Internal Program Extraction in the Calculus of Inductive Constructions

Internal Program Extraction in the Calculus of Inductive Constructions Paula Severi1 and Nora Szasz2 Universidad de la Repub lica { Montevideo, Uruguay Centro de Matematica, Facultad de Ciencias ([email protected]. uy) Instituto de Computacion, Facultad de Ingenieria ([email protected]. uy)

1 2

Abstract. Based on the Calculus of Constructions extended with inductive de nitions we present a Theory of Speci cations with rules for simultaneously constructing programs and their correctness proofs. The theory contains types for representing speci cations, whose corresponding notion of implementation is that of a pair formed by a program and a correctness proof. The rules of the theory are such that in implementations the program parts appear mixed together with the proof parts. A reduction relation performs the task of separating programs from proofs. Consequently, every implementation computes to a pair composed of a program and a proof of its correctness, and so the program extraction procedure is immediate.

1 Introduction In Coq [Bar99], the set construction fx : Aj(P x)g is used to write speci cations formed by a set A and a propositional function P over A. Then from an element in a set of the form (x : A)fy : Bj(P x y)g a program of type A!B can be extracted by means of an external function based on realizability interpretation [PM89]. The extracted program obtained in Coq does not belong to the system itself and hence it cannot be manipulated inside Coq. In [Sza97] and [SS01] a Theory of Speci cations with built-in program extraction is presented based on Martin Lof's Type Theory. This calculus internalizes the notion of realizability. Besides data types (sets) and propositions, we have a third sort of types for speci cations. The essential property of a speci cation is that it computes to a pair formed by a data type and a predicate over it. This concept of pair is not de ned as a mere existential or inductive type since it has its own particular reduction rules. Applying these rules, every object of a speci cation computes to a pair composed by a program and its correctness proof. The process of program extraction consists in rst computing the normal form of this reduction and then taking the rst projection. We can also extract the correctness proof internally by applying the second projection. The aim of this paper is to extend the Theory of Speci cations to include inductive types like natural numbers in order to be able to write useful examples and extract real programs. The idea in [SS01] of de ning a reduction relation that

captures the process of program extraction will be adapted to the framework of the Calculus of Constructions and be extended with inductive data types and inductive propositions. Next we describe brie y the structure of this paper. In section 2 we present the Veri cation Calculus as two copies of the same type system, one for programs and one for proofs. In section 3 we present the Theory of Speci cations: we introduce the syntax, the reduction relation ! and the type system of the theory. In section 4 we extend the Theory of Speci cations with inductive data types and propositions. In section 5 we show an example of how to extract a program using -reduction. In section 6 we prove that the -reduction is con uent and normalizing. We, then, show how the projections can be encoded in this theory and we prove that the function [[ ]] that computes the -normal form is a mapping from the Theory of Speci cations into the Veri cation Calculus. Finally, in section 7 we suggest some directions for future research.

2 Veri cation Calculus In this section we de ne the Veri cation Calculus (VC). This calculus contains two copies of the Calculus of Constructions extended with an in nite type hierarchy [Luo89] [Bar99], one for data types and the other for propositions.

De nition 2.1. The Veri cation Calculus VC is de ned as a pure type system [Bar92] with the following speci cation: i j i 2 Natg of sorts for 1. the set S of sorts is the union of an in nite set f i data types and an in nite set f j i 2 Natg of sorts for propositions, i; i+1 ) j i 2 Natg of 2. the set A of axioms is the union of the set f( i i +1 axioms for data types with the set f( ; ) j i 2 Natg of axioms for propositions, 3. the set R of rules is the union of the following sets: i; j; n ) j n=max(i; j ) and j 6= 0 or j =n=0g - the set f( of rules for data types, i; j; n ) j n=max(i; j ) and j 6= 0 or j =n=0g - the set f( of rules for propositions, i; j; n ) j n=max(i; j ) and j 6= 0 or j =n=0g - the set f( of rules for predicates over data types. dType

pType

dType

pType

dType

dType

dType

pType

pType

pType

dType

pType

pType

dType

pType

 We assume the reader to be familiar with the notion of Pure Type Systems and just recall some basic notions in order to make de nition 2.1 complete.

De nition 2.2. Let (S ; A; R) be a speci cation, i.e. a set S of sorts, a set A of axioms and a set R of rules. A pure type system is de ned by the following rules. (axiom) ` k1 :k2 (k1 ; k2 ) 2 A

(start) ?;?x:`U U`:kx:U x ? -fresh (weakening) ? `?;Ux::kU `?v`:Vv:V x ? -fresh

x:U ` V :k2 (k ; k ; k ) 2 R (product) ? ` U?:k`1 (x?; 1 2 3 :U )V :k3 (abstraction) ?; x:U? `` v[x:V:U ]v?:(x`:U(x):VU )V :k

? ` u:U (application) ? `?v:(`xv:Uu):VV [u=x ] ( -conversion) ? ` u:U ?? `` uU:U:k U = U ' 0

0



Remark 2.3. 1. The set R allows to form all combinations of functions amongst the three hierarchies taking care that the impredicativity appears only at level 0. 2. Instead of having an in nite type herarchy we could have a top level n and de ne R bounded by this level.

3 Theory of Speci cations 3.1 Syntax In this section we de ne the syntax of the Theory of Speci cations. We distinguish between data types, propositions and speci cations at a syntactical level. This distinction is made to be able to give a de nition of the reduction ! which does not depend on the typing relation.

De nition 3.1. Let V d, V p and V s be three pairwise disjoint sets of symbol

variables over , and respectively. We de ne the following sets by simultaneous induction. Nat j [V d :Td ]Td j [V p :Tp ]Td j [V s :Ts ]Td j Td Td j Td Tp j Td Ts Td := V d j j (V d :Td )Td j (V p :Tp )Td j (V s :Ts )Td Nat j [V :Td ]Tp j [V p :Tp ]Tp j [V s :Ts ]Tp j Tp Td j Tp Tp j Tp Ts Tp := V p j j (V d :Td )Tp j (V p :Tp )Tp j (V s :Ts )Tp Nat j [V d :Td ]Ts j [V p :Tp ]Ts j [V s :Ts ]Ts j Ts Td j Ts Tp j Ts Ts Ts := V s j j hTd ; Tp i j (V d:Td )Ts j (V p :Tp )Ts j (V s :Ts )Ts where Nat stand for the set of natural numbers.  dTypes

dType

pType

sType

pTypes

sTypes

De nition 3.2. The set of contexts is de ned as: C := ( ) j C ; V d :Td j C ; V p :Tp j C ; V s :Ts



We use the following conventions for metavariables: xd, yd, . . . for elements in V d , xp, yp, . . . for elements in V p , xs; ys; : : : for elements in V s , x; X; y; Y : : : for elements in V d [ V p [ V s , ? ,
, : : : for contexts, A, B , a, b, : : : for elements in Td , P , Q, p, q , : : : for elements in Tp , S , T , s, t, : : : for elements in Ts , U , V , u, v : : : for elements in Td [ Tp [ Ts n, n, n with n 2 Nat. k; k1 : : : for dType

pType

sType

3.2 Reduction

In this section we de ne the reductions ! and ! . We rst de ne the reduction relation ! that performs the task of splitting elements of Ts into pairs. Since variables over speci cations should also reduce to pairs, we assume that there is an association between variables given by an injective function :V s !V d V p .

De nition 3.3. Let :V s !V dV p be an injective function. We de ne the reduction ! on pseudoterms as follows. First we give the rules for variables in V s (vars over ) xs ! (xs) sTypes

n: Now we give rules for the sorts n n n ](xd ! n )i ( ) ! h ; [xd: The following rules state the distributivity law of a non-pair constructor over a pair constructor. (us prod) (x:U )hA ; P i! h(x:U )A ; [f :(x:U )A](x:U )(P (f x))i (us abstr) [x:U ]ha ; pi ! h[x:U ]a ; [x:U ]pi (us appl) ha ; pi u ! ha u ; p ui Note that the rst rule is the axiom of choice for which implication has been replaced by reduction. The following rules state that a function whose domain is a pair is split into two functions. (su prod) (xs:hA ; P i)U ! (xd:A)(xp:(P xd))U if (xs) = hxd ; xpi (su abstr) [xs:hA ; P i]u ! [xd:A][xp:(P xd)]u if (xs) = hxd ; xpi (su app) u ha ; pi ! u a p The following rules erase proofs that occur inside programs. (pd prod) (xp:P )A! A if xp; xs 62 FV (A) and (xs) = hxd ; xpi (pd abst) [xp:P ]a ! a if xp; xs 62 FV (a) and (xs) = hxd ; xpi (pd app) a p ! a sType

sTypes

sType

dType

dType

pType

Moreover, we have compatibility rules for ! .



De nition 3.4. We denote ! ! the re exive, symmetric and transitive closure 

of ! .

In order to ensure con uence for -reduction, we must restrict the -reduction to abstractions and arguments of the same category of types and put an extra condition on the variables. There are three problematic cases that can cause the lost of con uence. The rst two cases are presented when we substitute xd or xp in a term that contains xs. The last case is presented when we substitute xs in a term that contains xd or xp. We now introduce some de nitions for these problematic cases.

De nition 3.5. Let (xs) = hxd ; xpi.

1. Either a variable xd or xp is -free in a term u if xs 2 FV (u). 2. A variable xs is -free in a term u if xd; xp 2 FV (u).



The reduction ! is now de ned as follows:

De nition 3.6. Let :V s !V dV p be an injective function. We de ne the reduction ! on pseudoterms as follows. ([xd:A]u) a ! u[a=xd] if xd is not -free in u ([xp:P ]u) p ! u[p=xp] if xp is not -free in u ([xs:S ]u) s ! u[s=xs] if xs is not -free in u  Remark 3.7. In the following example we show how con uence is lost if some of the conditions in the de nition of -reduction are dropped. Let (xs) = hxd ; xpi. ([xs:hA ; P i]xs) ha ; pi ! ! ([xd:A][xp:(P xd)]xs) a p # # ha ; pi ([xp:P ]xs) p jj # ha ; pi xs These last two terms cannot be joined. Notice that the problem in this example is that the variable xd is -free in the term xs. Instead of having the extra conditions in the -rule, we could have solved this problem in dierent ways. In the case that xs is not -free in u, we could have changed the de nition of substitution using the projections as in [SS01]. In the case that xd or xp are not -free in u, we could have restricted substitutions to the normal form of the reduction given in de nition 6.9. The just mentioned solution has some disadvantages. First it is necessary to add projections as prede ned constants, second it is already making a chose for a strategy of reduction and nally, it does not solve the three cases in a uniform way.

3.3 Type System In this section we present the type system of the Theory of Speci cations (TS) as an extension of the Veri cation Calculus.

De nition 3.8. The speci cation T S for the Theory of Speci cations as a pure type system is as follows. 1. The set S s of sorts is the union of following sets: i j i2Natg of sorts for data types, { the set f i j i2Natg of sorts for propositions, { the set f i { the set f j i2Natg of sorts for speci cations of programs, s 2. The set A of axioms is the union of the following sets: i; i+1 ) j i2Natg of axioms for data types, { the set f( i i+1 ) j i2Natg of axioms for propositions, { the set f( ; i i +1 { the set f( ; ) j i2Natg of axioms for speci cations, i; j; n ) j n=max(i; j ) and j 6= 0 3. The set Rs of rules is f( or j =n=0, and are , or g dType

pType sType

dType

dType

pType

pType

sType

sType

uType

u,v

d p

vType

vType

s

 Remark 3.9. The same comments mentioned in remark 2.3 are applied to T S . However in this case, some care should be taken in the triples allowed in Rs to ensure typability of the abstraction that appears as second component in the n. normal form of sType

De nition 3.10. Let : V s ! V d  V p be an injective function and the speci cation T S de ned above. The Theory of Speci cations is inductively de ned by adding (or replacing) the following rules to the ones for pure type systems (de nition 2.1): i ? ` S: (s-start) ?; xs:S ` xs:S xs; xd; xp ? sType

fresh

i ? ` v :V xs; xd; xp ? -fresh (s-weakening) ? ` S?;:sType xs:S ` v:V

:A ? ` xp:P xd (xs) = hxd ; xpi. (svar) ? ` xd ? ` xs:hA ; P i :hA ; P i (xs) = hxd ; xpi (dvar) ? `? xs ` xd:A ? ` xs ;Pi (pvar) ? ` xp:h:A P xd (xs) = hxd ; xpi n ? ` P :A ! pTypen (pair) ? ` A:dType ? ` hA ; P i:sTypen

n (object pair) ? ` a:A ? ?` p`:Phaa; p?i:h`A h; AP i; P i:sType ? ` u:U x is not -free in V (application) ? `?v:(`xv:Uu):VV [u=x ] (-conversion) ? ` u:U ?? `` uU:U:k U = U ' 0

0



Remark 3.11.

1. In the start and weakening rules for variables for speci cations, not only xs is required to be ? -fresh but so are its corresponding variables xd and xp. 2. The rules svar, dvar and pvar are quite unusual. They allow to type xs knowing the type of xd and xp and conversely. 3. In the application rule substitution is performed in the type and hence an extra side condition for variables is necessary as in the de nition of -reduction. 4. Note that both Generation Lemma and Uniqueness of Types hold for this system. In spite of the fact that there are two rules that assign type to pairs (besides the conversion rule), the type is always unique (up to conversion).

De nition 3.12. 0. 1. A term A is a data type if there exists a context ? such that ? ` A: A term a is a program if there exists a data type A and a context ? such 0. that ? ` a:A . We abbreviate := 0. 2. A term P is a proposition if there exists a context ? such that ? ` P : A term p is a proof if there exists a context ? and a proposition P such that 0. ? ` p:P . We abbreviate := 0. 3. A term S is a speci cation if there exists a context ? such that ? ` S : An term s is an implementation if there exists a context ? and a speci cation 0. S such that ? ` s:S . We abbreviate := dType

data

dType

pType

prop

pType

sType

spec

sType



4 Inductive Types In this section we extend the Veri cation Calculus and the Theory of Speci cations with inductive types. These extensions are based on the Calculus of Inductive Constructions introduced in [Wer94]. The Inductive Veri cation Calculus (IVC) is obtained from the Veri cation Calculus by adding inductive data types and inductive propositions. The typing rule for each elimination constant of an inductive data type is duplicated, i.e. we have one for each sort and . However, as in Coq, there is only one typing rule for each elimination constant of an inductive proposition since data types cannot depend on the logical parts. dType

pType

The Inductive Theory of Speci cations is obtained from the Theory of Speci cations by also adding inductive data types and inductive propositions. The typing rule for each elimination constant of an inductive data type is now triplicated, and we have one for each sort , and . For inductive propositions, we cannot have, as in Coq, an elimination constant that yields a data type or a speci cation. When the elimination constant yields an , the result should be a pair and hence the -reduction has to be extended to state that the elimination constant distributes over pairs. We start this section by showing some particular inductive data type in order to motivate the general de nition of this extension. dType

pType

sType

sType

Natural Numbers The inductive data type Nat with constructors 0 and succ has the following elimination rule: ? ` n:Nat i ? ` U :Nat ! ? ` u1 :(U 0) (natrec) ? ` u2 :(m:Nat)((U m) ! (U (succ m))) i 2 f0; 1g ? ` (Natrec U u1 u2 n):(U n) The -reduction [Wer94] for this constant is de ned as follows: (Natrec U u1 u2 0)! u1 (Natrec U u1 u2 (succ m))! (u2 m (Natrec U u1 u2 m)) In order to obtain the correct reduction for this operator when U is an we must extend the de nition of -reduction to include the following distributivity law: (Distributivity of Natrec over pairs) (Natrec hA ; P i ha1 ; p1 i ha2 ; p2 i n)! h(Natrec A a1 a2 n) ; (Natrec P^ p1 p^2 n)i where: P^ = [n:Nat](P n (Natrec A a1 a2 n)), and p^2 = [n:Nat][q:(P^ n)](p2 n (Natrec A a1 a2 n) q) Note that the predicate P^ is in fact the predicate P applied to the rst component of the pair. uType

sType

Generalization Following [Wer94], inductive types (data types or propositions) are represented by terms of the form Ind(X :V )fC1 (X ) : : : Cn (X )g. The term V is the type of the de ned object. The arity of V is k if V is of the form (x1 :V 1 ) : : : (xm :V m )k and we denote it as arity(V ; k). The arity of the type V of the inductive type can be or . data

prop

The terms C1 (X ) : : : Cn (X ) are the types of the constructors. For example, Nat = Ind(X :data)fX; X ! X g. The type of the constructors should satisfy the restrictions given in [Wer94] to avoid inconsistences. For constructors, the term constr(i; I ) denotes the constructor in the position i of the inductive type I with 1  i  n. The elimination constant for the inductive type I (data type or proposition) is written as Elim(I; U; v1 : : : vm ; v)fu1 : : : un g. The terms v1 ; : : : vm are the parameters of the inductive type I . The term v is the object to be eliminated and it has type (Iv1 ; : : : vm ). The terms u1 ; : : : ; un are the branches which are applied depending on the constructor. We give the introduction and elimination rules for inductive types. We abbreviate I = Ind(X :V )fC1 (X ) : : : Cn (X )g. ? ` V :k (ind) ?; X :V ` Ci (X ):k 8i; 1  i  n arity(V ; k) and k 2 fdata; propg ? ` I :V 0

(intro)

1in ? ` I :V ? ` constr(i; I ):Ci (I )

? ` I :V i ? ` U :(x1 :V 1 ) : : : (xm :V m )Ix1 : : : xm ! ? ` v j :V j 8j; 1  j  m ? ` v :Iv1 : : : vm (elim) ? ` uj :
fCj (I ); U; constr(j; I )g 8j; 1  j  n i 2 f0; 1g ? ` Elim(I; U; v1 : : : vm ; v)fu1 : : : un g:Uv1 : : : vm v uType

The Inductive Veri cation Calculus (IVC) is obtained from the Veri cation Calculus by adding the previous rules and -conversion. The elim-rule has an addii can be i tional restriction: When the arity of V is , the sort i i i or . But when the arity of V is , can only be . The Inductive Theory of Speci cations is obtained from the Theory of Speci cations by adding as before the rules (ind), (intro), (elim) and -conversion. In i can also be i. the elim-rule when the arity of V is , the sort Hence we need to extend the -reduction to deal with the elimination constants. The elimination constants also satisfy the principle of distributivity over pairs. (Distributivity of Elim over pairs) Elim(I; hA ; P i; v1 : : : vm ; v)fha1 ; p1 i : : : han ; pn ig ! hElim(I; A; v1 : : : vm ; v)fa1 : : : an g ; Elim(I; P^ ; v1 : : : vm ; v )fp^1 : : : p^n gi where: data

pType

prop

uType

uType

data

uType

P^ = [x:I ](P x Elim(I; A; v1 : : : vm ; v)fa1 : : : an g), and p^i =
(Ci (X ); pi ) We de ne
(Ci (X ); pi ) by induction on Ci (X ).

dType

pType

sType


(X; p) = p
((x:V )C (X ); p) = [x:V ]
(C (X ); p x)
(((x1 :V 1 ) : : : (xn :V n )X ) ! C (X ); p) = [y:((x1 :V 1 ) : : : (xn :V n )X )][z:((x1 :V 1 ) : : : (xn :V n )P^ (y x1 : : : xn ))]
(C (X ); p y ([x1 :V n ] : : : [xn :V n ]Elim(I; A; v 1 : : : v m ; (y x1 : : : xn ))fa1 : : : an g) z )

5 Example: Extraction of Predecesor Function As an example, we show how to extract predecesor function from its speci cation. We start from the speci cation that states that for any positive natural number n there exists a natural number m such that n=succ m. This is expressed in our language by the following type. (n:Nat)hNat ; [m:Nat](n > 0 ! (n=succ m))i It is easy to see that the following term is an inhabitant of that type. [n:Nat](Natrec U h0 ; p0i ([m:Nat][xs:(U m)]hm ; pm i) n) where - U = [n:Nat]hNat ; [m:Nat](n > 0 ! (n=succ m))i ! ! hA ; P i, - A = [n:Nat]Nat, - P = [n:Nat][m:Nat](n > 0 ! (n=succ m)) and we assume we have the following proofs: ` p0 : P 0 0 and m:Nat ` pm : (P (succ m) m) We show the sequence of -reduction steps from this term to the -normal form. [n:Nat](Natrec U h0 ; p0 i ([m:Nat][xs:(U m)]hm ; pm i) n)

! !

[n:Nat] h(Natrec A 0 ([m:Nat][xs:(U m)]m) n) (Natrec P^ p0 q^ n)i

! !  h [n:Nat](Natrec A 0 ([m:Nat][xd:Nat]m) n) [n:Nat](Natrec P^ p0 q^ n) i

where q = ([m:Nat][xs:(U m)]pm ). At the end, we obtain a term in -normal form which is a pair. The rst component of this pair is the extracted program, i.e. predecesor function: pred = [n:Nat](Natrec A 0 ([m:Nat][xd:Nat]m) n) The second component of the pair is the correctness proof of predecesor.

6 Properties 6.1 Con uence

In this section we prove that ! and !  are con uent. Theorem 6.1. ! is con uent. To prove this we show that the parallel -reduction satis es the diamond property. Theorem 6.2. ! is normalizing. This is proved by induction on the structure of the term. The previous two theorems allow us to do the following abbreviations. De nition 6.3. The normal form of the -reduction of a term u is abbreviated as [[u]].  Substitution lemma holds excluding the problematic cases mentioned in remark 3.7. Lemma 6.4. Let (x) = hxd ; xpi. Suppose that xd, xp and xs are not -free u. Then, 1. [[u[a=xd]]] = [[u]][[[a]]=xd]. 2. [[u[p=xp]]] = [[u]][[[p]]=xp]. 3. [[u[s=xs]]] = [[u]][a=xd][p=xp] if [[s]] = ha ; pi. In the next lemma we show that function [[ ]] preserves -reduction steps. Lemma 6.5. If u! u then [[u]]! !  [[u ]]. The proof is done by induction on the structure of the term. As an immediate consequence of the previous lemmas and theorems we obtain the following theorem. Theorem 6.6. !  is con uent. 0

0

6.2 Projections

In this section we show how to encode the projections in the Theory of Speci cations and prove that the application rule without extra condition is derivable. For each i 2 Nat, we de ne projections Di and Pi for pairs that are objects of at level i. The projections themselves are in fact at level i ? 1. i ]xd Di = [xs: i i ]xp P = [xs: Note that these constants yield the rst and second component of a pair. sTypes

sType

sType

Di hA ; P i! !  A Di hA ; P i! !  P

The next lemma says that the rst projection Di yields a data type and Pi yields a propositional function.

i . Then, Lemma 6.7. Let ? ` S : i and ? `  i S :( i S ) ! i. 1. ? ` Di S : P D 2. S =  hDi S ; Pi S i. i! i and that  i has Proof. It is easy to derive that Di has type P i )(xd ! i ). Note that  i xs =  xd. Then, by applying type (xs: D i )(( i xs) ! i ). conversion rule, we obtain that Pi has also type (xs: D sType

dType

pType

sType

sType

dType

pType

sType

pType

For each i 2 Nat, we de ne the projections di and pi for pairs that are objects of whose type is at level i. The projections themselves are in fact at level i ? 2. i ][ys:xs]yd di = [xs: i i p = [xs: ][ys:xs]yp Note that these two constants yield the rst and second component of a pair. In other words, sTypes

sType

sType

di hA ; P i ha ; pi ! !  a pi hA ; P i ha ; pi ! !  p

Lemma 6.8. Let ? ` s:S. Then, 1.? ` di S s:Di S and ? ` pi S s:Pi S (di S s). 2. s =  hdi S s ; pi S si Proof. Similar to lemma 6.7.

The following de nitions and lemmas are necessary to prove that the extra condition in the application rule can be removed. In case the bound variable of the product is xs, we remove xd and xp from its body using the projections. In case the bound variable is either xd or xp, we remove xs computing the normal form of the following reduction. De nition 6.9. We de ne the reduction !xs on pseudoterms as follows:

xs!xs hxd ; xpi

De nition 6.10. Let ? ` x:V and ?



` V :vTypei . We make the following ab-

breviations: 1. If x=xs then we remove the variables xd and xp using the projections: uxs = u[xd := (di S xs); xp := (pi S xs)] 2. If x is xd or xp then we remove the variable xs by performing xs -reduction: ux = f xs (u)  Note that normal substitution of hxd ; xpi for xs does not work. For example, the substitution of hxd ; xpi for xs in u = (xp:(P xd))(Q xs) would perform conversion and change xp by other variable xp . In fact we want to keep xp and do not perform -conversion. n

0

Lemma 6.11.

1. If ?; x:V ;
` u:U then ?; x:V ;
x ` ux : U x . 2. ux =  u The rst part is proved by induction on the derivation and the second one by induction on the structure of the term.

Theorem 6.12. The application rule without the extra condition is derivable. ` u:U (application) ? `? v`:(vx:uU: )VVx ?[u=x ] Proof: By the previous lemma we have that ? ` v:(x:U ) V x and x is not -free x

in V .

6.3 Correctness In this section we prove that the (Inductive) Veri cation Calculus is a syntactic model for the (Inductive) Theory of Speci cations. The interpretation function is given by the mapping [[ ]] that computes the -normal form. Derivation in the Veri cation Calculus is denoted by `V C .

Theorem 6.13. (Correctness). 1. Let u; u 2 Td [ Tp . If ? ` u:U , then [[? ]] `V C [[u]]:[[U ]]. 2. Let [[S ]]= hA ; P i and [[s]]= ha ; pi. If ? ` s:S then [[? ]] `V C a:A and [[? ]] `V C p:P a. 0

The proof is by induction on the derivation. Since [[ ]] computes the normal form of ! and Veri cation Calculus is normalizing, we have that the Theory of Speci cations is !  -normalizing. Since the function [[ ]] is the identity for terms of the (Inductive) Veri cation Calculus, we have that the Theory of Speci cations is conservative with respect to the (Inductive) Veri cation Calculus.

7 Conclusions The Theory of Speci cations is related to other programming logics that allow the derivation of implementations as pairs program-proof developed in parallel. Besides Coq, we also mention the Deliverables [BM90] and the programming logic !L [Pol94]. In the theory of Deliverables [BM90], a speci cation is a pair consisting of a data type and a predicate over it, and the de nition of deliverable corresponds in a certain way to our notion of functions between speci cations.  -types are used to put together both the components of speci cations and the functions between them. This makes it problematic to obtain a good de nition of function in a direct way. To overcome this diculty second order deliverables have to be de ned using a global speci cation as a parameter. In fact, the need of having second order deliverables arises from not having de ned what a speci cation depending on another speci cation is. We think that to avoid these problems, it is essential to have a special construct for speci cations, different from the  -types and to give special meaning to the dependences between speci cations. Poll's !L [Pol94] is a subsystem of the Veri cation Calculus (see Section 2). However, in [Pol94] the notions of speci cation and implementation are not completely formalized in this language.

We mention possible directions of future research. Firstly, in this paper we study neither subject reduction nor strong normalization for ! and !  and this is something we plan to do in the immediate future. Subject Reduction is not so easy to prove since for the case of -reduction Strengthening is needed and for the case of -reduction the substitution lemma restricting the variables is not needed. Secondly, an alternative mentioned in remark 3.7 is to extend the system with explicit substitutions or implement the -reduction as if a redex were a de nition. In that case we could remove the conditions for the variables that appear in the -reduction rule and in the application rule. This can be usefull if we want to study dierent strategies of reduction.

References [Bar92] H. P. Barendregt. Lambda Calculi with Types. In Samson Abramsky, Dov Gabbay, and Tom Maibaum, editors, Handbook of Logic in Computer Science, volume 1, pages 118{310. Oxford University Press, 1992. [Bar99] Barras et al. The Coq Proof Assistant Reference Manual. Technical report, INRIA, 1999. [BM90] R. Burstall and J. McKinna. Deliverables: An approach to program development in the calculus of constructions. In Proceedings of the First Workshop on Logical Frameworks, Antibes, pages 113,121, 1990. [Luo89] Z. Luo. ECC, an extended calculus of constructions. In 4th. Symposium on Logic in Computer Science., 1989. [PM89] C. Paulin-Mohring. Extracting F! 's programs from proofs in the calculus of Constructions. In Sixteenth Anual ACM Symposium on Principles of Programming Languages, pages 32{49, Austin, January 1989. [Pol94] E. Poll. A Programming Logic Based on Type Theory. PhD thesis, Eindhoven University of Technology, October 1994. [SS01] P. Severi and N. Szasz. Studies of a Theory of Speci cations with built-in program extraction. Journal of Automated Reasoning, 2001. [Sza97] N. Szasz. A Theory of Speci cations, Programs and Proofs. PhD thesis, Department of Computing Science, Chalmers University of Technology, S-412 96 Goteborg, Sweden, June 1997. [Wer94] B. Werner. Une Theorie des Constructions Inductives. PhD thesis, Universite Paris 7, Paris, France, May 1994.