NASA/CR-1999-209321

The Formal Semantics of PVS

Sam Owre and Natarajan Shankar
SRI International, Menlo Park, California

May 1999
NASA/CR-1999-209321

The Formal Semantics of PVS

Sam Owre and Natarajan Shankar
SRI International, Menlo Park, California

National Aeronautics and Space Administration
Langley Research Center
Hampton, Virginia 23681-2199

Prepared for Langley Research Center under Contract NAS1-18969

May 1999

Available from:

NASA Center for AeroSpace Information (CASI)
7121 Standard Drive
Hanover, MD 21076-1320
(301) 621-0390

National Technical Information Service (NTIS)
5285 Port Royal Road
Springfield, VA 22161-2171
(703) 605-6000
Abstract

A specification language is a medium for expressing what is computed rather than how it is computed. Specification languages share some features with programming languages but are also different in several important ways. For our purpose, a specification language is a logic within which the behavior of computational systems can be formalized. Although a specification can be used to simulate the behavior of such systems, we mainly use specifications to state and prove properties of such systems with mechanical assistance. We present the formal semantics of the specification language of SRI's Prototype Verification System (PVS). This specification language is based on the simply typed lambda calculus. The novelty in PVS is that it contains very expressive language features whose static analysis (e.g., typechecking) requires the assistance of a theorem prover. The formal semantics illuminates several of the design considerations underlying PVS, particularly the interaction between theorem proving and typechecking.
Contents

1 Introduction  1
  1.1 Real versus Idealized PVS  2
  1.2 Semantic Preliminaries  3
  1.3 Related Work  5
  1.4 Outline  7

2 The Simple Type Theory  9
  2.1 Contexts  10
  2.2 Type Rules  10
  2.3 Semantics  12
  2.4 Some Syntactic Operations  16
  2.5 Type Definitions  17
  2.6 Summary  18

3 Adding Subtypes  20
  3.1 Summary  29

4 Dependent Types  30
  4.1 Summary  40

5 Theories  41
  5.1 Theories without Parameters  41
  5.2 Constant Definitions  45
  5.3 Parametric Theories  45
  5.4 Summary  48

6 Conditional Expressions and Logical Connectives  49
  6.1 Summary  52

7 Proof Theory  53
  7.1 PVS Proof Rules  53
    7.1.1 Structural Rules  53
    7.1.2 Cut Rule  54
    7.1.3 Propositional Axioms  54
    7.1.4 Context Rules  55
    7.1.5 Conditional Rules  55
    7.1.6 Equality Rules  55
    7.1.7 Boolean Equality Rules  56
    7.1.8 Reduction Rules  56
    7.1.9 Extensionality Rules  56
    7.1.10 Type Constraint Rules  57
  7.2 Soundness of the Proof Rules  57
  7.3 Summary  60

8 Conclusion  61

Bibliography  64
Chapter 1

Introduction
PVS
is a system
and
software
succinct, tion
readable,
language
the
with
PVS
specification
support
the
typed
those
products.
theorem
instance,
logic
resulting
array
bounds.
parametric dent
typing,
This
report
tion
language
an overview System The
ensure PVS
in types
fragment
function,
type
with
and and
a concise
and
PVS
PVS
user
purpose users
here
serves
typed
While extensions
formal nor
manuals
set-theoretic a guide
types, records,
and
It is possible, within
their
theories
that
as subtyping, significant
for
respeccan
of the
of the
be
simply depen-
challenges.
PVS
semantics.
to the
and that
specifica-
It is neither
Prototype
Verification
[OSRSC98]).
of the formal The
definition
on a sim-
subtypes
semantics
such
the
powerful
is based with
into
do pose
idealized
because with
functions,
the
For
typechecked
product
are
therefore
language.
advantages.
references
parametricity but
language
of PVS.
and
is extended
are organized the
its intended
of the
record,
several
all array
specifications
(theory-level)
of PVS
efficient
are
is acceptable
logic
system has
language
in conjunction
dependently
system that
The
specifica-
than
be statically
This
for use
as well as individuals.
presents
primary
as presented
prover.
is straightforward,
(see the
developers
and type
to statically
with
can
to admit
PVS
programming
that
proving.
This
to subsets,
The
of a corresponding
is intended
definitions.
The rather
the
hardware
is designed
construction
underlying
constructs
of digital
of PVS
specifications.
proof
of a theorem
language
higher-order type
meaningful
contains
assistance
are analogous
typed
from
properties
language
for effective
for automated
recursive
verifying
considerations
language
only
and
specification
logically
design
different
example,
tive
and
The
somewhat
The
is designed
execution.
ply
for specifying
systems.
semantics
idealized
as a succinct
core
foundation
is as a useful of the
reference
specification
for studying
the
for the language
expressive
2
Chapter
power
of the
language.
by the
formal
Pertinent
semantics
1. What
is the
questions
presented
semantic
about
PVS
1.
Introduction
are answered
directly
here:
core
of the
language,
and
what
is just
syntactic
sugar? 2. What
are
the
rules
for determining
whether
a given
PVS
expression
is
well typed? 3. How
is subtyping
corresponding
handled,
4. What is the assertion?
meaning,
5. Are
the
type
rules
6. Are
the
proof
7. What
is the
given
semantic
It does
not
arithmetic These
proof
obligations
to the
typing
used
by the
of a PVS
expression
or
what
of
semantics?
respect
semantics? by PVS,
and
kinds
language?
parametricity,
and
what,
if any, are
parameterization? are incompatible
the
versus treatment
treat and
the
present
answers
in this nonlogical
recursive
definitions. in a future
semantics
also While
the
of PVS
1. No name convenience
used
resolution.
name
report parts
of clarity.
idealization
and
with
the reference
semantics
of the
omits
must
parameters. the
PVS
important
In particular, abstract
ways.
it ignores
datatypes
[OS97].
version.
several
is faithful
in some
language.
idealizations
the semantic
All names by
is incomplete It also
makes
questions.
PVS
expanded
here
actual
provided
to these
Idealized
for the purpose
theory
to the
of theory-level
extensions
will be treated
The
with
on such
8 summarizes
Real
The
are
here?
Chapter
1.1
how
terms,
respect
are disallowed
limits
language
with
of dependent
meaning
semantic
9. What
in set-theoretic
sound
dependencies
8. What the
form
in particular,
generated?
sound
rules
is the
type
and
to subtypes
treatment to the
from
implemented
be in fully resolved We regard type
checker
the
real
PVS
is not comprehensive, form form
name and
with
resolution not
of PVS. their as a
an operation
1.2.
Semantic
with
Preliminaries
any semantic
in PVS 2.
No
overloading.
4.
to the
Variable Global
5.
1.2
one
declarations
No records. types
name
These
resolution,
PVS
that
are
all the
variables
can range
otherwise,
N(P)
[Chu40],
can be applied Types mantic their
The cepted.
Fraenkel
Paulson
[LP97]
languages. 1. Types
N(N) type
and
since
product
logic
such system.
types
in a specification
express
to be treated
analyze
rather
opinion
it constrains
is like any other
of a proof
the
the tradeoffs
Ada,
typed
seby
ML,
and
widely
ac-
typing
is repug-
by not allowing [Lam94] should
restraints. and
and
and
is not
such
and
of
exemplified
Lamport
property
by syntactic
between
syntactic
logic that
theory a predicate
to itself.
is best
expressiveness
uniformly.
program
than
In the
as Algol,
is
the predicate
be applied
of types
means
distinction
so that
for detecting
languages
since
type
hold. types
cannot
role
This
as well as functions,
some
=N(N)
thus
type
logic.
by defining
distinct
PVS
typing
et al [FBHL84]
impose
and into
This
in the
for strong
We claim
declared.
of records.
as numbers)
mechanism
programming
correctness
by means
features
a contradiction
typechecking.
of differing
type
lished
both
as a powerful
in a mathematical
individuals
locally
convenience.
on higher-order (such
is stratified
emphasized
desirability
be
treatment
As is well known,
to obtain
to a lower
through
use in various
semantic
is based
so on.
that
also serve
is also heavily
must
as a syntactic
essential
over individuals
universe
only
errors
in the
semantically
it is easy
the
All variables are regarded
ignored
and
as =(P(P))so
types
is a syntactic
are visible.
language
of functions,
needed;
overloading
Preliminaries
specification
functions
resolution
of theories is a hint to name resolution. that all instances of theories declared
ignored.
Semantic
of name
import.
declarations
capture
The
that
with
no semantic
present
variable
description
elsewhere.
As
with
A technical
No IPIP©RTINGs. The importing The semantic definition assumes prior
nant
relevance.
will be given
convenience 3.
3
be estab-
Lamport
untyped
argues and
specification
that a useful
2. Types lead to easy semantic errors.
and
discipline early
on the
detection
specification. of a large
class
of syntactic
and
4
Chapter
3. Type The types
information
semantics of the
of the malized The
represents set
their
the
the
expressive
will
be presented
expression
the
subsets
of the
will be given of PVS.
in three enough
The
numbers
real.
element cuts
is closed
graph
under
pairs,
powerset
Note
a y E Y such
that
have
For
set of graphs
that
B, (z,y)
of total
are
of the
Cartesian A set
domain E F, a set
functions
X and
F,
and
The
second
step
a given
PVS
function
two-element
type
semantics
and
set
that
PVS
the
bool
empty
the
real
set, and
by means
modeled
say
the
2
only
of Dedekind
whenever
x Y)
the
sets
and
power
as graphs,
is represented
product range
contains as X
F that
Function(F) from
that
[A--+B]
respectively.
with such
type
of PVS
set R.
(written
functions
of increas-
a set-theoretic
for defining
by any
a universe
products
type.
well-typed
Booleans
0 is the
this
parent
whether
can be captured
we label
a function
fo([A 1 × [BI) A and
be modeled 1, where
we need
Cartesian
so that
of a function y = y'.
and
semantics,
as fo(X)).
representing
can
of the
to
that
a semantic
needed
consist
type
fragment
types.
to each
it
subtypes the
is to define
is to define
(ZFC). is that
domain
a sequence
PVS
universe
real numbers
sequences, the
step
semantic
0 and
the
determines
set constructions
Booleans
elements
the
can be for-
logic
predicate
of each
step
to elements
of choice
set representing
first that
third
in PVS
set 1. The
or Catchy
(written
types
The
of the
of ordered the
base
of the
To define R and
to represent
The
We first lay out the ZFC of PVS. consisting
sets
in the
also has
semantics
The
operation
is well typed.
axiom
in higher-order
by considering
The
steps.
a typechecking
the
logic we use
the set representing 1 PVS
of PVS
assigns a representation and term.
from
with type
the well-formed
of the
constructions
theory
types.
fragments
containing
is to define
set
by mapping terms
set
range
over
semantics
ingly
is given
The
Introduction
reasoning.
well-formed
of a function
set of all functions
are to be interpreted
universe
logic
the type.
interpretation
representing
The
and
Zermelo-Fraenkel
intended
the
to sets,
representing
within
in mechanized
of a higher-order
logic
sets
is useful
1.
of the is a subset
Y if for every (z,y)
E F and
holds
and
a set Y to a set
2 and
that
is, sets
by a subset sets
sets
[A_ and
of [B 1
of X x Y is the z E X (z,y')
there
E F, we
dora(F) = x.
X is represented
is The
as X Y.
1. It is only in the standard model of higher-order logic that the function type is required to represent the set of all functions from the domain set to the range set. Higher-order logic can be interpreted in general models where the function type can be interpreted in any manner as long as it satisfies the various axioms such as application, abstraction, and extensionality [And86]. Higher-order logic is complete with respect to the general models interpretation, so that a statement that is valid in all models is provable. It is, however, incomplete with respect to the standard model.
1.3.
Related
Work
If F is the represents
5
graph the
of a function
result
of applying
function
F will never
the
language,
PVS
expression We PVS
has can
model
by the
sets
2 and
subsets
the
set
are needed
application as the
U0 Ui+
1
entire
type the
included
co.
1.1
(type
of the
simply
subtypes.
the
a in
argument
expression. fragment from
function
the
base and
are used
types.
to iterate
of
spaces,
products
function
It is sufficient
level,
the
typed
Cartesian model
F(t)
because
function
by starting
at each stage. spaces
semantic
so that
products,
then
dora(F),
of the
cumulatively
function
predicate
type
universe
sets,
domain,
t outside
is typechecked
Cartesian
and
in its
F to t. At the
domain
is defined
in PVS,
ordinal
Definition
type
including
to model
up to the
function
to an argument
a function
U, which
products
t an element
same
of previously
to model
the
be applied
the
R, and
and
Subsets
these
stages
universe)
Definition 1.1 (type universe)

$U_0 = \{2, \mathbb{R}\}$

$U_{i+1} = U_i \cup \{X \times Y \mid X, Y \in U_i\} \cup \{X^Y \mid X, Y \in U_i\} \cup \{X \mid X \subseteq Y,\ Y \in U_i\}$

$U = \bigcup_{i < \omega} U_i$

We refer to $U$ as the type universe. The semantics will assign a set in $U$ to each well-typed type and an element of a set in $U$ to each well-typed term of PVS. The rank of a set $X$ in $U$ is the least $i$ such that $X \in U_i$. The notion of rank plays an important role in the semantic definitions below.
parametric
1.3
to those The
order malisms mented 2The
2 The
PVS
type
an element
and
of a set X
semantic
in U is the role
in the
definitions
below
in U u to each
least
i such
semantics
that
X
will
well-typed E Ui.
of dependent
The types
theories.
is a long
specification
universe.
an important
Related
There ilar
rank
basic
Work history
of work
underlying
the
in specification
PVS
languages.
specification
language
Many also
occur
ideas
sim-
in other
languages.
wide-spectrum logic.
The
languages
language
[Jon90].
VDM
It is based
with
datatype
inclusion
of
X
U
is one
is actually
The
based
of the
on a first-order
axioms. Y in
are typically
redundant
earliest
logic
datatype
aids
such
with
theories but
on set theory
specification
for-
functions
aug-
include
those
partial in VDM
clarity.
or higher-
6
Chapter
for finite VDM
sets,
maps,
sequences,
has a notion
subtyping. condition
of datatype
to VDM,
with
the
a built-in
resulting
PVS
logic
in notion
of state
to define
nectives
on the
The
with
predicate
ideas
of VDM
Z specification on
a typed
of schemas
invariants.
schemas
convention chosen ing
with
bad(x)
a proof
vative
f(a)
This
when
or a soundness
a is not
in the
partial
but
it is handled
obligations
The
by introducing
generated
compared
to PVS
an initial
semantics
has
by the
since
where
like
many
type
but lacks
commonly
OBJ
[FGJM85]
of the
same
or runtime
checker.
The
on a first-order,
two ground
terms
are
OBJ
for conser-
and
datatypes
logic
equational
so
by exhibiting Larch
a
[GH93] and
op-
parameterization
is also
distinct
definition
datatypes
checks
deal-
it as an axiom
and
theory
in OBJ
used
arbitrarily
mechanism
for specifying
treat-
when the
admitting any
for constants
mechanism retracts
it is based
Spivey's
the
has to be demonstrated
framework subsort
proof.
example,
pre-
semantics
of a is some
For
or
to combine
can be confusing
functions.
languages OBJ
as PVS.
invariants
employs domain
purposes
of Z specification
on datatypes.
an
toolset
accompanied
a formal
principles
mechanisms
constants
presents
Z semantics
for most
an equational/rewriting
and
[Spi88]
as definitional
erations
only
language
is used
Z also
specification
function
is a collection
calculus
undefined
Algebraic
a classical
provides
datatype
contradiction.
provide
[Jon90]
specify
is everywhere
such
uses
A schema Spivey
system
defined
consistency
PVS
to a partial
wide-spectrum
1 + bad(x)
extensions
con-
A Z specification
either
in the
is fine
logical
is another
to an immediate
that the model.
that
functions
recursively =
leads
can
giving that
value.
of
logic for the
is a comprehensive
of types
constraints. connectives.
of partial
logic
and
system
theory.
of declarations
logical
for Z without
[Spi88] set
Z schemas
using
higher-order
linear
a type
Jones
are
is no built-
various
whereas
to assign
The
that
There
including
functions,
RAISE
language
condition/post-condition
the
typing.
datatypes
PVS.
In
higher-order
[RAISE92].
first-order
consisting
to use
of definition.
The
typed
of the
uses a 3-valued
partial
and trees.
form of predicate
dependent
within
formalisms,
subtyping
for VDM.
and
many
it is possible
on its domain
semantics
in that
VDM
as lists
a simple
on strictly
can be defined
since
such
Introduction
in terms of pre-condition/postinto parameterized modules.
subtyping
compact
logics.
to deal
and
function
informal
ment
yields
is based
of state-based
temporal
logic
as a total
with
in PVS
in order
2-valued
based
datatypes
that
of predicate
in VDM
a variety
branching-time
language
is more
axiomatically
based
invariants
PVS
notion
presented PVS
recursive
Operations on state are specified pairs. Specifications are structured
contrast logic
and
1.
similar
rather
than
is quite
proof
restricted
framework unless
except
they
with can
be
1.4.
Outline
proved
equal.
primarily
OBJ
The
automated
[EHDMg3],
logic
[AMCP84].
Andrews order
[And86]
logic.
Pitts)
quantification The
theories
has
the kind
Howe
here
but
PVS
features
missing
families
in the
which terms inaccessible
they
do not The
are
Both
are
(type
universes
of Dybjer).
Dybjer
and types are interpreted. cardinals for his universe
logic
of higheroutlined
(by
Howe
admit
[Howgl,
presented
How96].
clearly
logic.
Howe requires construction.
specifies
Dybjer
and
of language
of Howe,
identify
Not to the
as is done
the semantics
case not
type
is similar
here
in the
has
dependent
dependencies
do describe does
Nuprl
intuitionistic
typing
disallowed in the
on intuitionistic
logics
possible
semantics
in PVS
and
theories.
whereas
typed
and
the
but
carefully
types,
of dependent
subtyping
[GMg3]
aspects
are based
over
[Dybgl]
that
typing.
[GMg3].
universes.
address
case
logic
is
of PVS:
higher-order
semantic
ac-
subtyping
or parametric
of dependently
PVS
dependencies
with
HOL
typed
[CAB+86]
delimit
that
features
as
typing,
quantification
treatment
is
of these
is no dependent
simply
HOL
and Nuprl of type
logic
such
of the
Melham
by Dybjer
semantics.
of type
account
and
those
closest
of the
there
systems
employ
semantics
semantic
and
of the
are
The
many
dependent
and
allows
studied
their
TPS
semantics
a hierarchy
been
also do not
1.4
and
a thorough
set-theoretic
surprisingly,
the
HOL
PVS
higher-order lacks
other
as subtyping,
Coq
over
typing.
with
by
by Gordon
logics.
given
is used
to
systems.
a similar
development
language.
closer
EHDM
like Coq [DFH+91]
higher-order
are
declarations
formal
book
Systems
employs
gives
The
in the
one
such
for proof
checking
to type
Both
features
that
generation.
is restricted
Higher-order without
support specification
proof
which
obligation
subtyping
limited
languages
various
proof
very
as an executable
specification
EHDM
TPS
has
intended
company and
7
and
the
inductive
universe
an infinite
over
sequence
of
1.4 Outline

In Chapter 2, we define the syntax and semantics of the simply typed fragment of PVS. Type definitions and definitional equivalence are also introduced in this chapter. Chapter 3 adds subtyping to the simply typed fragment, along with the additional type rules and semantic definitions that are needed. Chapter 4 extends the language with dependent function and product types. Theories and parametric theories are introduced in Chapter 5. The type rules and semantics for conditional expressions and logical connectives are introduced in Chapter 6. Chapter 7 specifies the axioms and inference rules of PVS.
Chapter 2

The Simple Type Theory

PVS is a strongly typed specification language. The simple type theory fragment of PVS includes types constructed from base types by means of function and product type constructions, and expressions constructed from constants and variables by means of application, lambda abstraction, tupling, and projection. A preterm must be typechecked in a given context to be well typed.

We use the metavariables r and s to range over symbols (identifiers), x and y over variables, c and d over constants, f, g, a, and b over preterms, A, B, and T over pretypes, and $\Gamma$ over contexts.

Types. A context $\Gamma$ is a partial function from symbols to declarations: $\Gamma(s)$ is undefined if s is not declared in $\Gamma$. A context assigns a kind (one of TYPE, CONSTANT, or VARIABLE) to each symbol, and a type to each constant and variable symbol. The pretypes of the simply typed fragment are constructed from the type symbols declared in a given context, which include the base types bool and real, by means of product and function type constructions. A product pretype of $A_1$ and $A_2$ is constructed as $[A_1, A_2]$; a function pretype with domain A and range B is constructed as $[A \to B]$. The distinction between a pretype and a type is that a type is a pretype that has been typechecked in a given context, so that the type symbols occurring in it must be appropriately declared in that context.

Example 2.1 (pretypes) bool, [bool, real], [[real, bool]→bool].

Preterms. The expressions of the simply typed fragment of the language consist of constants, variables, applications, pairs, projections, and lambda abstractions. Applications are of the form f a, where f and a are preterms. Pairs have the form $(a_1, a_2)$, where each $a_i$ is a preterm. Projections have the form $p_i\ a$, where $i \in \{1, 2\}$ and a is a preterm. Lambda abstractions have the form $\lambda(x: T): a$, where T is a pretype and a is a preterm. Parentheses are used for disambiguation. A term is a preterm that has been typechecked in a given context.

Example 2.2 (preterms) TRUE, ¬TRUE, λ(x: bool): ¬(x), $p_2$(TRUE, FALSE), (TRUE, λ(x: bool): ¬(¬x)).
2.1 Contexts

A context is a sequence of declarations, where each declaration is either a type declaration s : TYPE, a constant declaration c : T where T is a type, or a variable declaration x : VAR T. The empty context is represented as {}. A context $\Gamma$ can also be applied as a partial function, so that $(\Gamma, s : D)(s) = D$ and $(\Gamma, s : D)(r) = \Gamma(r)$ for $r \neq s$. If s is not declared in $\Gamma$, then $\Gamma(s)$ is undefined. The kind of a symbol s declared in $\Gamma$ is given by $kind(\Gamma(s))$ and is TYPE, CONSTANT, or VARIABLE according to the keyword under which s is declared. If the kind of s in $\Gamma$ is CONSTANT or VARIABLE, then $type(\Gamma(s))$ is the type assigned to s in $\Gamma$; otherwise, $type(\Gamma(s))$ is undefined. Rules for the well-formedness of contexts with respect to the simply typed fragment are presented below.

Example 2.3 (context) bool : TYPE, TRUE : bool, FALSE : bool, x : VAR bool.

2.2 Type Rules

The type rules for the simply typed fragment of PVS are given by a recursively defined partial function $\tau$ that assigns a type $\tau(\Gamma)(a)$ to a preterm a with respect to a context $\Gamma$, and that also checks the well-formedness of pretypes and contexts. The result of $\tau_0(\Gamma)$ is CONTEXT when $\Gamma$ is a well-formed context; typechecking is invoked with the empty context, and $\tau_0(\Gamma)$ is always CONTEXT when $\Gamma$ is empty. The result of $\tau(\Gamma)(A)$ is TYPE when A is a well-formed type in the context $\Gamma$, and is undefined when A is an ill-formed type. Likewise, $\tau(\Gamma)(a)$ is undefined in the case of an ill-typed preterm a.
The type rules are presented as a functional definition rather than as inference rules. Customarily, type rules are presented as inference rules, so that a term can be assigned a number of types, each with its own typing derivation, and the meaning of a term is then given relative to a typing derivation. Here, every well-typed term has at most one canonical type, and the type derivation is deterministic, so the meaning of a term depends only on the term and its context and not on its typing derivation. This functional presentation makes the soundness proof straightforward: there is no need to show that the rules are coherent, that is, that the meaning of a term is independent of the derivation, since this is trivial. Note also that the well-formedness rules for contexts and types are checked separately from the typing of terms, and that the rules preserve the well-formedness of the context when it is extended in the rule for lambda abstraction.

Definition 2.4 (type rules)

$\tau_0(\{\}) = \mathrm{CONTEXT}$

$\tau_0(\Gamma, s : \mathrm{TYPE}) = \mathrm{CONTEXT}$, if $\tau_0(\Gamma) = \mathrm{CONTEXT}$ and $\Gamma(s)$ is undefined

$\tau_0(\Gamma, c : T) = \mathrm{CONTEXT}$, if $\tau_0(\Gamma) = \mathrm{CONTEXT}$, $\Gamma(c)$ is undefined, and $\tau(\Gamma)(T) = \mathrm{TYPE}$

$\tau_0(\Gamma, x : \mathrm{VAR}\ T) = \mathrm{CONTEXT}$, if $\tau_0(\Gamma) = \mathrm{CONTEXT}$, $\Gamma(x)$ is undefined, and $\tau(\Gamma)(T) = \mathrm{TYPE}$

$\tau(\Gamma)(s) = \mathrm{TYPE}$, if $kind(\Gamma(s)) = \mathrm{TYPE}$

$\tau(\Gamma)([A \to B]) = \mathrm{TYPE}$, if $\tau(\Gamma)(A) = \tau(\Gamma)(B) = \mathrm{TYPE}$

$\tau(\Gamma)([A_1, A_2]) = \mathrm{TYPE}$, if $\tau(\Gamma)(A_i) = \mathrm{TYPE}$ for $1 \le i \le 2$

$\tau(\Gamma)(s) = type(\Gamma(s))$, if $kind(\Gamma(s)) \in \{\mathrm{CONSTANT}, \mathrm{VARIABLE}\}$

$\tau(\Gamma)(f\ a) = B$, if $\tau(\Gamma)(f) = [A \to B]$ and $\tau(\Gamma)(a) = A$

$\tau(\Gamma)(\lambda(x : T): a) = [T \to \tau(\Gamma, x : \mathrm{VAR}\ T)(a)]$, if $\Gamma(x)$ is undefined and $\tau(\Gamma)(T) = \mathrm{TYPE}$

$\tau(\Gamma)((a_1, a_2)) = [\tau(\Gamma)(a_1), \tau(\Gamma)(a_2)]$

$\tau(\Gamma)(p_i\ a) = T_i$, if $\tau(\Gamma)(a) = [T_1, T_2]$
In the type rule for lambda abstraction, the constraint that $\Gamma(x)$ must be undefined can be satisfied by suitably renaming the bound variable, since we treat terms as equivalent modulo the renaming of bound variables.

Example 2.5 (type rules) Let $\Omega$ label the context bool : TYPE, TRUE : bool, FALSE : bool. Then

$\tau_0(\{\}) = \mathrm{CONTEXT}$

$\tau_0(\Omega) = \mathrm{CONTEXT}$

$\tau(\Omega)([[\mathrm{bool}, \mathrm{bool}] \to \mathrm{bool}]) = \mathrm{TYPE}$

$\tau(\Omega)((\mathrm{TRUE}, \mathrm{FALSE})) = [\mathrm{bool}, \mathrm{bool}]$

$\tau(\Omega)(p_2(\mathrm{TRUE}, \mathrm{FALSE})) = \mathrm{bool}$

$\tau(\Omega)(\lambda(x : \mathrm{bool}): \mathrm{TRUE}) = [\mathrm{bool} \to \mathrm{bool}]$

2.3 Semantics

Recall that a term is a preterm that has been assigned a type in a context $\Gamma$, whereas a type is a pretype that has been assigned TYPE in the context $\Gamma$. The semantics of the simple type theory of PVS is given by mapping a type T to a (possibly empty) set $\mathcal{M}(\Gamma \mid \gamma)(T)$ in the universe $U$, and a term a with $\tau(\Gamma)(a) = T$ to an element of the set $\mathcal{M}(\Gamma \mid \gamma)(T)$, under an assignment $\gamma$ to the basic symbols declared in $\Gamma$. An assignment $\gamma$ is a list of bindings of the form $\{s_1 \leftarrow t_1\} \ldots \{s_n \leftarrow t_n\}$, where $\gamma\{s \leftarrow t\}(s)$ is t and $\gamma\{s \leftarrow t\}(r)$ is $\gamma(r)$ when $r \neq s$.
meaning
function
a well-formed
AA(F
I 7)(A)
constants,
AA(F
term
to the
is interpreted
abstraction
yields
is mapped
to the
Definition
2.6
a in the
declared
is mapped
is mapped
meaning
context
F under
of the
corresponding (meaning
M(rlz)(s)
from function
Cartesian
of set-theoretic
graph
product.
function
corresponding
set-theoretic
an
ordered
of type the
An A pair
A
_ as names,
assignment
space.
application.
function.
type
assignment
meanings
obtained
corresponding
corresponding
of a well-formed
The
in F are
to the
by means the
the
I 7)(a),respectively.
variables
type
type
returns
expression
and
and
A function
AA
7.
A product application A lambda expression
pair.
function)
= z(s), if kind(F(s))
• {TYPE, CONSTANT, VARIABLE}
M(r I_)(B) :_I_ ,_IIAI M(r ] 7)([T1,T2]) M(r I_)(_1) × M(r I_)(_2) M(P ] 7)(f a) (M(r I_)(/))(M(r I_)(a)) M(r I 7)(A(x: T): a) { I Y • M(r I_)(_), _= M(r,x: VAR _l_{x _- y})(a)} AA(F] 7)((al, a2)) = M(r ] _)(pi a) = ti, whereM(r I_)(a)= M(r
Example 2.7 (meaning function) Let $\omega$ be an assignment for the context $\Omega$ of Example 2.5 of the form $\{\mathrm{bool} \leftarrow 2\}\{\mathrm{TRUE} \leftarrow 1\}\{\mathrm{FALSE} \leftarrow 0\}$; then

$\mathcal{M}(\Omega \mid \omega)([\mathrm{bool}, \mathrm{bool}]) = 2 \times 2$

$\mathcal{M}(\Omega \mid \omega)((\mathrm{TRUE}, \mathrm{FALSE})) = (1, 0)$

$\mathcal{M}(\Omega \mid \omega)(\lambda(x : \mathrm{bool}): \mathrm{TRUE}) = \{(0, 1), (1, 1)\}$
Definition 2.8 (satisfaction) A context assignment $\gamma$ is said to satisfy a context $\Gamma$ (in symbols $\gamma \models \Gamma$) iff

1. $\gamma(s) \in U$ whenever $kind(\Gamma(s)) = \mathrm{TYPE}$,

2. $\gamma(s) \in \mathcal{M}(\Gamma \mid \gamma)(type(\Gamma(s)))$ whenever $kind(\Gamma(s)) \in \{\mathrm{CONSTANT}, \mathrm{VARIABLE}\}$.

Example 2.9 (satisfaction)

1. The assignment $\omega$ satisfies the context $\Omega$, since $\omega(\mathrm{bool}) = 2$, $\omega(\mathrm{TRUE}) = 1$, and $\omega(\mathrm{FALSE}) = 0$.

2. The assignment $\omega\{\mathrm{one} \leftarrow 1\}\{\mathrm{zero} \leftarrow 0\}$ satisfies the context $\Omega$, one : TYPE, zero : one.

The following theorems follow from these definitions. We first need one useful proposition that asserts that typing judgements are not invalidated when the context is extended. Its proof, by the induction suggested by the definitions, is straightforward and is omitted.

Proposition 2.10 If $\tau_0(\Gamma) = \tau_0(\Gamma') = \mathrm{CONTEXT}$ and $\Gamma$ is a prefix of $\Gamma'$, then for all pretypes A, $\tau(\Gamma)(A) = \mathrm{TYPE}$ implies $\tau(\Gamma')(A) = \mathrm{TYPE}$, and for all preterms a, $\tau(\Gamma)(a) = d$ implies $\tau(\Gamma')(a) = d$.
Theorem 2.11 (type construction) If $\tau_0(\Gamma) = \mathrm{CONTEXT}$ and $\tau(\Gamma)(a) = A$, then $\tau(\Gamma)(A) = \mathrm{TYPE}$.
Theorem 2.12 (type soundness) If T0(Γ) = CONTEXT, γ satisfies Γ, and T(Γ)(A) = TYPE, then M(Γ|γ)(A) ∈ U.

Proof. The proof is by induction on the structure of the pretype A. Recall from Definition 1.1 that if X ∈ U, then X ∈ U_i for some i. This yields three cases:

1. A ≡ s: By Definition 2.4, T(Γ)(s) is defined and kind(Γ(s)) is TYPE. By Definition 2.6, M(Γ|γ)(s) is γ(s), and by Definition 2.8, γ(s) ∈ U.

2. A ≡ [B→C]: By Definition 2.4, T(Γ)(B) = T(Γ)(C) = TYPE. Let X label M(Γ|γ)(B) and Y label M(Γ|γ)(C). By the induction hypothesis, X ∈ U and Y ∈ U, so let j be the least rank such that X ∈ U_j and Y ∈ U_j. By Definition 2.6, M(Γ|γ)(A) = Y^X, and by Definition 1.1, Y^X ∈ U_{j+1}; hence M(Γ|γ)(A) ∈ U.

3. A ≡ [A1, A2]: By Definition 2.4, T(Γ)(A_i) = TYPE for i ∈ {1, 2}. By the induction hypothesis, M(Γ|γ)(A_i) ∈ U for i ∈ {1, 2}, so let j be the least rank such that M(Γ|γ)(A_i) ∈ U_j for i ∈ {1, 2}. By Definition 2.6, M(Γ|γ)(A) = M(Γ|γ)(A1) × M(Γ|γ)(A2), which is in U_{j+1} by Definition 1.1; hence M(Γ|γ)(A) ∈ U.

Theorem 2.13 (term soundness) If T0(Γ) = CONTEXT, γ satisfies Γ, and T(Γ)(a) = A, then M(Γ|γ)(a) ∈ M(Γ|γ)(A).

Proof. The proof is by induction on the structure of the preterm a.

1. a ≡ s: By Definition 2.4, type(Γ(s)) = T(Γ)(s) = A, and by Definition 2.6, M(Γ|γ)(s) = γ(s). By Definition 2.8, γ(s) ∈ M(Γ|γ)(A).

2. a ≡ (f b): By Definition 2.4, T(Γ)(f) = [B→A] and T(Γ)(b) = B. Let X be M(Γ|γ)(B) and Y be M(Γ|γ)(A). By the induction hypothesis, M(Γ|γ)(f) ∈ M(Γ|γ)([B→A]), which is Y^X by Definition 2.6, and M(Γ|γ)(b) ∈ X. By Definition 2.6, M(Γ|γ)((f b)) = (M(Γ|γ)(f))(M(Γ|γ)(b)), and it follows that M(Γ|γ)((f b)) ∈ Y.

3. a ≡ (λ(x: C): b): By Definition 2.4, T(Γ)(a) is [C→B], where T(Γ, x: VAR C)(b) is B. Let X be M(Γ|γ)(C) and Y be M(Γ|γ)(B); since no variable occurs in a type of the simple fragment, M(Γ, x: VAR C | γ{x ← u})(B) = Y for every u ∈ X. By the induction hypothesis, we have that for any u ∈ X, M(Γ, x: VAR C | γ{x ← u})(b) ∈ Y. Since M(Γ|γ)(a) is {⟨u, v⟩ | u ∈ X, v = M(Γ, x: VAR C | γ{x ← u})(b)}, we have that M(Γ|γ)(a) ∈ Y^X, which is M(Γ|γ)([C→B]) by Definition 2.6.

4. a ≡ (a1, a2): By Definition 2.4, T(Γ)(a) = [A1, A2], where T(Γ)(a_i) = A_i for i ∈ {1, 2}. By the induction hypothesis, M(Γ|γ)(a_i) ∈ M(Γ|γ)(A_i) for i ∈ {1, 2}. By Definition 2.6, M(Γ|γ)(a) = ⟨M(Γ|γ)(a1), M(Γ|γ)(a2)⟩ and hence M(Γ|γ)(a) is an element of M(Γ|γ)(A), which is M(Γ|γ)(A1) × M(Γ|γ)(A2).

5. a ≡ p_i b: In this case, we know by Definition 2.4 that T(Γ)(b) = [A1, A2] with i ∈ {1, 2}, and T(Γ)(a) = A_i. By the induction hypothesis, M(Γ|γ)(b) ∈ M(Γ|γ)(T(Γ)(b)) = M(Γ|γ)(A1) × M(Γ|γ)(A2), so M(Γ|γ)(b) = ⟨t1, t2⟩ with t_i ∈ M(Γ|γ)(A_i); by Definition 2.6, M(Γ|γ)(a) = t_i, hence M(Γ|γ)(a) ∈ M(Γ|γ)(A_i).
These three theorems (2.11, 2.12, and 2.13) are the key invariants that must be satisfied by the type rules and the semantics when the language is extended with type definitions, subtypes, dependent types, and parametric theories.

Some syntactic operations. We first define the operation of collecting the free variables of a term a in a context Γ, written FV(Γ)(a), and then the operation of substitution.

Definition 2.14 (free variables)
FV(Γ)(s) = {s}, if kind(Γ(s)) = VARIABLE; ∅, otherwise
FV(Γ)((f a)) = FV(Γ)(f) ∪ FV(Γ)(a)
FV(Γ)(λ(x: T): a) = FV(Γ, x: VAR T)(a) − {x}
FV(Γ)((a1, a2)) = FV(Γ)(a1) ∪ FV(Γ)(a2)
FV(Γ)(p_i a) = FV(Γ)(a)

Definition 2.15 (substitution)
s[a1/x1, …, an/xn] = a_i, if s ≡ x_i for some minimal i; s, otherwise
(f a)[a1/x1, …, an/xn] = (f[a1/x1, …, an/xn] a[a1/x1, …, an/xn])
(λ(y: T): a)[a1/x1, …, an/xn] = (λ(y': T): a[y'/y, a1/x1, …, an/xn]), where y' is a fresh variable
(b1, b2)[a1/x1, …, an/xn] = (b1[a1/x1, …, an/xn], b2[a1/x1, …, an/xn])
(p_i a)[a1/x1, …, an/xn] = (p_i a[a1/x1, …, an/xn])
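The following is an added example and is not part of the report: a direct Python transcription of Definitions 2.14 and 2.15, written to exercise the one clause that is easy to get wrong, the fresh variable y' in the λ case. The tuple encoding of preterms, the context as a dict from symbols to kinds, the sample term, and the spelling "or" for the infix boolop ∨ are our own assumptions.

```python
"""Free variables and capture-avoiding substitution for the simply typed fragment,
following Definitions 2.14 and 2.15 of the report.  Constructed encoding (ours):
  preterm  ("sym", s) | ("app", f, a) | ("lam", x, T, a) | ("pair", a1, a2) | ("proj", i, a)
  context  dict from symbol to kind; Γ, x: VAR T adds x with kind "VARIABLE"."""


def symbols(t):
    """Every symbol occurring in t, bound or free; used to choose a fresh variable."""
    tag = t[0]
    if tag == "sym":
        return {t[1]}
    if tag in ("app", "pair"):
        return symbols(t[1]) | symbols(t[2])
    if tag == "lam":
        return {t[1]} | symbols(t[3])
    if tag == "proj":
        return symbols(t[2])
    raise ValueError(f"unknown preterm form {tag}")


def fv(ctx, t):
    """FV(Γ)(a) of Definition 2.14."""
    tag = t[0]
    if tag == "sym":                                   # {s} if kind(Γ(s)) = VARIABLE, else ∅
        return {t[1]} if ctx.get(t[1]) == "VARIABLE" else set()
    if tag in ("app", "pair"):                         # union of both parts
        return fv(ctx, t[1]) | fv(ctx, t[2])
    if tag == "lam":                                   # FV(Γ, x: VAR T)(a) − {x}
        _, x, _T, body = t
        return fv({**ctx, x: "VARIABLE"}, body) - {x}
    if tag == "proj":
        return fv(ctx, t[2])
    raise ValueError(f"unknown preterm form {tag}")


def subst(t, sub, avoid=frozenset()):
    """a[a1/x1, ..., an/xn] of Definition 2.15.  `sub` maps each x_i to a_i (dict keys are
    distinct, so the minimal-i clause is a plain lookup); `avoid` holds names a fresh
    variable must not reuse."""
    tag = t[0]
    if tag == "sym":                                   # a_i if s = x_i, otherwise s
        return sub.get(t[1], t)
    if tag == "app":
        return ("app", subst(t[1], sub, avoid), subst(t[2], sub, avoid))
    if tag == "pair":
        return ("pair", subst(t[1], sub, avoid), subst(t[2], sub, avoid))
    if tag == "proj":
        return ("proj", t[1], subst(t[2], sub, avoid))
    if tag == "lam":                                   # (λ(y':T): a[y'/y, a1/x1, ..., an/xn]), y' fresh
        _, y, T, body = t
        used = set(avoid) | symbols(t) | set(sub)
        for a in sub.values():
            used |= symbols(a)
        y2 = y
        while y2 in used:                              # prime the name until it clashes with nothing
            y2 += "'"
        # y'/y is listed first, so it is the minimal match for y even if some x_i = y
        new_sub = {y: ("sym", y2), **{x: a for x, a in sub.items() if x != y}}
        return ("lam", y2, T, subst(body, new_sub, used | {y2}))
    raise ValueError(f"unknown preterm form {tag}")


# Constructed sample: the context Ω of Chapter 3 plus two variables x, y: VAR bool.
# "or" stands for the boolop ∨ (our spelling; the page writes it infix).
CTX = {"bool": "TYPE", "TRUE": "CONSTANT", "FALSE": "CONSTANT", "or": "CONSTANT",
       "x": "VARIABLE", "y": "VARIABLE"}
# λ(y: bool): (x ∨ y)
LAM_X_OR_Y = ("lam", "y", "bool",
              ("app", ("sym", "or"), ("pair", ("sym", "x"), ("sym", "y"))))


def capture_example():
    """Substitute y for x in λ(y: bool): (x ∨ y).  Without the fresh-variable clause the
    free y would be captured by the binder; with it the binder becomes y' and the free
    variable of the result is y.  Returns (FV before, result, FV after)."""
    result = subst(LAM_X_OR_Y, {"x": ("sym", "y")})
    return fv(CTX, LAM_X_OR_Y), result, fv(CTX, result)


if __name__ == "__main__":
    print(capture_example())
```

The renaming happens on every λ, exactly as the definition states, not only when a capture would occur; that is what makes the clause compositional when several substitutions are applied in sequence.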
2.5 Type Definitions

Recall that terms are treated as syntactically equivalent modulo alpha conversion. The above definitions must be extended as more features are added to the language. Here we enrich contexts so that type symbols may be declared with definitions, by a declaration of the form s: TYPE = T, where T is a type. A type definition in a context may use only the type names declared prior to it in the context; in particular, type definitions do not allow recursive definitions.¹ Most specification languages treat type names as distinct even when their definitions coincide. The main difference in PVS is that type names are treated as definitionally equivalent: if a context Γ contains a type definition s: TYPE = T for s, then under Γ the type names s and T are treated as equivalent. In other words, two types are equivalent in Γ if they are syntactically equivalent after all the defined type names have been expanded. To accommodate this, we must extend the notion of type equivalence used in the typing rules, and we need the canonical, expanded form of a type. The operation δ(Γ)(T) returns the expanded form of the type T relative to the context Γ, in which all defined type names have been replaced by their definitions.

Definition 2.16 (expanded type)
δ(Γ)(s) = s, if definition(Γ(s)) is empty
δ(Γ)(s) = δ(Γ)(definition(Γ(s))), if definition(Γ(s)) is nonempty
δ(Γ)([T1, T2]) = [δ(Γ)(T1), δ(Γ)(T2)]
δ(Γ)([A→B]) = [δ(Γ)(A)→δ(Γ)(B)]

The main typing issue here is to ensure that the definition in a type declaration is well formed relative to the preceding part of the context. The typing rules are augmented so that T returns the expanded form of the type corresponding to a preterm, and we also need δ to return the expanded form of a type relative to the context.

¹For the moment, we are not considering the PVS DATATYPE mechanism, which is a form of recursive type definition [OS97]. Recursive datatypes in the context of the HOL proof checking system are described by Melham [Mel89].
Definition 2.17 (type rules with type definitions)
T0(Γ, s: TYPE = T) = CONTEXT, if Γ(s) is undefined, T0(Γ) = CONTEXT, and T(Γ)(T) = TYPE
T(Γ)(s) = TYPE, if kind(Γ(s)) = TYPE
T(Γ)(s) = δ(Γ)(type(Γ(s))), if kind(Γ(s)) ∈ {CONSTANT, VARIABLE}

Note that T always returns an expanded type for a term a, that is, δ(T(Γ)(a)) = T(Γ)(a), since the δ operator is idempotent. We do not need to revise the definition of M (Definition 2.6), since the syntax of types and terms is unchanged, but we do need to update the notion of satisfaction (Definition 2.8) to respect type definitions.

Definition 2.18 (satisfaction with type definitions) An assignment γ satisfies a context Γ if, in addition to the conditions in Definition 2.8, whenever kind(Γ(s)) = TYPE and definition(Γ(s)) (abbreviated as T) is nonempty, then γ(s) = M(Γ|γ)(T). The condition on γ(s) for kind(Γ(s)) ∈ {CONSTANT, VARIABLE} is unchanged.

Theorems 2.11, 2.12, and 2.13 continue to hold under these extensions, and their proofs are easily adapted to the modified definitions.

Example 2.19 (type definition) Let Ω' be the context Ω, boolop: TYPE = [[bool, bool]→bool], ∨: boolop. Then T0(Ω') = CONTEXT, δ(Ω')(boolop) = [[bool, bool]→bool], and T(Ω')(∨) = [[bool, bool]→bool].
2.6 Summary

We have defined the syntax for contexts, pretypes, and preterms, and the type rules for well-formed contexts, types, and terms. The type rules are presented in a novel functional style where each well-formed context is assigned the label CONTEXT, each well-formed type is assigned the label TYPE, and each well-formed term is assigned a canonical type. The semantics for the simply typed fragment of PVS maps a well-formed type to a set, and a well-formed term to an element of the set corresponding to its canonical type, relative to a satisfying assignment for the context. We then defined the syntactic operations of collecting the free variables in an expression and of substituting terms for variables in an expression. The simple type theory is then extended with type definitions. With this extension, two type expressions are treated as equivalent if they are identical after the type definitions have been expanded. The operation δ returns the expanded form of a given type expression.
Chapter 3
Adding Subtyping

Subtyping is one of the main features of the PVS type system.¹ It makes it possible to treat the natural numbers as a subtype of the integers, which are in turn a subtype of the reals, and to introduce types such as the odd numbers or the primes as subtypes of the natural numbers. Subtypes are absent from the simply typed fragment presented so far, where a term has at most one type. In the set-theoretic semantics a subtype corresponds to a subset of the set of values of its supertype.

Subtyping raises several delicate issues for typechecking and semantics. A term can now have several types, so we constrain the type rules so that T still returns a single canonical type for a term, even when the term also belongs to other types. When an expression is typechecked against an expected type, the two must be compatible, that is, the maximal supertypes of the canonical type of the expression and of the expected type must be structurally equivalent; if the expected type is a supertype of the canonical type, typechecking is straightforward, but if it is a subtype, the typechecker generates proof obligations asserting that the value of the expression satisfies the predicate of the expected subtype. Type correctness of an expression is therefore no longer decidable. Subtyping also introduces the possibility of empty types; typed lambda calculi with possibly empty types have been studied by Meyer, Mitchell, Moggi, and Statman [MMMS90].

This chapter presents the type rules and semantics for predicate subtyping, and introduces the notions of maximal supertype, type compatibility, and type equivalence. We restrict our attention to contexts Γ that extend the declarations:

bool: TYPE,
TRUE: bool,
FALSE: bool,
boolop: TYPE = [[bool, bool]→bool],
¬: [bool→bool],
∨: boolop,
∧: boolop,
⊃: boolop

¹The form of subtyping used in PVS is derived from a suggestion of Friedrich von Henke.
We will abuse PVS notation and use infix forms for ∨, ∧, and ⊃. A predicate subtype has the form {x: T | a}, where T is a pretype, x is a symbol, and a is a preterm. If a is a term of type bool, then {x: T | a} is the subtype of T consisting of those elements e of T satisfying a (with e substituted for x in a). Universal quantification ∀(x: T): a is defined as an abbreviation for the equality (λ(x: T): a) = (λ(x: T): TRUE), where the equality symbol '=' is interpreted as extensional equality on the function type. Note that the symbol '=' is used only in the definition of ∀ and for metatheoretic purposes in the definitions below; the formal introduction of equality into the language is deferred to a later section, following the introduction of parametric theories. Although it is customary in PVS to employ the predicate (λ(x: T): a) to define a subtype, we use the form {x: T | a} to distinguish the subtype from its predicate.

Our first step will be to define the maximal supertype μ(T) of a type T. In a given context, μ is applied to the expanded form (given by δ) of the type expression. A maximal type T is one such that μ(T) = T.

Definition 3.1 (maximal supertype)
μ({x: T | a}) = μ(T)
μ([A→B]) = [A→μ(B)]
μ([A1, A2]) = [μ(A1), μ(A2)]
μ(T) = T, otherwise
Note that in taking the maximal supertype of a function type, the domain type is held fixed. In most type theories with subtypes, the rule for subtyping between function types states that [A'→B'] is a subtype of [A→B] when A is a subtype of A' and B' is a subtype of B; subtyping on function types is then said to be contravariant in the domain type and covariant in the range type. Subtyping in PVS is neither covariant nor contravariant in the domain type of a function type, but it is covariant in the range type. This is because subtypes correspond to subsets in the set-theoretic interpretation, and two values of a function type are equal only if they are extensionally equal, that is, if they return equal values when applied to every argument of the domain type. Consider the function abs of type [int→nat], which behaves as an identity on natural numbers and returns the absolute value otherwise, and the function idnat of type [nat→nat], which is the identity on natural numbers. If [int→nat] were a subtype of [nat→nat], then abs and idnat, which return equal values when applied to natural numbers, would be erroneously identified as equal in [nat→nat], and the information that abs is also defined on negative integers would be lost. In the subset interpretation this is plain: an element of [int→nat] is a set of pairs that is not an element of [nat→nat].

We will also employ a weaker direct supertype μ0(T), which returns the supertype of T obtained by removing only the outermost predicate subtype constructors.

Definition 3.2 (direct supertype)
μ0({x: T | a}) = μ0(T)
μ0(T) = T, otherwise

Example 3.3 (maximal supertype) Given a context containing the declarations listed above together with int: TYPE and 0: int.
Proposition 3.16 If T0(Γ) = CONTEXT, T(Γ)(A) = T(Γ)(A') = TYPE, γ satisfies Γ, and (A ≃ A')_Γ holds in context Γ, i.e., for each formula a in (A ≃ A'),⁵ either
1. a ≡ TRUE, or
2. a ≡ (a1 = a2) and M(Γ|γ)(a1) = M(Γ|γ)(a2) holds,
then M(Γ|γ)(A) = M(Γ|γ)(A').

Proposition 3.17 If T0(Γ) = CONTEXT and T(Γ)(T) = TYPE, then M(Γ|γ)(T) = M(Γ|γ)({x: μ(T) | π(T)(x)}).

We can now examine the updated forms of Theorems 2.11, 2.12, and 2.13. The statement of Theorem 2.11 is unchanged and its proof remains straightforward. The statement of Theorem 2.13 must now be strengthened to include the soundness of the proof rules among the invariants, that is, if ⊢_Γ a and γ satisfies Γ, then M(Γ|γ)(a) = 1. Since we have not yet presented the proof rules (Theorem 7.2), for now we assume their soundness.
Theorem 3.18 (type soundness) If T0(Γ) = CONTEXT, γ satisfies Γ, and T(Γ)(A) = TYPE, then M(Γ|γ)(A) ∈ U.

Proof. There is only one new case in the proof of Theorem 2.12, namely, when A ≡ {x: T | a}. In this case, by Definition 3.10, T(Γ)(T) = TYPE, so by the induction hypothesis M(Γ|γ)(T) ∈ U. Since, by Definition 3.12, M(Γ|γ)(A) is a subset of M(Γ|γ)(T), we have M(Γ|γ)(A) ∈ U by Definition 1.1.

Theorem 3.19 (term soundness) If T0(Γ) = CONTEXT, γ satisfies Γ, and T(Γ)(a) = A, then M(Γ|γ)(a) ∈ M(Γ|γ)(A).

Proof. There are two affected cases in the proof of Theorem 2.13, namely, those of application and projection. When a ≡ (f b), by Definition 3.10 we have T(Γ)(f) = [B→A] and T(Γ)(b) = B' for some B' such that B and B' are compatible, i.e., (μ(B) ≃ μ(B'))_Γ, and ⊢_Γ π(B)(b). Let X be M(Γ|γ)(B), X' be M(Γ|γ)(B'), and Y be M(Γ|γ)(A). By the induction hypotheses, M(Γ|γ)(f) ∈ M(Γ|γ)([B→A]), which is Y^X by Definition 2.6, and M(Γ|γ)(b) ∈ X'. By Propositions 3.15 and 3.16, X and X' are both subsets of M(Γ|γ)(μ(B)). Since, by Proposition 3.17, M(Γ|γ)(B) = M(Γ|γ)({x: μ(B) | π(B)(x)}), and ⊢_Γ π(B)(b), the soundness of the proof rules (Theorem 7.2, assumed above) yields M(Γ|γ)(b) ∈ X. Hence, by Definition 2.6, M(Γ|γ)((f b)) ∈ Y, that is, M(Γ|γ)(a) ∈ M(Γ|γ)(A). The case of projection expressions is similarly straightforward.

⁵We remind the reader that the formulas a in (A ≃ A') are equalities, but we have not yet formally introduced equality into the language.
3.1 Summary

PVS introduces a form of subtyping where a subtype consists of the elements of a type satisfying a given predicate on the type. This kind of subtyping introduces several delicate semantic issues into PVS. A term can now have several types since, for example, a natural number can be a prime number, an even number, an integer, a rational number, or a real number. When a term is used in a context with an expected type, the actual (canonical) type of the term must be compatible with the expected type, and the term must satisfy any subtype constraints imposed by the expected type; these constraints are generated as proof obligations during typechecking. We have defined the notions of maximal supertype, type equivalence, and compatibility, and extended the type rules and semantics of the simply typed fragment to the subtype fragment of the PVS language. Note that the proof obligations, and hence type equivalence and typechecking, are undecidable. The proof obligations generated by subtyping are perhaps the most significant source of undecidability in PVS. The design of the type rules confines the undecidable part of typechecking to the generated proof obligations, so that the remainder of typechecking is decidable, and the correctness of the PVS typechecker can be modularized into a decidable part and the consideration of the generated proof obligations.
Chapter 4
Dependent Types

The PVS language employs dependent typing, where the type of one component of a product type can depend on the value of another component, or the range type of a function type can depend on the value of its argument. A dependent product type is written as [x: A, B] and a dependent function type as [x: A→B], where the bound variable x of type A may occur free in B. Dependent typing considerably enhances the expressiveness of the type system and the utility of predicate subtyping, since the predicates in subtypes can now depend on the values of other components. It is also a natural extension: with predicate subtyping, free variables already arise in the predicate part of types, and the subtype fragment described so far already generates proof obligations, so type equivalence between dependent types is undecidable for the same reason.

Any product or function type can be transformed into a dependent type by inserting a dummy binding that does not occur free in the dependent component; conversely, a dependent type whose bound variable does not occur free in the dependent component can be transformed into an ordinary type by removing the binding. The type rules and semantics below will assume that all product and function types are given as dependent types, with dummy bindings where there is no dependency.

Example 4.1 (dependent types)
[i: int→{j: int | i < j}]
[i: nat, {j: nat | j ≤ i}]
[i: nat, [{j: nat | j ≤ i}→bool]]

Before the type rules and semantics are presented, we update the definitions of free variables and substitution to account for the fact that with dependent typing, both free and bound variables can occur in terms and types. This is needed for the next step, where we try to remove type dependencies by substituting a term into a dependent type.

Definition 4.2 (free variables for types)
FV(Γ)([x: A→B]) = FV(Γ)(A) ∪ (FV(Γ, x: VAR A)(B) − {x})
FV(Γ)([x: A, B]) = FV(Γ)(A) ∪ (FV(Γ, x: VAR A)(B) − {x})
FV(Γ)({x: A | a}) = FV(Γ)(A) ∪ (FV(Γ, x: VAR A)(a) − {x})

Definition 4.3 (substitution for types)
[x: A→B][a1/x1, …, an/xn] = [y: A[a1/x1, …, an/xn]→B[y/x, a1/x1, …, an/xn]]
[x: A, B][a1/x1, …, an/xn] = [y: A[a1/x1, …, an/xn], B[y/x, a1/x1, …, an/xn]]
{x: A | a}[a1/x1, …, an/xn] = {y: A[a1/x1, …, an/xn] | a[y/x, a1/x1, …, an/xn]}
where y is a fresh variable.

The definition of the maximal supertype operation μ for dependent function types is unchanged: μ([x: A→B]) = [x: A→μ(B)]. The case of dependent product types is more delicate, since the second component B may contain occurrences of x. If μ([x: A, B]) were defined as [x: μ(A), μ(B)], the information that the x occurring in B is constrained to be of type A rather than μ(A) would be lost.¹ To ensure that the subtype information regarding x is retained, we first define an operation T\a which constrains the type T with the assertion a.

Definition 4.4 (Adding subtype constraints)
{x: T | b}\a = {x: T | a ∧ b}
[A→B]\a = [A\a→B\a]
[A, B]\a = [A\a, B\a]
T\a = {x: T | a}, otherwise

¹Doug Howe brought this problem to our attention.
We can now define the maximal supertype operation for dependent tuple types.

Definition 4.5 (Maximal supertype for dependent tuple types)
μ([x: A, B]) = [x: μ(A), μ(B)\π(A)(x)]

The definition of the subtype constraint predicate π for a dependent function type remains essentially that for an ordinary function type, except that the predicate on the range type is now stated for each value y of the argument. For a dependent product type the constraint on the second component must be stated for the value of the first component, which is substituted for the bound variable.

Definition 4.6 (constraint predicates for dependent types)
π([y: A→B]) = (λ(x: [y: A→μ(B)]): (∀(y: A): π(B)(x(y))))
π([y: A, B]) = (λ(x: [y: μ(A), μ(B)\π(A)(y)]): π(A)(p1 x) ∧ π(B)[(p1 x)/y](p2 x))

Example 4.7 (constraint predicates for dependent types)
π([i: int→{j: int | i ≤ j}]) = (λ(f: [i: int→int]): (∀(i: int): (λ(j: int): i ≤ j)(f(i)))),
which simplifies to (λ(f: [i: int→int]): (∀(i: int): i ≤ f(i))).

The subtlety now is that the expected type of an expression might be a dependent type while its actual type is not. Consider the expression (5, (λ(x: {j: nat | j ≤ 5}): x)) in a context where the expected type is [i: nat, [{j: nat | j ≤ i}→{j: nat | j ≤ i}]]. The actual type of this expression computed by T would be [i: nat, [{j: nat | j ≤ 5}→{j: nat | j ≤ 5}]]. The maximal supertypes of the two types are not equivalent as they stand, since the domain {j: nat | j ≤ 5} of the second component differs from {j: nat | j ≤ i}, and yet the expression is type-correct. To cope with this, the type equivalence check, which is used for checking whether the actual type of an expression is compatible with its expected type, must be massaged slightly for dependent types: we will allow two maximal types, say A and B, to be compared with the free variables of the dependent type instantiated by the projections of the expression a whose actual type is A, generating proof obligations as needed. This option is indicated by the notation (A ≃ B)/a.
In Definition 4.8, A and B are maximal types. The cases that are missing from Definition 4.8 are those already given in Definition 3.6. For a list of formulas a1, …, an, let (∀(x: T): a1, …, an) represent the list (∀(x: T): a1), …, (∀(x: T): an).²

Definition 4.8 (type equivalence for dependent types)
([x: A→B] ≃ [x': A'→B']) = (μ(A) ≃ μ(A')); (π(A) = π(A')); (∀(x: A): (B ≃ B'[x/x']))
([x: A→B] ≃ [x': A'→B'])/a = (μ(A) ≃ μ(A')); (π(A) = π(A')); (∀(x: A): (B ≃ B'[x/x'])/a(x))
([x: A1, A2] ≃ [y: B1, B2]) = (A1 ≃ B1); (∀(x: A1): (A2 ≃ B2[x/y]))
([x: A1, A2] ≃ [y: B1, B2])/a = (A1 ≃ B1)/(p1 a); (A2[(p1 a)/x] ≃ B2[(p1 a)/y])/(p2 a)
(A ≃ B)/a = FALSE, otherwise

As with subtypes, the notation (A ≃ B)_Γ indicates that all the proof obligations a' in (A ≃ B) are provable, that is, ⊢_Γ a', and likewise for (A ≃ B)/a; the compatibility of an actual type A with an expected type B for an expression a is checked by (μ(A) ≃ μ(B))/a. With dependent types, the type rules must also be modified so as to augment the context with the bound variable when the dependent component is typechecked. We will give the definitions only for the dependent constructions.

²Note that the type-correctness of the proof obligation (π(A) = π(A')) in Definition 4.8 depends on the prior proof obligations μ(A) ≃ μ(A').
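As an added worked example that is not part of the report, here is how the /a option of Definition 4.8 handles the expression discussed above, comparing its actual type A against the expected type E. It assumes that the type-symbol and subtype clauses of (A ≃ B) are those of Definition 3.6, which is not reproduced on this page, and that π({j: nat | j ≤ 5}) is (λ(j: nat): j ≤ 5), following the pattern of Example 4.7 with nat taken as a maximal type.

$$
\begin{aligned}
a &\equiv (5,\ (\lambda(x:\{j:\mathit{nat}\mid j\le 5\}):\,x))\\
A &\equiv [i:\mathit{nat},\ [\{j:\mathit{nat}\mid j\le 5\}\to\{j:\mathit{nat}\mid j\le 5\}]] &&\text{(actual type, computed by } \mathcal{T})\\
E &\equiv [i:\mathit{nat},\ [\{j:\mathit{nat}\mid j\le i\}\to\{j:\mathit{nat}\mid j\le i\}]] &&\text{(expected type)}
\end{aligned}
$$

The product clause of Definition 4.8 substitutes $p_1 a$ for the bound $i$; the left component is unchanged because $i$ is not free in it:

$$
\begin{aligned}
(A\simeq E)/a
 &= (\mathit{nat}\simeq\mathit{nat})/(p_1 a);\
   \bigl([\{j:\mathit{nat}\mid j\le 5\}\to\{j:\mathit{nat}\mid j\le 5\}][(p_1 a)/i]
   \simeq [\{j:\mathit{nat}\mid j\le i\}\to\{j:\mathit{nat}\mid j\le i\}][(p_1 a)/i]\bigr)/(p_2 a)\\
 &= \mathrm{TRUE};\
   \bigl([\{j:\mathit{nat}\mid j\le 5\}\to\{j:\mathit{nat}\mid j\le 5\}]
   \simeq [\{j:\mathit{nat}\mid j\le (p_1 a)\}\to\{j:\mathit{nat}\mid j\le (p_1 a)\}]\bigr)/(p_2 a)
\end{aligned}
$$

The function clause (with dummy bindings) then yields

$$
\begin{aligned}
 &= \mathrm{TRUE};\ (\mu(\{j:\mathit{nat}\mid j\le 5\})\simeq\mu(\{j:\mathit{nat}\mid j\le (p_1 a)\}));\
   (\pi(\{j:\mathit{nat}\mid j\le 5\}) = \pi(\{j:\mathit{nat}\mid j\le (p_1 a)\}));\\
 &\qquad (\forall(x:\{j:\mathit{nat}\mid j\le 5\}):\ (\{j:\mathit{nat}\mid j\le 5\}\simeq\{j:\mathit{nat}\mid j\le (p_1 a)\})/(p_2 a)(x))\\
 &= \mathrm{TRUE};\ \mathrm{TRUE};\ ((\lambda(j:\mathit{nat}):\,j\le 5) = (\lambda(j:\mathit{nat}):\,j\le (p_1 a)));\ \ldots
\end{aligned}
$$

Since $a$ is the pair $(5, \ldots)$, the $p_i$ clause of Definition 2.6 gives $p_1 a$ the value $5$, so the equality obligation is $(\lambda(j:\mathit{nat}): j\le 5) = (\lambda(j:\mathit{nat}): j\le 5)$, provable by extensionality, and the subtype obligation under the quantifier reduces to the same equality. Without the /a option the product clause would instead produce $(\forall(i:\mathit{nat}): ((\lambda(j:\mathit{nat}): j\le 5) = (\lambda(j:\mathit{nat}): j\le i)))$, which is not provable, and the type-correct expression would be rejected.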
Definition 4.9 (type rules with dependent types)
T(Γ)([x: A→B]) = TYPE, if Γ(x) is undefined, T(Γ)(A) = TYPE, and T(Γ, x: VAR A)(B) = TYPE
T(Γ)([x: A, B]) = TYPE, if Γ(x) is undefined, T(Γ)(A) = TYPE, and T(Γ, x: VAR A)(B) = TYPE
T(Γ)((f a)) = B', where μ0(T(Γ)(f)) = [x: A→B], T(Γ)(a) = A', (A ≃ A')_Γ, ⊢_Γ π(A)(a), and B' is B[a/x]
T(Γ)(λ(x: A): a) = [x: A→B], where B = T(Γ, x: VAR A)(a)
T(Γ)(p1 a) = A1, where μ0(T(Γ)(a)) = [x: A1, A2]
T(Γ)(p2 a) = A2[(p1 a)/x], where μ0(T(Γ)(a)) = [x: A1, A2]

Example 4.10 (dependent typing)
T(Γ)([x: bool→{y: bool | x ⊃ y}]) = TYPE
T(Γ)([x: bool, {y: bool | x ⊃ y}]) = TYPE

Before we can assign meanings to dependent types, we must augment the definition of the universe to include the sets corresponding to these constructions. If F is a function from a domain set X to a range of sets, that is, F(x) is a set for each x ∈ X, we can define ΣF to be the set {⟨x, y⟩ | x ∈ dom(F), y ∈ F(x)} and ΠF to be the set {f | (∀x ∈ dom(F): f(x) ∈ F(x))}. Note that ΠF ⊆ (∪_{x∈X} F(x))^X, but we include ΠF directly in the universe U defined below for simplicity. We can drop X × Y from the definition of the universe, since X × Y can always be obtained as ΣF where F is defined with domain X to always return Y; similarly, Y^X can be obtained as ΠF from an F with domain X that always returns Y. The universe U can then be redefined as below.

Definition 4.11 (type universe with dependent types)
U_0 = {2, ℝ}
W_i = ∪_{X∈U_i} U_i^X, the set of functions from some X ∈ U_i into U_i
U_{i+1} = U_i ∪ ∪_{X∈U_i} ℘(X) ∪ {ΣF | F ∈ W_i} ∪ {ΠF | F ∈ W_i}
U = ∪_{i∈ω} U_i
One very important consequence of the semantics is that for any type expression with dependencies, there must be a single rank n such that the meaning of the type lies in U_n for every value of its free variables. In particular, if B is a type with a single free variable z of type A, then the meaning of B under an assignment γ{z ← v} must be in U_n for an n that does not vary with the value v. This holds for PVS because a type dependency can appear only in the predicate part of a subtype constructor; the property is easily proved by induction on the structure of the type. It must be the case for every PVS type because there is no way in PVS to construct a type such as [n: nat→T^n], where T^n is the n-tuple type [T, [..., T]] for a given n, whose meaning cannot be bounded in the above sense. If unbounded type dependencies of this kind were allowed in PVS, the meaning of such a type would not be an element of the universe U defined above.

The semantic definitions are unchanged from Definition 3.12 except for the cases of dependent function and dependent product types, whose meanings are obtained using Π and Σ. Note that when there are no dependencies, the meaning of a dependent type is equivalent to that of the corresponding nondependent type. All the other cases of the definition are unchanged, and there are no separate cases for nondependent function and product types, since these are represented as dependent types with dummy bindings.

Definition 4.12 (meaning function with dependent types)
M(Γ|γ)([x: A, B]) = ΣF, where F maps z ∈ M(Γ|γ)(A) to M(Γ, x: VAR A | γ{x ← z})(B)
M(Γ|γ)([x: A→B]) = ΠF, where F maps z ∈ M(Γ|γ)(A) to M(Γ, x: VAR A | γ{x ← z})(B)

Example 4.13 (meaning function with dependent types)
M(Γ|γ)([x: bool, {y: bool | x ⊃ y}]) = {⟨0, 0⟩, ⟨0, 1⟩, ⟨1, 1⟩}
M(Γ|γ)([x: bool→{y: bool | x ⊃ y}]) = {{⟨0, 0⟩, ⟨1, 1⟩}, {⟨0, 1⟩, ⟨1, 1⟩}}
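As an added example that is not part of the report, the meaning function of Definitions 2.6 and 4.12 can be executed over the finite universe of Example 4.13, with bool interpreted as 2 = {0, 1}. The tuple and frozenset encoding of types, terms, and functions, the assignment OMEGA, and the spelling "implies" for ⊃ are our own assumptions; the subtype clause follows the description of Definition 3.12 given on this page (the subset of the supertype on which the predicate holds), since that definition itself is not reproduced here.

```python
"""The meaning function M(Γ|γ) of Definitions 2.6 and 4.12 over a finite universe.
Constructed encoding (ours, not the report's notation):
  types  ("tsym", s) | ("sub", x, A, a) | ("dfun", x, A, B) | ("dprod", x, A, B)
  terms  ("sym", s) | ("app", f, a) | ("lam", x, A, b) | ("pair", a, b) | ("proj", i, a)
Values: bool is 2 = {0, 1}; a pair is a tuple; a function is a frozenset of (argument,
value) pairs; a type denotes a frozenset.  Well-typedness of the input is assumed,
as in the hypotheses of Theorems 2.13 and 4.18."""
from itertools import product


def apply_fn(fn, arg):
    """Application of a set-of-pairs function to an argument."""
    return dict(fn)[arg]


def sigma(F):
    """ΣF = {⟨x, y⟩ | x ∈ dom(F), y ∈ F(x)}; F is a dict from values to frozensets."""
    return frozenset((x, y) for x, Y in F.items() for y in Y)


def pi(F):
    """ΠF = {f | ∀x ∈ dom(F): f(x) ∈ F(x)}, each f a frozenset of (x, f(x)) pairs."""
    xs = list(F)
    return frozenset(frozenset(zip(xs, ys)) for ys in product(*(F[x] for x in xs)))


def mtype(g, T):
    """M(Γ|γ)(T) for a pretype T under the assignment g (a dict)."""
    tag = T[0]
    if tag == "tsym":                       # γ(s)
        return g[T[1]]
    if tag == "sub":                        # {x: A | a}: subset of M(A) on which a holds
        _, x, A, a = T                      # (assumed reading of Definition 3.12)
        return frozenset(v for v in mtype(g, A) if mterm({**g, x: v}, a) == 1)
    if tag == "dfun":                       # [x: A → B] = ΠF, F(v) = M(Γ, x:VAR A | γ{x←v})(B)
        _, x, A, B = T
        return pi({v: mtype({**g, x: v}, B) for v in mtype(g, A)})
    if tag == "dprod":                      # [x: A, B] = ΣF with the same F
        _, x, A, B = T
        return sigma({v: mtype({**g, x: v}, B) for v in mtype(g, A)})
    raise ValueError(f"unknown type form {tag}")


def mterm(g, a):
    """M(Γ|γ)(a) for a preterm a under the assignment g."""
    tag = a[0]
    if tag == "sym":                        # γ(s)
        return g[a[1]]
    if tag == "app":                        # (M(f))(M(a))
        return apply_fn(mterm(g, a[1]), mterm(g, a[2]))
    if tag == "lam":                        # {⟨y, M(Γ, x:VAR T | γ{x←y})(b)⟩ | y ∈ M(T)}
        _, x, T, b = a
        return frozenset((y, mterm({**g, x: y}, b)) for y in mtype(g, T))
    if tag == "pair":                       # ⟨M(a1), M(a2)⟩
        return (mterm(g, a[1]), mterm(g, a[2]))
    if tag == "proj":                       # p_i a = t_i
        return mterm(g, a[2])[a[1] - 1]
    raise ValueError(f"unknown term form {tag}")


# Constructed assignment ω for the context of Chapter 3: bool ↦ 2, TRUE ↦ 1, FALSE ↦ 0,
# and ⊃ ↦ the boolop on pairs for implication (the name "implies" is ours).
OMEGA = {
    "bool": frozenset({0, 1}),
    "TRUE": 1,
    "FALSE": 0,
    "implies": frozenset(((p, q), 0 if (p, q) == (1, 0) else 1) for p in (0, 1) for q in (0, 1)),
}
BOOL = ("tsym", "bool")
X_IMPLIES_Y = ("app", ("sym", "implies"), ("pair", ("sym", "x"), ("sym", "y")))
DEP_PROD = ("dprod", "x", BOOL, ("sub", "y", BOOL, X_IMPLIES_Y))  # [x: bool, {y: bool | x ⊃ y}]
DEP_FUN = ("dfun", "x", BOOL, ("sub", "y", BOOL, X_IMPLIES_Y))    # [x: bool → {y: bool | x ⊃ y}]


def example_2_7():
    """The three meanings of Example 2.7; [bool, bool] is encoded with a dummy binding."""
    return (mtype(OMEGA, ("dprod", "_", BOOL, BOOL)),
            mterm(OMEGA, ("pair", ("sym", "TRUE"), ("sym", "FALSE"))),
            mterm(OMEGA, ("lam", "x", BOOL, ("sym", "TRUE"))))


def example_4_13():
    """The two dependent types of Example 4.13."""
    return mtype(OMEGA, DEP_PROD), mtype(OMEGA, DEP_FUN)


def inhabits(g, a, T):
    """The conclusion of Theorem 4.18, M(Γ|γ)(a) ∈ M(Γ|γ)(T), checked on finite sets."""
    return mterm(g, a) in mtype(g, T)


if __name__ == "__main__":
    print(example_2_7())
    print(example_4_13())
    print(inhabits(OMEGA, ("lam", "x", BOOL, ("sym", "x")), DEP_FUN))
```

Running the module reproduces the values of Examples 2.7 and 4.13. The `inhabits` check illustrates Theorem 4.18 on a finite instance: λ(x: bool): x, whose meaning is {⟨0, 0⟩, ⟨1, 1⟩}, lies in ΠF for [x: bool→{y: bool | x ⊃ y}], whereas λ(x: bool): FALSE does not, since F(1) = {1} excludes the pair ⟨1, 0⟩.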
We now need to show that the properties established in Theorems 3.18 and 3.19, namely, that M(Γ|γ)(A) ∈ U and that M(Γ|γ)(a) ∈ M(Γ|γ)(T(Γ)(a)), are preserved by the extension to dependent types. For the former, we prove a stronger theorem that incorporates the rank-boundedness of dependent types.

Theorem 4.14 (rank-bounded semantics) If
1. T0(Γ, x1: VAR A1, …, xn: VAR An) = CONTEXT, where x1, …, xn is a list of symbols and A1, …, An is a list of pretypes,
2. T(Γ, x1: VAR A1, …, xn: VAR An)(B) = TYPE, and
3. γ is an assignment satisfying Γ,
then there is an i such that for any list of values z1, …, zn for which γ{x1 ← z1}…{xn ← zn} is a satisfying assignment for Γ, x1: VAR A1, …, xn: VAR An, we have M(Γ, x1: VAR A1, …, xn: VAR An | γ{x1 ← z1}…{xn ← zn})(B) ∈ U_i.

Proof. Let Γ' denote Γ, x1: VAR A1, …, xn: VAR An, and γ' denote γ{x1 ← z1}…{xn ← zn}. The proof is by structural induction on the pretype B.

1. B ≡ s: Since B is just a type symbol, M(Γ'|γ')(B) is γ(B), which is in U regardless of the choice of the values z1, …, zn; so there is an i such that γ(B) ∈ U_i.

2. B ≡ {y: T | a}: By Definition 3.12, M(Γ'|γ')(B) ⊆ M(Γ'|γ')(T). By the induction hypothesis, there is a j such that it is always the case that M(Γ'|γ')(T) ∈ U_j, so if we let i = j + 1, then by Definition 4.11 it is always the case that M(Γ'|γ')(B) ∈ U_i.

3. B ≡ [y: C→D]: By Definition 4.9, Γ'(y) is undefined, T(Γ')(C) = TYPE, and T(Γ', y: VAR C)(D) = TYPE. By the induction hypothesis, there is a j such that it is always the case that M(Γ'|γ')(C) ∈ U_j, and a k such that it is always the case that M(Γ', y: VAR C | γ'{y ← w})(D) ∈ U_k for any w ∈ M(Γ'|γ')(C). Then the function F mapping w ∈ M(Γ'|γ')(C) to M(Γ', y: VAR C | γ'{y ← w})(D) is an element of W_{j+k}, and hence ΠF is an element of U_{j+k+1} by Definition 4.11. Letting i be j + k + 1, we have M(Γ'|γ')(B) ∈ U_i by Definition 4.12.

4. B ≡ [y: C, D]: Similar to the previous case, with ΣF in place of ΠF.

By choosing n to be 0, the theorem yields the result that M(Γ|γ)(B) ∈ U whenever T0(Γ) = CONTEXT, T(Γ)(B) = TYPE, and γ satisfies Γ.

We next need to establish that M(Γ|γ)(a) ∈ M(Γ|γ)(A) for any preterm a such that T(Γ)(a) = A. The first step in this direction is the substitution lemma below, which relies on the following proposition about contexts Γ and Γ' that contain the same declarations.
Proposition 4.15 If T0(Γ) = T0(Γ') = CONTEXT, where for each s, Γ(s) = Γ'(s) (i.e., they are equal whenever either Γ(s) or Γ'(s) is defined), and γ is an assignment satisfying both Γ and Γ', then
1. (a) T(Γ)(a) = T(Γ')(a), for any preterm a, and (b) T(Γ)(A) = T(Γ')(A), for any pretype A;
2. M(Γ|γ)(A) = M(Γ'|γ)(A), when T(Γ)(A) = TYPE;
3. M(Γ|γ)(a) = M(Γ'|γ)(a), for any preterm a such that T(Γ)(a) is defined.

Lemma 4.16 (substitution lemma) If T0(Γ, x: VAR A) = CONTEXT and T(Γ)(a) = A, then
1. If T(Γ, x: VAR A)(b) = B, then M(Γ|γ)(b[a/x]) = M(Γ, x: VAR A | γ{x ← M(Γ|γ)(a)})(b).
2. If T(Γ, x: VAR A)(C) = TYPE, then M(Γ|γ)(C[a/x]) = M(Γ, x: VAR A | γ{x ← M(Γ|γ)(a)})(C).
Proof. The proof is by simultaneous structural induction on the preterm b and the pretype C. The following cases deal with the preterm b.

1. b ≡ s: If s ≡ x, then by Definition 4.12 the left-hand side M(Γ|γ)(b[a/x]) is M(Γ|γ)(a), and the right-hand side is also M(Γ|γ)(a). If s ≢ x, then both sides are equal to γ(s).

2. b ≡ (λ(y: C): d): Since terms are identified up to alpha conversion, we may take the bound variable of b[a/x] to be y itself, so that b[a/x] ≡ (λ(y: C[a/x]): d[a/x]). By Definition 4.12, the left-hand side is the set of ordered pairs ⟨v, z⟩ such that v ∈ M(Γ|γ)(C[a/x]) and z = M(Γ, y: VAR C[a/x] | γ{y ← v})(d[a/x]). By the induction hypotheses, M(Γ|γ)(C[a/x]) = M(Γ, x: VAR A | γ{x ← M(Γ|γ)(a)})(C), and M(Γ, y: VAR C[a/x] | γ{y ← v})(d[a/x]) = M(Γ, y: VAR C[a/x], x: VAR A | γ{y ← v}{x ← M(Γ|γ)(a)})(d). Since x does not occur free in C[a/x], we can exchange the declarations of y and x so that, by Proposition 4.15, M(Γ, y: VAR C[a/x], x: VAR A | γ{y ← v}{x ← M(Γ|γ)(a)})(d) = M(Γ, x: VAR A, y: VAR C[a/x] | γ{x ← M(Γ|γ)(a)}{y ← v})(d), which by the induction hypothesis on C equals M(Γ, x: VAR A, y: VAR C | γ{x ← M(Γ|γ)(a)}{y ← v})(d). By Definition 4.12, the right-hand side is the set of ordered pairs ⟨v, z⟩ such that v ∈ M(Γ, x: VAR A | γ{x ← M(Γ|γ)(a)})(C) and z = M(Γ, x: VAR A, y: VAR C | γ{x ← M(Γ|γ)(a)}{y ← v})(d). It follows that the two sets of ordered pairs are equal.

3. b ≡ (f c): In this case, b[a/x] ≡ (f[a/x] c[a/x]), and the conclusion follows easily from the induction hypotheses and Definition 4.12.

4. b ≡ (b1, b2): The conclusion follows easily from the induction hypotheses and Definitions 2.15 and 4.12.

5. b ≡ (p_i c): This case is also straightforward since b[a/x] ≡ (p_i c[a/x]), and by the induction hypothesis, M(Γ, x: VAR A | γ{x ← M(Γ|γ)(a)})(c) = M(Γ|γ)(c[a/x]).

The remaining cases deal with the pretype C.

1. C ≡ s: This case is trivial since by Definition 2.15, C[a/x] ≡ C, and both the left-hand and right-hand sides reduce to γ(C).

2. C ≡ {y: T | d}: The argument here follows along the lines of the (λ(y: C): d) case above. By the induction hypotheses, we know that M(Γ, x: VAR A | γ{x ← M(Γ|γ)(a)})(T) = M(Γ|γ)(T[a/x]) and that M(Γ, y: VAR T[a/x], x: VAR A | γ{y ← z}{x ← M(Γ|γ)(a)})(d) = M(Γ, y: VAR T[a/x] | γ{y ← z})(d[a/x]) for any z ∈ M(Γ|γ)(T[a/x]). The conclusion follows by Proposition 4.15 and Definition 4.12.

3. C ≡ [y: C1→C2]: Essentially the same as the previous case. By the induction hypotheses and Proposition 4.15, the function mapping z ∈ M(Γ|γ)(C1[a/x]) to M(Γ, y: VAR C1[a/x] | γ{y ← z})(C2[a/x]) is the same as the function mapping z ∈ M(Γ, x: VAR A | γ{x ← M(Γ|γ)(a)})(C1) to M(Γ, y: VAR C1[a/x], x: VAR A | γ{y ← z}{x ← M(Γ|γ)(a)})(C2). The conclusion follows by Definition 4.12.

4. C ≡ [y: C1, C2]: Similar to the previous case.

Proposition 4.17 below is stated without proof. It asserts the semantic equivalence, with respect to a term a, of types A and B when (A ≃ B)_Γ holds. Note that its correctness depends on the soundness of the proof rules.
Proposition 4.17 If $\tau(\Gamma) = \mathrm{CONTEXT}$, $a$ is a preterm such that $\tau(\Gamma)(a) = B$, and $(A \simeq B)_\Gamma$, then $M(\Gamma|\gamma)(a) \in M(\Gamma|\gamma)(A)$ iff $M(\Gamma|\gamma)(a) \in M(\Gamma|\gamma)(B)$.

Theorem 4.18 If $\tau(\Gamma) = \mathrm{CONTEXT}$, $\gamma$ is an assignment satisfying $\Gamma$, and $a$ is a preterm such that $\tau(\Gamma)(a) = A$, then $M(\Gamma|\gamma)(a) \in M(\Gamma|\gamma)(A)$.

Proof. The proof is by induction on the structure of the preterm $a$.

1. $a \equiv s$: Then by Definition 2.8, we have that $\gamma(a) \in M(\Gamma|\gamma)(A)$, and by Definition 4.12, $M(\Gamma|\gamma)(a) = \gamma(a)$.

2. $a \equiv (\lambda(x{:}\,C){:}\,b)$: By Definition 4.9, $A$ is of the form $[x{:}\,C \to \tau(\Gamma, x{:}\mathrm{VAR}\ C)(b)]$, where $\tau(\Gamma)(a) = A$. Let $B$ label $\tau(\Gamma, x{:}\mathrm{VAR}\ C)(b)$. We know that $M(\Gamma|\gamma)(A) = \Pi F$, where $F$ maps $z \in M(\Gamma|\gamma)(C)$ to $M(\Gamma, x{:}\mathrm{VAR}\ C \,|\, \gamma\{x \leftarrow z\})(B)$. By the induction hypothesis on $b$, we know that for any $z \in M(\Gamma|\gamma)(C)$, $M(\Gamma, x{:}\mathrm{VAR}\ C \,|\, \gamma\{x \leftarrow z\})(b) \in M(\Gamma, x{:}\mathrm{VAR}\ C \,|\, \gamma\{x \leftarrow z\})(B)$. By Definition 4.12, $M(\Gamma|\gamma)(a)$ is a function mapping $z \in M(\Gamma|\gamma)(C)$ to $M(\Gamma, x{:}\mathrm{VAR}\ C \,|\, \gamma\{x \leftarrow z\})(b)$, and we therefore have $M(\Gamma|\gamma)(a) \in M(\Gamma|\gamma)(A)$ by the definition of $\Pi$.

3. $a \equiv (f\ b)$: By Definition 4.9, $\tau(\Gamma)(f) = [x{:}\,B \to A']$, $\tau(\Gamma)(b) = B'$, $(B \simeq B')_\Gamma$, $\vdash_\Gamma \pi(B)(b)$, and $A \equiv A'[b/x]$. By the induction hypothesis, we have $M(\Gamma|\gamma)(f) \in M(\Gamma|\gamma)([x{:}\,B \to A'])$ and $M(\Gamma|\gamma)(b) \in M(\Gamma|\gamma)(B')$, and by Propositions 3.17 and 4.17, $M(\Gamma|\gamma)(b) \in M(\Gamma|\gamma)(B)$. By Definition 4.12, $M(\Gamma|\gamma)(a) = M(\Gamma|\gamma)(f)(M(\Gamma|\gamma)(b))$, and hence $M(\Gamma|\gamma)(a) \in M(\Gamma, x{:}\mathrm{VAR}\ B \,|\, \gamma\{x \leftarrow M(\Gamma|\gamma)(b)\})(A')$, from which it follows by Lemma 4.16 that $M(\Gamma|\gamma)(a) \in M(\Gamma|\gamma)(A'[b/x])$.

4. $a \equiv (a_1, a_2)$: The conclusion follows easily from the induction hypothesis and Definition 4.9.

5. $a \equiv (p_i\ b)$: The conclusion follows from the induction hypothesis and Definition 4.12; the $(p_2\ b)$ case also employs Lemma 4.16.
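As an added worked instance of case 3 of Theorem 4.18 (constructed here, not taken from the report): take a context $\Gamma$ declaring a type $\mathit{bool}$, a constant $f$ of type $[x{:}\,\mathit{bool} \to C]$ with $C \equiv \{y{:}\,\mathit{bool} \mid y = x\}$, and the constant $\mathrm{TRUE}$ of type $\mathit{bool}$, so that $a \equiv (f\ \mathrm{TRUE})$ has $A \equiv C[\mathrm{TRUE}/x] \equiv \{y{:}\,\mathit{bool} \mid y = \mathrm{TRUE}\}$. The interpretations assumed below (not from this page) are that $M(\Gamma|\gamma)(\mathit{bool}) = \{0,1\}$ with $\mathrm{TRUE}$ interpreted as $1$, that a subtype $\{y{:}\,T \mid d\}$ denotes the subset of $M(\Gamma|\gamma)(T)$ on which $d$ holds, and that $\Pi F$ is the set of functions $g$ on the domain of $F$ with $g(z) \in F(z)$ for every $z$.

\begin{align*}
F(z) &= M(\Gamma, x{:}\mathrm{VAR}\ \mathit{bool} \,|\, \gamma\{x \leftarrow z\})(\{y{:}\,\mathit{bool} \mid y = x\}) = \{z\} \qquad (z \in \{0,1\}),\\
M(\Gamma|\gamma)([x{:}\,\mathit{bool} \to C]) &= \Pi F = \{\, g \mid \mathrm{dom}(g) = \{0,1\} \text{ and } g(z) \in \{z\} \text{ for all } z \,\} = \{\mathrm{id}_{\{0,1\}}\},
\end{align*}
so any assignment $\gamma$ satisfying $\Gamma$ has $\gamma(f) = \mathrm{id}_{\{0,1\}}$, which is what case 1 uses for the constant $f$. Following case 3,
\begin{align*}
M(\Gamma|\gamma)((f\ \mathrm{TRUE})) &= M(\Gamma|\gamma)(f)\big(M(\Gamma|\gamma)(\mathrm{TRUE})\big) = \mathrm{id}_{\{0,1\}}(1) = 1 \\
&\in M(\Gamma, x{:}\mathrm{VAR}\ \mathit{bool} \,|\, \gamma\{x \leftarrow M(\Gamma|\gamma)(\mathrm{TRUE})\})(C) = F(1) = \{1\} \\
&= M(\Gamma|\gamma)(C[\mathrm{TRUE}/x]) = M(\Gamma|\gamma)(\{y{:}\,\mathit{bool} \mid y = \mathrm{TRUE}\}) \qquad \text{(Lemma 4.16)},
\end{align*}
which is exactly $M(\Gamma|\gamma)(a) \in M(\Gamma|\gamma)(A)$. The dependent codomain pins $f$ down to the identity, and Lemma 4.16 is what converts the semantic update $\gamma\{x \leftarrow 1\}$ into the syntactic substitution $C[\mathrm{TRUE}/x]$ that the typing rule produced.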
4.1 Summary

Dependent typing is a significant enhancement to PVS since it adds an important degree of flexibility and precision to the type system. Notions such as subtype constraints and type equivalence that were introduced for subtyping can be extended to the case of dependent types. The semantic universe must be extended to include additional sets to accommodate the semantics of dependent types. The rank-boundedness of type dependencies is crucial in demonstrating that dependent types can be interpreted in this extended semantic universe.
Chapter 5

Theories

The next extension to the simple type language of PVS is the introduction of theories. A theory is a way of packaging together a related collection of type and constant declarations. PVS permits theories to be parametric in individual or type parameters. Parametric theories provide polymorphism at the theory level rather than only at the declaration level as in HOL [GM93]. We first consider theories without parameters.

5.1 Theories without Parameters

Theories introduce a change to the contexts so that a context can contain declarations of the form $m{:}\,\mathrm{THEORY} = \Delta$, where $m$ is a symbol and $\Delta$ is a simple context with no variable declarations. If $\Gamma(m)$ is the declaration $m{:}\,\mathrm{THEORY} = \Delta$, then $\mathit{kind}(\Gamma(m)) = \mathrm{THEORY}$ and $\mathit{definition}(\Gamma(m)) = \Delta$. The main change is that names are no longer just symbols but can be compound names of the form $m.s$, where $m$ is a theory name and $s$ is a symbol. Correspondingly, we first modify the definition of $\tau$ for contexts. Here the first argument $\Theta$ is not always empty, and $\Delta; \Gamma$ represents the concatenation of the contexts $\Delta$ and $\Gamma$.

Definition 5.1 (type rules for contexts)

$\tau(\Theta)(\{\}) = \mathrm{CONTEXT}$

$\tau(\Theta)(\Gamma, s{:}\,\mathrm{TYPE} = T) = \mathrm{CONTEXT}$, if $\Gamma(s)$ and $\Theta(s)$ are undefined, $\tau(\Theta)(\Gamma) = \mathrm{CONTEXT}$, and …

$\tau(\Theta)(\Gamma, x{:}\,\mathrm{VAR}\ T) = $ …

Example 5.2 … $\tau(\Theta)(\mathit{real}{:}\,\mathrm{TYPE},\ 0{:}\,\mathit{real},$ …

Definition 5.3 The following rule handles theory declarations in contexts: $\tau(\Theta)(\Gamma, m{:}\,\mathrm{THEORY} =$ …