pr(fp-NTl~tnl("tor~)

for AWl" 39 fot AWL, 77

Pkind (prop-kirHl~), 39 PKmdlJ>, 11~ polynat, 32 product catcgor~, 150 Prog (programs)

for AW., 30 for AW;, 71

for "'w~, 88 prtlgram, 28 program extractlon, 4, 54-56 Proof (proof terms)

for AWL, ::19 for AWt, 77

proof, 33 prop-constructor, 33 prop-kind, 33 proposition, 33 PTS, 10 1,5

PTS with +, X ~ud E" 58 70

R (PTS-nlkl')" to R+,58 R",58 RIl,5t R~, 5t

S (PTS-,:,orts), 10

INDEX

~e("(l)ld-ord~'r typ\'d ),-cltkulns (A:l), IS simply typed ~-('alcuhls (A ----'), 15 SN (~ee ~trong normalisation), 14 "olllldn~'~,~ of fi-conver~ion

for datatype-constructors of AW., 112 for datatype-COnStl'lH.tors of AW;, HI fo]" dal.MY1W-( onst l'llctors of >'w~', 143 fol" pl"ogl"ltms of AW., 115 for programs of >..".,} , 1 J(j

for programs of A""~', 148 fol" AWL, 124-12G fOl' Awt, 140 for AW~~, 157

sOllndn('f(~ of typ(' It~signm('nt fol" natatYP('-fonst.fIH t.OrS of AW., 111 for daUI.1Jlw-ioll~trll(11lT~ of AW;, 131

for datatypt'-("on~tr\l( tOl"5 of AW~', 143 for programs of .\w., 114 for programs of >..w.! , 13G

for Pl'ogl"ltms of AW~', 14t for AWL, 12S-12G for Awt, 140 for .\wj, 157

5pecificatioll, 44 specification of (DjPTS, 10

INDEX

specification of (D)PTS with +, x a.nd E, 58

SR (see subject redl,ction) strong normalisation (SN), 14

for bored uctiOrl, 18 of )"C, 15 of )"Ce, 20

of .\w" 31 of .\WL, 40

of .\wt, 75 of AWL' 78 of Awr, 90

~trorlg sum types, 64 65 ~llbjcct reduction (SR)

for PTS, 14 for PTS with +, x and L, 70 for DPTS, 19 for DPTS with +, x and L, 70 for '\w!', 89 for .\w~, 90

T (pseudoterm~), 10 true, 71 True, 35, 76

\llliqucnf'ss of types (UT) for PTS, 14 for PTS with +, x and ~, 70 for DPTS, 19 for DPTS with +, x and 1:, 70 for AW'" 89

for .\w~: 90 unit, 71 Unit, 71 UT (s('(~ llniq ueness of types)

weak sum type~, 62-65 where, 64

173

Curriculum Vitae

14 juli 1967 geboren t,e Haarl~lmncrmeer

mci 1985 diploma International Daccala\u(;!l;l.te, International S( hool of London

~cptembcr 1985 aanvang studie Informatica

april 19!1O doctoraal examell Informatica, rn~t lof, 'lechnische Ulliversiteit Eindhoven

1990 - 1991 Olld~!rzock('r ill opkiding aa.n de Techllische Ulliversiteit Eindhoven, ill hN kadf'l' van NWOjSION-project " Getypeerde Lambda Cakllli" , onder leidlllg vall dr..ir C Hcmerik

vanaf oktober 1994 EuroFocs Fellowship aall INRIA Roc;quen(:O\lrt, f'tankrijk

huidig adreo Fa.ndt!)it WI,~knndc en 1nfonnatica. T{'thtJ[~clJe Univel"siteit Eindhoven Post bus 513 56()O MD Eindhoven Nederland

e-mail erik@wintllc nl

175

STELLINGEN

bchorende blj het proefschrift

A Programming Logic Based OIl Type Theory

van

Enk Poll

De tlitbreiding van lIet. Brllce-M{~yer-Mit('h('ll moJel met E-types IS niet zo f'E'nvolldig als wordt beweerd in [1] (Zlt> hoofd<;tnk 7 van (lit proefschrift)"

1:11 K B." Br-ucc, A.lL MCyt~r, and J .. C MitchelL The semantics of second-order lambda calculus Injo1'''rnatton (md Compuitdwn, 85 76 134, 1990

2 De in 12] besclm>ven (co)inducticw typeb met (co)recursoren kunnen in de poly­marie lambda-cltkulub .\2 uitgchreid n1!'t indudieve types en primitieve recllrsorcn (beschreven in hijv .... [31) word(~n gccodc('rd

[21 N.. .. P Mendl.:'!"" Indu<'tlvc t.yp('~ alid t .. Y1H:' cOTlI;traints in second-order lambda ('a!tulns .... LOgiC in Computer Sctence, page.s 30 36 .... IEEe, 1987

[31 H Gcuvcrs .... IndtldlV"(' and (Oillilll( tlvl' types with iter .. ation and rccursioll .... In Workhop on Type..s for h~X)JY.lfl~ lind PI(JoF /J{i.sti!(i, Sweden, pages 193-217, 19Q2

3 In 14] w()rdt opgE'lllE'rkt. dat voor d(' typP-( on~tnH't()r "--4" subtypering contravarianti!' vt"'r('ist en nxmsieve type~ c;ovanantl(\ en dar de combinatie van subtypering en rt"'(,Hr~kw types lllE'rdoor problernatisch lijkt Bij ni(>t-standaard gebruik van de invt"'rsc-Jimictconstructle .:;illl dt'ze ~chlJllbaar tegcnstrijdigc eisen aan ----1- eenvoudig te vt"'rf'nigcn ('lie [51)

[41 Y.. .. Brea~\l-T;illll('ll, Tit .... Cuquil,nd, C A Gunter, and A .... Sccdtov .... Irdu!ritance tIS 1m· plicit. COe,ei(Hl .... 11Ijormflhon (l,nri Comp1drd!on, 93(1)::172-221, 1991

1:51 E .... Poll, c.. H~'m~'rik, and H.M M t('ll Eikcldt't .. Cpo-models for sec"ond order lambda calculus with [""Hur~ive typt>s and subtyping .... TheOfdu::(li Inf(J7"mat~cs, 27(3).,,221-260, 1993

4 .. In typcril'lg~-;l,lg()rItnwl\ vom P1lI'(' Type Sy"tern" is hd hdIldig OIll ndast het type van ('('Il tm'ln tegc'itjkeI't Ijd ook bd type Vil,l'I dat type h' bepaJen

Zie E Poll.. A ly))('('bed,N fo!" bij('((iv(' PUle T y pe Sy~tem.s Computing Sc)I-' 11 ( !:' Notl' I~JI22I, EindhoV('ll Tltliv('['~ity of T('chuo]()gy, 1993 ..

5 .. Aang('?:wn i'r rTI('('r er'viHIllg i~ nt('t liet olltwiklwleIl Vdll grote programma's dan met het olltwikkd('n van gt()j(" fOIllWk· 1 WW'lJ'%('l1 , b Iwt. 11llt.tlg om bl..! het ontwerp van 1)(~wlJ';ti11('1l t(, klJkNI ll;l;U f:H l!tt('ltCll ([1(' plognunrm~('Itdh~n lm:d('ll

G .. I3cwl..!u'n l'l'Ict indnctic %,ljll v;tak gocdc v()orbeeldell v;~n bewljzen met intlIIlIddtie

7 FrOlllotl(' aMI ('('ll '1,lllIV('r~lt('lt 1:011 111('1 dln'ct g('volgd mOil/'ll worden dn~)[" ('('J)

<tdll~t(~llllig ~l,\ll di('%dfd(' Illlly('!~Jtl'll

10 Htl l'Ic\,j(>rl ve\O (OIll]!llklll('1 "';('1]«'11 I~ (bl het ;l.fl('~.gclTn Vitn agr(~s"k op d(' aplMmtlIll1 oj) '1(' 1)'11["(',,11 llllll<in lJc'vn'dlg("JJ([ I»