sign in sign up
<<
Home , Logic programming, Twelf

A Meta-Programming Approach to Realizing Dependently Typed Programming

Zach Snow David Baelde Gopalan Nadathur Computer Science and Eng. Computer Science and Eng. Computer Science and Eng. University of Minnesota University of Minnesota University of Minnesota [email protected] [email protected] [email protected]

ABSTRACT in an elegant way through type dependencies, and they for- Dependently typed lambda calculi such as the Logical Frame- malize the authentication of proofs through type-checking. work (LF) can encode relationships between terms in types Such calculi can also be assigned a in- and can naturally capture correspondences between formu- terpretation by exploiting the well-known isomorphism be- las and their proofs. Such calculi can also be given a logic tween formulas and types [12]. The system [17] that programming interpretation: the Twelf system is based on we consider in this paper exploits this possibility relative such an interpretation of LF. We consider here whether a to LF. As such, it has been used successfully in specifying conventional logic can provide the and prototyping varied formal systems and mechanisms have benefits of a Twelf-like system for encoding type and proof- also been built into it to reason about these specifications. and-formula dependencies. In particular, we present a sim- Predicate provide the basis for logic programming ple mapping from LF specifications to a set of formulas in languages that are also capable of encoding rule-based spec- the higher-order hereditary Harrop (hohh) language, that ifications. Within this framework, the logic of higher-order relates derivations and proof-search between the two frame- hereditary Harrop (hohh) formulas [13] that underlies the works. We then show that this encoding can be improved by language λProlog [15] provides a builtin ability to treat bind- exploiting knowledge of the well-formedness of the original ing notions in syntax and thus has particular usefulness in LF specifications to elide much redundant type-checking in- representing formal systems. However, unlike LF, this logic formation. The resulting logic program has a structure that cannot reflect dependencies between objects into types and closely resembles the original specification, thereby allow- also does not directly represent the relationship between for- ing LF specifications to be viewed as hohh meta-programs. mulas and their proofs. While such correspondences can Using the Teyjus implementation of λProlog, we show that always be encoded in auxiliary predicate definitions, it is our translation provides an efficient means for executing LF of interest to understand if a more systematic treatment is specifications, complementing the ability that the Twelf sys- possible. A specific form to this question is if Twelf speci- tem provides for reasoning about them. fications can be viewed as λProlog “meta-programs.” There are benefits to such a possibility: the convenience of writing specifications using dependent types can be combined with Keywords the ability to execute them via an efficient λProlog imple- logical frameworks, dependently typed lambda calculi, higher- mentation as well as perhaps to reason about them using order logic programming, translation logics and systems meant for analyzing hohh descriptions [2, 7, 10, 14]. A partial answer to the question raised above has been 1. INTRODUCTION provided by Felty, who described a translation of LF speci- There is a significant, and growing interest in mechanisms fications to hohh formulas and then showed that LF deriva- for specifying, prototyping and reasoning about formal sys- tions correspond exactly to hohh derivations of the trans- tems that are described by syntax-directed rules. Depen- lated LF judgment [5, 6]. The focus on matching derivations dently typed lambda calculi such as the Logical Framework allows Felty to assume the existence of a complete LF judg- (LF) [11] provide many conveniences from a specification ment, and, in particular, of an LF object in her translation. perspective in this context: such calculi facilitate the use of a However, this assumption is inappropriate in our context, higher-order approach to describing the syntax of formal ob- given that we are interested in constructing proof terms that jects, they allow relationships between terms to be captured show particular types are inhabited, i.e., in proof search that plays a fundamental role in the logic programming setting. We therefore refine the earlier mapping to remove this as- sumption and show that the resulting translation preserves Permission to make digital or hard copies of all or part of this work for derivability in a sense relevant to the logic programming in- personal or classroom use is granted without fee provided that copies are terpretation; an important part of our proof is showing how not made or distributed for profit or commercial advantage and that copies to extract an LF object satisfying a type from a derivation bear this notice and the full citation on the first page. To copy otherwise, to constructed using the hohh version of the specification. Our republish, to post on servers or to redistribute to lists, requires prior specific first encoding may include redundant type-checking judg- permission and/or a fee. PPDP 2010 ments which obscure the translated specification and can Copyright 20XX ACM X-XXXXX-XX-X/XX/XX ...$10.00. result in poor execution behavior. We design conditions for ized by two collections of terms called G- and D-formulas eliminating some of these judgments, resulting in an im- that are defined mutually recursively by the following syntax proved translation that corresponds closely to the intention rules: of the orginal LF specification. This part of our work relies on an analysis of the structure of LF expressions and also G := > | A | D ⊃ G | ∀x.G has relevance, for example, to providing compact represen- D := A | G ⊃ D | ∀x.D tations of proof terms. Finally, we demonstrate that the A specification or logic program is a finite collection of closed execution of the translated form by means of the Teyjus im- D-formulas that are also called program clauses and a goal plementation [9] of λProlog [15] provides an effective means or a query is a closed G-formula. for animating Twelf programs. Computation corresponds to searching for a derivation of In the next two sections, we describe a relevant fragment a sequent of the form Σ; Γ −→ G where Σ is the initial of the hohh logic and the Twelf specification language. Sec- (language) signature, Γ is a logic program and G is a goal. tion 4 then presents our first translation; a full proof of its Figure 1 presents the rules for constructing such a derivation. correctness appears in Appendix A. In the following sec- Read in a proof search direction, the ∀R rule leads to an tion, we describe and exploit a property of LF expressions expansion of the signature in the sequent whose derivation and type-checking to refine the earlier translation to pro- is sought and the ⊃ R rule similarly causes an addition to duce a more efficient and transparent version. Section 6 the logic program. The expression “t is a Σ-term” in the ∀L provides experimental data towards supporting the use of rule means that t is a closed term all of whose nonlogical this translation as a means for executing Twelf programs. constants are contained in Σ. The derivation rules manifest We conclude the paper with a discussion of related work a goal-directed character: to find a derivation for Σ; Γ −→ and possible future directions. G, we simplify G based on its logical structure and then use the decide rule to select a formula from the logic program 2. A HIGHER-ORDER PREDICATE LOGIC for solving an atomic goal. Notice also that the decide rule FOR DESCRIBING COMPUTATIONS initiates the consideration of a focused sequence of rules that is similar to backchaining.2 In particular, if the formula The logic of hohh formulas is based on an intuitionistic selected from Γ has the structure version of Church’s simple theory of types [4]. Both log- 0 ics are built over a typed form of the λ-calculus. The types (∀x1.F1 ⊃ ... ⊃ ∀xn.(Fn ⊃ A ) ...) are constructed using →, the infix, right associative function type constructor, starting from a finite collection of atomic then this sequence is equivalent to the rule types that includes o, the type of propositions, and at least 0 0 1 Σ; Γ −→ F1 ... Σ; Γ −→ Fn one other type. We assume that we are given sets of vari- backchain ables and constants, each with an associated type. The full Σ; Γ −→ A collection of (typed) terms is generated from these by the which has the proviso that for some Σ-terms t1, . . . , tn that usual abstraction and (left associative) application opera- have the same types as x1, . . . , xn, respectively, it is the case tors. Terms that differ only in the names of their bound 0 0 that A is equal to A [t1/x1, . . . tn/xn] and, for 1 ≤ i ≤ n, Fi variables are not distinguished. We further assume a no- is equal to Fi[t1/x1, . . . , ti/xi]. tion of equality between terms that is generated by β- and The logic that we have described has been given an effi- η-reduction. It is well-known that every term has a unique cient implementation in the Teyjus system [9]. It is possi- normal form under these reduction operations in this simply- ble also to reason in sophisticated ways about specifications typed setting. All terms are to be converted into such a that are constructed using it. To begin with, the logic has form prior to their consideration in any context. We write strong meta-theoretic properties arising from the fact that t[s1/x1, . . . , sn/xn] to denote the result of simultaneously derivability in it corresponds exactly to intuitionistic prov- replacing the variables x1, . . . , xn with the terms s1, . . . , sn ability. Moreover, it is possible to construct logics incorpo- in the term t, renaming bound variables as needed to avoid rating mechanisms such as induction to reason powerfully accidental capture. This substitution operation is defined about what does and does not follow from a given specifi- only when si and xi are of the same type for 1 ≤ i ≤ n. cation [1, 8, 10, 14]. In fact, systems such as Abella [7] and We will use only a fragment of the full hohh logic here; Tac [2] have been constructed to provide computer support this fragment still possesses the proof-theoretic properties for such reasoning. that are fundamental to the logic programming interpreta- tion of the hohh logic. The constants from which terms are constructed are differentiated into nonlogical ones that con- 3. LOGIC PROGRAMMING USING THE stitute a signature and logical ones. We do not permit o to TWELF SPECIFICATION LANGUAGE appear in the type of the arguments of nonlogical constants There are three categories of expressions in LF: kinds, and variables. The logical constants are restricted to > of types or type families that are classified by kinds and objects type o, ⊃ of type o → o → o that is written in the custom- ary infix form and, for each type α, Π of type (α → o) → o. 2For the reader unfamiliar with such presentations, the ex- Π represents the universal quantifier as a function over sets. pression Σ; Γ −→D A corresponds essentially to the selection We abbreviate Π (λx.F ) by ∀x.F . An atomic formula, de- of the program clause D as the one to backchain on. This noted by A, is a term of type o of the form p t1 . . . tn where then leads to instantiations of universally quantified vari- p is a nonlogical constant. The logic of interest is character- ables and to the solution of the “body” goals of the clause using the rules ∀L and ⊃L, culminating eventually in solving 1Other, non-interpreted type constructors can be added but the atomic goal by matching it with the head of the clause are not discussed here for simplicity. using the init rule. Σ; Γ ∪ {D} −→ G c∈ / ΣΣ ∪ {c};Γ −→ G[c/x] >R ⊃R ∀R Σ; Γ −→ > Σ; Γ −→ D ⊃ G Σ; Γ −→ ∀x.G

D ∈ Γ Σ; Γ −→D A init decide A Σ; Γ −→ A Σ; Γ −→ A

D[t/x] D t is a Σ-term Σ; Γ −→ A Σ; Γ −→ G Σ; Γ −→ A ∀L ⊃L G⊃D Σ; Γ ∀−→x.D A Σ; Γ −→ A

Figure 1: Derivation rules for the hohh logic or terms that are classified by types. We assume two denu- normal form. To verify such an assertion when A is not in merable sets of variables, one for objects and the other for normal form, we first derive Γ ` A : Type and then verify types. We use x and y to denote object variables, u and v Γ ` M : Aβ . A similar observation applies to Γ ` A : K. to denote type variables and w to denote either. Letting K A variable w that appears in an LF expression P that is range over kinds, A and B over types, and M and N over well-formed with respect to a context Γ has a kind or type of object terms, the syntax of LF expressions is given by the kind Type associated with it through either an assignment following rules: in Γ or a binding operator. Moreover, the normal form of this kind or type must have a prefix of Πs. If the length of K := Type | Πx:A.K this prefix is n, then an occurrence of w is fully applied if it A := u | Πx:A.B | λx:A.B | AM appears in a subterm of the form w M ...M . Further, M := x | λx:A.M | MN 1 n P is canonical with respect to Γ if it is in normal form and Expressions of any of these kinds will be denoted by P and if every variable occurrence in it is fully applied. A well- Q. Here, Π and λ are operators that associate a type with formed context Γ is canonical if the type or kind it assigns a variable and bind its free occurrences over the expression to each variable is canonical relative to Γ. A well-formed after the period. Terms that differ only in the names of type of the form u M1 ...Mn that is fully applied is called bound variables are identified. As with the hohh logic, a base type. The LF system admits a notion of η-expansion P [N1/x1,...,Nn/xn] denotes a simultaneous substitution using which any well-formed expression can be converted with renaming to avoid variable capture. We write A → P into a canonical form. for Πx:A.P when x does not appear free in P . We abbreviate In later sections we shall consider LF derivations in which −−→ all expressions in the end assertion are in normal form. No- Πx1:A1.... Πxn:An.P by Πx:A.P . LF expressions are equipped with a notion of β-reduction tice that every expression in the entire derivation must then defined through the rule (λx:A.P ) N → P [N/x]. All LF also be in such a form. This in turn means that in judg- β 0 expressions that are well-formed in the sense formalized be- ments of the forms (λx:A.B) : (Πx:A .K) and (λx:A.M): 0 0 low are strongly normalizing under this reduction relation (Πx:A .B) it must be the case that A and A are identical. [11]. Moreover any well-typed expression P has a unique Finally, normalization need not be considered in the use of normal form up to changes in bound variable names. We the var-fam and var-obj rules. denote this normal form by P β . The following “transitivity” property for LF derivations The type correctness of LF expressions is assessed relative that follows easily from the results in [11] will be useful to contexts that are finite collections of assignments of types later; here α stands for any judgment, and substitution and and kinds to variables. Formally, contexts, denoted by Γ, are normalization over α and Γ corresponds to distributing these given by the rule operations to the expressions appearing in them.

Γ := · | Γ, u : K | Γ, x : A Proposition 1 (Substitution). Let Γ1, Γ2 be canon- ical contexts, and A be a type in canonical form. If Γ ` M : Here, · denotes the empty collection. We write dom(Γ) to 1 A has a derivation, and Γ , x : A, Γ ` α has a derivation, denote the variables with assignments in Γ, and we write Γ\y 1 2 then Γ , (Γ [M/x])β ` (α[M/x])β has a derivation as well. to indicate the context Γ with the binding for y removed. 1 2 We are concerned with assertions of the following four forms: Additionally we will use a second property of LF deriva- ` Γ ctx Γ ` K kind Γ ` A : K Γ ` M : A tions, which follows from Proposition 1.

The first assertion signifies that Γ is a well-formed context. Proposition 2 (Renaming). Let P be a canonical type The remaining assertions mean respectively that, relative to or kind, Γ = Γ1, x : P, Γ2 be a canonical context, and α a a (well-formed) context Γ, K is a well-formed kind, A is a canonical judgment. Let y be a variable not bound in Γ, and well-formed type of kind K and M is a well-formed object not occurring in α. Then Γ1, x : P, Γ2 ` α has a derivation of type A. Figure 2 presents the rules for deriving such if and only if Γ1, y : P, Γ2[y/x] ` α[y/x] has one. assertions. Notice that for a context to be well-formed it must not contain multiple assignments to the same variable. The logic programming interpretation of LF is based on To adhere to this requirement, bound variable renaming may viewing types as formulas. More specifically, a specification be entailed in the use of the pi-kind, pi-fam, abs-fam and or program in this setting is given by a context. This start- abs-obj rules. The inference rules allow for the derivation ing context, also called a signature, essentially describes the of an assertion of the form Γ ` M : A only when A is in vocabulary for constructing types and asserts the existence null-ctx ` · ctx Γ ` K kind ` Γ ctx u∈ / dom(Γ) kind-ctx ` Γ, u : K ctx Γ ` A : Type ` Γ ctx x∈ / dom(Γ) type-ctx ` Γ, x : A ctx ` Γ ctx Γ ` A : Type Γ, x : A ` K kind type-kind pi-kind Γ ` Type kind Γ ` Πx:A.K kind ` Γ ctx u : K ∈ Γ ` Γ ctx x : A ∈ Γ var-fam var-obj Γ ` u : Kβ Γ ` x : Aβ Γ ` A : Type Γ, x : A ` B : Type pi-fam Γ ` (Πx:A.B): Type Γ ` A : Type Γ, x : A ` B : K Γ ` A :Πx:B.K Γ ` M : B abs-fam app-fam Γ ` (λx:A.B) : (Πx:Aβ .K) Γ ` (AM):(K[M/x])β Γ ` A : Type Γ, x : A ` M : B Γ ` M :Πx:A.B Γ ` N : A abs-obj app-obj Γ ` (λx:A.M) : (Πx:Aβ .B) Γ ` (MN):(B[N/x])β

Figure 2: Rules for Inferring LF Assertions of particular inhabitants for some of these types. Against (appCons z nil (cons (s z) nil) this backdrop, questions can be asked about the existence of (cons (s z) nil) inhabitants for certain other types. Formally, this amounts (appNil (cons (s z) nil))) to asking if an assertion of the form Γ ` M : A has a deriva- inhabits this type and hence will succeed on the query. In tion. However, the object M is left unspecified—it is to be reaching this conclusion, the will use the types extracted from a successful derivation. Thus, the search for involving append that are present in Γ. Further it will do a derivation of the assertion is driven by the structure of A this in a way that bears a close resemblance to the use of and the types available from the context. clauses in a -like setting, interpreting Π like a univer- A concrete illustration of the paradigm is useful for later sal quantifier and → like an implication. discussions.3 Consider a signature or context Γ comprising The simple example we have considered here will suffice the following assignments in sequence: to illustrate most of the later ideas in this paper but it does nat : Type not bring out the richness of dependent types in specifica- z : nat tions. We leave this demonstration to the many discussions s : nat → nat already in the literature. We also note that Twelf has many list : Type additional features like allowing Π quantification in types nil : list to be left implicit and permitting instantiatable variables cons : nat → list → list in queries whose values are to be found through unifica- append : list → list → list → Type tion. While these aspects are treated in our implementa- appNil :ΠK:list.append nil K K tion, to keep the theoretical discussions focused, we shall as- appCons :ΠX:nat.ΠL:list.ΠK:list.ΠM:list. sume that the only capability that is to be emulated is that (append L K M) → of determining the derivability of an assertion of the form (append (cons X L) K (cons X M)) Γ ` M : A in which Γ and A are in canonical form (and M is left unspecified). This assumption is easily justified: these We can ask if there is some term M such that the judgment will be “type-checked” prior to conducting a search and the Γ ` M : append (cons z nil) Twelf system assumes equality under η-conversion. (cons (s z) nil) (cons z (cons (s z) nil)) 4. FROM TWELF SPECIFICATIONS TO is derivable. Assuming that Γ is given by the ambient en- PREDICATE FORMULAS vironment, such a query can be posed in Twelf simply by Felty has previously shown how to translate LF specifica- presenting the type expression. The logic programming in- tions and judgments into hohh formulas [5, 6]. Her transla- terpreter of Twelf will find that the proof term tion proceeds in two steps. First, she describes a coarse map- 3The example of appending lists has been chosen here for its ping of LF expressions into (simply typed) λ-terms. This conciseness and because it allows for an easy connection with mapping loses information about dependencies in types and more traditional forms of logic programming. The primary kinds and also does not reflect the correspondences between application domain of Twelf is in specifying (and reasoning about) formal systems such as evaluators and interpreters objects and types and types and kinds. These relationships for languages, type assignment calculi and proof systems. are encoded later through binary predicates over λ-terms. This orientation informs the choice of benchmarks used in The general structure of Felty’s translation is applicable Section 6. in the context of interest to us. However, the details of her φ(A) := lf-obj when A is a base type φ(Πx:A.P ) := φ(A) → φ(P ) φ(Type) := lf-type

hu M1 ...Mni := u hM1i ... hMni φ(A) hx M1 ...Mni := x hM1i ... hMni hλx:A.Mi := λ x.hMi

{{Πx:A.B}} := λM. ∀x. ({{A}} x) ⊃ ({{B}} (M x)) {{A}} := λM. hastype M hAi where A is a base type

Figure 3: Encoding of types, objects, and simplified translation of LF judgments to hohh

hastype z nat ∀n. hastype n nat ⊃ hastype (s n) nat hastype nil list ∀n. hastype n nat ⊃ ∀l. hastype l list ⊃ hastype (cons n l) list ∀l. hastype l list ⊃ hastype (appNil l)(append nil l l) ∀x. hastype x nat ⊃ ∀l. hastype l list ⊃ ∀k. hastype k list ⊃ ∀m. hastype m list ⊃ ∀a. hastype a (append l k m) ⊃ hastype (appCons x l k m a)(append (cons x l) k (cons x m))

Figure 4: Simple translation of the LF specification for append mapping do not quite fit our needs because of her focus on coding of an object or base type Q is then given by hQi; derivations in the LF and hohh logics. One manifestation of note that in the process we assume a reuse of (LF) variable this is that her translation is not based exclusively on types, names with an appropriate type as part of the correspond- but assumes also the availability of the objects they are in- ing hohh signature. As an example, the LF signature at the tended to qualify. This is not acceptable in the context of end of the last section leads to the following hohh signature: proof search where the task is precisely to determine the ex- nat : lf-type istence of those objects: we need a translation that is only z : lf-obj based on the type, and which can be applied to an hohh s : lf-obj → lf-obj metavariable to correspond to an LF query whose object is list : lf-type left unspecified as a metavariable. Second, the correctness nil : lf-obj result only states an equivalence between LF derivability and cons : lf-obj → lf-obj → lf-obj hohh derivability for known LF assertions, and does not con- append : lf-obj → lf-obj → lf-obj → lf-type sider, for example, whether it is possible for non-canonical appNil : lf-obj → lf-obj or ill-formed objects to be produced in the course of search- appCons : lf-obj → lf-obj → ing for proofs from the hohh specification. In contrast, our lf-obj → lf-obj → lf-obj → lf-obj completeness result will guarantee that after running a query with a metavariable standing for the (encoding of the) ob- Further, the LF type append nil nil nil gets translated to ject, the only possible instantiations of that metavariable are the same term in hohh, where it has type lf-type. This actual encodings of terms. translation behaves well with respect to substitution and The first step towards producing a translation into hohh β-conversion, and is injective for objects (types) of the same that can be used to interpret Twelf specifications is to adapt type (kind). Finally, we take up the translation of LF type Felty’s translation in a way that makes it acceptable in logic assignments and judgments in the last two clauses in Fig- programming discussions. Our translation shall only ac- ure 3. To emphasize reliance only on the structure of types, count for judgments of the form Γ ` M : A since these these clauses describe explicitly only the translation of an are the only ones of interest in the logic programming set- LF type A. Such a type is mapped into an hohh predicate ting described in the previous section. The adequacy of this denoted by {{A}} that, intuitively, codifies the property of restriction actually relies on an auxiliary, easily verified, ob- being a translation of an LF object of type A. This trans- servation: if Γ ` A : Type is known to have a derivation lation is defined on all canonical types and uses the hohh and the last rule in a purported derivation of Γ ` M : A predicate hastype of type lf-obj → lf-type → o. If A is a is an abs-obj, then the left premise for the latter derivation base type, {{Πx1:B1.... Πxn:Bn.A}} has type τ → o where τ must have a proof and hence does not need to be encoded is lf-obj → ... → lf-obj → lf-obj with n negative occurrences by the translation. of lf-obj. Once the translation of LF types is in place, we Our translation is presented in Figure 3. This transla- define {{M : A}} derivatively to be ({{A}}hMi). tion first encodes LF objects and types in hohh terms by Twelf specifications are encoded by dropping all kind as- dropping a lot of typing information; as mentioned already, signments and translating each type assignment they con- this information will be recovered later in the encoding of tain. As an example, the Twelf specification of append LF judgments. Under this translation, an object (type) of translates into the clauses in Figure 4. From these clauses, type (kind) P is represented by an hohh term of simple type we can, for example, derive the goal φ(P ), built from the atomic types lf-type and lf-obj. The en- hastype (cons (s z) nil) list and we could search for terms X satisfying the goal Γ; ·; x we could simply elide them all together; we use > as Γ, Γ0, ∆ ` yi : Ci[y1/z1 . . . yi−1/zi−1]; a placeholder because it simplifies later proofs. This trans- In fact, those subderivations must end with var-obj on lation is illustrated by its application to the example Twelf −→ −→ 0 −→ −→ 0 (yi : Ci[ y / z ]) ∈ ∆ and hence (yi : Ci[ y / z ]) ∈ ∆ specification considered in Section 3 that yields the clauses 0 for Ci ∼ Ci. shown in Figure 7. These clauses should be contrasted with 0 the ones in Figure 4 that are produced by the earlier, naive We next determine ti. By η-equivalence we can assume translation. that ti is of the form λz1 . . . λzn.u. We have We shall now establish the correctness of the optimized 0 −→ −→ −→ hM i = ti y = u[ y / z ], translation, by relating it to the simple translation. We first 0 −→ −→ 0 −→ −→ prove a fundamental lemma concerning the type checking hence u = hM i[ z / y ] = hM [ z / y ]i (by first invert- of instantiations of rigidly occurring variables. In order to ing the substitution, as it is injective, and then pushing be able to use this observation in our correctness argument, it inside the encoding, as the encoding is the identity we formulate the lemma in a rather technical way, talking on variables). Let about encoded types that are the result of instantiations −−→ 0 0 0 0 0 −→ −→ of (a priori) arbitrary hohh terms in encoded types. We ti = λz:C .u where u = M [ z / y ] stress that these technical details concerning encodings are We have shallow, and that the real result is one about type checking 0 0 −→ −→ and redundancy concerning LF expressions that the reader htii = λz1 . . . λzn. hM i[ z / y ] may find informative to extract. = λz1 . . . λzn. u = ti. −→ −→ 0 0 0 −→ −→ Definition 1. Let t be a vector of hohh terms, and x We also have M = ti y1 . . . yn = u [ y / z ]. a vector of variables of the same length. If M and N are We know that D0 derives Γ, ∆0 ` M 0 : A0. From this LF objects, then we write (M ∼ N)[t1/x1 . . . tn/xn] when we obtain a derivation of hMi = hNi[t1/x1 . . . tn/xn]. For LF types A and B, we 0 −→ −→ 0 0 −→ −→ write (A ∼ B)[t1/x1 . . . tn/xn] when the two types are equal Γ, ∆ [ z / y ] ` u : A [ z / y ] up to (• ∼ •)[t /x . . . t /x ] on objects within. Finally we 1 1 n n by renaming variables −→y into −→z , employing Propo- extend this notion to contexts of the same length by pushing sition 2. The context ∆0[−→z /−→y ] contains assignments it down to the types bound by the context. We shall omit −→ (z : C0) and the other variables in its domain do not t and −→x when they are obvious from the context, simply i i occur in u0 nor A0[−→z /−→y ] (since A0 ∼ A, A = D[−→y /−→z ] writing P ∼ Q. and D is a subterm of Bi which cannot contain any −→ yi). We then have Lemma 1. Let t be a vector of hohh terms, −→x a vector −→ −−→ −−→ of variables, and B of canonical LF types, all of same length, Γ ` (λz:C0.u0) : (Πz:C0.A0[−→z /−→y ]) 0 such that tj = htj i for j < i. Let Γ0 = x1 : B1, . . . , xn : Bn. by weakening unused variables and using abs-obj to −→ 1. Let Γ and ∆ be LF contexts, M an LF object and A introduce the variables z . This is a typing derivation 0 a type, all being assumed canonical. Let δ be dom(∆). for ti; we must now show that the associated type is −→ Suppose that there are derivations of x ; δ; xi ⊃ B Γ,x(M x) if Γ; x

nat z ∀n. nat n ⊃ nat (s n) list nil ∀n. nat n ⊃ ∀l. list l ⊃ list (cons n l) ∀l. > ⊃ append (appNil l) nil l l ∀x. > ⊃ ∀l. > ⊃ ∀k. > ⊃ ∀m. > ⊃ ∀a. append a l k m ⊃ append (appCons x l k m a)(cons x l) k (cons x m)

Figure 7: Optimized translation of the LF specification for append

−→ −→ • In the APPo case, we have M = yN , y 6∈ x and object t = numn provides a counter-example to Lemma 1, −→ x ; δ; xi

Γ, Γ0, ∆ ` Nj : Cj [N1/y1,...,Nj−1/yj−1] Theorem 2. Let Γ be an LF context, A an LF type, both canonical, such that ` Γ ctx and Γ ` A : Type are deriv- 0 −−→ 0 −−→0 0 Since A ∼ Πy:C.A1, A is of the form Πy:C .A1 with able. Then when M is an arbitrary hohh term, {{Γ}} −→ 0 0 −→ + − Cj ∼ Cj . Since M ∼ yN and since y is not af- {{A}}(M) has a derivation if and only if Γ −→ A (M) −→ 0 fected by the instantiation of x , it must be that M has a derivation. J K J K −→0 0 is of the form yN with all Nj ∼ Nj . The deriva- 0 Proof. We establish the soundness direction by induc- tion D must proceed in a similar fashion, namely a tion on the derivation of the optimized translation, main- chain of app-obj applications followed by var-obj on 0 0 taining the assumptions about Γ and A. y. Therefore we have a derivation of Γ, ∆ ` Nj : 0 0 0 0 Cj [N1/y1,...,Nj−1/yj−1]. We can conclude by the If A is of the form Πx:B.A our derivation ends as follows: inductive hypothesis because Γ, x : B + −→ A0 −(M x) 0 0 0 J K J K ∀R, ⊃R Cj [N1/y1,...,Nj−1/yj−1] ∼ Cj [N1/y1,...,Nj−1/yj−1] Γ + −→ Πx:B.A0 −(M) −→ −→ J K J K (which relies on the disjointness of x and y ). First, Γ ` B : Type, ` (Γ, x : B) ctx and Γ, x : B ` A0 : Type must have derivations since Γ and A are well-formed. The proof of (2) follows similar mechanisms. First, by a We can thus apply the inductive hypothesis, obtaining that straightforward inspection of the first rules of the derivation −−→ {{Γ, x : B}} −→ {{A0}}(M x) has a derivation. By ∀R and of Γ ` Πx:B.A : Type we extract a derivation of Γ, Γ0 ` ⊃R, {{Γ}}−→ {{Πx:B.A0}}(M) has one as well. A : Type. Then, since A is a base type, it must be (by If A is a base type, then our derivation starts with a backchain- rule APPt) that xi rigidly occurs in one of its arguments M. −−→ Note that A and A0 have the same structure on the path ing on the encoding of some (y :Πx:B.A0) ∈ Γ, i.e., on leading to M, since no object is involved there. Hence, a − ∀x1. ( B1 (x1) ⊃ ... ⊃ simultaneous inspection of the first rules of the derivations −−→ 0 J K − −→ of Γ, Γ0 ` A : Type and Γ ` A : Type, yields derivations ∀xn. ( Bn (xn) ⊃ (u (y x ) hNi))). of Γ, Γ ` M : T and Γ ` M 0 : T 0 for M 0 ∼ M and T 0 ∼ T . J K 0 In particular, this rule application has the form We can conclude using part (1). + + Γ −→ F1 ... Γ −→ Fn The definition of rigidity described above might seem re- J K J K backchain + −→ −−→ −→ strictive. In particular, one might want to allow Γ −→ (u(y x )hNi)[t/x] J K − −→ where Fi is either ( Bi (xi))[t1/x1, . . . , ti/xi] or >. We Γ; δ; x , i.e., there is To test the second claim, we have carried out performance −→ 0 a derivation of x ; xi , we can see that within the deriva- i −−→ • First, as we are interested in logic programming in LF, tion of Γ ` Πx:B.A0 : Type there is a derivation of the traditional logic program for naively reversing a list Γ, x1 : B1, . . . , xi−1 : Bi−1 ` Bi : Type. By substitut- a n times is included. ing (Proposition 1) the derivations provided by the in- ner inductive hypothesis on this formula we construct a • The encoding of evaluators for various languages is a 0 0 derivation of Γ ` Bi[t1/x1, . . . , ti−1/xi−1]: Type. We common usage of LF. We have therefore used an en- can now apply the outer inductive hypothesis on Fi, to coding of Mini-ML along with an encoding of addition 0 0 conclude that {{Γ}}−→ ({{Bi[t1/x1, . . . , ti−1/xi−1]}} ti) as another sample program. This benchmark, referred has a derivation. By Theorem 1, we finally obtain that to as miniml, consists of adding n to 10 using the en- 0 ti is of the form htii. coding. We compose all derivations • The miniml specification does not make essential use of 0 0 dependent types. The typed miniml benchmark, which {{Γ}}−→ {{Bi[t /x1, . . . , t /xi−1]}} ti 1 i−1 consists of an evaluator for Mini-ML in which terms −−→ by backchain on the encoding of (y :Πx:B.A0) ∈ Γ, obtain- are indexed by their type, uses dependent types to en- ing the expected derivation of sure that terms are well-formed. The Mini-ML pro- −→ −−→ −→ gram that was run is a typed version of the encoding {{Γ}}−→ hastype (y t )(u hNi)[t/x] of addition.

Completeness is proved by an induction on the derivation • An implementation of a meta-interpreter for intuition- of the simple translation. This direction is rather straight- istic non-commutative , INCLL, has been forward as it consists only of dropping information. Details proposed as a test program by [19]. This benchmark, can be found in Appendix A. called perm, tests list permutation encoded in INCLL Therefore, by Theorems 1 and 2, intuitionistic provability and run using the meta-interpreter for lists of length under the optimized translation is equivalent to provability n. in LF, and the following is a theorem. • The last benchmark, referred to as num, involves rewrit- Theorem 3 (Optimized translation correctness). ing arithmetic expressions into an equivalent normal Let Γ be an LF specification such that ` Γ ctx has a deriva- form. This example again makes essential use of de- tion, A an LF type such that Γ ` A : Type has a deriva- pendent types by associating with each equivalence tion. Then, for any LF object M such that Γ ` M : A has of two such terms a proof of their equivalence. The a derivation, Γ + −→ M : A − is derivable. Moreover, if benchmark tests rewriting expressions of size n. Γ + −→ A J−(KM) forJ an arbitraryK hohh term M, then it mustJ K be thatJ KM = hM 0i for some canonical LF object such The third through fifth columns of Figure 8 present data that Γ ` M 0 : A has a derivation. comparing the simple translation, the translation with re- dundant typing judgments removed, and the fully optimized 6. PERFORMANCE COMPARISONS translation against the standard of Twelf with default opti- mizations on these benchmarks.4 As described in Figure 6, We have claimed two properties for our translation: that it the fully optimized translation inserts the proof term as the produces an hohh program which corresponds closely to the first argument of the predicate generated. Since this term original LF specification, and that this program provides an is to be determined by proof search, advantage cannot be effective means for executing the specification. Evidence for taken of the capability Teyjus possesses of indexing on the the first claim is provided by the translation of the append first argument. The last column presents data for the case specification presented in Figure 7, especially when one uses where we make the proof term the last argument instead. the easily applied simplification of a formula of the form In the data presented, overflow indicates a heap overflow in > ⊃ F to F . Notice also the correspondence of the defini- the Teyjus simulator, and ∞ means that the program ran tion of the append predicate to the one that one might in, more than 1000 times longer than Twelf. e.g., Prolog, if one drops the first “proof term” argument of The most optimized translation leads to better perfor- the predicate. To fully appreciate this benefit, it is necessary mance in most cases, often significantly so. On the other to consider larger examples that space does not allow us to hand, the simple translation yields a program that is gener- do in this paper. However, such examples are available with ally slower than Twelf. In particular, performance tends to the implementation [21]. We suggest that the reader look deteriorate with larger problems sizes, in keeping with the especially at the example of the evaluator for Mini-ML with difficulty that we noted with this translation. However, the terms that are not indexed by their type that is described simple translation is still comparable to Twelf on the first below in the collection of benchmarks: the translation re- sults in an hohh program that is what one might write in 4This setting with Twelf leads to the best performance on hohh directly. these examples. Example Twelf Simple Optimized Typed Optimized Indexing reverse(10) 1.0 0.40 0.14 0.07 0.08 reverse(20) 1.0 0.57 0.19 0.12 0.11 reverse(30) 1.0 0.63 0.20 0.14 0.11 reverse(40) 1.0 0.41 0.13 0.10 0.07 reverse(50) 1.0 0.46 0.15 0.10 0.08 miniml(50) 1.0 0.74 0.25 0.18 0.08 miniml(100) 1.0 1.25 0.44 0.30 0.17 miniml(150) 1.0 1.75 0.56 0.41 0.25 miniml(200) 1.0 2.89 0.83 0.62 0.41 typed miniml(50) 1.0 2.27 1.07 0.57 0.48 typed miniml(100) 1.0 2.22 0.76 0.49 0.38 typed miniml(150) 1.0 3.49 1.44 0.67 0.55 typed miniml(200) 1.0 3.70 0.92 0.67 0.55 perm(10) 1.0 overflow 3.13 0.94 0.72 perm(20) 1.0 overflow 1.75 0.78 0.44 perm(30) 1.0 overflow 3.05 1.52 0.81 perm(40) 1.0 overflow 3.95 2.15 1.14 perm(50) 1.0 overflow 5.05 2.88 1.59 num(64) 1.0 158.19 0.25 0.23 0.21 num(128) 1.0 ∞ 0.10 0.10 0.07 num(256) 1.0 ∞ 0.15 0.14 0.13 num(512) 1.0 ∞ 0.003 0.003 0.003

Figure 8: Performance comparison results three benchmarks. On the perm benchmark, Twelf does similar to rigidity, used for the different purpose of identify- quite well and even out-performs Teyjus with the optimized ing sub-terms of LF objects that could be reconstructed if translation on problems of large size. We have yet to pin- elided – in contrast, we avoid redundant type checking but point the reason for this—the program is large and difficult still generate a complete LF object. Such an understanding to analyze in detail—but we suspect that the linear head op- might lead both to an improvement of our translation and timization that delays expensive unification computation till to the ability to shorten LF terms that are needed in ap- after simpler checks have been made may have something to plications such as that of proof-carrying-code [16]. From an do with this. The fact that term indexing causes significant implementation perspective, another possible optimization improvement with Teyjus gives credence to this observation. is to avoid constructing an LF object explicitly when the For problems of very large size with all the benchmarks, task has been identified as that of only determining whether the performance of Twelf deteriorates quite dramatically; a type has an inhabitant: experiments in this direction indi- this is seen, for example, in the case of num(n) for a prob- cate in some cases a ten-fold performance improvement over lem of size 512. This phenomenon is linked to the fact that the optimized translation. Twelf consumes excessive amounts of memory. The ulti- We have focused here on realizing Twelf through a trans- mate source of this problem is perhaps the fact that Twelf lation to λProlog. A different approach, worthy of inves- is implemented in SML: it has been argued that realizing tigation, is that of compiling Twelf specifications directly a logic programming language in a to bytecode for the virtual machine underlying the Teyjus setting can lead to poor memory reclamation and eventually system. Such an approach would make it possible to real- to shortage of space [3]. ize optimizations that have been developed for the direct implementation of Twelf [18, 19]. Of special note here are 7. CONCLUSION AND FUTURE WORK optimizations like the linear heads treatment of unification described by Pientka and Pfenning [19] for minimizing oc- We have considered in this paper a translation of Twelf curs checking, that could make a difference in examples such specifications into logic programs in the hohh language. An as the perm program considered in the previous section: di- important part of our ideas is the recognition of certain situ- rect compilation would allow us to regain opportunities for ations in which type information is redundant in LF expres- such improvements that might be lost by translating first to sions and hence its checking can be avoided. Our eventual λProlog and then relying on its implementation that is not translation produces a program that corresponds closely to specially optimized to treat Twelf-specific programs. the original specification and we have argued that it can be A more ambitious line of development concerns meta- the basis for an effective animation of Twelf descriptions. reasoning over specifications. Existing tools might be used The specific work undertaken here can be extended in a to reason about LF programs via the translation, the trans- few different ways. As an extension to our notion of rigid- parency of the translation becoming essential. Anecdotal ev- ity, we might observe that, when applying a variable of type −−→ idence suggests that this transparency is not only enabling, Πx:B.A, we could identify redundant type information, not it is also elucidating: that the generated hohh program is only between a Bi and A, but also between a Bi and a dif- easier to reason about because it highlights those types that ferent Bj . It would also be interesting to relate our work to could have logical importance, and elides those that do not. the ideas of Reed [20] who describes a notion of strictness 8. ACKNOWLEDGEMENTS [16] G. C. Necula. Proof-carrying code. In Conference This work has been supported by the NSF grants CCR- Record of the 24th Symposium on Principles of 0429572 and CCF-0917140. Opinions, findings, and conclu- Programming Languages 97, pages 106–119, Paris, sions or recommendations expressed in this papers are those France, 1997. ACM Press. of the authors and do not necessarily reflect the views of the [17] F. Pfenning and C. Schurmann.¨ System description: National Science Foundation. Twelf — A meta-logical framework for deductive systems. In H. Ganzinger, editor, 16th Conference on 9. REFERENCES Automated Deduction (CADE), number 1632 in LNAI, [1] D. Baelde. A linear approach to the proof-theory of pages 202–206, Trento, 1999. Springer. least and greatest fixed points. PhD thesis, Ecole [18] B. Pientka. Eliminating redundancy in higher-order Polytechnique, Dec. 2008. unification: A lightweight approach. In U. Furbach [2] D. Baelde, D. Miller, and Z. Snow. Focused inductive and N. Shankar, editors, IJCAR, volume 4130 of theorem proving. Accepted for publication at Lecture Notes in Computer Science, pages 362–376. IJCAR’10, 2010. Springer, 2006. [3] P. Brisset and O. Ridoux. The architecture of an [19] B. Pientka and F. Pfenning. Optimizing higher-order implementation of lambda-prolog: Prolog/mali. In pattern unification. In 19th International Conference ILPS Workshop: Implementation Techniques for Logic on Automated Deduction, pages 473–487. Programming Languages, 1994. Springer-Verlag, 2003. [4] A. Church. A formulation of the simple theory of [20] J. Reed. Redundancy elimination for LF. Electron. types. J. of Symbolic Logic, 5:56–68, 1940. Notes Theor. Comput. Sci., 199:89–106, 2008. [5] A. Felty. Specifying and Implementing Theorem [21] Z. Snow. Parinati. Provers in a Higher-Order Logic Programming http://www.cs.umn.edu/~snow/parinati, 2010. Language. PhD thesis, University of Pennsylvania, Aug. 1989. APPENDIX [6] A. Felty and D. Miller. Encoding a dependent-type λ-calculus in a logic programming language. In A. PROOFS OF THEOREMS M. Stickel, editor, Proceedings of the 1990 Conference on Automated Deduction, volume 449 of LNAI, pages A.1 Correctness of the simplified encoding 221–235. Springer, 1990. (Theorem 1) [7] A. Gacek. The Abella interactive theorem prover (system description). In A. Armando, P. Baumgartner, A.1.1 Completeness and G. Dowek, editors, Fourth International Joint We use induction on the derivation of Γ ` M : A to build Conference on , volume 5195 of one for {{Γ}}−→ {{M : A}}. We proceed by case analysis on LNCS, pages 154–161. Springer, 2008. the canonical type A. [8] A. Gacek. A Framework for Specifying, Prototyping, If A is of the form Πx:B.A0 then M must be of the form and Reasoning about Computational Systems. PhD λx:B.M 0 and the LF derivation must end with an abs-obj thesis, University of Minnesota, 2009. rule, i.e., a rule of the form [9] A. Gacek, S. Holte, G. Nadathur, X. Qi, and Z. Snow. The Teyjus system – version 2, Mar. 2008. Available Γ ` A0 : Type Γ, x : B ` M :0 A0 abs-obj from http://teyjus.cs.umn.edu/. Γ ` (λx:B.M 0) : (Πx:B.A0) [10] A. Gacek, D. Miller, and G. Nadathur. Combining generic judgments with recursive definitions. In The induction hypothesis gives us a derivation for F. Pfenning, editor, 23th Symp. on Logic in Computer {{Γ, x : B}}−→ {{M 0 : A0}}. Science, pages 33–44. IEEE Computer Society Press, 2008. By applying the rules ∀R and ⊃R to this, we get a derivation [11] R. Harper, F. Honsell, and G. Plotkin. A framework for {{Γ}}−→ ∀x. {{x : B}}⊃ {{M 0 : A0}}. The righthand side for defining logics. Journal of the ACM, of this sequent is the expected goal: 40(1):143–184, 1993. {{(λx:B.M 0) : (Πx:B.A0)}} = [12] W. A. Howard. The formulae-as-type notion of 0 0 construction. In J. P. Seldin and R. Hindley, editors, ∀x. {{x : B}}⊃ ({{A }} (hλx:B.M i x)), To H. B. Curry: Essays in Combinatory Logic, and hM 0i = (hλx:B.M 0i x) by virtue of η-conversion. , and Formalism, pages 479–490. Academic Press, New York, 1980. If A is a base type then M must be of the form x N1 ...Nn [13] D. Miller, G. Nadathur, F. Pfenning, and A. Scedrov. and the canonical LF derivation must end with a chain of Uniform proofs as a foundation for logic programming. app-obj rules following a var-obj rule that reveals that

Annals of Pure and Applied Logic, 51:125–157, 1991. 0 [14] D. Miller and A. Tiu. A proof theory for generic x :Πy1:B1.... Πyn:Bn.A ∈ Γ. judgments. ACM Trans. on , 0 Moreover, A must be A [N1/y1,...,Nn/yn] and, from look- 6(4):749–783, Oct. 2005. ing at the right upper premise of the app-obj rules, there [15] G. Nadathur and D. Miller. An Overview of λProlog. must be shorter derivations of In Fifth International Logic Programming Conference, pages 810–827, Seattle, Aug. 1988. MIT Press. Γ ` Ni : Bi[N1/x1,...,Ni−1/xi−1] 0 0 for 1 ≤ i ≤ n. By the induction hypothesis we obtain deriva- evidently M = hx N1 ...Nni and, since substitution per- 0 0 0 tions Di of {{Γ}}−→ {{Ni : Bi[N1/x1,...,Ni−1/xi−1]}}. Fur- mutes with encoding, A = A [N1/y1,...,Nn/yn]. Thus, the ther, {{Γ}} must contain desired result would be proven. It only remains, then, to establish the claim. We actually ∀y1. ({{B1}} y1) ⊃ ... ⊃ 0 strengthen it to include also the assertion that, for 1 ≤ i ≤ n, ∀yn. ({{Bn}} yn) ⊃ hastype (x y1 . . . yn) hA i, 0 0 Γ ` Bi[N1/y1 ...Ni−1/yi−1]: Type has a derivation. To 0 prove it, we use an inner induction on i. Since Γ is a well- i.e., the encoding of x :Πy1:B1.... Πyn:Bn.A . By applying formed context, and x :Πy :B .... Πy :B .A0 ∈ Γ, there backchain on that clause, choosing hNii for yi and using the 1 1 n n must be a derivation of derivations Di, we obtain a derivation of

Γ, x1 : B1, . . . , xi−1 : Bi−1 ` Bi : Type {{Γ}}−→ hastype (x hN1i ... hNni) 0 (hA i[hN1i/y1,... hNni/yn]). for 1 ≤ i ≤ n. Using Proposition 1 and the induction hy- pothesis we see that there must be a derivation of The right side of this sequent is precisely Γ ` B [N 0 /y ...N 0 /y ]: Type. 0 i 1 1 i−1 i−1 {{(x N1 ...Nn): A [N1/y1,...,Nn/yn]}}. Noting that A.1.2 Soundness {{Bi}}[N1/y1,...,Ni−1/yi−1] = {{Bi[N1/y1,...,Ni−1/yi−1]}}, We prove the soundness direction by induction on the derivation of {{Γ}}−→ ({{A}} M): assuming that Γ ` A : the outer induction hypothesis and the shorter derivation 0 of {{Γ}}−→ ({{Bi}}[N1/y1,...,Ni−1/yi−1] Ni) allows us to Type has a derivation, we establish that M = hM i for some 0 0 canonical object M 0 and we build a derivation of Γ ` M 0 : conclude that Ni = hNi i for some canonical LF term Ni and A. A case analysis on the structure of the canonical type A that there is a derivation of 0 0 0 will guide us. Γ ` Ni : Bi[N1/y1 ...Ni−1/yi−1], 0 If A is of the form Πx:B.A then the structure of {{A}} forces thus verifying the claim. the hohh derivation to conclude as follows: {{Γ, x : B}}−→ ({{A0}} (M x)) A.2 Completeness of the optimized encoding ∀R, ⊃R (Theorem 2) {{Γ}}−→ ∀x. ({{B}} x) ⊃ ({{A0}} (M x)) If {{Γ}}−→ {{A}}M has a derivation, then Γ + −→ A −M Since A is a valid Type under Γ, B must also be, and A0 has a derivation as well. Note that for thisJ directionK J ofK the must be valid under (Γ, x : B). We can thus apply the proof we are simply dropping information (subderivations) inductive hypothesis, and we obtain that M x = hM 0i and and so we do not rely on Γ being a valid specification or A that Γ, x : B ` M 0 : A0 is derivable for some canonical being a valid type. We proceed by induction on the struc- object M 0. Since x does not occur free in M, we conclude ture of the derivation of {{Γ}}−→ {{A}}M, followed by case that analysis on A. If A is of the form Πx:B.A0 our derivation ends as follows: M = (λx.hM 0i) = hλx:B.M 0i, {{Γ, x : B}}−→ {{A0}} (M x) 0 0 ∀R, ⊃R and we derive Γ ` (λx:B.M ) : (Πx:B.A ) using the abs-obj 0 rule and our derivation of Γ ` B : Type. {{Γ}}−→ {{Πx:B.A }} M + 0 − Otherwise, A is a base type, and the derivation we are con- By the inductive hypothesis Γ, x : B −→ A (M x) J K J K sidering is that of {{Γ}}−→ hastype M hAi. This derivation has a derivation, and by applying ∀R and ⊃R to this deriva- must end in a backchain rule that uses some clause in {{Γ}} tion we can construct a derivation of of the form Γ + −→ Πx:B.A0 − M J K J K ∀y1. ({{B1}} y1) ⊃ ... ⊃ Otherwise, A is a base type and our derivation proceeds 0 −−→ ∀yn. ({{Bn}} yn) ⊃ hastype (x y1 . . . yn) hA i; by backchaining on some (y :Πx:B.A0) ∈ Γ, with hAi = 0 hA i[t1/x1 . . . tn/xn]: note that the variables y1, . . . , yi−1 can appear in {{Bi}} here. Thus, for some hohh terms N1,...,Nn, {{Γ}}−→ F1 ... {{Γ}}−→ Fn backchain 0 −→ hAi = hA i[N1/y1,...,Nn/yn], {{Γ}}−→ {{A}} (y t )

M = (x N1 ...Nn), and, for each i such that 1 ≤ i ≤ n, Here, Fi = ({{Bi}} xi)[t1/x1 . . . tn/xn]. As in the complete- there is a shorter derivation of ness proof of the simplified encoding, we obtain by an in- 0 ner induction that each ti is of the form htii and thus that 0 0 {{Γ}}−→ ({{Bi}} yi)[N1/y1,...,Ni/yi], Fi = {{Bi[t /x1 . . . t /xn]}}(ti). We shall build the deriva- 1 n −→ tion of Γ + −→ A −(y t ) by using backchain on the opti- i.e., of {{Γ}}−→ ({{Bi}}[N1/y1,...,Ni−1/yi−1] Ni). Further, −−→ 0 J K J K 0 −→ −→ we know that x :Πy1:B1.... Πyn:Bn.A ∈ Γ for some x. We mized encoding of (y :Πx:B.A ) ∈ Γ, by choosing t for x . 0 now claim that, for 1 ≤ i ≤ n, Ni = hNi i for some canonical The resulting premises are either 0 0 0 0 LF object Ni and that Γ ` Ni : Bi[N1/y1 ...Ni−1/yi−1] + 0 0 − Γ −→ Bi[t1/x1 . . . tn/xn] ti has a derivation. If this claim is true, then, we can use J K J K 0 0 the var-obj rule to derive Γ ` x :Πy1:B1.... Πyn:Bn.A when xi does not occur rigidly in A , and this case is pro- and follow this by a sequence of app-obj rule applications vided for by the inductive hypothesis, or > otherwise, which 0 0 0 0 0 to prove Γ ` (x N1 ...Nn): A [N1/y1 ...Nn/yn]. Now, we derive using >R.