Masters-Thesis-Lasse-Blaauwbroek

Eindhoven University of Technology

MASTER

On the interaction between unrestricted union and intersection types and computational effects

Blaauwbroek, L.

Award date: 2017

Link to publication

Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration.

General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Technical University Eindhoven Department of Mathematics and Computer Science

Master’s Thesis

On the Interaction Between Unrestricted Union and Intersection Types and Computational Eﬀects

Lasse Blaauwbroek

Eindhoven, August 2017

Supervisor prof.dr. Herman Geuvers

Advisors

prof.dr. Tim Willemse prof.dr. Alexander Serebrenik Master’s Thesis Contents

Contents

1. Introduction4

2. Background6 2.1. Unrestricted Union and Intersection Types...... 6 ∨ 2.1.1. Informal Treatment of the Semantics of λ∧ ...... 8 ∨ 2.1.2. The Feature-subsuming Power of λ∧ ...... 10 ∨ 2.1.3. Challenges of λ∧ ...... 15 2.2. Models for Computational Effects...... 22 2.2.1. Pass by Reference...... 23 2.2.2. Reference Types...... 23 2.2.3. Pass by Sharing...... 27

3. Preliminaries 29

∨ 4. Formalization of λ∧ 32 + 4.1. Algebraic Data Types λ× ...... 33 4.1.1. Deﬁnitions...... 33 + 4.1.2. Correctness Properties of λ× ...... 35 + 4.1.3. Strong Normalization of λ× ...... 39 ∨ 4.2. Unrestricted Union and Intersection Types λ∧ ...... 44 4.2.1. Deﬁnitions...... 44 ∨ 4.2.2. Correctness Properties of λ∧ ...... 52

∨ 5. Formalization of λ∧ with Mutations 60 + 5.1. Mutable Algebraic Data Types λ× ...... 61 5.1.1. Deﬁnitions...... 61 5.1.2. A Notion of Equivalence...... 63 + 5.1.3. Correctness Properties of λ× ...... 67 + 5.1.4. Turing Completeness of λ× with Mutations...... 71 ∨ 5.2. Mutable Unrestricted Union and Intersection Types λ∧ ...... 75 5.2.1. Deﬁnitions...... 75 ∨ 5.2.2. Correctness Properties of λ∧ ...... 76 ∨ 5.2.3. Turing Completeness of λ∧ with Mutations...... 79

6. Conclusion and Further Work 80

A. Generic Variables 86

2 Technical University Eindhoven Contents Master’s Thesis

B. Generic Types 87

C. Deﬁnitions for Algebraic Data Types 88

D. Proofs for Algebraic Data Types 93

E. Deﬁnitions for Unrestricted Union and Intersection Types 99

F. Proofs for Unrestricted Union and Intersection Types 108

G. Deﬁnitions for Mutable Algebraic Data Types 113

H. Proofs for Mutable Algebraic Data Types 119

I. Deﬁnitions for Mutable Union and Intersection Types 125

J. Proofs for Mutable Union and Intersection Types 134

Department of Mathematics and Computer Science 3 Master’s Thesis 1. Introduction

1. Introduction

Within the academic domain of programming language research the never-ending quest is to synthesize models for languages that are evermore expressive while still being simple to reason about and convenient to use for a programmer. A big part of this is the design of type-systems that can type as many “desired” programs as possible. Traditionally, an important tool to do this is parametric polymorphism. Much research exists on this topic and many (functional) programming languages offer this facility, including the convenience of ML-style type-inference. A close cousin of parametric polymorphism is the notion of intersection types, which is essentially a discrete version of parametric polymorphism. This paradigm is very powerful in the sense that it is able to subsume many programming language features that would otherwise have to be introduced separately. However, although it was invented in the eighties, this paradigm has not received nearly as much attention. This can partially be contributed to the fact that the expressivity of intersection types is a double-edged sword. Many of the desired properties of type-systems, such as type-inference, do not hold for intersection types, and need to be worked around. For this reason, intersection types have historically not been used in the design of programming languages in the industry. Only in recent times have we started to see some languages, such as the Ceylon programming language, adopt simple versions of intersection types due to advancements in its theory. However, as we will see, quite some issues remain that need to solved in order to enable broad applicability. In this thesis, we are interested in a λ-calculus outﬁtted with a very general notion of intersection types, usually referred to as unrestricted intersection types. Together with its dual, union types, this makes for a very interesting calculus that has only recently started to be researched in-depth. We will give an overview of the current state-of-the-art of this calculus, both of its (potential) uses and the challenges that need to be solved. Then we will focus on one particular challenge, namely the integration of computational effects with unrestricted union and intersection types. Within the world of functional programming languages, the most prevalent method of introducing computational effects is through ML-style reference types. For this reason, the combination of intersection types and computational effects has always been studied within this paradigm of reference types. As we will show, a naive combinations of intersection types and computational effects leads to a calculus that does not preserve typing under evaluation. Existing research focuses on ﬁnding ways to restrict the expressiveness of this calculus so that this subject reduction property can be restored. In this thesis, we propose that a slightly different model for computational effects should be used instead. Instead of reference types, we use a model called pass-by-sharing. Although this terminology is relatively obscure, this

4 Technical University Eindhoven Master’s Thesis

is the model that is used by all major object oriented programming languages such as Java and C#. We will show that by using pass-by-sharing instead of reference types, all of the issues around the subject reduction property vanish, while allowing for a more expressive type-system. To that end, we present a formalization of a λ-calculus outﬁtted with unrestricted union and intersection types, using the pass-by-sharing style of computational effects, and prove that this combination is well-behaved. Apart from a paper proof, we also present a mechanical proof, formalized in the Coq proof assistant. This thesis is organized as follows. Chapter2, contains a treatment of the relevant background information. In Section 2.1, we give an overview of intersection types, how they might be used and their challenges. Then, in Section 2.2, we discuss different models for computational effects, and show how they interact with intersection types. Chapter4 contains a formalization of unrestricted union and intersection types, which is extended with computational effects in Chapter5.

Department of Mathematics and Computer Science 5 Master’s Thesis 2. Background

2. Background

In this chapter, we provide some background on the concept of unrestricted union and intersection types and how they compare to different models of computational effects.

2.1. Unrestricted Union and Intersection Types

The concept of a λ-calculus with intersection types can be traced back independently to Coppo and Dezani-Ciancaglini [1] and Pottinger [2]. The original purpose of this calculus was the ability to type exactly all strongly normalizing λ-terms, see Section 2.1.3.1 on page 15. This was mainly meant as a theoretical exercise to increase the number of typable terms. Later, it it became clear that intersection types are also of interest for practical programming languages. We will therefore begin our motivation for intersection types with an example of a more practical nature. Consider a λ-calculus outfitted with natural numbers and booleans. We are interested in the following λ-term M ≡ λ f . f 5 + f true. This term accepts a function f , applies it to both a number and a boolean and finally sums the result of these applications. We would now like to give this term a type. In the Simply Typed Lambda Calculus (STLC), it is not difficult to see that this is impossible, because we need f to be a function that is simultaneously of type N → N and of type B → N. One solution to this problem is to use parametric polymorphism [3, p. 316], in which case we can type f as ∀α.α → N. This then enables us to give M the type (∀α.α → N) → N. A downside of this approach is that the type ∀α.α → N is far more restrictive than required. A function of this type needs to be able to handle any kind of input, while M only applies it to booleans and natural numbers. The idea behind intersection types is to solve this problem by typing M as (N → N ∧ N → B) → N (note that intersections have weaker precedence than arrows). The intersection type-constructor τ ∧ σ literally means that a term is both of type τ and of type σ. This is not unlike the concept of overloading as is present in many programming languages such as Java. As we will see later, this paradigm is very powerful. However, extending the STLC with only the intersection type constructor also has some limitations. To see this, consider what practical terms we can actually apply M to. One possible candidate is a constant function such as λy.3. Since this function does not use its parameter, and clearly returns a number, it can trivially be typed both as N → N and N → B. However, because the class of constant functions is not the most interesting, we would also like to see if we can make a more interesting function that actually uses its argument. The problem here is that we do not know whether the argument is of type N

6 Technical University Eindhoven 2.1. Unrestricted Union and Intersection Types Master’s Thesis

or B. We can therefore not perform any calculations speciﬁc to either of these types. All operations we perform must be overloaded for both N and B, which means that we just move our implementation problem to these operations. Instead, what we would like to do is make the result of our function depend on the type of the input that is supplied. For example, when we are dealing with natural numbers, we might want our function to behave like λx.x2. On the other hand, in case of booleans we might want the function to behave like (λx.if x then 5 else 8). To provide this functionality, we simply repeat the trick we used before, but now on the term-level: Like we introduced the intersection type-constructor ∧ to indicate that a function has two types, we now introduce the merge operator ⊗ to indicate that a function consists of two separate implementations. Hence, the function we desire can now be written as

(λx.x2) ⊗ (λx.if x then 5 else 8).

Another example where the merge operator can be used is with the definition of overloaded arithmetic functions. For example, in a calculus with both natural numbers and reals, it would be very convenient to have an addition function (+) that is typed as follows: + : N → N → N ∧ R → R → R. With this type, we are able to use + for naturals and reals interchangeable, while keeping the full type-safety. It should be clear that a term 5 + 8 is of type N, while the type 2.5 + 0.5 is of type R. Additionally, with such a definition of +, terms such as 2.5 + 3 are untypable, because they combine naturals and reals (unless the language also implements some form of number-coercion). In a type system without intersection types (and other forms of polymorphism), the reals and naturals will typically have separate addition functions +R and +N. What we would like to do is to take these two definitions of plus, and combine them into a function + with the type definition above. With a standard lambda calculus there is no expression that performs this combination. However, using the merge operation, we are able to define the function + as follows:

+ ≡ +R ⊗ +N.

The combination of intersection types and the merge operator is often referred to as unrestricted intersection types, in contrast to normal intersection types, which are restricted exactly in not having a merge operator [4]. Note that Pottinger [2] originally introduced the convention to denote an intersection type with the intersection operator (∩). Nowadays it seems that this convention has largely shifted to the conjunction operator (∧). We will adopt this latter convention. For the merge operator, Dunﬁeld [4] uses the f ,, g. However, in the interest of legibility, we will use the symbol ⊗. The ﬁnal ingredient to the calculus of our interest is the dual of intersection types, namely union types. A union τ ∨σ of two types τ and σ is the type of a term that can be typed as either τ or σ. The precise semantics of this type-constructor will become clear in the next section. It might seem natural to also introduce a dual to the merge operator.

Department of Mathematics and Computer Science 7 Master’s Thesis 2. Background

Let’s denote this operator as ⊕. If we have two terms, f and g of respectively type τ and σ, the operation f ⊕ g would then produce a term of type τ ∨ σ. Such an operation does not make sense, however, because both f and g are already of type τ or of type σ. Therefore, they both already inhabit the type τ ∨ σ, which means that the semantics of the ⊕-operator would be unclear at best. The λ-calculus that combines unrestricted intersection types and union types is de- ∨ noted by λ∧. In the next section we will give an informal treatment of the semantics of this calculus. Then, in Section 2.1.2 on page 10, we will give an account of the power that this calculus harbors. However, as usual, with great power come great challenges. In Section 2.1.3 on page 15 we outline some of these challenges and give a short survey of the proposed solutions to these challenges.

∨ 2.1.1. Informal Treatment of the Semantics of λ∧ In this section, we will give an informal overview of the static and dynamic semantics of ∨ λ∧. For a more formal treatment, we refer to Chapter4 on page 32.

2.1.1.1. Static Semantics

∨ The type-system of λ∧ is in principle a rather simple extension of the STLC. Apart from the normal typing rules, the crucial rules we need to add are the following.

Γ ` t:τ Γ ` t:σ Γ ` t:τ Γ ` u:τ Γ ` t : τ ∧ σ Γ ` t ⊗ u : τ Γ ` t ⊗ u : τ

Our ﬁrst rule straightforwardly embodies the fact that if a term inhabits two types, it will also inhabit the intersection of those types. For the second and third rule, we ﬁrst note that they are symmetric. A peculiarity of these rule is that their conclusions contain a term that does not occur in the assumptions. As we will see in Section 4.2 on page 44, this fact makes these rules somewhat ill-behaved when using a naive evaluation strategy. However, we will show that using a more sophisticated evaluation strategy circumvents these problems. Another question one might ask is how these rules embody the intuition that the term t ⊗ u represents the merge of t and u, and should therefore inhabit the intersection of the types of t and u. The rule that encodes this intuition is admissible under these three rules, as is show by the following derivation.

Γ ` t:τ Γ ` u:σ Γ ` t ⊗ u : τ Γ ` t ⊗ u :σ Γ ` t ⊗ u : τ ∧ σ

Apart from these three rules, there are many additional relations between types that we will encode using a subtyping relation 4. The assertion τ 4 σ states that all terms that inhabite type τ also inhabit type σ. Below we show the subtyping rules that are

8 Technical University Eindhoven 2.1. Unrestricted Union and Intersection Types Master’s Thesis

speciﬁc to union and intersection types.

τ ∧ σ 4 τ τ ∧ σ 4 σ τ 4 τ ∨ σ σ 4 τ ∨ σ

ρ 4 τ ρ 4 σ τ 4 ρ σ 4 ρ ρ 4 τ ∧ σ τ ∨ σ 4 ρ

σ → τ1 ∧ σ → τ2 4 σ → (τ1 ∧ τ2) τ1 → σ ∧ τ2 → σ 4 (τ1 ∨ τ2) → σ

σ ∧ (τ ∨ ρ) 4 (σ ∧ τ) ∨ (σ ∧ ρ) (σ ∨ τ) ∧ (σ ∨ ρ) 4 σ ∨ (τ ∧ ρ) The top two rows encode the basic behavior of union and intersection types. Then follow distributive rules of union and intersection types over each other and over arrow types. Using these rules, together with reﬂexivity and transitivity, it is not difﬁcult to show that the subtyping relation forms a congruence and that union and intersection types are commutative, associative and idempotent and satisfy the absorption laws. The following distributive identities are also admissible. (σ ∧ τ) ∨ (σ ∧ ρ) = σ ∧ (τ ∨ ρ) (σ ∨ τ) ∧ (σ ∨ ρ) = σ ∨ (τ ∧ ρ)

σ → τ1 ∧ σ → τ2 = σ → (τ1 ∧ τ2)

τ1 → σ ∧ τ2 → σ = (τ1 ∨ τ2) → σ For these identities it is the case that the proof of one direction can be directly found in the axioms. The other directions are straightforward to derive. Finally, the following two relations can also be derived.

σ → τ1 ∨ σ → τ2 4 σ → (τ1 ∨ τ2) τ1 → σ ∨ τ2 → σ 4 (τ1 ∧ τ2) → σ It should be noted that these relations cannot be extended to identities. To see why, consider a function of type σ → (τ1 ∨ τ2). This function produces a term either of type τ1 or τ2. Which type is chosen may depend on what term is supplied as a parameter. Contrast this with a function of type σ → τ1 ∨σ → τ2. In this case, the choice to produce a term of type τ1 or τ2 is made beforehand, and cannot be inﬂuenced by the parameter. Therefore, σ → (τ1 ∨ τ2) cannot be a subtype of σ → τ1 ∨ σ → τ2.

2.1.1.2. Dynamic Semantics

In order to see how the merge operator behaves, we will take a look at possible reductions of the term N ≡ ( f ⊗ g) t. We already know that the term f ⊗ g represents the merge of the functions f and g. Hence, it behaves as both f and g at the same time. Intuitively, this means that N can reduce either to f t or to g t. To determine which reduction to use, it is necessary to look at the accompanying types of the subterms in N. This therefore means that the operational semantics depend on the type-derivation we have of N.

Department of Mathematics and Computer Science 9 Master’s Thesis 2. Background

To show this, we will assume f to be a function typable as τ → σ and g a function typable as φ → η. Hence, f ⊗ g is typed as τ → σ ∧ φ → η. Now in order to get a correct type for N, the term t can be either of type τ or φ. In the first case, it makes sense that N reduces to f t, because this is the only reduction that preserves type-safety. Conversely, in the second case N must reduce to g t in order to preserve type-safety. Apart for τ and φ, there are two additional possible types for t, namely τ ∧ φ and τ ∨ φ. For the first case, we note that in order for t to be of type τ ∧ φ, it either needs to be trivial, or reduce to a term of the form x ⊗ y, where x is typed as τ and y is typed as φ. We now have a choice to reduce N to either f x or g y. Both reductions preserve type-safety and are equally valid. There is, however, a third option. That is to reduce N to ( f x) ⊗ (g y), a term of type σ ∧ η. By performing this reduction, we do not have to make an arbitrary choice, but simply keep both possibilities. Finally if t is of type τ ∨ φ, then it must be the case that t is also typable as either τ or φ. In this case, we simply check which of the two it is, and reduce to f t in the first case and g t in the second. The behavior of the merge operator as introduced above is rather peculiar, and is quite difficult to describe formally in a straightforward way. A full formalization can be found in Chapter4 on page 32. It should also be noted that because the operational ∨ semantics of λ∧ is dependent on typing-information, there can be situations where the reduction of a term is ambiguous because there are multiple possible typings of the term. ∨ For simplicity reasons, we have chosen to keep our formalization of λ∧ in the style of Curry (without explicit type-information in the terms). However, in the examples below, we will sometimes add type-information in Church’s style in order to disambiguate the semantics of a term. Further information about type-inference and Church versus Curry style type systems can be found in Section 2.1.3.1 on page 15.

∨ 2.1.2. The Feature-subsuming Power of λ∧ Since the conception of intersection types, many possible uses for this paradigm have been conceived. The big advantage of union and intersection types is that it is able to subsume a number of language features that would otherwise have to be introduced separately. Having many separate features dramatically increases the complexity of the language because all these features have to interact. ∨ This makes λ∧ a good candidate for an intermediate language. One can have a ∨ program in a higher order language with a complex syntax, and compile it into λ∧. We can then take advantage of the relative simplicity of this calculus to type-check the program and perform all kinds of analyses, transformations and optimizations before ﬁnally compiling the program to machine code. We will now give a short overview of ∨ some language features that can (potentially) be encoded with λ∧.

2.1.2.1. Composable Overloading

The most obvious feature where intersection types can be used is overloading. Many programming languages implement some form of overloading, often with subtly dif-

10 Technical University Eindhoven 2.1. Unrestricted Union and Intersection Types Master’s Thesis

ferent semantics. The main idea is, however, to have multiple functions with different input and output types, but with the same name. For example, in Java one can have the following functions, that perform the same summation operator, on different numerical types.

int sum(int a, int b){...} long sum(long a, long b){...} float sum(float a, float b){...} double sum(double a, double b){...}

When one then calls the function sum(x), the exact function that is being called depends on the type of x. In functional languages similar functionality often exists, for example in the concept of typeclasses in Haskell. The above example can easily be encoded with unrestricted intersections by simply taking the merge of all four implementations.

 λa, b : int. . . .   int → int → int  λa, b : long. . . .   long → long → long O  ^  sum ≡   :    λa, b : float. . . .   float → float → float λa, b : double. . . . double → double → double

Overloading with intersection types is also more ﬂexible than its classical counterpart, because it is composable. In Java, if one has two overloaded functions f and g with n implementations, and one wants to deﬁne a third function h that uses these functions, then n copies of h must be written with different typings in order to make h fully overloaded. With intersection types, this becomes much easier. For example, let f and g be typed as ^ α → β ^ β → γ f : 1 1 and g : 1 1 . α2 → β2 β2 → γ2 Then, the composition of these functions can simply be typed as

^ α → γ g ◦ f : 1 1 . α2 → γ2

With this ﬂexibility, it is conceivable to make functions with much more expressive typings, without much extra burden for the programmer. For example, the typing of the summation function can be enhanced with approximate information about the computation, in a style that is often associated with abstract interpretation [5].

even → even → even odd → odd → even ^ sum : pos → pos → pos neg → neg → neg ···

Department of Mathematics and Computer Science 11 Master’s Thesis 2. Background

Assuming that other arithmetic functions are enhanced in the same way, then if one writes an algorithm using these functions, the typechecker can automatically deduce what properties hold about this algorithm using the composability of intersections. It should be pointed out that while the type system supports such enhancements quite easily, it is rather non-trivial to actually implement the sum function above. Additional language features such as advanced subtyping or dependent typing are required for this. Some work along these lines has been done by Dunﬁeld and Pfenning [6].

2.1.2.2. Objects

Another interesting usage pattern for unrestricted intersection types is the encoding of objects. This was originally devised by Reynolds in the programming language Forsythe [7]. There, a more restricted version of the merge operator was used. Therefore, below we will give a somewhat different presentation of the encoding of objects using our intersection operator. In order to create an object, one first needs a set of labels used to give the methods of the objects a name. These labels need to exist both on the term-level and type-level. To accommodate this, will assume that our calculus contains an infinite set of disjoint string types, which we will denote as xyz, where xyz is the label of this type. These string types have exactly one inhabitant, namely this string itself, which we denote xyz, such that xyz : xyz. It should be noted that we only introduce string types as a convenience. In reality, any set of disjoint types with at least one inhabitant would do. For example, the set of types {α,α → α,α → α → α,...} could be used instead. In addition to string types, we also assume that our language has an assignment operator, denoted as x := t, that can be used to mutate variables. This assignment modifies the contents of variable x and returns a unit-term of type >. We do not strictly require the assignment operator, but because mutation is often used in objects, we will include it for the purpose of the example below. We can now give the following example of an object that is simply a container that holds a value of type α that can be retrieved and updated. O λs:get.x ^ get → α box ≡ λx:α. :α → α λs:set.λx0:α.x := x0 set → α → >

The term boxα is itself the constructor of the container, that needs to be supplied a term a of type α in order to be initialized. The result of the redex boxα a is a closure, where variable x contains a. The resulting term (λs:get.x) ⊗ (λs:set.λx0:α.x := x0) can then be used to access and modify this variable. A possible usage of this box is as follows:

let b = boxN 5 in b set (3 + b get); b get.

12 Technical University Eindhoven 2.1. Unrestricted Union and Intersection Types Master’s Thesis

Here, b ﬁrst gets initialized with a box that holds the value 5. The box is then updated by storing the value that results from adding 3 to the value currently in the box. Finally, this new value is retrieved from b, resulting in the number 8. Note that in the term above ; is used as a statement separator. For a call-by-value language this can be straigforwardly deﬁned as

a; b ≡ (λx.λy.y) a b.

The let b = . . . in . . . syntax can simply be interpreted as

let x = t in u ≡ (λx.u) t.

The example above shows us how we can make basic objects. It should be noted, ∨ however, that we have not shown how λ∧ can encode objects with open recursion (objects whose member functions can recursively refer to each other). For this, one needs some kind of recursive language feature such as “letrec” in Scheme [8]. It turns out, however, that using the combination of an assignment operator and intersection types, we can write a ﬁxed-point combinator that can be used instead. For more information, see Section 5.1.4 on page 71.

2.1.2.3. Algebraic Datatypes

Algebraic Datatypes are used in programming languages to represent structured data. The basic idea is to have a sum type α + β that holds either a value of α or β and a product type α × β that holds both a value of type α and a value of type β. This description should sound very familiar to the description of union and intersection types. There are some differences between these two paradigms, however. If we have a pair t of type α × β, and we want to retrieve the values contained in the pair, we have to

use projections. The term proj1 t will result in a value of type α, while proj2 t will result in a value of type β. This is not the case for an intersection term u of type α ∧ β. Here, we can use u directly both as a term of type α and β, without using projections. Similarly, if we have a term x of type α and a term y of type β, we can use the injections

inj1 x and inj2 y to produce a term of type α + β. However, with union types both x and y will already be of type α ∨ β, without using injections. The conclusion we can thus make is that we can use union and intersection types instead of sum and product types, and that this substitution allows us to dispense with projections and injections, as can be seen in Table 2.1 on the following page. It should now become apparent, however, that there is one fundamental problem here. When the types of the values in products and sums are homogeneous, the translation to intersections and unions becomes ambiguous. For example, the pair (5, 8) has type N × N, and we can access both 5 and 8 with projections. However, the term 5 ⊗ 8 is of type N × N and hence due to idempotence of type N. Since we cannot use projections, it is not possible for the programmer to indicate whether the value 5 or 8 is wanted. For a further discussion of this problem, called the coherency problem, we refer to Section 2.1.3.3 on page 21.

Department of Mathematics and Computer Science 13 Master’s Thesis 2. Background

Table 2.1.: Translation between Sum and Product types, Union and Intersection types and an encoding using objects that can be used with homogeneous types. Sum/Product Union/Intersection Object version

(x, y) x ⊗ y (λs:proj1. x) ⊗ (λs:proj2. y) proj1 t t t proj1 proj2 t t t proj2

case t of u1, u2 (u1 ⊗ u2) t ((λx.u1 (x inj1)) ⊗ (λx.u2 (x inj2))) t inj1 t t λs:inj1. t inj2 t t λs:inj2. t

However, even with homogeneous types, we can still encode algebraic datatypes using objects as introduced in the previous section. As can be seen in Table 2.1, for homogeneous products we reintroduce the concept of projections by wrapping the values in a container. This container can then be applied to the labels proj1 and proj2 in order to retrieve its contents. Note that the type of such a container is not α ∧ α but

rather proj1 → α ∧ proj2 → α. Similarly, for homogeneous sums, we also create an object that wraps its type, now being of type inj1 → α ∨ inj2 → α.

2.1.2.4. Curry-Howard Isomorphism

It is well known that under the Curry-Howard correspondence [9], conjunctions and disjunctions are usually mapped to algebraic datatypes [10]. However, given the approximate isomorphism between algebraic datatypes and union and intersection types, one might ask if the latter can also fulﬁll this role. For restricted intersection and union ∨ types, that is λ∧ without the merge operator, this turns out not to be the case. As noted by Pottinger [2], the problem is that with such a calculus we may only give one witness t for a type α ∧ β, meaning that t must be simultaneously typable as α and β. This does not correspond with the traditional concept of conjunctions, where witnesses for α and β can be completely separate (as is the case for algebraic datatypes). However, as is observed by Dunﬁeld [4], if one is allowed to use the merge operator, this changes. While it is true that the type α ∧ β must still be witnessed by one term t, this term can now be composed of two separate witnesses t = x ⊗ y. ∨ So how do the changes between algebraic datatypes and λ∧ we observed in the previous section impact the Curry-Howard correspondence? We already saw that problems only occur with homogeneous types like α ∧ α and α ∨ α which are, due ∨ to idempotence, equal to α. It can therefore happen that λ∧ provides many separate witnesses for α. For a programming language this leads to problems, because it becomes unclear which witness should be used when performing computations. However, in the logical perspective we only care that at least one witness has been supplied. Which witness would be used in computations is of no consequence and can be arbitrarily chosen without any problems. We can therefore conclude that the correspondence

14 Technical University Eindhoven 2.1. Unrestricted Union and Intersection Types Master’s Thesis

between conjunctions and intersections is just as valid as the correspondence between conjunctions and products. The same argument can be made for unions and sums.

∨ 2.1.3. Challenges of λ∧ ∨ In the previous section, we have seen that λ∧ is very powerful. As most know, however, there can be no light without darkness. This calculus is not exception to this rule. In this ∨ section we will discuss some of the challenges in making λ∧ viable for practical use, and how we can solve or mitigate these challenges.

2.1.3.1. Undecidability of typing

∨ As stated earlier, the original motivation for λ∧ was to create a type system that can type more terms than the simply typed lambda calculus, while remaining strongly normal- ∨ izing (i.e. for every typable term in λ∧, there is no inﬁnite sequence of β-reductions). The theorem below shows that this goal was met exceptionally well. For this, we of ∨ course have to show that λ∧ is indeed strongly normalizing. In Section 4.1.3 on page 39 ∨ a proof of the strong normalization of the call-by-value evaluation strategy for λ∧ can be found. For the purposes of this section, we need the strong normalization of the general β-reduction relation, however.

∨ Theorem 1 (strong normalization of all typed terms) Let t be a term typable in λ∧ with some type τ and context Γ . Then there is no inﬁnite sequence of β-reductions for t. 2

PROOF Since the proof is very similar to the strong normalization proof we give for the call-by-value evaluation strategy in Section 4.1.3, we will omit this proof. A proof for intersection types without unions and a merge operator is given by Ghilezan [11]. ∨ For λ∧ a direct proof is not possible because no traditional operational semantics for ∨ this calculus exist. However, in Chapter4 on page 32, we will show how λ∧ can be elaborated into algebraic datatypes. Therefore, this theorem is a corollary of the strong normalization of algebraic datatypes [12]. All these proofs are relatively minor variations of the original proof of the STLC by Tait [13].

∨ The interesting part of λ∧ is that we can also show the reverse of this theorem.

Theorem 2 (typing of all strongly normalizing terms) Let t be strongly normalizing un- ∨ der β-reduction. Then t is typable in λ∧ with some type τ and context Γ . 2

PROOF A proof for intersection types without unions and a merge operator is again ∨ given by Ghilezan [11]. Because every term typable in this calculus is also typable λ∧, ∨ this proof will also hold for λ∧. We give a short overview of the proof given by Ghilezan. The proof consists of three parts:

• Showing that all terms that are in normal form (irreducible terms), are typable in ∨ λ∧. This can be done by induction on the structure of irreducible terms.

Department of Mathematics and Computer Science 15 Master’s Thesis 2. Background

• Showing a reverse subject reduction property. Let the term t reduce to u in one step by contracting the redex (λx.v) w. If u is typable as τ under context Γ and w is also typable under Γ , then t will also be typable as τ under this context. This can be shown by induction on t and the size of τ.

• Finally, the full proof is performed by induction on the combined length of all possible β-reductions of t, denoted as n(t). If n(t) = 0, then t must be in normal form, and is therefore typable. In the step case, there must be a possible reduction of t to some term u by contracting a redex (λx.v) w in t. Now it must be the case that n(w) < n(t) and n(u) < n(t). Therefore, it follows by the induction hypothesis that both w and u are typable under contexts Γ1 and Γ2. One can then show that both terms are also typable under the union of these contexts (if a variable x occurs typed as ρ in Γ1 and φ in Γ2, one simply takes the intersection of these types). The proof is then completed by the reverse subject reduction property.

It should be noted that this proof only works for general β-reductions. If we use the call-by-value evaluation strategy, we can no longer type all strongly normalizing terms. A simple counterexample can be found by taking a diverging term, say Ω, and ∨ wrapping it in a λ-abstraction λx.Ω. Since Ω is not typable in λ∧, the wrapper term is also not typable. However, because the call-by-value strategy is not allowed to reduce under λ-abstractions, this term is trivially in normal form. At ﬁrst sight, the fact that we are able to type exactly all strongly normalizable terms seems to be very exciting and interesting. It is, however, the culprit of some ∨ quite crippling problems with λ∧. To see this, we note the famous result by Turing establishing the Turing-completeness of (untyped) lambda calculus [14]. This means that the undecidability of the halting problem applies to lambda calculus. It should be clear that the idea of a “halting” lambda expression coincides approximately with the concept of strong normalizability. This therefore makes strong normalization an undecidable property. It then follows easily from Theorems1 and2 on the preceding page that type checking–and by extension type inference–is also undecidable. ∨ This fact makes λ∧ rather unattractive for a practical programming language, because any algorithm that checks the correctness of a program must necessarily be incomplete or incorrect. Below we explore some options to overcome this obstacle.

Rank-k Intersection Types A possible solution is to restrict the locations where intersection types are allowed to occur. There are multiple variants of such a system. The one discussed here is based on a paper by Kfoury et al. [15]. They use a different syntax to ∨ define intersection types, but the results are not difficult to transfer to λ∧. A rank-k intersection type is a type such that no intersections occur to the left of more than k arrows (→). This is easiest to visualize on the abstract syntax tree of a type, see Figure 2.1 on the next page. The formal definition is as follows.

16 Technical University Eindhoven 2.1. Unrestricted Union and Intersection Types Master’s Thesis

→ times left of at most k ≤ k arrows j → τ j

→ τ2

∧ τ1

α β

Figure 2.1.: The abstract syntax tree of a rank-k intersection type.

Deﬁnition 1 (rank-k intersection types) Let k ∈ N and τ be a type. We say that τ is a rank-k intersection type if the predicate rank(τ, k) holds:  true if τ is primitive  false if τ = σ ∧ ρ and k ≤ 0  rank(τ, k) = rank(σ, k) ∧ rank(ρ, k) if τ = σ ∧ ρ and k > 0 2  rank(σ, k) ∧ rank(ρ, k) if τ = σ ∨ ρ  rank(σ, k − 1) ∧ rank(ρ, k) if τ = σ → ρ

It should be noted that in order for a type τ to belong the the “class” of rank-k intersection types, it does not actually need to contain an intersection type. The type α → β → γ, does not contain intersections, but does nonetheless belong to the rank-k intersection types, for any k. Given this deﬁnition, we can now state the following result: ∨ Theorem 3 Type-checking and type-inference is decidable for λ∧ if the types used in type- derivations are restricted to rank-k intersection types, for some k. 2

PROOF A formal proof of this theorem is given by Kfoury et al. [15] by providing an actual type-inference algorithm that is then proved to be correct and terminating. We will not repeat the algorithm here. We only note that if a term is rank-k typable, then there exists a function l(k) that bounds the number of β-reductions that can be performed on t. Therefore, the halting problem is decidable again, because we can simply reduce t up to l(k) times to see if it halts. The result above makes it possible to create a practical programming language with ∨ λ∧. Note however that the rank-k restriction means that we are no longer able to type all strongly normalizing terms. One might ask how expressive this new lambda calculus now is. For some statements about this expressivity we refer the interested reader to Kfoury et al. In practice, however, it is certainly the case that for large enough k, the calculus can be used quite effective. This is especially true when combining intersection types with parametric polymorphism as has been done by Pierce [16].

Department of Mathematics and Computer Science 17 Master’s Thesis 2. Background

∨ Church-style Variants of λ∧ Until now, we have discussed a so-called Curry-style ∨ variant of λ∧. In a Curry-style calculus, the variables of a lambda abstraction are not given an explicit type. Contrasting this, a Church-style calculus has explicitly typed lambda expressions (explicitly here means that it is part of the grammar and is not given merely as a hint to the type-checker). Normally, this is done by giving every variable a type when it is bound by a λ-abstraction, see for example the term λx:τ.t. ∨ Such a deﬁnition leads to problems in the context of λ∧, however. Consider the term λx.x. We wish to state this term in the Church-style, while giving it the type σ → σ ∧ τ → τ. We immediately run into trouble when creating a proof-tree, as can be seen below. Γ ` (λx:τ.x) : σ → σ Γ ` (λx:σ.x) : τ → τ Γ ` (λx:? .x) : σ → σ ∧ τ → τ It is impossible to give x a type that is suitable for both branches of the proof-tree. A solution to this problem is presented by Reynolds [7]. Instead of annotating a variable with one type, Reynolds allows for a list of types, denoted by σ1|σ2| ... |σn. In order to use this new syntax, the normal typing rule for λ-abstractions needs to be changed.

Γ , x:σi ` t:τ

Γ ` (λx :σ1|σ2| ... |σn.t) :σi → τ This new rule states that when we have a λ-abstraction, we may select an arbitrary type from the typelist of the abstraction. Any type obtained for the abstraction by this selection is a valid typing. It is not difficult to see that the Church-style term for the example above is (λx:τ|σ.x) :σ → σ ∧ τ → τ. Although we do not discuss them further, a number of extensions, improvements and alternatives to Reynolds’ system have been proposed [16, 17, 18]. ∨ The main reason why a Church-style version of λ∧ is interesting is that, unlike the Curry-style system, typechecking is trivially decidable. This is because every variable has a finite number of possible types, and therefore every subterm has a finite number of possible types. It should be noted, however, that type-checking has a worst-case running time that is exponential in the number of lambda abstractions in the term to be checked, since there is potentially a lot of backtracking that has to be performed in the abstraction-rule above. There is a lot of confusion in the literature about the expressiveness of the Church- ∨ style version of λ∧. Wells and Haack [18] claim that not all terms that can be typed in the Curry-style can be typed Church-style. This is also hinted at by Barendregt [19]. Although all authors appear to be referring to the same category of type-systems, this view is contradicted by Reynolds [7] and Pierce [16]. With the rules as presented above, it does indeed appear that the Church and Curry styles are equally expressive. The confusion about this topic seems to stem from a different interpretation of the abstraction rule above. Wells and Haack take this rule to mean that the term t should be typable as τ under the assumption x:σi for each i. This is contrasted by Reynolds, who only requires one of the types in σ1|σ2| ... |σn to correctly type t as τ.

18 Technical University Eindhoven 2.1. Unrestricted Union and Intersection Types Master’s Thesis

Although the latter interpretation is the original one, there is something to say for Wells and Haack’s view because under this paradigm it is only possible to assign exactly one type to every term. In order to have this beneﬁt we do, however, have to give up a lot of expressiveness.

Bidirectional Typechecking As we have seen in the previous section, adding types to ∨ λ∧ makes typechecking decidable. An unfortunate side-effect of this is that the programmer now has to manually give types to all variables in the program. A compromise between Church and Curry styles can be found in the concept of Bidirectional typechecking. The main idea of this concept is that instead of a type judgement of the form Γ ` t:τ, one has two separate inference methods:

Checking Γ ` t ⇐ τ: Checks that type τ can be assigned to t under assumptions Γ . Here τ, t and Γ are all inputs to the checking procedure.

Synthesizing Γ ` t ⇒ τ: Synthesizes type τ from term t and context Γ . Here t and Γ are inputs and τ is produced.

The separation of checking and synthesizing allows one to add type-hints in a term at locations where the type-inference algorithm would not otherwise be able to deduce the correct type. Adding the type-hint means that synthesizing a term can be simpliﬁed to just checking that the type that is hinted at is valid. The crucial difference with a Church-style system is that it is now only necessary to annotate a term that cannot be inferred by the type-checking algorithm. The concept of bidirectional type-checking has been developed for intersection types by Dunﬁeld and Pfenning [6]. The rules for such a system can be found below.

Γ , x:τ ` t ⇐ σ Γ ` t ⇒ σ → τ Γ ` u ⇐ σ Γ , x:σ ` x ⇒ τ Γ ` (λx.t) ⇐ σ → τ Γ ` t u ⇒ τ

Γ ` t ⇐ τ Γ ` t ⇐ σ Γ ` t ⇒ τ ∧ σ Γ ` t ⇒ τ ∧ σ Γ ` t ⇐ τ ∧ σ Γ ` t ⇒ τ Γ ` t ⇒ σ

Γ ` t ⇒ τ Γ ` t ⇐ τi

Γ ` t ⇐ τ Γ ` (t:τ1|τ2| ... |τn) ⇒ τi Note that if we replace the symbols ⇒ and ⇐ with :, the rules above are the same as the normal rules one would expect for such a calculus, with the exception of the last two rules, which introduce type hinting. The separation into checking and synthesizing is only added so that we can restrict the rules such that they can be applied in a syntax- directed way (meaning that type-checking is decidable). Whenever it occurs that the rules can only check a term, while it needs to be synthesized, the programmer can add an annotation to the term, after which the last rule can be applied. For the same reasons as explained in the previous section, this rule accepts a list of type-hints instead of just one type.

Department of Mathematics and Computer Science 19 Master’s Thesis 2. Background

Using the rules as shown above, a type-hint is required on every redex of a term (as can be readily seen from the corresponding rule). This makes this system arguably less usable than a Church-style calculus. It is, however, possible to construct more elaborate rules in which less hints are required [6,4].

2.1.3.2. Principal Typing

For practical programming languages, it is quite important that programs can be written in a modular fashion. This means that it is also required that different modules of a program can be type-checked and compiled separately, so that they can be reused and combined later without having to recompile the whole (potentially very large) code-base. In order to achieve maximal reusability of a module, we wish to assign the functions in these modules the most generic type possible. If a term has a most general type, this type is called the principal type of the term. A good overview of principal typing is given by Wells [20]. The basic deﬁnition is as follows. Deﬁnition 2 (principal typing) Let t be a term in some lambda calculus. A context Γ and type τ in the same calculus with Γ ` t:τ is a principal type of t under the following condition: If there is another context Γ 0 and type τ0 such that Γ 0 ` t:τ0, then there must be a series of type-substitutions that transform Γ into Γ 0 and τ into τ0. More precisely, there must be a series of substitutions [α 7→ σ][β 7→ ρ] ... such that Γ 0 ⊇ Γ [α 7→ σ][β 7→ ρ] ... 0 and t = t[α 7→ σ][β 7→ ρ] ... 2

Such principal typings are important, because if one can show that if every term in a lambda calculus has a principal typing, we can give all terms in a module its principal type. If a second module then wishes to interface with this module, and it requires a function to be typed with a different type, this type can be obtained simply by performing one or more substitutions in the principal type. Because of this, the principal typing property also represents a major step towards having decidable type-checking [20]. ∨ The λ∧ calculus is to powerful for principal typing to hold as it is stated above. A counterexample is easily obtained with the term λx.x, which can be typed with an arbitrary amount of intersections α → α ∧ β → β ∧ ... It is clear that it is impossible to use a type-substitution to obtain extra or fewer intersection clauses in this type. Therefore, no principal type for this term can exist. It should be noted, however, that the deﬁnition of principal typing is rather arbitrary in that it only allows substitution operations to be performed on types. Some work has been done to loosen the deﬁnition of principal typing somewhat to also allow other “desirable” transformations of types. Several different approaches along these lines lead to a system with intersection types that admits principal types. These systems have had only had limited practical success, however. For an overview, we refer to Wells [20]. Another, more practical solution to this problem comes from parametric polymorphism. It is well-known that λ2 admits principal typings, while the more general System F does not [20]. Many programming languages that support System F will perform type-inference only within the λ2 fragment. The full power of System F can only be leveraged when a programmer supplies an explicit type. A similar approach can be

20 Technical University Eindhoven 2.1. Unrestricted Union and Intersection Types Master’s Thesis

used for intersection types, by adding parametric polymorphism to the calculus. In order to assign types to a term, one uses parametric polymorphism for the output type as much as possible, because we wish to use the output of a function in as much places as possible. Conversely, for input types, we try to use intersection types because we wish to impose the least amount constraints on the input we give to functions. As an example, let us consider the term

(λ f . f 5 ⊗ f true)(λx.x).

In order to type this, one would ﬁrst consider the term λx.x. Since we wish to maximize the places where the output for this function can be used, we give it the type ∀α.α → α. For λ f . f 5 ⊗ f true, we note that the argument f is used twice, with differently typed arguments. We want to use intersection types for the input types of f in order to keep them as speciﬁc as possible. The output of f is directly used in the output of the whole term, so we want to keep it as general as possible. A good type for the complete term is therefore ∀α, β.(N → α ∧ B → β) → α ∧ β. In order to make this work, such a type-systems must make sure that ∀α.α → α is a subtype of N → α ∧ B → β. Although such a combination of intersection types and parametric polymorphism still does not admit principal typing, this can work quite well in practice. For further information on such calculi, we refer to Pierce [16].

2.1.3.3. Conﬂuence and Coherence

∨ In Section 2.1.2.3 on page 13 we already identified a major problem with λ∧: it is not confluent. This can be seen using the example 5 + (1 ⊗ 2), which can reduce to both 6 and 7, or possibly even 6 ⊗ 7. The problem here is that 1 ⊗ 2 represents two different integers at the same time, and there is no way to differentiate them. We therefore either have to make an arbitrary choice to reduce to either 6 or 7, or make the choice to make our language aware of the non-determinism, and keep track of all possibilities by reducing to 6 ⊗ 7. The first option is undesirable because we have to make an arbitrary choice. The second choice could be an interesting option if one wanted to create a non-deterministic language. In most practical situations this would lead to problems, however. The question arises, for example, what would happen if one tried to print 6 ⊗ 7. Printing a list of numbers might be undesirable here, because the type-system indicates that this term holds a single integer. In the context of unrestricted intersection types, this lack of confluence is referred to as the coherency problem by Reynolds [21]. He proves that the language Forsythe [7], a very restricted version of the calculus presented here, is coherent. For the general version ∨ of λ∧, Dunfield [4] takes the practical approach to this problem by simply taking the left part of a merge whenever an ambiguity arises. Dunfield does acknowledge, however, that this is quite an ad-hoc solution which is asking for a more principled approach. One attempt to do this is given by S. Oliveira, Shi, and Alpuim [22], who introduce the concept of disjoint intersection types. The main idea here is to only allow two terms to be merged if their types have no common supertype. By doing this, one makes sure that the terms in a merge can always be distinguished by their types. This does indeed make

Department of Mathematics and Computer Science 21 Master’s Thesis 2. Background

the calculus coherent. Such a restriction makes the calculus much less useful, however. A ﬁrst problem is that the subtyping relation of the type system can no longer form a lattice. If this was the case, every two types would have a common supertype and no two types could ever be merged. Note, however, that S. Oliveira, Shi, and Alpuim do provide a solution to this problem for the special case of a top-type. Another hurdle is that this restriction makes it essentially impossible to work with union types. To see this, consider a term u typed as N ∨ B. The only meaningful way to use this term is to supply it to a term t of type N → α ∧ B → α. This application t u essentially performs a pattern-matching operation: The term t is the merge of two functions. If u contains a number, we use the left part of this merge. Otherwise, if u contains a boolean, we use the right part. The problem here is that the types N → α and B → α contain a common supertype, namely (N ∧ B) → α. This means that this type is uninhabitable, which in turn means that we will never be able to pattern match on ∨ union types. The conclusions is therefore that the coherence of the full λ∧ remains an open problem.

2.2. Models for Computational Eﬀects

Most functional programming languages work in a purely functional setting, were absolutely no observable side-effects may occur. It has been widely documented that such referentially transparent programs are simpler to reason about and therefore contain fewer bugs. Despite this, even proponents of purely functional languages agree that having in-place modifiable state is necessary in some cases [23]. One reason is that there is often a performance gain when using mutable state, either because an algorithm depend crucially on mutable state or because mutable implementations can simply be more easily optimized to run efficiently on current hardware. Examples of algorithms that have no efficient pure implementation include the Union-Find algorithm [24] and most algorithms that have to mutate graphs, such as trapezoidal decompositions [25]. It should be noted, however, that any algorithm can be simulated in a purely functional setting with at most logarithmic slowdown, because we can imitate mutable memory with an updatable binary tree. Nonetheless, this can still lead to impracti- cally slow programs because the hidden constants of binary trees are rather large. An additional argument for explicit mutation is that some programming problems are so in- herently mutable that shoehorning them into a purely functional setting is unnecessarily complicated. In this section we describe a number of different approaches to model computational effects in λ-calculus. Although many different forms of computational effects exist, we are mainly interested in the ability of a programming language to have updatable state, often by reading and writing to a key-value store. Access to this store is regulated by different evaluation strategies, some of which we will discuss below.

22 Technical University Eindhoven 2.2. Models for Computational Eﬀects Master’s Thesis

2.2.1. Pass by Reference

One of the most unstructured models for computational effects is the so-called pass-by- reference evaluation strategy. In this model, the arguments that are passed to a function will not be copied when they are passed onto the stack. Instead, an implicit pointer to the memory location that holds the arguments is created, which is placed onto the stack instead. When a function then modifies the contents of a variable, the original caller of the function can directly observe this mutation simply by evaluating the contents of the variable. This means that in addition to the normal return value of a function, one can create many more communication channels between the caller and callee, simply by mutating the arguments of the called function. It should be clear that this paradigm is very flexible. The downside is, however, that it becomes rather difficult to reason about the behavior of a program. Whenever a function is called, it is impossible to determine if the arguments to this function will be changed, without examining the source-code of this function. This can lead to subtle and unexpected bugs.

2.2.2. Reference Types

A somewhat more structured approach to mutation employs reference types. An example of such a system is the C programming language. Here a standard pass-by-value evaluation strategy is used, where arguments are fully evaluated and copied before being passed to a function. It is, however, possible to emulate the effect of pass-by-reference by taking an explicit reference to an argument. Such a reference does not have the same type as the value it references. Instead the type must be decorated with an indication that we are dealing with a reference. Since a pointer is essentially a number that indicates a location in memory, this pointer is treated as one would normally treat a number in a pass-by-value language (in C it is even possible to use pointer arithmetic). In order to access the value referenced by the pointer, one then uses a so-called dereferencing operation. The main advantage of reference types over the pass-by-reference strategy is that everything is more explicit. A function that wishes to receive a reference as an argument must explicitly indicate this in its type information. Reading and updating this function is also explicit using the dereferencing operation. This makes references strictly opt-in, which means that parts of a program where we do not use them remain easy to reason about, while we can still harness the full power of references. In the functional realm, a very similar method is employed by impure languages. The most standard approach here is the one taken by Standard ML. This is again a normal pass-by-value language, equipped with a reference type-constructor denoted by α ref. In order to create a term of this type, one initializes a new cell in the key-value store using the special syntax ref v. Now, if v is a value of type α, this expression populates a new memory cell with v and then evaluates to a reference to this cell, which is of type α ref. One can then use a term t of type α ref, by dereferencing it using the syntax !t, which retrieves the correct value from memory, or by replacing the value in memory

Department of Mathematics and Computer Science 23 Master’s Thesis 2. Background

using the syntax t := u. An example of a program that mutates a cell is the following.

let b = ref 5 in b := (3+!b); !b

This program has the same behavior as the example we gave in Section 2.1.2.2 on page 12. Hence, it ﬁrst creates a memory cell containing the number 5. A reference to this cell is stored in the variable b. We then retrieve the stored value, add it to the number three and place the result in the memory cell. Finally, we again retrieve the contents of the cell, resulting in the number 8.

2.2.2.1. Reference Types and Intersection Types

In a language with a simple type-system, such as the STLC, this approach to mutation works fine. Problems start to appear when adding more complex types such as parametric polymorphism or intersection types. The problem was first found for parametric polymorphism by Gordon, Milner, and Wadsworth [26] and later for intersection types by Davies and Pfenning [27]. In order to fully illustrate the problem and possible solutions, we now introduce a very minimal ML-like calculus with reference types, intersection types and natural numbers. The grammar of a type in this calculus is defined as follows.

+ T ::= V | (T → T) | (T ref) | (T ∧ T) | N | N V ∈ Var

The grammar of a term is deﬁned as follows.

t ::= v | n | (t t) | (λv.t) | (ref t) | (!t) | (t := t) v ∈ Var n ∈ N

These syntactical elements already ask for quite an elaborate type system. For the purposes of this demonstration, we will only introduce the rules that are absolutely necessary, however.

24 Technical University Eindhoven 2.2. Models for Computational Eﬀects Master’s Thesis

x:τ ∈ Γ Γ , x:σ ` t:τ Γ ` t :σ → τ Γ ` u:σ Γ ` x:τ Γ ` λx.t :σ → τ Γ ` t u : τ

Γ ` t:τ Γ ` t:σ Γ ` t : τ ∧ σ Γ ` t : τ ∧ σ Γ ` t : τ → σ1 ∧ τ → σ2

Γ ` t : τ ∧ σ Γ ` t:τ Γ ` t:σ Γ ` t : τ → (σ1 ∧ σ2)

Γ ` t:τ Γ ` t : τ ref Γ ` t : τ ref Γ ` u:τ Γ ` ref t : τ ref Γ ` ! t : τ Γ ` t := u : τ

+ Γ ` t:N n > 0 + Γ ` t:N Γ ` n:N Γ ` 0:N

Apart from the standard rules, we include very simple rules for integers, rules that deal with reference types, introduction and elimination rules for intersection types, and finally a rule that distributes intersections over arrows (the reason for including this last rule will become clear shortly). Because we have mutation in this language, we need the evaluation strategy to be call-by-value (otherwise the calculus would not be confluent). With this in mind, we define the set of values in this calculus simply by the set of variables and the set of terms that have an outermost λ-abstraction. This is because under the call-by-value strategy it is not allowed to reduce under a λ-abstraction. In order to model the mutation, we introduce a key-value store Σ, that maps variables to terms. The evaluation strategy is then defined as a mapping between pairs of a store and a term. Such a pair is denoted as Σ . t. The rules are as follows:

Σ . t 7→ Σ . t0 Σ . u 7→ Σ . u0 t ∈ Value u ∈ Value Σ . t u 7→ Σ . t0 u Σ . t u 7→ Σ . t u0 Σ . (λx.t) u 7→ Σ . t[x 7→ u]

Σ . t 7→ Σ . t0 t ∈ Value x:t ∈ Σ (x ∈/ Σ) Σ . ref t 7→ Σ . ref t0 Σ . ref t 7→ Σ , x:t . x Σ . ! x 7→ Σ . t

Σ . t 7→ Σ . t0 Σ . u 7→ Σ . u0 u ∈ Value Σ . t := u 7→ Σ . t0 := u Σ . x := u 7→ Σ . x := u0 Σ . x := u 7→ Σ , x:u . u

We can now give a simple program that illustrates the problem with this calculus:

let b = ref 1 in b := 0; ! b

It should be clear from the operational semantics that this program evaluates to 0. The problem is, however, that we can assign this program the type N+, which means that

Department of Mathematics and Computer Science 25 Master’s Thesis 2. Background

the calculus does not preserve typing under reduction. To see how this is the case, we ﬁrst expand the deﬁnitions of the let-syntax and the statement separator:

(λb.(λx.λy.y)(b := 0) ! b) ref 1

We can now give the term ref 1 the following type.

1 > 0 + · ` ref 1 : N ref 1 > 0 + · ` ref 1 : N ref · ` ref 1 : N ref + · ` ref 1 : N ref ∧N ref

Correspondingly, if we stipulate that Γ = {b:N ref ∧N+ ref}, we can type the term λb.(λx.λy.y)(b := 0) ! b as follows.

+ b : N ref ∧N ref ∈ Γ + Γ ` b : b : ref ∧ + ref b : N ref ∧N ref ∈ Γ · N N · Γ ` ∧ + · Γ ` b : N ref Γ ` 0:N b : b : N ref N ref + + + Γ ` (λx.λy.y) : N → N → N Γ ` b := 0 : N Γ ` b : N ref + + + Γ ` (λx.λy.y)(b := 0) : N → N Γ ` ! b : N + + · ` (λb.(λx.λy.y)(b := 0) ! b : (N ref ∧N ref) → N

Combining these derivations leads to the problematic typing. The intuitive problem with this derivation is that the assignment operator :=, is not invariant in the type of b. This allows us to remove clauses from an intersection type. In this case, we remove the constraint that b should be positive. At ﬁrst sight, this might seem to be trivial to solve. If we could just make the typing rule for assignment invariant, our problem is solved. This is not easily done, however, because our grammar allows the term t in the assignment t := u to be arbitrary. Therefore, we cannot require the type of t to be invariant, because type-rules “above” the assignment rule will already had the chance to weaken the type of t before the assignment rule gets involved. One might then try to only allow t to be a variable, instead of an arbitrary term. We can then adjust the typing rule as follows.

x : τ ref ∈ ΓΓ ` u:τ Γ ` x := u : τ

This would indeed make the rule invariant. However, now our type system is incomplete, because it is still possible to make terms like (λx.x) ref y, that are typable as a reference. Since these terms are not variables, we could never use these terms in an assignment. Davies and Pfenning [27] do present a working solution to this problem. They do not allow reference types to occur directly below intersection types. That is, the type

26 Technical University Eindhoven 2.2. Models for Computational Eﬀects Master’s Thesis

α ref ∧β ref is not allowed, because the reference types occur below a reference type. However, we allow the type α → (β ref) ∧ γ → (φ ref), because now the reference is no longer directly below the intersection. Using this restriction, it is now possible to prove that the pathological case presented above can never occur. This leaves us with only one hurdle, namely the rule that distributes intersections over arrows. Using this rule, we can circumvent the imposed restriction as follows.

Γ ` t :α → (β ref) ∧ α → (γ ref) Γ ` t :α → (β ref ∧γ ref)

The only way to solve this problem, is to completely remove this rule, which means that our calculus becomes less expressive. A solution that manages to keep the full expressivity of the calculus is given by Dezani-Ciancaglini, Giannini, and Rocca [28]. They keep track of types that contain a reference type using a kind-system. This information can then be used to more precisely restrict which types are allowed where. Although this completely solves the problem, the result is a much more complex type-system.

2.2.3. Pass by Sharing

A third possible model for computational effects is an evaluation strategy originally coined as pass-by-sharing by Liskov et al. [29]. In this model no reference types exist. Instead, as the name suggests, all communication happens by mutating shared objects. Although the term pass-by-sharing is quite obscure, this model is used almost universally by object oriented programming languages like Java and C#. In some sense pass-by- sharing takes the middle ground between pass-by-reference and reference types. Like pass-by-reference, all references are implicit and do not have to be dereferenced in order to be used. All arguments to a function are also automatically passed as a reference, which means that we no longer need reference types. However, contrary to what happens with pass-by-reference, we do make a copy of the argument before we take the reference. Because a function always receives a reference to a fresh copy of its arguments, it is impossible to directly communicate with the caller through the parameters. This means that it is much easier to reason about code than with pass-by-reference. Because we have no reference types in this paradigm, it is now actually possible to use the following invariant type rule for assignment.

x : τ ∈ ΓΓ ` u:τ Γ ` x := u : τ

The invariance of this rule prevents any of the problems we encountered in the previous section. For a complete formalization of pass-by-sharing, we refer to Chapter5 on page 60. Since we can no longer use direct communication between caller and callee, one might then ask how this communication happens instead. For this, we go back to the concept

Department of Mathematics and Computer Science 27 Master’s Thesis 2. Background

of a box we saw in Section 2.1.2.2 on page 12. O λs:get.x ^ get → α box ≡ λx:α. :α → α λs:set.λx0:α.x := x0 set → α → >

When such a box is passed around using pass-by-sharing, the box is copied every time. However, because this copy is shallow, the closure x of the box is not copied. Hence, all copies of the box hold a reference to the same closure, and by reading and writing to this closure, these copies can communicate with each other. Another question is how expressive the pass-by-sharing paradigm is compared to reference types. This question is also easily answered with the existence of the box construct, which is a direct correspondence with reference types. Let t1 be a box of type get → α ∧ set → α → > and t2 be a reference of type α ref. The dereferencing operation ! t2 can be simulated using t1 get and the assignment operation t2 := u can be simulated using t1 set u. Hence, we can view a reference type as syntactic sugar around the box-construct, which makes pass-by-sharing just as powerful as reference types. In the functional world, both in academia and the industry, there is almost no use of pass-by-sharing. This is rather strange, because active research is being done in trying to solve the problems explained in the previous section. It seems that using the pass- by-sharing paradigm is an alternative that completely circumvents all these problems without signiﬁcant downsides. In this thesis we will show that pass-by-sharing is indeed a viable alternative.

28 Technical University Eindhoven Master’s Thesis

3. Preliminaries

∨ In the next few chapters we will give a formalization of λ∧ both with and without intersection types. All of the proofs presented here have been formalized in the Coq proof assistant [30]. For every definition and proof we give reference to the corresponding Coq definition in the appendix. There are some differences between the paper proof and the mechanized proof. On paper, we use a traditional presentation of the λ-calculus, while the Coq-code uses a method developed by Aydemir et al. [31] and Charguéraud [32] named the locally nameless representation with co-finite quantification. At its heart, this method uses de Bruijn indices [33] in order have a unique representations of term and to alleviate the need to perform α-conversions. However, in order to keep the style of reasoning somewhat similar to the traditional method, normal variables are used for unbounded variables. Another major difference is the use of co-finite quantification in the typing rule for λ-abstractions. As noted by Charguéraud [32], there are two basic ways to implement this rule with de Bruijn indices.

x ∈/ fv(t) ∪ dom(Γ ) Γ , x:σ ` tx : τ ∀x, x ∈/ fv(t) ∪ dom(Γ ) Γ , x:σ ` tx : τ Γ ` λt :σ → τ Γ ` λt :σ → τ

Note that tx represent the substitution of variable x into the lowest de Bruijn index. Both these rules are valid, and it can be shown that if we use one rule, the other rule is admissible. The first rule is useful when building a type-derivation because we only have to prove the rule for one variable x. On the other hand, the second rule is useful when analysing the structure of an existing derivation, because the rule holds for all variables x. With co-finite quantification, one chooses a middle ground between these rules. ∀x, x ∈/ L Γ , x:σ ` tx : τ Γ ` λt :σ → τ Here, L is a finite list of variables that can be freely chosen. We must now prove the rule for all variables x, except for those in L. Under this rule, the first rule above can be shown to be admissible. This can be seen because there will always be a variable x ∈/ L such that x ∈/ fv(t) ∪ dom(Γ ). Since these rules imply each other, the second rule is then also admissible. We refer to Charguéraud [32] for a very in-depth treatment of this style of formalization. Note that because all our proofs have been formally verified, we will permit ourselves some hand-waving for the paper version. We will often omit the proof of simple lemma’s, omit trivial lemma’s entirely, and only discuss the interesting cases of more complicated theorems. The rule of thumb here is that the paper proof version is mainly intended to

Department of Mathematics and Computer Science 29 Master’s Thesis 3. Preliminaries

be understandable. We invite readers who are interested in the nitty-gritty details to read the mechanized proof. In the remainder of this chapter we describe the standard definitions and conventions that are part of any lambda calculus and are therefore shared by the different calculi introduced in the next chapters. Because we will be defining multiple different λ-calculi, we will give various definitions and relations the same name between the different calculi. Whenever it is ambiguous to exactly which definitions we refer, we will disambiguate this by adding the name of the relevant calculus as a subscript.

Deﬁnition 3 (variables) var on page 86 The set Var contains an inﬁnite set of variables, distinguishable using an equality operator (=). 2

Convention 1 When describing variables on the term-level, we mostly use lowercase letters from the end of the Latin alphabet (x, y, z). For variables on the type-level we use lowercase letters from the start of the Greek alphabet (α, β, γ,...).

In order to describe all shared deﬁnitions of all calculi we will stipulate that the grammar of the types of every calculus contains at least variables and functions.

T ::= V | (T → T) | ... V ∈ Var

Furthermore, the grammar of a term in every calculus consists of at least variables, application and lambda abstractions.

t ::= v | (t t) | (λv.t) | ... v ∈ Var

Convention 2 Metavariables describing terms will usually be denoted using lowercase Latin letters from the middle of the alphabet (t, u, v). Metavariables describing types are taken from the middle of the lowercase Greek alphabet (ρ,σ, τ,...).

Convention 3 The function constructor τ → σ is taken to be right-associative. Conversely, the application t u is take to be left-associative. The parentheses around the outer-most lambda abstraction of a term are allowed to be omitted.

Deﬁnition 4 (context) context on page 91, context on page 117, context on page 128 A context Θ is a (ordered) mapping from variables to some item. Appending a variable x and item k to the context Θ is denoted by Θ, x:k. Note that if the variable x already exists in Θ, then Θ, x:k updates this mapping to k. Two contexts Θ1 and Θ2 can be concatenated using Θ1, Θ2. We use the notation Θ1, x:k, Θ2 to refer to a list that contains a mapping from x to k. However, for the sake of legibility, we will also use the notation x:k ∈ Θ to assert that x is contained in Θ. 2

30 Technical University Eindhoven Master’s Thesis

Deﬁnition 5 (typing context) A typing context Γ is a mapping between variables and types. 2

Deﬁnition 6 (subtyping context) A subtyping context ∆ is a mapping between variables and a pair of types. It contains assertions of the form σ 4 α 4 τ, meaning that type variable α is a supertype of σ and a subtype of τ. 2

Deﬁnition 7 (coercion context) A coercion context ∆ is an extension of a subtype context, that in addition to subtype assertions also contains witnesses of these assertions. It contains assertions of the form t ←- σ 4 α 4 τ ,→ u, that again type variable α is a supertype of σ and a subtype of τ. The terms t and u should be functions witnessing these assertions by providing conversions respectively between terms of type σ and α and between terms of type α and τ. 2

Deﬁnition 8 (store) A store Σ is a mapping between variables and terms. 2

Deﬁnition 9 (free variables) fv on page 94, fv on page 109, fv on page 119, fv on page 135 The set fv(t) of free variables of term t is deﬁned as the set of variables in t that are not bound by a λ-abstraction in t. 2

Deﬁnition 10 (substitution) subst on page 93, subst on page 108 The substitution t[x 7→ u] denotes the term that results from substituting u at every occurrence of x in t. 2

Convention 4 (Barendregt convention) Whenever we are working with some terms t, u,..., v, we choose all bound variables in these terms such that they are different from all free variables in any of the terms. Note that this convention guarantees that when substituting variables, we avoid the unwanted capture of bound variables.

Deﬁnition 11 (α-conversion) The α-conversion of a lambda abstraction λx.t with variable y is the term λy.t[x 7→ y]. 2

Note that because the mechanized proof uses de Bruijn indices, there is not equivalent for α-conversion in the Coq-code

Deﬁnition 12 (α-equivalence) Two terms t and u are α-equivalent if there exist a series of α-conversions of the lambda abstractions in t that make t and u equal. 2

Convention 5 Whenever we compare two terms for equality, we always do this modulo α- equivalence. When proving the equivalence of two terms, we will always perform α-conversions implicitly.

Definition 13 (reflexive transitive closure) Given a relation R, we denote R∗ to be the reflexive transitive closure of R. 2

Department of Mathematics and Computer Science 31 ∨ Master’s Thesis 4. Formalization of λ∧

∨ 4. Formalization of λ∧

As explained in Section 2.1.1.2 on page9, the main challenge with the formalization of ∨ λ∧ is defining the appropriate operational semantics. This is problematic because the behavior of the merge operator is dependent on the type information that accompanies a term, which makes it impossible to give an accurate evaluation strategy using traditional operational semantics. Instead, we will use a method invented by Dunfield [4] that first uses the type deriva- ∨ tion of a term in λ∧ to elaborate it to a calculus with algebraic datatypes, which we + will denote by λ×. As we saw in Section 2.1.2.3 on page 13, algebraic datatypes map quite closely to union and intersection types. The major difference is that algebraic datatypes have explicit injections and projections, while unions and intersections do not. Information about the selection of the left or right part of a merge, that was earlier encoded within the type derivation, can now be conveniently translated into injections + and projections. This means that after the elaboration to λ×, the evaluation of a term no longer depends on its type derivation and can proceed as would normally happen with algebraic datatypes. ∨ + Because this process of first elaborating from λ∧ to λ× and then evaluating the resulting term is quite complicated we wish to validate it against a more simple model. For this ∨ purpose, we use a naive over-approximation of the operational semantics of λ∧ that does not depend on type information. We will show that every evaluation step made in the elaboration of a term can be simulated withing this over-approximation. The converse does not hold, however. Since our naive reduction relation is an over-approximation, it can make a “wrong” step that cannot be followed by the elaborated term. An overview of the full process can be seen in Figure 4.1 on the facing page. We begin ∨ with a term t of type τ in λ∧, and perform a coercion step that removes all dependencies on the subtyping relation in the type derivation. For every instance where the subtype relation τ 4 σ is used, we create a term c that translates any term of type τ to a term of type σ. Using these coercion-terms, we can then construct a term u that has the same + type as t but no longer uses the subtyping relation. We then elaborate u into a λ×-term 0 ∨ + u that can be typed as |τ|, which is a translation of the λ∧-type τ into a λ×-type. This term is then evaluated in one or more steps into a value v0. Finally, as a validation step, we show that the over-approximation is able to follow this evaluation by evaluating u ∨ 0 into a λ∧-term v, which can then be elaborated to v . One might ask why we first perform a coercion before doing the elaboration. It should be possible to do the coercion and elaboration in one step. Indeed, this is the approach taken by S. Oliveira, Shi, and Alpuim [22]. Dunfield claims that the coercion step is added because it simplifies the process (the over-approximation would become a lot more complicated because it now needs to perform the task of the coercions). It

32 Technical University Eindhoven + 4.1. Algebraic Data Types λ× Master’s Thesis

∨ ∨ + λ∧ coerce λ∧ 64 elaborate λ× 0 t:τ ∆ ` τ 4 σ ,→ c u:τ Γ ` u:τ ,→ u0 u :|τ|

evaluate evaluate u 7→∗ v u0 7→∗ v0

∨ + λ∧ 64 elaborate λ× 0 v:τ Γ ` v:τ ,→ v0 v :|τ|

∨ Figure 4.1.: An overview of the operational semantics of λ∧.

turns out, however, that by eliminating this step, we can no longer correctly deﬁne the over-approximation (S. Oliveira, Shi, and Alpuim get away with this by simply ∨ omitting the over-approximation). This is the case, because a λ∧-value v that is coerced + and elaborated in one step does not always end up as a value in λ×. The result is that we can perform a step on the right-hand-side of the diagram, while the left-hand-side is stuck, thereby invalidating it. + In the remainder of this chapter, we will ﬁrst give a formalization of λ× before pro- ∨ ceeding with the formalization of λ∧.

+ 4.1. Algebraic Data Types λ×

We give a fairly basic formalization of a calculus with algebraic datatypes and top and bottom types.

4.1.1. Deﬁnitions

+ Deﬁnition 14 (grammar of λ× types) type on page 87 + The grammar of a type in λ× is deﬁned as follows.

T ::= V | > | ⊥ | (T → T) | (T × T) | (T + T)

V ∈ Var 2

Convention 6 The typeconstructors + and × have a lower precedence that →. Furthermore, the associativity of both + and × does not matter.

Department of Mathematics and Computer Science 33 ∨ Master’s Thesis 4. Formalization of λ∧

+ Deﬁnition 15 (grammar of λ× terms) term on page 88 + The grammar of a term in λ× is deﬁned as follows.

t ::= v | () | (t t) | (λv.t) | (t, t)

v ∈ Var 2

The purpose of the syntax absurd t is to transform a term t of type ⊥ to a term of an arbitrary type τ. Since we will later prove that ⊥ is uninhabitable, this syntax will never actually be evaluated. Furthermore, the syntax case t of u is taken to be a pattern matching construct. Here, t should be a injection, while u should be pair of functions. Depending on whether t is a left or right injection, it is passed to either the left or right function in the pair. + The operational semantics of λ× will be characterized using a call-by-value reduction relation. For this, we need the concept of a value. Because the call-by-value strategy does not reduce under a λ-abstraction, all abstractions are considered values. Note that we do not consider a variable a value, but rather a normal form. This is mainly because otherwise the proof of strong normalization we present in Section 4.1.3 on page 39 becomes, surprisingly, much more difficult. + Definition 16 (values of λ×) value on page 90 + The set Value contains all terms of λ× that are values. It is defined as the smallest set closed under the following rules.

t ∈ Value u ∈ Value () ∈ Value λx.t ∈ Value (t, u) ∈ Value

t ∈ Value t ∈ Value

inj1 t ∈ Value inj2 t ∈ Value

+ Deﬁnition 17 (operational semantics of λ×) cbv on page 90 + The relation 7→ represents the operational semantics of λ×. It is deﬁned as the smallest relation closed under the following rules.

0 0 t 7→ t λ+ u 7→ u t ∈ Value λ+ 7→ APP × 7→ APP × t u 7→ t0 u 1 t u 7→ t u0 2

∈ u Value λ+ 7→ ABS × (λx.t)u 7→ t[x 7→ u]

0 0 t 7→ t + t 7→ t + λ× λ× 0 7→ PROJ1 0 7→ PROJ2 proj1 t 7→ proj1 t proj2 t 7→ proj2 t

34 Technical University Eindhoven + 4.1. Algebraic Data Types λ× Master’s Thesis

t ∈ Value u ∈ Value + t ∈ Value u ∈ Value + λ× λ× 7→ UNPROJ1 7→ UNPROJ2 proj1(t, u) 7→ t proj2(t, u) 7→ u

0 0 t 7→ t λ+ u 7→ u t ∈ Value λ+ 7→ PAIR × 7→ PAIR × (t, u) 7→ (t0, u) 1 (t, u) 7→ (t, u0) 2

0 0 t 7→ t + t 7→ t + λ× λ× 0 7→ INJ1 0 7→ INJ2 inj1 t 7→ inj1 t inj2 t 7→ inj2 t

0 0 t 7→ t u ∈ Value λ+ u 7→ u λ+ 7→ CASE × 7→ CASE × case t of u 7→ case t0 of u 11 case t of u 7→ case t of u0 12

t ∈ Value u ∈ Value + t ∈ Value u ∈ Value + λ× λ× 7→ CASE21 7→ CASE22 case inj1 t of u 7→ (proj1 u) t case inj2 t of u 7→ (proj2 u) t

+ Deﬁnition 18 (static semantics for λ×) typing on page 91 + The relation Γ ` t:τ contains all λ×-terms t typable as τ under typing-context Γ . It is deﬁned as the smallest relation closed under the following rules. τ ∈ Γ Γ ` ⊥ x: λ+ λ+ t: λ+ VAR × UNIT × ABSURD × Γ ` x:τ Γ ` ():> Γ ` absurd t : τ

Γ σ ` τ Γ ` σ → τ Γ ` σ , x: t: λ+ t : u: λ+ → INTRO × → ELIM × Γ ` λx.t :σ → τ Γ ` t u : τ

Γ ` t:τ × σ + Γ ` t:τ × σ + λ× λ× ×ELIM1 ×ELIM2 Γ ` proj1 t : τ Γ ` proj2 t :σ

Γ ` t:τ + Γ ` t:σ + λ× λ× +INTRO1 +INTRO2 Γ ` inj1 t : τ + σ Γ ` inj2 t : τ + σ Γ ` τ Γ ` σ Γ ` τ + σ Γ ` τ → ρ × σ → ρ t: u: λ+ t : u : λ+ ×INTRO × +ELIM × Γ ` (t, u) : τ × σ Γ ` case t of u : ρ

+ 4.1.2. Correctness Properties of λ× + We now show the correctness of λ×. For this, we would like to show the following properties.

• If a term can be reduced, it is not a value. Conversely, a term that is a value cannot be reduced.

Department of Mathematics and Computer Science 35 ∨ Master’s Thesis 4. Formalization of λ∧

• The evaluation strategy is deterministic.

• The reduction relation preserves typing.

• It is not possible to inhabitate the ⊥-type.

• Any typable term is either a value or can be reduced.

• An algorithm exists to determine whether a term is a value. Furthermore, an algorithm exists to execute the evaluation strategy. Note that we do not provide + + a type-inference algorithm for λ×, because we only use λ× as an intermediate language.

The ﬁrst two of these objectives are quite easy to prove.

Theorem 4 (reducible terms are not values) cbv value on page 93 0 If t 7→ t , then it holds that t ∈/ Value 2

PROOF By induction on the reduction relation.

Theorem 5 (values are not reducible) value cbv on page 93 If t ∈ Value, then t is not reducible. 2

PROOF By induction on the structure of values.

Theorem 6 (determinism of evaluation) determinism on page 93 If t 7→ u1 and t 7→ u2 then u1 = u2. 2

PROOF By induction on the derivation of t 7→ u1 and then comparing the structure of t 7→ u1 to the structure of t 7→ u2, utilizing Theorem 4 to obtain contradictions.

To prove the subject reduction property, some more machinery is required. We ﬁrst have to establish some facts

Lemma 1 (typing under permuted contexts) equal context on page 94 0 0 If Γ is a permutation of Γ and Γ ` t:τ then Γ ` t:τ. 2

PROOF By induction on the structure of Γ ` t:τ.

Lemma 2 (context weakening) context weakening on page 95 Let Γ ` t:τ. Then we have Γ , x:σ ` t:τ. 2

λ+ PROOF By induction on the structure of Γ ` t:τ. The interesting case is → INTRO × , where we have to prove that Γ , x:σ, y:ρ ` t:τ, while the induction hypothesis gives us Γ , y:ρ, x:σ ` t:τ. This is, however, easily remedied with an invocation of Lemma1.

Lemma 3 (substitution lemma) subst reduction on page 95 If Γ , x:σ ` t:τ and Γ ` u:σ, then Γ ` t[x 7→ u] : τ. 2

36 Technical University Eindhoven + 4.1. Algebraic Data Types λ× Master’s Thesis

PROOF To prove this, we ﬁrst have to perform some induction loading. We strengthen our statement as follows: Let Γ 0 ` t:τ and let Γ be a context such that Γ 0 is a permutation of Γ , x : σ. Now, if we have Γ ` u:σ, then Γ ` t[x 7→ u] : τ must hold. We then proceed by induction on the derivation of Γ 0 ` t:τ. The only interesting case is λ+ → INTRO × , where we must prove Γ ` (λy.t)[x 7→ u] : ρ → τ. Barendregt’s convention gives us that x 6= y, which means that this statement is equal to Γ ` λy.t[x 7→ u] : ρ → τ. λ+ We can then apply → INTRO × to obtain Γ , y:ρ ` t[x 7→ u] : τ. This statement is equal to the conclusion of the induction hypothesis. We do then have to prove the following. • Γ , y:ρ, x:σ is a permutation of Γ 0, y:ρ, which is true because we know that Γ , x:σ is a permutation of Γ 0. Note that it is here that we need the induction loading. Had we not done this, then we would have to show that Γ , y:ρ, x:σ is equal to Γ , x:σ, y:ρ, which is (depending on how we represent contexts) not true. • Finally, Γ , y:ρ ` u:σ must be true. Because we know that Γ ` u:σ, this follows from Lemma2. We are now equipped to prove the subject reduction property. Lemma 4 (subject reduction) subject reduction on page 95 0 0 If Γ ` t:τ and t 7→ t then Γ ` t :τ. 2

PROOF By induction on the structure of Γ ` t:τ, and a subsequent analysis of the possible reductions that can be performed. The only hurdle occurs when t = (λx.t0) u, which means that t reduces to t0[x 7→ u]. This case is, however easily proved using Lemma3. Theorem 7 (transitive subject reduction) subject reduction trans on page 95 ∗ 0 0 If Γ ` t:τ and t 7→ t then Γ ` t :τ. 2

PROOF A direct corollary of Lemma4. We now turn to the proof that we cannot inhabitate the bottom type. Any attempt to directly prove this using induction fails, because if one has a term of type α → ⊥ such that α is inhabited, one can obtain a term of type ⊥. We therefore also have to prove that functions that can create ⊥ from “nothing” are also uninhabitable. For this, we ﬁrst make a characterization of such types. Deﬁnition 19 (⊥-generating types) not bottom on page 95 The predicate not⊥(τ) is true if the type τ does not generate ⊥.  τ = > true if  false if τ = ⊥  true if τ = α not⊥(τ) = not⊥(σ) ⇒ not⊥(ρ) if τ = σ → ρ   (σ) ∧ (ρ) τ = σ ∧ ρ not⊥ not⊥ if  not⊥(σ) ∨ not⊥(ρ) if τ = σ ∨ ρ 2

Department of Mathematics and Computer Science 37 ∨ Master’s Thesis 4. Formalization of λ∧

We also generalize this function to contexts. Deﬁnition 20 (⊥-generating contexts) not bottom’ on page 118 The predicate not⊥(Γ ) for some context Γ is true if for all x:τ ∈ Γ we have not⊥(τ). 2

We can now pose a lemma that is suitably strong. Lemma 5 (typable terms do not generate ⊥) typing not bottom on page 95 If Γ ` t:τ and not⊥(Γ ) then it must hold that not⊥(τ). 2

PROOF By induction on the structure of Γ ` t:τ. Theorem 8 (⊥ is uninhabitable) untypable bottom on page 95 No term t exists such that · ` t:⊥. 2

PROOF Follows directly from Lemma5. The last main theorem is to show that the evaluation relation can always make progress until it reaches a value. Note that this is only possible if a term is typable with a empty context. Otherwise, the evaluation might encounter an unbound variable and get stuck. Theorem 9 (progress) progress on page 95 If · ` t:τ then either t ∈ Value or there exists a term u such that t 7→ u. 2

PROOF By induction on the derivation of · ` t:τ. The possible cases are then as follows.

λ+ rule VAR × : In this case, we have that t is a variable, which cannot be typed because the context is empty.

λ+ rule ABSURD × : In this case, we have t = absurd u and · ` u:⊥. This is not possible according to Theorem8.

otherwise: In all other cases, we have a subterm, for which the induction hypothesis decides whether or not progress can be made. In some cases, we can immediately determine whether or not a step in the full term can be made using this information. Otherwise, we need to look one level deeper in either the type derivation or the derivation of the reduction in order to fully decide the problem. To show that this version of the progress property can be applied multiple times, we include the following transitive progress property. Theorem 10 (transitive progress) typing sn evaluation on page 96 ∗ If · ` t:τ and t is strongly normalizing, then there exists a value v such that t 7→ v. 2

PROOF We use Theorem9 and Lemma4 successively until we obtain a value. Our last step is to prove that we can actually make an algorithm that can evaluate a + term. It should be noted that although this is rather trivial for λ× as deﬁned above, this is not the case for the Coq formalization due to the use of de Bruijn indices.

38 Technical University Eindhoven + 4.1. Algebraic Data Types λ× Master’s Thesis

Theorem 11 (decidability of Value) value dec on page 96 An algorithm exists to determine if a term t is a value. 2

PROOF This algorithm can simply analyze the structure of t and follow the rules of Value in a syntax-directed way.

Theorem 12 (decidability of 7→) cbv dec on page 96 An algorithm exists to determine if a term t can be reduced. 2

PROOF Again a syntax-directed approach can be taken by following the rules of 7→ and using the algorithm of Theorem 11 when necessary.

+ 4.1.3. Strong Normalization of λ× We now give a proof that the evaluation strategy 7→ is strongly normalizing for all terms t typable as · ` t:τ. This proof follows a general method devised by Tait [13], and adapted for algebraic datatypes by Dougherty [12]. Note that because the evaluation strategy is deterministic, there is no real difference between weak and strong normalization. This simpliﬁes our task somewhat. Having said that, we still need to develop quite some machinery in order to formulate an induction hypothesis that is strong enough to carry the proof. When attempting a naive induction proof, one will ﬁnd that in some cases the induction hypothesis is more than strong enough, while in other cases we lack information. We therefore need a method to redistribute the information carried by the induction hypothesis. For this, we introduce the notion of strong computability.

Deﬁnition 21 (strong computability) sc on page 96 A term t is strongly computable under type τ, denoted as sc(τ, t) if · ` t:τ and t is strongly normalizing. Additionally, depending on the structure of τ, we impose the following requirements:

If τ = σ → ρ: ∀u, sc(σ, u) ⇒ sc(ρ, t u)

If τ = σ × ρ: sc(σ, proj1 t) and sc(ρ, proj2 t) 0 ∗ 0 0 0 ∗ 0 0 If τ = σ + ρ: (∀t , t 7→ inj1 t ⇒ sc(σ, t )) and (∀t , t 7→ inj2 t ⇒ sc(ρ, t )) 2

We can then show that the notion of strong computability is compatible with the evaluation strategy.

Lemma 6 (compatibility of sc and 7→) sc cbv on page 96 0 0 If sc(τ, t) and t 7→ t then sc(τ, t ). 2

0 PROOF By induction on τ. The fact that t should be typable follows from Lemma4, and the fact that t0 is strongly normalizing follows because t is strongly normalizing. We then have to show the extra three properties:

Department of Mathematics and Computer Science 39 ∨ Master’s Thesis 4. Formalization of λ∧

If τ = σ → ρ: In this case, we know ∀u, sc(σ, u) ⇒ sc(ρ, t u) (1) and must show that ∀u, sc(σ, u) ⇒ sc(ρ, t0 u). From the induction hypothesis, we know that sc(ρ, t0 u) is true when sc(ρ, t u) is true. This in turn follows from (1) and the fact sc(σ, u).

0 If τ = σ × ρ: Without loss of generality, we only show sc(σ, proj1 t ). We know that 0 0 sc(σ, proj1 t). Because t 7→ t we also know proj1 t 7→ proj1 t . Using these facts, the induction hypothesis gives us directly what we need.

00 0 ∗ 00 00 If τ = σ + ρ: Without loss of generality, we only show that ∀t , t 7→ inj1 t ⇒ sc(σ, t ). 0 ∗ 0 0 Since we know that ∀t , t 7→ inj1 t ⇒ sc(σ, t ), this follows from the reduction 0 ∗ 00 t 7→ t 7→ inj1 t .

Lemma 7 (reverse compatibility of sc and 7→) cbv sc on page 96 0 0 If · ` t:τ and sc(τ, t ) and t 7→ t then sc(τ, t). 2

PROOF By induction on τ. The fact that t is strongly normalizing follows directly from Theorem6, and the fact that t0 is strongly normalizing. We also have to show the extra three properties:

If τ = σ → ρ: We can make the reverse of the argument made in the previous lemma.

If τ = σ × ρ: Again, the same argument as was made in the previous lemma applies.

00 ∗ 00 00 If τ = σ + ρ: Without loss of generality, we only show ∀t , t 7→ inj1 t ⇒ sc(σ, t ). 0 ∗ 00 00 Since we have both t 7→ t and t 7→ inj1 t , it must be that either t = inj1 t or t0 7→∗ t00 (this follows from Theorem6). 00 0 00 0 t = inj1 t : Because we have t 7→ t , and therefore inj1 t 7→ t , it must be the case 0 0 0 0 that t = inj1 t2 for some t2. We then invoke the property we have for sc(σ, t ) 0 ∗ 0 0 using the reﬂexive fact inj1 t2 7→ inj1 t2 to obtain sc(σ, t2). With this result, 00 0 together with t 7→ inj1 t2, we invoke the induction hypothesis to obtain sc(σ, t00). This is what was required. t0 7→∗ t00: This case is immediately settled, by invoking the property we have from 0 0 ∗ 00 sc(σ, t ) on the reduction t 7→ t .

Lemma 8 (transitive compatibility of sc and 7→)

1. If sc(τ, t) and t 7→∗ t0 then sc(τ, t0). sc cbv trans on page 96

2. If · ` t:τ and sc(τ, t0) and t 7→∗ t0 then sc(τ, t). cbv trans sc on page 96

PROOF By induction on the deﬁnition of the transitive closure, using Lemmas6 and7.

40 Technical University Eindhoven + 4.1. Algebraic Data Types λ× Master’s Thesis

In principle we are now ready to prove the strong normalization property, is it not for one major issue. That issue is in case we have to prove strong normalization for the λ-abstraction λx.t. In this case, we have to show ∀u, sc(σ, u) ⇒ sc(φ, (λx.t) · u). We will do this by invoking Lemma7, after which we have to prove sc(φ, t[x 7→ u]). At this point, we would like to use the induction hypothesis. However, the induction hypothesis states sc(φ, t) instead. In order to solve this discrepancy, we will strengthen the induction hypothesis by proving that if we have a list of value-substitutions ξ = [x1 7→ v1][x2 7→ v2] ..., then any term t ξ is strongly normalizing. This also means that the requirement · ` tτ is no longer sufﬁcient, because t will contain free variables.

Deﬁnition 22 (substitution and context list) instantiation on page 96 Let ξ = [x1 7→ v1][x2 7→ v2] ... [xn 7→ vn] be a list of substitutions, and

Γ = [xn:τn,..., x2:τ2, x1:τ1]

an ordered context. These lists are compatible, denoted by Γ ♥ξ, if all terms vi are values, such that sc(τi, vi). 2

We must now build some knowledge about these substitution lists.

Lemma 9 (Γ ♥ξ typing) instantiation typing on page 97 Let Γ 0 be a context, Γ be a context-list and ξ a substitution-list such that Γ ♥ξ. If Γ 0Γ ` t:τ 0 then it follows that Γ ` t ξ:τ. 2

PROOF By induction on Γ . For empty lists, this is trivial. Otherwise, we must prove that Γ 0 ` t[x 7→ v] ξ. We invoke the induction hypothesis, for which we have to prove Γ 0, Γ ` t[x 7→ v]. We then invoke Lemma3, after which we have to prove Γ 0, Γ , x:σ ` t and Γ 0, Γ ` v:σ. The ﬁrst obligation is an assumption. For the second obligation, we use Lemma1 to obtain · ` v:σ, which follows from Γ ♥ξ.

Lemma 10 (substitution list behavior) unit env msubst on page 97 until case env msubst on page 97 Let ξ be a substitution list. We then have

() ξ = () (λx.t) ξ = (λx.t ξ)(projx t) ξ = projx t ξ

(injx t) ξ = injx t ξ (t, u) ξ = (t ξ, u ξ)(case t of u ξ) = case t ξ of u ξ. 2

PROOF By induction on ξ.

Lemma 11 (strong normalization behavior)

1. If t and u are strongly normalizing then (t, u) is strongly normalizing. Acc pair on page 98

Department of Mathematics and Computer Science 41 ∨ Master’s Thesis 4. Formalization of λ∧

2. If t is strongly normalizing then injx is strongly normalizing. Acc inj1 on page 98

PROOF By induction on the ﬁnite list of reductions given by the strong normalization property. + Lemma 12 (transitive reduction rules for λ×) ∗ 0 ∗ 0 1. If t 7→ t then t u 7→ t u cbv app1 trans on page 97 ∗ 0 ∗ 0 2. If t is a value and u 7→ u then t u 7→ t u cbv app2 trans on page 98 3. If t 7→∗ t0 and u 7→∗ u0 then t u 7→∗ t0 u0 cbv app trans on page 98

∗ 0 ∗ 0 4. If t 7→ t then (t, u) 7→ (t , u) cbv pair1 trans on page 98 ∗ 0 ∗ 0 5. If u 7→ u then (t, u) 7→ (t, u ) cbv pair2 trans on page 98 ∗ 0 ∗ 0 6. If t 7→ t then projx t 7→ projx t cbv proj1 trans on page 98 ∗ 0 ∗ 0 7. If u 7→ u then case t of u 7→ case t of u cbv case11 trans on page 98 8. If u is a value and t 7→∗ t0 then case t of u 7→∗ case t0 of u cbv case12 trans on page 98 9. If t 7→∗ t0 and u 7→∗ u0 then case t of u 7→∗ case t0 of u0 cbv case trans on page 98

∗ 0 ∗ 0 10. If injx t 7→ injx t then t 7→ t cbv inj1 trans on page 98

PROOF By induction on the deﬁnition of the transitive closure of a relation. With these lemmas, we are ready to prove the main result of this section. Theorem 13 (substitution strong normalization) msubst sc on page 98 Let Γ be a context-list and ξ a substitution-list such that Γ ♥ξ. We then have that if Γ ` t:τ, then sc(τ, t ξ) holds. 2

PROOF By induction on the derivation of Γ ` t:τ. We will now describe the interesting cases. Note that many cases, we have to show that · ` t ξ. This is in all cases easily done by invoking Lemma9 such that we have to prove Γ ` t, which is an assumption.

λ+ rule VAR × : We must show that sc(τ, x ξ). Using the fact that Γ ` x:τ and Γ ♥ξ we deduce that x ∈ Γ and therefore there exists v such that [x 7→ v] is a substitution in ξ. Therefore, x ξ = v. The fact sc(τ, v) immediately follows.

λ+ rule ABSURD × : We must now prove sc(τ, (absurd t) ξ)). Note, however, that we know that Γ ` t:⊥. We will therefore be obtaining a contradiction using Lemma5. For this, we have to show not⊥(Γ ). Hence, for all x:σ ∈ Γ we must have not⊥(σ). From Γ ♥ξ we then know that there is a value v such that · ` v:σ. A second invocation of Lemma5 then proves not ⊥(σ).

42 Technical University Eindhoven + 4.1. Algebraic Data Types λ× Master’s Thesis

λ+ 0 0 rule → INTRO × : We now have t ξ = (λx.t ) ξ. Using Lemma 10 this becomes λx.t ξ, which is clearly a value and therefore strongly normalizing according to Theorem5. We must also show that ∀u, sc(σ, u) ⇒ sc(ρ, (λx.t0) ξ u). Since we know that u is strongly normalizing, we can use Theorem 10 to obtain a value u0 such that u 7→∗ u0. It then holds that (λx.t0) ξ u 7→∗ t0 ξ[x 7→ u0] due to Lemmas 10 and 12. We then use Lemma8 to change the proof obligation to sc(ρ, t0 ξ[x 7→ u0]). Note that due to Barendregt’s convention, we have sc(ρ, t0[x 7→ u0] ξ). We can then ﬁnally use the induction hypothesis. To do this, we only have to show that Γ , x:σ♥[x 7→ u0]ξ. Because Γ ♥ξ, most of this follows automatically. However, we do have to show that sc(σ, u0). For this, we use u 7→∗ u0 and Theorem 10 to move the proof obligation back to sc(σ, u), which is an assumption.

λ+ rule → ELIM × : This case is where the sc property comes to good use. We have an obligation sc(ρ, (t u) ξ), which reduces to sc(ρ, (t ξ)(u ξ). From the induction hypothesis, we have sc(σ → ρ, t ξ), and therefore ∀w, sc(σ, w) ⇒ sc(t ξ w). We can directly use this property, after which our proof obligation moves to sc(σ, u ξ), which is the second part of the induction hypothesis.

+ + λ× λ× rules ×ELIM1 and ×ELIM2 : Without loss of generality, we must prove 0 0 sc(σ, (proj1 t ) ξ), which reduces to sc(σ, proj1 t ξ). The induction hypothesis gives us sc(σ × ρ, t ξ), which is induction-loaded with the exact property we need.

+ + λ× λ× rules +INTRO1 and +INTRO2 : Without loss of generality, we must prove sc(σ + 0 0 ρ, (inj1 t ) ξ), which reduces to sc(σ + ρ, inj1 t ξ). Note that the induction hy- 0 0 pothesis gives us sc(σ, t ξ). Now, to prove the strong normalization of inj1 t ξ, we invoke Lemma 11, after which the strong normalization of t0 ξ follows from the induction hypothesis. We also have to prove the extra obligations 00 0 ∗ 00 00 00 0 ∗ 00 00 ∀t , inj1 t ξ 7→ inj1 t ⇒ sc(σ, t ) and ∀t , inj1 t ξ 7→ inj2 t ⇒ sc(ρ, t ). The second obligation is vacuous because a left injection can never reduce to a right injection. For the ﬁrst obligation, note that Lemma 12 gives us t0 ξ 7→∗ t00. We then use Lemma8 to move the obligation back to sc(σ, t0 ξ), which is the induction hypothesis.

λ+ rule ×INTRO × : We must now prove sc(σ × ρ, (p, q) ξ), which is equal to sc(σ × ρ, (p ξ, q ξ)). The induction hypothesis gives use sc(σ, p ξ) and sc(ρ, q ξ). To prove the strong normalization of (p ξ, q ξ), we use Lemma 11 to split this into proving strong normalization of p ξ and q ξ separately. This then follows directly from the induction hypotheses. We also have to prove the extra obligations

sc(σ, proj1(p ξ, q ξ)) and sc(ρ, proj2(p ξ, q ξ)). We show the proof for the ﬁrst obligation. Note that since p ξ and q ξ are strongly normalizing, we can use Theorem 10 to obtain values p0 and q0 such that p 7→∗ p0 and q 7→∗ q0. We then use Lemma 12 to obtain the following evaluation chain.

∗ 0 ∗ 0 0 0 proj1(p ξ, q ξ) 7→ proj1(p , q ξ) 7→ proj1(p , q ) 7→ p

Department of Mathematics and Computer Science 43 ∨ Master’s Thesis 4. Formalization of λ∧

Lemma8 can then be used to move the obligation to sc(σ, p0). Lastly, we use Lemma8 and p ξ 7→∗ p0 to immediately move the obligation back to sc(σ, p ξ), which is an induction hypothesis.

λ+ rule +ELIM × : In the last case, we must prove sc(ρ, (case p of q) ξ), which is equal to sc(ρ, (case p ξ of q ξ). The induction hypothesis gives use sc(σ + φ, p ξ) and sc(σ → ρ × φ → ρ, q ξ). Since p ξ and q ξ are strongly normalizing, we can use Theorem 10 to obtain values p0 and q0 such that p ξ 7→∗ p0 and q ξ 7→∗ q0. Note that since we can type p ξ as σ + φ we can also type p0 as σ + φ due to Theorem7. 0 00 Now, since p is a value, the only way it can receive this type is if it either inj1 p 00 or inj2 p . Without loss of generality, assume the ﬁrst. We then use Lemma 12 to obtain the following evaluation chain.

∗ 0 ∗ 00 0 0 00 case p ξ of q ξ 7→ case p ξ of q 7→ case inj1 p of q 7→ (proj1 q ) p

0 00 Lemma8 can then be used to move the proof obligation to sc(ρ, (proj1 q ) p ). In order to move the obligation back again, we note that since q ξ 7→∗ q0 we 00 ∗ 0 00 also have (proj1 q) p 7→ (proj1 q ) p . We can therefore move the obligation to 00 sc(ρ, (proj1 q) p ). For the last steps, we see that the induction-loading property accompanying

sc(σ → ρ × φ → ρ, q ξ) gives us sc(σ → ρ, proj1 q ξ), which in turn gives us 00 ∀k, sc(σ, k) ⇒ sc(ρ, (proj1 q ξ) k). Using this property leaves us with sc(σ, p ). ∗ Finally, from sc(σ + φ, p ξ), we get ∀k, p ξ 7→ inj1 k ⇒ sc(ρ, k). This ﬁnishes the ∗ 00 proof, because we have p ξ 7→ inj1 p .

Theorem 14 (strong normalization) strong normalization on page 98 If · ` t:τ then t is strongly normalizing. 2

PROOF A direct consequence of Theorem 13.

∨ 4.2. Unrestricted Union and Intersection Types λ∧

∨ We now give a formalization of λ∧, which approximately follows the same approach taken by Dunﬁeld [4].

4.2.1. Deﬁnitions

4.2.1.1. Grammar

∨ + The grammar of λ∧ is much simpler than that of λ×, because almost all functions are subsumed by the merge operator.

44 Technical University Eindhoven ∨ 4.2. Unrestricted Union and Intersection Types λ∧ Master’s Thesis

∨ Deﬁnition 23 (grammar of λ∧ types) type on page 87 ∨ The grammar of a type in λ∧ is deﬁned as follows.

T ::= V | ⊥ | > | (T → T) | (T ∧ T) | (T ∨ T)

V ∈ Var 2

Convention 7 The typeconstructors ∧ and ∨ have a lower precedence that →. Furthermore, the associativity of both ∧ and ∨ does not matter.

∨ Deﬁnition 24 (grammar of λ∧ terms) term on page 99 ∨ The grammar of a term in λ∧ is deﬁned as follows.

t ::= v | (t t) | (λv.t) | (t ⊗ t)

v ∈ Var 2

4.2.1.2. Type System

∨ The next step is to define a subtyping and typing relation for λ∧. As we explained in Section 2.2.3 on page 27, we will circumvent the problems with reference types that occur in combination with intersection types by using a pass-by-sharing evaluation strategy. This allows us to use a much richer subtyping relation than is used by Dunfield, who keeps all typeconstructor completely orthogonal from each other. Another difference is that our subtype relation has a subtype-context which allows us to model a wide range of primitive types simply by adding them to the subtype-context. In contrast, Dunfield does not include a subtype-context, which means that all primitive types must be explicitly encoded into the type-system.

∨ Definition 25 (subtyping relation for λ∧) subtyping on page 101 ∨ The ternary relation ∆ ` σ 4 τ defines a subtype relation for λ∧-types σ and τ under subtyping-context ∆. It is defined as the smallest relation closed under the following rules. τ α σ ∈ ∆ τ α σ ∈ ∆ 4 4 4 4 4 4 VAR1 VAR2 ∆ ` α 4 σ ∆ ` τ 4 α

TOP4 BOTTOM4 ∆ ` τ 4 > ∆ ` ⊥ 4 τ

→ TOP4 → BOTTOM4 ∆ ` > 4 ⊥ → > ∆ ` > → ⊥ 4 ⊥

∆ ` σ σ ∆ ` τ τ 2 4 1 4 1 4 2 4 FUN1 FUN2 ∆ ` σ1 → τ 4 σ2 → τ ∆ ` σ → τ1 4 σ → τ2

Department of Mathematics and Computer Science 45 ∨ Master’s Thesis 4. Formalization of λ∧

∆ ` τ 4 σ ∆ ` σ 4 ρ REFL4 TRANS4 ∆ ` τ 4 τ ∆ ` τ 4 ρ

4 4 ∧ELIM1 ∧ELIM2 ∆ ` τ ∧ σ 4 τ ∆ ` τ ∧ σ 4 σ

4 4 ∨INTRO1 ∨INTRO2 ∆ ` τ 4 τ ∨ σ ∆ ` σ 4 τ ∨ σ

∆ ` ρ 4 τ ∆ ` ρ 4 σ ∆ ` τ 4 ρ ∆ ` σ 4 ρ ∧INTRO4 ∨ELIM4 ∆ ` ρ 4 τ ∧ σ ∆ ` τ ∨ σ 4 ρ

∧→ DIST4 ∆ ` σ → τ1 ∧ σ → τ2 4 σ → (τ1 ∧ τ2)

∨→ DIST4 ∆ ` τ1 → σ ∧ τ2 → σ 4 (τ1 ∨ τ2) → σ

∧∨DIST4 ∆ ` σ ∧ (τ ∨ ρ) 4 (σ ∧ τ) ∨ (σ ∧ ρ)

∨∧DIST4 ∆ ` (σ ∨ τ) ∧ (σ ∨ ρ) 4 σ ∨ (τ ∧ ρ)

As discussed in Section 2.1.1.1 on page8, is not difficult to prove that the subtyping relation is a congruence and that union and intersection types are commutative, associative and idempotent and satisfy the absorption laws. In addition, all the standard distributive identities are admitted. With these properties, the subtyping relation form a complete, bounded, distributive lattice. The relation even comes somewhat close to being a Heyting algebra. However, a Heyting algebra also includes rules that fundamen- tally change the shape of a term, which is undesirable in a subtype relation. For example, we do not include rules such as τ 4 σ → τ, because automatically transforming a term of type τ to a function of type σ → τ, would lead to very strange behavior. The rules → TOP4 and → BOTTOM4 are exceptions to this, because they occur at the very top and bottom of the lattice, where they do no harm. ∨ Definition 26 (typing rules for λ∧) Γ „∆ ` t:τ on page 104 Γ ` t:τ on page 104 ∨ The quaternary relation Γ , ∆ ` t:τ contains all λ∧-terms t typable as τ under typing- context Γ and subtype-context ∆. It is defined as the smallest relation closed under the following rules.

x:τ ∈ Γ λ∨ Γ , ∆ ` t:σ ∆ ` σ 4 τ λ∨ VAR ∧ SUB ∧ Γ , ∆ ` x:τ Γ , ∆ ` t:τ

Γ , x:σ, ∆ ` t:τ λ∨ Γ , ∆ ` t :σ → τ Γ , ∆ ` u:σ λ∨ → INTRO ∧ → ELIM ∧ Γ , ∆ ` λx.t :σ → τ Γ , ∆ ` t u : τ

46 Technical University Eindhoven ∨ 4.2. Unrestricted Union and Intersection Types λ∧ Master’s Thesis

Γ , ∆ ` t:⊥ λ∨ t ∈ Value λ∨ ⊥ELIM ∧ >INTRO ∧ Γ , ∆ ` t:τ Γ , ∆ ` t:>

Γ , ∆ ` t :σ1 → τ ∧ σ2 → τ Γ , ∆ ` u :σ1 ∨ σ2 λ∨ ∨ELIM ∧ Γ , ∆ ` t u : τ

Γ , ∆ ` t:τ λ∨ Γ , ∆ ` u:τ λ∨ ⊗INTRO ∧ ⊗INTRO ∧ Γ , ∆ ` t ⊗ u : τ 1 Γ , ∆ ` t ⊗ u : τ 2

Γ , ∆ ` t:τ Γ , ∆ ` t:σ λ∨ Γ , ∆ ` t:τ ∧ σ λ∨ ∧INTRO ∧ ∧ELIM ∧ Γ , ∆ ` t : τ ∧ σ Γ , ∆ ` t:τ 1

Γ , ∆ ` t:τ ∧ σ λ∨ Γ , ∆ ` t:τ λ∨ Γ , ∆ ` t:σ λ∨ ∧ELIM ∧ ∨INTRO ∧ ∨INTRO ∧ Γ , ∆ ` t:σ 2 Γ , ∆ ` t:τ ∨ σ 1 Γ , ∆ ` t:τ ∨ σ 2

In addition to the relation Γ , ∆ ` t:τ, we also deﬁne the relation Γ ` t:τ, which has the same typing rules, but with an empty subtyping context. Note that this effectively λ∨ disables ruleS UB ∧ . 2

It should be noted that there is a large overlap between the subtyping and typing rules. ∨ 4 λ∧ For example, the rules ∧ELIM1 and ∧ELIM1 perform the same function. We need this overlap because, as illustrated in Figure 4.1 on page 33, the first step in the compilation process will be to perform coercions such that we no longer need the subtyping relation. The consequence of this is that the typing rules need to take over some of the functions that where performed by the subtyping relation. The typing rules are largely the same as those presented by Dunfield. An exception is λ∨ ∨ELIM ∧ , for which Dunfield uses the following.

Γ ` v : τ ∨ σ Γ , x:τ ` E[x]:ρ Γ , x:σ ` E[x]:ρ Γ ` E[v]:ρ

Here E[t] represents a term with a single hole, that is filled with the term t. By using such a hole, it is ensured the v is substituted at only one location of E. As shown by Dunfield and Pfenning [34], allowing v to be substituted in multiple locations results into λ∨ problems when adding reference types. With ∨ELIM ∧ , we take a different approach that more closely follows how sum types are eliminated with algebraic datatypes by using the case t of u construct. The problem with reference types described by Dunfield and Pfenning does not apply to us, because in Chapter5 on page 60 we will use the pass-by-value strategy instead. λ∨ Lastly, we note the rule >INTRO ∧ . This rule is somewhat incomplete in the sense that only values are allowed to be typed as >. However, because of the more general subtyping rule TOP4 , we are still able type arbitrary terms as >. The reason for using ∨ this two-pronged approach will become clear when we define the elaboration of λ∧- + terms to λ×-terms.

Department of Mathematics and Computer Science 47 ∨ Master’s Thesis 4. Formalization of λ∧

4.2.1.3. Coercions

The next step is to provide a mechanism to remove all uses of the subtype relation from a type derivation. For this, we add so-called coercions to the subtype derivation. These coercions are terms which acts as a witness of the subtype relation. If we have that τ 4 σ, then the accompanying coercion c is a function of type τ → σ, which enables us to convert terms of type τ to σ, thereby removing the need for the subtyping relation. ∨ Definition 27 (coercion relation for λ∧) coercion on page 104 ∨ The relation ∆ ` σ 4 τ ,→ c defines a coercion relation for λ∧-types σ and τ under ∨ coercion-context ∆. The witness c is a λ∧ term of type σ → τ. It is defined as the smallest relation closed under the following rules. t ←- τ α σ ,→ u ∈ ∆ t ←- τ α σ ,→ u ∈ ∆ 4 4 4,→ 4 4 4,→ VAR1 VAR2 ∆ ` α 4 σ ,→ u ∆ ` τ 4 α ,→ t

,→ ,→ TOP4 BOTTOM4 ∆ ` τ 4 > ,→ λx.λy.y ∆ ` ⊥ 4 τ ,→ λx.x

,→ → TOP4 ∆ ` > 4 ⊥ → > ,→ λx.λy.x

,→ → BOTTOM4 ∆ ` > → ⊥ 4 ⊥ ,→ λx.x λy.y

∆ ` σ σ ,→ t 2 4 1 4,→ FUN1 ∆ ` σ1 → τ 4 σ2 → τ ,→ λ f .λx. f (t x)

∆ ` τ τ ,→ t 1 4 2 4,→ FUN2 ∆ ` σ → τ1 4 σ → τ2 ,→ λ f .λx.t ( f x)

,→ ∆ ` τ 4 σ ,→ t ∆ ` σ 4 ρ ,→ u ,→ REFL4 TRANS4 ∆ ` τ 4 τ ,→ λx.x ∆ ` τ 4 ρ ,→ λx.u (t x)

4,→ 4,→ ∧ELIM1 ∧ELIM2 ∆ ` τ ∧ σ 4 τ ,→ λx.x ∆ ` τ ∧ σ 4 σ ,→ λx.x

4,→ 4,→ ∨INTRO1 ∨INTRO2 ∆ ` τ 4 τ ∨ σ ,→ λx.x ∆ ` σ 4 τ ∨ σ ,→ λx.x

∆ ` ρ 4 τ ,→ t ∆ ` ρ 4 σ ,→ u ,→ ∧INTRO4 ∆ ` ρ 4 τ ∧ σ ,→ λx.(t ⊗ u) x

∆ ` τ 4 ρ ,→ t ∆ ` σ 4 ρ ,→ u ,→ ∨ELIM4 ∆ ` τ ∨ σ 4 ρ ,→ λx.(t ⊗ u) x

,→ ∧→ DIST4 ∆ ` σ → τ1 ∧ σ → τ2 4 σ → (τ1 ∧ τ2) ,→ λx.λy.x y

48 Technical University Eindhoven ∨ 4.2. Unrestricted Union and Intersection Types λ∧ Master’s Thesis

,→ ∨→ DIST4 ∆ ` τ1 → σ ∧ τ2 → σ 4 (τ1 ∨ τ2) → σ ,→ λx.λy.x y

,→ ∧∨DIST4 ∆ ` σ ∧ (τ ∨ ρ) 4 (σ ∧ τ) ∨ (σ ∧ ρ) ,→ λx.(λy.y ⊗ x) x

,→ ∨∧DIST4 ∆ ` (σ ∨ τ) ∧ (σ ∨ ρ) 4 σ ∨ (τ ∧ ρ) ,→ λx.(λy.y ⊗ (λz.z ⊗ (y ⊗ x)) x) x

Note that if one removes the witnesses from these rules, they become equivalent to the normal subtyping rules. There is, however, one additional difference. The context of the coercion relation requires witnesses of the subtype-assertions that are made in it. This is not needed for the subtyping relation. It is possible to convert a coercion-context to a subtype-context:

Deﬁnition 28 (coercion-context to subtype-context) co2su on page 104 The function co2su(∆) converts a coercion-context to a subtype-context by removing the witnesses from the assertions. Hence, an assertion t ←- τ 4 α 4 σ ,→ u becomes τ 4 α 4 σ. 2

In order for a coercion-context ∆ to be valid, we also require its witnesses to be correctly typable for under some typing-context Γ . We therefore have the notion of compatibility between ∆ and Γ .

Deﬁnition 29 (coercion-context and typing-context compatibility) Γ ♥∆ on page 104 A coercion-context ∆ is compatible with a typing-context Γ , denoted as ∆♥Γ , if for all assertions t ←- τ 4 α 4 σ ,→ u ∈ ∆, we have that Γ ` t : τ → α and Γ ` u :α → σ. 2

4.2.1.4. Approximate semantics

∨ We now turn our attention to the approximate semantics of λ∧.

∨ Deﬁnition 30 (values of λ∧) value on page 100 ∨ The set Value contains all terms of λ∧ that are values. It is deﬁned as the smallest set closed under the following rules.

t ∈ Value u ∈ Value λx.t ∈ Value t ⊗ u ∈ Value

∨ Deﬁnition 31 (over-approximation of operational semantics of λ∧) cbv approx on page 101 ∨ The relation 7→ represents an over-approximation of the operational semantics of λ∧. It

Department of Mathematics and Computer Science 49 ∨ Master’s Thesis 4. Formalization of λ∧

is deﬁned as the smallest relation closed under the following rules.

0 0 t 7→ t λ∨ u 7→ u t ∈ Value λ∨ 7→ APP ∧ 7→ APP ∧ t u 7→ t0 u 1 t u 7→ t u0 2

u ∈ Value λ∨ 7→ ABS ∧ (λx.t)u 7→ t[x 7→ u]

λ∨ λ∨ 7→ UNMERGE ∧ 7→ UNMERGE ∧ t ⊗ u 7→ t 1 t ⊗ u 7→ u 2

0 0 7→ ∨ 7→ ∨ t t λ u u λ λ∨ 7→ MERGE ∧ 7→ MERGE ∧ 7→ SPLIT ∧ t ⊗ u 7→ t0 ⊗ u 1 t ⊗ u 7→ t ⊗ u0 2 t 7→ t ⊗ t

This approximation has several strange properties. For example, the 7→ never termi- λ∨ nates, because it is always possible to execute 7→ SPLIT ∧ . This means that the strong normalization property does not hold for 7→. An even more serious issue is that the subject reduction property does not hold for 7→.

Example 1 (subject reduction counterexample) A counterexample of the subject reduction property is the lambda term (λx.x) ⊗ Ω. Here Ω is represents the diverging term (λx.x x)(λx.x x). This example can be trivially typed as follows:

x:α ∈ x:α λ∨ VAR ∧ x:α ` x:α λ∨ → INTRO ∧ · ` λx.x :α → α λ∨ ⊗INTRO ∧ · ` (λx.x) ⊗ Ω :α → α 1

Note that in this derivation, we do not even have to consider the type of Ω, thanks to ∨ λ∧ rule ⊗INTRO1 . We now perform the following β-reduction on our term:

λ∨ 7→ UNMERGE ∧ (λx.x) ⊗ Ω 2 Ω .

Now recall that it was proved by Coppo and Dezani-Ciancaglini [1] that intersection types type exactly the strongly normalizing terms. Since Ω is a diverging term, it immediately follows that the result of this reduction, being Ω, is not typable. Therefore, the subject reduction property does not hold. 2

As noted before, the reason for these problems is that 7→ does not take into account the type-information of a term. It is therefore necessary to “intelligently” choose the correct rules in order to make a valid evaluation of a term. However, because these rules are rather simple, they are still useful as a tool to validate that the elaboration to algebraic datatypes presented below is correct.

50 Technical University Eindhoven ∨ 4.2. Unrestricted Union and Intersection Types λ∧ Master’s Thesis

4.2.1.5. Elaboration

∨ + The last step in the compilation process is the elaboration of the λ∧-term into λ×-terms. We do this with the help of the typing derivation. The basic idea is to elaborate any term that is typed as an intersection to a pair of terms, such that when we later use this term, we can select the desired part of the intersection using projections. Note that we even do this if a term with in intersection type is not formed using the merge operator. For example, the term λx.x can be typed as τ → τ ∧ σ → σ, but does not contain a merge. We will, however, still elaborate this term to the pair (λx.x, λx.x). This is somewhat wasteful, but it signiﬁcantly simpliﬁes the implementation of the elaboration.

∨ Definition 32 (elaboration relation for λ∧) elaboration on page 105 0 ∨ The relation Γ ` t:τ ,→ t defines an elaboration relation for λ∧-terms of type τ into + 0 λ×-terms t . It is defined as the smallest relation closed under the following rules. Γ σ ` τ ,→ 0 x:τ ∈ Γ λ∨,→ , x: t: t λ∨,→ VAR ∧ → INTRO ∧ Γ ` x:τ ,→ x Γ ` λx.t :σ → τ ,→ λx.t0

0 0 0 Γ ` t :σ → τ ,→ t Γ ` u:σ ,→ u λ∨,→ Γ ` t:⊥ ,→ t λ∨,→ → ELIM ∧ ⊥ELIM ∧ Γ ` t u : τ ,→ t0 u0 Γ ` t:τ ,→ absurd t0

t ∈ Value λ∨,→ >INTRO ∧ Γ ` t:> ,→ ()

0 0 Γ ` t :σ1 → τ ∧ σ2 → τ ,→ t Γ ` u :σ1 ∨ σ2 ,→ u λ∨,→ ∨ELIM ∧ Γ ` t u : τ ,→ case u0 of t0

0 0 Γ ` t:τ ,→ t λ∨,→ Γ ` u:τ ,→ u λ∨,→ ⊗INTRO ∧ ⊗INTRO ∧ Γ ` t ⊗ u : τ ,→ t0 1 Γ ` t ⊗ u : τ ,→ u0 2

0 0 Γ ` t:τ ,→ t1 Γ ` t:σ ,→ t2 λ∨,→ Γ ` t:τ ∧ σ ,→ t λ∨,→ ∧ NTRO ∧ ∧ 0 0 I ∧ELIM1 Γ ` t : τ ∧ σ ,→ (t1, t2) Γ ` t:τ ,→ proj1 t

Γ ` t:τ ∧ σ ,→ t ∨ Γ ` t:τ ,→ t ∨ λ∧,→ λ∧,→ ∧ELIM2 ∨INTRO1 Γ ` t:σ ,→ proj2 t Γ ` t:τ ∨ σ ,→ inj1 t

Γ ` t:σ ,→ t ∨ λ∧,→ ∨INTRO2 Γ ` t:τ ∨ σ ,→ inj2 t

Note that just like with the coercion relation, if we remove the elaboration terms from these rules, we end up with the normal typing rules. It should now become clear why λ∨,→ the rule >INTRO ∧ has a restriction that we can only type values as >. All terms t of type > are elaborated to the unit-term (). That means that any side-effects that

Department of Mathematics and Computer Science 51 ∨ Master’s Thesis 4. Formalization of λ∧

λ∨,→ might occur in t will not be performed. However, note that >INTRO ∧ only works with values. Because values are guaranteed not to have side-effects, we can use this rule without losing side-effects In order to type an arbitrary term as >, we note the ,→ coercion-rule TOP4 , which transforms any term to a term of type > using the witness λx.λy.y of type τ → >. This typing is valid, because λy.y is a value. Now, this means that any term t that is typed as > will be replaced with the term (λx.λy.y) t. Due to the call-by-value nature of the evaluation, all side-effects in t will therefore be evaluated before this redex is contracted.

∨ 4.2.2. Correctness Properties of λ∧ ∨ We now show the correctness of λ∧. For this, we would like to show the following properties.

• The subtyping relation is compatible with the coercion relation, and an algorithm exists to transform a subtyping derivation to a coercion derivation.

• The coercion relation produces witnesses that are correctly typable.

• Any term typable using the subtyping relation can be transformed into a term with the same type, such that we no longer need the subtype relation

• The typing relation is compatible with the elaboration relation, and an algorithm exists to transform a type derivation to an elaboration derivation.

+ • When we elaborate term t of type τ to the λ×-term u, then u must be typable using + an appropriate λ×-type |τ|. • No term exists that inhabits the type ⊥.

• The elaboration relation is consistent with the over-approximation we have deﬁned, as is illustrated in Figure 4.1 on page 33.

• An algorithm exists to decide if a type is a subtype of another type.

We divide these properties in the categories static semantics, dynamic semantics and decidability, which we will discuss below.

4.2.2.1. Static Semantics

The ﬁrst item in the list is relatively simple to show, with just a few lemma’s.

Lemma 13 (subtyping-context and coercion-context compatibility) su2co on page 108 co2su exists on page 108 Let ∆ be a coercion-context.

1. Whenever t ←- σ 4 α 4 τ ,→ u ∈ ∆ then σ 4 α 4 τ ∈ co2su(∆).

52 Technical University Eindhoven ∨ 4.2. Unrestricted Union and Intersection Types λ∧ Master’s Thesis

2. Whenever σ 4 α 4 τ ∈ co2su(∆) then there exist t and u such that t ←- σ 4 α 4 τ ,→ u ∈ ∆. 2

PROOF By induction on ∆. Theorem 15 (subtyping and coercion compatibility) coercion subtyping on page 108 Whenever ∆ ` σ 4 τ ,→ c then co2su(∆) ` σ 4 τ. 2

PROOF By induction on the derivation of ∆ ` σ 4 τ ,→ c, using Lemma 13. Theorem 16 (coercion algorithm) subtyping coercion on page 108 Whenever co2su(∆) ` σ 4 τ then there exists a term c such that ∆ ` σ 4 τ ,→ c. 2

PROOF By induction on the derivation of co2su(∆) ` σ 4 τ, using Lemma 13. ∨ We now give context-weakening lemma’s for λ∧. Their proofs are similar to their + counterparts for λ×. Lemma 14 (typing under permuted contexts) equal context typing on page 108 equal context elaboration on page 108 Let Γ 0 be a permutation of Γ . 1. If Γ ` t:τ then Γ 0 ` t:τ. 0 0 0 2. If Γ ` t:τ ,→ t then Γ ` t:τ ,→ t . 2

Lemma 15 (context weakening) equal context typing on page 108 equal context elaboration on page 108 1. Let Γ ` t:τ. Then we have Γ , x:σ ` t:τ. 0 0 2. Let Γ ` t:τ ,→ t . Then we have Γ , x:σ ` t:τ ,→ t . 2

We can now show the correctness of the coercion witnesses, and furthermore show that an algorithm exists to remove any dependencies on the subtyping relation. Theorem 17 (coercion witness typing) coercion typing on page 109 Let Γ be a typing-context and ∆ a coercion-context such that Γ ♥∆, i.e. they are compatible. Then, whenever we have that ∆ ` τ 4 σ ,→ c then Γ ` c : τ → σ must hold. 2

PROOF By induction on the derivation of ∆ ` τ 4 σ ,→. We must now build a type- derivation for the witnesses of the various coercion rules. These derivations are mostly straight-forward, requiring an occasional invocation of Lemma 15. Theorem 18 (subtyping elimination) typing sub elim on page 111 Let Γ be a typing-context and ∆ a coercion-context such that Γ ♥∆. Then, whenever we have 0 0 that Γ , ∆ ` t:τ a term t exists such that Γ ` t :τ holds. 2

Department of Mathematics and Computer Science 53 ∨ Master’s Thesis 4. Formalization of λ∧

PROOF By induction on the derivation of Γ , ∆ ` t:τ. The type-derivation can remain λ∨ completely the same, except when the subtyping relation is used in SUB ∧ . In this case, we have a proof that ∆ ` τ 4 σ, and a proof that Γ ` t:σ. We then use Theorem 16 to obtain a witness c of the subtype relation between τ and σ, and use Theorem 17 to show that c is typable as τ → σ. We can then easily show that the term c t is typable as Γ ` c t : τ.

The next step is to show that the elaboration relation is compatible with the typing relation. For the paper version, this is simple, but due to the use of co-ﬁnite quantiﬁcation in the mechanized proof, this requires quite some machinery.

Theorem 19 (typing and elaboration compatibility) typing elaborate on page 111 0 Whenever Γ ` t:τ ,→ t then Γ ` t:τ. 2

0 PROOF By induction on the derivation of Γ ` t:τ ,→ t .

Theorem 20 (elaboration algorithm) elaborate typing on page 111 0 0 Whenever Γ ` t:τ then there exists a term t such that Γ ` t:τ ,→ t . 2

PROOF By induction on the derivation of Γ ` t:τ.

Now, for an elaboration Γ ` t:τ ,→ t0, we also wish to make sure that t0 is of the right ∨ 0 + 0 type. However, since t is a λ∧-term, and t is a λ×-term, we cannot simply type t with τ. Instead, we ﬁrst deﬁne the following bijection between types of these calculi.

∨ + Deﬁnition 33 (bijection between λ∧ and λ×) ∨ + Let the function | · | be the following bijection between types in λ∧ and λ×.  |τ | + |τ | τ = τ ∨ τ  1 2 if 1 2  |τ1| × |τ2| if τ = τ1 ∧ τ2  |τ | → |τ | if τ = τ → τ |τ| = 1 2 1 2 ⊥ if τ = ⊥  > τ = >  if  τ if τ ∈ Var 2

Note that this deﬁnition has no Coq counterpart, since we exploit the fact that the ∨ + grammars of the type-systems for λ∧ and λ× are isomorphic, and hence use the same grammar for both.

Theorem 21 (elaboration subject reduction) elaboration subject reduction on page 111 0 0 For any elaboration Γ ` ∨ t:τ ,→ t we have Γ ` + t :|τ|. 2 λ∧ λ×

0 ROOF Γ ` ∨ τ ,→ P By induction on the derivation of λ∧ t: t .

54 Technical University Eindhoven ∨ 4.2. Unrestricted Union and Intersection Types λ∧ Master’s Thesis

∨ The behavior of the static semantics of λ∧ can now be summarized with the following theorem. ∨ Theorem 22 (static semantics of λ∧) static semantics on page 111 Let Γ be a typing-context and ∆ a coercion-context such that Γ ♥∆. Then if Γ , co2su(∆) ` + λ× ∨ 0 + 0 t:τ, there exists a λ -term t and a λ -term u such that Γ ` + t :τ ,→ u and Γ ` + u:|τ|. 2 ∧ × λ× λ×

PROOF A direct consequence of Theorems 18, 20 and 21.

∨ An interesting corollary of this theorem is the fact that ⊥ is uninhabitable in λ∧. Theorem 23 (⊥ is uninhabitable) untypable bottom on page 111 No term t exists such that · ` t:⊥. 2

+ PROOF Instead of proving this from ﬁrst principles like with did for λ×, we can now + use Theorem 22 to show that there must exist a λ -term u such that · ` + u:⊥, which × λ× leads to a direct contradiction using Theorem8.

4.2.2.2. Dynamic Semantics

We now arrive at the most signiﬁcant correctness question: Is the elaboration consistent ∨ with the over-approximation 7→? That is, we wish to show that if a λ∧-term t elaborates + 0 to a λ -term u, and u 7→ + u , then we can simulate this reduction with the over- × λ× ∗ 0 0 approximation such that t 7→ ∨ t , in such a way that t can then be elaborated directly λ∧ to u0. A complication here is that it might take either zero, one, or more steps of the over-approximation to perform the simulation:

zero If we type the term λx.x as τ → τ ∧ σ → σ, then the term (λx.x) y elaborates to

(proj1((λx.x), (λx.x))) y. We can then reduce this term to (λx.x) y. Nothing needs to happen in order to simulate this step, the original term already was (λx.x) y.

one Consider the same term (λx.x) y, but now type λx.x as τ → τ. The term simply elaborates to itself, so when we contract the redex to y, this needs to be simulated in exactly one step.

two Consider the term ((λx.x) ⊗ g) y. Note that it is possible to completely disregard the type of g, and type (λx.x) ⊗ g as τ → τ. The whole term then elaborates to (λx.x) y, which in turn reduces to y. In order to simulate this, we have to perform the two steps ((λx.x) ⊗ g) y 7→ (λx.x) y 7→ y.

7→ ∨ Because we are dealing with the transitive version of λ∧ here, we must ﬁrst develop transitive versions of some of the normal reduction rules. ∨ Lemma 16 (transitive reduction rules for λ∧) ∗ 0 ∗ 0 1. If t 7→ t then t u 7→ t u cbv app1 trans on page 111

Department of Mathematics and Computer Science 55 ∨ Master’s Thesis 4. Formalization of λ∧

∗ 0 ∗ 0 2. If t is a value and u 7→ u then t u 7→ t u cbv app2 trans on page 111 3. If t 7→∗ t0 and u 7→∗ u0 then t u 7→∗ t0 u0 cbv app trans on page 111

∗ 0 ∗ 0 4. If t 7→ t then t ⊗ u 7→ t ⊗ u cbv merge1 trans on page 111 ∗ 0 ∗ 0 5. If u 7→ u then t ⊗ u 7→ t ⊗ u cbv merge2 trans on page 111

PROOF By induction on the deﬁnition of the transitive closure of a relation. Using these rules, we can show a special case of our consistency theorem for values. Lemma 17 (value consistency) value monotonicity on page 111 + ∗ 0 Let v be a λ -value such that Γ ` t:τ ,→ v. Then there must be a reduction t 7→ ∨ t such that × λ∧ 0 Γ ` t :τ ,→ v. 2

PROOF By induction on the derivation of Γ ` t:τ ,→ v. The only interesting case is ∨ λ∧,→ ∧INTRO . In this case, we have an elaboration Γ ` t :σ ∧ τ ,→ (v1, v2). From the 0 0 ∗ 0 induction hypothesis, we know that there must be two terms t1 and t2 such that t 7→ t1 ∗ 0 0 0 and t 7→ t2. We also know that t1 and t2 elaborate respectively to v1 and v2. We must however, obtain a value that elaborates to (v1, v2). This is done with the following reduction chain. ∗ 0 ∗ 0 0 t 7→ t ⊗ t 7→ t1 ⊗ t 7→ t1 ⊗ t2 Since the merge of two values is also a value, this is indeed correct. It is now not difﬁcult 0 0 to show that Γ ` t1 ⊗ t2 :σ ∧ τ ,→ (v1, v2) We also create a special case of the consistency theorem for λ-abstractions. Lemma 18 (abstraction consistency) abs value on page 112 ∗ 0 0 If Γ ` t :σ → τ ,→ λx.u, then there must be a reduction t 7→ ∨ λx.t such that Γ ` λx.t :σ → λ∧ τ ,→ λx.u. 2

PROOF By induction on the derivation of Γ ` t :σ → τ ,→ λx.u. It then follows that t is either already a λ-abstraction, or it is a merge, in which case we have from the induction hypothesis that one side of the merge reduces to a λ-abstraction. Without loss ∗ 0 0 of generality, assume we have t = t1 ⊗ t2 such that t1 7→ λx.t1 and λx.t1 elaborates to λx.u. We are then done by showing that we can make the reduction chain

t ⊗ t 7→ t 7→∗ λx t0 1 2 1 . 1. The next step is a version of the substitution lemma for elaborations. Lemma 19 (substitution lemma) subst elaboration on page 111 0 0 0 0 If Γ , x:σ ` t:τ ,→ t and Γ ` u:σ ,→ u , then Γ ` t[x 7→ u] : τ ,→ t [x 7→ u ]. 2

PROOF Although somewhat more complicated because we have to deal with two sub- + stitutions, the proof proceeds along the same lines of the corresponding lemma of λ×, see Lemma3.

56 Technical University Eindhoven ∨ 4.2. Unrestricted Union and Intersection Types λ∧ Master’s Thesis

We now only need some simple inversion properties before we are able to give our ﬁnal theorem.

Lemma 20 (inversions for elaborations)

0 0 1. If Γ ` t : τ ∨ σ ,→ inj1 t then Γ ` t : τ ,→ t elaboration inj1 on page 112 0 0 2. If Γ ` t : τ ∨ σ ,→ inj2 t then Γ ` t :σ ,→ t elaboration inj2 on page 112 0 0 0 0 3. If Γ ` t : τ ∧ σ ,→ (t1, t2) then Γ ` t : τ ,→ t1 and Γ ` t :σ ,→ t2 elaboration pair on page 112

PROOF By induction on the derivation of the elaborations.

Theorem 24 (consistency) consistency on page 112 0 0 For any elaboration Γ ` t:τ ,→ u such that u 7→ + u there must exist a term t such that λ× ∗ 0 0 0 t 7→ ∨ t and Γ ` t :τ ,→ u . 2 λ∧

PROOF By induction on the derivation of Γ ` t:τ ,→ u. Most cases proceed in approximately the same manner. We show the proofs for three interesting cases.

λ∨,→ rule → ELIM ∧ : In this case, we have that t = f p and u = g q. There are three possible reductions of g q. g 7→ g0: In this case, we know from the induction hypothesis that there is a f 0 such that f 7→∗ f 0. We then use Lemma 16 to obtain f p 7→∗ f 0 p. It is easy to see that f 0 p elaborates to g0 q. q 7→ q0: Because we use pass-by-value reduction, we know that g is a value. We then use Lemma 17 to obtain the result that there must exist a value f 0 that elaborates to g such that f 7→∗ f 0. From the induction hypothesis we know that there exists a term p0 that elaborates to q0 such that p 7→∗ p0. We then again use Lemma 16 to obtain f p 7→∗ f 0 p0. The term f 0 p0 trivially elaborates to g0 q0. g = λx.g0: We now have the reduction (λx.g0) q 7→ g0[x 7→ q], and know that q is a value. Using Lemma 17, we obtain a value p0 that elaborates to q such that p 7→∗ p0. Lemma 18 gives us an term λx. f 0 that elaborates to λx.g0 such that f 7→∗ λx. f 0. Using Lemma 16, this gives us f p 7→∗ (λx. f 0) p0 7→ f 0[x 7→ p0]. We must then show that f 0[x 7→ p0] elaborates to g0[x 7→ q]. This is easily done with the help of Lemma 19.

λ∨,→ rule → ELIM ∧ : We now have t = f p and u = case q of g. There are now four possible possible reductions for u. g 7→ g0 or q 7→ q0: These two reductions follow the same pattern as the ﬁrst two reductions of the previous case.

Department of Mathematics and Computer Science 57 ∨ Master’s Thesis 4. Formalization of λ∧

0 0 g and q are values: This means that g = (g1, g2) and q is either inj1 q or inj2 q . 0 Without loss of generality, assume q = inj1 q . We then have that 0 0 case inj1 q of(g1, g2) 7→ g1 q . 0 Because both (g1, g2) and inj1 q are values, we can use Lemma 17 twice to obtain terms f 0 and p0, such that f p 7→∗ f 0 p0 (using Lemma 16). We also 0 0 0 know that f elaborates to (g1, g2) and p elaborates to inj1 q . We then use 0 0 Lemma 20 to conclude that f must also elaborate to g1 and that p must also elaborate to q0. The ﬁnal step is to trivially deduce that f 0 p0 must elaborate to 0 g1 q .

∨ ∨ λ∧,→ λ∧,→ rules ⊗INTRO1 and ⊗INTRO2 : For these rules, we have t = t1 ⊗ t2 and a reduction u 7→ u0. The induction hypothesis gives us that there exists t0, that elaborates to 0 ∗ 0 ∗ 0 ∗ 0 u such that either t1 7→ t or t2 7→ t . We then simply conclude that t1 ⊗ t2 7→ t , which is exactly what we need.

To fully complete our development, we also include a transitive version of the consistency theorem.

Theorem 25 (dynamic semantics) dynamic semantics on page 112 ∗ 0 0 For any elaboration Γ ` t:τ ,→ u such that u 7→ + u there must exist a term t such that λ× ∗ 0 0 0 t 7→ ∨ t and Γ ` t :τ ,→ u . 2 λ∧

PROOF Follows by induction on deﬁnition of the transitive closure, and Theorem 24.

4.2.2.3. Decidability

∨ In Section 2.1.3.1 on page 15 we already saw that type-inference for λ∧ is undecidable. However, we also discussed some methods to add type-hints that make the calculus decidable again. This still requires us to have a decision procedure for the subtyping relation, however. There are two challenges in creating such an algorithm, that have prevented the author from finishing it in time. First, the deduction rules for the subtyping relation as stated above cannot be used in a syntax-directed manner. For example, it is easy to get into an infinite regress, by successively apply the transitive rule. It is possible to define an equivalent set of rules that are more suitable for syntax-directed use. Such rules are indeed used by Dunfield [4]. This does mean that the rules become somewhat more complicated. Therefore, we have chosen for the simpler, declarative rules. It is, however, rather difficult to show that these two presentations of subtyping rules are equal. The second problem lies within the subtyping-context. We use a subtyping-context where variables may be bounded both from below and above, such as τ 4 α 4 σ. As far as the author knows, this is a rather unique approach. Normally variables may only be bounded from above. There is a good reason for this. If we have the subtyping assertion τ 4 α 4 σ, it follows from transitivity that τ 4 σ. Because both τ and σ may be chosen

58 Technical University Eindhoven ∨ 4.2. Unrestricted Union and Intersection Types λ∧ Master’s Thesis

freely, it is possible to create malicious subtypings such as τ1 ∨ τ2 4 σ1 → σ2. With such strange subtypings in the context, it becomes impossible to make a complete decision procedure for the subtyping relation. Another issue is the possibility for recursive subtyping assertions such as τ 4 α 4 σ → α. Such assertions also open up the possibility of inﬁnite regress. To prevent these malformed contexts from being formed, we propose the following notion of a well-formed context.

Deﬁnition 34 (well-formed subtyping context) subtyping’ on page 103 A subtyping context ∆ is well-formed for a given subtyping relation ∆ ` τ 4 σ if ∆ is 0 the empty context · or if ∆ = ∆ , τ 4 α 4 σ and • context ∆0 is well-formed;

• the type variable α does not occur in σ and τ;

0 • the judgment ∆ ` τ 4 σ holds. 2

We claim that with this notion, these problems should largely be resolved. The Coq code accompanying this thesis contains a partial proof that a decision procedure for the subtyping relation exists. However, since it is not completed, we will not describe it here further.

Department of Mathematics and Computer Science 59 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

∨ 5. Formalization of λ∧ with Mutations

∨ Now that we have a full formalization of λ∧ without mutation, we proceed by adding the notion of an assignment operator, using the pass-by-sharing evaluation strategy as explained in Section 2.2.3 on page 27. The general structure of the elaboration process remains the same, and many definitions and proofs need to have little or no change. We will therefore often only note the changes with respect to the previous chapter and give a reference to the revised Coq definition inline in the text. We will show that by using pass-by-sharing instead of reference types, we circumvent all problems that are normally associated with computational effects. As shown in Section 2.2.3, for intersections without a merge operator, these problems exhibit itself in the subject reduction property, which no longer holds. However, as noted by Dunfield [4], for unrestricted union and intersection this is not the case. This is a consequence of the additional elaboration step we take, and the fact that the subject reduction property does hold for algebraic datatypes with reference types. So how does the problem exhibit itself? For this, recall the following example that shows the problem: let b = ref 1 in b := 0; ! b

We showed in Section 2.2.3 that by typing ref 1 as N ∧ N+, this term evaluates to 0 while it is typable as N+. Would we elaborate such a term to algebraic datatypes, one would end up with let b = (ref 1, ref 1) in

(proj1 b) := 0;

!(proj2 b). The term ref 1 is elaborated to the pair (ref 1, ref 1) because it is typed as an intersection type. It is easy to see that the whole term can still be typed as N+. However, the term no longer evaluates to 0 but rather to 1 because the assignment operator selects the left part of b and the dereferencing operator selects the right part of b. Therefore the subject reduction property is preserved. The property that is being violated instead is the read-after-write property. One would expect that if one assigns a term t to a variable and subsequently reads this value, the result will be t. That is not the case here, however. Using the pass-by-value strategy, such a violation can never happen, because the left- hand-side of the assignment operator only accepts variables instead of complete terms that evaluate to a variable. Although it is trivial, we will show that the read-after-write + ∨ property therefore indeed holds in both λ× and λ∧.

60 Technical University Eindhoven + 5.1. Mutable Algebraic Data Types λ× Master’s Thesis

+ 5.1. Mutable Algebraic Data Types λ× 5.1.1. Deﬁnitions

∨ The types of λ∧ do not need to be adapted in order to add computational effects to the calculus. For the grammar, however, we have to add the assignment operator.

+ Deﬁnition 35 (grammar of λ× terms) term on page 113 + The grammar of a term in λ× is deﬁned as follows.

t ::= v | () | (t t) | (λv.t) | (t, t) | (v := t)

v ∈ Var 2

An assignment x := t has the intuitive effect that the variable x will be updated to contain t. Given that we only added an assignment operator, the notion of value does not have to be changed ( value on page 115). The biggest change occurs in the operational semantics. Our reduction relation now has to keep track of key-value store Σ, and we have to add rules that update this store.

+ Deﬁnition 36 (operational semantics of λ×) cbv on page 115 + The relation 7→ represents the operational semantics of λ×. It relates pairs consisting of a store Σ and a term t with each other. We denote such a pair as Σ . t. The relation is deﬁned as the smallest relation closed under the following rules.

0 0 Σ1 . t 7→ Σ2 . t + Σ1 . u 7→ Σ2 . u t ∈ Value + λ× λ× 0 7→ APP1 0 7→ APP2 Σ1 . t u 7→ Σ2 . t u Σ1 . t u 7→ Σ2 . t u

0 ∈ Σ Σ . 7→ Σ . + x:t λ+ 1 t 2 t λ 7→ VAR × 7→ ASSIGN × Σ . x 7→ Σ . t Σ . x := t 7→ Σ . x := t0 1

∈ + ∈ t Value λ u Value λ+ 7→ ASSIGN × 7→ ABS × Σ . x := t 7→ Σ , x:t . () 2 Σ . (λx.t)u 7→ Σ , x:u . t

0 0 Σ1 . t 7→ Σ2 . t + Σ1 . t 7→ Σ2 . t + λ× λ× 0 7→ PROJ1 0 7→ PROJ2 Σ1 . proj1 t 7→ Σ2 . proj1 t Σ1 . proj2 t 7→ Σ2 . proj2 t

t ∈ Value u ∈ Value + t ∈ Value u ∈ Value + λ× λ× 7→ UNPROJ1 7→ UNPROJ2 Σ . proj1(t, u) 7→ Σ . t Σ . proj2(t, u) 7→ Σ . u

0 0 Σ1 . t 7→ Σ2 . t + Σ1 . u 7→ Σ2 . u t ∈ Value + λ× λ× 0 7→ PAIR1 0 7→ PAIR2 Σ1 . (t, u) 7→ Σ2 . (t , u) Σ1 . (t, u) 7→ Σ2 . (t, u )

Department of Mathematics and Computer Science 61 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

0 0 Σ1 . t 7→ Σ2 . t + Σ1 . t 7→ Σ2 . t + λ× λ× 0 7→ INJ1 0 7→ INJ2 Σ1 . inj1 t 7→ Σ2 . inj1 t Σ1 . inj2 t 7→ Σ2 . inj2 t

0 Σ1 . t 7→ Σ2 . t u ∈ Value + λ× 0 7→ CASE11 Σ1 . case t of u 7→ Σ2 . case t of u

0 Σ1 . u 7→ Σ2 . u + λ× 0 7→ CASE12 Σ1 . case t of u 7→ Σ2 . case t of u

t ∈ Value u ∈ Value + λ× 7→ CASE21 Σ . case inj1 t of u 7→ Σ . (proj1 u) t

t ∈ Value u ∈ Value + λ× 7→ CASE22 Σ . case inj2 t of u 7→ Σ . (proj2 u) t

+ λ+ λ+ λ× × × Apart from the addition of the rules 7→ VAR , 7→ ASSIGN1 and 7→ ASSIGN2 the λ+ only signiﬁcant change occurs in 7→ ABS × . Because we wish to have the ability to mutable variables, we cannot perform a direct substitution when contracting a redex. Instead, we save the term that would normally be substituted in the store. Then, when a λ+ variable needs to be evaluated, we retrieve this value from the store using 7→ VAR × . This can be seen as a form of delayed substitution. This delayed substitution is also the main source of the difference between reference types and the pass-by-sharing strategy. As can be seen in Section 2.2.2 on page 23, with reference types a normal, direct substitution is performed. The creation of a new cell is instead performed by the following rule.

t ∈ Value Σ . ref t 7→ Σ , x:t . x

Note however that the net effect for a redex Σ . (λx.t) ref u is the same, because it reduces in two steps to Σ , x:u . t. This means that there is practically no difference in the operational semantics of reference types and pass-by-sharing, except that reference types need to be explicitly dereferenced.

+ Deﬁnition 37 (static semantics for λ×) typing on page 117 All the previously deﬁned rules for the relation Γ ` t:τ remain. We only add the following rule to deal with assignments.

τ ∈ ΓΓ ` τ x: t: λ+ ASSIGN × Γ ` x := t : > 2

62 Technical University Eindhoven + 5.1. Mutable Algebraic Data Types λ× Master’s Thesis

5.1.2. A Notion of Equivalence

The new evaluation strategy no longer only operates on terms but also on stores. That means that 7→ is technically no longer deterministic. This can be seen because rule λ+ 7→ ABS × can choose the variable that is added to the store freely (note that this fact relies rather heavily on the convention that α-conversions are executed automatically). Another problem is that we will want to compare terms that are similar, but have stores with different orderings, or one store has an additional unreachable key. In order to remedy this, we need an equivalence relation for pairs of stores and terms. For this, we note that we can view the pair Σ . t as a graph, where the nodes are the set of terms in Σ, including t. We then draw an edge between two terms p and q if p contains a free variable x such that x:q ∈ Σ. Armed with this insight, we will take inspiration from the notion of bisimulation [35] in order to define our equivalence. To do this, we begin with a notion of equivalence on terms only. + Definition 38 (equivalence for λ×-terms) term eq on page 119 Let R be a relation on variables. We then define the relation t ≈R u between terms t and u as the syntactic equality, except for free variables, which should be relatable by R. 2

Lemma 21 (≈R is an equivalence) termEquivalence on page 119 Let R be an equivalence on variables. Then the relation ≈R is also an equivalence. 2

PROOF By induction on the deﬁnition of ≈R.

Lemma 22 (compatibility of ≈R and values) value term eq on page 123 Let v1 ≈R v2 such that v1 is a value. Then v2 is also a value. 2

PROOF By induction on the deﬁnition of ≈R.

Lemma 23 (R-permutation) term eq extend2 on page 123 0 Let R and R be relations on variables such that t ≈R u. We then have t ≈R0 u whenever the following holds. 0 ∀x, y, (x ∈ fv(t) ∧ y ∈ fv(u) ∧ xRy) ⇒ xR y 2

PROOF By induction on the structure of t ≈R u.

We can then extend this notion of equivalence to pairs as follows. + Deﬁnition 39 (R-equivalence for λ×-pairs) store term eq’ on page 122 Let R be a relation on variables. We then deﬁne the relation Σ1 . t ≈R Σ2 . u on pairs as follows. The relation Σ1 . t ≈R Σ2 . u holds whenever:

1. t ≈R u

2. For all variables x1, x2 and term p1 such that x1Rx2 and x1:p1 ∈ Σ1 there exists a term p2 such that x2:p2 ∈ Σ2 and p1 ≈R p2.

Department of Mathematics and Computer Science 63 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

3. For all variables x1, x2 and term p2 such that x1Rx2 and x2:p2 ∈ Σ2 there exists a term p1 such that x1:p1 ∈ Σ1 and p1 ≈R p2. 4. R is a one-to-one relation. That is: • If xRy and xRz then y = z.

• If yRx and zRx then y = z. 2

+ Deﬁnition 40 (equivalence for λ×-pairs) store term eq on page 122 Two pairs are equivalent, denoted by Σ1 . t ≈ Σ2 . u, if there exists a relation R such that Σ1 . t ≈R Σ2 . u. 2

Of the four requirements for this equivalence, the ﬁrst three are fairly standard for a bisimulation-relation. The last is non-standard however. Normally, it is alright for two graphs to be equal if one is an unfolding of another. For example, the following graphs are equivalent under normal bisimulation.

start t x start t1 t2 x

For us, this represents a problem, however, because we would like the equivalence to be compatible with the reduction relation. That is, if t ≈ u and t 7→ t0 and u 7→ u0, then we would like t0 ≈ u0 to hold. If we omit the one-to-one mapping requirement, then a counterexample to this compatibility is as follows.

x : (λz.x) . x := t; x ≈ x : (λz.y), y : (λz.x) . x := t; y

Recall that ; is deﬁned as the statement separator, such that a; b ≡ (λx.λy.y) a b. These terms are equal under the relation R = {(x, x), (x, y)}. However, after one step, we end up with the following. x:t . x 6≈ x:t, y : (λz.x) . y These terms are obviously not equal anymore. Using a one-to-one relation remedies this problem, because then pairs are no longer equal if one is an unfolding of another. Although the one-to-one restriction works, it also wrongly excludes many equalities when assignments are not used in terms. For our purposes, this notion of equivalence is strong enough, however. Theorem 26 (≈ is an equivalence) storetermEquivalence on page 123 The relation ≈ is an equivalence. 2

PROOF Reﬂexivity: Easily proved by choosing R to be the identity-relation.

0 Symmetry: Now we must prove that given Σ1 . t ≈R Σ2 . u, there exists a relation R 0 −1 such that Σ2 . u ≈R0 Σ1 . t. This can be shown by taking R = R .

64 Technical University Eindhoven + 5.1. Mutable Algebraic Data Types λ× Master’s Thesis

Transitivity: We are given relations Σ1 . t ≈R1 Σ2 . u and Σ2 . u ≈R2 Σ3 . v and must 0 show that there exists R such that Σ1 . t ≈R0 Σ3 . v. This is shown by taking 0 R = R1; R2.

Before we can prove that ≈ is indeed compatible with 7→, we ﬁrst have to solve one additional problem. Consider the pair x:λy.z . (λy.y)v. Note that the variable z does not occur in the store. Because of α-conversion, we are then allowed to perform two different reductions to x:λy.z, z:v . z and x:λy.z, y:v . v. These terms are no longer equivalent. Note that Barendregt’s convention does not save us here, because it does not apply to the store. In the Coq-formalization, de Bruijn indices also do not help, because unbounded variables can still occur in the store. For this reason, we have to introduce the notion of a closed pair.

Deﬁnition 41 (S-closed pairs) closed’ on page 123 Let S be a set of variables. A pair Σ . t is S-closed, denoted as closedS(Σ . t), if ∀x, x ∈ fv(t) ⇒ x ∈ S. Additionally, for all x ∈ S, we have that there exists a term u with x:u ∈ Σ and ∀y, y ∈ fv(u) ⇒ y ∈ S. 2

Deﬁnition 42 (closed pairs) closed on page 123 A pair Σ . t is S-closed, denoted as closed(Σ . t), if there exists a set S such that closedS(Σ . t) holds. 2

Note that this deﬁnition allows for stores that contain terms that are not closed, as long as those terms are not reachable. We now develop some properties about closed pairs. Lemma 24 (closed is compatible with 7→) closed cbv on page 123 If closed(Σ1 . t) and Σ1 . t 7→ Σ2 . u, then closed(Σ2 . u). 2

PROOF We strengthen the induction hypothesis, to the following: If closedS(Σ1 . t) and 0 Σ1 . t 7→ Σ2 . u, then there exists a set S such that closedS∪S0 (Σ2 . u). We then proceed 0 by induction on Σ1 . t 7→ Σ2 . u. In most cases, we can keep S empty, except when a variable is added to the store.

Lemma 25 (closed is compatible with ≈) closed store term eq on page 123 If closed(Σ1 . t) and Σ1 . t ≈ Σ2 . u, then closed(Σ2 . u). 2

PROOF Let S be the set such that closedS(Σ1 . t) and R the relation such that Σ1 . t ≈R 0 Σ2 . u. Now let S = {x | ∃y, y ∈ S ∧ yRx}. It is then relatively simple to show closedS0 (Σ2 . u).

Now, in order to formulate a strong enough induction hypothesis that can prove the compatibility of ≈ and 7→, we note that our deﬁnition of equivalence is such that if Σ1 . t ≈R Σ2 . u, then R may contain a pair of variables (x, y) that does not occur in t and u. This is completely harmless. However, when we reduce Σ1 . t and Σ2 . u it can happen that Σ1 gets extended with an additional variable, which can incidentally be

Department of Mathematics and Computer Science 65 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

chosen to be x. This extra pair of variables in R can then get in the way of proving an equivalence of these reduced terms. We therefore have eliminate all spurious pairs that occur in R.

Lemma 26 (≈R minimalization) store term eq minimal on page 123

Let closedS1 (Σ1 . t), closedS2 (Σ2 . u) and Σ1 . t ≈R Σ2 . u. Then deﬁne

R↓ = {(x, y) | xRy ∧ x ∈ S1 ∧ y ∈ S2 ∧ x ∈ Σ1 ∧ y ∈ Σ2}.

We then have Σ1 . t ≈R↓ Σ2 . u 2

PROOF We ﬁrst need to show that t ≈R↓ u. We do this using Lemma 26. Note that if we have x and y such that xRy, x ∈ fv(t) and y ∈ fv(u), then according to the deﬁnition of closed pairs, x must be in S1 and Σ1 and y must be in S2 and Σ2. This is what was required. The other three conditions for Σ1 . t ≈R↓ Σ2 . u follow by simple case analysis.

Lemma 27 (minimal consistency of ≈ and 7→) store term eq cbv on page 123

Let Σ1 . t ≈R Σ2 . u such that closedS1 (Σ1 . t) and closedS2 (Σ2 . u). Now take

R↓ = {(x, y) | xRy ∧ x ∈ S1 ∧ y ∈ S2 ∧ x ∈ Σ1 ∧ y ∈ Σ2}.

0 0 0 0 0 If Σ1 . t 7→ Σ1 . t , then there must exist a relation R with R↓ ⊆ R and a term u such that 0 0 0 0 0 0 Σ2 . u 7→ Σ2 . u and Σ1 . t ≈R0 Σ2 . u . 2

0 0 PROOF We proceed by induction on Σ1 . t 7→ Σ1 . t . Most cases proceed in the same way. We discuss some interesting examples.

+ λ× 0 0 rule 7→ APP2 : This is a very typical case. We have t = t1 t2 and t = t1 t2, such that t1 0 0 is a value and Σ1 . t2 7→ Σ1 . t2. Because t1 t2 ≈R u, we must have that u = u1 u2. 0 0 We can then use the induction hypothesis to obtain a relation R with R↓ ⊆ R and 0 0 0 0 0 0 0 a value u2 such that Σ2 . u2 7→ Σ2 . u2 and Σ1 . t2 ≈R0 Σ2 . u2. It is then easy to 0 0 show using Lemma 22 that Σ2 . u1 u2 7→ Σ2 . u1 u2. What remains, is to show that 0 0 0 0 Σ1 . t1 t2 ≈R0 Σ2 . u1 u2. There are four conditions that need to be met for this to hold. The last three conditions follow immediately because we already know that 0 0 0 0 0 0 Σ1 . t2 ≈R0 Σ2 . u2. We are then left with proving t1 t2 ≈R0 u1 u2, which breaks 0 0 down to proving t1 ≈R0 u1 and t2 ≈R0 u2. The second part follows immediately. For the ﬁrst part, however, can only show t1 ≈R u1. Note the discrepancy between 0 R and R . To solve this discrepancy, we use Lemma 26 to obtain t1 ≈R↓ u1. Finally, 0 we can use Lemma 23 together with R↓ ⊆ R to obtain the desired result.

+ λ× 0 rule 7→ ASSIGN2 : Here, we have t = x := v and t = (), where v is a value, such that the reduction that happens is Σ1 . x := v 7→ Σ1, x:v . (). Because x := v ≈R u, we 0 0 must have that u = y := v with xRy and v ≈R v . Because R already contains the pair (x, y), we can simply choose R0 = R. All obligations are then relatively easy to prove.

66 Technical University Eindhoven + 5.1. Mutable Algebraic Data Types λ× Master’s Thesis

+ λ× 0 0 rule 7→ ABS : In this case, we have a reduction Σ1 . (λx.t ) v 7→ Σ1, x:v . t . We also have that u = (λy.u0) v0. From Lemma 22 it follows that v0 is a value, such that 0 0 0 0 0 we can make the contraction Σ2 . (λy.u ) v 7→ Σ2, y:v . v . Now, take R = R↓ ∪ 0 0 0 {(x, y)}. We must show Σ1, x:v . t ≈R0 Σ2, y:v . v . The last three requirements for 0 0 this equivalence are easily proved with some bookkeeping. To show that t ≈R0 v , 0 0 note that we have t ≈R v . We can then use Lemmas 23 and 26 to obtain the desired result.

Theorem 27 (consistency of ≈ and 7→) store term eq cbv on page 123 0 0 0 0 Let closed(Σ1 . t) and Σ1 . t ≈ Σ2 . u. Then if Σ1 . t 7→ Σ1 . t , there must exist a pair Σ2 . u 0 0 0 0 0 0 such that Σ2 . u 7→ Σ2 . u and Σ1 . t ≈ Σ2 . u . 2

PROOF We use Lemma 25 to obtain closed(Σ2 . u). The theorem then follows immediately from Lemma 27.

The last equivalence we introduce is β-equivalence, which is a simple extension of ≈-equivalence over 7→.

Definition 43 (β-equivalence) beta eq on page 123 The β-equivalency is a relation on pairs, denoted as Σ1 . t ≈β Σ2 . u. It is defined as the reflexive, symmetric and transitive closure of the following relation.

{(Σ1 . t, Σ2 . u) | (closed(Σ1 . t) ∧ Σ1 . t 7→ Σ2 . u) ∨ Σ1 . t ≈ Σ2 . u}

Note that we need the left-hand-side of a reduction to be closed, because although closedness is preserved from left to right, this is not the case from right to left. 2

Note that the fact that ≈β is an equivalence follows immediately from the fact that it is a reﬂexive, symmetric and transitive closure.

+ 5.1.3. Correctness Properties of λ× + The most basic correctness properties for λ× remain exactly the same.

• We still have that reducible terms are not values ( cbv value on page 119) and values are not reducible ( value cbv on page 119).

• The determinism of the evaluation strategy also remains provable ( determinism on page 119). Note, however, that duo to a difference in encoding, the paper version must be modulo ≈-equivalence classes, while this is not the case in the Coq version.

• We can still show that ⊥ is uninhabitable ( typing not bottom on page 121 and untypable bottom on page 121).

Department of Mathematics and Computer Science 67 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

• Proofs for the decidability of values and the evaluation strategy also follow approximately the same structure ( value dec on page 122 and cbv dec on page 122). That is where the similarities end, however. The traditional subject reduction property, as proved in Lemma4 on page 37 does not hold for the new evaluation strategy. To see this, recall the following typing-rule and reduction-rule. Γ σ ` τ ∈ , x: t: λ+ u Value λ+ → INTRO × 7→ ABS × Γ ` λx.t :σ → τ Σ . (λx.t) u 7→ Σ , x:u . t Note that in order to type t, a variable needs to be added to Γ , while this variable is not necessary to type (λx.t). Now assume that we can type (λx.t) u as τ under context Γ . This term can be reduced to the term t. In order to type this term, we will need to extend Γ , which means that the traditional subject reduction property fails. We will therefore prove an alternative version of the property, where context-extension is allowed. Another issue we have to address is that the the typing-context must be compatible with the store. That is, we need all terms in a store to be typable under the context. Otherwise, the subject reduction will not hold, since we sometimes substitute terms from the context back to the main term. To remedy this, we introduce the following deﬁnition of compatibility. Deﬁnition 44 (store and context compatibility) Γ ♥Σ on page 118 Typing-context Γ is compatible with store Σ, denoted as Γ ♥Σ, if for all x:τ ∈ Γ there exists a term t such that x:t ∈ Σ and Γ ` t:τ. 2

Before proving the subject reduction property, we ﬁrst need to lay down some foundations. We start with a somewhat stronger version of the context weakening lemma. Lemma 28 (context weakening) context weakening2 on page 121 0 0 Let Γ ` t:τ. Then for any context Γ , we have Γ , Γ ` t:τ. 2

λ+ PROOF By induction on the structure of Γ ` t:τ. The interesting case is → INTRO × , where we have to prove that (Γ 0Γ ), x:σ ` t:τ, while the induction hypothesis gives us Γ 0, (Γ , x:σ) ` t:τ. This is, however, easily remedied with an invocation of Lemma1 on page 36. Lemma 29 (♥ and 7→ compatibility) env cbv on page 121 0 Take Γ and Σ1 such that Γ ♥Σ1. Now, if Γ ` t:τ and Σ1 . t 7→ Σ2 . t , then Γ ♥Σ2 holds. 2

PROOF By induction on the derivation of Γ ` t:τ, and the subsequent analysis of the + 0 λ× structure of Σ1 . t 7→ Σ2 . t . The interesting cases are the rules 7→ ASSIGN2 and λ+ 7→ ABS × . Here, we modify or insert a variable in the context, and have to show that Γ ♥Σ , x:t. That is, if y:σ ∈ Γ then there must be a term u with y:u ∈ Σ , x:t and Γ ` u:σ. Now, if y 6= x, this follows immediately from the fact that Γ ♥Σ. Otherwise, if y = x, we take u = t, so that it is clear that y:u ∈ Σ , x:t is indeed true. The fact Γ ` u:σ then follows from the induction hypothesis.

68 Technical University Eindhoven + 5.1. Mutable Algebraic Data Types λ× Master’s Thesis

We are now equipped to prove a modiﬁed version of the subject reduction property. Theorem 28 (subject reduction) subject reduction on page 121 0 0 Take Γ and Σ1 such that Γ ♥Σ1. Now, if Γ ` t:τ and Σ1 . t 7→ Σ2 . t , then there exists a Γ such that 0 0 0 0 Γ , Γ ` t :τ Γ , Γ ♥Σ2 and not⊥(Γ ) ⇒ not⊥(Γ , Γ ). 2

0 0 PROOF Note that for this proof, we are only interested in Γ , Γ ` t :τ. The other two 0 0 properties Γ , Γ ♥Σ2 and not⊥(Γ ) ⇒ not⊥(Γ , Γ ) are there because we need them for induction-loding purposes in later proofs. The proof proceeds by induction on the 0 structure of Γ ` t:τ and subsequent analyses of Σ1 . t 7→ Σ2 . t . Most cases can be settled by easily by taking Γ 0 = ·, because no extension of the context is necessary. The three requirements then follow easily, with some help from Lemma 28. The interesting case happens when Σ1 . (λx.t) u 7→ Σ1, x:u . t. In this case, we know that Γ ` λx.t :σ → τ and Γ ` u:σ. We can therefore take Γ 0 = x:σ. Showing that the three required properties hold proceeds as follows: Γ 0, Γ ` t:τ: We apply Lemma1 on page 36 to obtain Γ , x:σ ` t:τ, which must be true because Γ ` λx.t :σ → τ holds. 0 Γ , Γ ♥Σ1 . x:u: This proof proceeds similarly to the proof of Lemma 29. 0 0 not⊥(Γ ) ⇒ not⊥(Γ , Γ ): We must show that for all y:ρ ∈ Γ , Γ not⊥(ρ) holds. If x 6= y, this follows immediately from not⊥(Γ ). Otherwise, if x = y, we must show not⊥(σ). For this, we note that Γ ` u:σ, which means that we can use Lemma5 to obtain the desired result.

Theorem 29 (transitive subject reduction) subject reduction trans on page 121 ∗ 0 0 Take Γ and Σ1 such that Γ ♥Σ1. Now, if Γ ` t:τ and Σ1 . t 7→ Σ2 . t , then there exists a Γ such that 0 0 0 0 Γ , Γ ` t :τ Γ , Γ ♥Σ2 and not⊥(Γ ) ⇒ not⊥(Γ , Γ ). 2

PROOF By induction on the definition of the reflexive transitive closure. For the base ∗ 0 case, we can simply use Theorem 28. In the step, we have two reductions Σ1 . t 7→ Σ2 . t 0 ∗ 00 0 00 and Σ2 . t 7→ Σ3 . t , and must find an appropriate Γ such that we can type t . We therefore use the induction hypothesis to obtain Γ1 with the properties 0 Γ1, Γ ` t :τ Γ1, Γ ♥Σ2 and not⊥(Γ ) ⇒ not⊥(Γ1, Γ ).

We then use the induction hypothesis again together with our newly acquired properties to obtain Γ2 such that 00 Γ2, (Γ1, Γ ) ` t :τ Γ2, (Γ1, Γ )♥Σ2 and not⊥(Γ ) ⇒ not⊥(Γ2, (Γ1, Γ )).

Finally, the associativity of the context concatenation operator will give us our ﬁnal properties.

Department of Mathematics and Computer Science 69 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

Finally, we turn to the progress property. This property also has to be modiﬁed somewhat. The previous version, Theorem9 on page 38, only works for typings with an empty context. This is because otherwise the context can contain a type that generates ⊥, which would mean that the evaluation can become stuck. In the new situation, we cannot leave the context empty, however. That is because during evaluation, the context can be extended, meaning that the transitivity of the progress property no longer holds. We will therefore accept non-empty contexts Γ , but stipulate that they must be compatible with the current store Σ, i.e. we must have Γ ♥Σ. However, this means that we have to ensure that Σ cannot contain a term of type ⊥. For this purpose, the previous subject reduction proofs carry the extra property 0 not⊥(Γ ) ⇒ not⊥(Γ , Γ ). With this, we can make sure that we never extend Γ with ⊥-generating type. There is one problem with this approach, however. Although we have previously proved in Theorem8 that no term typable as ⊥ can be concocted, it is possible to create a store that already includes it beforehand. Γ = x : > → ⊥ Σ = x : λy.x It is not difﬁcult to prove that Γ ♥Σ. This might seem strange, because we proved that no such terms exist. And it is indeed impossible to create store Σ from an empty store. But if we start from Σ, this can still result in a problem. We therefore end up with the following progress property. Theorem 30 (progress) progress on page 121 Take Γ and Σ1 such that Γ ♥Σ1 and not⊥(Γ ). Then if Γ ` t:τ then either t ∈ Value or there exists a store Σ2 and a term u such that Σ1 . t 7→ Σ2 . u. 2

PROOF The proof follows a similar pattern as Theorem9 on page 38. To show that this version of the progress property can indeed be applied multiple times, we include the following transitive progress property. Theorem 31 (transitive progress) typing sn value on page 122 Take Γ and Σ1 such that Γ ♥Σ1 and not⊥(Γ ). Now let Σ1 . t be a pair that is reducible only ﬁnitely many times. It then follows that if Γ ` t:τ, then there exists a store Σ2 and a value v ∗ such that Σ1 . t 7→ Σ2 . v. 2

PROOF We use Theorem 30 and Theorem 28 successively until we obtain a value. We end with a proof that shows that no read-after-write violations can occur. Theorem 32 (read after write) read after write on page 122 Let Σ be a store, x a variable and v a value. Then there exists a store Σ 0 such that Σ . x := ∗ 0 v; x 7→ Σ . v. 2

PROOF We simply take the following reduction chain: Σ . x := v x 7→ Σ x v . () x 7→ Σ x v . x 7→ Σ x v . v ; , : ; , : , :

70 Technical University Eindhoven + 5.1. Mutable Algebraic Data Types λ× Master’s Thesis

+ 5.1.4. Turing Completeness of λ× with Mutations + In Section 4.1.3 on page 39 we proved that λ× without mutation is strongly normalizing. + The question is whether or not this is also the case for λ× with mutation. At first sight, it might seem that this should indeed be true. The intuition here is that in most languages that are not strongly normalizing, it is possible to inhabit ⊥. We have proved that this is + not the case for λ× with mutations. However, it turns out that by making clever use of mutations, we can obtain a diverging term. Even more strongly, we will show that we can build a special case of the fixed-point combinator. Let f 0 be the function of type (τ → τ) → τ → τ for which we wish build a fixed- point. Instead of a traditional Y-combinator, we want to build a term that reduces to the following pair. f : λx. f 0 f x . f Because of the recursive nature of the store, this pair intuitively satisfies the expected fixed-point equation f = f 0 f , which means that f is indeed a fixed-point of f 0. However, we wish to build a fixed-point combinator that does not depend on a store that is already populated with a fixed-point. To do this, we will be building a term Y that reduces to the pair above. As this term is quite complex, we will explain how to do this in stages. Let f be an initial approximation of the fixed-point we require. The function λx.x will do for this purpose. Now consider the store

Σ = f : (λx.x), K : ((λx. f 0 f x), (λg. f := g)).

Note that K is a pair, of which the left-hand-side is a second approximation of the ﬁxed- point. With the right-hand-side, we can mutate the initial approximation f . In order to obtain a full ﬁxed-point, we use the pair

Σ . (proj2 K)(proj1 K); (proj1 K).

The term proj1 K selects the second approximation of the ﬁxed-point. The term (proj2 K)(proj1 K) then updates the initial approximation f with this second approximation. By doing this, the store now contains f : λx. f 0 f x, which is exactly what we needed. Using these building blocks, we can now create a term Y that does not depend on a populated store.

Definition 45 (fixed-point combinator) y combinator on page 124 The fixed-point combinator Y is defined as follows.

K ≡ λ f .((λx. f 0 f x), (λg. f := g))

T ≡ λK.(proj2 K)(proj1 K); (proj1 K) 0 Y ≡ λ f .T (K λx.x)). 2

Department of Mathematics and Computer Science 71 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

We do of course wish to show that this term is indeed correct. The ﬁrst step for this is to show that we can actually type this term. It is interesting to note that we cannot give Y the term (τ → τ) → τ for arbitrary τ. That is because the process as outlined above needs to build an initial approximation to the ﬁxed-point. It does not matter what term this is, but it has to be typable as τ. We have already shown that this is in general not possible, because ⊥ is uninhabitable. We therefore, give Y the type ((τ → τ) → (τ → τ)) → (τ → τ)

so that the initial approximation λx.x can indeed be typed. Theorem 33 (ﬁxed-point combinator typing) y combinator typing on page 124 We have · ` Y : ((τ → τ) → (τ → τ)) → (τ → τ) for any type τ. 2

PROOF Let Θ = τ → τ × (τ → τ) → >. It is then not difﬁcult to show that we can give the subterms of Y the following types.

f 0 : (τ → τ) → (τ → τ) ` K : (τ → τ) → Θ f 0 : (τ → τ) → (τ → τ) ` T : Θ → (τ → τ)

· ` Y : ((τ → τ) → (τ → τ)) → (τ → τ).

Theorem 34 (ﬁxed-point combinator speciﬁcation) y combinator spec on page 124 Let h be a function that has been normalized such that h = λk.λy.h0, and let v be a value. Then for any store Σ, such that closed(h) and closed(v), we have

Σ . Y h v ≈β Σ . h (Y h) v. 2

PROOF We will ﬁrst reduce both terms as far as possible, and then show that these reductions are equivalent. We start with the reduction of the term Y h, which both terms contain. In this reduction, we have P = ((λx. f 0 f x), (λg. f := g)).

Σ . Y h 7→ Σ , f 0 : h . T (K λx.x)) 7→ Σ , f 0 : h, f : λx.x . T ((λx. f 0 f x), (λg. f := g))) 7→ 0 ∗ Σ , f : h, f : λx.x, K : P . (proj2 K)(proj1 K); (proj1 K) 7→ 0 0 Σ , f : h, f : λx.x, K : P . (λg. f := g)(λx. f f x); (proj1 K) 7→ 0 0 ∗ Σ , f : h, f : λx.x, K : P, g : λx. f f x . f := g; (proj1 K) 7→ 0 0 0 ∗ Σ , f : h, f : λx. f f x, K : P, g : λx. f f x . proj1 K 7→ Σ , f 0 : h, f : λx. f 0 f x, K : P, g : λx. f 0 f x . λx. f 0 f x

Now let Σ 0 = Σ , f 0 : h, f : λx. f 0 f x, K : P, g : λx. f 0 f x. We then have the reduction

Σ . Y h v 7→∗ Σ 0 . (λx. f 0 f x) v 7→ Σ 0, x:v . f 0 f x 7→∗ Σ 0, x:v . (λk.λy.h0)(λx. f 0 f x) x 7→∗ Σ 0, x:v, k : λx. f 0 f x, y:v . h0.

72 Technical University Eindhoven + 5.1. Mutable Algebraic Data Types λ× Master’s Thesis

On the other side, we have the reduction

Σ . h (Y h) v 7→∗ Σ 0 . (λk.λy.h0)(λx. f 0 f x) v. 7→∗ Σ 0, k : λx. f 0 f x, y:v . h0.

It is then straightforward to prove

0 0 0 0 0 0 Σ , x:v, k : λx. f f x, y:v . h ≈I Σ , k : λx. f f x, y:v . h .

The ﬁnal result can then be obtained from Theorem 27.

It should be noted that having a fixed-point combinator does not guarantee that a calculus is Turing complete. For example, it has been shown by Statman [36] that if one adds a fixed-point combinator to the simply typed λ-calculus, then the halting problem is still decidable. Therefore, this calculus cannot be Turing complete. The reason why this happens will become clear if we try to use Church encodings to simulate µ-recursive functions, as was originally done by Kleene [37]. In a Church encoding, we represent numbers as iterators. If t is a Church encoding for the numeral n, then t f x reduces to f (n)x, that is, we apply f to x for n iterations. For this, we define a term Z for zero, and a successor function S.

Z ≡ λ f .λx.x S ≡ λn.λ f .λx. f (n x)

Using these encodings, one can write λ-terms for addition, multiplication and even subtraction. With these terms, µ-recursive functions can be emulated. However, we must also give these numerals a type. With parametric polymorphism, we can give a numeral the type ∀α, (α → α) → α → α. Using this type, we can use the numerals to iterate arbitrary terms. The subtraction function relies crucially on this ability. It is implemented using a Church encoding of a pair containing a number and a boolean. For + simplicity, we will illustrate this with pairs from λ×. We deﬁne the booleans false (F), true (T), and then the predecessor function P.

F ≡ λa.λ.b.b T ≡ λa.λ.b.a

R ≡ λp.(proj2 p)(S (proj1 p), T)(Z, T)

P ≡ λn. proj1(n R (Z, F)) Term P takes a number n, and produces the number n − 1. This is done by iterating the pair (Z, F) through n using function R. The first time we run (Z, F) through R, the pair (Z, T) will be returned. Only on subsequent iterations will the number be incremented. By not incrementing the number on the first iteration, we obtain the number n − 1. This whole process works only because we can iterate arbitrary terms using n, in this + case pairs. However, in the simply typed λ-calculus and λ×, we cannot give numbers the type ∀α, (α → α) → α → α. Instead, we must use a fixed type (τ → τ) → τ → τ, which means that P is not typable.

Department of Mathematics and Computer Science 73 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

However, when we can use mutations, we can use a clever way to get around this. The type of numerals is ﬁxed as

N ≡ (> → >) → > → >.

We then deﬁne the following external iterator.

Deﬁnition 46 (external iterator) iterator on page 124 We deﬁne the external iterator for Church numerals as follows.

It ≡ λn.λ f .λx.n (λy.x := f x)(); x 2

This function takes a number n, function f and starting element x and iterates x through f . The trick here is that we use n as a “dummy” iterator, while the actual iteration happens within the store, by successively updating x with f x. This term can be typed as follows. Theorem 35 (external iterator typing) iterator typing on page 124 For all types τ, we have · ` It : N → (τ → τ) → τ → τ. 2

PROOF Building a type derivation for this term is straightforward, and will not be shown.

Using this typing, we have recovered the ability to iterate arbitrary terms. We can therefore redeﬁne the predecessor function as follows.

P ≡ λn. proj1(It n R (Z, F)) + This means that λ× with mutations is indeed Turing complete. A full proof of this fact requires that we prove a correctness property for It. It turns out, however, that it is surprisingly complicated to deﬁne a suitable correctness property. We would like to show that for all Σ, f , v and n, we have that

Σ . It (S n) f v ≈β Σ . f (It n f v).

However, in the most general case this is not true, because f might be a diverging function. We could require Σ . f to be strongly normalizing, but this is surprisingly difficult to carry through the induction hypothesis. This proof will therefore be omitted. Note that the Coq-formalization also contains a partial proof that µ-recursive functions + can be simulated in λ×. However, since this has not been finished, we will not describe it here. It is interesting to note that if either mutation or algebraic datatypes are removed from the calculus, it is no longer Turing complete. Removing mutations makes the calculus strongly normalizing as proved earlier. Otherwise, if we remove algebraic datatypes, we can no longer form a pair of functions that access and mutate the fixed- point approximation (we cannot replace these pairs with Church-encoded pairs because the left and right functions have different types).

74 Technical University Eindhoven ∨ 5.2. Mutable Unrestricted Union and Intersection Types λ∧Master’s Thesis

∨ 5.2. Mutable Unrestricted Union and Intersection Types λ∧

5.2.1. Deﬁnitions

∨ The extension of λ∧ with mutations is rather simple. We again extend the term-grammar with an assignment operator.

∨ Deﬁnition 47 (grammar of λ∧ terms) term on page 125 ∨ The grammar of a term in λ∧ is deﬁned as follows.

t ::= v | (t t) | (λv.t) | (t ⊗ t) | (v := t)

v ∈ Var 2

The type-system remains almost entirely the same as it was before. In particular, the subtyping and coercion relation remain the same ( subtyping on page 128 and coercion on page 131). The typing and elaboration relations only need one additional rule to deal with the assignment operator.

∨ Deﬁnition 48 (typing relation for λ∧) Γ „∆ ` t:τ on page 130 Γ ` t:τ on page 130 The previously deﬁned typing relation Γ , ∆ ` t:τ is extended with the following rule for assignment.

x:τ ∈ ΓΓ ` t:τ λ∨ ASSIGN ∧ Γ ` x := t : > 2

∨ Deﬁnition 49 (elaboration relation for λ∧) elaboration on page 132 The previously deﬁned elaboration relation Γ , ∆ ` t:τ ,→ t0 is extended with the following rule for assignment.

0 x:τ ∈ ΓΓ ` t:τ ,→ t ∨ λ∧,→ 0 ASSIGN Γ ` x := t : > ,→ x := t 2

The dynamic semantics of the calculus also remain approximately the same. In particular, we have the same definition of values ( value on page 127). The over- approximation of the evaluation strategy needs to be outfitted with a store, and the rule + for redex contraction needs to be modified in the same way as we did for λ×.

∨ Deﬁnition 50 (over-approximation of operational semantics of λ∧) cbv approx on page 127 ∨ The relation 7→ represents the operational semantics of λ∧ and relates pairs consisting of a store Σ and a term t with each other. We denote such a pair as Σ . t. The relation is

Department of Mathematics and Computer Science 75 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations deﬁned as the smallest relation closed under the following rules.

0 0 Σ . t 7→ Σ . t ∨ Σ . u 7→ Σ . u t ∈ Value ∨ 1 2 λ∧ 1 2 λ∧ 0 7→ APP1 0 7→ APP2 Σ1 . t u 7→ Σ2 . t u Σ1 . t u 7→ Σ2 . t u

0 Σ . 7→ Σ . ∨ x:t ∈ Σ λ∨ 1 t 2 t λ 7→ VAR ∧ 7→ ASSIGN ∧ Σ . x 7→ Σ . t Σ . x := t 7→ Σ . x := t0 1

t ∈ Value λ∨ u ∈ Value λ∨ 7→ ASSIGN ∧ 7→ ABS ∧ Σ . x := t 7→ Σ , x:t . λx.x 2 Σ . (λx.t)u 7→ Σ , x:u . t

λ∨ λ∨ 7→ UNMERGE ∧ 7→ UNMERGE ∧ Σ . t ⊗ u 7→ Σ . t 1 Σ . t ⊗ u 7→ Σ . u 2

0 0 Σ . t 7→ Σ . t ∨ Σ . u 7→ Σ . u ∨ 1 2 λ∧ 1 2 λ∧ 0 7→ MERGE1 0 7→ MERGE2 Σ1 . t ⊗ u 7→ Σ2 . t ⊗ u Σ1 . t ⊗ u 7→ Σ2 . t ⊗ u

λ∨ 7→ SPLIT ∧ Σ . t 7→ t ⊗ Σ . t

∨ 5.2.2. Correctness Properties of λ∧ ∨ Because the static semantics of λ∧ remain almost unchanged, most of the properties regarding to the type-system remain intact. In particular, the following properties are easily adapted.

• The compatibility of the subtyping relation with the coercion relation, and the algorithm to transform a subtyping derivation to a coercion derivation ( coercion subtyping on page 134 and subtyping coercion on page 134).

• The typability of coercion witnesses ( coercion typing on page 135).

• The elimination of the subtype relation from type-derivations ( typing sub elim on page 137).

• The compatibility of the typing relation with the elaboration relation, and the algorithm to transform a typing derivation to a coercion derivation ( typing elaborate on page 137, elaborate typing on page 137).

• The subject reduction property for elaborations ( elaboration subject reduction on page 137).

• The uninhabitability of ⊥ ( untypable bottom on page 137).

• And ﬁnally, we have the summary of the static semantics as given in Theorem 22 on page 55( static semantics on page 137).

76 Technical University Eindhoven ∨ 5.2. Mutable Unrestricted Union and Intersection Types λ∧Master’s Thesis

The consistency of the over-approximation of the evaluation relation with the elaboration relation needs some adaptations to work. Note, however, that the overall structure of the proof remains that same. 7→ ∨ We start with new versions of the transitive reduction rule for λ∧ , including one for ∨ λ∧ 7→ APP1 . ∨ Lemma 30 (transitive reduction rules for λ∧) ∗ 0 ∗ 0 1. If Σ1 . t 7→ Σ2 . t then Σ1 . t u 7→ Σ2 . t u cbv app1 trans on page 137

∗ 0 ∗ 0 2. If t is a value and Σ1 . u 7→ Σ2 . u then Σ1 . t u 7→ Σ2 . t u cbv app2 trans on page 137

∗ 0 ∗ 0 ∗ 0 0 3. If Σ1 . t 7→ Σ2 . t and Σ2 . u 7→ Σ3 . u then Σ1 . t u 7→ Σ3 . t u cbv app trans on page 137

∗ 0 ∗ 0 4. If Σ1 . t 7→ Σ2 . t then Σ1 . t ⊗ u 7→ Σ2 . t ⊗ u cbv merge1 trans on page 137

∗ 0 ∗ 0 5. If Σ1 . u 7→ Σ2 . u then Σ1 . t ⊗ u 7→ Σ2 . t ⊗ u cbv merge2 trans on page 137

∗ 0 ∗ 0 6. If Σ1 . t 7→ Σ2 . t then Σ1 . x := t 7→ Σ2 . x := t cbv assign trans on page 137

PROOF By induction on the deﬁnition of the transitive closure of a relation.

We then proceed with the special cases of value-consistency and abstraction-consistency.

Lemma 31 (value consistency) value monotonicity on page 137 + ∗ 0 Let v be a λ -value such that Γ ` t:τ ,→ v. Then there must be a reduction Σ . t 7→ ∨ Σ . t × λ∧ 0 such that Γ ` t :τ ,→ v. 2

PROOF See Lemma 17 on page 56

Lemma 32 (abstraction consistency) abs value on page 137 ∗ 0 If Γ ` t :σ → τ ,→ λx.u, then there must be a reduction Σ . t 7→ ∨ Σ . λx.t such that λ∧ 0 Γ ` λx.t :σ → τ ,→ λx.u. 2

PROOF See Lemma 18 on page 56.

A simpliﬁcation in the proof is that we no longer perform direct substitutions when when contract a redex. We therefore no longer need a substitution lemma. Instead, we get another problem. The consistency theorem compares the reduction relation of two different calculi. Both these relations work with a store, and in order for the comparisons to work, these stores need to have the same contents. But because the relations work on different calculi, we cannot simply use the same store for both relations. To remedy this, we introduce the notion of an elaborated store.

Department of Mathematics and Computer Science 77 ∨ Master’s Thesis 5. Formalization of λ∧ with Mutations

Deﬁnition 51 (elaborated store) elaborated store on page 138 ∨ ∨ + Let Γ be a λ∧-context, Σ1 a λ∧-store and Σ2 a λ×-store. Now Σ2 is an elaborated store of Σ1 under context Γ , denoted as Γ ` Σ1 ,→ Σ2, under the following condition. If x is a ∨ 0 + 0 variable, τ a λ∧-type and t a λ×-term such that x:τ ∈ Γ and x:t ∈ Σ2, then there must ∨ 0 be a λ∧-term t such that x:t ∈ Γ and Γ ` t:τ ,→ t . 2

Note that this deﬁnition requires every term in Σ2 to have a counterpart in Σ1, but not the other way around. This is done, because the ﬂow of information in the consistency theorem goes from 7→ + to 7→ ∨ . λ× λ∧ Theorem 36 (consistency) consistency on page 138 ∨ ∨ + Let Γ be a λ∧-context, Σ1 a λ∧-store and Σ2 a λ×-store such that Γ ` Σ1 ,→ Σ2. Additionally, 0 take an elaboration Γ ` t:τ ,→ u and reduction Σ . u 7→ + Σ . u . Now there must exist a 2 λ× 3 0 ∨ ∨ 0 context Γ , λ∧-store Σ4 and λ∧-term t such that ∗ 0 0 0 0 0 Σ . t 7→ ∨ Σ . t Γ , Γ ` t :τ ,→ u and Γ , Γ ` Σ ,→ Σ . 1 λ∧ 4 4 3 2

PROOF By induction on the derivation of Γ ` t:τ ,→ u. The general ﬂow of the proof remains the same as before. A difference is that we must now choose a Γ 0 to extend the context when new variables are introduced. This only happens when a redex is contracted. Otherwise, we always choose Γ 0 = ·. We also have the extra proof obligation 0 Γ , Γ ` Σ4 ,→ Σ3. This is required to prove the transitive consistency property below, and can be proved by simple bookkeeping. We can then summarize the dynamic semantics with a transitive version of the consistency theorem. Theorem 37 (dynamic semantics) dynamic semantics on page 138 ∨ ∨ + Let Γ be a λ∧-context, Σ1 a λ∧-store and Σ2 a λ×-store such that Γ ` Σ1 ,→ Σ2. Additionally, ∗ 0 take an elaboration Γ ` t:τ ,→ u and reduction Σ2 . u 7→ + Σ3 . u . Now there must exist a λ× 0 ∨ ∨ 0 context Γ , λ∧-store Σ4 and λ∧-term t such that ∗ 0 0 0 0 0 Σ . t 7→ ∨ Σ . t Γ , Γ ` t :τ ,→ u and Γ , Γ ` Σ ,→ Σ . 1 λ∧ 4 4 3 2

PROOF Follows by induction on deﬁnition of the transitive closure, and Theorem 36. We end again with a proof that that shows that no read-after-write violations can occur. Theorem 38 (read after write) read after write on page 138 Let Σ be a store, x a variable and v a value. Then there exists a store Σ 0 such that Σ . x := ∗ 0 v; x 7→ Σ . v. 2

PROOF We simply take the following reduction chain: Σ . x := v x 7→ Σ x v . () x 7→ Σ x v . x 7→ Σ x v . v ; , : ; , : , :

78 Technical University Eindhoven ∨ 5.2. Mutable Unrestricted Union and Intersection Types λ∧Master’s Thesis

∨ 5.2.3. Turing Completeness of λ∧ with Mutations + ∨ Just like λ×, the λ∧-calculus with mutations is also Turing Complete. We show this by deﬁning a term Y0 that can be shown to elaborate to Y.

Definition 52 (fixed-point combinator) y combinator on page 138 The fixed-point combinator Y0 is defined as follows.

K0 ≡ λ f .(λx. f 0 f x) ⊗ (λg. f := g) T0 ≡ λK0.K0 K0; K0 Y0 ≡ λ f 0.T0 (K0 λx.x)).

Note that this term is obtained from Y simply by removing all projections and translating pairs to merges. 2

Theorem 39 (ﬁxed-point combinator elaboration) y combinator elaboration on page 138 0 For all τ, the elaboration · ` Y : ((τ → τ) → (τ → τ)) → (τ → τ) ,→ Y holds. 2

PROOF Let Θ = τ → τ ∧ (τ → τ) → >. It is then not difﬁcult to show that we can give the subterms of Y0 the following elaborations.

f 0 : (τ → τ) → (τ → τ) ` K0 : (τ → τ) → Θ ,→ K f 0 : (τ → τ) → (τ → τ) ` T0 : Θ → (τ → τ) ,→ T

· ` Y : ((τ → τ) → (τ → τ)) → (τ → τ) ,→ Y.

∨ We can also deﬁne the external iterator It for λ∧ in almost the same way as we did for + λ×. The only change we have to make is to translate the unit () to the identity function λy.y.

Deﬁnition 53 (external iterator) iterator on page 138 We deﬁne the external iterator for Church numerals as follows.

It’ ≡ λn.λ f .λx.n (λy.x := f x) λy.y; x 2

Theorem 40 (external iterator typing) iterator typing on page 138 For all types τ, we have · ` It’ : N → (τ → τ) → τ → τ. 2

PROOF Building a type derivation for this term is straightforward, and will not be shown.

0 ∨ Together, the terms Y and It’ show that the λ∧-calculus with mutations is indeed Turing complete.

Department of Mathematics and Computer Science 79 Master’s Thesis 6. Conclusion and Further Work

6. Conclusion and Further Work

In this thesis, we have seen that unrestricted union and intersection types form a very powerful paradigm that can be used to subsume many other programming language features. At the same time, there are many open problems that have to be solved before these ideas can be used in industry-strength languages. The combination with reference types represents one of these problems, because either the subject reduction property or the read after write property is violated. Although there exist methods to make these language features work together, they all leave something to be desired. We have shown that by using a different model of computational effects, namely the pass-by-sharing evaluation strategy, these problems can be sidestepped completely. At first sight, reference types seem to be more expressive than the pass-by-sharing paradigm. However, we have shown that since unrestricted intersections can be used to create objects, we can create a object boxα that essentially simulates reference types. We therefore claim that there is no real downside to using pass-by-sharing instead of reference types. By side-stepping the problems that occur with reference types, we were also able to ∨ create a version of λ∧ with a subtyping relation that is much stronger than the original version of Dunfield. Our additions to the subtyping relation makes it a complete, bounded and distributive lattice, that also includes distribution of intersections and unions over arrows. It remains an open question whether or not a decision procedure for this subtyping relation exists. Due to its complexity, and our time constraints we have not been able to show this. However, because the subtyping relation is a fragment of a Heyting algebra, which is a model for intuitionistic predicate logic and therefore decidable, we see no reason why such a procedure would not exist. ∨ We have also shown that a side-effect of adding mutations to λ∧ is that the calculus ∨ becomes Turing complete. As it was shown that we can use λ∧ to encode objects, we can now build objects that support open recursion using a fixed-point combinator, without having to add syntax for recursive functions. It should be noted that although we have proved the correctness of the fixed-point combinator, some work remains to formally show that the calculus is Turing complete. ∨ In this thesis, we have not considered the problem of type-checking for λ∧. We have given our calculus in the Curry-style, where no type-hints can be given. It is known however, that in this style, type-inference and type-checking is undecidable. There ∨ is no reason to suspect that we could not modify λ∧ to use either the Church-style, bidirectional type-checking, a rank-k restriction or a combination of those to make type-checking decidable. We leave this as further work. ∨ Finally, the biggest remaining problem for λ∧ is coherency. The calculus we presented is not coherent. Note that this means that while the evaluation of a term is deterministic,

80 Technical University Eindhoven Master’s Thesis

the elaboration process is not. One way to solve this is to always make a consistent, but arbitrary choice when an ambiguous merge occurs. Dunﬁelds convention is to always choose the left merge. For intersection types, another solution exists by requiring the types of merged terms to be disjoint. However, as we saw this solution does not work ∨ when union types are included, and is therefore not applicable for λ∧. It seems that ∨ ﬁnding a solution to this problem is one of the last major problems before λ∧ can be used for mainstream programming languages.

Department of Mathematics and Computer Science 81 Master’s Thesis Bibliography

Bibliography

[1] Mario Coppo and Mariangiola Dezani-Ciancaglini. “An extension of the basic functionality theory for the λ-calculus”. In: Notre Dame Journal of Formal Logic 21.4 (1980), pp. 685–693. [2] Garrel Pottinger. “A type assignment for the strongly normalizable λ-terms”. In: To HB Curry: essays on combinatory logic, lambda calculus and formalism (1980), pp. 561– 577. [3] Benjamin C. Pierce. Types and programming languages. MIT Press, 2002. ISBN: 978-0- 262-16209-8. [4] Joshua Dunfield. “Elaborating intersection and union types”. In: J. Funct. Program. 24.2-3 (2014), pp. 133–165. [5] Patrick Cousot and Radhia Cousot. “Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints”. In: Conference Record of the Fourth ACM Symposium on Principles of Programming Languages, Los Angeles, California, USA, January 1977. Ed. by Robert M. Graham, Michael A. Harrison, and Ravi Sethi. ACM, 1977, pp. 238–252. [6] Joshua Dunfield and Frank Pfenning. “Tridirectional typechecking”. In: Proceed- ings of the 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2004, Venice, Italy, January 14-16, 2004. Ed. by Neil D. Jones and Xavier Leroy. ACM, 2004, pp. 281–292. [7] John C Reynolds. “Design of the programming language Forsythe”. In: ALGOL-like languages. Springer, 1997, pp. 173–233. [8] Michael Sperber, R Kent Dybvig, and Matthew Flatt. Revised [6] Report on the Algorithmic Language Scheme. Vol. 19. Cambridge University Press, 2010. [9] William A Howard. “The formulae-as-types notion of construction”. In: To HB Curry: essays on combinatory logic, lambda calculus and formalism 44 (1980), pp. 479– 490. [10] Philip Wadler. “Propositions as types”. In: Commun. ACM 58.12 (2015), pp. 75–84. [11] Silvia Ghilezan. “Strong Normalization and Typability with Intersection Types”. In: Notre Dame Journal of Formal Logic 37.1 (1996), pp. 44–52. [12] Daniel J. Dougherty. “Some Lambda Calculi with Categorial Sums and Prod- ucts”. In: Rewriting Techniques and Applications, 5th International Conference, RTA-93, Montreal, Canada, June 16-18, 1993, Proceedings. Ed. by Claude Kirchner. Vol. 690. Lecture Notes in Computer Science. Springer, 1993, pp. 137–151.

82 Technical University Eindhoven Bibliography Master’s Thesis

[13] William W. Tait. “Intensional Interpretations of Functionals of Finite Type I”. In: J. Symb. Log. 32.2 (1967), pp. 198–212. [14] Alan M. Turing. “Computability and λ-Deﬁnability”. In: J. Symb. Log. 2.4 (1937), pp. 153–163. [15] Assaf J. Kfoury et al. “Relating Typability and Expressiveness in Finite-Rank Inter- section Type Systems (Extended Abstract)”. In: Proceedings of the fourth ACM SIG- PLAN International Conference on Functional Programming (ICFP ’99), Paris, France, September 27-29, 1999. Ed. by Didier Rémi and Peter Lee. ACM, 1999, pp. 90–101. [16] Benjamin C. Pierce. “Intersection Types and Bounded Polymorphism”. In: Mathe- matical Structures in Computer Science 7.2 (1997), pp. 129–193. [17] J. B. Wells et al. “A Typed Intermediate Language for Flow-Directed Compilation”. In: TAPSOFT’97: Theory and Practice of Software Development, 7th International Joint Conference CAAP/FASE, Lille, France, April 14-18, 1997, Proceedings. Ed. by Michel Bidoit and Max Dauchet. Vol. 1214. Lecture Notes in Computer Science. Springer, 1997, pp. 757–771. [18] Joe B. Wells and Christian Haack. “Branching Types”. In: Programming Languages and Systems, 11th European Symposium on Programming, ESOP 2002, held as Part of the Joint European Conference on Theory and Practice of Software, ETAPS 2002, Grenoble, France, April 8-12, 2002, Proceedings. Ed. by Daniel Le Métayer. Vol. 2305. Lecture Notes in Computer Science. Springer, 2002, pp. 115–132. [19] H. P. Barendregt. “Lambda Calculi with Types”. In: Handbook of Logic in Computer Science (Vol. 2). Ed. by S. Abramsky, Dov M. Gabbay, and S. E. Maibaum. New York, NY, USA: Oxford University Press, Inc., 1992, pp. 117–309. ISBN: 0-19-853761-1. [20] J. B. Wells. “The Essence of Principal Typings”. In: Automata, Languages and Pro- gramming, 29th International Colloquium, ICALP 2002, Malaga, Spain, July 8-13, 2002, Proceedings. Ed. by Peter Widmayer et al. Vol. 2380. Lecture Notes in Computer Science. Springer, 2002, pp. 913–925. [21] John C. Reynolds. “The Coherence of Languages with Intersection Types”. In: Theoretical Aspects of Computer Software, International Conference TACS ’91, Sendai, Japan, September 24-27, 1991, Proceedings. Ed. by Takayasu Ito and Albert R. Meyer. Vol. 526. Lecture Notes in Computer Science. Springer, 1991, pp. 675–700. [22] Bruno C. d. S. Oliveira, Zhiyuan Shi, and João Alpuim. “Disjoint intersection types”. In: Proceedings of the 21st ACM SIGPLAN International Conference on Func- tional Programming, ICFP 2016, Nara, Japan, September 18-22, 2016. Ed. by Jacques Garrigue, Gabriele Keller, and Eijiro Sumii. ACM, 2016, pp. 364–377. [23] John Launchbury and Simon L. Peyton Jones. “State in Haskell”. In: Lisp and Symbolic Computation 8.4 (1995), pp. 293–341. [24] Bernard A. Galler and Michael J. Fischer. “An improved equivalence algorithm”. In: Commun. ACM 7.5 (1964), pp. 301–303.

Department of Mathematics and Computer Science 83 Master’s Thesis Bibliography

[25] Raimund Seidel. “A Simple and Fast Incremental Randomized Algorithm for Computing Trapezoidal Decompositions and for Triangulating Polygons”. In: Comput. Geom. 1 (1991), pp. 51–64. [26] Michael Gordon, Robin Milner, and CP Wadsworth. “Edinburgh LCF: a mechanized logic of computation, volume 78 of”. In: Lecture Notes in Computer Science (1979), pp. 1–6. [27] Rowan Davies and Frank Pfenning. “Intersection types and computational effects”. In: Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming (ICFP ’00), Montreal, Canada, September 18-21, 2000. Ed. by Martin Odersky and Philip Wadler. ACM, 2000, pp. 198–208. [28] Mariangiola Dezani-Ciancaglini, Paola Giannini, and Simona Ronchi Della Rocca. “Intersection, Universally Quantiﬁed, and Reference Types”. In: Computer Science Logic, 23rd international Workshop, CSL 2009, 18th Annual Conference of the EACSL, Coimbra, Portugal, September 7-11, 2009. Proceedings. Ed. by Erich Grädel and Rein- hard Kahle. Vol. 5771. Lecture Notes in Computer Science. Springer, 2009, pp. 209– 224. [29] Barbara Liskov et al. CLU Reference Manual. Vol. 114. Lecture Notes in Computer Science. Springer, 1981. ISBN: 3-540-10836-X. [30] Bruno Barras et al. “The Coq proof assistant reference manual: Version 6.1”. PhD thesis. Inria, 1997. [31] Brian E. Aydemir et al. “Engineering formal metatheory”. In: Proceedings of the 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2008, San Francisco, California, USA, January 7-12, 2008. Ed. by George C. Necula and Philip Wadler. ACM, 2008, pp. 3–15. [32] Arthur Charguéraud. “The Locally Nameless Representation”. In: J. Autom. Rea- soning 49.3 (2012), pp. 363–408. [33] Nicolaas Govert De Bruijn. “Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser theorem”. In: Indagationes Mathematicae (Proceedings). Vol. 75. 5. Elsevier. 1972, pp. 381–392. [34] Joshua Dunﬁeld and Frank Pfenning. “Type Assignment for Intersections and Unions in Call-by-Value Languages”. In: Foundations of Software Science and Compu- tational Structures, 6th International Conference, FOSSACS 2003 Held as Part of the Joint European Conference on Theory and Practice of Software, ETAPS 2003, Warsaw, Poland, April 7-11, 2003, Proceedings. Ed. by Andrew D. Gordon. Vol. 2620. Lecture Notes in Computer Science. Springer, 2003, pp. 250–266. [35] Davide Sangiorgi. Introduction to bisimulation and coinduction. Cambridge Univer- stity Press, 2012. ISBN: 978-1-107-00363-7. [36] Richard Statman. “On the lambdaY calculus”. In: Ann. Pure Appl. Logic 130.1-3 (2004), pp. 325–337.

84 Technical University Eindhoven Bibliography Master’s Thesis

[37] Stephen Cole Kleene et al. “Lambda deﬁnability and recursiveness”. In: Duke mathematical journal 2.2 (1936), pp. 340–353.

Department of Mathematics and Computer Science 85 Master’s Thesis A. Generic Variables

A. Generic Variables

Module type for variables with a setoid and a fresh variables generator given a list of variables already in use. Module Type VariablesType(E:DecidableType)(Import S:WSetsOnE ). Module E := Dec2BoolE . Instance varEqDec: EqDec E.t E.eq := E.eq dec. Notation var := elt. Notation vars := S.t. Infix "∈" := In (at level 70, no associativity). Notation "x ∈/ y" := (¬In xy )(at level 70, no associativity). Parameter var fresh : ∀ L,{ x | x ∈/ L }. Print var fresh.

Parameter var fresh in : ∀ L1 L2,( ∀ x, x ∈ L1 ↔ x ∈ L2) → proj1 sig( var fresh L1) = proj1 sig( var fresh L2). End VariablesType. We give a concrete implementation of VariablesType using natural numbers. Module NatSet := Make Nat. Module NumVariables <: VariablesType Nat NatSet. Module E := Dec2Bool Nat. Include E. Instance varEqDec: EqDec E.t E.eq := E.eq dec. Definition gen var L := 1 + fold max L 0. Lemma fold left max: ∀ Lxy , x ≤ y → x ≤ fold left max Ly . Lemma ina le fold left max: ∀ Lxy , InA eq xL → x ≤ fold left max Ly . Lemma fold left max comm: ∀ Lx , fold left(ﬂip max) Lx = fold left max Lx . Definition var fresh: ∀ L,{ x |¬ In xL }. Lemma zero length: ∀ {A} L, 0 = @length AL → L = nil. Lemma var fresh in helper: ∀ La ,( fold left max La )= a ∨ InA eq (fold left max La ) L.

Lemma var fresh in: ∀ L1 L2,( ∀ x, In xL 1 ↔ In xL 2) → proj1 sig(var fresh L1) = proj1 sig(var fresh L2). End NumVariables.

86 Technical University Eindhoven Master’s Thesis

B. Generic Types

Module AllTypes(E:DecidableType)(S:WSetsOnE )(Import V:VariablesTypeE S). Inductive type := | type bottom : type | type top : type | type var : var → type | type arrow : type → type → type | type sum : type → type → type | type prod : type → type → type. Notation "⊥" := type bottom (at level 8). Notation ">" := type top (at level 8). Notation "’ x" := (type var x)(at level 8). Notation "x ’→ y" := (type arrow xy )(at level 9, right associativity). Inductive type eq : type → type → Prop := | type bottom eq : type eq ⊥⊥ | type top eq : type eq >> | type var eq : ∀ xy , x === y → type eq ’x ’y | type arrow eq : ∀ τ 1 τ 2 σ 1 σ 2, type eq τ 1 τ 2 → type eq σ 1 σ 2 → type eq τ 1 ’→ σ 1 τ 2 ’→ σ 2 | type sum eq : ∀ τ 1 τ 2 σ 1 σ 2, type eq τ 1 τ 2 → type eq σ 1 σ 2 → type eq (type sum τ 1 σ 1)(type sum τ 2 σ 2) | type prod eq : ∀ τ 1 τ 2 σ 1 σ 2, type eq τ 1 τ 2 → type eq σ 1 σ 2 → type eq (type prod τ 1 σ 1)(type prod τ 2 σ 2). Instance typeEquivalence: Equivalence type eq. Instance typeEqDec: EqDec type type eq. End AllTypes.

Department of Mathematics and Computer Science 87 Master’s Thesis C. Deﬁnitions for Algebraic Data Types

C. Deﬁnitions for Algebraic Data Types

Module Algebraic(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOnE ) (Import V:VariablesTypeES ). Module T := AllTypesESV . Include T. Notation "x ’+ y" := (type sum xy )(at level 11, left associativity). Notation "x ’× y" := (type prod xy )(at level 11, left associativity). Inductive term := | unit : term | bvar : nat → term | fvar : var → term | app : term → term → term | abs : term → term | pair : term → term → term | proj1 : term → term | proj2 : term → term | inj1 : term → term | inj2 : term → term | case : term → term → term | absurd : term → term. Notation "hi" := unit (at level 1). Notation "ˆ x" := (bvar x)(at level 2). Notation "h x i" := (fvar x)(at level 3). Notation "t · u" := (app tu )(at level 4, left associativity). Notation "’λ t" := (abs t)(at level 6, right associativity). Notation "h t , u i" := (pair tu )(at level 3). Notation "’case’ t ’of’ u" := (case tu )(at level 8). Notation "’proj1’ t" := (proj1 t)(at level 5). Notation "’proj2’ t" := (proj2 t)(at level 5). Notation "’inj1’ t" := (inj1 t)(at level 5). Notation "’inj2’ t" := (inj2 t)(at level 5). Notation "’absurd’ t" := (absurd t)(at level 5). Reserved Notation "{ k 7→ u } t" (at level 0, k at next level). Fixpoint open rec kut := match t with |hi⇒hi |h xi⇒h xi

88 Technical University Eindhoven Master’s Thesis

| ˆi ⇒ if i == k then u elseˆ i | t1·t2 ⇒{ k 7→ u}t1 · {k 7→ u}t2 | ’λ t ⇒ ’λ {1+k 7→ u}t |h t1, t2i⇒h{ k 7→ u}t1, {k 7→ u}t2i | proj1 t ⇒ proj1 {k 7→ u}t | proj2 t ⇒ proj2 {k 7→ u}t | inj1 t ⇒ inj1 {k 7→ u}t | inj2 t ⇒ inj2 {k 7→ u}t | case t1 of t2 ⇒ case {k 7→ u}t1 of {k 7→ u}t2 | absurd t ⇒ absurd {k 7→ u}t end where "{ k 7→ u } t" := (open rec kut ). Notation "t ! u" := {0 7→ u}t (at level 4). Inductive lc : term → Prop := | lc unit : lc hi

| lc fvar : ∀ x, lc hxi

| lc app : ∀ tu , lc t → lc u → lc (t·u)

| lc abs : ∀ Lt ,( ∀ x, x ∈/ L → lc t!hxi) → lc ’λ t

| lc pair : ∀ tu , lc t → lc u → lc ht, ui

| lc proj1 : ∀ t, lc t → lc (proj1 t)

| lc proj2 : ∀ t, lc t → lc (proj2 t)

| lc inj1 : ∀ t, lc t → lc (inj1 t)

| lc inj2 : ∀ t, lc t → lc (inj2 t)

| lc case : ∀ tu , lc t → lc u → lc case t of u

| lc absurd : ∀ t, lc t

Department of Mathematics and Computer Science 89 Master’s Thesis C. Deﬁnitions for Algebraic Data Types

→ lc (absurd t). Inductive value : term → Prop := | value unit : value hi

| value abs : ∀ t, lc ’λ t → value ’λ t

| value pair : ∀ tu , value t → value u → value ht, ui

| value inj1 : ∀ t, value t → value inj1 t

| value inj2 : ∀ t, value t → value inj2 t. Reserved Notation "t 7→ u" (at level 70). Inductive cbv : term → term → Prop := | cbv app1 : ∀ t t’u , t 7→ t’ → lc u → (t·u) 7→ (t’·u)

| cbv app2 : ∀ tu u’ , value t → u 7→ u’ → t·u 7→ t·u’

| cbv abs : ∀ tu , lc ’λ t → value u → (’λ t)·u 7→ t!u

| cbv proj1 : ∀ t t’, t 7→ t’ → proj1 t 7→ proj1 t’

| cbv proj2 : ∀ t t’, t 7→ t’ → proj2 t 7→ proj2 t’

| cbv inj1 : ∀ t t’, t 7→ t’ → inj1 t 7→ inj1 t’

| cbv inj2 : ∀ t t’, t 7→ t’ → inj2 t 7→ inj2 t’

| cbv unproj1 : ∀ tu , value t → value u → proj1 ht, ui7→ t

| cbv unproj2 : ∀ tu , value t → value u → proj2 ht, ui7→ u

90 Technical University Eindhoven Master’s Thesis

| cbv pair1 : ∀ t t’u , t 7→ t’ → lc u →h t, ui7→h t’, ui

| cbv pair2 : ∀ tu u’ , value t → u 7→ u’ →h t, ui7→h t, u’i

| cbv case11 : ∀ t t’u , t 7→ t’ → value u → case t of u 7→ case t’ of u

| cbv case12 : ∀ tu u’ , lc t → u 7→ u’ → case t of u 7→ case t of u’

| cbv case21 : ∀ tu , value t → value u → case inj1 t of u 7→ (proj1 u)·t

| cbv case22 : ∀ tu , value t → value u → case inj2 t of u 7→ (proj2 u)·t where "t 7→ u" := (cbvut ). Notation "x 7→* y" := (clos reﬂ trans cbv yx )(at level 70). Notation context := (M.t type). Notation "x : τ ∈ Γ " := (M.MapsTo x τΓ )(at level 70, τ at next level). Notation "Γ / x : τ" := (M.add x τΓ )(at level 1, x at next level). Notation empty := (M.empty ). Reserved Notation "Γ ` t : τ"(at level 70, t at next level). Inductive typing : context → term → type → Prop := | typing var : ∀ Γ t τ, t:τ ∈ Γ → Γ `h ti : τ

| typing unit : ∀ Γ , Γ `hi : >

| typing absurd : ∀ Γ t τ, Γ ` t : ⊥ → Γ ` absurd t : τ

| typing abs : ∀ L Γ t σ τ,( ∀ x, x ∈/ L → Γ /x:σ ` t!hxi : τ) → Γ ` ’λ t : σ ’→ τ

| typing app : ∀ Γ tu σ τ, Γ ` t : σ ’→ τ → Γ ` u : σ → Γ ` t·u : τ

| typing proj1 : ∀ Γ t σ τ, Γ ` t : σ ’× τ → Γ ` proj1 t : σ

Department of Mathematics and Computer Science 91 Master’s Thesis C. Deﬁnitions for Algebraic Data Types

| typing proj2 : ∀ Γ t σ τ, Γ ` t : σ ’× τ → Γ ` proj2 t : τ

| typing inj1 : ∀ Γ t σ τ, Γ ` t : σ → Γ ` inj1 t : σ ’+ τ

| typing inj2 : ∀ Γ t σ τ, Γ ` t : τ → Γ ` inj2 t : σ ’+ τ

| typing pair : ∀ Γ tu σ τ, Γ ` t : σ → Γ ` u : τ → Γ `h t, ui : σ ’× τ

| typing case : ∀ Γ tu σ τ ρ, Γ ` t : σ ’+ τ → Γ ` u :( σ ’→ ρ)’ × (τ ’→ ρ) → Γ ` case t of u : ρ where "Γ ` t : τ" := (typing Γ t τ). End Algebraic. Module Type AlgebraicProperties(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOn E) (V:VariablesTypeES ). Include AlgebraicEMSV . Parameter cbv value : ∀ t t’, t 7→ t’ →¬ value t. Parameter value cbv : ∀ t t’, value t →¬ t 7→ t’.

Parameter determinism : ∀ t t’1 t’2, t 7→ t’1 → t 7→ t’2 → t’1 = t’2. Parameter subject reduction trans : ∀ Γ t t’ τ, Γ ` t:τ → t 7→* t’ → Γ ` t’:τ. Parameter progress : ∀ t τ, empty ` t:τ → (value t ∨∃ t’, t 7→ t’). Parameter untypable bottom : ∀ t, ¬empty ` t:⊥. Parameter strong normalization : ∀ t τ, empty ` t:τ → Acc cbv t. Parameter lc dec : ∀ t,{ lc t}+{ ¬lc t}. Parameter value dec : ∀ t,{ value t}+{ ¬value t}. Parameter cbv dec : ∀ t,{ t’ | t 7→ t’}+{ ∀ t’, ¬t 7→ t’}. Parameter typing evaluate : ∀ t τ, empty ` t:τ → {t’ | t 7→* t’ ∧ value t’}.

End AlgebraicProperties.

92 Technical University Eindhoven Master’s Thesis

D. Proofs for Algebraic Data Types

Module AlgebraicFull(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOnE ) (Import V:VariablesTypeES ) <: AlgebraicPropertiesE MSV . Include AlgebraicEMSV . Inductive term eq : term → term → Prop := | unit eq : term eq hihi | bvar eq : ∀ nm , n === m → term eq ˆn ˆm | fvar eq : ∀ xy , x === y → term eq hxih yi | app eq : ∀ t1 t2 u1 u2, term eq t1 t2 → term eq u1 u2 → term eq t1·u1 t2·u2 | abs eq : ∀ t1 t2, term eq t1 t2 → term eq ’λ t1 ’λ t2 | pair eq : ∀ t1 t2 u1 u2, term eq t1 t2 → term eq u1 u2 → term eq ht1, u1ih t2, u2i | proj1 eq : ∀ t1 t2, term eq t1 t2 → term eq proj1 t1 proj1 t2 | proj2 eq : ∀ t1 t2, term eq t1 t2 → term eq proj2 t1 proj2 t2 | inj1 eq : ∀ t1 t2, term eq t1 t2 → term eq inj1 t1 inj1 t2 | inj2 eq : ∀ t1 t2, term eq t1 t2 → term eq inj2 t1 inj2 t2 | case eq : ∀ t1 t2 u1 u2, term eq t1 t2 → term eq u1 u2 → term eq case t1 of u1 case t2 of u2 | absurd eq : ∀ t1 t2, term eq t1 t2 → term eq absurd t1 absurd t2. Instance termEquivalence: Equivalence term eq. Instance termEqDec: EqDec term term eq. Lemma value lc: ∀ t, value t → lc t. Lemma cbv lc: ∀ t t’, t 7→ t’ → lc t. Theorem cbv value: ∀ t t’, t 7→ t’ →¬ value t. Theorem value cbv: ∀ t t’, value t →¬ t 7→ t’.

Theorem determinism: ∀ t t’1 t’2, t 7→ t’1 → t 7→ t’2 → t’1 = t’2. Lemma context unique: ∀ Γ x (σ τ: type), x:τ ∈ Γ /x:σ → σ = τ. Reserved Notation "[ k 7→ u ] t" (at level 0, k at next level). Fixpoint subst kut := match t with |hi⇒hi |h xi⇒ if k == x then u else hxi | ˆi ⇒ ˆi | t1·t2 ⇒ [k 7→ u]t1 · [k 7→ u]t2

Department of Mathematics and Computer Science 93 Master’s Thesis D. Proofs for Algebraic Data Types

| ’λ t ⇒ ’λ [k 7→ u]t |h t1, t2i⇒h [k 7→ u]t1,[ k 7→ u]t2i | proj1 t ⇒ proj1 [k 7→ u]t | proj2 t ⇒ proj2 [k 7→ u]t | inj1 t ⇒ inj1 [k 7→ u]t | inj2 t ⇒ inj2 [k 7→ u]t | case t1 of t2 ⇒ case[ k 7→ u]t1 of[ k 7→ u]t2 | absurd t ⇒ absurd[ k 7→ u]t end where "[ k 7→ u ] t" := (subst kut ). Lemma double open rec: ∀ tvjiu , j 6= i →{ j 7→ v}t = {i 7→ u}({j 7→ v}t) → t = {i 7→ u}t. Lemma lc open rec: ∀ tuk , lc t → t = {k 7→ u}t. Lemma subst open: ∀ tuvx , lc u → [x 7→ u](t!v)=([ x 7→ u]t)!([x 7→ u]v). Lemma subst open var: ∀ tuxy , lc u → x =/= y → ([x 7→ u]t)!hyi =[ x 7→ u](t!hyi). Fixpoint fv t := match t with |hi⇒ S.empty |h xi⇒ S.singleton x | ˆi ⇒ S.empty | t1·t2 ⇒ S.union (fv t1)(fv t2) | ’λ t ⇒ fv t |h t1, t2i⇒ S.union (fv t1)(fv t2) | proj1 t ⇒ fv t | proj2 t ⇒ fv t | inj1 t ⇒ fv t | inj2 t ⇒ fv t | case t1 of t2 ⇒ S.union (fv t1)(fv t2) | absurd t ⇒ fv t end. Lemma subst fresh: ∀ tux , x ∈/ fv t → [x 7→ u]t = t. Lemma subst intro: ∀ tux , x ∈/ fv t → lc u → t!u =[ x 7→ u](t!hxi). Lemma in permuted context: ∀ Γ xyz (σ τ: type) φ, ¬E.eq xy → z:φ ∈ Γ /x:σ/y:τ → z:φ ∈ Γ /y:τ/x:σ.

Lemma equal context: ∀ Γ 1 Γ 2 t τ,( ∀ x σ, x:σ ∈ Γ 1 → x:σ ∈ Γ 2) → Γ 1 ` t:τ → Γ 2 ` t:τ. Definition m2s m := M.fold (λ v ( : type) s, S.add vs ) m S.empty. Lemma in s in folds: ∀ {X} lsx , x ∈ s → x ∈ fold left( λ a (p : var × X), S.add (fst p) a) ls . Lemma folds widen: ∀ {X} lxs s’ ,

94 Technical University Eindhoven Master’s Thesis

(∀ x, x ∈ s → x ∈ s’) → x ∈ fold left( λ s (v: var × X), S.add (fst v) s) ls → x ∈ fold left( λ s (v: var × X), S.add (fst v) s) l s’. Lemma inm ins: ∀ Γ x, M.In x Γ → x ∈ (m2s Γ ). Lemma context weakening: ∀ Γ xt σ τ, ¬M.In x Γ → Γ ` t:τ → Γ /x:σ ` t:τ. Lemma typing lc: ∀ Γ t τ, Γ ` t:τ → lc t. Lemma subst reduction: ∀ Γ tux τ σ, Γ /x:σ ` t:τ → Γ ` u:σ → Γ ` [x 7→ u]t : τ. Lemma subject reduction: ∀ Γ t t’ τ, Γ ` t:τ → t 7→ t’ → Γ ` t’:τ. Theorem subject reduction trans: ∀ Γ t t’ τ, Γ ` t:τ → t 7→* t’ → Γ ` t’:τ. Fixpoint not bottom τ := match τ with |>⇒ True |⊥⇒ False | ’x ⇒ True | σ ’→ τ ⇒ not bottom σ → not bottom τ | σ ’× τ ⇒ not bottom σ ∧ not bottom τ | σ ’+ τ ⇒ not bottom σ ∨ not bottom τ end. Lemma typing not bottom: ∀ t Γτ , Γ ` t:τ → (∀ x σ, x:σ ∈ Γ → not bottom σ) → not bottom τ. Theorem untypable bottom: ∀ t, ¬empty ` t:⊥. Theorem progress: ∀ t τ, empty ` t:τ → (value t ∨∃ t’, t 7→ t’). Fixpoint term length t := match t with |hi⇒ 1 |h xi⇒ 1 | ˆi ⇒ 1 | t1·t2 ⇒ term length t1 + term length t2 | ’λ t ⇒ 1 + term length t |h t1, t2i⇒ term length t1 + term length t2 | proj1 t ⇒ 1 + term length t | proj2 t ⇒ 1 + term length t | inj1 t ⇒ 1 + term length t | inj2 t ⇒ 1 + term length t | case t1 of t2 ⇒ term length t1 + term length t2 | absurd t ⇒ 1 + term length t end. Lemma term length nonzero: ∀ t, 1 ≤ term length t. Lemma open rec term length: ∀ tx , term length t = term length t!hxi.

Department of Mathematics and Computer Science 95 Master’s Thesis D. Proofs for Algebraic Data Types

Lemma open rec swap: ∀ tnmxy , n 6= m →{ n 7→h xi}{m 7→h yi}t = {m 7→h yi}{n 7→ hxi}t. Lemma lc open rec var: ∀ tpq , lc t!hpi→ lc t!hqi. Definition lc dec t : {lc t}+{ ¬lc t}. Definition value dec t : {value t}+{ ¬value t}. Definition cbv dec t : {t’ | t 7→ t’}+{ ∀ t’, ¬t 7→ t’}. Lemma typing sn evaluation: ∀ t τ, empty ` t:τ → Acc cbv t → {t’ | t 7→* t’ ∧ value t’}. Fixpoint sc τ t : Prop := empty ` t:τ ∧ Acc cbv t ∧ match τ with | σ ’→ τ ⇒∀ u, sc σ u → sc τ t·u | σ ’× τ ⇒ sc σ proj1 t ∧ sc τ proj2 t | σ ’+ τ ⇒ (∀ t’, t 7→* inj1 t’ → sc σ t’) ∧ (∀ t’, t 7→* inj2 t’ → sc τ t’) | ⇒ True end. Lemma sc typing: ∀ τ t, sc τ t → empty ` t:τ. Lemma sc Acc: ∀ τ t, sc τ t → Acc cbv t. Lemma sc lc: ∀ t τ, sc τ t → lc t. Lemma sc cbv: ∀ τ t t’, sc τ t → t 7→ t’ → sc τ t’. Lemma sc cbv trans: ∀ τ t t’, sc τ t → t 7→* t’ → sc τ t’. Lemma cbv cbv trans: ∀ t t’ t’’, t 7→ t’ → t 7→* t’’ → t = t’’ ∨ t’ 7→* t’’. Lemma cbv sc: ∀ τ t t’, empty ` t:τ → t 7→ t’ → sc τ t’ → sc τ t. Lemma cbv trans sc: ∀ τ t t’, empty ` t:τ → t 7→* t’ → sc τ t’ → sc τ t. Fixpoint msubst sst := match ss with | nil ⇒ t | ((x,v)::ss) ⇒ msubst ss [x 7→ v]t end. Fixpoint mupdate( Γ : context) xts := match xts with | nil ⇒ Γ | ((x,τ)::xts) ⇒ (mupdate Γ xts)/x:τ end. Inductive instantiation : list (var × type) → list (var × term) → Prop := | i nil : instantiation nil nil | i cons : ∀ x τ v ctx env, value v → sc τ v → instantiation ctx env → instantiation ((x,τ)::ctx)((x,v)::env).

96 Technical University Eindhoven Master’s Thesis

Definition lookup{ X} x (env: list (var × X)) := fold right( λ an , if fst a == x then Some (snd a) else n) None env. Lemma instantiation lookup: ∀ env ctxx , instantiation ctx env → (∃ v τ, lookup x env = Some v ∧ x:τ ∈ mupdate empty ctx ∧ sc τ v) ∨∀ τ, ¬x:τ ∈ mupdate empty ctx. Lemma fv open rec: ∀ txy , x ∈ fv t → x ∈ fv t!hyi. Lemma context fv: ∀ Γ t τ x, Γ ` t:τ → x ∈ fv t → M.In x Γ . Lemma closed fv: ∀ t τ x, empty ` t:τ → x ∈/ fv t. Lemma msubst closed: ∀ envv τ, empty ` v:τ → msubst envv = v. Lemma swap subst: ∀ txyuv , y =/= x → y ∈/ fv u → x ∈/ fv v → [x 7→ u]([y 7→ v]t)=[ y 7→ v]([x 7→ u]t). Definition ctx2s{ X} ctx := fold left( λ s (v: var × X), S.add (fst v) s) ctx S.empty. Lemma subst msubst swap: ∀ env ctxtxu τ, x ∈/ ctx2s env → empty ` u:τ → instantiation ctx env → [x 7→ u](msubst envt )= (msubst( (x, u)::env) t). Lemma msubst open rec: ∀ env ctxtx , x ∈/ ctx2s env → instantiation ctx env → (msubst envt )!hxi = msubst envt !hxi. Lemma instantiation typing: ∀ Γ ctx envt τ, instantiation ctx env → (mupdate Γ ctx) ` t:τ → Γ ` msubst envt :τ. Lemma subst lc: ∀ tux , lc t → lc u → lc [x 7→ u]t. Lemma msubst lc: ∀ env ctxt , lc t → instantiation ctx env → lc (msubst envt ).

Lemma var env msubst: ∀ τ envxv , empty ` v:τ → lookup x env = Some v → msubst env hxi = v.

Lemma unit env msubst: ∀ env, msubst env hi = hi. Lemma abs env msubst: ∀ envt , msubst env ’λ t =’ λ (msubst envt ). Lemma app env msubst: ∀ envtu , msubst envt ·u =( msubst envt ) · (msubst envu ).

Lemma proj1 env msubst: ∀ envt , msubst env proj1 t = proj1 (msubst envt ).

Lemma proj2 env msubst: ∀ envt , msubst env proj2 t = proj2 (msubst envt ).

Lemma inj1 env msubst: ∀ envt , msubst env inj1 t = inj1 (msubst envt ).

Lemma inj2 env msubst: ∀ envt , msubst env inj2 t = inj2 (msubst envt ). Lemma pair env msubst: ∀ envtu , msubst env ht, ui = hmsubst envt , msubst envu i. Lemma case env msubst: ∀ envtu , msubst env case t of u = case( msubst envt ) of (msubst envu ).

Lemma cbv app1 trans: ∀ t t’u , t 7→* t’ → lc u → t·u 7→* t’·u.

Department of Mathematics and Computer Science 97 Master’s Thesis D. Proofs for Algebraic Data Types

Lemma cbv app2 trans: ∀ tu u’ , u 7→* u’ → value t → t·u 7→* t·u’. Lemma cbv app trans: ∀ t t’u u’ , lc u → value t’ → t 7→* t’ → u 7→* u’ → t·u 7→* t’·u’.

Lemma cbv pair1 trans: ∀ tu t’ , t 7→* t’ → lc u →h t, ui7→ * ht’, ui.

Lemma cbv pair2 trans: ∀ tu u’ , u 7→* u’ → value t →h t, ui7→ * ht, u’i. Lemma cbv pair trans: ∀ tu t’ u’ , lc u → value t’ → t 7→* t’ → u 7→* u’ →h t, ui7→ * ht’, u’i.

Lemma cbv proj1 trans: ∀ t t’, t 7→* t’ → proj1 t 7→* proj1 t’.

Lemma cbv proj2 trans: ∀ t t’, t 7→* t’ → proj2 t 7→* proj2 t’.

Lemma cbv case11 trans: ∀ t t’u , t 7→* t’ → value u → case t of u 7→* case t’ of u.

Lemma cbv case12 trans: ∀ tu u’ , u 7→* u’ → lc t → case t of u 7→* case t of u’. Lemma cbv case trans: ∀ t t’u u’ , value u’ → lc t → t 7→* t’ → u 7→* u’ → case t of u 7→* case t’ of u’.

Lemma cbv inj1 trans inj1 : ∀ ty , inj1 t 7→* y →∃ t’, y = inj1 t’.

Lemma cbv inj2 trans inj2 : ∀ ty , inj2 t 7→* y →∃ t’, y = inj2 t’.

Lemma cbv inj1 trans: ∀ t t’, inj1 t 7→* inj1 t’ → t 7→* t’.

Lemma cbv inj2 trans: ∀ t t’, inj2 t 7→* inj2 t’ → t 7→* t’.

Lemma cbv inj1 trans inj2 : ∀ t t’, ¬ inj1 t 7→* inj2 t’.

Lemma cbv inj2 trans inj1 : ∀ t t’, ¬ inj2 t 7→* inj1 t’. Lemma Acc pair: ∀ tu , Acc cbv t → Acc cbv u → Acc cbv ht, ui.

Lemma Acc inj1 : ∀ t, Acc cbv t → Acc cbv inj1 t.

Lemma Acc inj2 : ∀ t, Acc cbv t → Acc cbv inj2 t. Lemma msubst sc: ∀ ctx envt τ, (mupdate empty ctx) ` t:τ → instantiation ctx env → sc τ (msubst envt ). Theorem strong normalization: ∀ t τ, empty ` t:τ → Acc cbv t. Definition typing evaluate: ∀ t τ, empty ` t:τ → {t’ | t 7→* t’ ∧ value t’}. End AlgebraicFull.

98 Technical University Eindhoven Master’s Thesis

E. Deﬁnitions for Unrestricted Union and Intersection Types

Module Intersection(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOnE ) (Import V:VariablesTypeES ). Notation "{ x & P }" := (sigT (fun x ⇒ P)) (at level 0, x at level 99). Notation "{ x | P }" := (sig (fun x ⇒ P)) (at level 0, x at level 99). Module A := AlgebraicFullEMSV . Include A.T. Notation "x ’∨ y" := (type sum xy )(at level 11, left associativity). Notation "x ’∧ y" := (type prod xy )(at level 11, left associativity). Notation typing context := (M.t A.type). Notation "x : τ ∈ Γ " := (M.MapsTo x τΓ )(at level 70, τ at next level). Notation "Γ / x : τ" := (M.add x τΓ )(at level 1, x at next level). Notation empty := (M.empty ). Inductive term := | bvar : nat → term | fvar : var → term | app : term → term → term | abs : term → term | merge : term → term → term. Notation "ˆ x" := (bvar x)(at level 2). Notation "h x i" := (fvar x)(at level 3). Notation "t · u" := (app tu )(at level 4, left associativity). Notation "’λ t" := (abs t)(at level 6, right associativity). Notation "t ⊗ u" := (merge tu )(at level 5, left associativity). Notation "hi" := A.unit (at level 1). Notation "’ˆ x" := (A.bvar x)(at level 2). Notation "’h x i" := (A.fvar x)(at level 3). Notation "t ’· u" := (A.app tu )(at level 4, left associativity). Notation "’’λ t" := (A.abs t)(at level 6, right associativity). Notation "h t , u i" := (A.pair tu )(at level 3). Notation "’case’ t ’of’ u" := (A.case tu )(at level 7). Notation "’proj1’ t" := (A.proj1 t)(at level 5). Notation "’proj2’ t" := (A.proj2 t)(at level 5). Notation "’inj1’ t" := (A.inj1 t)(at level 5).

Department of Mathematics and Computer Science 99 Master’s ThesisE.Deﬁnitions for Unrestricted Union and Intersection Types

Notation "’inj2’ t" := (A.inj2 t)(at level 5). Notation "’absurd’ t" := (A.absurd t)(at level 5). Notation "t ’7→ u" := (A.cbv ut )(at level 70). Notation "x ’7→* y" := (clos reﬂ trans A.cbv yx )(at level 70). Notation "’{ k 7→ u } t" := (A.open rec kut )(at level 0, k at next level). Notation "’[ k 7→ u ] t" := (A.subst kut )(at level 0, k at next level). Notation "t !! u" := ’{0 7→ u}t (at level 4). Notation "Γ ’` t : τ" := (A.typing Γ t τ)(at level 70, t at next level). Instance ProdEqDec{ A}{B}{RA}{RB} ‘(EqDec ARA , EqDec BRB ): EqDec (A×B) . Inductive term eq : term → term → Prop := | bvar eq : ∀ nm , n === m → term eq ˆn ˆm | fvar eq : ∀ xy , x === y → term eq hxih yi | app eq : ∀ t1 t2 u1 u2, term eq t1 t2 → term eq u1 u2 → term eq t1·u1 t2·u2 | abs eq : ∀ t1 t2, term eq t1 t2 → term eq ’λ t1 ’λ t2 | merge eq : ∀ t1 t2 u1 u2, term eq t1 t2 → term eq u1 u2 → term eq t1⊗u1 t2⊗u2. Instance termEquivalence: Equivalence term eq. Reserved Notation "{ k 7→ u } t" (at level 0, k at next level). Fixpoint open rec kut := match t with |h xi⇒h xi | ˆi ⇒ if i == k then u elseˆ i | t1·t2 ⇒{ k 7→ u}t1 · {k 7→ u}t2 | ’λ t ⇒ ’λ {1+k 7→ u}t | t1 ⊗ t2 ⇒{ k 7→ u}t1 ⊗{ k 7→ u}t2 end where "{ k 7→ u } t" := (open rec kut ). Notation "t ! u" := {0 7→ u}t (at level 4). Inductive lc : term → Prop := | lc fvar : ∀ x, lc hxi

| lc app : ∀ tu , lc t → lc u → lc (t·u)

| lc abs : ∀ Lt ,( ∀ x, x ∈/ L → lc t!hxi) → lc ’λ t

| lc merge : ∀ tu , lc t → lc u → lc t ⊗ u. Inductive value : term → Prop := | value abs : ∀ t, lc ’λ t → value ’λ t

100 Technical University Eindhoven Master’s Thesis

| value merge : ∀ tu , value t → value u → value t ⊗ u. Reserved Notation "t 7→ u" (at level 70, u at next level). Inductive cbv approx : term → term → Prop := | cbv app1 : ∀ t t’u , t 7→ t’ → lc u → t·u 7→ t’·u

| cbv app2 : ∀ tu u’ , value t → u 7→ u’ → t·u 7→ t·u’

| cbv abs : ∀ tu , lc ’λ t → value u → (’λ t)·u 7→ t!u

| cbv unmerge1 : ∀ tu , lc t → lc u → t ⊗ u 7→ t

| cbv unmerge2 : ∀ tu , lc t → lc u → t ⊗ u 7→ u

| cbv merge1 : ∀ t t’u , t 7→ t’ → lc u → t ⊗ u 7→ t’ ⊗ u

| cbv merge2 : ∀ tu u’ , lc t → u 7→ u’ → t ⊗ u 7→ t ⊗ u’

| cbv split : ∀ t, lc t → t 7→ t ⊗ t where "t 7→ u" := (cbv approxut ). Notation "x 7→* y" := (clos reﬂ trans cbv approx yx )(at level 70). Notation subtyping context := (list (type × var × type)). Notation "τ 4 α 4 σ ∈ ∆" := (InA equiv (τ, α, σ) ∆)(at level 70, α at next level, σ at next level). Reserved Notation "∆ ` τ 4 σ"(at level 70, τ at next level). Inductive subtyping (∆ : subtyping context): type → type → Type := | subtyping var1 : ∀ τασ , τ 4 α 4 σ ∈ ∆ → ∆ ` ’α 4 σ

| subtyping var2 : ∀ τασ , τ 4 α 4 σ ∈ ∆ → ∆ ` τ 4 ’α

| subtyping top : ∀ τ, ∆ ` τ 4 >

Department of Mathematics and Computer Science 101 Master’s ThesisE.Deﬁnitions for Unrestricted Union and Intersection Types

| subtyping bottom : ∀ τ, ∆ `⊥ 4 τ

| subtyping arrow top : ∆ `> 4 ⊥ ’→>

| subtyping arrow bottom : ∆ `> ’→⊥ 4 ⊥

| subtyping arrow1 : ∀ σ 1 σ 2 τ, ∆ ` σ 2 4 σ 1 → ∆ ` σ 1 ’→ τ 4 σ 2 ’→ τ

| subtyping arrow2 : ∀ σ τ 1 τ 2, ∆ ` τ 1 4 τ 2 → ∆ ` σ ’→ τ 1 4 σ ’→ τ 2

| subtyping reﬂ : ∀ τ, ∆ ` τ 4 τ

| subtyping trans : ∀ τ σ ρ, ∆ ` τ 4 σ → ∆ ` σ 4 ρ → ∆ ` τ 4 ρ

| subtyping inter elim1 : ∀ τ σ, ∆ ` τ ’∧ σ 4 τ

| subtyping inter elim2 : ∀ τ σ, ∆ ` τ ’∧ σ 4 σ

| subtyping union intro1 : ∀ τ σ, ∆ ` τ 4 τ ’∨ σ

| subtyping union intro2 : ∀ τ σ, ∆ ` σ 4 τ ’∨ σ

| subtyping inter intro : ∀ τ σ ρ, ∆ ` ρ 4 τ → ∆ ` ρ 4 σ → ∆ ` ρ 4 τ ’∧ σ

| subtyping union elim : ∀ τ σ ρ, ∆ ` τ 4 ρ → ∆ ` σ 4 ρ → ∆ ` τ ’∨ σ 4 ρ

| subtyping inter arrow dist : ∀ τ 1 τ 2 σ, ∆ ` σ ’→ τ 1 ’∧ σ ’→ τ 2 4 σ ’→ (τ 1 ’∧ τ 2)

| subtyping union arrow dist : ∀ τ 1 τ 2 σ, ∆ ` τ 1 ’→ σ ’∧ τ 2 ’→ σ 4 (τ 1 ’∨ τ 2)’ → σ

| subtyping inter union dist : ∀ τ σ ρ, ∆ ` σ ’∧ (τ ’∨ ρ) 4 (σ ’∧ τ)’ ∨ (σ ’∧ ρ)

| subtyping union inter dist : ∀ τ σ ρ, ∆ ` (σ ’∨ τ)’ ∧ (σ ’∨ ρ) 4 σ ’∨ (τ ’∧ ρ) where "∆ ` τ 4 σ" := (subtyping ∆τσ ).

Inductive sub context valid : subtyping context → Prop := | sub empty : sub context valid [] | sub add : ∀ ∆τασ , sub context valid ∆ →¬ Exists (λ trp, snd(fst trp) = α) ∆

102 Technical University Eindhoven Master’s Thesis

→ ∆ ` τ 4 σ → sub context valid ((τ, α, σ)::∆). Definition subtyping’ ∆τσ := prod (sub context valid ∆)(∆ ` τ 4 σ). Reserved Notation "l $ Γ , ∆ ` t : τ"(at level 70, Γ at level 200, ∆ at next level, t at next level). Inductive typing (l: Prop) Γ∆ : term → type → Type := | typing var : ∀ t τ, t:τ ∈ Γ → l$Γ ,∆ `h ti : τ

| typing sub : ∀ t τ σ, l → l$Γ ,∆ ` t:σ → ∆ ` σ 4 τ → l$Γ ,∆ ` t:τ

| typing abs : ∀ Lt σ τ,( ∀ x, x ∈/ L → l$Γ /x:σ,∆ ` t!hxi : τ) → l$Γ ,∆ ` ’λ t : σ ’→ τ

| typing app : ∀ tu σ τ, l$Γ ,∆ ` t : σ ’→ τ → l$Γ ,∆ ` u : σ → l$Γ ,∆ ` t·u : τ

| typing union elim : ∀ tu σ 1 σ 2 τ, l$Γ ,∆ ` t : σ 1 ’→ τ ’∧ σ 2 ’→ τ → l$Γ ,∆ ` u : σ 1 ’∨ σ 2 → l$Γ ,∆ ` t·u : τ

| typing merge1 : ∀ tu τ, l$Γ ,∆ ` t:τ → lc u → l$Γ ,∆ ` t ⊗ u : τ

| typing merge2 : ∀ tu τ, l$Γ ,∆ ` u:τ → lc t → l$Γ ,∆ ` t ⊗ u : τ

| typing inter intro : ∀ t τ σ, l$Γ ,∆ ` t:τ → l$Γ ,∆ ` t:σ → l$Γ ,∆ ` t : τ ’∧ σ

| typing inter elim1 : ∀ t τ σ, l$Γ ,∆ ` t : τ ’∧ σ → l$Γ ,∆ ` t : τ

| typing inter elim2 : ∀ t τ σ, l$Γ ,∆ ` t : τ ’∧ σ → l$Γ ,∆ ` t : σ

| typing union intro1 : ∀ t τ σ, l$Γ ,∆ ` t : τ → l$Γ ,∆ ` t : τ ’∨ σ

| typing union intro2 : ∀ t τ σ, l$Γ ,∆ ` t : σ → l$Γ ,∆ ` t : τ ’∨ σ

Department of Mathematics and Computer Science 103 Master’s ThesisE.Deﬁnitions for Unrestricted Union and Intersection Types

| typing top value : ∀ t, value t → l$Γ ,∆ ` t:>

| typing bottom : ∀ t τ, l$Γ ,∆ ` t:⊥ → l$Γ ,∆ ` t:τ where "l $ Γ , ∆ ` t : τ" := (typingl Γ∆ t τ). Notation "Γ „ ∆ ` t : τ" := (typing True Γ∆ t τ)(at level 70, ∆ at next level, t at next level). Notation "Γ ` t : τ" := (typing False Γ nil t τ)(at level 70, t at next level). Definition coercion context := list (term × type × var × type × term). Definition co2su( c : coercion context) := map( λ e, let ’( , τ, α, σ, ) := e in( τ, α, σ)) c. Notation "t ←- τ 4 α 4 σ ,→ u ∈ ∆" := (InA equiv (t, τ, α, σ, u) ∆)(at level 70, τ at next level, α at next level, σ at next level, u at next level). Notation "Γ ♥ ∆" := (∀ t τασ u, t ←- τ 4 α 4 σ ,→ u ∈ ∆ → (Γ ` t : τ ’→ ’α) × (Γ ` u :’ α ’→ σ))(at level 70). Reserved Notation "∆ ` τ 4 σ ,→ t" (at level 70, τ at next level, σ at next level). Inductive coercion (∆ : coercion context): type → type → term → Type := | coercion var1 : ∀ tu τασ ,( t ←- τ 4 α 4 σ ,→ u ∈ ∆) → ∆ ` ’α 4 σ ,→ u

| coercion var2 : ∀ tu τασ , t ←- τ 4 α 4 σ ,→ u ∈ ∆ → ∆ ` τ 4 ’α ,→ t

| coercion top : ∀ τ, ∆ ` τ 4 > ,→ ’λ ’λ ˆ0

| coercion bottom : ∀ τ, ∆ `⊥ 4 τ ,→ ’λ ˆ0

| coercion arrow top : ∆ `> 4 ⊥ ’→> ,→ ’λ ’λ ˆ1

| coercion arrow bottom : ∆ `> ’→⊥ 4 ⊥ ,→ ’λ ˆ0·’λ ˆ0

| coercion arrow1 : ∀ σ 1 σ 2 τ t, ∆ ` σ 2 4 σ 1 ,→ t → ∆ ` σ 1 ’→ τ 4 σ 2 ’→ τ ,→ ’λ ’λ ˆ1·(t·ˆ0)

| coercion arrow2 : ∀ σ τ 1 τ 2 t, ∆ ` τ 1 4 τ 2 ,→ t → ∆ ` σ ’→ τ 1 4 σ ’→ τ 2 ,→ ’λ ’λ t·(ˆ1·ˆ0)

| coercion reﬂ : ∀ τ, ∆ ` τ 4 τ ,→ ’λ ˆ0

| coercion trans : ∀ τ σ ρ tu , ∆ ` τ 4 σ ,→ t → ∆ ` σ 4 ρ ,→ u → ∆ ` τ 4 ρ ,→ ’λ u·(t·ˆ0)

104 Technical University Eindhoven Master’s Thesis

| coercion inter elim1 : ∀ τ σ, ∆ ` τ ’∧ σ 4 τ ,→ ’λ ˆ0

| coercion inter elim2 : ∀ τ σ, ∆ ` τ ’∧ σ 4 σ ,→ ’λ ˆ0

| coercion union intro1 : ∀ τ σ, ∆ ` τ 4 τ ’∨ σ ,→ ’λ ˆ0

| coercion union intro2 : ∀ τ σ, ∆ ` σ 4 τ ’∨ σ ,→ ’λ ˆ0

| coercion inter intro : ∀ τ σ ρ tu , ∆ ` ρ 4 τ ,→ t → ∆ ` ρ 4 σ ,→ u → ∆ ` ρ 4 τ ’∧ σ ,→ ’λ (t⊗u)·ˆ0

| coercion union elim : ∀ τ σ ρ tu , ∆ ` τ 4 ρ ,→ t → ∆ ` σ 4 ρ ,→ u → ∆ ` τ ’∨ σ 4 ρ ,→ ’λ (t⊗u)·ˆ0

| coercion inter arrow dist : ∀ τ 1 τ 2 σ, ∆ ` σ ’→ τ 1 ’∧ σ ’→ τ 2 4 σ ’→ (τ 1 ’∧ τ 2) ,→ ’λ ’λ ˆ1·ˆ0

| coercion union arrow dist : ∀ τ 1 τ 2 σ, ∆ ` τ 1 ’→ σ ’∧ τ 2 ’→ σ 4 (τ 1 ’∨ τ 2)’ → σ ,→ ’λ ’λ ˆ1·ˆ0

| coercion inter union dist : ∀ τ σ ρ, ∆ ` σ ’∧ (τ ’∨ ρ) 4 (σ ’∧ τ)’ ∨ (σ ’∧ ρ) ,→ ’λ (’λ ˆ0⊗ˆ1)·ˆ0

| coercion union inter dist : ∀ τ σ ρ, ∆ ` (σ ’∨ τ)’ ∧ (σ ’∨ ρ) 4 σ ’∨ (τ ’∧ ρ) ,→ ’λ (’λ ˆ0⊗(’λ ˆ0⊗(ˆ1⊗ˆ0))·ˆ1)·ˆ0 where "∆ ` τ 4 σ ,→ t" := (coercion ∆τσ t).

Reserved Notation "Γ ` t : τ ,→ u" (at level 70, t at next level, τ at next level). Inductive elaboration Γ : term → type → A.term → Prop := | elaboration var : ∀ xy τ, x:τ ∈ Γ → x === y → Γ `h xi : τ ,→ ’hyi

| elaboration abs : ∀ Lt t’ σ τ,( ∀ x, x ∈/ L → Γ /x:σ ` t!hxi : τ ,→ t’!!’hxi) → Γ ` ’λ t : σ ’→ τ ,→ ’’λ t’

| elaboration app : ∀ t t’u u’ σ τ, Γ ` t : σ ’→ τ ,→ t’ → Γ ` u : σ ,→ u’ → Γ ` t·u : τ ,→ t’ ’· u’

| elaboration union elim : ∀ t t’u u’ σ 1 σ 2 τ, Γ ` t : σ 1 ’→ τ ’∧ σ 2 ’→ τ ,→ t’ → Γ ` u : σ 1 ’∨ σ 2 ,→ u’ → Γ ` t·u : τ ,→ case u’ of t’

| elaboration merge1 : ∀ t t’u τ, Γ ` t:τ ,→ t’ → lc u → Γ ` t ⊗ u : τ ,→ t’

Department of Mathematics and Computer Science 105 Master’s ThesisE.Deﬁnitions for Unrestricted Union and Intersection Types

| elaboration merge2 : ∀ tu u’ τ, Γ ` u:τ ,→ u’ → lc t → Γ ` t ⊗ u : τ ,→ u’

| elaboration inter intro : ∀ t t’1 t’2 τ σ, Γ ` t:τ ,→ t’1 → Γ ` t:σ ,→ t’2 → Γ ` t : τ ’∧ σ ,→h t’1, t’2i

| elaboration inter elim1 : ∀ t t’ τ σ, Γ ` t : τ ’∧ σ ,→ t’ → Γ ` t : τ ,→ proj1 t’

| elaboration inter elim2 : ∀ t t’ τ σ, Γ ` t : τ ’∧ σ ,→ t’ → Γ ` t : σ ,→ proj2 t’

| elaboration union intro1 : ∀ t t’ τ σ, Γ ` t : τ ,→ t’ → Γ ` t : τ ’∨ σ ,→ inj1 t’

| elaboration union intro2 : ∀ t t’ τ σ, Γ ` t : σ ,→ t’ → Γ ` t : τ ’∨ σ ,→ inj2 t’

| elaboration top value : ∀ t, value t → Γ ` t:> ,→hi

| elaboration bottom : ∀ t t’ τ, Γ ` t:⊥ ,→ t’ → Γ ` t:τ ,→ absurd t’ where "Γ ` t : τ ,→ u" := (elaboration Γ t τ u). End Intersection. Module Type IntersectionProperties(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOn E) (V:VariablesTypeES ). Include IntersectionEMSV . Parameter coercion subtyping : ∀ ∆στ u, ∆ ` σ 4 τ ,→ u → co2su ∆ ` σ 4 τ. Parameter subtyping coercion : ∀ ∆στ , co2su ∆ ` σ 4 τ → {u & ∆ ` σ 4 τ ,→ u}. Parameter coercion typing : ∀ Γ∆στ t, Γ ♥∆ → ∆ ` τ 4 σ ,→ t → Γ ` t : τ ’→ σ. Parameter typing sub elim : ∀ Γ∆ t τ, Γ ♥∆ → Γ „co2su ∆ ` t:τ → {t’ & Γ ` t’:τ}. Parameter typing elaborate : ∀ Γ t τ t’, Γ ` t:τ ,→ t’ → inhabited (Γ ` t:τ). Parameter elaborate typing : ∀ Γ t τ, Γ ` t:τ → {t’ & Γ ` t:τ ,→ t’}. Parameter elaboration subject reduction : ∀ Γ t τ t’, Γ ` t:τ ,→ t’ → Γ ’` t’:τ. Parameter consistency : ∀ Γ tu u’ τ, Γ ` t:τ ,→ u → u ’7→ u’ →∃ t’, t 7→* t’ ∧ Γ ` t’:τ ,→ u’. Parameter static semantics : ∀ Γ∆ t τ, Γ ♥∆ → Γ „co2su ∆ ` t:τ → {t’ &{ u | Γ ` t’:τ ,→ u ∧ Γ ’` u:τ}}.

106 Technical University Eindhoven Master’s Thesis

Parameter dynamic semantics : ∀ Γ t τ u u’, Γ ` t:τ ,→ u → u ’7→* u’ →∃ t’, t 7→* t’ ∧ Γ ` t’:τ ,→ u’. Parameter untypable bottom : ∀ ∆ t, empty♥∆ → empty„co2su ∆ ` t:⊥→ False. End IntersectionProperties.

Department of Mathematics and Computer Science 107 Master’s Thesis F. Proofs for Unrestricted Union and Intersection Types

F. Proofs for Unrestricted Union and Intersection Types

Module IntersectionFull(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOnE ) (Import V:VariablesTypeES ) <: IntersectionProper- tiesEMSV . Include IntersectionEMSV . Instance termEqDec: EqDec term term eq. Lemma su2co: ∀ ∆σατ tu , t ←- σ 4 α 4 τ ,→ u ∈ ∆ → σ 4 α 4 τ ∈ co2su ∆. Lemma co2su exists: ∀ ∆σατ , σ 4 α 4 τ ∈ co2su ∆ → {t &{ u | t ←- σ 4 α 4 τ ,→ u ∈ ∆}}. Lemma coercion subtyping: ∀ ∆στ u, ∆ ` σ 4 τ ,→ u → co2su ∆ ` σ 4 τ. Lemma subtyping coercion: ∀ ∆στ , co2su ∆ ` σ 4 τ → {u & ∆ ` σ 4 τ ,→ u}. Lemma context unique: ∀ Γ x (σ τ: type), x:τ ∈ Γ /x:σ → σ = τ. Lemma double open rec: ∀ tvjiu , j 6= i →{ j 7→ v}t = {i 7→ u}({j 7→ v}t) → t = {i 7→ u}t. Lemma lc open rec: ∀ tuk , lc t → t = {k 7→ u}t. Reserved Notation "[ k 7→ u ] t" (at level 0, k at next level). Fixpoint subst kut := match t with |h xi⇒ if k == x then u else hxi | ˆi ⇒ ˆi | t1·t2 ⇒ [k 7→ u]t1 · [k 7→ u]t2 | ’λ t ⇒ ’λ [k 7→ u]t | t1⊗t2 ⇒ [k 7→ u]t1⊗[k 7→ u]t2 end where "[ k 7→ u ] t" := (subst kut ). Lemma subst open: ∀ tuvx , lc u → [x 7→ u](t!v)=([ x 7→ u]t)!([x 7→ u]v). Lemma subst open var: ∀ tuxy , lc u → x =/= y → ([x 7→ u]t)!hyi =[ x 7→ u](t!hyi).

Lemma equal context typing: ∀ Γ 1 Γ 2 t τ,( ∀ x σ, x:σ ∈ Γ 1 → x:σ ∈ Γ 2) → Γ 1 ` t:τ → Γ 2 ` t:τ.

Lemma equal context elaboration: ∀ Γ 1 Γ 2 t t’ τ,( ∀ x σ, x:σ ∈ Γ 1 → x:σ ∈ Γ 2) → Γ 1 ` t:τ ,→ t’ → Γ 2 ` t:τ ,→ t’.

108 Technical University Eindhoven Master’s Thesis

Lemma in permuted context: ∀ Γ xyz (σ τ: type) φ, ¬E.eq xy → z:φ ∈ Γ /x:σ/y:τ → z:φ ∈ Γ /y:τ/x:σ. Lemma context weakening typing: ∀ Γ xt σ τ, ¬M.In x Γ → Γ ` t:τ → Γ /x:σ ` t:τ. Lemma context weakening elaboration: ∀ Γ xt t’ σ τ, ¬M.In x Γ → Γ ` t:τ ,→ t’ → Γ /x:σ ` t:τ ,→ t’. Definition m2s m := M.fold (λ v ( : type) s, S.add vs ) m S.empty. Lemma in s in folds: ∀ {X} lsx , x ∈ s → x ∈ fold left( λ a (p : var × X), S.add (fst p) a) ls . Lemma inm ins: ∀ Γ x, M.In x Γ → x ∈ (m2s Γ ). Lemma value lc: ∀ t, value t → lc t. Lemma typing lc: ∀ Γ t τ, Γ ` t:τ → lc t. Lemma coercion typing: ∀ Γ∆στ t, Γ ♥∆ → ∆ ` τ 4 σ ,→ t → Γ ` t : τ ’→ σ. Lemma elaborate lc: ∀ Γ t t’ τ, Γ ` t:τ ,→ t’ → lc t. Lemma elaborate lc’: ∀ Γ t t’ τ, Γ ` t:τ ,→ t’ → A.lc t’. Fixpoint fv t := match t with |h xi⇒ S.singleton x | î ⇒ S.empty | t1·t2 ⇒ S.union (fv t1)(fv t2) | ’λ t ⇒ fv t | t1⊗t2 ⇒ S.union (fv t1)(fv t2) end. Reserved Notation "{ k ← x } t" (at level 0, k at next level). Fixpoint close rec’ kxt := [ match t with |h yi⇒ if x == y thenˆ k else hyi | î ⇒ î | t1·t2 ⇒{ k ← x}t1 · {k ← x}t2 | ’λ t ⇒ ’λ {1+[ k ← x}t [ [ | t1⊗t2 ⇒{ k ← x}t1 ⊗{ k ← x}t2 end [ [ where "{ k ← x } t" := (close rec’ kxt ). [ Notation "t # x" := {0 ← x}t (at level 4). [ Reserved Notation "’{ k ← x } t" (at level 0, k at next level). Fixpoint close rec kxt := [ match t with |hi⇒hi | ’hyi⇒ if x == y then ’ˆk else’ hyi | ’î ⇒ ’î

Department of Mathematics and Computer Science 109 Master’s Thesis F. Proofs for Unrestricted Union and Intersection Types

| t1 ’· t2 ⇒ ’{k ← x}t1 ’· ’{k ← x}t2 | ’’λ t ⇒ ’’λ ’{1+[ k ← x}t [ [ |h t1, t2i⇒h ’{k ← x}t1,’ {k ← x}t2i [ [ | proj1 t ⇒ proj1 ’{k ← x}t [ | proj2 t ⇒ proj2 ’{k ← x}t [ | inj1 t ⇒ inj1 ’{k ← x}t [ | inj2 t ⇒ inj2 ’{k ← x}t [ | case t1 of t2 ⇒ case’ {k ← x}t1 of’ {k ← x}t2 | absurd t ⇒ absurd’ {k ← x[}t [ end [ where "’{ k ← x } t" := (close rec kxt ). [ Notation "t ## x" := ’{0 ← x}t (at level 4). [ Lemma open rec swap: ∀ tnmxy , n 6= m →{ n 7→h xi}{m 7→h yi}t = {m 7→h yi}{n 7→ hxi}t. Lemma open close rec swap: ∀ tnmxy , x =/= y → n =/= m →{ n 7→h xi}{m ← y}t = {m ← y}{n 7→h xi}t. [ [ Lemma open close rec swap’: ∀ tnmxy , x =/= y → n =/= m → ’{n 7→ ’hxi}’{m ← y}t =’ {m ← y}’{n 7→ ’hxi}t. [ [ Lemma term eq open rec: ∀ tnux , t === u →{ n 7→h xi}t === {n 7→h xi}u. Lemma term eq open rec’: ∀ tnux , t === u → ’{n 7→ ’hxi}t ===’ {n 7→ ’hxi}u. Lemma neg fv open rec: ∀ tyxn , y ∈/ fv t → y =/= x → y ∈/ fv {n 7→h xi}t. Lemma neg fv open rec’: ∀ tyxn , y ∈/ A.fv t → y =/= x → y ∈/ A.fv ’{n 7→ ’hxi}t. Fixpoint term length t := match t with |h xi⇒ 1 | ˆi ⇒ 1 | t1·t2 ⇒ term length t1 + term length t2 | ’λ t ⇒ 1 + term length t | t1⊗t2 ⇒ term length t1 + term length t2 end. Lemma term length nonzero: ∀ t, 1 ≤ term length t. Lemma open rec term length: ∀ txn , term length t = term length {n 7→h xi}t. Lemma lc open rec var: ∀ tnxy , lc {n 7→h xi}t → lc {n 7→h yi}t. Lemma value open rec: ∀ tnxy , value {n 7→h xi}t → value {n 7→h yi}t. Lemma lc term eq: ∀ tu , lc t → t === u → lc u. Lemma value term eq: ∀ tu , value t → t === u → value u. Lemma typing open rec var: ∀ Γ xy τ σ tn , x ∈/ fv t → y ∈/ fv t → Γ /x:σ `{ n 7→ hxi}t:τ → Γ /y:σ `{ n 7→h yi}t:τ.

110 Technical University Eindhoven Master’s Thesis

Lemma elaboration open rec var: ∀ Γ xy τ σ t t’n , x ∈/ fv t → y ∈/ fv t → x ∈/ A.fv t’ → y ∈/ A.fv t’ → Γ /x:σ `{ n 7→h xi}t:τ ,→ ’{n 7→ ’hxi}t’ → Γ /y:σ `{ n 7→h yi}t:τ ,→ ’{n 7→ ’hyi}t’. Lemma typing abs’: ∀ Γ t t’x τ σ, x ∈/ fv t → x ∈/ A.fv t’ → Γ /x:σ ` t!hxi : τ ,→ t’!!’hxi → Γ ` ’λ t : σ ’→ τ ,→ ’’λ t’. Lemma elaboration abs’: ∀ Γ tx τ σ, x ∈/ fv t → Γ /x:σ ` t!hxi : τ → Γ ` ’λ t : σ ’→ τ.

Lemma love weaken: ∀ Γ 1 Γ 2 ∆,( ∀ x τ, x:τ ∈ Γ 1 → x:τ ∈ Γ 2) → Γ 1♥∆ → Γ 2♥∆. Lemma close fv’: ∀ txn , x ∈/ fv {n ← x}t. [ Lemma typing term eq: ∀ Γ tu τ, Γ ` t:τ → t === u → Γ ` u:τ. Lemma open rec var term eq: ∀ tnux , x ∈/ fv t → x ∈/ fv u →{ n 7→h xi}t === {n 7→ hxi}u → t === u. Lemma open rec close rec: ∀ tnx , lc t → t === {n 7→h xi}{n ← x}t. [ Lemma open rec var term eq’: ∀ tnux , x ∈/ A.fv t → x ∈/ A.fv u → ’{n 7→ ’hxi}t === ’{n 7→ ’hxi}u → t === u. Lemma open rec close rec’: ∀ tnx , A.lc t → t ===’ {n 7→ ’hxi}’{n ← x}t. [ Lemma elaboration term eq: ∀ Γ t τ t’ u’, Γ ` t:τ ,→ t’ → t’ === u’ → Γ ` t:τ ,→ u’. Lemma typing sub elim: ∀ Γ∆ t τ, Γ ♥∆ → Γ „co2su ∆ ` t:τ → {t’ & Γ ` t’:τ}. Lemma typing elaborate: ∀ Γ t τ t’, Γ ` t:τ ,→ t’ → inhabited (Γ ` t:τ). Lemma close fv: ∀ txn , x ∈/ A.fv ’{n ← x}t. [ Lemma elaborate typing: ∀ Γ t τ, Γ ` t:τ → {t’ & Γ ` t:τ ,→ t’}. Lemma elaboration subject reduction: ∀ Γ t τ t’, Γ ` t:τ ,→ t’ → Γ ’` t’:τ. Theorem static semantics: ∀ Γ∆ t τ, Γ ♥∆ → Γ „co2su ∆ ` t:τ → {t’ &{ u | Γ ` t’:τ ,→ u ∧ Γ ’` u:τ}}. Lemma untypable bottom: ∀ ∆ t, empty♥∆ → empty„co2su ∆ ` t:⊥→ False.

Lemma cbv app1 trans: ∀ t t’u , t 7→* t’ → lc u → t·u 7→* t’·u.

Lemma cbv merge1 trans: ∀ tu t’ , t 7→* t’ → lc u → t⊗u 7→* t’⊗u.

Lemma cbv merge2 trans: ∀ tu u’ , u 7→* u’ → lc t → t⊗u 7→* t⊗u’. Lemma value monotonicity: ∀ Γ t t’’ τ, Γ ` t:τ ,→ t’’ → A.value t’’ →∃ t’, t 7→* t’ ∧ value t’ ∧ Γ ` t’:τ ,→ t’’. Lemma subst lc: ∀ tux , lc t → lc u → lc [x 7→ u]t. Lemma value subst: ∀ tux , lc u → value t → value [x 7→ u]t. Lemma subst elaboration: ∀ Γ t t’u u’x τ σ, Γ /x:σ ` t:τ ,→ t’ → Γ ` u:σ ,→ u’ → Γ ` [x 7→ u]t : τ ,→ ’[x 7→ u’]t’.

Department of Mathematics and Computer Science 111 Master’s Thesis F. Proofs for Unrestricted Union and Intersection Types

Lemma subst fresh: ∀ tux , x ∈/ fv t → [x 7→ u]t = t. Lemma subst intro: ∀ tux , x ∈/ fv t → lc u → t!u =[ x 7→ u](t!hxi). Lemma abs value: ∀ Γ tx σ τ, Γ ` t : σ ’→ τ ,→ ’’λ x →∃ t’, t 7→*’ λ t’ ∧ Γ ` ’λ t’ : σ ’→ τ ,→ ’’λ x.

Lemma elaboration inj1 : ∀ Γ t t’ τ σ, Γ ` t : τ ’∨ σ ,→ inj1 t’ → Γ ` t:τ ,→ t’.

Lemma elaboration inj2 : ∀ Γ t t’ τ σ, Γ ` t : τ ’∨ σ ,→ inj2 t’ → Γ ` t:σ ,→ t’.

Lemma elaboration pair: ∀ Γ t t’1 t’2 τ σ, Γ ` t : τ ’∧ σ ,→h t’1, t’2i→ prod (Γ ` t:τ ,→ t’1)(Γ ` t:σ ,→ t’2). Lemma consistency: ∀ Γ tu u’ τ, Γ ` t:τ ,→ u → u ’7→ u’ →∃ t’, t 7→* t’ ∧ Γ ` t’:τ ,→ u’. Theorem dynamic semantics: ∀ Γ t τ u u’, Γ ` t:τ ,→ u → u ’7→* u’ →∃ t’, t 7→* t’ ∧ Γ ` t’:τ ,→ u’.

End IntersectionFull.

112 Technical University Eindhoven Master’s Thesis

G. Deﬁnitions for Mutable Algebraic Data Types

Module Algebraic(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOnE ) (Import V:VariablesTypeES ). Notation "{ x & P }" := (sigT (fun x ⇒ P)) (at level 0, x at level 99). Notation "{ x | P }" := (sig (fun x ⇒ P)) (at level 0, x at level 99). Module T := AllTypesESV . Include T. Notation "x ’+ y" := (type sum xy )(at level 11, left associativity). Notation "x ’× y" := (type prod xy )(at level 11, left associativity). Inductive term := | unit : term | bvar : nat → term | fvar : var → term | assign bvar : nat → term → term | assign fvar : var → term → term | app : term → term → term | abs : term → term | pair : term → term → term | proj1 : term → term | proj2 : term → term | inj1 : term → term | inj2 : term → term | case : term → term → term | absurd : term → term. Notation "hi" := unit (at level 1). Notation "ˆ x" := (bvar x)(at level 2). Notation "h x i" := (fvar x)(at level 3). Notation "ˆ x := t" := (assign bvar xt )(at level 2, x at next level). Notation "h x i := t" := (assign fvar xt )(at level 3, t at next level). Notation "t · u" := (app tu )(at level 4, left associativity). Notation "’λ t" := (abs t)(at level 6, right associativity). Notation "h t , u i" := (pair tu )(at level 3). Notation "’case’ t ’of’ u" := (case tu )(at level 8). Notation "’proj1’ t" := (proj1 t)(at level 5). Notation "’proj2’ t" := (proj2 t)(at level 5).

Department of Mathematics and Computer Science 113 Master’s Thesis G. Deﬁnitions for Mutable Algebraic Data Types

Notation "’inj1’ t" := (inj1 t)(at level 5). Notation "’inj2’ t" := (inj2 t)(at level 5). Notation "’absurd’ t" := (absurd t)(at level 5). Reserved Notation "{ k 7→ u } t" (at level 0, k at next level). Fixpoint open rec kut := match t with |hi⇒hi |h xi⇒h xi | ˆi ⇒ if Nat.eq dec ik then hui elseˆ i | ˆi:=t ⇒ if Nat.eq dec ik then hui := {k 7→ u}t elseˆ i:={k 7→ u}t |h xi:=t ⇒h xi:={k 7→ u}t | t1·t2 ⇒{ k 7→ u}t1 · {k 7→ u}t2 | ’λ t ⇒ ’λ {1+k 7→ u}t |h t1, t2i⇒h{ k 7→ u}t1, {k 7→ u}t2i | proj1 t ⇒ proj1 {k 7→ u}t | proj2 t ⇒ proj2 {k 7→ u}t | inj1 t ⇒ inj1 {k 7→ u}t | inj2 t ⇒ inj2 {k 7→ u}t | case t1 of t2 ⇒ case {k 7→ u}t1 of {k 7→ u}t2 | absurd t ⇒ absurd {k 7→ u}t end where "{ k 7→ u } t" := (open rec kut ). Notation "t ! u" := {0 7→ u}t (at level 4). Inductive lc : term → Prop := | lc unit : lc hi

| lc fvar : ∀ x, lc hxi

| lc assign : ∀ xt , lc t → lc hxi:=t

| lc app : ∀ tu , lc t → lc u → lc (t·u)

| lc abs : ∀ Lt ,( ∀ x, x ∈/ L → lc t!x) → lc ’λ t

| lc pair : ∀ tu , lc t → lc u → lc ht, ui

| lc proj1 : ∀ t, lc t → lc (proj1 t)

114 Technical University Eindhoven Master’s Thesis

| lc proj2 : ∀ t, lc t → lc (proj2 t)

| lc inj1 : ∀ t, lc t → lc (inj1 t)

| lc inj2 : ∀ t, lc t → lc (inj2 t)

| lc case : ∀ tu , lc t → lc u → lc case t of u

| lc absurd : ∀ t, lc t → lc (absurd t). Inductive value : term → Prop := | value unit : value hi

| value abs : ∀ t, lc ’λ t → value ’λ t

| value pair : ∀ tu , value t → value u → value ht, ui

| value inj1 : ∀ t, value t → value inj1 t

| value inj2 : ∀ t, value t → value inj2 t. Notation "x : τ ∈ Ω" := (M.MapsTo x τΩ )(at level 70, τ at next level). Notation "Ω / x : τ" := (M.add x τΩ )(at level 1, x at next level). Definition dom{ X} m := M.fold (λ v ( : X) s, S.add vs ) m S.empty. Definition next{ X}(Ω : M.t X) := proj1 sig( var fresh (dom Ω)). Notation store := (M.t term). Notation pointers := (M.t var). Reserved Notation "x 7→ y" (at level 70). Inductive cbv : (store × term) → (store × term) → Prop := | cbv app1 : ∀ Σ 1 Σ 2 t t’u ,( Σ 1, t) 7→ (Σ 2, t’) → lc u → (Σ 1, t·u) 7→ (Σ 2, t’·u)

| cbv app2 : ∀ Σ 1 Σ 2 tu u’ , value t → (Σ 1, u) 7→ (Σ 2, u’) → (Σ 1, t·u) 7→ (Σ 2, t·u’)

| cbv var : ∀ Σ xt , x:t ∈ Σ

Department of Mathematics and Computer Science 115 Master’s Thesis G. Deﬁnitions for Mutable Algebraic Data Types

→ (Σ, hxi) 7→ (Σ, t)

| cbv assign1 : ∀ Σ 1 Σ 2 xt t’ ,( Σ 1, t) 7→ (Σ 2, t’) → (Σ 1, hxi:=t) 7→ (Σ 2, hxi:=t’)

| cbv assign : ∀ Σ xt , value t → (Σ, hxi:=t) 7→ (Σ /x:t, hi)

| cbv abs : ∀ Σ xtu , lc ’λ t → value u → x = next Σ → (Σ,(’ λ t)·u) 7→ (Σ /x:u, t!x)

| cbv proj1 : ∀ Σ 1 Σ 2 t t’,( Σ 1, t) 7→ (Σ 2, t’) → (Σ 1, proj1 t) 7→ (Σ 2, proj1 t’)

| cbv proj2 : ∀ Σ 1 Σ 2 t t’,( Σ 1, t) 7→ (Σ 2, t’) → (Σ 1, proj2 t) 7→ (Σ 2, proj2 t’)

| cbv inj1 : ∀ Σ 1 Σ 2 t t’,( Σ 1, t) 7→ (Σ 2, t’) → (Σ 1, inj1 t) 7→ (Σ 2, inj1 t’)

| cbv inj2 : ∀ Σ 1 Σ 2 t t’,( Σ 1, t) 7→ (Σ 2, t’) → (Σ 1, inj2 t) 7→ (Σ 2, inj2 t’)

| cbv unproj1 : ∀ Σ tu , value t → value u → (Σ, proj1 ht, ui) 7→ (Σ, t)

| cbv unproj2 : ∀ Σ tu , value t → value u → (Σ, proj2 ht, ui) 7→ (Σ, u)

| cbv pair1 : ∀ Σ 1 Σ 2 t t’u ,( Σ 1, t) 7→ (Σ 2, t’) → lc u → (Σ 1, ht, ui) 7→ (Σ 2, ht’, ui)

| cbv pair2 : ∀ Σ 1 Σ 2 tu u’ , value t → (Σ 1, u) 7→ (Σ 2, u’) → (Σ 1, ht, ui) 7→ (Σ 2, ht, u’i)

| cbv case11 : ∀ Σ 1 Σ 2 t t’u ,( Σ 1, t) 7→ (Σ 2, t’) → value u → (Σ 1, case t of u) 7→ (Σ 2, case t’ of u)

| cbv case12 : ∀ Σ 1 Σ 2 tu u’ , lc t → (Σ 1, u) 7→ (Σ 2, u’) → (Σ 1, case t of u) 7→ (Σ 2, case t of u’)

| cbv case21 : ∀ Σ tu , value t → value u → (Σ, case inj1 t of u) 7→ (Σ,(proj 1 u)·t)

116 Technical University Eindhoven Master’s Thesis

| cbv case22 : ∀ Σ tu , value t → value u → (Σ, case inj2 t of u) 7→ (Σ,(proj 2 u)·t) where "x 7→ y" := (cbvyx ). Notation "x 7→* y" := (clos reﬂ trans cbv yx )(at level 70). Notation context := (M.t type). Notation empty := (M.empty type). Reserved Notation "Γ ` t : τ"(at level 70, t at next level). Inductive typing : context → term → type → Prop := | typing var : ∀ Γ x τ, x:τ ∈ Γ → Γ `h xi : τ

| typing assign : ∀ Γ xt τ, x:τ ∈ Γ → Γ ` t:τ → Γ `h xi:=t : >

| typing unit : ∀ Γ , Γ `hi : >

| typing absurd : ∀ Γ t τ, Γ ` t : ⊥ → Γ ` absurd t : τ

| typing abs : ∀ L Γ t σ τ,( ∀ x, x ∈/ L → Γ /x:σ ` t!x : τ) → Γ ` ’λ t : σ ’→ τ

| typing app : ∀ Γ tu σ τ, Γ ` t : σ ’→ τ → Γ ` u : σ → Γ ` t·u : τ

| typing proj1 : ∀ Γ t σ τ, Γ ` t : σ ’× τ → Γ ` proj1 t : σ

| typing proj2 : ∀ Γ t σ τ, Γ ` t : σ ’× τ → Γ ` proj2 t : τ

| typing inj1 : ∀ Γ t σ τ, Γ ` t : σ → Γ ` inj1 t : σ ’+ τ

| typing inj2 : ∀ Γ t σ τ, Γ ` t : τ → Γ ` inj2 t : σ ’+ τ

| typing pair : ∀ Γ tu σ τ, Γ ` t : σ → Γ ` u : τ → Γ `h t, ui : σ ’× τ

| typing case : ∀ Γ tu σ τ ρ, Γ ` t : σ ’+ τ → Γ ` u :( σ ’→ ρ)’ × (τ ’→ ρ) → Γ ` case t of u : ρ where "Γ ` t : τ" := (typing Γ t τ).

Department of Mathematics and Computer Science 117 Master’s Thesis G. Deﬁnitions for Mutable Algebraic Data Types

Definition madd{ X} Γ 1 Γ 2 := M.fold (@M.add X) Γ 2 Γ 1. Definition not bottom’ Γ := (∀ x σ, x:σ ∈ Γ → not bottom σ). End Algebraic. Module Type AlgebraicProperties(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOn E) (V:VariablesTypeES ). Include AlgebraicEMSV .

Parameter cbv value : ∀ Σ 1 Σ 2 t t’,( Σ 1, t) 7→ (Σ 2, t’) →¬ value t. Parameter value cbv : ∀ Σ 1 Σ 2 t t’, value t →¬ (Σ 1, t) 7→ (Σ 2, t’).

Parameter determinism : ∀ t t’1 t’2, t 7→ t’1 → t 7→ t’2 → t’1 = t’2.

Parameter subject reduction trans : ∀ Σ 1 Σ 2 Γ t t’ τ, Γ ♥Σ 1 → Γ ` t:τ → (Σ 1, t) 7→* (Σ 2, t’) →∃ Γ ’, madd Γ ’ Γ ` t’:τ.

Parameter progress : ∀ ΓΣ 1 t τ, not bottom’ Γ → Γ ♥Σ 1 → Γ ` t:τ → (value t ∨∃ Σ 2 t’,( Σ 1, t) 7→ (Σ 2, t’)).

Parameter typing sn value : ∀ ΓΣ 1 t τ, not bottom’ Γ → Γ ♥Σ 1 → Γ ` t:τ → Acc cbv (Σ 1, t) →∃ t’ Σ 2,( Σ 1, t) 7→*( Σ 2, t’) ∧ value t’. Parameter untypable bottom : ∀ t, ¬empty ` t:⊥. Parameter lc dec : ∀ t,{ lc t}+{ ¬lc t}. Parameter value dec : ∀ t,{ value t}+{ ¬value t}. Parameter cbv dec : ∀ t,{ t’ | t 7→ t’}+{ ∀ t’, ¬t 7→ t’}.

End AlgebraicProperties.

118 Technical University Eindhoven Master’s Thesis

H. Proofs for Mutable Algebraic Data Types

Module AlgebraicFull(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOnE ) (Import V:VariablesTypeES ) <: AlgebraicPropertiesE MSV . Include AlgebraicEMSV . Inductive term eq (Eq: var → var → Prop): term → term → Prop := | unit eq’ : term eq Eq hihi | bvar eq’ : ∀ nm , n === m → term eq Eq ˆn ˆm | fvar eq’ : ∀ xy , Eqxy → term eq Eq hxih yi | assign bvar eq’ : ∀ nmt 1 t2, n === m → term eq Eqt 1 t2 → term eq Eq ˆn:=t1 ˆm:=t2 | assign fvar eq’ : ∀ xyt 1 t2, Eqxy → term eq Eqt 1 t2 → term eq Eq hxi:=t1 hyi:=t2 | app eq’ : ∀ t1 t2 u1 u2, term eq Eqt 1 t2 → term eq Equ 1 u2 → term eq Eqt 1·u1 t2·u2 | abs eq’ : ∀ t1 t2, term eq Eqt 1 t2 → term eq Eq ’λ t1 ’λ t2 | pair eq’ : ∀ t1 t2 u1 u2, term eq Eqt 1 t2 → term eq Equ 1 u2 → term eq Eq ht1, u1ih t2, u2i | proj1 eq’ : ∀ t1 t2, term eq Eqt 1 t2 → term eq Eq proj1 t1 proj1 t2 | proj2 eq’ : ∀ t1 t2, term eq Eqt 1 t2 → term eq Eq proj2 t1 proj2 t2 | inj1 eq’ : ∀ t1 t2, term eq Eqt 1 t2 → term eq Eq inj1 t1 inj1 t2 | inj2 eq’ : ∀ t1 t2, term eq Eqt 1 t2 → term eq Eq inj2 t1 inj2 t2 | case eq’ : ∀ t1 t2 u1 u2, term eq Eqt 1 t2 → term eq Equ 1 u2 → term eq Eq case t1 of u1 case t2 of u2 | absurd eq’ : ∀ t1 t2, term eq Eqt 1 t2 → term eq Eq absurd t1 absurd t2. Instance termEquivalence Eq : Equivalence Eq → Equivalence (term eq Eq). Instance termEqDec: EqDec term (term eq E.eq). Lemma value lc: ∀ t, value t → lc t.

Lemma cbv lc: ∀ Σ 1 Σ 2 t t’,( Σ 1, t) 7→ (Σ 2, t’) → lc t.

Theorem cbv value: ∀ Σ 1 Σ 2 t t’,( Σ 1, t) 7→ (Σ 2, t’) →¬ value t.

Theorem value cbv: ∀ Σ 1 Σ 2 t t’, value t →¬ (Σ 1, t) 7→ (Σ 2, t’).

Theorem determinism: ∀ t t’1 t’2, t 7→ t’1 → t 7→ t’2 → t’1 = t’2. Lemma context unique: ∀ {X} Γ x (σ τ: X), x:τ ∈ Γ /x:σ → σ = τ. Fixpoint fv t := match t with

Department of Mathematics and Computer Science 119 Master’s Thesis H. Proofs for Mutable Algebraic Data Types

|hi⇒ S.empty |h xi⇒ S.singleton x | ˆi ⇒ S.empty | ˆx:=t ⇒ fv t |h xi:=t ⇒ S.add x (fv t) | t1·t2 ⇒ S.union (fv t1)(fv t2) | ’λ t ⇒ fv t |h t1, t2i⇒ S.union (fv t1)(fv t2) | proj1 t ⇒ fv t | proj2 t ⇒ fv t | inj1 t ⇒ fv t | inj2 t ⇒ fv t | case t1 of t2 ⇒ S.union (fv t1)(fv t2) | absurd t ⇒ fv t end. Lemma in permuted context: ∀ {X} Γ xyz (σ τ: X) φ, ¬E.eq xy → z:φ ∈ Γ /x:σ/y:τ → z:φ ∈ Γ /y:τ/x:σ.

Lemma equal context: ∀ Γ 1 Γ 2 t τ,( ∀ x σ, x:σ ∈ Γ 1 → x:σ ∈ Γ 2) → Γ 1 ` t:τ → Γ 2 ` t:τ. Lemma in s in folds: ∀ {X} lsx , x ∈ s → x ∈ fold left( λ a (p : var × X), S.add (fst p) a) ls . Lemma folds widen: ∀ {X} lxs s’ , (∀ x, x ∈ s → x ∈ s’) → x ∈ fold left( λ s (v: var × X), S.add (fst v) s) ls → x ∈ fold left( λ s (v: var × X), S.add (fst v) s) l s’. Lemma inm indom: ∀ {X}(Γ : M.t X) x, M.In x Γ → x ∈ (dom Γ ). Lemma context weakening: ∀ Γ xt σ τ, ¬M.In x Γ → Γ ` t:τ → Γ /x:σ ` t:τ. Lemma typing lc: ∀ Γ t τ, Γ ` t:τ → lc t. Lemma helper1: ∀ {X} l Γ xn , NoDupA (@M.eq key X)((x,n)::l) → x:n ∈ Γ → x:n ∈ fold left( λ (a0 : M.t X)(p : M.key × X), a0 / (fst p):( snd p)) l Γ . Lemma mapsto madd: ∀ {X} ΓΓ ’, ∀ x (n : X), x:n ∈ Γ → x:n ∈ madd Γ ’ Γ .

Lemma helper2: ∀ {X} lx τΓ 1 Γ 2,( ∀ x τ, x:τ ∈ Γ 1 → x:τ ∈ Γ 2) → x:τ ∈ fold left( λ (a : M.t X)(p : M.key × X), a / (fst p):( snd p)) l Γ 1 → x:τ ∈ fold left( λ (a : M.t X)(p : M.key × X), a / (fst p):( snd p)) l Γ 2. Lemma helper3: ∀ {X} lk x0x τΓ , NoDupA (@M.eq key X)((k, x0):: l) →¬ E.eq xk → x:τ ∈ fold left( λ (a : M.t X)(p : M.key × X), a / (fst p):( snd p))((k, x0):: l) Γ → x:τ ∈ fold left( λ (a : M.t X) (p : M.key × X), a / (fst p):( snd p)) l Γ . Lemma helper4: ∀ {X} Γ ’x x0 x1 , InA (M.eq key elt( elt:=X)) (x, x0) (M.elements Γ ’) → InA (M.eq key( elt:=X)) (x, x1) (M.elements Γ ’).

120 Technical University Eindhoven Master’s Thesis

Lemma helper5: ∀ {X} Γ ’x x1 , InA (M.eq key( elt:=X)) (x, x1) (M.elements Γ ’) →∃ x0, InA (M.eq key elt( elt:=X)) (x, x0) (M.elements Γ ’). Lemma madd dec: ∀ {X} ΓΓ ’x (τ : X), x:τ ∈ madd ΓΓ ’ → {x:τ ∈ Γ ∧¬ M.In x Γ ’}+ {x:τ ∈ Γ ’}. Lemma mapsto madd2: ∀ {X} ΓΓ ’, ∀ x (n : X), x:n ∈ Γ ’ →¬ M.In x Γ → x:n ∈ madd Γ ’ Γ . Lemma madd add: ∀ {X} ΓΓ ’xy (σ τ : X), y:σ ∈ madd Γ ’ Γ /x:τ → y:σ ∈ (madd Γ ’ Γ )/x:τ. Lemma context weakening2: ∀ ΓΓ ’t τ, Γ ` t:τ → madd Γ ’ Γ ` t:τ. Lemma fv open rec: ∀ txy , x ∈ fv t → x ∈ fv t!y. Lemma context fv: ∀ Γ t τ x, Γ ` t:τ → x ∈ fv t → M.In x Γ . Lemma open rec swap: ∀ tnmxy , n 6= m →{ n 7→ x}{m 7→ y}t = {m 7→ y}{n 7→ x}t. Lemma neg open rec fv: ∀ tyx , y ∈/ fv t →¬ E.eq yx → y ∈/ fv t!x. Lemma typing open rec var: ∀ Γ xy τ σ t, x ∈/ fv t → y ∈/ fv t → Γ /x:σ ` t!x:τ → Γ /y:σ ` t!y:τ. Lemma eq fv: ∀ xyt , E.eq xy → x ∈ fv t → y ∈ fv t.

Lemma env cbv: ∀ Σ 1 Σ 2 Γ t t’ τ, Γ ♥Σ 1 → Γ ` t:τ → (Σ 1, t) 7→ (Σ 2, t’) → Γ ♥Σ 2. Lemma empty madd love: ∀ ΓΣ , Γ ♥Σ → madd empty Γ ♥Σ. Lemma empty madd mapsto: ∀ Γ x τ, x:τ ∈ madd empty Γ → x:τ ∈ Γ . Lemma typing not bottom: ∀ t Γτ , Γ ` t:τ → not bottom’ Γ → not bottom τ. Theorem untypable bottom: ∀ t, ¬empty ` t:⊥.

Lemma subject reduction: ∀ Σ 1 Σ 2 Γ t t’ τ, Γ ♥Σ 1 → Γ ` t:τ → (Σ 1, t) 7→ (Σ 2, t’) → ∃ Γ ’, madd Γ ’ Γ ` t’:τ ∧ madd Γ ’ Γ ♥Σ 2 ∧ (not bottom’ Γ → not bottom’(madd Γ ’ Γ )).

Lemma madd assoc: ∀ {X} Γ 1 Γ 2 Γ 3 y (σ : X), y:σ ∈ madd Γ 1 (madd Γ 2 Γ 3) ↔ y:σ ∈ madd(madd Γ 1 Γ 2) Γ 3.

Lemma subject reduction trans’: ∀ Σ 1 Σ 2 Γ t t’ τ, Γ ♥Σ 1 → Γ ` t:τ → (Σ 1, t) 7→*( Σ 2, t’) → ∃ Γ ’, madd Γ ’ Γ ` t’:τ ∧ madd Γ ’ Γ ♥Σ 2 ∧ (not bottom’ Γ → not bottom’(madd Γ ’ Γ )).

Theorem subject reduction trans: ∀ Σ 1 Σ 2 Γ t t’ τ, Γ ♥Σ 1 → Γ ` t:τ → (Σ 1, t) 7→* (Σ 2, t’) →∃ Γ ’, madd Γ ’ Γ ` t’:τ.

Theorem progress: ∀ ΓΣ 1 t τ, not bottom’ Γ → Γ ♥Σ 1 → Γ ` t:τ → (value t ∨∃ Σ 2 t’, (Σ 1, t) 7→ (Σ 2, t’)).

Department of Mathematics and Computer Science 121 Master’s Thesis H. Proofs for Mutable Algebraic Data Types

Fixpoint term length t := match t with |hi⇒ 1 |h xi⇒ 1 | ˆi ⇒ 1 |h xi:=t ⇒ 1 + term length t | ˆx:=t ⇒ 1 + term length t | t1·t2 ⇒ term length t1 + term length t2 | ’λ t ⇒ 1 + term length t |h t1, t2i⇒ term length t1 + term length t2 | proj1 t ⇒ 1 + term length t | proj2 t ⇒ 1 + term length t | inj1 t ⇒ 1 + term length t | inj2 t ⇒ 1 + term length t | case t1 of t2 ⇒ term length t1 + term length t2 | absurd t ⇒ 1 + term length t end. Lemma term length nonzero: ∀ t, 1 ≤ term length t. Lemma open rec term length: ∀ tx , term length t = term length t!x. Lemma lc open rec var: ∀ tpq , lc t!p → lc t!q. Definition lc dec t : {lc t}+{ ¬lc t}. Definition value dec t : {value t}+{ ¬value t}. Definition cbv dec t : {t’ | t 7→ t’}+{ ∀ t’, ¬t 7→ t’}. Lemma typing sn value: ∀ ΓΣ t τ, not bottom’ Γ → Γ ♥Σ → Γ ` t:τ → Acc cbv (Σ, t) →∃ t’ Σ’,( Σ, t) 7→*( Σ’, t’) ∧ value t’. Theorem read after write: ∀ Σ xt , value t →∃ Σ’,( Σ,(’ λ hxi)·hxi := t) 7→*( Σ’, t).

Definition injection( R: relation var) := ∀ xyz , Rxy → Rxz → E.eq yz . Definition one2one R := injection R ∧ injection(ﬂip R).

Definition store term eq’( R: relation var) st1 st2 := let ’((Σ 1, t1),( Σ 2, t2)) := (st1, st2) in (∀ xy x’ y’ , Rxy → E.eq x x’ → E.eq y y’ → R x’ y’) ∧ one2one R ∧ term eq Rt 1 t2 ∧ (∀ x1 x2 u1, Rx 1 x2 → x1:u1 ∈ Σ 1 →∃ u2, x2:u2 ∈ Σ 2 ∧ term eq Ru 1 u2) ∧ (∀ x1 x2 u2, Rx 1 x2 → x2:u2 ∈ Σ 2 →∃ u1, x1:u1 ∈ Σ 1 ∧ term eq Ru 1 u2).

Definition store term eq st1 st2 := ∃ R, store term eq’ R st1 st2. Lemma term eq ﬂip: ∀ Ptu , term eq Ptu → term eq (ﬂip P) ut .

Lemma term eq comp: ∀ P1 P2 tuv , term eq P1 tu → term eq P2 uv → term eq (λ ac , ∃ b, P1 ab ∧ P2 bc ) tv .

122 Technical University Eindhoven Master’s Thesis

Instance storetermEquivalence: Equivalence (store term eq). Lemma term eq open rec: ∀ tnuxyR , term eq Rtu → Rxy → term eq R {n 7→ x}t {n 7→ y}u. Lemma term eq extend: ∀ tu (RR’ : relation var),( ∀ xy , Rxy → R’xy ) → term eq Rt u → term eq R’tu . Lemma lc open rec: ∀ nxyt , lc {n 7→ x}t → lc {n 7→ y}t. Lemma lc term eq: ∀ tuR , term eq Rtu → lc t → lc u. Lemma value term eq: ∀ Rtu , value t → term eq Rtu → value u. Lemma value store term eq: ∀ tu , value (snd t) → store term eq tu → value (snd u). Definition infv inS t (S: var → Prop) := ∀ x, x ∈ fv t → Sx . Definition closed’( S : var → Prop) st := let ’(Σ, t) := st in (∀ xy , Sx → E.eq xy → Sy ) ∧ infv inS tS ∧ lc t ∧ (∀ x, Sx →∃ u, x:u ∈ Σ ∧ infv inS uS ∧ lc u). Definition closed st := ∃ S, closed’ S st. Lemma open rec fv: ∀ tyx , y ∈ fv t!x →¬ E.eq yx → y ∈ fv t.

Lemma closed cbv: ∀ tu , t 7→ u → closed t → closed u. Lemma term eq extend2: ∀ tu (RR’ : relation var),( ∀ xy , x ∈ fv t → y ∈ fv u → Rxy → R’xy ) → term eq Rtu → term eq R’tu . Lemma term eq fv: ∀ (R : relation var) tux ,( ∀ xy x’ y’ , Rxy → E.eq x x’ → E.eq y y’ → R x’ y’) → term eq Rtu → x ∈ fv t →∃ y, y ∈ fv u ∧ Rxy . Lemma term eq fv2: ∀ (R : relation var) tux ,( ∀ xy x’ y’ , Rxy → E.eq x x’ → E.eq y y’ → R x’ y’) → term eq Rtu → x ∈ fv u →∃ y, y ∈ fv t ∧ Ryx . Lemma closed store term eq: ∀ tu , closed t → store term eq tu → closed u.

Lemma store term eq minimal: ∀ S1 S2 Rtu , closed’ S1 t → closed’ S2 u → store term eq’ Rtu → store term eq’( λ xy , Rxy ∧ S1 x ∧ S2 y ∧ M.In x (fst t) ∧ M.In y (fst u)) tu . Lemma store term eq cbv: ∀ tuv , closed t → t 7→ v → store term eq tu →∃ v’, u 7→ v’ ∧ store term eq v v’. Lemma closed cbv trans: ∀ tu , t 7→* u → closed t → closed u. Definition cbv closed ut := t 7→ u ∧ closed t. Definition beta eq := clos reﬂ sym trans (union cbv closed store term eq). Notation "x =β y" := (beta eq yx )(at level 70). Instance beta eq equivalence: Equivalence beta eq. Lemma cbv trans beta eq: ∀ tu , closed t → t 7→* u → t =β u. Lemma wikkel: ∀ {X} Γ x, M.In x Γ ↔∃ τ, InA (M.eq key elt( elt:=X)) (x, τ) (M.elements Γ ). Lemma indom inm: ∀ {X}(Γ : M.t X) x, x ∈ dom Γ → M.In x Γ .

Department of Mathematics and Computer Science 123 Master’s Thesis H. Proofs for Mutable Algebraic Data Types

Definition y combinator := ’λ (’λ (’λ proj1 ˆ1)·((proj2 ˆ0)·(proj1 ˆ0)))·((’λ h’λ ˆ2·ˆ1·ˆ0,’ λ ˆ1 := ˆ0i)·(’λ ˆ0)). Definition y combinator2 := ’λ (’λ (’λ proj1 ˆ1)·((proj2 ˆ0)·(proj1 ˆ0)))·((’λ h’λ ˆ2·ˆ1·ˆ0,’ λ ˆ1 := ˆ0i)·(’λ ˆ0)). Lemma y combinator typing: ∀ α, empty ` y combinator :(( α ’→ α)’ → α ’→ α) ’→ α ’→ α. Lemma y combinator2 typing: ∀ α, empty ` y combinator2 :(( α ’→ α)’ → α ’→ α) ’→ α ’→ α. Lemma open rec lc: ∀ tnx , lc t → lc {n 7→ x}t.

Lemma cbv app1 trans: ∀ t t’u Σ 1 Σ 2,( Σ 1, t) 7→*( Σ 2, t’) → lc u → (Σ 1, t·u) 7→* (Σ 2, t’·u).

Lemma cbv app2 trans: ∀ tu u’ Σ 1 Σ 2,( Σ 1, u) 7→*( Σ 2, u’) → value t → (Σ 1, t·u) 7→* (Σ 2, t·u’). Lemma y combinator spec: ∀ fv Σ, closed (Σ, f ) → closed (Σ, v) → lc f → value v → (Σ,((’ λ ’λ f )·(y combinator·(’λ ’λ f )))·v)= β (Σ,( y combinator·(’λ ’λ f ))·v). Definition I := ’λ ˆ0. Definition zero := ’λ ’λ ˆ0. Definition succ := ’λ ’λ ’λ ˆ1·(ˆ2·ˆ1·ˆ0). Definition one := succ·zero. Definition two := succ·one. Definition three := succ·two. Notation num := ((> ’→> )’ →> ’→> ). Lemma zero typing: empty ` zero : num. Lemma succ typing: empty ` succ : num ’→ num. Definition iterator := ’λ ’λ ’λ (’λ ˆ1)·(ˆ2·(’λ ˆ1 := ˆ2·ˆ1)·hi). Lemma iterator typing: ∀ τ, empty ` iterator : num ’→ (τ ’→ τ)’ → τ ’→ τ. Lemma iterator zero: ∀ fv Σ, closed (Σ, f ) → closed (Σ, v) → value f → value v → (Σ, iterator·zero·f ·v)= β (Σ, v).

End AlgebraicFull.

124 Technical University Eindhoven Master’s Thesis

I. Deﬁnitions for Mutable Union and Intersection Types

Module Intersection(E:DecidableTypeBoth)(M:WSfunE )(S:WSetsOnE ) (Import V:VariablesTypeES ). Notation "{ x & P }" := (sigT (fun x ⇒ P)) (at level 0, x at level 99). Notation "{ x | P }" := (sig (fun x ⇒ P)) (at level 0, x at level 99). Module A := AlgebraicFullEMSV . Include A.T. Notation "x ’∨ y" := (type sum xy )(at level 11, left associativity). Notation "x ’∧ y" := (type prod xy )(at level 11, left associativity). Inductive term := | bvar : nat → term | fvar : var → term | assign bvar : nat → term → term | assign fvar : var → term → term | app : term → term → term | abs : term → term | merge : term → term → term. Notation "ˆ x" := (bvar x)(at level 2). Notation "h x i" := (fvar x)(at level 3). Notation "ˆ x := t" := (assign bvar xt )(at level 2, x at next level). Notation "h x i := t" := (assign fvar xt )(at level 3, t at next level). Notation "t · u" := (app tu )(at level 4, left associativity). Notation "’λ t" := (abs t)(at level 6, right associativity). Notation "t ⊗ u" := (merge tu )(at level 5, left associativity). Notation "hi" := A.unit (at level 1). Notation "’ˆ x" := (A.bvar x)(at level 2). Notation "’h x i" := (A.fvar x)(at level 3). Notation "’ˆ x := t" := (A.assign bvar xt )(at level 2, x at next level). Notation "’h x i := t" := (A.assign fvar xt )(at level 3, t at next level). Notation "t ’· u" := (A.app tu )(at level 4, left associativity). Notation "’’λ t" := (A.abs t)(at level 6, right associativity). Notation "h t , u i" := (A.pair tu )(at level 3). Notation "’case’ t ’of’ u" := (A.case tu )(at level 7). Notation "’proj1’ t" := (A.proj1 t)(at level 5).

Department of Mathematics and Computer Science 125 Master’s Thesis I. Deﬁnitions for Mutable Union and Intersection Types

Notation "’proj2’ t" := (A.proj2 t)(at level 5). Notation "’inj1’ t" := (A.inj1 t)(at level 5). Notation "’inj2’ t" := (A.inj2 t)(at level 5). Notation "’absurd’ t" := (A.absurd t)(at level 5). Notation "t ’7→ u" := (A.cbv ut )(at level 70). Notation "x ’7→* y" := (clos refl trans A.cbv yx )(at level 70). Notation "’{ k 7→ u } t" := (A.open rec kut )(at level 0, k at next level). Notation "t !! u" := ’{0 7→ u}t (at level 4). Notation "Γ ’` t : τ" := (A.typing Γ t τ)(at level 70, t at next level). Instance ProdEqDec{ A}{B}{RA}{RB} ‘(EqDec ARA , EqDec BRB ): EqDec (A×B) . Inductive term eq : term → term → Prop := | bvar eq : ∀ nm , n === m → term eq ˆn ˆm | fvar eq : ∀ xy , x === y → term eq hxih yi | assign bvar eq : ∀ nmt 1 t2, n === m → term eq t1 t2 → term eq ˆn:=t1 ˆm:=t2 | assign fvar eq : ∀ xyt 1 t2, x === y → term eq t1 t2 → term eq hxi:=t1 hyi:=t2 | app eq : ∀ t1 t2 u1 u2, term eq t1 t2 → term eq u1 u2 → term eq t1·u1 t2·u2 | abs eq : ∀ t1 t2, term eq t1 t2 → term eq ’λ t1 ’λ t2 | merge eq : ∀ t1 t2 u1 u2, term eq t1 t2 → term eq u1 u2 → term eq t1⊗u1 t2⊗u2. Instance termEquivalence: Equivalence term eq. Reserved Notation "{ k 7→ u } t" (at level 0, k at next level). Fixpoint open rec kut := match t with |h xi⇒h xi | î ⇒ if i == k then hui elseˆ i | î:=t ⇒ if Nat.eq dec ik then hui := {k 7→ u}t elseˆ i:={k 7→ u}t |h xi:=t ⇒h xi:={k 7→ u}t | t1·t2 ⇒{ k 7→ u}t1 · {k 7→ u}t2 | ’λ t ⇒ ’λ {1+k 7→ u}t | t1 ⊗ t2 ⇒{ k 7→ u}t1 ⊗{ k 7→ u}t2 end where "{ k 7→ u } t" := (open rec kut ). Notation "t ! u" := {0 7→ u}t (at level 4). Inductive lc : term → Prop := | lc fvar : ∀ x, lc hxi

| lc assign : ∀ xt , lc t → lc hxi:=t

| lc app : ∀ tu , lc t → lc u → lc (t·u)

| lc abs : ∀ Lt ,( ∀ x, x ∈/ L → lc t!x)

126 Technical University Eindhoven Master’s Thesis

→ lc ’λ t

| lc merge : ∀ tu , lc t → lc u → lc t ⊗ u. Inductive value : term → Prop := | value abs : ∀ t, lc ’λ t → value ’λ t

| value merge : ∀ tu , value t → value u → value t ⊗ u. Notation "x : τ ∈ Ω" := (M.MapsTo x τΩ )(at level 70, τ at next level). Notation "Ω / x : τ" := (M.add x τΩ )(at level 1, x at next level). Definition dom{ X} m := M.fold (λ v ( : X) s, S.add vs ) m S.empty. Definition next{ X}(Ω : M.t X) := proj1 sig( var fresh (dom Ω)). Notation store := (M.t term). Notation pointers := (M.t var). Reserved Notation "t 7→ u" (at level 70, u at next level). Inductive cbv approx : (store × term) → (store × term) → Prop := | cbv app1 : ∀ Σ 1 Σ 2 t t’u ,( Σ 1, t) 7→ (Σ 2, t’) → lc u → (Σ 1, t·u) 7→ (Σ 2, t’·u)

| cbv app2 : ∀ Σ 1 Σ 2 tu u’ , value t → (Σ 1, u) 7→ (Σ 2, u’) → (Σ 1, t·u) 7→ (Σ 2, t·u’)

| cbv var : ∀ Σ xt , x:t ∈ Σ → (Σ, hxi) 7→ (Σ, t)

| cbv assign1 : ∀ Σ 1 Σ 2 xt t’ ,( Σ 1, t) 7→ (Σ 2, t’) → (Σ 1, hxi:=t) 7→ (Σ 2, hxi:=t’)

| cbv assign : ∀ Σ xt , value t → (Σ, hxi:=t) 7→ (Σ /x:t,’ λ ˆ0)

| cbv abs : ∀ Σ xtu , lc ’λ t → value u → x = next Σ → (Σ,(’ λ t)·u) 7→ (Σ /x:u, t!x)

| cbv unmerge1 : ∀ Σ tu , lc t → lc u → (Σ, t ⊗ u) 7→ (Σ, t)

| cbv unmerge2 : ∀ Σ tu , lc t → lc u → (Σ, t ⊗ u) 7→ (Σ, u)

| cbv merge1 : ∀ Σ 1 Σ 2 t t’u ,( Σ 1, t) 7→ (Σ 2, t’) → lc u

Department of Mathematics and Computer Science 127 Master’s Thesis I. Deﬁnitions for Mutable Union and Intersection Types

→ (Σ 1, t ⊗ u) 7→ (Σ 2, t’ ⊗ u)

| cbv merge2 : ∀ Σ 1 Σ 2 tu u’ , lc t → (Σ 1, u) 7→ (Σ 2, u’) → (Σ 1, t ⊗ u) 7→ (Σ 2, t ⊗ u’)

| cbv split : ∀ Σ t, lc t → (Σ, t) 7→ (Σ, t ⊗ t) where "t 7→ u" := (cbv approxut ). Notation "x 7→* y" := (clos reﬂ trans cbv approx yx )(at level 70). Notation subtyping context := (list (type × var × type)). Notation context := (M.t type). Notation empty := (M.empty type). Notation "τ 4 α 4 σ ∈ ∆" := (InA equiv (τ, α, σ) ∆)(at level 70, α at next level, σ at next level). Reserved Notation "∆ ` τ 4 σ"(at level 70, τ at next level). Inductive subtyping (∆ : subtyping context): type → type → Type := | subtyping var1 : ∀ τασ , τ 4 α 4 σ ∈ ∆ → ∆ ` ’α 4 σ

| subtyping var2 : ∀ τασ , τ 4 α 4 σ ∈ ∆ → ∆ ` τ 4 ’α

| subtyping top : ∀ τ, ∆ ` τ 4 >

| subtyping bottom : ∀ τ, ∆ `⊥ 4 τ

| subtyping arrow top : ∆ `> 4 ⊥ ’→>

| subtyping arrow bottom : ∆ `> ’→⊥ 4 ⊥

| subtyping arrow1 : ∀ σ 1 σ 2 τ, ∆ ` σ 2 4 σ 1 → ∆ ` σ 1 ’→ τ 4 σ 2 ’→ τ

| subtyping arrow2 : ∀ σ τ 1 τ 2, ∆ ` τ 1 4 τ 2 → ∆ ` σ ’→ τ 1 4 σ ’→ τ 2

| subtyping reﬂ : ∀ τ, ∆ ` τ 4 τ

| subtyping trans : ∀ τ σ ρ, ∆ ` τ 4 σ → ∆ ` σ 4 ρ → ∆ ` τ 4 ρ

| subtyping inter elim1 : ∀ τ σ, ∆ ` τ ’∧ σ 4 τ

128 Technical University Eindhoven Master’s Thesis

| subtyping inter elim2 : ∀ τ σ, ∆ ` τ ’∧ σ 4 σ

| subtyping union intro1 : ∀ τ σ, ∆ ` τ 4 τ ’∨ σ

| subtyping union intro2 : ∀ τ σ, ∆ ` σ 4 τ ’∨ σ

| subtyping inter intro : ∀ τ σ ρ, ∆ ` ρ 4 τ → ∆ ` ρ 4 σ → ∆ ` ρ 4 τ ’∧ σ

| subtyping union elim : ∀ τ σ ρ, ∆ ` τ 4 ρ → ∆ ` σ 4 ρ → ∆ ` τ ’∨ σ 4 ρ

| subtyping inter arrow dist : ∀ τ 1 τ 2 σ, ∆ ` σ ’→ τ 1 ’∧ σ ’→ τ 2 4 σ ’→ (τ 1 ’∧ τ 2)

| subtyping union arrow dist : ∀ τ 1 τ 2 σ, ∆ ` τ 1 ’→ σ ’∧ τ 2 ’→ σ 4 (τ 1 ’∨ τ 2)’ → σ

| subtyping inter union dist : ∀ τ σ ρ, ∆ ` σ ’∧ (τ ’∨ ρ) 4 (σ ’∧ τ)’ ∨ (σ ’∧ ρ)

| subtyping union inter dist : ∀ τ σ ρ, ∆ ` (σ ’∨ τ)’ ∧ (σ ’∨ ρ) 4 σ ’∨ (τ ’∧ ρ) where "∆ ` τ 4 σ" := (subtyping ∆τσ ). Inductive sub context valid : subtyping context → Prop := | sub empty : sub context valid [] | sub add : ∀ ∆τασ , sub context valid ∆ →¬ Exists (λ trp, snd(fst trp) = α) ∆ → ∆ ` τ 4 σ → sub context valid ((τ, α, σ)::∆). Definition subtyping’ ∆τσ := prod (sub context valid ∆)(∆ ` τ 4 σ). Reserved Notation "l $ Γ , ∆ ` t : τ"(at level 70, Γ at level 200, ∆ at next level, t at next level). Inductive typing (l: Prop) Γ∆ : term → type → Type := | typing var : ∀ t τ, t:τ ∈ Γ → l$Γ ,∆ `h ti : τ

| typing assign : ∀ xt τ, x:τ ∈ Γ → l$Γ ,∆ ` t:τ → l$Γ ,∆ `h xi:=t : >

| typing sub : ∀ t τ σ, l → l$Γ ,∆ ` t:σ → ∆ ` σ 4 τ → l$Γ ,∆ ` t:τ

| typing abs : ∀ Lt σ τ,( ∀ x, x ∈/ L → l$Γ /x:σ,∆ ` t!x : τ) → l$Γ ,∆ ` ’λ t : σ ’→ τ

| typing app : ∀ tu σ τ, l$Γ ,∆ ` t : σ ’→ τ → l$Γ ,∆ ` u : σ

Department of Mathematics and Computer Science 129 Master’s Thesis I. Deﬁnitions for Mutable Union and Intersection Types

→ l$Γ ,∆ ` t·u : τ