Towards a Formalized Completeness Proof of Wand's ... - Google Sites

Towards a Formalized Completeness Proof of Wand’s Type Inference Algorithm: Some Issues of Freshness Sunil Kothari

James L. Caldwell

Department of Computer Science University of Wyoming Laramie, USA

Department of Computer Science University of Wyoming Laramie, USA

[email protected]

ABSTRACT While proving the correctness of Wand’s type inference algorithm, we have verified several properties of Wand’s algorithm. The properties are related to the freshness counter which is threaded-in throughout the algorithm. We also update on the progress made since last year.

1.

INTRODUCTION

We are working on a machine-checked correctness proof of Wand’s algorithm[4] in Coq [1]. An outline was given in our earlier paper [2]. In particular, we described how freshness counter was threaded-in through the algorithm. This change led us to prove several properties involving freshness counters. Also, we had to modify the Hindley-Milner type system to account for new variables introduced in the application rule. We have adopted the following conventions in this paper: atomic types (of the form Tvar x) are denoted by α, β, α0 etc.; compound types by τ, τ 0 , τ1 etc. List append is denoted by ++. The terms, types and the constraints are given by the following grammar: Λ ::= τ ::= C ::=

x | M N | λx.M (Terms) where x ∈ String and M, N ∈ Λ. Tvar n | τ1 → τ2 (Types) where n ∈ N and τ1 , τ2 ∈ τ . e [ ] | (τ1 = τ2 ) :: C0 (Constraint Lists) where τ1 , τ2 ∈ τ .

Note that we represent type variables as natural numbers. A type environment is a list of pairs of type string×τ . Substitutions are represented as finite functions from N to types, and are denoted as ρ, ρ0 , ρ1 , etc. We represent substitutions as finite maps from the Coq library Coq.FSets.FMapInterface. The free type variables (FTV) of a type, constraint, and type environment are defined by recursion as expected. The free type variables of a substitution is defined in terms of dom and range functions as: def FTV (ρ) = dom (ρ) ++ range (ρ) The dom and range for a substitution are defined as: def dom ρ = map fst (elements(ρ)) range ρ

def

=

[email protected]

The freshness of a type variable Tvar n is either with respect to a type or a type environment. Thus a variable is fresh with respect to a type (environment) if it is bigger than any variable in the type (environment). This simplifies reasoning about freshness because once we a fresh variable we can just increment it to get a new variable which is guaranteed to be fresh.

2.

WAND’S ALGORITHM AND SOME INTERESTING PROPERTIES

We use a modified version of Wand’s algorithm as shown in Fig. 1. Let Γ denote a type environment, M denote an expression, and n0 be a freshness counter, which is threaded into the algorithm. Then Wand’s algorithm is formalized as a function returning a pair (C, n1 ) = Wand(Γ, M, n0 ), where C is the resulting constraint list and n1 is the updated freshness counter generated by the algorithm. Implicit in this description is the fact that type of the term M is initially assumed to be Tvar n0 . Case W-Var. M is just a variable, say x, then if hx, τ i ∈ Γ e then [(Tvar(n0 ) = τ )], n0 + 1) else Failure Case W-App. M is an application, say M1 M2 , then let (C1 , n1 ) = Wand(Γ, M1 , n0 + 1) and (C2 , n2 ) = Wand(Γ, M2 , n1 ) e in (C1 ++C2 ++[(Tvar(n0 +1) = Tvar(n1 )→Tvar(n0 ))], n2 ) Case W-Abs. M is an abstraction, say λx.M1 , then let (C, n1 ) = Wand(((x, TyVar(n0 + 1)) :: Γ), M, n0 + 2) in e (Tvar(n0 ) = Tvar(n0 + 1) → Tvar(n0 + 2)) :: C, n1 )

Figure 1: Wand’s Algorithm We give below several interesting properties of Wand’s algorithm involving freshness counters. The first lemma states that the returned freshness counter is strictly larger than the input freshness counter. Lemma 1. ∀M. ∀Γ. ∀C. ∀n, n0 . ⇒ Wand(Γ, M, n) = (Some C, n0 ) ⇒ n0 > n

map (λx.FTV(snd(x)) (elements(ρ))

The elements is a Coq library function and returns a list of pairs for a given finite map.

The next lemma states that in case M is a lambda term or an application then the input freshness counter does not occur in the higher branches of the proof tree.

hx, τ i ∈ Γ is the leftmost binding Γ, FTV(Γ)  x : τ (x, τ 0 ) :: Γ, K  M : τ Γ, K  λx.M : τ 0 → τ Γ, K  M : τ 0 → τ Γ, K0  N : τ 0 0 Γ, K ++ K  M N : τ

Lemma 2. ∀M. ∀Γ. ∀h. ∀C. ∀n, n0 . fresh env n Γ ⇒ Wand(Γ, M, n) = (Some (h :: C), n0 ) ⇒ C 6= [ ] ⇒n∈ / (FTV(C))

The following lemma states that the free type variables in the generated constraint are always smaller than the returned freshness counter. Lemma 3. ∀M. ∀Γ. ∀C. ∀n, n0 . fresh env n Γ ⇒ Wand(Γ, M, n) = (Some C, n0 ) ⇒ ∀a. a ∈ (FTV C) ⇒ a < n0

(HM-App-New)

Table 2: Modified Hindley-Milner type system

The statement of the soundness theorem remains the same, but the completeness statement has been changed to account for the freshness with respect to the entire HM proof tree.

Lemma 4. ∀M. ∀Γ. ∀C, C0 . ∀ρ. ∀n, n0 , n00 . fresh env n Γ ⇒ (∀a. a ∈ (FTV ρ) ⇒ a < n) ⇒ Wand(Γ, M, n) = (Some C, n0 ) ⇒ Wand((ρ(Γ)), M, n) = (Some C0 , n00 ) ⇒ n0 = n00 . The next lemma has been crucial in the App case for the completeness proof of Wand’s algorithm. Lemma 5. ∀M. ∀Γ. ∀C, C0 . ∀ρ. ∀n, n0 . fresh env n Γ ⇒ (∀a. a ∈ (FTV ρ) ⇒ a < n) ⇒ Wand(Γ, M, n) = (Some C, n0 ) ⇒ Wand((ρ(Γ)), M, n) = (Some C0 , n0 ) ⇒ C0 = ρ(C).

Theorem 1 (Completeness). ∀M.∀Γ.∀K.∀τ. ` Γ, K  M : τ ⇒ ∀Γ0 .(∃ρ00 .ρ00 (Γ0 ) = Γ) ⇒ ∀k : N. k > 0 ∧ k > max list K ∧ fresh env k Γ0 ⇒ ∃C, ∃k0 : N, Wand(Γ0 , M, k) = (Some C, k0 ) ∧ ∃ρ. unify(C) = ρ ∧ ∃ρ0 . ρ0 (ρ(Tvar k)) = τ ∧ (ρ0 (ρ(Γ0 ))) = Γ The max list function selects the maximum number from a list of numbers. The unify used above refers to the first-order unification. Existing literature on machine checked proofs of correctness of type inference algorithm have axiomatized the behavior of unification algorithm as a set of four axioms. We have extended those axioms to characterize idempotent MGUs for a list of equational constraints and we have also proved that the first-order unification (with substitutions modeled as finite maps) is a model for the extended set [3].

4.

CONCLUSIONS AND FUTURE WORK

(HM-Abs)

We discussed some freshness issues in formalizing completeness of Wand’s algorithm with respect to Hindley-Milner type system. We are currently working on the completeness theorem, and we have found the above lemmas very helpful in our proof. The application case has been the most difficult one so far but we were able to combine the substitutions from the left and the right branch (given by the induction hypothesis) in the HM-App-New rule and show that the combined constraint list is still satisfiable. Lastly, the proof of all the lemmas mentioned in this paper are available at http://www.cs.uwyo.edu/~skothari.

(HM-App)

5.

This lemma is the most complicated to prove. The proof is by induction on M and by Lemma 4.

CORRECTNESS PROOF AND HINDLEYMILNER TYPE SYSTEM hx, τ i ∈ Γ is the leftmost binding Γ x:τ 0 (x, τ ) :: Γ  M : τ Γ  λx.M : τ 0 → τ Γ  M : τ0 → τ Γ  N : τ0 Γ,  M N : τ

(HM-Abs-New)

respect to a Hindley-Milner proof requires us to carry a list of variables. The new type system is show in Table 2.

The following lemma states that if a substitution is sufficiently constrained then the returned freshness counters for a given term for the original environment and for the substitution instance of the environment are the same.

3.

(HM-Var-New)

(HM-Var)

Table 1: Hindley-Milner type system Traditionally, the correctness of the Wand’s algorithm is given in terms of completeness and soundness with respect to the Hindley-Milner type system (see Table 1). We focus on the HM-App rule. An instance of the HM-App rule potentially introduces type variables (in τ 0 ) that do not occur in τ , or in the type environment Γ. To guarantee that the initial counter used in the Wand’s algorithm is fresh with

REFERENCES

[1] Coq development team. The Coq proof assistant reference manual. INRIA, LogiCal Project, 2007. Version 8.1.3. [2] S. Kothari and J. Caldwell. Toward a machine-certified correctness proof of wand’s type reconstruction algorithm. In WMM’09, 2009. [3] S. Kothari and J. L. Caldwell. A Machine Checked Model of Idempotent MGU Axioms for a List of Equational Constraints . In UNIF’10, 2010. [4] M. Wand. A Simple Algorithm and Proof for Type Inference. Fundamenta Informaticae, 10:115–122, 1987.