Recursion over Objects of Functional Type

Under consideration for publication in Math. Struct. in Comp. Science

Recursion over Objects of Functional Type Joëlle Despeyroux y and Pierre Leleu Received September 1999

This paper presents an extension of the simply-typed -calculus allowing iteration and case reasoning over terms of functional types that arise when using higher order abstract syntax. This calculus aims at being the kernel for a type theory in which the user will be able to formalize logics or formal systems using the LF methodology, while taking advantage of new induction and recursion principles, extending the principles available in a calculus such as the Calculus of Inductive Constructions. The key idea of our system is the use of modal logic S4. We present here the system, its typing rules and reduction rules. The system enjoys the decidability of typability, soundness of typed reduction with respect to the typing rules, the Church-Rosser and Strong Normalization properties and it is a conservative extension over the simply-typed -calculus. These properties entail the preservation of the adequacy of encodings.

Contents 1 Introduction 2 The System 2.1 Syntax 2.2 Typing Rules 2.3 Basic Properties 2.4 Reduction Rules 3 Metatheoretical Results 3.1 First Results 3.2 Strong Normalization 3.3 Conuence and Conservative Extension 4 Related Works 5 Conclusion and Future Work References 6 Appendix A. The dierent methods to formalize programming languages 7 Appendix B. A note on the modal core of the system 8 Appendix C. Interpretation of type A in the case A is pure

y

INRIA, 2004 Route des Lucioles - B.P. 93. F-06902 Sophia-Antipolis Cedex, France.

[email protected], [email protected]

2 3 3 5 6 7 9 10 11 14 14 15 16 17 18 19

Joëlle Despeyroux and Pierre Leleu

2

1. Introduction Higher order abstract syntax (PE88) is a representation technique which proves to be useful when modelizing in a logical framework a language which involves bindings of variables. Thanks to this technique, the formalization of an (object-level) language does not need denitions for free or bound variables in a term. Nor does it need denitions of notions of substitutions, which are implemented using the meta-level application, i.e. the application available in the logical framework. Hypothetical judgments are also directly supported by the framework. On the other hand, inductive denitions are frequent in mathematics and semantics of programming languages, and induction is an essential tool when developing proofs. Unfortunately it is well-known that a type dened by means of higher order abstract syntax cannot be dened as an inductive type in usual inductive type theories (like CCI (Wer94), (PM92), or Martin-Löf's Logical Framework (NPS90) for instance). In a rst step towards the resolution of this dilemma, Frank Pfenning, Carsten Schürmann and the rst author have presented (DPS97) an extension of the simply-typed -calculus with recursive constructs (operators for iteration and case reasoning), which enables the use of higher order abstract syntax in an inductive type. To achieve that, they use the operator ` ' of modal logic IS4 to distinguish the types À ! B ' of the functional terms well-typed in the simply-typed -calculus from the types ` A ! B ' of the functional terms possibly containing recursive constructs. In this paper, we present an alternative presentation of their system that we claim to be better in several aspects. We use the same mechanism as them to mix higher order abstract syntax and induction but our typing and reduction rules are quite dierent. Indeed there are several presentations of modal -calculus IS4 (BdP96), (PW95), (DP96). We have chosen the variant by Frank Pfenning and Hao-Chi Wong (PW95), which has context stacks instead of simple contexts. This peculiarity creates some diculties in the metatheoretical study but the terms generated by the syntax are simpler than those of (DPS97) (no 'let box' construction), and so this system is more comfortable to use. Moreover, instead of introducing an operational semantics which computes the canonical form (-long normal form) using a given strategy, our system has reduction rules, which allow a certain nondeterminism in the mechanism of reduction. We have been able to adapt classic proof techniques to show the important metatheoretic results: decidability of typability, soundness of typing with respect to typing rules, Church-Rosser property (CR), Strong Normalization property (SN) and conservativity of our system with respect to the simply-typed -calculus. The main problems we encountered in the proofs are on one hand due to the use of functional types in the types of the recursive constructors, and on the other hand due to the use of -expansion. To solve the problems due to -expansion, we benet from previous works done for the simply-typed -calculus (JG95) and for system F (Gha96). In the second section of the paper, we introduce our version of the modal inductive system, its syntax, its typing and reduction rules. Then in the third section, we prove its essential properties (soundness of typing, CR, SN) from which we deduce that it is a conservative extension of the simply-typed -calculus. Finally, we discuss related works

Recursion over Objects of Functional Type

3

and outline future work. A full version of this paper with complete technical developments is available in (Lel97).

2. The System In this section, we present the syntax, the typing rules and the semantics of our system. First, let us briey recall our motivations. Higher-Order Abstract Syntax The mechanics of higher order abstract syntax (HOAS) has already been exposed in many places, for example in (HHP93). Let us introduce here a simple example of representation using HOAS, that will be useful later when we illustrate the mechanism of the reduction rules. The interested reader will nd a short discussion on the dierent methods to formalize programming languages in appendix 6. Suppose we want to represent the untyped -terms in the simply-typed -calculus with no extra equations. We introduce the type L of untyped -terms together with two constructors lam : (L ! L) ! L and app : L ! L ! L. It is well-known (HHP93) that the canonical forms ( -normal -long) of type L are in one-to-one correspondence with the closed untyped -terms and that this correspondence is compositional. For instance the term of type L (lam x : L:(app x x)) represents the untyped -term x:(x x). Now, these constructors do not dene an inductive type in usual inductive type theories like the Calculus of Inductive Constructions (Wer94) or the Extended Calculus of Constructions (Luo94) because of the leftmost occurence of L in the type of constructor lam. If we allowed this kind of inductive denition, we would be confronted with two serious problems. First, we would lose the one-to-one correspondence between the objects we represent and the canonical forms of type L ! ! L. For instance, if we have a Case construct (denition of a function by case over inductive terms), the term (lam x : L:Case x of : : : ) does not represent any untyped -term. Moreover we would lose the important property of strong normalization; more precisely we could write terms which would reduce to themselves. Our goal is to introduce a system which repairs these deciencies. Following (DPS97), we will use the modal operator ` ' of modal logic IS4 to distinguish the types À ! B ' of the functional terms well-typed in the simply-typed -calculus from the types ` A ! B ' of the functional terms possibly containing recursive contructs. For instance, in our system, a term such as `x : L:Case x of : : : ' will have type L ! L whereas constructor `lam' will have type (L ! L) ! L. Thus, our typing judgment will rule out undesirable terms such as `(lam x : L:Case x of : : : )'.

2.1. Syntax The system we present here is roughly the simply-typed -calculus extended by pairs, modality IS4 and recursion. We discuss the addition of polymorphism and dependent types in the conclusion.

4


Types To describe the types of the system, we consider a countable collection of constant types Lj (j 2 IN ), called the ground types. In our approach, they play the role of inductive types. The types are inductively dened by: Types : T := Lj j T1 ! T2 j T1 T2 j T A type is said to be pure if it contains no ` ' operator and no product.

Context stacks Following the presentation of (PW95), we have context stacks instead

of simple contexts. As usual a context ? is dened as a list of unordered declarations x : A where all the variables are distinct. A context stack is an ordered list of contexts, separated by semi colons ?1 ; : : : ; ?n . `.' denotes the empty context as well as the empty stack. Each stack can be viewed as a Kripke word. Notations. A context stack is said to be valid if all the variables of the stack are distinct. We call local context of a stack = ?1 ; : : : ; ?n the last context of the stack: ?n . The notation `; ?', where is a stack ?1 ; : : : ; ?n and ? is a context, is the stack ?1 ; : : : ; ?n ; ?. Similarly, the notation `; 0 ', where is the stack ?1 ; : : : ; ?n and 0 is the stack ?01 ; : : : ; ?0m , is the stack ?1 ; : : : ; ?n ; ?01 ; : : : ; ?0m . If is a valid stack of m contexts ?1 ; : : : ; ?m and n is an integer, n denotes the stack where the last n contexts have been removed: ?1 ; : : : ; ?m?n if n < m, and the empty stack `.' if n m.

Terms We view open terms of type L, depending on n variables of type L, as functional terms of type Ln = L ! ! L ! L, as in (DH94). For example, terms in the untyped

-calculus given in Section 2 will have three possible forms, envolving what we called higher-order constructors, written with vectorial notations: app : ?! x : ?! L :(app P Q) lam : ?! x : ?! L :(lam P ) var : ?! x : ?! L :xi In general of course, the type of a constructor of a pure type L contains other types than L. Before describing the set of the terms, we consider a nite collection of constant ? terms (the constructors ) Cj;k , given with their pure type: Bj;k;1 ! ! Bj;k;n ! Lj , where each Bj;k;l is a pure type and Lj is a ground type. If nj;k = 0, the type of Cj;k is simply Lj . The terms are inductively dened by: j;k

Terms : M := x j Cj;k j (M N ) j x : A:M j " M j # M j hM1 ; M2 i j fst M j snd M j hiCase M of (Mj;k ) j hiIt M of (M 0 j;k ) where is a function mapping the ground types Lj (j 2 IN ) to types, (Mj;k ) and (M 0 j;k ) are collections of terms indexed by the indexes of the constructors. We delay till Section 2.4 the explanation of the arguments of operators `Case' and Ìt'. The modal operator `"' introduces an object of type A while the operator `#' marks the elimination of a term of type A. As usual, terms equivalent under -conversion are identied.


5

2.2. Typing Rules Typing Rules for Case and Iteration on a Simple Example We give rst the typing rules for Case and It for the untyped -calculus example of Section 2. Except for the use of the operator, and the use of Ln instead of L, there are pretty standard for the app case. Note how the use of Ln enables us to extend the usual case (app) to the fonctional case (lam) in an intuitive manner: ; ? ` M : Ln ; ? ` Mapp : Ln ! Ln ! A ; ? ` Mlam : Ln+1 ! A ; ? ` hiCase M of Mapp Mlam : An 0 :A!A!A 0 : (A ! A) ! A ; ? ` Mapp ; ? ` Mlam 0 0 M : An ; ? ` hiIt M of Mapp lam where A = (L) is the resulting type of the case or iteration process on M . The Case and It functions take as arguments the resulting values for the n variables of the term M being analysed; hence the resulting type An for both operators in the above rules.

; ? ` M : Ln

Examples Let us assume that we have dened the types of the integers `Nat' by declaring two constructors `0 : Nat' and `S : Nat ! Nat'. We can informally dene the function which counts the number of bound variables in an untyped -term by: Count(app M N ) = Count(M ) + Count(N ) Count(lam x : L:(M x)) = Count(M x), where Count(x) = 1 This function can be implemented in our system using the It construct, where = fL 7! Natg. Count has type L ! Nat: Count := (hiIt m; n : Nat::(plus m n) p : Nat ! Nat:(p " (S 0)))

The function `Form' of type (L ! L) ! Nat, which returns 0 if its argument is a free variable, 1 if it is an abstraction term and 2 if it is an application, can be dened as follows: Form M := (hiCase M of u; v : (L ! L)::2 f : (L ! L ! L):1 0) The Typing Rules The typing rules are a combination of the rules for simply-typed -calculus, for pairs and projections, for modal -calculus IS4 (PW95) and the new rules for the recursive constructs `Case' and Ìt'. Due to lack of place we do not give the rules for pairs and projections here. The rules are written in Figure 1 with the following notations: Notations Bj;k;1 , : : : , Bj;k;n are pure types. Lj is an inductive type. (Ti )i=1;:::;p is a collection, possibly empty, of pure types. Each Ti can be decomposed as Ti 1 ! ! Ti r ! Li , where Li is a ground type and each Ti j is a pure type. i=p Given the types C , D1 , : : : , Dp , we denote D1 ! ! Dp ! C by i =1Di :C . j;k

i

6


x : A 2 local context of valid `x:A ; x : A ` M : B () ` x : A:M : A ! B (Var)

(")

; : ` M : A `" M : A

(C ) j;k

`C

(#)

i

(Case)

`M : A `# M : A

(Pop)

j;k;1

j

j;k;nj;k

q

p

i

i

n

j;k

z =p

(It)

`M :

= i

T :B =1

i

i

` h iCase M of (M ) : T =1

T :L =1

i

p

i

n

`M

` h iIt M of (M

0

0

0

z

z

(B : =1 q

p

i

j;k;q

A ; ? valid A

2 IN

:(L ) j

:(L )

q =nj;k

j;k

j;k

=

nj;k

q

j;k

`M : ; ? ` M :

valid, n

! ! B !L = = `M : `M : T :L =1 =1 :B

j;k

`M :A!B `N :A ` (M N ) : B

(App)

j;k;q

n

): (L ) j

i=p

j;k

): (T ):(L ) =1 i

i

n

Fig. 1. Typing rules

We dene T 0z by: T 0 z := (T1 ! ! Tp ! Tz1 ) ! ! (T1 ! ! Tp ! Tzr ) ! (Lz ) z

The map from ground types to types is extended over pure types by the equation: (A ! B ) = (A) ! (B ). These typing rules may seem complex at rst sight but they are naturally derived from the behaviour of the Case and It operators with respect to reduction (sections 2.4, 2.4). Although expressed dierently, our typing rules are similar to those in (DPS96) (in which one can nd many examples), with a more user friendly modal core. See appendix 7 for a discussion on the two systems. 2.3. Basic Properties The system allows the same basic stack manipulations as the modal -calculus IS4 without Case and It (PW95). In particular, as usual, the typing judgments are preserved by thinning and strengthening. Later, these properties will still be true for typed reduction and the interpretations of types. The substitution rule is still admissible:

Proposition 2.1 (Admissibility of (Subst) Rule).

The following rule is admissible: ;x : A ` M : B (Subst) ` N :A` M [N=x ]:B


7

The inversion lemmas are not totally trivial because our typing rules are not syntaxdriven. If we try to type a term of type A, we can always apply rule Pop as well as the structural rule for M . Nevertheless, they remain fairly simple (see (Lel97)). A typically non standard inversion rule is the one for the App case. Rule App, seen from bottom to top, may break a modal type B into two types A ! B and A which are no more modal. Thus, when faced with an application, we try to apply the rule Pop as much as we can (i.e. remove the local context till we have free variables of the term in the local context).

Proposition 2.2 (Inversion lemmas for App). If ` (M N ) : B then there is a type A such that n ` M : A ! B and n ` N : A (n 2 IN ), where n = 0 if B is not of the form C and otherwise n is the least integer

such that n contains some free variables of (M N ). The inversion lemmas allow us to prove the uniqueness of type property (i.e. if ` M : A and ` M : A0 then A = A0 ) and to nd an algorithm which determines if a term M is typable in a stack and which returns the type of M in if it is typable (decidability of typability). 2.4. Reduction Rules Now, we turn to the reduction rules of our system. They are inspired by the reduction rules for Case and It that have been suggested to us by Martin Hofmann as a means to describe the evaluation mechanism of (DPS97). These reduction rules are also the ones underlying the terms and induction principles presented in (DH94) in the Calculus of Inductive Constructions. Indeed this research was undertaken with this main idea in mind: our approach to HOAS (i.e. considering terms in Ln = L ! ! L instead of terms of type L (DH94)) should lead to a much more elegant system than the usual approach. The result seems to conrm our intuition. Reduction Rules for Case and Iteration on a Simple Example First we show the reduction rules for Case and It in the simple setting of the example of Section 2. For the sake of simplicity we introduce some notations.

Notations. For any type B, the type Bn (n 2 IN ) is dened by B0 := B and Bn+1 := B ! Bn . We consider a map from the inductive types to types such that (L) = A, terms Mapp of type Ln ! Ln ! A, Mlam of type Ln+1 ! A, M 0app of type A ! A ! A and M 0 lam of type (A ! A) ! A. We dene two macros 'case' and 'it' by: case M := hiCase M of Mapp Mlam it M := hiIt M of M 0 app M 0 lam Reduction Rules for the untyped -terms In our example, the reduction rules for Case and It are the following ones:


8

(case " ?! x : ?! L :(app P Q)) ,! ?! u : ?! A :(Mapp " ?! x : ?! L :P " ?! x : ?! L :Q) ? ! ? ! ? ! ? ! ? ! ? ! (case " x : L :(lam P )) ,! u : A :(Mlam " x : L :P ) (case " ?! x : ?! L :xi ) ,! ?! u : ?! A :ui (it " ?! x : ?! L :(app P Q)) ,! ?! u : ?! A :(M 0 app ((it " ?! x : ?! L :P ) ?! u) ? ! ? ! ? ! ((it " x : L :Q) u )) ? ! ? ! 0 ? ! ? ! x : ?! L :P ) ?! u )) (it " x : L :(lam P )) ,! u : A :(M lam ((it " ?! ? ! ? ! ? ! ? ! (it " x : L :xi ) ,! u : A :ui The rst argument of the Case and It constructs, M , is the inductive term to analyze (representing an untyped -term in our example). The second one, Mapp , is the function which processes the case of constructor àpp'. The third argument, Mlam, is the function which processes the case of constructor `lam'. Roughly speaking the `Case' construct computes its result by applying Mapp or Mlam to the sons of its main argument. For iteration, the mechanism of reduction is a bit dierent: the terms M 0app and M 0 lam are applied to the result of Ìt' on the sons of the main argument. Operationally, the eect of Ìt' on a term M amounts to replacing the constructors lam and app by the terms M 0lam and M 0 app in M (see (DPS97)). Now since we want to benet from higher order declarations, the main argument of Case/It may have a functional type. In particular we also want to be able to compute Case/It of a projection ?! x : ?! L :xi without a leftmost constructor. That is the reason for the functional type of Case/It constructs : they take as input the values of the computation for the projections (see (DPS97)). Examples. Let us recall here the example 2.2 from the beginning of this section:

Count := (hiIt m : Nat:n : Nat:(plus m n) p : Nat ! Nat:(p " (S 0))) Count has type L ! Nat. Let us give an example of computation: let us count the number of bound variables in the untyped -term (x:x x:x):

: ` (Count " (app (lam x : L:x) (lam x : L:x))) ,! (m : Nat:n : Nat:(plus m n) (Count " (lam x : L:x)) (Count " (lam x : L:x))) which reduces to " (S (S 0)) since: : ` (Count " (lam x : L:x)) ,! (p : Nat ! Nat:(p " (S 0)) (Count " x : L:x)) ,! ((Count " x : L:x) " (S 0)) ,! (u : Nat:u " (S 0)) ,!" (S 0)


9

To further illustrate the reduction mechanism, let us recall the example 2.2 of the form function: Form M := (hiCase M of u : (L ! L):v : (L ! L):2 f : (L ! L ! L):1 0) For instance, the following reductions hold: (Form " x : L:x) ,! (n : Nat:n 0) ,! 0 (Form " x : L:(lam y : L:x)) ,! (n : Nat:(f : (L ! L ! L):1 " x : L:y : L:x) 0) ,! 1 Reduction Rules Now we describe the whole set of reduction rules. Given a term of our calculus, what we want to obtain at the end of the computation is the term of the object language it represents. As we have seen earlier (Section 2), the canonical forms ( -normal -long) are in one-to-one correspondence with the object terms. Thus we want the computation to return canonical forms. That means our reduction rules will incorporate -expansion. The -expansion reduction rule has been thoroughly studied (see (CK93), (Aka93), (JG95)). Adopting it forces us to restrict the reduction rules in some way if we still want Strong Normalization. Thus the reduction we will consider will not be a congruence (more precisely it will not be compatible with the application) and this will induce slight changes in the usual schemes of the proofs of the Church-Rosser and Strong Normalization properties. The purpose of these restrictions is to prevent -expansions to create new -redexes which generate reduction loops. For instance, if we allowed an abstraction to be expanded, x : A:M could reduce to y : A:(x : A:M y) and then to y : A:M [y=x], which is -convertible to x : A:M . Thus we forbid -expansion of an abstraction. Similarly, we cannot allow -expansion of the left argument of an application because otherwise we would have ` (M N ) ,! (z : A:(M z ) N ) ,! (M N ) : B . The choice of -expansion also means we have to keep track of the types of the terms. Indeed a term can only be -expanded if it has type A ! B . Thus we will dene a notion of typed reduction. The reduction relation is dened by the inference rules in Figures 2 (simple types and modality) and 3 (Case and It). We have omitted the product rules and the compatibility rules other than (Appl), which are straightforward. As usual we dene the relations ,! and = (conversion) respectively as the reexive, transitive and the reexive, symmetric, transitive closures of ,!.

3. Metatheoretical Results The classic properties of subject reduction, conuence and strong normalization have already been established for a modal -calculus IS4 without induction (Lel97; DL99a). Here we extend these results to the recursive operators Case and It.

10

Joëlle Despeyroux and Pierre Leleu ( )

` (x : A:P Q) : B ` (x : A:P Q) ,! P [Q=x] : B

( ) ` M : A ! B M is not an abstraction ` M ,! x : A:(M x) : A ! B (Appl )

`M

x fresh

( )

`#" M : A `#" M ,! M : A

( )

`"# M : A `"# M ,! M :

A ` M ,! N : A (Pop) ; ? ` M ,! N : A

,! M : A ! B (6= -step) ` N : A ` (M N ) ,! (M N ) : B 0

0

Fig. 2. Reduction rules. Simple types and modality = " ?! x : ?! T :(C M1 : : : M ) of (M ) : =1T :(L ) (Case C ) ! ` h iCase " ? x : ?! T :(C M1 : : : M ) of (M ) ,! = ? ! ? ! u : T :(M " ?! x : ?! T :M1 : : : " ?! x : ?! T :M ) : =1T :(L ) = ! ` h iCase " ? x : ?! T :(x M1 : : : M ) of (M ) : =1T :(L ) (Case x ) ! ` h iCase " ? x : ?! T :(x M1 : : : M ) of (M ) ,! = ? ! ?! u : T :(u " ?! x : ?! T :M1 : : : " ?! x : ?! T :M ) : =1T :(L ) = ! ` h iIt " ? x : ?! T :(C M1 : : : M ) of (M ) : =1(T ):(L ) (It C ) ! ` h iIt " ? x : ?! T :(C M1 : : : M ) of (M ) ,! ? ? ! ?! u : (T ):(M (hiIt " ?! x : ?! T :M1 of (M ) ?! u ) ::: = ? ! ? ! ? ! of (M ) u )) : (T ):(L ) (h iIt " x : T :M =1 = ! ` h iIt " ? x : ?! T :(x M1 : : : M ) of (M ) : =1(T ):(L ) (It x ) ! ) of (M ) ,! ` h iIt " ? x : ?! T :(x M1 : : : M ?! ? ? ! ? ! u : (T ):(u (hiIt " ?! x : T :M1 of (M ) ?! u ) ::: = ? ! ? ! ? ! (T ):(L ) (h iIt " x : T :M of (M ) u )) : =1

` h iCase

z

nj;k

j;k

j;k

nj;k

j;k

z

nj;k

z

rk

j;k

rk

k

j;k

0

nj;k

j;k

nj;k

j;k

0

0

0

nj;k

k

rk

0

0

z

n

n

z

n

p

i

i

n

j;k

i

j;k

0

rk

0

z

z

j;k

0

k

0

p

i

p

j;k

j;k

k

p

z

rk

k

j;k

n

z

z

k

0

z

j;k

j;k

k

0

z

j;k

0

p

i

j;k

p

i

i

n

p

i

i

n

j;k

0

k

rk

0

j;k

i

j;k

i

p

i

n

Fig. 3. Reduction rules for Case and It

3.1. First Results First, we state soundness of typed reduction with respect to typing rules. It is easily proved by induction on the derivation of the rst hypothesis.

Theorem 3.1 (Soundness of reduction). If ` M ,! M 0 : A then ` M : A and ` M 0 : A. The relationship between substitution and typed reduction is not as easy as in the simply-typed -calculus. If P ,! P 0 and Q ,! Q0 then we do not have any more P [Q=x] ,! P 0 [Q0 =x] because of the side-conditions of reduction rules () and (Appl ). Thus we only prove weak forms of the usual results. For instance, if ; x : A ` P : B and


11

` Q ,! Q0 : A, we only state that there is a term R such that ` P [Q=x] ,! R : B and ` P [Q0 =x] ,! R : B . Nevertheless, these results enable us to prove the local conuence property:

Lemma 3.2 (Local Conuence). If ` M ,! N : A and ` M ,! P : A then there is a term Q such that ` N ,! Q : A and ` P ,! Q : A. 3.2. Strong Normalization Now we briey sketch our proof of the Strong Normalization theorem for our system. The proof follows the idea of normalization proofs `à la Tait' and is inspired by (Wer94) (for the inductive part) and (Gha96) (for the -expansion part). 3.2.1. Reducibility Candidates First we give a denition of the reducibility candidates (GLT89) adapted to our setting. Let us call the set of our terms, dened in Section 2.1.

Denition 3.3 (Reducibility Candidates).

Given a type A, the reducibility candidates CRA are sets of pairs (; M ) of a context stack and a term. They are dened as follows: CR1 8(; M ) 2 C , M is strongly normalizing in (i.e. there is no innite sequence of reductions starting from M in ). CR1' C f(; M ) j ` M : Ag CR2 8(; M ) 2 C such that ` M ,! M 0 : A, we have (; M 0 ) 2 C . CR3 If M 2 NT , ` M : A and forall M 0 such that ` M ,! M 0 : A (6= -expansion), (; M 0 ) 2 C then we have (; M ) 2 C . CR4 If A = B ! C and (; M ) 2 C then (; z : B:(M z)) 2 C , where z is a fresh variable. where NT = n (fx : A:M j M 2 g [ f" M j M 2 g [ fhM; N i j M; N 2 g).

Note that instead of taking sets of terms, we consider sets of pairs of a stack and a term. Indeed, since, because of -expansion, our reduction is typed, it is convenient for the reducibility candidates to contain well-typed terms. In rule CR3, the restriction ` M ,! M 0 : A is not an -expansion comes from (JG95). It has been introduced to cope with -expansions. The rule CR4 is also needed because of the -expansions (Gha96). As usual, if C and D belong to CRA then C \ D belong to CRA . Thus CRA is an inf-semi lattice. Next, we dene the sets C ! D, C D, C where C and D are two reducibility candidates:

Denition 3.4 (C ! D, C , C D). C ! D := f(; M ) j ` M : A ! B and 8?; 8((; ?); N ) 2 C ; ((; ?); (M N )) 2 Dg


12

C := f(; M ) j ` M : A and 80 stack s.t. (; 0 ) is valid; ((; 0 ); # M ) 2 Cg. CD := f(; M ) j ` M : AB and 8? context s.t. (; ?) is valid; ((; ?); fst M ) 2 C and ((; ?); snd M ) 2 Dg. In the denition of C , we need to extend the stack of contexts with 0 in order to get ((; 0 ); M ) 2 C whenever (; M ) 2 C (similarly to the case of C ! D). In the denition of C ! D, the context ? added to the stack is essential; In the

intermediate lemmas, it allows us to add fresh variables to the context. Proposition 3.5. If C and D are two C.R., then C ! D, C D and C are C.R. too.

3.2.2. Interpretation of Types and Contexts Following the sketch of normalization proofs 'à la Tait', we dene the interpretations of types.

Denition 3.6 (Interpretations of types). [ Lj ] := f(; M ) j ` M : Lj and M is SN in g, [ A ! B] := [ A] ! [ B] , [ A B] := [ A] [ B] , If A is not pure, [ A] := [ A] All the above interpretations are obviously C.Rs., except, maybe, for the rst case: Proposition 3.7 ([ Lj ] is a C.R.). The set [ Lj ] is a reducibility candidate. Proof. (CR1), (CR1'), (CR2) and (CR4) are immediate. (CR3) is easy: if M is neutral and if forall M 0 such that ` M ,! M 0 : Lj without -expansion, M 0 2 [ Lj ] , then we notice that actually all the reducts of M belong to [ Lj ] since M (of ground type Lj ) cannot be -expanded. Thus M is SN in and M 2 [ Ln ] . In order to dene [ A] in the case A is pure, we have to take into account the fact that A may be the type of the inductive argument of Case/It. The denition of [ A] in this case involves the smallest xpoint of a function we give in appendix 8. At this point, we have dened the interpretation of type [ A] for all the types A. The following theorem stems from the denitions of the interpretations of types. Theorem 3.8 ([ A] is a C.R.). Given any type A, the set [ A] is a C.R. Then we dene the notion of interpretation of context stack. Like in the classic case of the simply-typed -calculus, the interpretation [ ]] of stack in stack is a set of substitutions from to but the denition is a bit more complex here because we have to deal with context stacks, instead of simple contexts. Thus we use a non standard notion of substitution.

13


Denition 3.9 (Pre-substitution).

A pre-substitution from a stack to a stack is a mapping from the set of the variables declared in into the set of the terms with all their free variables in . A pre-substitution can be applied to a term M with all its free variables in . The result of this operation, denoted by (M ), is equal to term M where all its free variables x have been replaced by their images under , (x).

Notations. Given two stacks and , a pre-substitution from to , a variable x not declared in and M a term with all its free variables in , we denote by [x 7! M ] the pre-substitution from ; x : A to such that [x 7! M ](y) = (y) if y is declared in and [x 7! M ](x) = M . Given a stack 0 such that ; 0 is valid and a substitution 0 from 0 to , `; 0 ' denotes the pre-substitution from ; 0 to such that (; 0 )(x) = (x) if x is declared in and (; 0 )(x) = 0 (x) if x is declared in 0 . Denition 3.10 (Interpretation of context stack).

Given two stacks and , the interpretation of in , [ ]] , is a set of presubstitutions from to . It is dened by induction on : [ :] is the singleton whose only element is the empty pre-substitution from . to . [ ?; x : A] is the set of the pre-substitutions [x 7! M ], where belongs to [ ?]] and ( ; M ) is in [ A] . [ ; ?]] is the set of pre-substitutions ; 0 such that belongs to [ ]] (n 2 IN ) and 0 belongs to [ ?]] . where the notation n has been previously dened in Section 2.1. n

In the denition of [ ; ?]] , the requirement that belongs to [ ]] , more exible than the requirement that belongs to [ ]] , enables us to cope with the context stacks in the proofs. For example, we will have that belongs to [ ; :] ; whenever belongs to [ ]] . n

0

3.2.3. Soundness of Typing Now we reach the nal stage of the proof. The Strong Normalization property will be an easy corollary of the key lemma Soundness of Typing:

Lemma 3.11 (Soundness of Typing). If ` M : A and 2 [ ]] , then ( ; (M )) 2 [ A] . This lemma is proved by induction on the derivation of ` M : A. The most dicult case occurs for rule ("). It is solved by using the typing restrictions imposed by modality (see (Lel97)). The strong normalization theorem is then an easy corollary, using the fact that for any stack , the pre-substitution identity from to belongs to [ ]] .

Theorem 3.12 (Strong Normalization).

There is no innite sequence of reductions.


14

3.3. Conuence and Conservative Extension The conuence property is a corollary of the strong normalization (Theorem 3.12) and the local conuence results (this fact is often called Newman's Lemma, after (New42)).

Theorem 3.13 (Conuence). If ` M ,! N : A and ` M ,! P : A then there is a term Q such that ` N ,! Q : A and ` P ,! Q : A. As usual, the ùniqueness of normal forms' property is a corollary of the strong normalization and conuence theorems.

Corollary 3.14 (Uniqueness of normal forms). If ` M : A then M reduces to a unique canonical form in . The conservative extension property uses the strong normalization result together with the following technical lemma, which needs some notations. Notation. Given a stack ?1 ; : : : ; ?n , two variables x and y declared respectively in ?i and ?j , we say that y is declared in the future of x if j i. A term is said to be pure if it is a term of the simply-typed -calculus (that is to say it does not contain any Case/It, any modal operators, any pairs, nor any projections).

Lemma 3.15 (Possible forms of a canonical term). Given a stack and its local context ?, if ` M : B , M canonical form then: a) either M contains an impure variable of and all the free variables of M are in the future of an impure variable,

b) or M is an impure abstraction (i.e. the type of the bound variable is impure) and all the free variables of M belong to ?,

c) or M is of the form " N and N is closed, d) or M is of the form hM; N i and all the free variables of M and N belong to ?, e) or M is pure and B is pure. Moreover all the free variables of M belong to ?. Theorem 3.16 (Conservative extension). Our system is a conservative extension of the simply-typed -calculus, i.e. if ` M : A

with pure context stack and A pure type then M has a unique canonical form N which is pure.

4. Related Works Our system has been inspired by (DPS97). The main dierence is that the underlying modal -calculus is easier to use and seems to be better adapted to an extension to dependent types. Splitting the context in two parts (the intuitionistic and the modal parts) would most probably make the treatment of dependent types even more dicult, when representing a modal type depending on both non-modal and modal types. We also provide reduction rules, instead of a particular strategy for evaluation. Finally, due to that latter point and the fact that we have adapted well known proof methods, our metatheoretic proofs are much more compact and easier to read. As a consequence,


15

our system seems to be a better candidate for further extensions than the previous proposition. Raymond McDowell and Dale Miller have proposed (MM97) a meta-logic to reason about object logics coded using higher order abstract syntax. Their approach is quite different from ours, less ambitious in a sense. They do not provide a type system supporting the judgments-as-types principle. Instead, they propose two logics: one for each level (the object and meta levels). Moreover they only have induction on natural numbers, which can be used to derive other induction principles via the construction of an appropriate measure. Frank Pfenning and Carsten Schürmann have also dened a meta-logic `M2 ', which allows inductive reasoning over HOAS encodings in LF (PS98). Recent development of this meta-logic are a nice improvement of the system by Raymond McDowell and Dale Miller. It was designed to support automated theorem proving. This meta-logic has been implemented in the theorem prover Twelf, which gives a logical programming interpretation of M2 . Twelf has been used to automatically prove properties such as type preservation for Mini-ML, an impressive result for us. From our denition of valid terms in an object language Ln = L ! ! L ! L implemented in the Calculus of Inductive Constructions, we derived an induction principle, that we claimed to be more natural, and more powerful, than the usual ones (see the denitions of the Valid predicates in (DH94)). Martin Hofmann recently formalized this induction principle in a modal meta-logic, using categorical tools (Hof99). In this paper, he very nicely formalizes and compares, on the categorical level, several representations of terms using HOAS, and several induction principles currently used, sometimes without justications, for fonctional terms.

5. Conclusion and Future Work

We have presented a modal -calculus IS4 with primitive recursive constructs that we claim to be better than the previous proposition (DPS97). The conservative extension theorem, which guarantees that the adequacy of encodings is preserved, is proved as well as the Church-Rosser and strong normalization properties. Our main goal is now to extend this system to dependent types and to polymorphic types. This kind of extension is not straightforward but we expect our system to be exible enough to allow it. We have already proposed an extension of our system to dependent types, only with a non-dependent rule for eliminatin for the moment (DL99b; Lel98). A full treatment of dependent types would have given an induction principle that we did not succeed in justifying in our setting. The work by Martin Hofmann (Hof99) suggests that our induction principles should be provable. Another interesting direction of research consists in replacing our recursive operators by operators for pattern-matching such as those used in the ALF (MN94) system, implementing Martin-Löf's Type Theory (NPS90). Some hints for a concrete syntax for this extension have been given in (DPS97). Frank Pfenning and Carsten Schürmann are currently working on the denition of a meta-logic along these lines. A related domain is the design of a programming language based on some features


16

we have provided in our systems, in particular dependant types. Frank Pfenning and Hongwei Xi have recently proposed such a language, in the ML tradition (PX99).

Acknowledgments Thanks are due to Martin Hofmann for his suggestion for the initial

form of the reduction rules which, stengthening us in the intuitions we had in previous works, make it possible the present results. We also thank André Hirschowitz for many fruitful discussions.

References Y. Akama. On Mints' reduction for ccc-calculus. In Proceedings TLCA, pages 112. SpringerVerlag LNCS 664, 1993. Gavin Bierman and Valeria de Paiva. Intuitionistic necessity revisited. In Technical Report CSRP-96-10, School of Computer Science, University of Birmingham, June 1996. R. Di Cosmo and D. Kesner. A Conuent Reduction for the Extensional Typed -calculus. In Proceedings ICALP'93. Springer-Verlag LNCS 700, 1993. Joëlle Despeyroux. A higher-order specication of the pi-calculus. Submitted for publication, March 1999. Joëlle Despeyroux and André Hirschowitz. Higher-order syntax and induction in Coq. In F. Pfenning, editor, Proceedings of the fth Int. Conf. on Logic Programming and Automated Reasoning (LPAR 94), volume 822, pages 159173. Springer-Verlag LNAI, July 1994. Also appears as INRIA Research Report RR-2292 (June 1994). Joëlle Despeyroux and Pierre Leleu. Metatheoretic results for a modal -calcul. to appear in the Journal of Functional and Logic Programming JFLP, 1999. Joëlle Despeyroux and Pierre Leleu. Primitive recursion for higher-order abstract syntax with dependant types. In Proc. of the FLoC'99 IMLA Workshop on Intuitionistic Modal Logics and Applications, June 1999. Rowan Davies and Frank Pfenning. A modal analysis of staged computation. In Jr. Guy Steele, editor, Proceedings of the 23rd Annual Symposium on Principles of Programming Languages, pages 258270, St. Petersburg Beach, Florida, January 1996. ACM Press. Joëlle Despeyroux, Frank Pfenning, and Carsten Schürmann. Primitive recursion for higherorder abstract syntax. Technical Report CMU-CS-96-172, Carnegie Mellon University, Pittsburgh, Pennsylvania, August 1996. Joëlle Despeyroux, Frank Pfenning, and Carsten Schürmann. Primitive recursion for higherorder abstract syntax. In Philippe de Groote and J. Roger Hindley, editors, Proceedings of the TLCA 97 Int. Conference on Typed Lambda Calculi and Applications, Nancy, France, April 24, pages 147163. Springer-Verlag LNCS 1210, April 1997. An extended version is available as CMU Technical Report CMU-CS-96-172. Neil Ghani. Eta Expansions in System F. Technical Report LIENS-96-10, LIENS-DMI, Ecole Normale Superieure, 1996. Guillaume Gillard. A formalization of a concurrent object calculus up to alpha-conversion. submitted for publication, June 1999. Jean-Yves Girard, Yves Lafont, and Paul Taylor. Proofs and Types. Cambridge University Press, 1989. Loïc Henry_Greard. A proof of type preservation for the pi-calculus in Coq. Research Report RR-3698, Inria, December 1998. Also available in the Coq Contrib library.


17

Robert Harper, Furio Honsell, and Gordon Plotkin. A framework for dening logics. Journal of the Association for Computing Machinery, 40(1):143184, January 1993. Martin Hofmann. Semantical analysis of higher-order abstract syntax. In IEEE, editor, Proceedings of the International Conference on Logic In Computer Sciences, LICS, 1999. C.B. Jay and N. Ghani. The Virtues of Eta-Expansion. Journal of Functional Programming, 5(2):135154, April 1995. Pierre Leleu. A modal -calcul with iteration and case constructs. Research Report RR-3322, INRIA, December 1997. Pierre Leleu. Syntaxe abstraite d'ordre supérieur et récursion dans les théories typées. Phd thesis, École Nationale des Ponts et Chaussées (ENPC), December 1998. In French. Zhaohui Luo. Computation and Reasoning. Oxford University Press, 1994. Raymond McDowell and Dale Miller. A logic for reasoning with higher-order abstract syntax: An extended abstract. In Glynn Winskel, editor, Proceedings of the Twelfth Annual Symposium on Logic in Computer Science, Warsaw, Poland, June 1997. To appear. Lena Magnusson and Bengt Nordström. The ALF proof editor and its proof engine. In Henk Barendregt and Tobias Nipkow, editors, Types for Proofs and Programs, pages 213 237. Springer-Verlag LNCS 806, 1994. M.H.A. Newman. On theories with a combinatorial denition of èquivalence'. Ann. Math., 43(2):223243, 1942. Bengt Nordstrom, Kent Petersson, and Jan M. Smith. Programming in Martin-Lof's Type Theory: An Introduction, volume 7 of International Series of Monographs on Computer Science. Oxford University Press, 1990. Frank Pfenning and Conal Elliott. Higher-order abstract syntax. In Proceedings of the ACM SIGPLAN '88 Symposium on Language Design and Implementation, pages 199208, Atlanta, Georgia, June 1988. Christine Paulin-Mohring. Inductive denitions in the system coq. rules and properties. In J.F. Groote M. Bezem, editor, Proceedings of the International Conference on Typed Lambda Calculi and Applications, TLCA'93, Springer-Verlag LNCS 664, pages 328345, 1992. also available as a Research Report RR-92-49, Dec. 1992, ENS Lyon, France. Frank Pfenning and Carsten Schürmann. Automated Theorem Proving in a Simple Meta Logic for LF. In Proceedings of the CADE-15 Conference, Lindau - Germany, July 1998. Frank Pfenning and Hao-Chi Wong. On a modal -calculus for S4. In S. Brookes and M. Main, editors, Proceedings of the Eleventh Conference on Mathematical Foundations of Programming Semantics, New Orleans, Louisiana, March 1995. Electronic Notes in Theoretical Computer Science, Volume 1, Elsevier. Frank Pfenning and Hongwei Xi. Dependant types in pratical programming. In Proceedings of the POPL'99 International Conference, San Antonio, Texas, January 1999. Benjamin Werner. Une Théorie des Constructions Inductives. PhD thesis, Université Paris VII, Mai. 1994.

6. Appendix A. The dierent methods to formalize programming languages Beside higher order abstract syntax, there exist several methods for describing the notions of bound variables, substitutions, and hypothetical judgments occuring in the formalization of the semantics of programming languages. The heaviest method is the use of de Bruijn indexes. Developments using this approach usually devote 75 percent of the specications and proofs to the pure manipulations of de Bruijn indexes. We think that the


18

only case where this method should be chosen is the case where we want to bootstrap a system implemented using de Bruijn codes. The best alternative today to HOAS seems to us a method due to James Mc Kinna and Randy Pollack, which makes a distinction between free and bound variables by implementing them within two dierent sets. This method has been extensively used by its authors in the formalization of the Lego system in itself. A more recent method, due to Andrew Gordon and Tom Melham, is called ve axioms for -conversion. The idea is to provide an universal implementation of terms, that people could use for their formalizations of bound variables. Both methods lead to signicant overhead in the developments. The method of James Mc Kinna and Randy Pollack giving better results than the other. We have experimented all the above methods (except the de Bruijn code) on some proofs of properties of the -calculus. The proofs using the method of James Mc Kinna and Randy Pollack (Hen98) have exactly the same shape than the proofs using HOAS (Des99), with extra lemmas dealing with the existence of fresh variables, in various places. The proof using the method by Andrew Gordon and Tom Melham (Gil99) might be closer to a hand-written proof, where we are used to explicitly deal with the freshness of variables, but it is even much more heavy.

7. Appendix B. A note on the modal core of the system Although expressed a bit dierently, our typing rules are similar to those in (DPS96) (in which one can nd many examples), except two notable dierences: As noticed before, the modal core is dierent. We have context stacks instead of two contexts and our modal rules ("), (#) and (Pop) are expressed in a very simple way (like in (PW95)). In our last two typing rules the terms Mj;k and M 0 j;k are a priori indexed by all the indexes of the constructors. This means that we should dene one term Mj;k (or M 0 j;k ) per constructor Cj;k . Actually, when computing over inductive terms of type Ln , we only need to dene the terms Mj;k such that Ln and Lj are `mutually' inductive. This notion is essential for a future implementation of an extension of this system as a logical framework but is quite orthogonal to the properties we state and we prove in the rest of this work. The interested reader will nd the denition of mutual inductive types we could adopt here completely formalized in (DPS96). There exist several presentations of the modal core of our calculus in the literature. Let us briey recall them here. It is well known that the following rule for I , which would prevent the system to satisfy the substitution lemma, does not hold: ?À ? ` A ( I) The introduction and elimination rules for the operator of the IS4 system presented in Natural Deduction syle, using contexts, are a bit more complicated (BdP96): ? A A1 ; ; An ` A ( ) ? ` A1 ? ` A n I ?` A ? ` A ( E)


19

Adding terms to the above system in order to get a -calculus verifying the CurryHoward isomorphism, Gavin Bierman and Valeria De Paiva obtained the following rules (BdP96): ? ` M 1 : A 1 ? ` M n : An x1 : A 1 : : : x n : A n ` N : B ( ) I ? ` box N with M1 ; : : : ; Mn for x1 ; : : : ; xn : B ?`M : A ? ` unbox(M ) : A ( E ) Frank Pfenning and Rowan Davies found an interesting variant (DP96) of the previous system by splitting the contexts into two parts: one () for intuitionistic hypothesis, and a second one (?) for modal hypothesis. The introduction rule for becomes much simpler, while the elimination rule now needs a let construct to use modal hypothesis: ; : ` M : A ; ? ` box M : A ( I )

; ? ` M : A (; x : A); ? ` N : B ( ) E ; ? ` let box x = M in N : B

Finally, Frank Pfenning and Hao-Chi Wong proposed an implicit variant of the above system, which no longer needs a let construct (PW95). The idea is to use context stacks ( = ?1 ; ; ?n ) instead of usual contexts in the rules. Each context ?i maybe seen as a Kripke model. The price to pay, besides this non standard use of contexts, is the need for an extra Pop rule which makes the system apparently non deterministic (see rules ", # and Pop in Figure 1). We chose the lattest system because it is the simplest and more elegant one, as far as syntax is concerned. However, both the Pop rule and the non standard use of context stacks complicate a little bit the meta-theoretical study of the system. The interested reader might nd various mappings between the dierent presentations of the IS4 systems in the literature (see (DP96; PW95)).

8. Appendix C. Interpretation of type A in the case A is pure In the denition of [ A] , there is a missing case. In the case A is pure, we have to take into account the fact that A may be the type of the inductive argument of Case/It. Let us call S the set of the total functions that map a pure typeA to a C.R. for type i=p A. We dene the operator F from S to S by giving F (g) i=1 Ti :L for g 2 S , where Ti

20


are pure types and L is a ground type: 9 8 ( ; M ) j ` M : ( T ! : : : T ! L ) and > > 1 p > > > > 0 such that ; 0 is valid ; > > > > 8 > > > > > > q = n i = p > > > > 0 > > : ( L ) ; 8 (( ; ) ; M ) 2 g T :B j j;k i j;k;q > > > > q =1 i =1 > > > > q=n > > > > 0 0 > > = \ < 8((; ); M j;k ) 2 (Bj;k;q ): (Lj ); i=p q =1 F (g) i=1 Ti :L = > ((; 0 ); hiCase M of (M )) 2 > > j;k ; > > > > > z = p i = p m = r > > m > > > > g T :T : ( L ) : ( L ) ; i z > > z > > m =1 z =1 i =1 > > > > > > i = p > > > > 0 0 > > (( ; ) ; h i It M of ( M )) 2 ( T ) : ( L ) ; j;k i > > > > i =1 > > ; : 0 and ((; ); # M ) 2 [ T1 ! : : : Tp ! L] where is quantied over the total functions from ground types to types and is quantied over the total functions mapping each ground type Lj to a C.R.(L ) . We need to prove that F is an operator from S to S . The intuitive justication of this is the following. In the case A is a pure type and g is a function from pure types to C.R.s, F (g)(A) is a C.R., as the intersection of C.R.s. We then show that each component of the intersection is a C.R., as it veries properties CR1 to CR4. j;k

j;k

z

j

Proposition 8.1 (F is an operator from S to S ). If g belongs to S then F (g) belongs to S , i.e. for every pure type A, F (g)(A) is a C.R.

Proof. Consider a pure type A and a function g in S , that is a function from pure types to C.Rs for those types. We prove that F (g)(A) is a C.R. for A by showing that it is the intersection of CRs (i.e sets verifying conditions (CR1) to (CR4)) for A. (See (Lel97) for the complete proof.)

After proving that F is monotone, we are able to give a rigorous denition of [ A] when A is pure, involving the smallest xpoint of F : Denition 8.2 (Denition of [ A] , A pure). We call YF the smallest xpoint of F . By denition, for any pure type A, [ A] := YF (A). Of course, we have to justify this denition. First, we notice that S is an inf-semi lattice because the set of C.R. for a given type is an inf-semi lattice. Now, the existence of YF is proved by Tarski's lemma: F is a monotone operator from the inf-semi lattice S to the inf-semi lattice S . Note that [ A] , image of A by YF is itself a C.R.