Draft for submission to ICFP 2013

Towards dependently typed Haskell: System FC with kind equality (Extended Version)

Stephanie Weirich Justin Hsu Richard A. Eisenberg University of Pennsylvania Philadelphia, PA, USA {sweirich,justhsu,eir}@cis.upenn.edu

Abstract work is that enabling kind equalities introduces complexities sim- System FC, the core language of the Glasgow Haskell Compiler, is ilar to those found in dependently typed languages. However, our an explicitly-typed variant of System F with first-class type equality ultimate goal is to better support dependently typed programming proofs called coercions. This extensible proof system forms the in Haskell, so resolving these issues is an important step in this foundation for type system extensions such as type families (type- process. Specifically, we make the following contributions: level functions) and Generalized Algebraic Datatypes (GADTs). • We describe an explicitly-typed intermediate language with ex- Such features, in conjunction with kind polymorphism and datatype plicit equality proofs at the type and the kind level. The lan- promotion, support expressive compile-time reasoning. guage is no toy: it is a modification of the System FC inter- However, the core language lacks explicit kind equality proofs. mediate language used by GHC today [Sulzmann et al. 2007; As a result, type-level computation does not have access to kind- Vytiniotis et al. 2012; Weirich et al. 2011; Yorgey et al. 2012]. level functions or promoted GADTs, the type-level analogues to We overview the existing design of FC in Section 3 before dis- expression-level features that have been so useful. In this paper, cussing the challenges of our version in Section 4. Note that we eliminate such discrepancies by introducing kind equalities to as FC is the core language for a significant compiler, we cannot System FC. Our approach is based on dependent type systems make sweeping changes. Our modifications must be compatible with heterogeneous equality and the “Type-in-Type” axiom, yet with the existing system. it preserves the metatheoretic properties of FC. In particular, type • checking is simple, decidable and syntax directed. We prove the We extend the type preservation proof of FC to cover the new preservation and progress theorems for the extended language. features (Section 5). The treatment of datatypes requires an im- portant property—that the equational theory is congruent. In other words, we can derive a proof of equality for any form of 1. Introduction type or kind, given equality proofs of subcomponents. The com- Is Haskell a dependently typed programming language? For more putational content of this theorem, called lifting, generalizes the than a decade, clever Haskellers have encoded many programs standard substitution operation. This operation is required in the that were reputed to need dependent types. At the same time, the operational semantics for datatypes. Glasgow Haskell Compiler (GHC), Haskell’s primary implementa- • We prove the progress theorem in the presence of kind coer- tion, has augmented its type system with many features inspired cions and dependent coercion abstraction, requiring significant by dependently typed languages, such as Generalized Algebraic changes to the current proof. We discuss these changes and their Datatypes (GADTs) [Peyton Jones et al. 2006; Schrijvers et al. consequences in Section 6. 2009], type families [Chakravarty et al. 2005], and datatype pro- motion with kind polymorphism [Yorgey et al. 2012]. • We have implemented our extensions in a development branch 1 However, these extensions do not compose well. On one hand, of GHC. Our work is available online. GADTs allow the programmer to exploit type equalities to write Although our designs are inspired by the rich theory of depen- richer terms. On the other, datatype promotion and kind polymor- dent type systems, applying these ideas in the context of Haskell phism have opened the door to much more expressive types. How- means that our language differs in many ways from existing work. ever, GADTs cannot currently be promoted, so the useful type We detail these comparisons in Section 7. equalities available in terms cannot be lifted to useful kind equal- ities available in types. (We consider examples of the features that we want to enable in Section 2.) 2. Why kind equalities? Our goal in this paper is to eliminate such nonuniformities with Kind equalities enable new, useful features in GHC. In this section a single blow, by unifying types and kinds. The challenge of this we review of some of the more recent extensions to the GHC type system (including GADTs, type families, kind polymorphism and datatype promotion) through examples. We also describe new features and examples that require our extensions. Below, code snippets that cannot be written in GHC 7.6 are highlighted in gray. Below, we define “shallowly” and “deeply” indexed represen- tations of types and show how they may be used for Generic Pro-

1 This branch is available from http://www.cis.upenn.edu/~eir/ [Copyright notice will appear here once ’preprint’ option is removed.] packages/nokinds/.

1 2013/3/29 gramming (GP). The former use Haskell’s types as indices [Crary zero :: ∀ (a :: *). TyRep a → a et al. 1998; Yang 1998], whereas the latter use an algebraic datatype zero TyInt = 0 (also known as a universe) [Altenkirch and McBride 2002; Norell zero TyBool = False 2002]. Magalhaes˜ [2012] gives more details describing how exten- zero (TyApp TyMaybe _) = Nothing sions to Haskell, including the ones described in this paper, benefit generic programming. Here, pattern matching with this datatype can also refine kinds Although the examples below are derived from generic pro- as well as types—determining whether a type is of the form Maybe gramming, our extensions are by no means specific to this setting— b makes new kind and type equalities available. we have been able to express dependently typed programs from McBride [2012] and Oury and Swierstra [2008], which we omit isMaybe :: ∀ (a :: k). TyRep a → ... here for lack of space. Our overall goal is to make Agda and Coq isMaybe (TyApp TyMaybe _) = programs more accessible in GHC. -- here we have k ∼ * and ∼ Shallow indexing Consider a GADT for type representations: -- a Maybe b, for some b :: *

data TyRep :: * → * where Deep indexing Kind equalities enable additional features besides TyInt :: TyRep Int kind-indexed GADTs. The previous example used Haskell types TyBool :: TyRep Bool directly to index type representations. With datatype promotion, we GADTs differ from ordinary algebraic datatypes in that they can instead define a datatype (a universe) for type information. allow each data constructor to constrain the type parameters to data Ty = TInt | TBool the datatype. For example, the TyInt constructor requires that the single parameter to TyRep be Int. We can use this datatype to index the representation type. We can use type representations for type-indexed programming. data TyRep :: Ty → * where A simple example is computing a default element for each type. TyInt :: TyRep TInt TyBool :: TyRep TBool zero :: ∀ a. TyRep a → a zero TyInt = 0 -- ‘a’ must be Int Note that the kind of the parameter to this datatype is Ty instead zero TyBool = False -- ‘a’ must be Bool of *—promotion allows the type Ty to be used as a kind and allows its data constructors, TyInt and TyBool to appear in types. This code pattern matches the type representation to determine To use these type representations, we describe their connection what value to return. Because of the nonuniform type index, pattern with Haskell types via a type family (a function at the type level). matching recovers the identity of the type variable a. In the first case, because the data constructor is TyInt, this parameter must type family I (t :: Ty) :: * be Int, so 0 can be returned. Similarly, in the second case, the type instance I TInt = Int parameter a must be equal to Bool. type instance I TBool = Bool However, the GADT above can only be used to represent types I is a function that maps the (promoted) data constructor TInt to ? ? → ? of kind . Representing type constructors with kind , such the Haskell type Int, and similarly TBool to Bool. as Maybe or [], requires a separate data structure, perhaps called We can use these type representations to define type-indexed TyRep1. However, this approach is unsustainable—what about tu- operations, like before. ples? Do we need a TyRep2, TyRep3, and more? Kind polymorphism [Yorgey et al. 2012] allows datatypes to zero :: ∀ (a :: Ty). TyRep a → I a be parameterized by kind variables as well as type variables. For zero TyInt = 0 example, the following type takes two phantom arguments, a kind zero TyBool = False variable κ and a type variable a of kind κ. Pattern matching TyInt refines a to TInt, which then uses the type data Proxy (a :: k) = P family definition to show that the result type is equal to Int. Dependently typed languages do not require an argument like However, kind polymorphism is not enough to unify these TyRep to implement operations such as zero—they can match representations—the type representation (shown below) should directly on the type of kind Ty. This is not allowed in Haskell, constrain its kind parameter. which maintains a separation between types and values. The TyRep argument is an example of a singleton type, a standard way of data TyRep :: ∀ k. k → * where encoding dependently typed operations in Haskell. TyInt :: TyRep Int Note that this representation is no better than the shallow ver- TyBool :: TyRep Bool sion in one respect—I must produce a type of kind ?. What if we TyMaybe :: TyRep Maybe wanted to encode TMaybe with Ty? TyApp :: TyRep a → TyRep b → TyRep (a b) To get around this issue, we use a GADT to represent different kinds of types. We first need a universe of kinds. Above, the TyRep type takes two parameters, a kind k and a type of that kind (not named in the kind annotation). The data data Kind = Star | Arr Kind Kind constructors constrain k to a concrete kind. For the example to Kind is a normal datatype that, when promoted, can be used to be well-formed, TyInt must constrain the kind parameter to ?. index the Ty datatype, making it a (standard) GADT. Similarly, TyMaybe requires the kind parameter to be ? → ?. We call this example a kind-indexed GADT because the datatype data Ty :: Kind → * where is indexed by both kind and type information. TInt :: Ty Star This extension is compatible with our prior uses of TyRep. For TBool :: Ty Star example, to extend zero with a default value of the Maybe type: TMaybe :: Ty (Arr Star Star) TApp :: Ty (Arr k1 k2) → Ty k1 → Ty k2

2 2013/3/29 This indexing means that Ty can only represent well-kinded if γ is a proof of τ1 ∼ τ2, and the expression e has type τ1, then types. For example TMaybe has type Ty (Arr Star Star) and the expression e . γ (pronounced “e casted by γ”) has type τ2. TApp TMaybe TBool has type Ty Star, while the value TApp Making type conversion explicit ensures that the FC typing re- 2 TInt would be rejected. lation Γ `tm e : τ is syntax-directed. Straightforward type Although this GADT can be expressed in GHC, the correspond- checking is an important sanity check on the internals of GHC— ing TyRep type requires two new extensions: promoted GADTs and transformations and optimizations must preserve typability. There- kind-families. fore, all information necessary for type checking is present in FC With the current design of FC, only a subset of Haskell 98 expressions. This information includes explicit type abstractions datatypes can be promoted. In particular, GADTs cannot be used and applications (System FC is an extension of System Fω [Girard to index other GADTs. The extensions proposed in this work allow 1972]) as well as explicit proofs of type equality. the GADT Ty above to be used as an index to TyRep or to be For example, type family definitions are compiled to axioms interpreted by the type family I, as shown below. about type equality that can be used in FC coercion proofs. A type family declaration and instance in source Haskell data TyRep (k :: Kind) (t :: Ty k) where TyInt :: TyRep Star TInt type family F a :: * TyBool :: TyRep Star TBool type instance F Int = Bool TyMaybe :: TyRep (Arr Star Star) TMaybe generates the following FC axiom declaration: TyApp :: TyRep (Arr k1 k2) a → TyRep k1 b → TyRep k2 (TApp a b) axF : F Int ∼ Bool

We now need to adapt the type family I to work with the new When given a source language function of type promoted GADT Ty. To do so, we must classify its return kind, g :: ∀ a. a → F a → Char and for that, we need a kind family. A kind family is a function that produces a kind. For example, we can use a kind family to interpret the expression g 3 True translates to the FC expression elements of the Kind datatype as a Haskell kind. g Int 3 (True . sym axF) kind family IK (k :: Kind) that instantiates g at type Int and coerces True to have type F Int. kind instance IK Star = * The coercion sym axF is a proof that Bool ∼ F Int. kind instance IK (Arr k1 k2) = IK k1 → IK k2 Likewise, GADTs are compiled into FC so that pattern match- ing on their data constructors introduces equality assumptions into This interpretation of kinds is necessary to define the interpre- the context. For example, consider the following simple GADT. tation of types—without it, this definition does not “kind-check”: data T :: * → * where type family I (t :: Ty k) :: IK k TInt :: T Int type instance I TInt = Int type instance I TBool = Bool This declaration could have also been written as a normal datatype type instance I TMaybe = Maybe where the type parameter is constrained to be equal to Int. type instance I (TApp a b) = (I a) (I b) data T a = (a ∼ Int) ⇒ TInt However, once I has been defined, Ty and TyRep can be used In fact, all GADTs can be rewritten in this form using equality in type-indexed operations as in previous versions. constraints. Pattern matching makes this constraint available to the type checker. For example, the type checker concludes below that zero :: ∀ (a :: Ty Star). TyRep Star a → I a 3 has type a because the type Int is known to be equal to a. zero TyInt = 0 zero TyBool = False f :: T a → a zero (TyApp TyMaybe _) = Nothing f Tint = 3 In the translation to FC, the TInt data constructor takes this equality constraint as an explicit argument. 3. System FC TInt : ∀ a: ?. (a ∼ Int) ⇒ T a System FC is the typed intermediate language of GHC. GHC’s ad- When pattern matching on values of type T a, this proof is avail- vanced features, such as GADTs and type families, are compiled able for use in a cast. into FC using type equalities. This section reviews the current sta- tus of System FC, describes that compilation, and puts our work in f = Λa: ? .λx: T a. case x of context. FC has evolved over time, from its initial definition [Sulz- TInt (c: a ∼ Int) → (3 . sym c) mann et al. 2007], to several extensions FC2 [Weirich et al. 2011], ↑ Coercion assumptions and axioms can be composed to form and FC [Yorgey et al. 2012]. In this paper, we use the name FC larger proofs. FC includes a number of forms in the coercion lan- for the language and all of its variants. In the technical discussion guage γ that witness the reflexivity, symmetry and transitivity of below, we contrast our new extensions with the most recent prior type equality. Furthermore, equality is a congruent relation over ↑ 0 0 version, FC . types. For example, if we have proofs of τ1 ∼ τ2 and τ1 ∼ τ2, 0 0 Along with the usual kinds (κ), types (τ) and expressions (e), then we can form a proof of the equality τ1 τ1 ∼ τ2 τ2. Finally, FC contains coercions (γ) that are proofs of type equality. The composite coercion proofs can be decomposed. For example, data judgement 2 This is not the case in the source language; type checking requires non- Γ `co γ : τ1 ∼ τ2 local reasoning, such as unification and type class resolution. Furthermore, checks that the coercion γ proves types τ1 and τ2 equal. These in the presence of certain flags (such as UndecidableInstances), it may proofs appear in expressions and coerce their types. For example, not terminate.

3 2013/3/29 constructors T are injective, so given a proof of T τ ∼ T τ , a 1 2 H ::= Type constants proof of τ ∼ τ can be produced. 1 2 | (→) Arrow However, explicit coercion proofs are like explicit type argu- | ? Type/Kind ments. They are erasable from expressions and do not interfere | T Type constructor with the operational semantics. (We make this precise in Sec- | K Promoted data constructor tion 5.2.) Therefore, FC includes a number of “push rules” that ensure that coercions do not suspend computation. For example, when a coerced value is applied to an argument, the coercion must w ::= Type-level names be “pushed” to the argument and result of the application so that | a Type variables β-reduction can occur. | F Type functions | H Type constants Γ `co γ : σ1 → σ2 ∼ τ1 → τ2 S PUSH (v . γ) e −→ (v (e . sym (nth1 γ))) . nth2 γ σ, τ, κ::= Types and Kinds In this rule, γ must be a proof of the equality σ1 → σ2 ∼ τ1 → τ2. | w Names 1 2 The coercions sym (nth γ) and nth γ decompose this proof | ∀ a: κ. τ Polymorphic types into proofs of τ1 ∼ σ1 and σ2 ∼ τ2 respectively. | ∀ c: φ. τ Coercion abstr. type | τ1 τ2 Type/kind application 4. System FC with kind equalities | τ . γ Casting | τ γ Coercion application The basic idea of this paper is to augment FC with proofs of equality between kinds and to use those proofs to explicitly coerce the kinds of types. We do so via new form of type, written τ . γ, φ ::= σ ∼ τ Propositions (coercion kinds) that, when given a type τ, of kind κ1, and a proof γ that kind κ1 equals kind κ2, produces a type of kind κ2. γ, η ::= Coercions However, there are several novel challenges to this extension: | c Variables • Language duplication. A language with kind polymorphism, | C ρ Axiom application kind equalities, kind coercions, type polymorphism, type equal- | hτi Reflexivity ities and type coercions quickly becomes redundant (and some- | sym γ Symmetry what overwhelming). | γ1 γ2 Transitivity | ∀η(#a1, a2, c).γ Type/kind abstr. cong. Therefore, we follow pure type systems [Barendregt 1992] and | ∀(η ,η )(c1, c2).γ Coercion abstr. cong. unify the syntax of types and kinds, allowing us to reuse type 1 2 | γ1 γ2 Type/kind app. cong. coercions as kind coercions. Furthermore, GHC already uses a 0 | γ(γ2, γ2) Coercion app. cong. shared datatype for types and kinds, so this merger brings the | γ . γ0 Coherence formalism more in line with the actual implementation. Yet, we | γ@γ0 Type/kind instantiation continue to use both of the words type and kind informally. We | γ@(γ1, γ2) Coercion instantiation use the word type (metavariables τ and σ) for those members | nthi γ nth argument projection that classify runtime expressions, and kind (metavariable κ) for | kind γ Kind equality extraction those members that classify expressions of the type language. The new syntax appears in Figure 1; forms that are new or mod- ρ τ | γ ified in this paper are highlighted. These modifications are pri- ::= Type or coercion marily in the type and coercion languages. Note that ? is a new type constant and κ is a metavariable for types. The only dif- e, u ::= Expressions ference in the grammar for expressions is that type abstractions | x Variables and kind abstractions have been merged. In general, the type | λx: τ. e Abstraction system and operational semantics for the expression language | e1 e2 Application is the same here as in prior versions of FC. | Λa: κ. e Type/kind abstraction • Interaction with type equality. Since kinds classify types, kind | e τ Type/kind application equality has nontrivial interactions with type equality. | λc: φ. e Coercion abstraction | e γ Coercion application Because kind coercion is explicit, there are equivalent types | e . γ Casting that do not have syntactically identical kinds. Therefore, like | K Data constructors McBride’s “John Major” equality [2002], our definition of type | case e of p → u Case analysis equality τ1 ∼ τ2 is heterogeneous—the types τ1 and τ2 could | contra γ τ Absurdity have kinds κ1 and κ2 that have no relation to each other. A proof γ of this proposition implies not only that τ1 and τ2 are equal, but also that their kinds are equal. The new coercion form p ::= K ∆ x:τ Patterns kind γ extracts the proof of κ1 ∼ κ2 from γ. Another difficulty comes from the need to equate polymorphic ∆ ::= Telescopes types that have coercible but not syntactically equal kinds for | ∅ Empty the bound variable. We discuss the modification to this coercion | ∆, a: κ Type variable binding form in Section 4.3.2. | ∆, c: φ Coercion variable binding • New type forms and associated coercions. The examples in Sec- tion 2 motivate new features that require reasoning about kind Figure 1. Basic Grammar equality, but some of these new features require additional ex-

4 2013/3/29 tensions to the type language. Furthermore, each new addition Γ `ty τ : κ to the type language requires new proof rules to create and de- compose equality proofs concerning these new forms. We de- `wf Γ w: κ ∈ Γ scribe these new forms in Section 4.2 and their associated coer- K VAR cions in Section 4.3. Γ `ty w : κ • `wf Γ Semantics of datatypes. The semantics of datatypes in FC is K ARROW already complicated, both in the type checking rules and op- Γ `ty (→): ? → ? → ?

erational semantics. The version in this paper (covered in Sec- Γ `ty τ1 : κ1 → κ2 Γ `ty τ2 : κ1 ∆ K APP tion 4.4) simplifies this semantics by using telescopes , which Γ ` τ τ : κ are nested bindings of type and coercion variables. ty 1 2 2 Γ `ty τ1 : ∀ a: κ1. κ2 Γ `ty τ2 : κ1 However, the modifications to coercions, described above, add K INST complexity to the S KPUSH rule of the operational seman- Γ `ty τ1 τ2 : κ2[τ2/a] tics. In particular, this rule relies on a “lifting” operation that Γ, a: κ `ty τ : ? Γ `ty κ : ? 0 K ALLT uses a sequence of coercions that show τ1 ∼ τ1 . . . τn ∼ 0 Γ `ty ∀ a: κ. τ : ? τn to produce a coercion that shows σ[τ1/a1] ... [τn /an ] ∼ 0 0 `wf Γ σ[τ1/a1] ... [τn /an ]. Because of the interactions between kind K STARINSTAR and type equalities in this sequence, this lifting operation must Γ `ty ? : ?

be redefined. Γ `ty τ1 : ∀ c: φ. κ Γ `co γ1 : φ K CAPP 4.1 Type system overview Γ `ty τ1 γ1 : κ[γ1/c] In the next few subsections, we discuss our solutions to the chal- Γ, c: φ `ty τ : ? Γ `pr φ ok K ALLC lenges described above in more detail. However, we first give a Γ `ty ∀ c: φ. τ : ? quick overview of the type system to orient the discussion. Γ `ty τ : κ1 Γ `co η : κ1 ∼ κ2 Γ `ty κ2 : ? A context Γ is a list of assumptions for term variables (x), type K CAST variables/datatypes/data constructors (w), coercion variables (c), Γ `ty τ . η : κ2 and coercion axioms (C). Figure 2. Kind and type formation rules Γ ::= ∅ | Γ, x: τ | Γ, w: κ | Γ, c: φ | Γ, C: ∀ ∆. φ The type system includes the following judgements: functions. Previously, the types of data constructors had to be `wf Γ Context validity (Figure 5) explicitly promoted to kinds [Yorgey et al. 2012]. Now, any data Γ `ty τ : κ Type/kind validity (Figure 2) constructor may freely be used as a type. When the constructor is Γ `pr φ ok Proposition validity (Figure 3) used as a type, its kind is the same as the type of the constructor Γ `tm e : τ Expression typing (appendix) when used as a term. Γ `co γ : φ Coercion validity (Figure 4) Rule K ARROW gives the expected kind for the arrow type con- Γ `tel ρ : ∆ Telescope arg. validity (appendix) structor. We use the usual syntactic sugar for arrow types, writing τ1 → τ2 for (→) τ1 τ2. Note that the kind of the arrow type con- In this paper, we not only unify the grammars of types and structor includes itself, but that does not cause difficulty. kinds, but we also unify their semantics. This means that types and The next two rules describe when type application is well- kinds share rules for validity and coercion checking. In fact, our formed. Application is overloaded in these rules, but the system type formation rules include the ?:? axiom which means that there is still syntax-directed—the type of the first component determines is no real distinction between types and kinds. This choice simpli- which rule applies. We do not combine function types σ1 → σ2 fies many aspects of the language and has no cost to FC. Languages and polymorphic types ∀ a: κ. σ into a single form because of type such as Coq and Agda avoid the ?:? axiom because it introduces in- erasure: term arguments are necessary at runtime, whereas type ar- consistency, but that is irrelevant here as the FC type language is al- guments may be erased. In kinds, the difference between nondepen- ready inconsistent (all kinds are inhabited). Inconsistency is not an dent and dependent arguments is not meaningful. However, when issue because the type safety property of FC depends on the consis- data constructors are promoted to the type level, their types retain tency of its coercion language, not its type language. See Section 6 this distinction. and Section 7 for more discussion of this design decision. Next, the rule K ALLT describes when polymorphic types are Each of the judgements above is syntax directed. Given the in- well formed. This rule is almost the same as before, except that it formation before the colon (if present) there is a simple algorithm checks the validity of κ, the kind of the bound variable. that determines if the judgement holds (and produces the appropri- The rules K STARINSTAR,K CAST and K CAPP and K ALLC ate kind, type or proposition). For reasons of space, some of these check the new type forms. The first says that ? has type ? as dis- judgements have been deferred to the appendix. cussed above. To preserve the syntax-directed nature of FC, we must make the 4.2 Type and kind formation use of kind equality proofs explicit. We do so via new form τ . γ of We next describe our extensions and modifications to the type kind casts: when given a type τ of kind κ1 and a proof γ that kind language of FC. The rules for type formation appear in Figure 2. κ1 equals kind κ2, the cast produces a type of kind κ2. Because Some of these rules are unchanged or only slightly modified from equality is heterogeneous, the K CAST rule requires a third premise prior versions of FC. which ensures that the new kind has the correct classification. This For example, rule K VAR looks up the kind of a type-level premise ensures that inhabited types have kind ?. name from the typing context. Unlike previous systems, this rule To promote GADTs we must be able to promote data construc- now covers the kinding of promoted constructors, since w ranges tors that take coercions as arguments. For example, the data con- over them. Recall that datatype promotion allows data constructors, structor TInt must be applied to a type argument τ and a proof that such as TInt, to appear in types and be the arguments of type τ ∼ Int. Promoting this data constructor requires the new appli-

5 2013/3/29 Γ `pr φ ok Γ `co γ : φ

Γ `ty σ1 : κ1 Γ `ty τ : κ Γ `ty σ2 : κ2 CT REFL PROP EQUALITY Γ `co hτi : τ ∼ τ Γ `pr σ1 ∼ σ2 ok Γ `co γ : τ1 ∼ τ2 CT SYM Figure 3. Proposition formation rule Γ `co sym γ : τ2 ∼ τ1

Γ `co γ1 : τ1 ∼ τ2 Γ `co γ2 : τ2 ∼ τ3 CT TRANS cation form τ γ. Note that there is no type-level abstraction over Γ `co γ1 γ2 : τ1 ∼ τ3 coercion. The form τ γ can only appear when the head of τ is a 0 # 0 Γ `co γ1 : τ1 ∼ τ2 Γ `co γ2 : τ1 ∼ τ2 promoted datatype constructor. Γ ` τ 0 τ : κ Γ ` τ 0 τ : κ As in prior versions of FC, coercions can be passed as argu- ty 1 1 1 ty 2 2 2 0 0 CT APP ments (using coercion abstractions λc: φ. e) and stored in data Γ `co γ1 γ2 : τ1 τ1 ∼ τ2 τ2 structures (as the arguments to data constructors of GADTs). This 0 Γ `co γ1 : τ1 ∼ τ1 system deviates from earlier versions in that the types for these ob- 0 0 0 Γ `ty τ1 γ2 : κ Γ `ty τ1 γ2 : κ jects, written ∀ c: φ. τ, bind the abstracted proof with the coercion 0 0 0 CT CAPP variable c and allow the body of the type τ to depend on this proof. Γ `co γ1(γ2, γ2): τ1 γ2 ∼ τ1 γ2

This is necessary for some kind-indexed GADTs. For example, Γ `co η : κ1 ∼ κ2 consider the following datatype, which is polymorphic over a kind Γ, a1: κ1, a2: κ2, c: a1 ∼ a2 `co γ : τ1 ∼ τ2 K and type parameter. The single data constructor constrains the Γ `ty ∀ a1: κ1. τ1 : ? Γ `ty ∀ a2: κ2. τ2 : ? kind to be ? but does not otherwise constrain the type. CT ALLT Γ `co ∀η(a1, a2, c).γ :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2) data T :: ∀ k. k → * where 0 Γ `co η1 : σ1 ∼ σ1 φ1 = σ1 ∼ σ2 K :: all (b :: *). b → T b 0 0 0 Γ `co η2 : σ2 ∼ σ2 φ2 = σ1 ∼ σ2 After translation, the data constructor should be given the following c1 # |γ| c2 # |γ| FC type, where the abstracted kind coercion c is needed to cast the Γ, c1: φ1, c2: φ2 `co γ : τ1 ∼ τ2 kind of the parameter a. Γ `ty ∀ c1: φ1. τ1 : ? Γ `ty ∀ c2: φ2. τ2 : ? CT ALLC Γ ` ∀ (c , c ).γ :(∀ c : φ . τ ) ∼ (∀ c : φ . τ ) K : ∀a :?, b: a.∀ c:(a ∼ ?). (b . c) → T b co (η1,η2) 1 2 1 1 1 2 2 2 0 Γ `co γ : τ1 ∼ τ2 Γ `ty τ1 . γ : κ 4.3 Coercions CT COH Γ ` γ . γ0 : τ . γ0 ∼ τ Coercions γ are proof terms witnessing the equality between types co 1 2 (and kinds), and are classified by propositions φ. The rules under c: φ ∈ Γ `wf Γ CT VAR which the proofs can be derived appear in Figure 4, with the validity Γ `co c : φ rule for φ appearing in Figure 3. These rules establish properties of the type equality relation. C: ∀ ∆. (τ1 ∼ τ2) ∈ ΓΓ `tel ρ : ∆ CT AXIOM Γ ` C ρ : τ [ρ/∆] ∼ τ [ρ/∆] • Equality is an equivalence relation, as seen in rules CT REFL, co 1 2 0 CT SYM, and CT TRANS. Γ `co γ : H ρ ∼ H ρ 0 0 • Equality is congruent—types with equal subcomponents are ρi = τ ρi = τ CT NTH i 0 equal. Every type formation rule (except for the base cases like Γ `co nth γ : τ ∼ τ variables and constants) has an associated congruence rule. The exception is kind coercion τ . γ, where the congruence rule is Γ `co γ1 :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2) 1 CT NTH1TA derivable (see Section 4.3.1). The congruence rules are mostly Γ `co nth γ1 : κ1 ∼ κ2 straightforward; we discuss the rules for quantified types (rules CT ALLT and CT ALLC) in Section 4.3.2. Γ `co γ1 :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2) Γ `co γ2 : σ1 ∼ σ2 • Equality can be assumed. Coercion variables and axioms add Γ `ty σ1 : κ1 Γ `ty σ2 : κ2 assumptions about equality to the context and appear in proofs CT INST Γ `co γ1@γ2 : τ1[σ1/a1] ∼ τ2[σ2/a2] (using rules CT VAR and CT AXIOM respectively). These ax- 0 0 0 0 ioms for type equality are allowed to be axiom schemes—they Γ `co γ :(∀ c: κ1 ∼ κ2. τ) ∼ (∀ c : κ1 ∼ κ2. τ ) TH may be parameterized and must be instantiated when used. 1 0 CT N 1CA Γ `co nth γ : κ1 ∼ κ1 The general form of the type of an axiom, C: ∀ ∆. φ gathers 0 0 0 0 multiple parameters in a telescope, a context denoted with ∆ Γ `co γ :(∀ c: κ1 ∼ κ2. τ) ∼ (∀ c : κ1 ∼ κ2. τ ) CT NTH2CA of type and coercion variables, each of which scope over the 2 0 Γ `co nth γ : κ2 ∼ κ2 remainder of the telescope as well as the body of the axiom. We specify the list of instantiations for a telescope with ρ, a mixed Γ `co γ :(∀ c1: φ1. τ1) ∼ (∀ c2: φ2. τ2) list of types and coercions. When type checking an axiom Γ `co γ1 : φ1 Γ `co γ2 : φ2 CT INSTC application, we must type check its list of arguments ρ against Γ `co γ@(γ1, γ2): τ1[γ1/c1] ∼ τ2[γ2/c2] the given telescope. The judgement form Γ `tel ρ : ∆ (presented Γ `co γ : τ1 ∼ τ2 Γ `ty τ1 : κ1 Γ `ty τ2 : κ2 in the appendix) checks each argument ρ in turn against the CT EXT binding in the telescope, scoping variables appropriately. Γ `co kind γ : κ1 ∼ κ2 • Equality can be decomposed using the next six rules. For exam- ple, because we know that datatypes are injective type func- Figure 4. Coercion formation rules

6 2013/3/29 tions, we can decompose a proof of the equivalence of two `wf Γ datatypes into equivalence proofs for any pair of type param- eters (CT NTH). Furthermore, the equivalence of two poly- Γ `ty ∀ a: κ. ? : ? T #Γ morphic types means that the kinds of the bound variables GWF TYDATA are equivalent (CT NTH1TA), and that all instantiations of the `wf Γ, T: ∀ a: κ. ? bound variables are equivalent (CT INST). The same is true for Γ `ty ∀ a: κ. ∀ ∆. (σ → T a): ? K #Γ coercion abstraction types (rules CT NTH1CA, CT NTH2CA, GWF CON and CT INSTC). `wf Γ, K: ∀ a: κ. ∀ ∆. (σ → T a) • Equality is heterogeneous. If γ is a proof of the equality τ ∼ 1 Γ, ∆ `pr φ ok C #Γ τ2, then kind γ extracts a proof of equality between the kinds GWF AX `wf Γ, C: ∀ ∆. φ of τ1 and τ2.

4.3.1 Coercion irrelevance and coherence Figure 5. Context formation rules (excerpted) Although the type system includes a judgement for type equality, and types may include explicit coercion proofs, the system does not include a judgement that states when two coercions are equal. to the context as well as an assertion c that a1 and a2 are equal. The reason is that this relation is trivial. All coercions between The polytypes themselves can only refer to their own variables, as equivalent proofs can be considered equivalent, so coercion proofs verified by the last two premises of the rule. are irrelevant to type equality. As a result, FC is open to extension The other type form that includes binding is the coercion ab- by new, consistent coercion axioms. stractions, ∀ c: φ. τ. The rule CT ALLC constructs a proof that This “proof irrelevance” is reflected in several of the coer- two such types of this form are equal. We can only construct cion rules. Consider the congruence rule for coercion application, such proofs when the abstracted propositions relate correspond- 0 ingly equal types, as witnessed by proofs η and η . The proof CT CAPP: there are no restrictions on γ and γ other than well- 1 2 2 2 term introduces two coercion variables into the context, similar to formedness. Another example is rule CT INSTC—no relation is the two type variables above. Due to proof irrelevance, there is no required between the coercions γ1 and γ2. Not only is the identity of coercion proofs irrelevant, but it is need for a proof of equality between coercions themselves. Note always possible to equate a type with a casted version of itself. that the kind of c1 is not that of η1: the kind of c1 is built from types in both η and η . The coherence rule, CT COH, essentially says that the use of kind 1 2 coercions can be ignored when proving type equalities. Although The rule CT ALLC also restricts how the variables c1 and c2 this rule seems limited, it is sufficient to derive the elimination and can be used in γ. The premises c1 # |γ| and c2 # |γ| prevent these congruence rules for coerced types, as seen below. variables from appearing in the relevant parts of γ. The reason for this restriction comes from our proof technique for the consistency Γ `co γ : τ1 ∼ τ2 Γ `ty τ1 . η1 : κ1 Γ `ty τ2 . η2 : κ2 of this proof system. We define the erasure operation |·| and discuss Γ `co (sym ((sym γ) . η2)) . η1 : τ1 . η1 ∼ τ2 . η2 this issue in more detail in Section 6. η η (Note that there is no relation required between 1 and 2.) We will 4.4 Datatypes use the syntactic sugar γ . η1 ∼ η2 for this coercion. Likewise, coherence derives a proof term for decomposing Because the focus of this paper is on the treatment of equality in equalities between coerced types. the type language, we omit most of the discussion of the expres- sion language and its operational semantics. However, because we Γ ` γ : τ . γ ∼ τ . γ co 1 1 2 2 have collapsed types and kinds, we must revise the treatment of Γ `co sym (hτ1i . γ1) γ hτ2i . γ2 : τ1 ∼ τ2 datatypes, whose constructors can contain types and kinds as ar- # # guments. Previously, the arguments to datatype constructors could 4.3.2 Congruence rules for quantified types be ordered with all kind arguments occurring before all type argu- In prior versions of FC, the coercion ∀a: κ.γ proved the equality ments [Yorgey et al. 2012]. In this language, we cannot divide up proposition ∀ a: κ. τ1 ∼ ∀ a: κ. τ2, using the following rule: the arguments in this way. Therefore, we again use the technique of telescopes to describe arbitrary dependency between arguments. Γ `ty κ : ? Γ, a: κ `co γ : τ1 ∼ τ2 CT ALLTX The validity rules for contexts (see Figure 5) restrict datatype Γ `co ∀ a: κ. γ :(∀ a: κ. τ1) ∼ (∀ a: κ. τ2) constants T to have a kind ∀ a: κ. ?. We call the variables a the This rule sufficed because the only quantified types that could be parameters of the datatype. For example, the kind of the datatype shown equal had the same syntactic kinds κ for the bound variable. List is ∀ a: ?.? and the kind of the datatype TyRep (from Section 2) However, we now have a nontrivial equality between kinds. We is ∀ k: ?, t: k. ?. Furthermore, datatypes can only be parameterized need to be able to show a more general proposition, ∀ a: κ1. τ1 ∼ by types and kinds; no coercion parameters are allowed. ∀ a: κ2. τ2, even when κ1 is not syntactically equal to κ2. Likewise, the same validity rules force data constructors K to Without this generality, the language does not satisfy the have types/kinds of the form preservation theorem, which requires that the equality relation be ∀ a: κ. ∀ ∆. (σ → T a). substitutive—given a valid type σ where a appears free, and a proof Γ `co γ : τ1 ∼ τ2, we must be able to derive a proof between Each data constructor K must produce an element of T applied to σ[τ1/a] and σ[τ2/a]. For this property to hold, if a occurs in the all of its parameters a: κ. Above, form ∀ ∆. τ is syntactic sugar for kind of a quantified type (or coercion) variable ∀ b: a. τ, then we a list of nested quantified types. The scope of the bound variables must be able to derive ∀ b: τ1. τ ∼ ∀ b: τ2. τ. includes both the remainder of the telescope ∆ and the form within Rule CT ALLT shows when two polytypes are equal. The first the quantification (in this case, σ → T a). premise requires a proof η that the kinds of the bound variables The telescope ∆ describes the existential arguments to the data are equal. But, these two kinds might not be syntactically equal, so constructor. These arguments may be either coercions or types, and we must have two type variables, a1 and a2, one of each kind. The because of the dependency, must be allowed to freely intermix. second premise of the rule adds both bindings a1: κ1 and a2: κ2 For example, the data constructor TyInt from Section 2 (a data

7 2013/3/29 K: ∀ a: κ. ∀ ∆. σ → (T a) ∈ Γ Γ `lc ∆ ! Ψ Lifting context validity Ψ = extend(context(γ); ρ; ∆) 0 τ = Ψ2(a) `wf Γ 0 LC EMPTY ρ = Ψ2(dom ∆) Γ `lc ∅ ! ∅ for each ei ∈ e, 0 Γ `lc ∆ Ψ a #Γ, ∆ ei = ei . Ψ(σi ) ! S KPUSH Γ `ty σ1 :Ψ1(κ)Γ `ty σ2 :Ψ2(κ) case ((K τ ρ e) . γ) of p → u −→ Γ `co γ : σ1 ∼ σ2 case (K τ 0 ρ0 e0) of p → u LC TY Γ `lc (∆, a: κ) ! (Ψ, a: κ 7→ (σ1, σ2, γ))

Figure 6. The S KPUSH rule Γ `lc ∆ ! Ψ c #Γ, ∆ Γ `co η1 :Ψ1(φ)Γ `co η2 :Ψ2(φ) LC CO Γ ` (∆, c: φ) (Ψ, c: φ 7→ (η , η )) constructor belonging to TyRep : ∀ k: ?, t: k. ?) includes two lc ! 1 2 coercions in its telescope, one asserting that the kind parameter k a1 #Γ, ∆ a2 #Γ, ∆ c #Γ, ∆ is ?, the second asserting that the type parameter t is Int: Γ `lc ∆ ! Ψ • LC TYFRESH TyInt : ∀ k: ?. ∀ t: k. ∀ c1: k ∼ ?. ∀ c2: t ∼ Int. TyRep κ τ Γ `lc (∆, a: κ) ! (Ψ, a: κ 7→ (a1, a2, c)) 0 Alternatively, the data constructor TyApp existentially binds k , a, Γ `lc ∆ ! Ψ c1 #Γ, ∆ c2 #Γ, ∆ b, and c—one kind and two type variables followed by a coercion. • LC COFRESH Γ `lc (∆, c: φ) ! (Ψ, c: φ 7→ (c1, c2)) TyApp : ∀k: ?, t: k.∀k0: ?, a: k0 → k, b: k0, c: t ∼ a b. 0 0 TyRep (k → k) a → TyRep k b → TyRep k t Figure 7. Lifting context validity A datatype value is of the form K τ ρ e, where the τ denote the parameters (which cannot include coercions), the ρ instantiate the existential arguments, and e is the list of usual expression arguments to the data constructor. uncoerced parameters to the data constructor (Int in our example). The forms τ2 and η2 refer to the new, coerced parameters to the 0 5. The “push” rules and the preservation theorem data constructor (like τ in our example). Finally, the coercion γ witnesses the equality of τ1 and τ2. No witness is needed for the The most intricate part of the operational semantics of FC are the equality between η1 and η2—equality on proofs is trivial. “push” rules, which ensure that coercions do not interfere with the The lifting operation is defined by structural recursion on its small step semantics. Coercions are “pushed” into the subcompo- type argument. This operation is complicated by the two type forms nents of values whenever a coerced value appears in an elimination that bind fresh variables: ∀ a: κ. τ and ∀ c: φ. τ. Lifting over these context. System FC has four push rules, one for each such context: types introduces new mappings in the lifting context, marked with term application, type application, coercion application, and pat- 7→• to indicate that they create new bindings. tern matching on a datatype. The first three are straightforward and are detailed in previous work [Yorgey et al. 2012]. In this section, Ψ ::= ∅ | Ψ, a: κ 7→ (τ1, τ2, γ) | Ψ, c: φ 7→ (γ1, γ2) we shall focus on pattern matching and the S KPUSH rule. • • | Ψ, a: κ 7→ (a1, a2, c) | Ψ, c: φ 7→ (c1, c2) 5.1 Pushing coercions through constructors (We use the notation 7→? to refer to a mapping created either with When pattern matching on a coerced datatype value of the form • 7→ or with 7→.) A lifting context Ψ induces two multisubstitutions K τ ρ e . γ, the coercion must be distributed over all of the argu- Ψ (·) and Ψ (·), as follows: ments of the data constructor, producing a new scrutinee K τ 0 ρ0 e0 1 2 as shown in Figure 6. In the rest of this section, we explain the rule Definition 5.1 (Lifting context substitution). Ψ1(·) and Ψ2(·) are by describing the formation of the lifting context Ψ and its use in multisubstitutions, applicable to types, coercions, telescopes, typ- 0 0 0 the definition of τ , ρ and e . ing contexts, and even other lifting contexts. The S KPUSH rule uses a lifting operation Ψ(·) on expressions which coerces the type of its argument (es in Figure 6). For exam- ? 1. For each a: κ 7→ (τ , τ , γ) in Ψ, Ψ (·) maps a to τ and Ψ (·) ple, suppose we have a data constructor K of type ∀ a: ?. F a → 1 2 1 1 2 maps a to τ . T a for some type function F and some type constructor T . Con- 2 ? sider what happens when an expression K Int e . γ where γ is a 2. For each c: φ 7→ (γ1, γ2) in Ψ, Ψ1(·) maps c to γ1 and Ψ2(·) 0 coercion of type T Int ∼ T τ is a scrutinee of a case expression. maps c to γ2. The push rule should convert this expression to K τ 0 (e . γ0) for some new coercion γ0 showing F Int ∼ F τ 0. To produce this γ0, Now, we can now state the judgement form Γ `lc ∆ ! Ψ, we need to lift the type F a into a coercion with respect to the co- shown in Figure 7, which defines when a lifting context is valid ercion nth1 γ, which shows Int ∼ τ 0. and compatible with a given telescope. In previous work, lifting was written σ[a 7→ γ], defined by anal- The two substitution operations satisfy straightforward substi- ogy with substitution. Because of the similar syntax of types and tution lemmas, defined and proved in the appendix. The usual sub- coercion proofs, we could think of lifting as replacing a type vari- stitution lemmas, which substitute a single type or coercion, are a able with a coercion to produce a new coercion. That intuition holds corollary of these lemmas. true here, but we require more machinery to describe precisely. We can now state the lifting algorithm: Lifting contexts We define lifting with respect to a lifting context Definition 5.2 (Lifting). We define the lifting of types to coercions, Ψ, which maps type variables to triples (τ1, τ2, γ) and coercion written Ψ(τ), by induction on the type structure. The following variables to pairs (η1, η2). The forms τ1 and η1 refer to the original, equations, to be tried in order, define the operation. (Note that the

8 2013/3/29 last line uses the syntactic sugar introduced in Section 4.3.1.) 5.2 Correctness of push rules: The type erasure theorem Ψ(a) = γ when In the appendix, we prove that the push rules in the operational a: κ 7→ (τ1, τ2, γ) ∈ Ψ semantics satisfy type preservation. But, do they do “the right Ψ(a) = c when thing”—that is, do these rules reduce to no-ops if we erase types • and coercions? More generally, we would like to know that types a: κ 7→ (a1, a2, c) ∈ Ψ Ψ(τ) = hτi when and coercions do not change the semantics of an expression—we dom (Ψ) # fv (τ) want to prove that type erasure works as expected. To state this formally, we define an erasure operation | · | over Ψ(τ1 τ2) = Ψ(τ1) Ψ(τ2) expressions. This operation erases types, coercions, and equality Ψ(τ γ) = Ψ(τ)(Ψ1(γ), Ψ2(γ)) 0 propositions to trivial forms •ty, •co and •prop and removes all casts. Ψ(∀ a: κ. τ) = ∀Ψ(κ)(a1, a2, c).Ψ (τ) • The full definition of this operation appears in the appendix, and we where Ψ0 = Ψ, a: κ 7→ (a , a , c) 1 2 present only the interesting cases here: and a1, a2, c are fresh 0 Ψ(∀ c: σ1 ∼ σ2. τ) = ∀(Ψ(σ1),Ψ(σ2))(c1, c2).Ψ (τ) |e τ| = |e| •ty |e γ| = |e| •co |e . γ| = |e| 0 • where Ψ = Ψ, c: σ1 ∼ σ2 7→ (c1, c2) We can then prove that erasing types, coercions and casts does not and c1, c2 are fresh change how expressions evaluate e. Ψ(τ . γ) = Ψ(τ) . Ψ1(γ) ∼ Ψ2(γ) Theorem 5.7 (Type erasure). If e −→ e0, then either |e| = |e0| or The lifting lemma establishes the correctness of the lifting op- |e| −→ |e0|. eration and shows that equality is congruent. Lemma 5.3 (Lifting). If Ψ is a valid lifting context with respect to 5.3 Type preservation the context Γ and the telescope ∆, and Γ, ∆ `ty τ : κ, then Now that we have explained the most novel part of the operational semantics, we can state and prove the usual preservation theorem. Γ `co Ψ(τ):Ψ1(τ) ∼ Ψ2(τ) 0 Theorem 5.8 (Preservation). If Γ `tm e : τ and e −→ e then 0 Lifting context creation In the S KPUSH rule, the actual context Γ `tm e : τ. Ψ used for lifting is built in two stages. First, context(γ) defines a lifting context with coercions for the parameters to the datatype. The proof of this theorem is by induction on the typing deriva- tion, with a case analysis on the small-step. Most of the rules Definition 5.4 (Lifting context generation). If Γ `co γ : T σ ∼ are straightforward, following directly by induction or by substi- T σ0 , and T: ∀ a: κ. ? ∈ Γ, where the lists σ, σ0, and a: κ are all tution. The “push” rules require reasoning about coercion propaga- of length n, then define context(γ) as tion. We include the details of the rules that differ from previous i∈1..n work [Weirich et al. 2010] in the appendix. 0 i context(γ) = ai: κi 7→ (σi , σi , nth γ)

Intuitively, (context(γ))1(τ) replaces all parameters a in τ 6. Consistency and the progress theorem with the corresponding type on the left of ∼ in the type of γ. The progress theorem holds only for closed, consistent contexts. Similarly, (context(γ))2(τ) replaces with the corresponding type A context is closed if it does not contain any expression variable on the right of ∼. bindings—as usual, open expressions could be stuck. We use the The lifting context that results from this coercion is compatible metavariable Σ to denote closed contexts. with the parameters of the datatype. More precisely: The definition of consistent contexts is stated using the notions

Lemma 5.5 (Lifting context specification). If Γ `co γ : T σ ∼ of uncoerced values and their types, value types. Formally, we define values v and value types ξ, with the following grammars: T τ , and T: ∀ a: κ. ? ∈ Γ then Γ `lc a: κ ! context(γ). v ::= λx: σ. e | Λa: κ. e | λc: φ. e | K τ ρ e Proof. Straightforward induction. ξ ::= σ1 → σ2 | ∀ a: κ. σ | ∀ c: φ. σ | T σ The canonical forms lemma tells us that the shape of a value is Next, this initial lifting context is extended with coercions us- determined by its type: ing the operation extend(·), which extends a lifting context with Lemma 6.1 (Canonical Forms). Say Σ ` v : σ. Then σ is a mappings for the variables in ∆, the existential parameters to the tm value type. Furthermore, data constructor K . Because these arguments are dependent, we define the operation recursively. The intuition presented before 1. If σ = σ1 → σ2 then v is λx: σ1. e or K τ ρ e. 0 still holds: (extend(Ψ; ρ; ∆))1(τ) replaces any parameter or ex- 2. If σ = ∀ a: κ. σ then v is Λa: κ. e or K τ ρ e. τ 0 istential argument in with its corresponding “from” type and 3. If σ = ∀ c: φ. σ then v is λc: τ1 ∼ τ2. e or K τ ρ e. (extend(Ψ; ρ; ∆))2(τ) replaces a variable with its corresponding 4. If σ = T τ then v is K τ ρ e. “to” type. Definition 6.2 (Consistency). A context Γ is consistent if ξ1 and ξ2 Definition 5.6 (Lifting context extension). Define the operation of have the same head form whenever Γ `co γ : ξ1 ∼ ξ2. lifting context extension, written extend(Ψ; ρ; ∆), as: With this definition of consistency, we can now state and prove extend(Ψ; ∅; ∅) = Ψ the progress theorem. extend(Ψ; ρ, τ; ∆, a: κ) = Ψ0, a: κ 7→ (τ, τ . Ψ0(κ), sym (hτi . Ψ0(κ))) Theorem 6.3 (Progress). Assume Σ is a closed, consistent context. where Ψ0 = extend(Ψ; ρ; ∆) If Σ `tm e1 : τ and e1 is not a value v or a coerced value v . γ, extend(Ψ; ρ, γ; ∆, c: σ1 ∼ σ2) = then there exists an e2 such that e1 −→ e2. 0 0 0 Ψ , c: σ1 ∼ σ2 7→ (γ, sym (Ψ (σ1)) γ Ψ (σ2)) The proof for the progress theorem proceeds exactly as in pre- 0 # # where Ψ = extend(Ψ; ρ; ∆) vious work [Weirich et al. 2010].

9 2013/3/29 However, the challenge is showing that the contexts produced The requirement that c1 and c2 not appear in the (erased) coercion by elaboration of source Haskell programs are consistent. Our proof γ is for purely technical reasons. To prove consistency, our consistency argument proceeds in four steps: proof technique requires that equalities in the premise are also between types with the same head form. This is only true if the 1. We define an implicitly coerced version of the language, where context is consistent, but c1 and c2 may be inconsistent: perhaps coercion proofs have been erased. By working with the implicit c: Int ∼ Bool. If we are allowed to introduce these into the context, language, our consistency and progress results do not depend induction will fail. This is the primary motivation for restricting the on specific proofs. Derivations in the explicit language can be coercion abstraction equality rule in the explicit system as well. erased to derivations in the implicit language. (Definition 6.4) 0 Γ `co η1 : σ1 ∼ σ1 φ1 = σ1 ∼ σ2 2. We define a rewrite relation that reduces types in the implicit 0 0 0 Γ `co η2 : σ2 ∼ σ φ2 = σ ∼ σ system by firing axioms in the context. (Figure 8) 2 1 2 c1 # |γ| c2 # |γ| 3. We specify a sufficient condition, which we write Good Γ Γ, c1: φ1, c2: φ2 `co γ : τ1 ∼ τ2 (Definition 6.6), for a context to be consistent. This condition Γ `ty ∀ c1: φ1. τ1 : ? Γ `ty ∀ c2: φ2. τ2 : ? allows the axioms produced by type and kind family definitions. Γ `co ∀(η1,η2)(c1, c2).γ :(∀ c1: φ1. τ1) ∼ (∀ c2: φ2. τ2) 4. We show that good contexts are consistent (Lemma 6.8), by The consequence of these restrictions is that there are some arguing that the joinability of the rewrite relation is complete types that cannot be shown equivalent. For example, there is no with respect to the implicit coercion proof system. Since the proof of equivalence between the types ∀ c1: Int ∼ b. Int and rewrite relation and erasure preserve the head form of value ∀ c2: Int ∼ b. b—a coercion between these two types would need types, this gives consistency for both the implicit and explicit to use c1 or c2. However, this lack of expressiveness is not sig- systems. nificant. In source Haskell, it would show up only through uses of Similar to surface Haskell, the implicit language elides coercion first-class polymorphism, which are rare. Furthermore, this restric- proofs and casts from the type language. The implicit language tion already exists in GHC—currently, coercions between the types judgements (denoted with a turnstile |=) are analogous to the ex- (Int ∼ b) ⇒ Int and (Int ∼ b) ⇒ b are disallowed. It is possible plicit language but for a few key differences. First, kind coercions that a completely different consistency proof would validate a rule no longer show up in types: they are implicit. that does not restrict the use of these variables. However, we leave this possibility to future work. To connect the explicit and implicit systems, we define an era- Γ |= τ : κ Γ |= γ : κ ∼ κ0 Γ |= κ0 : ? sure operation: AST 0 IT C Γ |= τ : κ Definition 6.4 (Coercion Erasure). Given an explicitly typed term Note that this system is no longer syntax directed—a type may have τ or coercion γ, we define its erasure, denoted |τ| or |γ|, by several syntactically different kinds. This is not a problem, as we induction on its structure. The interesting cases follow: use this system as a proof device for progress only. |τ . γ| = |τ| |γ(γ1, γ2)| = |γ|(•co, •co) 0 Second, the coercion in an application is erased to •co. |τ γ| = |τ| •co |γ . γ | = |γ| |γ@(γ0, γ00)| = |γ|@(• , • ) Γ |= τ : ∀ c: φ. κ Γ |= γ : φ co co IT CAPP Γ |= τ •co : κ All other cases follow simply propagate the | · | operation down the abstract syntax tree. (The full definition of this operation appears In general, we use •co to represent an elided coercion proof. in the appendix.) We define coercion proofs between erased types in a similar We further define the erasure of a context Γ, denoted |Γ|, by fashion. Most of the rules carry over from the explicitly typed erasing the types and equality propositions of each binding. system, but there are three major differences. First, the implicit language does not include a coherence rule. In Lemma 6.5 (Erasure is type preserving). If a judgement holds in 0 the explicit system, the judgement with coercions erased throughout the explicit language, given a coercion proof Γ `co γ : τ ∼ τ , the coherence rule was used to construct a proof γ . γ0 where the kind the context, types and coercions is derivable in the implicit system. 0 of the first type τ is changed, by applying a cast τ . γ . However, 1. If `wf Γ then |= |Γ|. we can accomplish this in the implicit language, by using IT CAST 0 2. If Γ `ty τ : κ then |Γ| |= |τ| : |κ|. to implicitly cast the kind of τ using coercion γ . 3. If Γ ` φ ok then |Γ| |= |φ| ok. Second, the coercion application congruence rule is modified: pr 4. If Γ `co γ : φ then |Γ| |= |γ| : |φ|. 0 Γ |= γ : τ ∼ τ 5. If Γ `tel ρ : ∆ then |Γ| |= |ρ| : |∆|. 0 0 Γ |= τ •co : κ Γ |= τ •co : κ PP Next, we define a non-deterministic rewrite relation on open 0 ICT CA Γ |= γ(•co, •co): τ •co ∼ τ •co implicit types in Figure 8. We also define a joinability relation, written Γ |= σ ⇔ σ , if both σ and σ can multi-rewrite to a This rule says that if two erased coercion applications are well 1 2 1 2 common reduct. formed, then if the two erased coercion abstractions are equal, there Consistency does not hold in arbitrary contexts, and it is difficult is a proof that the two applications are equal. in general to check whether a context is inconsistent. Therefore, The final difference is in the rule for coercion abstractions: like in previous work [Weirich et al. 2010], we give sufficient conditions for an erased context to be consistent, written Good Γ. 0 Γ |= η1 : σ1 ∼ σ1 φ1 = σ1 ∼ σ2 Γ |= η : σ ∼ σ0 φ = σ0 ∼ σ0 Definition 6.6 (Good contexts). We have Good Γ when the fol- 2 2 2 2 1 2 lowing conditions hold: c1 # γ c2 # γ Γ, c1: φ1, c2: φ2 |= γ : τ1 ∼ τ2 1. All coercion assumptions and axioms in Γ are of the form 0 Γ |= ∀ c1: φ1. τ1 : ? Γ |= ∀ c2: φ2. τ2 : ? C: ∀ ∆. (F τ ∼ τ ) or of the form c: a1 ∼ a2. In the first form, the arguments to the type function must behave like patterns. Γ |= ∀(η1,η2)(c1, c2).γ :(∀ c1: φ1. τ1) ∼ (∀ c2: φ2. τ2)

10 2013/3/29 0 It is not clear whether adding the Γ ` ? : ? rule to source Γ |= τ τ ty Haskell would cause type inference to loop as the type language does not include anonymous abstractions. However, the presence TS REFL Γ |= τ τ of nonterminating type expressions only threatens the decidability of type inference—once a type equality has been decided by the 0 0 0 0 Γ, Γ |= κ κ Γ, c: a1 ∼ a2, Γ |= σ σ constraint solver, it is elaborated to a finite equality proof. In FC, LL 0 0 0 TS A T Γ, Γ |= ∀ a1: κ. σ ∀ a2: κ . σ type checking is always decidable. 0 0 0 Other languages that adopt dependent types and the “type-in- Γ |= τ1 τ1 Γ |= τ2 τ2 Γ |= σ σ LL type” axiom [Augustsson 1998; Cardelli 1986] do not have decid- 0 0 0 TS A C Γ |= ∀ c: τ1 ∼ τ2. σ ∀ c: τ1 ∼ τ2. σ able type checking. These languages do not make the same distinc- 0 tions that FC does between expressions, types and coercions, sepa- C: ∀ ∆. (F τ ∼ τ ) ∈ Γ rating logically inconsistent types from logically consistent equal- 0 0 σ1 = τ[ρ/∆] σ1 = τ [ρ/∆] ity proofs. The FC coercion language is limited in expressive power 0 TS RED Γ |= F σ1 σ1 compared to these other languages and the consistency of this lan- guage (i.e., that there are equalities that cannot be derived) is a c: a ∼ τ ∈ Γ TS VARRED consequence of this limitation. This interplay between an incon- Γ |= a τ sistent programming language and a consistent metalogic is also 0 0 the subject of current research in the Trellys project [Casinghino Γ |= τ τ Γ |= σ σ TS APP et al. 2012; Kimmell et al. 2012]. Γ |= τ σ τ 0 σ0 0 Heterogeneous equality Heterogeneous equality is an essential Γ |= τ τ PP part of this system. It is primarily motivated by the presence of de- 0 TS CA Γ |= τ •co τ •co pendent application (such as rules K INST and K CAPP), where the kind of the result depends on the value of the argument. We Figure 8. Rewrite relation would like type equivalence to be congruent with respect to appli- cation, as is demonstrated by rule CT APP. However, if all equal- ities are required to be homogeneous, then not all uses of the rule 0 are valid because the result kinds may differ. For every well formed ρ, every τi ∈ τ and every τi such that 0 0 0 0 For example, consider the datatype TyRep of kind ∀ a: ?. ∀ b: ? Γ |= τi [ρ/∆] τi , it must be τi = τi [ρ /∆] for some ρ with Γ |= σ σ0 for each σ ∈ ρ and σ0 ∈ ρ0. .?. If we have coercions Γ `co γ1 : ? ∼ κ and Γ `co γ2 : Int ∼ m m m m τ, then we can construct the proof 2. There is no overlap between axioms and coercion assumptions. For each F ρ there exists at most one prefix ρ1 of ρ such that Γ `co hTyRepi γ1 γ2 : TyRep ? Int ∼ TyRep κ τ there exist C and σ where Γ |= C ρ1 :(F ρ1 ∼ σ). This C is unique for every matching F τ1. However, this proof requires heterogeneity because the first part 3. For each a, there is at most one assumption of the form c: a ∼ (hTyRepi γ1) creates an equality between types of different kinds: a0 or c: a0 ∼ a, and a 6= a0. TyRep ? and TyRep κ. The first has kind ? → ?, whereas the 4. Axioms equate types of the same kind. For each C: ∀ ∆. (F τ ∼ second has kind κ → ?. τ 0) in Γ, the kinds of each side must equal: for some κ, Γ, ∆ |= The coherence rule (CT COH) also requires that equality be het- F τ : κ and Γ, ∆ |= τ 0 : κ and that kind must not mention erogeneous because it equates types that almost certainly have dif- bindings in the telescope, Γ |= κ : ?. ferent kinds. This rule, inspired by Observational Type Theory [Al- tenkirch et al. 2007], provides a simple way of ensuring that proofs In the rest of this section, we sketch the proof that good contexts do not interfere with equality. Without it, we would need coercions are consistent. Our approach is similar to previous work [Weirich analogous to the many “push” rules of the operational semantics. et al. 2010], but differs in two ways. First, the rewrite relation works There are several choices in the semantics of heterogeneous on types in the implicit language. Second, the rewrite relation is not equality. We have chosen the most popular, where a proposition type directed: rewrite rules are guided by coercion axioms. σ1 ∼ σ2 is interpreted as a conjunction: “the types are equal The main lemma required for consistency is the completeness and their kinds are equal”. This semantics is similar to Epigram of joinability. Here, we write fcv(γ) ⊆ dom Γ0 to indicate that all 1 [McBride 2002], the HeterogeneousEquality module in the coercion variables and axioms used in γ are in the domain of Γ0. Agda standard library,3 and the treatment in Coq.4 Epigram 2 [Al- The proof appears in the appendix. tenkirch et al. 2007] uses an alternative semantics, interpreted as “if the kinds are equal than the types are equal”. Guru [Stump Lemma 6.7 (Completeness). Suppose that Γ |= γ : σ1 ∼ σ2, 0 0 0 et al. 2008] and Trellys [Kimmell et al. 2012; Sjoberg¨ et al. 2012], and fcv(γ) ⊆ dom Γ for some subcontext Γ satisfying Good Γ . use yet another interpretation which says nothing about the kinds. Then Γ |= σ1 ⇔ σ2. These differences arise from aspects of the overall type system— Lemma 6.8 (Consistency). If Good |Γ| then Γ is consistent. the syntax-directed type system of FC make the conjunctive inter- pretation the most reasonable, whereas the bidirectional type sys- tem of Epigram 2 makes the implicational version more convenient. 7. Discussion and related work Unlike higher-dimensional type theory [Licata and Harper Collapsing kinds and types Blurring the distinction between 2012], equality in this language has no computational content. Be- types and kinds is convenient, but is it wise? It is well known that cause of the separation between objects and proofs, FC is resolutely one-dimensional—we do not define what it means for proofs to be type systems that include the Γ `ty ? : ? rule are inconsistent logics [Girard 1972]. Does that cause trouble? The answer is no— inconsistency here means that all kinds are inhabited. But the FC 3 http://wiki.portal.chalmers.se/agda/agda.php?n= type language, even without our extensions, is already inconsistent Libraries.StandardLibrary as type families can be declared at any kind. 4 http://coq.inria.fr/stdlib/Coq.Logic.JMeq.html

11 2013/3/29 equivalent. Instead, we ensure that in any context the identity of T. Altenkirch, C. McBride, and W. Swierstra. Observational equality, now! equality proofs is unimportant. In Proceedings of the 2007 workshop on Programming languages meets program verification, PLPV ’07, pages 57–68, New York, NY, USA, The implicit language Our proof technique for consistency, 2007. ACM. based on erasing explicit type conversions, is inspired by ICC L. Augustsson. Cayenne—a language with dependent types. In Proceedings [Miquel 2001]. Coercion proofs are irrelevant to the definition of of the third ACM SIGPLAN international conference on Functional type equality, so to reason about type equality it is convenient programming, ICFP ’98, pages 239–250, New York, NY, USA, 1998. to eliminate them entirely. Following ICC* [Barras and Bernardo ACM. doi: 10.1145/289423.289451. 2008], we could alternatively view the implicit language as the H. P. Barendregt. Handbook of logic in computer science (vol. 2). chapter “real” semantics for FC, and then consider the language of this Lambda calculi with types, pages 117–309. Oxford University Press, paper as an adaptation of that semantics with annotations to make Inc., New York, NY, USA, 1992. typing decidable. Furthermore, the implicit language is interesting B. Barras and B. Bernardo. The implicit calculus of constructions in its own right as it is closer to source Haskell, which also makes as a programming language with dependent types. In Proceedings implicit use of type equalities. of the Theory and practice of software, 11th international confer- However, although the implicit language allows type equality ence on Foundations of software science and computational structures, assumptions to be used implicitly, it is not extensional type the- FOSSACS’08/ETAPS’08, pages 365–379, Berlin, Heidelberg, 2008. ory (ETT) [Martin-Lof¨ 1984]. Foremost, it separates proofs from Springer-Verlag. programs so that it can weaken the former (ensuring consistency) L. Cardelli. A polymorphic lambda calculus with type:type. Technical while enriching the latter (with “type-in-type”). The proof language Report 10, 1986. of FC is not as expressive as ETT. We have discussed the limitations C. Casinghino, V. Sjoberg,¨ and S. Weirich. Step-indexed normalization for a on equalities between coercion abstractions in Section 6. Another language with general recursion. In Fourth workshop on Mathematically difference is the lack of η-equivalence or extensional reasoning for Structured Functional Programming (MSFP ’12), 2012. type-level functions. M. M. T. Chakravarty, G. Keller, and S. Peyon Jones. Associated type synonyms. In Proceedings of the tenth ACM SIGPLAN International 8. Conclusions and future work Conference on Functional Programming, ICFP ’05, pages 241–253, New York, NY, USA, 2005. ACM. ISBN 1-59593-064-7. This work provides the basis for the practical extension of a popu- K. Crary, S. Weirich, and G. Morrisett. Intensional polymorphism in type lar programming language implementation. It does so without sac- erasure semantics. In Proceedings of the Third International Conference rificing any important metatheoretic properties. This extension is on Functional Programming (ICFP), pages 301–313, Baltimore, MD, a necessary step towards making Haskell more dependently typed. USA, Sept. 1998. The next step in this research plan is to lift these extensions to the J.-Y. Girard. Interpretation´ fonctionnelle et elimination´ des coupures de source language, incorporating these features within GHC’s con- l’arithmetique´ d’ordre superieu´ . PhD thesis, Universite´ Paris 7, 1972. straint solving algorithm. In particular, we plan future language G. Kimmell, A. Stump, H. D. Eades III, P. Fu, T. Sheard, S. Weirich, C. Cas- extensions in support of type- and kind-level programming, such inghino, V. Sjoberg,¨ N. Collins, and K. Y. Ahn. Equational reasoning as datakinds (datatypes that exist only at the kind-level), kind syn- about programs with general recursion and call-by-value semantics. In onyms and kind families. Although GHC already infers kinds, we Sixth ACM SIGPLAN Workshop Programming Languages meets Pro- will need to extend this mechanism to generate kind coercions and gram Verification (PLPV ’12), 2012. take advantage of these new features. We are also aware that Adam D. R. Licata and R. Harper. Canonicity for 2-dimensional type theory. In Gundry’s forthcoming dissertation will include Π-types in a version Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on of System FC,5 and we will want to make this feature available in Principles of programming languages, POPL ’12, pages 337–348, New the source language as well. York, NY, USA, 2012. ACM. Furthermore, even though this version of FC combines types J. P. Magalhaes.˜ The right kind of generic programming. In 8th ACM SIG- and kinds, the Haskell source language need not do so—predictable PLAN Workshop on Generic Programming, WGP 2012, Copenhagen, type inference algorithms may require more traditional stratifica- Denmark, New York, NY, USA, 2012. ACM. To appear. tion. This gap would not be new—the desires of a simple core P. Martin-Lof.¨ Intuitionistic Type Theory. Bibliopolis, 1984. language have already lead FC to be more expressive than source C. McBride. Elimination with a motive. In Selected papers from the Haskell. International Workshop on Types for Proofs and Programs, TYPES ’00, Although the interaction between dependent types and type pages 197–216, London, UK, UK, 2002. Springer-Verlag. inference brings new research challenges, these challenges can be C. T. McBride. Agda-curious?: an exploration of programming with depen- addressed in the context of a firm semantic basis. dent types. In P. Thiemann and R. B. Findler, editors, ICFP, pages 1–2. ACM, 2012. ISBN 978-1-4503-1054-3. Acknowledgements A. Miquel. The implicit calculus of constructions: extending pure type sys- Thanks to Simon Peyton Jones, Dimitrios Vytiniotis, Iavor Di- tems with an intersection type binder and subtyping. In Proceedings of the 5th international conference on Typed lambda calculi and appli- atchki, Jose´ Pedro Magalhaes,˜ Adam Gundry and Conor McBride cations, TLCA’01, pages 344–359, Berlin, Heidelberg, 2001. Springer- for discussion. This material is based upon work supported by Verlag. the National Science Foundation under Grant Nos. 0910500 and 1116620. U. Norell. Functional generic programming and type theory, 2002. MSc thesis. N. Oury and W. Swierstra. The power of Pi. In Proceedings of the 13th References ACM SIGPLAN international conference on Functional programming, T. Altenkirch and C. McBride. Generic programming within dependently ICFP ’08, pages 39–50, New York, NY, USA, 2008. ACM. ISBN 978- typed programming. In J. Gibbons and J. Jeuring, editors, Generic 1-59593-919-7. Programming, volume 243 of IFIP Conference Proceedings, pages 1– S. Peyton Jones, D. Vytiniotis, S. Weirich, and G. Washburn. Simple 20. Kluwer, 2002. ISBN 1-4020-7374-7. unification-based type inference for GADTs. In Proceedings of the eleventh ACM SIGPLAN International Conference on Functional Pro- 5 Personal communication gramming, ICFP ’06, pages 50–61, New York, NY, USA, 2006. ACM.

12 2013/3/29 T. Schrijvers, S. Peyton Jones, M. Sulzmann, and D. Vytiniotis. Complete A.2 Telescope argument validity and decidable type inference for GADTs. In Proceedings of the 14th ACM SIGPLAN international conference on Functional programming, Γ `tel ρ : ∆ ICFP ’09, pages 341–352, New York, NY, USA, 2009. ACM. V. Sjoberg,¨ C. Casinghino, K. Y. Ahn, N. Collins, H. D. Eades III, P. Fu, `wf Γ T2 EMPTY G. Kimmell, T. Sheard, A. Stump, and S. Weirich. Irrelevance, het- Γ `tel ∅ : ∅ erogenous equality, and call-by-value dependent type systems. In Fourth workshop on Mathematically Structured Functional Program- Γ, ∆ `ty κ : ? a #Γ, ∆ ming (MSFP ’12), 2012. Γ `ty τ : κ[ρ/∆] Γ `tel ρ : ∆ T2 CONST A. Stump, M. Deters, A. Petcher, T. Schiller, and T. Simpson. Verified Γ `tel ρ, τ : (∆, a: κ) programming in Guru. In Proceedings of the 3rd workshop on Program- ming languages meets program verification, PLPV ’09, pages 49–58, Γ, ∆ `pr φ ok c #Γ, ∆ New York, NY, USA, 2008. ACM. Γ `co γ : φ[ρ/∆] Γ `tel ρ : ∆ T2 CONSG M. Sulzmann, M. M. T. Chakravarty, S. P. Jones, and K. Donnelly. System F Γ `tel ρ, γ : (∆, c: φ) with type equality coercions. In Proceedings of the 2007 ACM SIGPLAN international workshop on Types in languages design and implementa- tion, TLDI ’07, pages 53–66, New York, NY, USA, 2007. ACM. A.3 Expression typing and operational semantics

D. Vytiniotis, S. Peyton Jones, and J. P. Magalhaes.˜ Equality proofs and Γ `tm e : τ Expression typing deferred type errors: A compiler pearl. In Proceedings of the 14th ACM SIGPLAN International Conference on Functional Programming, ICFP `wf Γ x: τ ∈ Γ 2012, Copenhagen, Denmark, New York, NY, USA, 2012. ACM. T VAR Γ ` x : τ S. Weirich, D. Vytiniotis, S. Peyton Jones, and S. Zdancewic. Generative tm type abstraction and type-level computation (extended version). Techni- Γ, x: τ1 `tm e : τ2 cal report, University of Pennsylvania, Nov. 2010. T ABS Γ `tm λx: τ1. e : τ1 → τ2 S. Weirich, D. Vytiniotis, S. Peyton Jones, and S. Zdancewic. Generative type abstraction and type-level computation. In Proceedings of the 38th Γ `tm e : τ1 → τ2 Γ `tm u : τ1 T APP annual ACM SIGPLAN-SIGACT symposium on Principles of program- Γ `tm e u : τ2 ming languages, POPL ’11, pages 227–240, New York, NY, USA, 2011. ACM. Γ, c: φ `tm e : τ Γ `pr φ ok T CABS Z. Yang. Encoding types in ML-like languages. In Proceedings of the Third Γ `tm λc: φ. e : ∀ c: φ. τ International Conference on Functional Programming (ICFP), pages 289–300, Baltimore, Maryland, USA, 1998. ACM Press. Γ `tm e : ∀ c: φ. τ Γ `co γ : φ B. A. Yorgey, S. Weirich, J. Cretin, S. Peyton Jones, D. Vytiniotis, and J. P. T CAPP Magalhaes.˜ Giving Haskell a promotion. In Proceedings of the 8th ACM Γ `tm e γ : τ[γ/c] SIGPLAN workshop on Types in Language Design and Implementation, Γ, a: κ `tm e : τ TLDI ’12, pages 53–66, New York, NY, USA, 2012. ACM. T TABS Γ `tm Λa: κ. e : ∀ a: κ. τ 0 Γ `tm e : ∀ a: κ. τ Γ `ty τ : κ A. Additional semantics T TAPP Γ ` e τ 0 : τ[τ 0/a] Below, we list a few rules and definitions not included in the main tm discussion. Γ `tm e : τ1 Γ `co γ : τ1 ∼ τ2 Γ `ty τ2 : ? T CAST A.1 Context well-formedness Γ `tm e . γ : τ2 These rules ensure that all assumptions in the context are well `wf Γ K: τ ∈ Γ T CON formed and unique. They additionally constrain the form of the Γ `tm K : τ kinds of datatypes and the types of data constructors. `wf Γ 0 Γ `tm e : T τ Γ `ty τ : ? GWF EMPTY Ki are exhaustive for T `wf ∅ for each i Γ `ty κ : ? a #Γ GWF TYVAR Ki: ∀ a: κ. ∀ ∆i . σi → (T a) ∈ Γ `wf Γ, a: κ 0 0 ∆i = ∆i [τ /a] Γ `ty κ : ? F #Γ 0 0 GWF TYFUN σi = σi [τ /a] `wf Γ, F: κ 0 0 Γ, ∆i , xi: σi `tm ui : τ Γ `ty ∀ a: κ. ? : ? T #Γ T CASE GWF TYDATA 0 0 Γ `tm case e of Ki ∆i xi: σi → ui : τ `wf Γ, T: ∀ a: κ. ?

Γ `ty τ : κ x #Γ Γ `co γ : H1 ρ1 ∼ H2 ρ2 H1 6= H2 AR GWF V Γ `ty τ : ? `wf Γ, x: τ T CONTRA Γ ` contra γ τ : τ Γ `ty ∀ a: κ. ∀ ∆. (σ → T a): ? K #Γ tm GWF CON 0 `wf Γ, K: ∀ a: κ. ∀ ∆. (σ → T a) e −→ e Step reduction, parameterized by toplevel context

Γ `pr φ ok c #Γ GWF CVAR S BETA `wf Γ, c: φ (λx: τ. e) e0 −→ e[e0/x] Γ, ∆ `pr φ ok C #Γ 0 GWF AX e1 −→ e1 `wf Γ, C: ∀ ∆. φ 0 S EAPP e1 e2 −→ e1 e2

13 2013/3/29 Γ `co γ : σ1 → σ2 ∼ τ1 → τ2 A.4 Erasure operation 1 2 S PUSH (v . γ) e −→ (v (e . sym (nth γ))) . nth γ |x| = x |λx: τ. e| = λx: •ty. |e| |e1 e2| = |e1| |e2| |Λa: κ. e| = Λa: •ty. |e| S TBETA (Λa: κ. e) τ −→ e[τ/a] |e τ| = |e| •ty |λc: φ. e| = λc: •prop. |e| |e γ| = |e| •co |e . γ| = |e| 0 e1 −→ e1 |K | = K 0 S TAPP e1 σ −→ e1 σ |case e of p → u| = case |e| of p → |u| |contra γ τ| = contra •co •ty

|a| = a Γ `co γ : ∀ a: κ1. σ1 ∼ ∀ a: κ2. σ2 |H | = H 0 1 γ = sym (nth γ) |F | = F 0 0 τ = τ . γ |K | = K S TPUSH (v . γ) τ −→ (v τ 0) . γ@(hτi . γ0) |∀ a: κ. τ| = ∀ a: |κ|. |τ| |∀ c: φ. τ| = ∀ c: |φ|. |τ| |τ1 τ2| = |τ1| |τ2| |τ1 . γ| = |τ1| S CBETA |τ1 γ| = |τ1| •co (λc: σ1 ∼ σ2. e) γ −→ e[γ/c]

|σ1 ∼ σ2| = |σ1| ∼ |σ2|

0 |c| = c e1 −→ e1 S CAPP |C ρ| = C |ρ| e γ −→ e0 γ 1 1 |hτi| = h|τ|i |sym γ| = sym |γ| |γ1 γ2| = |γ1| |γ2| 0 0 0 |∀η(#a1, a2, c).γ| = ∀ (#a1, a2, c).|γ| Γ `co γ :(∀ c: φ. τ) ∼ (∀ c : φ . τ ) |η| 00 1 0 2 |∀ (c , c ).γ| = ∀ (c , c ).|γ| γ = nth γ γ sym (nth γ) (η1,η2) 1 2 (|η |,|η |) 1 2 # # S CPUSH 1 2 (v . γ) γ0 −→ v γ00 . γ@(γ00, γ0) |γ1 γ2| = |γ1| |γ2| |γ(γ1, γ2)| = |γ|(•co, •co) |γ . γ0| = |γ| |γ@γ0| = |γ|@|γ0| 0 00 S COMB |γ@(γ , γ )| = |γ|@(•co, •co) (v . γ1) . γ2 −→ v . (γ1 γ2) i i # |nth γ| = nth |γ| |kind γ| = kind |γ|

e −→ e0 |ρ| (where ρ = τ) = |τ| S COERCE |ρ| ( ρ = γ) = • e . γ −→ e0 . γ where co |∅| = ∅ |Γ, a: κ| = |Γ|, a: |κ| Ki ∆i xi: σi → ui ∈ p → u |Γ, c: φ| = |Γ|, c: |φ| S CASEMATCH |Γ, C: ∀ ∆. φ| = |Γ|, C: ∀ |∆|. |φ| case Ki τ ρ e of p → u −→ ui [e/xi ][ρ/∆i ] A.5 Implicit Language Typing |= Γ Implicit Validity e −→ e0 ASE 0 S C case e of p → u −→ case e of p → u IV EMPTY |= ∅ Γ |= κ : ? a #Γ IV TYVAR K: ∀ a: κ. ∀ ∆. σ → (T a) ∈ Γ |= Γ, a: κ Ψ = extend(context(γ); ρ; ∆) Γ |= κ : ? F #Γ 0 τ = Ψ2(a) IV TYFUN 0 |= Γ, F: κ ρ = Ψ2(dom ∆) for each ei ∈ e, Γ |= ∀ a: κ. ? : ? T #Γ 0 IV TYDATA ei = ei . Ψ(σi ) |= Γ, T: ∀ a: κ. ? S KPUSH case ((K τ ρ e) . γ) of p → u −→ Γ |= τ : κ x #Γ case (K τ 0 ρ0 e0) of p → u IV VAR |= Γ, x: τ

14 2013/3/29 Γ |= ∀ a: κ. ∀ ∆. (σ → T a): ? K #Γ Γ |= τ : κ IV CON ICT REFL |= Γ, K: ∀ a: κ. ∀ ∆. (σ → T a) Γ |= hτi : τ ∼ τ

Γ |= γ : τ1 ∼ τ2 Γ |= φ ok c #Γ ICT SYM IV CVAR |= Γ, c: φ Γ |= sym γ : τ2 ∼ τ1 Γ |= γ1 : τ1 ∼ τ2 Γ |= γ2 : τ2 ∼ τ3 Γ, ∆ |= φ ok C #Γ ICT TRANS IV AX Γ |= γ1 γ2 : τ1 ∼ τ3 |= Γ, C: ∀ ∆. φ 0 # 0 Γ |= γ1 : τ1 ∼ τ2 Γ |= γ2 : τ1 ∼ τ2 0 0 Γ |= φ ok Implicit coercion kind well-formedness Γ |= τ1 τ1 : κ1 Γ |= τ2 τ2 : κ2 0 0 ICT APP Γ |= γ1 γ2 : τ1 τ1 ∼ τ2 τ2 Γ |= σ1 : κ1 Γ |= η : κ1 ∼ κ2 Γ |= σ2 : κ2 Γ, a : κ , a : κ , c: a ∼ a |= γ : τ ∼ τ IP EQUALITY 1 1 2 2 1 2 1 2 Γ |= σ1 ∼ σ2 ok Γ |= ∀ a1: κ1. τ1 : ? Γ |= ∀ a2: κ2. τ2 : ? ICT ALLT Γ |= τ : κ Implicit Kinding Γ |= ∀η(a1, a2, c).γ :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2) c: φ ∈ Γ |= Γ ICT VAR |= Γ Γ |= c : φ IT STARINSTAR Γ |= ? : ? C: ∀ ∆. (τ1 ∼ τ2) ∈ ΓΓ |= ρ : ∆ ICT AXIOM |= Γ Γ |= C ρ : τ1[ρ/∆] ∼ τ2[ρ/∆] IT ARROW Γ |= γ : H τ ∼ H τ 0 Γ |= (→): ? → ? → ? ICT NTH Γ |= nthi γ : τ ∼ τ 0 |= Γ i i IT ARROWK Γ |= γ1 :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2) Γ |= ? → ? → ? : ? 1 ICT NTH1TA Γ |= nth γ1 : κ1 ∼ κ2 |= Γ w: κ ∈ Γ 0 0 0 0 Γ |= γ :(∀ c: κ1 ∼ κ2. τ) ∼ (∀ c : κ1 ∼ κ2. τ ) IT VAR TH Γ |= w : κ 1 0 ICT N 1CA Γ |= nth γ : κ1 ∼ κ1 0 0 0 0 Γ |= τ1 : κ1 → κ2 Γ |= τ2 : κ1 Γ |= γ :(∀ c: κ1 ∼ κ2. τ) ∼ (∀ c : κ1 ∼ κ2. τ ) PP TH IT A 2 0 ICT N 2CA Γ |= τ1 τ2 : κ2 Γ |= nth γ : κ2 ∼ κ2 Γ |= γ : τ1 ∼ τ2 Γ |= τ1 : κ2 Γ |= τ2 : κ2 Γ |= τ1 : ∀ a: κ1. κ2 Γ |= τ2 : κ1 IT INST ICT EXT Γ |= kind γ : κ1 ∼ κ2 Γ |= τ1 τ2 : κ2[τ2/a] Γ |= ρ : ∆ Implicit telescope argument validity Γ |= τ : ∀ c: φ. κ Γ |= γ : φ IT CAPP Γ |= τ •co : κ |= Γ IT2 EMPTY Γ, a: κ |= τ : ? Γ |= κ : ? Γ |= ∅ : ∅ IT ALLT Γ |= ∀ a: κ. τ : ? Γ, ∆ |= κ : ? a #Γ, ∆ Γ |= τ : κ[ρ/∆] Γ |= ρ : ∆ Γ, c: φ |= τ : ? Γ |= φ ok IT2 CONST IT ALLC Γ |= ρ, τ : (∆, a: κ) Γ |= ∀ c: φ. τ : ? Γ, ∆ |= φ ok c #Γ, ∆ Γ |= τ : κ Γ |= γ : κ ∼ κ0 Γ |= κ0 : ? Γ |= γ : φ[ρ/∆] Γ |= ρ : ∆ IT CAST IT2 CONSG Γ |= τ : κ0 Γ |= ρ, •co : (∆, c: φ) Γ |= γ : φ Implicit Coercion Typing A.6 Telescope reduction 0 Γ |= ρ ρ Γ |= γ : τ ∼ τ 0 0 0 Γ |= τ •co : κ Γ |= τ •co : κ PP RNIL 0 ICT CA Γ |= Γ |= γ(•co, •co): τ •co ∼ τ •co ∅ ∅ 0 0 Γ |= τ τ Γ |= ρ ρ 0 ONS Γ |= η1 : σ1 ∼ σ1 φ1 = σ1 ∼ σ2 0 0 RC 0 0 0 Γ |= ρ, τ ρ , τ Γ |= η2 : σ2 ∼ σ2 φ2 = σ1 ∼ σ2 c1 # γ c2 # γ B. Regularity Γ, c1: φ1, c2: φ2 |= γ : τ1 ∼ τ2 Γ |= ∀ c1: φ1. τ1 : ? Γ |= ∀ c2: φ2. τ2 : ? These typing judgements are designed to satisfy the following ICT ALLC generation properties that ensure that the subcomponents of each Γ |= ∀ (c , c ).γ :(∀ c : φ . τ ) ∼ (∀ c : φ . τ ) (η1,η2) 1 2 1 1 1 2 2 2 judgement are valid. Γ |= γ1 :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2) Lemma B.1 (Regularity/Generation). Γ |= γ2 : σ1 ∼ σ2 Γ |= σ1 : κ1 Γ |= σ2 : κ2 1. If Γ `ty τ : κ then Γ `ty κ : ? and `wf Γ. ICT INST 2. If Γ `tm e : τ then Γ `ty τ : ? and `wf Γ. Γ |= γ1@γ2 : τ1[σ1/a1] ∼ τ2[σ2/a2] 3. If Γ `co γ : σ1 ∼ σ2 then Γ `pr σ1 ∼ σ2 ok and `wf Γ. 0 0 0 0 Γ |= γ :(∀ c: σ1 ∼ σ2. τ) ∼ (∀ c : σ1 ∼ σ2. τ ) 0 0 Proof. Γ |= γ1 : σ1 ∼ σ2 Γ |= γ2 : σ1 ∼ σ2 The proof of this lemma is a straightforward induction on NST 0 ICT I C typing derivations, appealing to substitution Lemma C.4. Γ |= γ@(•co, •co): τ ∼ τ

15 2013/3/29 0 0 C. Preservation 1. If Γ, ∆, Γ `ty τ : κ then Γ, Ψ˙ j , Ψj (Γ ) `ty Ψj (τ):Ψj (κ) 0 ˙ 0 This section presents the necessary details for the proof of the 2. If Γ, ∆, Γ `pr φ ok then Γ, Ψj , Ψj (Γ ) `pr Ψj (φ) ok 0 0 preservation theorem. The theorem itself is proved by induction 3. If Γ, ∆, Γ `co γ : φ then Γ, Ψ˙ j , Ψj (Γ ) `co Ψj (γ):Ψj (φ) 0 0 0 on the typing derivation with a case analysis of the rule used in the 4. If Γ, ∆, Γ `lc ∆ ! Ψ then operational semantics. Below, we present only three cases, those ˙ 0 0 0 Γ, Ψj , Ψj (Γ ) `lc Ψj (∆ ) ! Ψj (Ψ ) for S KPUSH,S TPUSH, and S CPUSH. These are the only cases 0 0 0 0 5. If Γ, ∆, Γ `tel ρ : ∆ then Γ, Ψ˙ j , Ψj (Γ ) `tel Ψj (ρ):Ψj (∆ ) that differ from the proof described in previous work [Weirich et al. 0 ˙ 0 2010]. We also present many supporting lemmas needed for these 6. If `wf Γ, ∆, Γ , then `wf Γ, Ψj , Ψj (Γ ) cases, particularly regarding the treatment of lifting contexts. Proof. We proceed by mutual induction. C.1 Lifting contexts There are many cases to consider. We consider the interesting ones here: A lifting context contains two types of mappings: those labeled 0 with 7→ that denote a mapping from type or coercion variables Case K VAR: We know Γ, ∆, Γ `ty w : κ, and by inversion, `wf • 0 0 0 to existing types and coercions, and those labeled with 7→ that Γ, ∆, Γ and w: κ ∈ Γ, ∆, Γ . We must show Γ, Ψ˙ j , Ψj (Γ ) `ty denote a mapping from type or coercion variables to fresh type and Ψj (w):Ψj (κ). coercion variables. We have two cases: A lifting context is considered valid with respect to a context Γ w ∈ dom Γ: Because w ∈/ dom ∆, Ψj (w) = w. Furthermore, and telescope ∆ when the following judgement holds: because κ appears in Γ, ∆, Γ0 before any element in ∆ is declared, we know that κ cannot refer to any variable

Γ `lc ∆ Ψ Lifting context validity declared in ∆. Therefore, Ψj (κ) = κ. By the induction ! 0 hypothesis, `wf Γ, Ψ˙ j , Ψj (Γ ), and we can use rule K VAR 0 `wf Γ to get Γ, Ψ˙ j , Ψj (Γ ) `ty w : κ as desired. LC EMPTY ? Γ `lc ∅ ! ∅ w ∈ dom ∆: By Lemma C.3, a mapping w: κ 7→ (τ1, τ2, γ) must exist in Ψ. Here, we have two further cases, depending Γ `lc ∆ ! Ψ a #Γ, ∆ Γ `ty σ1 :Ψ1(κ)Γ `ty σ2 :Ψ2(κ) on the nature of the mapping: Γ `co γ : σ1 ∼ σ2 7→: Inverting Γ `lc ∆ Ψ eventually gives us Γ `ty LC TY ! Γ `lc (∆, a: κ) (Ψ, a: κ 7→ (σ1, σ2, γ)) Ψj (w):Ψj (κ) (from rule LC TY). Weakening then ! 0 gives us Γ, Ψ˙ j , Ψj (Γ ) `ty Ψj (w):Ψj (κ) as desired. Γ `lc ∆ ! Ψ c #Γ, ∆ • 7→: By the definition of Ψ˙ j , w:Ψj (κ) ∈ Ψ˙ j . By the Γ `co η1 :Ψ1(φ)Γ `co η2 :Ψ2(φ) 0 LC CO induction hypothesis, we can derive `wf Γ, Ψ˙ j , Ψj (Γ ). Γ `lc (∆, c: φ) ! (Ψ, c: φ 7→ (η1, η2)) 0 Then, we apply rule K VAR to get Γ, Ψ˙ j , Ψj (Γ ) `ty a1 #Γ, ∆ a2 #Γ, ∆ c #Γ, ∆ Ψj (w):Ψj (κ) as desired. Γ `lc ∆ ! Ψ 0 LC TYFRESH w ∈ dom Γ : Because w ∈/ dom ∆, Ψj (w) = w. Further- • 0 Γ `lc (∆, a: κ) ! (Ψ, a: κ 7→ (a1, a2, c)) more, we know w: κ ∈ Γ and therefore w:Ψj (κ) ∈ 0 ˙ 0 Γ ` ∆ Ψ c #Γ, ∆ c #Γ, ∆ Ψj (Γ ). The induction hypothesis gives us `wf Γ, Ψj , Ψj (Γ ) lc ! 1 2 ˙ 0 • LC COFRESH and we can use rule K VAR to derive Γ, Ψj , Ψj (Γ ) `ty Γ `lc (∆, c: φ) ! (Ψ, c: φ 7→ (c1, c2)) Ψj (w):Ψj (κ) as desired. We can view the fresh bindings of a lifting context as a typing w ∈/ dom ∆: 0 context: Case K ALLC: We know Γ, ∆, Γ `ty ∀ c: φ. τ : ?, and by 0 0 inversion, Γ, ∆, Γ , c: φ `ty τ : ? and Γ, ∆, Γ `pr φ ok. We Definition C.1 (Single flattening). The operation Ψ˙ j turns a lifting 0 must show Γ, Ψ˙ j , Ψj (Γ ) `ty ∀ c:Ψj (φ). Ψj (τ): ?. context into a typing context. 0 The induction hypothesis gives us Γ, Ψ˙ j , Ψj (Γ ), c:Ψj (φ) `ty • ˙ 0 1. For each a: κ 7→ (a1, a2, c) ∈ Ψ, the context Ψj includes the Ψj (τ): ? and Γ, Ψ˙ j , Ψj (Γ ) `pr Ψj (φ) ok. Thus, by rule 0 binding aj :Ψj (κ). K ALLC, Γ, Ψ˙ j , Ψj (Γ ) `ty ∀ c:Ψj (φ). Ψj (τ): ? and we are • 2. For each c: φ 7→ (c1, c2), the context includes the binding done. cj :Ψj (φ). Case CT ALLC: We know ˙ 0 Definition C.2 (Flattening). The operation Ψ turns a lifting context Γ, ∆, Γ `co ∀(η1,η2)(c1, c2).γ :(∀ c1: φ1. τ1) ∼ (∀ c2: φ2. τ2) into a typing context. and by inversion • ˙ 0 0 1. For each a: κ 7→ (a1, a2, c) ∈ Ψ, the context Ψ includes the Γ, ∆, Γ `co η1 : σ1 ∼ σ1 bindings a1:Ψ1(κ), a2:Ψ2(κ), c: a1 ∼ a2. 0 0 • Γ, ∆, Γ `co η2 : σ2 ∼ σ2 2. For each c: φ 7→ (c1, c2), the context includes the bindings φ1 = σ1 ∼ σ2 c1:Ψ1(φ), c2:Ψ2(φ). 0 0 φ2 = σ1 ∼ σ2 Lemma C.3 (Lifting context domains). If Γ `lc ∆ ! Ψ, then the domain of ∆ equals the set of variables mapped in Ψ. c1 # |γ| c2 # |γ| Proof. Straightforward induction on the derivation of Γ `lc ∆ ! 0 Ψ. Γ, ∆, Γ , c1: φ1, c2: φ2 `co γ : τ1 ∼ τ2 0 Γ, ∆, Γ `ty ∀ c1: φ1. τ1 : ? Lemma C.4 (Lifting context substitution). Suppose Γ `lc ∆ ! 0 Ψ. Γ, ∆, Γ `ty ∀ c2: φ2. τ2 : ?

16 2013/3/29 0 0 We wish to show 4. If Γ, ∆ `tel ρ : ∆ then Γ, Ψ˙ `tel Ψj (ρ):Ψj (∆ ) ˙ 0 Γ, Ψj , Ψj (Γ ) ` ∀(Ψ (η ),Ψ (η ))(c1, c2).Ψj (γ): (This lemma is the same as Lemma C.4, except the j subscripts in j 1 j 2 the conclusion contexts are removed.) (∀ c1:Ψj (φ1). Ψj (τ1)) ∼ (∀ c2:Ψj (φ2). Ψj (τ2)). To use rule CT ALLC, we need to show Proof. Immediate from Lemma C.4 and weakening, noting that any ˙ 0 0 Ψ˙ Ψ˙ Γ, Ψj , Ψj (Γ ) `co Ψj (η1):Ψj (σ1) ∼ Ψj (σ1) (1) difference between j and are guaranteed to be fresh bindings. ˙ 0 0 Γ, Ψj , Ψj (Γ ) `co Ψj (η2):Ψj (σ2) ∼ Ψj (σ2) (2) c1 # |Ψj (γ)| (3) Lemma C.7 (Erased lifted coercions). Let Ψ contain the mapping • c2 # |Ψj (γ)| (4) c: φ 7→ (c1, c2). If Γ `lc ∆ ! Ψ and Γ, ∆ `ty τ : κ, then Γ, Ψ˙ , Ψ (Γ0), c :Ψ (φ ), c :Ψ (φ ) ` c1 # |Ψ(τ)| and c2 # |Ψ(τ)|. j j 1 j 1 2 j 2 co (5) Ψj (γ):Ψj (τ1) ∼ Ψj (τ2) 0 Proof. We proceed by induction on the typing derivation for τ. Γ, Ψ˙ j , Ψj (Γ ) `ty ∀ c1:Ψj (φ1). Ψj (τ1): ? (6) ˙ 0 Γ, Ψj , Ψj (Γ ) `ty ∀ c2:Ψj (φ2). Ψj (τ2): ? (7) Cases K STARINSTAR and K ARROW: Trivial. We know (1), (2), (5), (6), and (7) by the induction hypothesis. Case K VAR: τ = w, and we know `wf Γ, ∆ and w: κ ∈ Γ, ∆. We can derive (3) and (4) by noting that Ψj (·) and |·| commute Here we have two cases: with each other and that c1, c2 do not appear in Ψ. Therefore, if w ∈ dom ∆: We know w is a type variable, so w 6= c. Thus, c1 # |γ|, then c1 # |Ψj (γ)| and likewise for c2. Now, we can w appears either after or before c in Ψ. If w appears after apply CT ALLC and we are done. c, then, by the fact that all mappings with 7→ precede all 0 0 • 0 Case CT AXIOM: We know Γ, ∆, Γ `co C ρ : τ1[ρ/∆ ] ∼ mappings with 7→ in Ψ, Ψ(w) is some fresh variable c , 0 0 0 τ2[ρ/∆ ], and by inversion, C: ∀ ∆ . (τ1 ∼ τ2) ∈ Γ, ∆, Γ and thus c1 # |Ψ(w)| and c2 # |Ψ(w)| as desired. Going 0 0 and Γ, ∆, Γ `tel ρ : ∆ . We must show forward, we can assume w occurs before c in Ψ. Now, • Γ, Ψ˙ , Ψ (Γ0) ` Ψ (C ρ):Ψ (τ [ρ/∆0] ∼ τ [ρ/∆0]) the mapping from w may be built with 7→ or 7→. We have j j co j j 1 2 already handled the latter case, so going forward, we can or, equivalently, assume that the mapping is built with 7→. Ψ(w) = γ for some γ. However, this γ is built from components all of ˙ 0 Γ, Ψj , Ψj (Γ ) `co C Ψj (ρ): which are out of scope of c, c1, and c2. Thus, neither c1 0 0 c γ |γ| Ψj (τ1)[Ψj (ρ)/Ψj (∆ )] ∼ Ψj (τ2)[Ψj (ρ)/Ψj (∆ )] nor 2 appear in and thus do not appear in . Thus, c1 # |Ψ(w)| and c2 # |Ψ(w)| as desired. To use CT AXIOM to prove this fact, we need, in turn w ∈/ dom ∆: In this case Ψ(w) = hwi. Because the spaces of 0 0 C: ∀ Ψj (∆ ). (Ψj (τ1) ∼ Ψj (τ2)) ∈ Γ, Ψ˙ j , Ψj (Γ ) type variables and coercion variables are distinct, we know 0 0 that w 6= c1 and w 6= c2, as desired. Γ, Ψ˙ j , Ψj (Γ ) `tel Ψj (ρ):Ψj (∆ ) Case K APP: τ = τ1 τ2, and we know Γ, ∆ `ty τ1 : κ1 → κ2 The induction hypothesis gives us the second fact above. and Γ, ∆ `ty τ2 : κ1. Here, Ψ(τ1 τ2) = Ψ(τ1) Ψ(τ2). By construction, a lifting context cannot map an axiom variable The induction hypothesis tells us that c1, c2 do not appear in C . Thus, appealing to Lemma C.3, we know that C ∈/ dom ∆. |Ψ(τ1)|, |Ψ(τ2)|. Since |γ1 γ2| = |γ1| |γ2|, the desired result We then have two cases: follows directly from this result. C ∈ dom Γ: Because C is well-formed in Γ, the type of C Case K INST: Analogous to K APP. 0 0 cannot mention any variables in ∆. Thus, Ψj (∆ ) = ∆ , Case K CAPP: τ = τ1 γ1, and we know Ψj (τ1) = τ1 and Ψj (τ2) = τ2. Then, we can conclude that 0 Γ, ∆ `ty τ1 : ∀ c: φ. κ C: ∀ ∆ . (τ1 ∼ τ2) ∈ Γ and we are done. C ∈ dom Γ0: In this case, we can conclude that Γ, ∆ `co γ1 : φ 0 0 C: ∀ Ψj (∆ ). (Ψj (τ1) ∼ Ψj (τ2)) ∈ Ψj (Γ ) We have Ψ(τ1 γ1) = Ψ(τ1)(Ψ1(γ1), Ψ2(γ1)). The induction hypothesis tells us that c1, c2 do not appear in |Ψ(τ1)|. By the and we are done. definition of | · |, |Ψ(τ1 γ1)| = |Ψ(τ1)|(•co, •co). Thus, c1, c2 do not appear in |Ψ(τ1 γ1)| as desired. 0 Case K ALLT: τ = ∀ a: κ. τ , and we know Γ, ∆, a: κ `ty 0 0 • τ : ? and Γ, ∆ `ty κ : ?. Letting Ψ = Ψ, a: κ 7→ We will need the following lemmas to prove the lifting lemma: 0 (a1, a2, c) (for fresh a1, a2, c), we have |Ψ(∀ a: κ. τ )| = Lemma C.5 (Lifting context coercions). If Γ `lc ∆ ! Ψ and Ψ |∀ (a , a , c).Ψ0(τ 0)| = ∀ (a , a , c).|Ψ0(τ 0)|. The Ψ(κ) 1 2 |Ψ(κ)| 1 2 ? ˙ contains the mapping a: κ 7→ (τ1, τ2, γ), then Γ, Ψ `co γ : τ1 ∼ induction hypothesis tells us that c1, c2 do not appear in |Ψ(κ)| τ2. and |Ψ0(τ 0)|, so we are done. Case K ALLC: Analogous to K ALLT. Proof. Straightforward induction on Γ `lc ∆ ! Ψ. 0 0 Case K CAST: τ = τ .η and we know Γ, ∆ `ty τ : κ1, Γ, ∆ `co 0 η : κ1 ∼ κ2, and Γ, ∆ `ty κ2 : ?. We have |Ψ(τ . η)| = Lemma C.6 (Weakened lifting context substitution). Suppose Γ `lc 0 0 |Ψ(τ ) . Ψ1(η) ∼ Ψ2(η)| = |sym ((sym Ψ(τ )) . Ψ2(η)) . ∆ ! Ψ. 0 Ψ1(η)| = sym (sym |Ψ(τ )|). The induction hypothesis tells ˙ 0 1. If Γ, ∆ `ty τ : κ then Γ, Ψ `ty Ψj (τ):Ψj (κ) us that c1, c2 do not appear in |Ψ(τ )|, so we are done. 2. If Γ, ∆ `co γ : φ then Γ, Ψ˙ `co Ψj (γ):Ψj (φ) 0 0 ˙ 0 0 3. If Γ, ∆ `lc ∆ ! Ψ then Γ, Ψ `lc Ψj (∆ ) ! Ψj (Ψ )

17 2013/3/29 Proof of Lemma 5.3 (Lifting): If Γ `lc ∆ ! Ψ and Γ, ∆ `ty or, equivalently, τ : κ, then ˙ 0 0 ˙ Γ, Ψ `co ∀Ψ(κ)(a1, a2, c).Ψ (τ ): Γ, Ψ `co Ψ(τ):Ψ1(τ) ∼ Ψ2(τ) 0 0 0 0 ∀ a1:Ψ1(κ). Ψ1(τ ) ∼ ∀ a2:Ψ2(κ). Ψ2(τ ) Proof. We proceed by induction on the typing derivation for τ. By the induction hypothesis, we have ˙ Case K STARINSTAR: Trivial: Γ, Ψ `co h?i : ? ∼ ?. Γ, Ψ˙ `co Ψ(κ):Ψ1(κ) ∼ Ψ2(κ) ˙ Case K ARROW: Trivial: Γ, Ψ `co h(→)i :(→) ∼ (→). ˙ 0 0 0 0 0 0 0 Γ, Ψ `co Ψ (τ ):Ψ1(τ ) ∼ Ψ2(τ ) Case K VAR: τ = w, and we know `wf Γ, ∆ and w: κ ∈ Γ, ∆. Here we have two cases: We wish to use CT ALLT. The first two premises are already ˙ 0 w ∈ dom ∆: By the definition of ∆, w must be a type variable satisfied, noting that Ψ contains the extra bindings for the ? second premise. We must show a. Using Lemma C.3, there must exist a mapping a: κ 7→ 0 (τ1, τ2, γ) in Ψ. Then, we know Ψ(w) = γ, Ψ1(w) = τ1, Γ, Ψ˙ `ty ∀aj :Ψj (κ).Ψj (τ ): ? ˙ and Ψ2(w) = τ2. By Lemma C.5, we can get Γ, Ψ `co γ : This fact comes directly from the use of Lemma C.6 applied to ˙ τ1 ∼ τ2, and thus Γ, Ψ `co Ψ(w):Ψ1(w) ∼ Ψ2(w) as the type of ∀ a: κ. τ 0. desired. Thus, we can apply CT ALLT, and we are done. w ∈/ dom ∆: Γ, Ψ˙ ` hwi : w ∼ w 0 0 Trivial: co . Case K ALLC: τ = ∀ c: φ. τ , and we know Γ, ∆, c: φ `ty τ : ? Case K APP: τ = τ1 τ2, and we know Γ, ∆ `ty τ1 : κ1 → κ2 and Γ, ∆ `pr φ ok. We can use LC COFRESH to derive Γ `lc and Γ, ∆ `ty τ2 : κ1. Ψ(τ1 τ2) = Ψ(τ1) Ψ(τ2). The induction • 0 ∆, c: φ Ψ, c: φ 7→ (c1, c2) for fresh c1, c2. Write Ψ for hypothesis gives us ! this extended lifting context, and let φ = σ1 ∼ σ2. Γ, Ψ˙ `co Ψ(τ1):Ψ1(τ1) ∼ Ψ2(τ1) We wish to show ˙ 0 0 0 Γ, Ψ˙ `co Ψ(τ2):Ψ1(τ2) ∼ Ψ2(τ2). Γ, Ψ `co Ψ(∀ c: φ. τ ):Ψ1(∀ c: φ. τ ) ∼ Ψ2(∀ c: φ. τ ) We now wish to use rule CT APP, but we need to know or, equivalently, 0 0 Γ, Ψ˙ `ty Ψ1(τ1)Ψ1(τ2): σ1 ˙ Γ, Ψ `co ∀(Ψ(σ1),Ψ(σ2))(c1, c2).Ψ (τ ): ˙ 0 0 Γ, Ψ `ty Ψ2(τ1)Ψ2(τ2): σ2 ∀ c1:Ψ1(σ1) ∼ Ψ1(σ2). Ψ1(τ ) ∼ 0 0 for some types σ1 and σ2. Lemma C.6 applied to the types of ∀ c2:Ψ2(σ1) ∼ Ψ2(σ2). Ψ2(τ ) τ and τ , along with straightforward typing rule applications, 1 2 Γ, ∆ ` σ ∼ σ ok gives us exactly these facts. Thus, We use inversion on pr 1 2 to get Γ, ∆ `ty σ1 : κ1 Γ, Ψ˙ `co Ψ(τ1) Ψ(τ2):Ψ1(τ1)Ψ1(τ2) ∼ Ψ2(τ1)Ψ2(τ2) Γ, ∆ `ty σ2 : κ2 or By the induction hypothesis, we have Γ, Ψ˙ `co Ψ(τ1 τ2):Ψ1(τ1 τ2) ∼ Ψ2(τ1 τ2) ˙ as desired. Γ, Ψ `co Ψ(σ1):Ψ1(σ1) ∼ Ψ2(σ1)

Case K INST: τ = τ1 τ2, and we know Γ, ∆ `ty τ1 : ∀ a: κ1. κ2 Γ, Ψ˙ `co Ψ(σ2):Ψ1(σ1) ∼ Ψ2(σ2) and Γ, ∆ ` τ : κ . This case then proceeds identically to the ty 2 1 ˙ 0 0 0 0 0 0 0 previous case. Γ, Ψ `co Ψ (τ ):Ψ1(τ ) ∼ Ψ2(τ ) Case K CAPP: τ = τ1 γ1, and we know Γ, ∆ `ty τ1 : ∀ c: φ. κ We wish to use CT ALLC. The first, second, third, fourth, and Γ, ∆ `co γ1 : φ. Ψ(τ1 γ1) = Ψ(τ1)(Ψ1(γ1), Ψ2(γ1)). and seventh premises are already satisfied. The fifth and sixth 0 0 0 0 The induction hypothesis gives us premises are c1 # |Ψ (τ )| and c2 # |Ψ (τ )|, respectively. ˙ We use Lemma C.7 to get these conditions. Now, it remains Γ, Ψ `co Ψ(τ1):Ψ1(τ1) ∼ Ψ2(τ1). only to show We now wish to use rule CT CAPP, but we need to know ˙ 0 0 Γ, Ψ `ty ∀cj :Ψj (φ).Ψj (τ ): ? Γ, ∆ ` Ψ (τ )Ψ (γ ): κ ty 1 1 1 1 This fact comes directly from the use of Lemma C.6 applied to 0 0 Γ, ∆ `ty Ψ2(τ1)Ψ2(γ1): κ the type of ∀ c: φ. τ . 0 Thus, we can apply CT ALLC, and we are done. for some types κ and κ . Lemma C.6 applied to the types of 0 0 Case K CAST: τ = τ . η, and we know Γ, ∆ `ty τ : κ1, τ1 and γ1, along with straightforward typing rule applications, gives us exactly these facts. Thus, Γ, ∆ `co η : κ1 ∼ κ2, and Γ, ∆ `ty κ2 : ?. We wish to show Γ, Ψ˙ `co Ψ(τ1 γ1):Ψ1(τ1)Ψ1(γ1) ∼ Ψ2(τ1)Ψ2(γ1) 0 0 0 Γ, Ψ˙ `co Ψ(τ . η):Ψ1(τ . η) ∼ Ψ2(τ . η) or or, equivalently, Γ, Ψ˙ `co Ψ(τ1 γ1):Ψ1(τ1 γ1) ∼ Ψ2(τ1 γ1) ˙ 0 as desired. Γ, Ψ `co sym ((sym Ψ(τ )) . Ψ2(η)) . Ψ1(η): 0 0 0 0 Case K ALLT: τ = ∀ a: κ. τ , and we know Γ, ∆, a: κ `ty τ : ? Ψ1(τ ) . Ψ1(η) ∼ Ψ2(τ ) . Ψ2(η). and Γ, ∆ `ty κ : ?. We can use LC TYFRESH to derive • By the induction hypothesis, we have Γ `lc ∆, a: κ ! Ψ, a: κ 7→ (a1, a2, c) for fresh a1, a2, c. 0 0 0 0 Write Ψ for this extended lifting context. Γ, Ψ˙ `co Ψ(τ ):Ψ1(τ ) ∼ Ψ2(τ ). We wish to show Using this fact with straightforward application of typing rules 0 0 0 Γ, Ψ˙ `co Ψ(∀ a: κ. τ ):Ψ1(∀ a: κ. τ ) ∼ Ψ2(∀ a: κ. τ ) gives us the desired result.

18 2013/3/29 00 00 3. Γ `co sym (hτi . Ψ (κ)) : τ ∼ (τ . Ψ (κ)) Straightforward application of typing rules. 0 0 C.2 Metatheory for S KPUSH Preservation • Case ρ2 = ρ2, γ; ∆2 = ∆2, c: φ: The inductive hypothesis is the same as in the previous case. Having proved the lifting lemma, we still must present and prove a 0 0 0 We must show Γ `lc ∆1, ∆2, c: φ ! Ψ , where Ψ = number of other lemmas before proving that the types are preserved 0 0 in the S KPUSH case. extend(Ψ; ρ2, γ; ∆2, c: φ). By the definition of the extend operation, we know we will Lemma C.8 (Telescope substitution). If Γ `lc ∆ ! Ψ and `wf ∆, have to use rule LC CO. It is easy to see from the definition 0 00 then Ψj (∆) = ∆. of extend that Ψ is Ψ with an additional mapping from c. 0 00 Thus, Γ `lc ∆1, ∆2 ! Ψ fulfills the first premise of LC CO. Proof. By Lemma C.3, the domain of Ψ equals the domain of ∆. To use LC CO, we must show the following: Furthermore, `wf ∆ implies that all kinds in ∆ (constructs to the 00 1. Γ `co γ :Ψ1 (φ) right of a colon) are well-scoped—that is, no variable is mentioned 0 0 We know Γ `tel ρ2, γ :Ψ1(∆2, c: φ). Inverting gives us before it is declared. Because the Ψj (∆) operation is defined only 0 0 Γ `co γ :Ψ1(φ)[ρ2/Ψ1(∆2)]. Because we care only to substitute in kinds and to not substitute a variable after it is about the names of the variables in the substitution expres- locally bound, it is impossible for the substitution to change ∆. 0 0 sion, we can rewrite this as Γ `co γ :Ψ1(φ)[ρ2/∆2]. Thus, Ψj (∆) = ∆, as desired. From the definition of extend, we can see that all of the 00 substitutions performed by Ψ1 (·) that are not in Ψ map a Lemma C.9 (Ψj -consistency). If Γ `lc ∆ Ψ, then Γ `tel 0 0 ! domain element of ∆2 to its corresponding ρ ∈ ρ2. Thus, Ψj (dom ∆) : ∆. 00 we can rewrite the judgement above as Γ `co γ :Ψ1 (φ), as desired. Proof. We wish to use clause 5 of the lifting context substitution 00 00 00 00 2. Γ `co sym (Ψ (σ1)) γ Ψ (σ2):Ψ (σ1) ∼ Ψ (σ2), lemma (Lemma C.4), with ρ = dom ∆ and ∆0 = ∆. We must 2 2 where φ = σ1 ∼ σ2 # # show Γ, ∆ `tel dom ∆ : ∆. This is true by straightforward in- We wish to use the lifting lemma (Lemma 5.3) twice to duction on the length of ∆. Then, we apply Lemma C.4 to get 00 00 get the types of Ψ (σ1) and Ψ (σ2). We know Γ `lc Γ `tel Ψj (dom ∆) : Ψj (∆). By Lemma C.8, this can be rewrit- 00 ∆1, ∆2 ! Ψ . We must show Γ, ∆1, ∆2 `ty σ1 : κ1 for ten as Γ `tel Ψj (dom ∆) : ∆, as desired. some κ1 and Γ, ∆1, ∆2 `ty σ2 : κ2 for some κ2. Inversion on `wf Γ, ∆1, ∆2, c: σ1 ∼ σ2 gives us Γ, ∆1, ∆2 `pr σ1 ∼ Lemma C.10 (Lifting context extension consistency). If Γ `lc 0 σ2 ok, and further inversion gives us Γ, ∆1, ∆2 `ty σ1 : κ1 ∆1 ! Ψ, `wf Γ, ∆1, ∆2, Γ `tel ρ2 :Ψ1(∆2), and Ψ = 0 and Γ, ∆1, ∆2 `ty σ2 : κ2 for some κ1 and κ2, exactly extend(Ψ; ρ2; ∆2), then Γ `lc ∆1, ∆2 ! Ψ . what we needed. 00 Now, we apply the lifting lemma to get Γ `co Ψ (σi ): Proof. We proceed by induction on the derivation of Γ `tel ρ : 00 00 2 Ψ1 (σi ) ∼ Ψ2 (σi ). As shown in the previous case, Γ `co Ψ1(∆2). 00 00 γ :Ψ1 (σ1) ∼ Ψ1 (σ2). Therefore, by simple application 00 of typing rules, we can derive Γ `co sym (Ψ (σ1)) γ • ρ = ∆ = Ψ0 = Ψ 00 00 00 Case 2 ∅; 2 ∅: In this case , and thus we must Ψ (σ2):Ψ2 (σ1) ∼ Ψ2 (σ2) as desired. # # show Γ `lc ∆1 ! Ψ, which we know by assumption. 0 0 • Case ρ2 = ρ2, τ; ∆2 = ∆2, a: κ: 0 0 The inductive hypothesis is: if `wf Γ, ∆1, ∆2, Γ `tel ρ2 : 0 00 0 0 0 Ψ1(∆2), and Ψ = extend(Ψ; ρ2; ∆2), then Γ `lc ∆1, ∆2 ! Lemma C.11 (Telescope composition). If Γ `tel ρ1 : ∆1 and 00 0 0 0 Ψ . We must show Γ `lc ∆1, ∆2, a: κ ! Ψ , where Ψ = Γ `tel ρ1, ρ2 : ∆1, ∆2, then Γ `tel ρ2 : ∆2[ρ1/∆1]. 0 0 extend(Ψ; ρ2, τ; ∆2, a: κ). By the definition of extend, we know we will have to use rule Proof Sketch. By induction on the length of ρ2. 0 LC TY. It is easy to see from the definition of extend that Ψ is 00 0 Lemma C.12 (S KPUSH preservation). If Ψ with an additional mapping from a. Thus, Γ `lc ∆1, ∆2 ! 00 Ψ fulfills the first premise of LC TY. To use LC TY, we must 1. Γ `tm case (K τ ρ e . γ) of p → u : σ and show the following: 0 0 0 00 2. case (K τ ρ e.γ) of p → u −→ case (K τ ρ e ) of p → u, 1. Γ `ty τ :Ψ1 (κ) 0 0 then We know Γ `tel ρ2, τ :Ψ1(∆2, a: κ). Inverting gives us 0 0 0 0 0 Γ `ty τ :Ψ1(κ)[ρ2/Ψ1(∆2)]. Because we care only about Γ `tm case (K τ ρ e ) of p → u : σ the names of the variables in the substitution expression, we 0 0 Proof. By inversion we know that: can rewrite this as Γ `ty τ :Ψ1(κ)[ρ2/∆2]. From the definition of extend, we can see that all of the substitutions 00 • K: ∀ a: κ. ∀ ∆. σ → (T a) performed by Ψ1 (·) that are not in Ψ map a domain element 0 0 • Ψ = extend(context(γ); ρ; ∆) of ∆2 to its corresponding ρ ∈ ρ2. Thus, we can rewrite the 00 • 0 judgement above as Γ `ty τ :Ψ1 (κ) as desired. τ = Ψ2(a) 00 00 • 0 2. Γ `ty τ . Ψ (κ):Ψ2 (κ) ρ = Ψ2(dom ∆) 0 We wish to use the lifting lemma (Lemma 5.3). We know • ei = ei . Ψ(σi ) 0 00 0 Γ `lc ∆1, ∆2 ! Ψ . We must show Γ, ∆1, ∆2 `ty κ : σ • Γ `tm ei : σi [τ/a][ρ/∆] 0 for some σ. This fact, for σ = ?, comes directly from • Γ `tm (K τ ρ e) . γ : T τ . 0 inversion on `wf Γ, ∆1, ∆2, a: κ. • 00 Γ `tm K τ ρ e : T τ. Now, we apply the lifting lemma to get Γ `co Ψ (κ): 00 00 Ψ1 (κ) ∼ Ψ2 (κ). As shown in the previous case, Γ `ty We will have to use rule T CASE to get the desired result. 00 τ :Ψ1 (κ). Therefore, by simple application of typing Because the patterns are not changing, we need only show that 00 00 0 0 0 0 rules, we can derive Γ `ty τ . Ψ (κ):Ψ2 (κ) as desired. Γ `tm K τ ρ e : T τ .

19 2013/3/29 2 0 By convention, we have chosen the length of the list τ to be the • Γ `co nth γ : σ2 ∼ σ2, by CT NTH2CA 2 0 same as that of the list a: κ in the type of K . Thus, we know that • Γ `co sym (nth γ): σ2 ∼ σ2, by symmetry 0 0 0 0 00 Γ `ty K τ : ∀ ∆[τ /a]. (σ[τ /a] → T τ ). • Γ `co γ : σ1 ∼ σ2, by definition of transitivity 0 0 00 00 Now, we must show that Γ `tel ρ : ∆[τ /a]. This can be • Γ `tm v γ : τ[γ /c], by coercion instantiation 0 00 0 00 0 0 0 rewritten as Γ `tel Ψ2(dom ∆) : ∆[τ /a]. • Γ `co γ@(γ , γ ): τ[γ /c] ∼ τ [γ /c ], by CT INSTC. We know from Lemma C.10 that Γ `lc a: κ, ∆ ! Ψ (using Lemma 5.5 to get Γ `lc a: κ ! context(γ)). Lemma C.9 then The final term has the desired type by casting. gives us Γ `tel Ψ2(a, dom ∆) : a: κ, ∆. Invoking Lemma C.11 0 gives us Γ `tel Ψ2(dom ∆) : ∆[τ /a] as desired. D. Type Erasure 0 0 0 We have now shown that Γ `ty K τ ρ :Ψ2(σ) → T τ . 0 We need the following small lemma before we can prove type We need to show that Γ `tm e :Ψ2(σi ), or equivalently, i erasure: Γ `tm ei . Ψ(σi ):Ψ2(σi ). We will need the lifting lemma (Lemma 5.3). We have already shown Γ `lc a: κ, ∆ ! Ψ; we Lemma D.1 (Type erasure erases types). No type variable a or must show Γ, a: κ, ∆ `ty σi : κi for some type κi . By repeated coercion variable c appears free in |e|, for any expression e. inversion on the typing judgement for K , we will get Γ, a: κ, ∆ `ty σ : κ as desired. Thus, the lifting lemma gives us Γ ` Ψ(σ ): i i co i Proof. Straightforward inspection of definition of |e|. Ψ1(σi ) ∼ Ψ2(σi ). We note that, by construction, Ψ1(·) maps a to τ and dom ∆ to ρ. Thus, σi [τ/a][ρ/∆] = Ψ1(σi ). Now, by straightforward application of typing rules, we can see that Corollary D.2 (Substitution in erased expressions). For all expres- sions e, types τ, coercions γ, and variables a and c, Γ `tm ei . Ψ(σi ):Ψ2(σi ) as desired. 0 0 0 0 Thus, Γ `tm K τ ρ e : T τ as desired, and we are done. 1. |e[τ/a]| = |e| 2. |e[γ/c]| = |e| C.3 Other preservation cases We can now present the proof for the type erasure theorem: If Lemma C.13 (S TPUSH Preservation). If e −→ e0, then either |e| = |e0| or |e| −→ |e0|. 1. Γ `tm (v . γ) τ : σ2[τ/a2] and 2. Γ `co γ : ∀ a1: κ1. σ1 ∼ ∀ a2: κ2. σ2 Proof. We proceed by induction on e −→ e0. 3. (v . γ) τ −→ e0 where 0 0 0 4. e = v (τ . γ ) . γ@(hτi . γ ) and Cases S BETA,S TBETA,S CBETA,S CASEMATCH: The erased 5. γ0 = sym (nth1 γ), expression steps by the same rule as the unerased expression, then Γ ` e0 : σ [τ/a ]. appealing to Corollary D.2 in the S TBETA and S CBETA tm 2 2 cases.

Proof. By inversion of the typing derivation we know that Γ `tm Cases S EAPP,S TAPP,S CAPP,S CASE: We appeal to the 0 0 v . γ : ∀ a2: κ2. σ2 and Γ `ty τ : κ2. An additional inversion induction hypothesis. If |e| = |e |, we are done. If |e| −→ |e |, gives us Γ `tm v : ∀ a1: κ1. σ1. Therefore we can show that then we use the same stepping rule as the unerased expression used. 0 • Γ `co γ : κ2 ∼ κ1, by the rules for symmetry and nth and Cases S PUSH,S TPUSH,S CPUSH,S COMB: Straightforward 0 0 • Γ `ty τ . γ : κ1, by casting and application of the definition of erasure yields |e| = |e |. 0 0 • Γ `tm v (τ . γ ): σ1[τ . γ /a1], by type application. Case S COERCE: 0 Furthermore, we have e −→ e OERCE 0 S C 0 0 e . γ −→ e . γ • Γ `co hτi . γ : τ . γ ∼ τ, by reflexivity and coherence and 0 0 0 0 • Γ `co γ@(hτi . γ ): σ1[τ . γ /a1] ∼ σ2[τ/a2], by By the definition of erasure, |e . γ| = |e| and |e . γ| = |e |. 0 0 instantiation. By the induction hypothesis, either |e| = |e | or |e| −→ |e |. In either case, we are done. Thus the final term has the desired type by casting. Case S KPUSH:

Lemma C.14 (S CPUSH Preservation). If K: ∀ a: κ. ∀ ∆. σ → (T a) ∈ Γ Ψ = extend(context(γ); ρ; ∆) 0 1. Γ `tm (v . γ) γ : σ and 0 τ = Ψ2(a) 0 00 00 0 0 2. (v . γ) γ −→ v γ . γ@(γ , γ ), where ρ = Ψ2(dom ∆) 00 1 0 2 3. γ = nth γ γ sym (nth γ) and for each ei ∈ e, # # 0 0 0 0 4. Γ `co γ :(∀ c: φ. τ) ∼ (∀ c : φ . τ ), ei = ei . Ψ(σi ) S KPUSH 00 00 0 then Γ `tm v γ . γ@(γ , γ ): σ. case ((K τ ρ e) . γ) of p → u −→ case (K τ 0 ρ0 e0) of p → u Proof. By inversion, we have Here, e = case ((K τ ρ e) . γ) of p → u and e0 = 0 0 0 0 0 0 • Γ `tm v . γ : ∀ c : φ . τ case (K τ ρ e ) of p → u. Thus, by the definition of 0 • Γ `tm v : ∀ c: φ. τ erasure, |e| = case (K • |e|) of p → |u| and |e | = 0 0 0 0 • Γ `co γ : φ case (K • |e |) of p → |u|. To show that |e| = |e |, we must 0 0 0 • σ = τ [γ /c ]. show only that |e| = |e0|. From the definition of S KPUSH, 0 0 0 0 0 ei = ei . Ψ(σi ) and thus |ei | = |ei | as desired. Let φ = σ1 ∼ σ2 and φ = σ1 ∼ σ2. We can show 1 0 • Γ `co nth γ : σ1 ∼ σ1, by CT NTH1CA

20 2013/3/29 E. Metatheory for Consistency Case CT COH: Given rule: 0 In this section, we show that good contexts are consistent contexts Γ `co γ : τ1 ∼ τ2 Γ `ty τ1 . γ : κ OH 0 0 CT C following the plan laid out in Section 6. Recall the conditions of a Γ `co γ . γ : τ1 . γ ∼ τ2 good context: By induction and erasure, we have |Γ| |= |γ| : |τ1| ∼ |τ2|. We have Good Γ when the following conditions hold: 0 0 But also by erasure, we have |γ .γ | = |γ| and |τ1 .γ ∼ τ2| = 1. All coercion assumptions and axioms in Γ are of the form |τ1| ∼ |τ2|, so we are done. 0 C: ∀ ∆. (F τ ∼ τ ) or of the form c: a1 ∼ a2. In the first form, Case CT CAPP: Given rule: the arguments to the type function must behave like patterns. 0 0 Γ `co γ1 : τ1 ∼ τ1 For every well formed ρ, every τi ∈ τ and every τi such that 0 0 0 0 0 0 0 Γ `ty τ1 γ2 : κ Γ `ty τ1 γ2 : κ Γ |= τi [ρ/∆] τi , it must be τi = τi [ρ /∆] for some ρ with CT CAPP 0 0 0 Γ ` γ (γ , γ0 ): τ γ ∼ τ 0 γ0 Γ |= σm σm for each σm ∈ ρ and σm ∈ ρ . co 1 2 2 1 2 1 2 2. There is no overlap between axioms and coercion assumptions. By induction and definition of erasure, we have |Γ| |= |τ1| •co : 0 0 0 For each F ρ there exists at most one prefix ρ1 of ρ such that |κ|, |Γ| |= |τ1| •co : |κ |, and |Γ| |= |γ| : |τ1| ∼ |τ1|. Hence, there exist C and σ where Γ |= C ρ1 :(F ρ1 ∼ σ). This C by rule ICT CAPP, we have |Γ| |= |γ|(•co, •co): |τ1| •co ∼ 0 is unique for every matching F τ1. |τ1| •co, and we are done by erasure. 3. For each a, there is at most one assumption of the form c: a ∼ Case CT ALLC: Given rule: 0 0 0 0 a or c: a ∼ a, and a 6= a . Γ `co η1 : σ1 ∼ σ1 φ1 = σ1 ∼ σ2 Γ ` η : σ ∼ σ0 φ = σ0 ∼ σ0 4. Axioms equate types of the same kind. For each C: ∀ ∆. (F τ ∼ co 2 2 2 2 1 2 0 c # |γ| c # |γ| τ ) in Γ, the kinds of each side must equal: for some κ, 1 2 0 Γ, c : φ , c : φ ` γ : τ ∼ τ Γ, ∆ |= F τ : κ and Γ, ∆ |= τ : κ and that kind 1 1 2 2 co 1 2 Γ `ty ∀ c1: φ1. τ1 : ? Γ `ty ∀ c2: φ2. τ2 : ? must not mention bindings in the telescope, Γ |= κ : ?. CT ALLC Γ `co ∀(η ,η )(c1, c2).γ :(∀ c1: φ1. τ1) ∼ (∀ c2: φ2. τ2) Showing that these conditions ensure that the context cannot 1 2 prove two value types equal requires a number of auxiliary lemmas. By induction and definition of erasure, we have 0 • |Γ| |= |η1| : |σ1| ∼ |σ1|, Lemma E.1 (No free coercion variables in erased types). If Γ `ty • |Γ| |= |η | : |σ | ∼ |σ0 |, τ : κ, then c#|τ|. 2 2 2 • |φ1| = |σ1| ∼ |σ2|, 0 0 • |φ2| = |σ | ∼ |σ |, Proof. Proof is by inspection of the erasure function. All coercions 1 2 • |Γ|, c : |φ |, c : |φ | |= |γ| : |τ | ∼ |τ |, are removed from types. 1 1 2 2 1 2 • |Γ| |= ∀ c1: |φ1|. |τ1| : ?, and • |Γ| |= ∀ c : |φ |. |τ | : ?. Proof of Lemma 6.5 (Erasure is type preserving) If a judgement 2 2 2 Furthermore, the original rule restricted c and c from holds in the explicit system, the judgement with coercions erased 1 2 appearing in |γ|. Hence by, ICT ALLC, we have |Γ| |= throughout the context, types and coercions is derivable in the ∀ (c1, c2).|γ| :(∀ c1: |φ1|. |τ1|) ∼ (∀ c2: |φ2|. |τ2|) implicit system. (|η1|,|η2|) and we are done by erasure. 1. If `wf Γ then |= |Γ|.

2. If Γ `ty τ : κ then |Γ| |= |τ| : |κ|.

3. If Γ `pr φ ok then |Γ| |= |φ| ok. 0 Lemma E.2 (Application). If Good Γ and Γ |= σ1 ⇔ σ1 and 0 0 0 4. If Γ `co γ : φ then |Γ| |= |γ| : |φ|. Γ |= σ2 ⇔ σ2 then Γ |= σ1 σ2 ⇔ σ1 σ2.

5. If Γ `tel ρ : ∆ then |Γ| |= |ρ| : |∆|. 0 Proof. Let τ1 be a join point of σ1, σ1, and τ2 a join point for 0 σ2, σ2. By repeatedly applying rule TS APP and reflexivity of Proof. By simultaneous induction on the length of the explicit 0 0 typing derivation. We present a few representative cases. rewriting, we find that τ1 τ2 is a join point for σ1 σ2 and σ1 σ2.

Case K CAST: Given rule: Lemma E.3 (Type function preservation). Suppose that C: ∀ ∆. (F τ ∼ τ 0) ∈ Γ, and Good Γ. Now, suppose that Γ |= F ρ σ, where Γ `ty τ : κ1 Γ `co η : κ1 ∼ κ2 Γ `ty κ2 : ? K CAST ρ has length strictly smaller than the size of the telescope τ. Then, Γ ` τ . η : κ 0 0 ty 2 σ = F ρ , such that Γ |= ρ ρ . By induction, we have |Γ| |= |τ| : |κ1| and |Γ| |= |η| : |κ1| ∼ |κ2| and |Γ| |= |κ2| : | ? |. By the rule IT CAST, we Proof. By induction on the length of the telescope ρ. The base case have |Γ| |= |τ| : |κ2|. Finally, by definition of erasure, we is trivial. For the induction step, note that the rule that applies in the have |τ . η| = |τ|, and we are done. given reduction cannot be TS RED, as there aren’t enough terms Case K CAPP: Given rule: in the telescope to reduce. Thus, it must be TS APP that applies. 0 0 0 0 0 00 Therefore, if ρ = ρ , σ , then Γ |= F ρ σ , and Γ |= σ σ . Γ `ty τ1 : ∀ c: φ. κ Γ `co γ1 : φ 0 00 00 00 K CAPP By induction, σ = F ρ , and by rule TS CONS, Γ |= ρ ρ , σ Γ `ty τ1 γ1 : κ[γ1/c] as desired.

By induction and definition of erasure, we have |Γ| |= |τ1| : ∀ c: |φ|. |κ|, and |Γ| |= |γ1| : |φ|. Hence, by rule IT CAPP, Here, we prove completeness of the rewrite reduction with re- we have |Γ| |= |τ1| •co : |κ|, and by erasure |τ1 γ1| = |τ1| •co. spect to the coercion relation. The two key lemmas of the complete- Finally, we have |κ[γ/c]| = |κ|, as the erasure operation erases ness proof are that joinability is preserved under substitution, and a all coercions within κ. local diamond property of rewriting.

21 2013/3/29 0 Lemma E.4 (Local diamond property). If Good Γ, Γ |= σ σ1, Lemma E.6 (Single Step Substitution). If Γ |= τ τ , σ well- 0 and Γ |= σ σ2 then there exists a σ3 such that Γ |= σ1 σ3 formed and a not free in Γ, then Γ |= σ[τ/a] σ[τ /a]. and Γ |= σ2 σ3. 0 Proof. By induction on σ. For instance, if σ = ∀ c: σ1 ∼ σ2. σ , Proof. Induction on lengths of the two step derivations with a case by induction, analysis on the last rule used in each. Γ |= σ0[τ/a] σ0[τ 0/a], The overlapping cases are TS REFL and anything else, TS APP-TS RED (and symmetric), and all instances with the and also 0 same final rule on both sides. The reflexivity overlaps are trivial. All Γ |= σi [τ/a] σi [τ /a]. other pairs of rules apply to types with different head forms. Of the Thus, by rule TS ALLC, we conclude same-same overlaps, most follow by induction. (We demonstrate 0 0 0 an example of this pattern with case TS APP-TS APP below.) The Γ |= (∀ c: σ1 ∼ σ2. σ )[τ/a] (∀ c: σ1 ∼ σ2. σ )[τ /a]. exception is TS RED-TS RED and TS VARRED-TS VARRED The other cases are similar. which are both deterministic. Below, we complete the proof with the TS APP-TS RED case. ∗ 0 Lemma E.7 (Multistep Substitution). If Γ |= τ τ , σ well- formed and a not free in Γ, then Γ |= σ[τ/a] ∗ σ[τ 0/a]. Case TS APP-TS APP Concretely, we have a type τ σ with re- ductions: ∗ Proof. By induction on the length of the reduction Γ |= τ 0 0 00 00 0 Γ |= τ σ τ σ , Γ |= τ σ τ σ τ . The base case is trivial, and the inductive step follows by Lemma E.6. Now, we can deduce: 0 Γ |= σ σ0, Γ |= σ σ00 Lemma E.8 (Single Substitution). If Γ |= τ ⇔ τ , and Γ |= σ 0 0 000 σ , with σ, σ well-formed and a not free in Γ, then Γ |= σ[τ/a] ⇔ So by induction, we can find σ that is a common reduct. We σ0[τ 0/a]. also know Γ |= τ τ 0, Γ |= τ τ 00 Proof. There is a join point τ 00 of τ and τ 0, we can apply ∗ 00 0 ∗ 00 So, also by induction, we can find τ 000 that is a common reduct Lemma E.7 to the reductions Γ |= τ τ and Γ |= τ τ , of the two. Hence, by TS TAPP, and connect two reductions with Lemma E.5. 0 0 000 000 00 00 000 000 Γ |= τ σ τ σ Γ |= τ σ τ σ Lemma E.9 (Single Step Double Substitution). Suppose Good Γ and Γ |= σ σ0, with a free in σ and a0 free in σ0 well-formed, Case TS RED-TS APP Concretely, we have a type F ρ, with re- and Γ = Γ0, c: a ∼ a0, Γ00 or Γ = Γ0, c: a0 ∼ a, Γ00. Then ductions: Good (Γ0, Γ00)[τ/a][τ 0/a0], and if (Γ0, Γ00)[τ/a][τ 0/a0] |= τ ⇔ 0 0 0 0 00 0 0 0 0 0 Γ |= (F ρ) σ1, Γ |= (F ρ) σ2 σ τ , then (Γ , Γ )[τ/a][τ /a ] |= σ[τ/a] ⇔ σ [τ /a ]. where the first reduction is a type function reduction. Now note that, since context is good, type functions axioms are non- Proof. Note first that since Good Γ, the only axiom mentioning 0 0 00 0 0 overlapping. Now say that ρ = ρ0, σ We have by inversion, a, a is c. Hence, Good (Γ , Γ )[τ/a][τ /a ] is immediate. The 0 0 0 0 Γ |= F ρ0 σ2. By Lemma E.3, we have that σ2 = F ρ0, rest follows by induction on the derivation of Γ |= σ σ . 0 0 0 such that Γ |= ρ0 ρ0, and so that Γ |= ρ0, σ ρ0, σ . We have that if the coercion for F is C: ∀ ∆. (F τ ∼ τ 0), then Case TS REFL: Follows from Lemma E.8. Case TS ALLT: The rule is we have ρ0, σ = τ[ρ1/∆], and now by the second condition of 0 0 0 0 0 good contexts, we have a ρ1, such that Γ, Γ |= κ κ Γ, c: a1 ∼ a2, Γ |= σ σ LL 0 0 0 TS A T 0 0 0 0 Γ, Γ |= ∀ a1: κ. σ ∀ a2: κ . σ ρ0, σ = τ[ρ1/∆] Γ |= ρ1 ρ1 0 0 00 0 0 000 In which case we have a reduction Γ |= F ρ0 σ0 τ 0[ρ0 /∆]. where a1 6= a2 6= a 6= a , and Γ, Γ = Γ , c : a ∼ a , Γ . 0 1 By induction, we have both (Γ, Γ0)[τ/a][τ 0/a0] |= κ[τ/a] ⇔ But, by an extension of Appendix E for telescopes, we have that 0 0 0 0 0 0 0 κ[τ /a ] and Γ[τ/a][τ /a ], c: a1 ∼ a2, Γ [τ/a][τ /a ] |= 0 0 0 0 0 0 σ1 = τ [ρ1/∆] Γ |= σ1 τ [ρ1/∆] σ[τ/a] ⇔ σ [τ /a ]. But now, we can put these transitions together with rule TS ALLT: first, we have as desired. Case TS RED-TS RED Concretely, we have a type F σ1 σ2, (Γ, Γ0)[τ/a][τ 0/a0] |= which can also be written as F σ3 σ4, such that we have 0 0 0 reductions: ∀ a1: κ[τ/a]. σ[τ/a] ⇔ ∀ a1: κ [τ /a ]. σ[τ/a] 0 00 α ∀ a : κ0[τ 0/a0]. σ[τ/a] Γ |= F σ σ , Γ |= F σ σ By -renaming, the right hand side is 2 . Now, we have But since good contexts have non-overlapping axioms, we have that only one axiom applies. Hence, we are done: σ0 = σ00. (Γ, Γ0)[τ/a][τ 0/a0] |= 0 0 0 0 0 0 0 0 0 ∀ a2: κ [τ /a ]. σ[τ/a] ⇔ ∀ a2: κ [τ /a ]. σ [τ /a ] and we are done by Lemma E.5. Lemma E.5 (Transitivity of Rewriting). If Good Γ and Γ |= Case TS ALLC: Almost identical to the previous case. σ1 ⇔ σ2 and Γ |= σ2 ⇔ σ3, then Γ |= σ1 ⇔ σ3. Case TS RED: Follows from Lemma E.8. 0 Proof. Appeal to the local diamond property. Suppose σ12 is a join Case TS VARRED: If the coercion in question isn’t c: a ∼ a , point for σ1, σ2 and σ23 is a join point for σ2, σ3. By Lemma E.4, then this case is trivial. Otherwise, we have by assumption that 0 00 0 0 0 there is a join point σ0 for σ12, σ23, and hence is a join point for (Γ , Γ )[τ/a][τ /a ] |= τ ⇔ τ , which is exactly what we σ1, σ3. need to prove.

22 2013/3/29 Case TS APP: Similar to the previous cases. By induction (sup- Proof. Straightforward induction. pose we are substituting σ00, σ000, 0 00 00 000 0 00 0 000 0 We need a lemma to deal with the kind γ construct. Essentially, (Γ , Γ )[σ /a][σ /a ] |= τ[σ /a] ⇔ τ [σ /a ] this lemma states that we don’t need the kind γ construct, as it is and already internalized in our system. (Γ0, Γ00)[σ00/a][σ000/a0] |= σ[σ00/a] ⇔ σ0[σ000/a0]. Lemma E.16 (Admissibility of “kind”). Suppose we have a derivation Γ |= γ : τ1 ∼ τ2, such that Γ |= τ1 : κ1 and So, by applying TS APP, we have 0 0 Γ |= τ2 : κ2 and fcv(γ) ⊆ dom Γ for some subcontext Γ satis- 0 (Γ0, Γ00)[σ00/a][σ000/a0] |= fying Good Γ . Then, there exists a derivation Γ |= η : κ1 ∼ κ2 at strictly lower height, for some η, such that fcv(η) ⊆ dom Γ0. τ[σ00/a](σ[σ00/a]) ⇔ τ 0[σ000/a0](σ[σ00/a]) and Proof Sketch. By induction on the derivation Γ |= γ : τ1 ∼ τ2. Most cases are straightforward. We consider two here. (Γ0, Γ00)[σ00/a][σ000/a0] |= Case ICT TRANS: Given rule: τ 0[σ000/a0](σ[σ00/a]) ⇔ τ 0[σ000/a0](σ0[σ000/a0]) Γ |= γ1 : τ1 ∼ τ2 Γ |= γ2 : τ2 ∼ τ3 ICT TRANS so we are done by Lemma E.5. Γ |= γ1 γ2 : τ1 ∼ τ3 Case TS CAPP: Immediate, by induction. # Note that the free coercion variables of γ1 γ2 lie in a good context, so the same is true of γ1 and γ2. Hence,# by induction, we are able to find derivations of Γ |= η1 : κ1 ∼ κ2 and ∗ Lemma E.10 (Substitution). Suppose Good Γ and Γ |= σ Γ |= η2 : κ2 ∼ κ3, both of height less than that of any 0 0 0 0 0 00 σ , with a, a free in σ, σ , and Γ = Γ , c: a ∼ a , Γ . premises of ICT TRANS. Now, by ICT TRANS, we are able to 0 00 0 0 0 Suppose also that (Γ , Γ )[τ/a][τ /a ] |= τ ⇔ τ . Then, create a proof Γ |= η1 η2 : κ1 ∼ κ3 at height strictly less (Γ0, Γ00)[τ/a][τ 0/a0] |= σ[τ/a] ⇔ σ0[τ 0/a0]. than that of the conclusion,# and we are done.

∗ 0 Case ICT AXIOM: Given rule: Proof. Induction on the length of reduction Γ |= σ σ . The C: ∀ ∆. (τ1 ∼ τ2) ∈ ΓΓ |= ρ : ∆ base case is trivial. The inductive step follows by Appendix E and ICT AXIOM Lemma E.5. Γ |= C ρ : τ1[ρ/∆] ∼ τ2[ρ/∆] Note that the free coercion variables of C ρ lie in a good Corollary E.11 (Joinability substitution). Suppose Good Γ and 0 0 0 0 context, so the same is true of C and ρ. Thus, the axiom lies Γ |= σ ⇔ σ , with a, a free in σ, σ , and Γ = Γ , c: a ∼ in a good subcontext. By definition of Good Γ0, we have that a0, Γ00. Suppose also that (Γ0, Γ00)[τ/a][τ 0/a0] |= τ ⇔ τ 0. Then, 0 00 0 0 0 0 0 both sides are kind κ for a closed kind. Hence, simply choosing (Γ , Γ )[τ/a][τ /a ] |= σ[τ/a] ⇔ σ [τ /a ]. η = hκi suffices. This η will have no free coercion variables Proof. By induction on the number of transitions in Γ |= σ ⇔ σ0. (appealing to Lemma E.1), so the restriction on free coercion The base case is trivial. For the induction step, we can use the variables is vacuously satisfied. induction hypothesis, combined with Lemma E.10. But, what is the height of the derivation of Γ |= hκi : κ ∼ κ? It is one more than the height of Γ |= κ : σ, the premise of Lemma E.12 (Joinability strengthening). If Good (Γ, a: κ, Γ0) Γ |= hκi : κ ∼ κ. This derivation Γ |= κ : σ must be 0 0 0 and Γ, a: κ, Γ |= τ1 ⇔ τ2, then Good (Γ, Γ )Γ, Γ |= τ1 ⇔ τ2. a part of the derivation concluding in ICT AXIOM: One of the premises to ICT AXIOM is Γ |= ρ : ∆. That judgement, in Proof. By inspection on the rewrite relation. The rewrite relation turn, must eventually appeal to IT2 EMPTY, which depends on does not depend on any type bindings in the context, only axioms. |= Γ. Because C ∈ dom Γ, the proof of |= Γ must appeal to IV AX, which in turn depends on Γ, ∆ |= τ1 ∼ τ2 ok. This depends on Γ, ∆ |= τ1 : κ. By Lemma E.14, the proof that 0 Lemma E.13 (Basic implicit substitution). 1. If Γ, a: κ1, Γ |= Γ, ∆ |= κ : σ (for σ = ?) is strictly smaller than that of 0 τ : κ2 and Γ |= σ : κ1, then Γ, Γ [σ/a] |= τ[σ/a]: Γ, ∆ |= τ1 : κ. From the fact that C lies in a good context, κ2[σ/a]. we know that κ must not contain variables introduced in ∆, so 0 0 2. If |= Γ, a: κ1, Γ and Γ |= σ : κ1, then |= Γ, Γ [σ/a]. there exists a derivation Γ |= κ : σ and the height of this 0 0 3. If Γ, a: κ1, Γ |= φ ok and Γ |= σ : κ1, then Γ, Γ [σ/a] |= derivation is no larger than the height of Γ, ∆ |= κ : σ, φ[σ/a] ok. invoking Lemma E.15. Thus, the height of Γ |= hκi : κ ∼ κ is strictly smaller than the height of the derivation concluding Proof. Straightforward mutual induction. in ICT AXIOM, as desired. Lemma E.14 (Implicit regularity/generation). If Γ |= τ : κ, then Γ |= κ : ? and the height of this derivation is at most the height of Γ |= τ : κ. Lemma E.17 (Nth joinability). Suppose that Γ |= H ρ ⇔ H ρ0, 0 and Good Γ. Then, Γ |= ρi ⇔ ρi . Proof. Straightforward induction, appealing to Lemma E.13 in the IT TAPP case. The base cases appeal to rules IT STARINSTAR and Proof. By induction on the length of the telescopes (by inversion, IT ARROWK. both have the same length). The base case is trivial. For induction, 0 note that H ρ, H ρ must both step by TS APP. Hence, by the form Lemma E.15 (Weakening for implicit system). If Γ |= τ : κ, 0 0 0 of that rewrite rule, say that ρ = ρ0, ρ0 and ρ = ρ0, ρ0, and then Γ, Γ0 |= τ : κ for any Γ0 such that |= Γ, Γ0, and there exists 0 the length of the telescopes are preserved. So, Γ |= ρ0 ⇔ ρ0. If a derivation of Γ |= τ : κ with height at most the height of the we want the last element in the telescope, we are done. Otherwise, derivation of Γ, Γ0 |= τ : κ. 0 Γ |= H ρ0 ⇔ H ρ0, and we are done by induction.

23 2013/3/29 From these lemmas we see that joinability is complete. Note that the free coercion variables of ∀η(a1, a2, c).γ lie in Proof of Lemma 6.7 (Completeness) Suppose that Γ |= γ : a good context, so the same is true of γ since c: a1 ∼ a2 is a 0 0 σ1 ∼ σ2, and fcv(γ) ⊆ dom Γ for some subcontext Γ satisfying good assumption that doesn’t overlap with the previous axioms, 0 Good Γ . Then Γ |= σ1 ⇔ σ2. as the variables a1, a2 are fresh. Hence, by induction, we have Γ, a1: κ1, a2: κ2, c: a1 ∼ a2 |= τ1 ⇔ τ2, which we can Proof. By induction on the structure of Γ |= γ : σ1 ∼ σ2. strengthen to Γ, c: a1 ∼ a2 |= τ1 ⇔ τ2, by Lemma E.12. Case ICT CAPP: We have rule: Also by induction, we have Γ |= κ1 ⇔ κ2, which allows us to finish the rule by TS ALLT. Γ |= γ : τ ∼ τ 0 0 0 Case ICT VAR: Trivial, all assumptions are rewrite rules in good Γ |= τ •co : κ Γ |= τ •co : κ PP contexts. Note that c must be a good assumption in the context. 0 ICT CA Γ |= γ(•co, •co): τ •co ∼ τ •co Case ICT AXIOM: We have the rule:

Note that the free coercion variables of γ(•co, •co) lie in a C: ∀ ∆. (τ1 ∼ τ2) ∈ ΓΓ |= ρ : ∆ good context, so the same is true of γ. Hence, by induction, ICT AXIOM Γ |= C ρ : τ [ρ/∆] ∼ τ [ρ/∆] Γ |= τ ⇔ τ 0. Then, by Lemma E.2, we are done. 1 2 Case ICT ALLC: We know that C lies in a good context, so we know that τ1 has 0 0 the form F τ . Thus, rule TS RED shows that Γ |= τ1[ρ/∆] Γ |= η1 : σ1 ∼ σ1 φ1 = σ1 ∼ σ2 1 0 0 0 τ2[ρ/∆], so we are done, noting that TS REFL shows that Γ |= η2 : σ2 ∼ σ2 φ2 = σ1 ∼ σ2 Γ |= τ2[ρ/∆] τ2[ρ/∆] as well. c1 # γ c2 # γ Γ, c1: φ1, c2: φ2 |= γ : τ1 ∼ τ2 Case ICT NTH: We have the rule: Γ |= ∀ c1: φ1. τ1 : ? Γ |= ∀ c2: φ2. τ2 : ? Γ |= γ : H τ ∼ H τ 0 ICT NTH Γ |= ∀(η ,η )(c1, c2).γ :(∀ c1: φ1. τ1) ∼ (∀ c2: φ2. τ2) i 0 1 2 Γ |= nth γ : τi ∼ τi Note that the free coercion variables of ∀ (c , c ).γ lie i (η1,η2) 1 2 Note that the free coercion variables of nth γ lie in a good in a good context, so the same is true of γ, η1, and η2. Hence, 00 0 context, so the same is true of γ. Hence, by induction, then by induction, there is a join point σ1 for σ1 and σ1, and there 00 0 00 00 Lemma E.17, we are done. is a join point σ for σ2 and σ . Let φ = σ ∼ σ . Also by 2 2 1 2 Case ICT NTH1TA: We have rule: induction, there is a join point τ for τ1, τ2. By rule TS ALLC, we have that Γ |= γ1 :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2) ICT NTH1TA ∗ Γ |= nth1 γ : κ ∼ κ Γ |= ∀ c1: φ1. τ1 ∀ c1: φ. τ 1 1 2 1 and Note that the free coercion variables of nth γ1 lie in a good ∗ context, so the same is true of γ1. Hence, by induction on γ1, Γ |= ∀ c2: φ2. τ2 ∀ c2: φ. τ the two quantified types have a join point. By inversion on the and hence they are joinable. rewrite relation, both sides must step via TS ALLT. Hence, we Case ICT INST: can find a join point for the kinds, and Γ |= κ1 ⇔ κ2 as desired. Γ |= γ1 :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2) Cases ICT NTH1CA, ICT NTH2CA: We have rules: Γ |= γ2 : σ1 ∼ σ2 0 0 0 0 Γ |= σ : κ Γ |= σ : κ Γ |= γ :(∀ c: κ1 ∼ κ2. τ) ∼ (∀ c : κ1 ∼ κ2. τ ) 1 1 2 2 TH ICT INST 1 0 ICT N 1CA Γ |= γ1@γ2 : τ1[σ1/a1] ∼ τ2[σ2/a2] Γ |= nth γ : κ1 ∼ κ1 Note that the free coercion variables of γ@γ0 lie in a good 0 0 0 0 Γ |= γ :(∀ c: κ1 ∼ κ2. τ) ∼ (∀ c : κ1 ∼ κ2. τ ) TH context, so the same is true of γ and γ. Hence, by induction, 2 0 ICT N 2CA Γ |= nth γ : κ2 ∼ κ Γ |= σ1 ⇔ σ2, and Γ |= (∀ a1: κ1. τ1) ⇔ (∀ a2: κ2. τ2). Now, 2 by inversion on the step relation for quantified types, we find Virtually identical to the previous case. that Γ, c: a1 ∼ a2 |= τ1 ⇔ τ2. By substitution (Lemma E.10), Case ICT EXT: We have rule: we have Γ |= τ [σ /a ] ⇔ τ [σ /a ], as desired. 1 1 1 2 2 2 Γ |= γ : τ1 ∼ τ2 Γ |= τ1 : κ2 Γ |= τ2 : κ2 Case ICT INSTC: ICT EXT Γ |= kind γ : κ1 ∼ κ2 0 0 0 0 Γ |= γ :(∀ c: σ1 ∼ σ2. τ) ∼ (∀ c : σ1 ∼ σ2. τ ) 0 0 By the admissibility of kind γ (Lemma E.16) we can construct Γ |= γ1 : σ1 ∼ σ2 Γ |= γ2 : σ1 ∼ σ2 0 a derivation of Γ |= η : κ1 ∼ κ2 at strictly smaller height Γ |= γ@(•co, •co): τ ∼ τ that proves the same equality, such that η has free variables in a Note that the free coercion variables of γ@(•co, •co) lie in a good context. Then, we are done by induction. good context, so the same is true of γ. Hence, by induction, 0 0 0 Γ |= (∀ c: σ1 ∼ σ2. τ) ⇔ (∀ c: σ1 ∼ σ2. τ ). Now, by inversion on the step relation for quantified types, we find that 0 Γ |= τ ⇔ τ , and we are done. Proof of the consistency lemma, Lemma 6.8: Case ICT REFL: Trivial. Case ICT SYM: Trivial. Proof. Suppose Γ `co γ : ξ1 ∼ ξ2. Then, we have that Case ICT TRANS: Follows from Lemma E.5. |Γ| |= |γ| : |ξ1| ∼ |ξ2|. By completeness, we have that those two Case ICT APP: ∗ Follows from Lemma E.2. types are joinable. There is some σ such that |Γ| |= |ξ1| σ and ∗ Case ICT ALLT: Γ |= |ξ2| σ. However, by inversion on the rewriting relation, Γ |= η : κ1 ∼ κ2 we see that it preserves the head forms of value types (since there Γ, a1: κ1, a2: κ2, c: a1 ∼ a2 |= γ : τ1 ∼ τ2 exist no axioms for those by the first condition of Good |Γ|). Also, Γ |= ∀ a1: κ1. τ1 : ? Γ |= ∀ a2: κ2. τ2 : ? we know that erasure preserves head forms. Thus, ξ1 and ξ2 (and σ) have the same head form. Γ |= ∀η(a1, a2, c).γ :(∀ a1: κ1. τ1) ∼ (∀ a2: κ2. τ2)

24 2013/3/29 F. Metatheory for Progress Using the consistency lemma, it is straightforward to prove progress. We refer the reader to previous work [Weirich et al. 2010] for this proof, which requires only one more case for the current system: Lemma F.1 (Progress for T CONTRA). Assume Σ is a closed, consistent context. If Σ `tm contra γ τ : τ, then there exists some e such that contra γ τ −→ e.

Proof. By inversion on Σ `tm contra γ τ : τ, we get that Σ `co γ : H1 ρ1 ∼ H2 ρ2 and that H1 6= H2. However, these facts exactly contradict the fact that Σ is consistent. Thus, our premises are absurd and we are done.

25 2013/3/29