May 27, 1994 - absurd â¡ lem(void) â False. Here we de ne an implicit constant lem by a non-terminating recursion. This seems to be the best known cause of ...
Consistency in ALF (Draft) Thorsten Altenkirch Department of Computer Science, Chalmers University of Technology 412 64 Gothenburg, Sweden
May 27, 1994
1 Introduction ALF is the implementation of a logical framework. This implies that ALF is an open system, we can use it for di�erent approaches to Type Theory or even to encode conventional logic. ALF will only check whether our theories typecheck. We are responsible to make sure that the theory is consistent | i.e. it is no problem to encode an inconsistent theory like System U in ALF. We could restrict ourselves to the monomorphic set theory as it is described in [NPS90], chapter 19. It is straightforward to implement this theory in ALF and to construct proof-objects by explicit de nitions. However, this does not re ect the current usage of ALF, i.e.: � We want to be able to introduce new sets by giving a sequence of constructors. � We want to de ne non-canonical constants by pattern matching. Peter Dybjer has developed a notion of schemes to capture inductively de ned sets [Dyb91, Dyb94]. Thierry Coquand has proposed to use pattern matching to de ne non-canonical constants and has given some criteria when a de nition by pattern matching is sound [Coq92b]. We propose here to combine these approaches to give formal criteria whether a sequence of ALF de nitions (an ALF theory) is consistent. We have the following goals: 1. To give a comprehensive account of type theory with pattern matching based on generalized algebra; thus providing a possible answer to the questions raised in [CS93]. 2. The criteria for a consistent theory should be decidable, such that it is possible to integrate a consistency check in ALF. 3. To give a set-theoretic semantics for all consistent theories, extending the semantics proposed by Dybjer, thus showing relative consistency w.r.t. set theory. 4. To formally show that type-checking and equality is decidable. This could be done by extending Dybjer's and Coquand's glueing construction [CD93].
2 Examples of inconsistent theories We list here four examples of inconsistent theories which can be constructed with the current ALF system. These examples are typical for the possibilities to introduce inconsistencies. Here we understand an inconsistent theorie as one in which we can construct a term inhabiting an empty set, which is de ned as the set-former
False ∈ Set
with no constructors. In all cases apart from the second the inconsistent theories also contain non-terminating terms, which renders the de nitional equality and therefore also typechecking undecidable.
2.1 Non terminating recursion Unit ∈ Set void ∈ Unit lem ∈ (Unit) False lem(void) ≡ lem(void) absurd ≡ lem(void) ∈ False
Here we de ne an implicit constant lem by a non-terminating recursion. This seems to be the best known cause of inconsistency in ALF. In general it can not be decided whether a recursive function terminates. However, we can follow Coquand's suggestion [Coq92b] and restrict ourselves to structural recursion (which is a straightforward generalisation of primitive recursion). This is not such a serious restriction since we can still de ne general recursive programs by wellfounded recursion, which can be presented as an instance of structural recursion (e.g. see [Nor88]).
2.2 Incomplete covering
ALF supports the construction of objects using pattern matching by generating complete sets of patterns. However, this mechanism is not foolproof as the following example shows: Unit ∈ Set void ∈ Unit lem ∈ (Unit) False lem(h) ≡ case h ∈ Unit of end absurd ≡ lem(void) ∈ False
Here we have generated the case-expression 1 in the body of lem before we have introduced the constructor void. This could be avoided if ALF would require that the construction of a pattern can only be started when the de nition of the corresponding set has been completed. However this restriction would make it impossible to introduce mutually recursive-inductive de nitions as they are needed for universes:
Pi ∈ (A ∈ Set; B ∈ (A) Set) Set lam ∈ (A ∈ Set; B ∈ (A) Set; f ∈ (x ∈ A) B(x)) Pi(A, B) U ∈ Set pi ∈ (a ∈ U; b ∈ (El(a)) U) U El ∈ (U) Set El(pi(a, b)) ≡ Pi(El(a), [h]El(b(h)))
We cannot complete U before introducing El.
The fact that we have to use a case here is caused by a shortcoming in the implementation of ALF: On the toplevel ALF has no way to di�erentiate between an empty pattern and a non-existing pattern. 1
2.3 Negativity Dom ∈ Set in ∈ ((Dom) Dom) Dom id ≡ in([h]h) ∈ Dom lem ∈ (Dom) False lem(in(h1)) ≡ lem(h1(id)) absurd ≡ lem(id) ∈ False
Dom appears negatively in the type of its constructor in. Thus it is possibly to de ne a constant lem which formally satis es the requirement for structural recursion. However the expression lem(id) has no normal form and inhabits False.
2.4 Inconsistent re ection Tree ∈ Set sup ∈ (A ∈ Set; (A) Tree) Tree Acc ∈ (Tree) Set acc ∈ (A ∈ Set; f ∈ (A) Tree; (a ∈ A) Acc(f(a))) Acc(sup(A, f)) accTree ∈ (t ∈ Tree) Acc(t) accTree(sup(A, h)) ≡ acc(A, h, [a]accTree(h(a))) tree ≡ sup(Tree, [h]h) ∈ Tree lem ∈ (Acc(tree)) False lem(acc(_, _, h1)) ≡ lem(h1(tree)) absurd ≡ lem(accTree(tree)) ∈ False
This is the subtlest cause of inconsistencies and relates to Girard's paradox. Here we use the type of trees Tree 2 to construct an inconsistent theory. Tree can be understood as an intensional presentation of usual sets in Type Theory: given any family of trees indexed by an arbitrary set we construct a new tree. It is straightforward to show that every tree is wellfounded: accTree | but this is contradicted by the tree of all trees (tree) which contains itself. Certainly the problem is caused by the fact that the type of sup contains an abstraction over Set. However, in general we can not always avoid this as already the example of lists shows:
List ∈ (A ∈ Set) Set nil ∈ (A ∈ Set) List(A) cons ∈ (↓A ∈ Set; a ∈ A; l ∈ List(A)) List(A)
3 Generalized algebraic theories Following Cartmell (i.e. see [Car86]) we can view a logical framework like ALF as a generalization of conventional algebra 3. If we present an algebraic theory we introduce sort-symbols, constantsymbols and equations. To every constant-symbol we assign a sort. Observe that the presentation of an algebraic theory can be strati ed: we rst list the sort-symbols, then the constant-symbols with their assigned sorts and then the equations. Moreover it does not matter in which order we present sort-symbols, constants and equations | we may consider them as nite sets. Given any term it is straightforward to decide wether it is wellformed and to calculate its sort. The situation is quite di�erent for generalized algebraic theories, i.e. for algebra with dependent types. Consider the following example: 2 3
This is a variation of the construction in [Coq92a]. Actually as a generalization of simply typed �-calculus since we also allow higher order terms
Nat ∈ Set 0 ∈ Nat s ∈ (Nat) Nat Fin ∈ (Nat) Set 0Fin ∈ (n ∈ Nat) Fin(n) sFin ∈ (n ∈ Nat; Fin(n)) Fin(s(n)) + ∈ (Nat; Nat) Nat +(0, h1) ≡ h1 +(s(n), h1) ≡ s(+(n, h1)) iFin ∈ (n ∈ Nat; Fin(n)) Fin(s(n)) iFin(n, 0Fin(_)) ≡ 0Fin(s(n)) iFin(_, sFin(n1, h1)) ≡ sFin(s(n1), iFin(n1, h1)) +Fin ∈ (m, n ∈ Nat; Fin(m); Fin(n)) Fin(+(m, n)) +Fin(0, n, 0Fin(_), h1) ≡ h1 +Fin(s(n1), n, 0Fin(_), h1) ≡ iFin(+(n1, n), +Fin(n1, n, 0Fin(n1), h1)) +Fin(_, n, sFin(n1, h2), h1) ≡ sFin(+(n1, n), +Fin(n1, n, h2, h1))
Here we de ne addition for natural numbers and for the family of nite sets. We can only introduce Fin after having de ned Nat, we can only introduce +Fin after having introduced + and the equations for +Fin are only wellformed if we use the equations for +. No strati cation is possible anymore. However, by introducing a special constant Set we can unify sorts and constants. Given a set of names (x) we can de ne the sets of types (�) and the set of terms (M ) as follows:
� :: Set j x j (x : �; : : : ; x : �)� j M M :: x j [x; : : :; x]M j M (M; : : :; M ) An ALF theory, aka a higher order generalized algebraic theory, is a sequence of: Constant-declarations x : � Equations M � M : �. Wrt. a given ALF theory T we can de ne the following judgments 4 : Type ` � Typing ` M : � Equality ` M � M : � We de ne a correct theory (wrt. typing) inductively as follows: the empty sequence is a correct theory. Given a correct theory T we can extend it as follows: 1. By a constant-declaration x : � if ` �. 2. By an equation M � M : � if ` M; M : � As in ordinary algebra equality wrt. an arbitrary theory (with at least one equation) is in general undecidable. However, since the judgements ` � and ` M : � depend on equality it is no more decidable whether a type (aka a sort) is wellformed and it is impossible to decide whether a term is welltyped or to calculate its type. 0
T
T
T
T
0
T
0
T
4
As usual we de ne those judgements w.r.t. an arbitray context.
T
4 Formally consistent theories We want to identify a class of ALF theories which are logically sound (i.e. False is not inhabited) and which have the property that all three judgements are decidable. On the other hand the criteria should be as liberal as possible. We call a type large if it has the form (x1 : �1; : : :; xn : �n )Set. Otherwise it is small. We classify and restrict de nitions as follows: Set formers A constant declaration with a large type. Constructors A constant declaration with a small type of the form (x1 : �1 ; : : :; xn : �n)A(M1 ; : : :; Mm ) where A is a (previously introduced) set former. Non-canonical constants An arbitrary constant declaration. 5 Computation rules A directed equation s.t. the outermost constructor of the LHS is a noncanonical constant. Motivated by the examples before we introduce restrictions on the formation of constructors and computation rules: Constructors Assume a declaration x : � with � � (x1 : �1; : : :; xn : �n )A(M1 ; : : :; Mm ): 1. Every constructor introduces a dependency between the set formers appearing in �i and A. If a set former occurs in the right-most position in �i then the dependency is positive and otherwise negative. We require that the graph generated by the dependencies does not contain a cycle with a negative dependency. 2. Assume that the type of A is (x1 : �1 ; : : :; xn : �n )Set and let B1 : : :Bm be the setformers on which � depends positively and which are on a cycle of dependencies. Assume Bj : (�j 1 : : :�jlj )Set. We require that there is an T : ((�11 : : :�1l1 )Set; : : : ; (�m1 : : :�mlm )Set; x1 : �1; : : :; xn : �n )Set such that (x1 : �1 ; : : :; xn : �n; T (B1 ; : : :; Bm ; x1; : : :; xn))A(x1; : : :; xn) is isomorphic 6 to �. Computation rules Following [Coq92b] we require: 1. The RHS of every computation rule is structurally smaller than the LHS. 2. All computation rules associated to a particular non canonical constant constitute a complete covering. Note that the second condition is global, i.e. it will not hold for every initial sequence of a consistent theory. We call a theory which full lls all these criteria formally consistent. Note that the type of trees is ruled out because it is not possible to nd an operator T as required in the second condition for constructors. However, the type of lists List full lls these requirements. We have not given any restrictions on the sequence of de nitions. In particular the de nition of universes U is formally consistent.
5 It would be interesting to investigate the di�erence in power, if we only allow small non-canonical constants. This would make it impossible to de ne universes. 6 Here we should only consider very simple intensional isomorphisms. We hope to nd a better, syntactic criterion.
5 Discussion We hope that based on this approach it shall be possible to make it precise what can be considered as a consistent formalization in ALF. If ALF is used for program veri cation it is essential that there is a way to ensure that the programer has not broken any of the rules, which in the moment are just part of the folklore. However, it should still be possible to experiment beyond the set of formally consistent theories.
References [Car86] John Cartmell. Generalized algebraic theories and contextual categories. Annals of Pure and Applied Logic, 32:209{243, 1986. [CD93] Thierry Coquand and Peter Dybjer. Normalizationalgorithms, mechanical normalization and intuitionistic model constructions. In Proceedings of El Vintermote, number 73 in Programming Methodology Group Reports. Chalmers University, Goteborg, 1993. [Coq92a] Thierry Coquand. The paradox of trees in type theory. BIT, 32:10{14, 1992. [Coq92b] Thierry Coquand. Pattern matching with dependent types. In Proceeding from the logical framework workshop at B�astad, June 1992. [CP89] Thierry Coquand and Christine Paulin. Inductively de ned types. In Peter Dybjer et al., editors, Proceedings of the Workshop on Programming Logic, 1989. Preliminary version. [CS93] Thierry Coquand and Jan M. Smith. What is the status of pattern matching in type theory? Draft, 1993. [Dyb91] Peter Dybjer. Inductive sets and families in Martin-Lof's type theory and their settheoretic semantics. In Logical Frameworks, pages 280{306. Cambridge University Press, 1991. [Dyb94] Peter Dybjer. Inductive families. Formal Aspects of Computing, 1994. To appear. [Nor88] Bengt Nordstrom. Terminating General Recursion. BIT, 28(3):605{619, October 1988. [NPS90] Bengt Nordstrom, Kent Petersson, and Jan M. Smith. Programming in Martin-Lof's Type Theory. An Introduction. Oxford University Press, 1990.
