Termination Checking with Types Strong Normalization for Mendler-Style Course-Of-Value Recursion

Andreas Abel ?

Department of Computer Science University of Munich Oettingenstr. 67 80538 M¨unchen, Germany [email protected]

Abstract. Gim´enez’type system for structural recursion in the Calcu- lus of Constructions is adapted to typed functional programming. As core language, the λ-calculus with inductive types, subtyping and bounded quantification is introduced. Decorated type variables, which represent approximations of inductive types, enable the type system to track the size of arguments to recursive functions and the size of the result of func- tion calls. Novel are an algorithm for type checking and proofs of type preservation and strong normalization.

1 Introduction

The process of verifying a program can be separated into two parts: As the first step, partial correctness is established by verifying that a program matches its specification; then, termination is shown to obtain full correctness. For practical purposes, a complete verification is too tedious in most cases since it requires a huge amount of interactive theorem proving. But verification of certain program properties slowly makes its way into professional software development. Modern programming languages allow the specification of invariants which are verified statically and fully automatically by the compiler. These invariants effectively help uncover programming errors at compile-time. One very basic invariant is typing and type preservation which has been incor- porated into many modern programming languages, e.g. the widely used JAVA, as Nipkow and von Oheimb proved for a considerable subset [26]. Other interest- ing invariants are termination, and, even stronger, termination independent of the internal evaluation strategy, i.e. strong normalization. We aim at developing fully automatic, verified termination checking. For now, we restrict to declarative programming. To be suitable for practical programming, we claim that termination check- ing has to obey the following principles: First, the criteria on which the checker

? Research supported by the Graduiertenkolleg Logik in der Informatik (PhD Program Logic in Computer Science) of the Deutsche Forschungsgemeinschaft (DFG) decides acceptance must be simple enough for the user to comprehend. He should be able to obtain a model of which program is accepted and which is rejected without much difficulty. A good example here is again typing: In typed func- tional languages, e.g., SML [25], it is easy to write well-typed programs and to comprehend type errors. Secondly—this is strongly connected with the first principle—it must be possible for the compiler to give a good error message and point to the expression which makes the program fail the termination check. Otherwise, termination checking will most probably result in a loss rather than a gain of productivity. Traditionally, termination has been investigated in the context of term rewrit- ing systems. Research has focused on developing more and more powerful algo- rithms which accepted more and more programs as terminating. To this end, increasingly strong term orderings have been described (cf. Dershowitz [16], Steinbach [32], Giesl and Arts [7]). The methods of term rewriting are transferable to functional and logic pro- gramming as follows: The given (untyped) program is translated into a term rewriting system which then is checked for termination. The advantage of this procedure is that the full arsenal of methods developed for term rewriting sys- tems is available. However, due to the translation, termination checking will appear obscure to the user. We believe that, in general, it will be very hard to produce helpful error messages and expose the program location which fails ter- mination. Consequently, we focus on methods which directly deal with functional or logic programs. In the area of functional and logic programming, most termination checkers follow methods from term rewriting and rely on term orderings. Some examples: In previous work [1], we used the subterm ordering extended to higher-order functions to capture the class of structurally recursive functions over strictly positive inductive datatypes. For polynomial inductive types, a greater class of functions is accepted in Telford & Turner’s ESFP [34]. Their termination checker also incorporates a limited form of size-change and dataflow analysis which recognizes certain functions as reducers or preservers. Functions in these classes—first described by Walther [35]—have the property that the size of their output is bound by the size of some input argument (strictly smaller in the case of reducers). Finally, Pientka [29] has implemented termination and reduction checking for higher-order logic programs based on the subterm ordering. Unfortunately, the subterm ordering has some drawbacks. As we will see in an example (Sect. 3), it does not capture the notion of size well enough. Furthermore, as Gim´enezpointed out [18], the usual formulations make it hard to prove strong normalization. To my knowledge, no proof has been published so far. An alternative to subterm calculi is the introduction of type variables to keep track of the relation of the input argument of a function with the argument in the recursive call. This technique was first introduced by Mendler [24] for the restricted case of primitive recursion. His ideas were refined by Gim´enez [18], who proposed an extension of the Calculus of Constructions by a notion of subtyping and bounded quantification to type recursive functions over inductive

2 and coinductive datatypes. So far however, he has not shown that his system is sound, that is, proven of type preservation1 and strong normalization. We adopt Gim´enez’ idea for typed functional programming and propose a method of termination checking by type checking. In this paper, we present a core functional programming language Mini-MLµ≤ with higher-order functions and (non-strictly) positive inductive types. The types come with a lean and decidable subtyping calculus. Recursive functions can be written in a natural way as it is common practice in functional languages. Termination and size information are encoded in the types in a natural way and can be checked fully automated. Our main contribution are proofs of type preservation and strong normalization of our language.

1.1 Comparison with Xi’s Work Recently, Hongwei Xi has presented a method of termination verification which relies on dependent types. His approach seems powerful, practical and rather general, which raises the question whether it encompasses our system. This is not the case, for the following reason: To maintain decidability of type-checking, Xi’s types may only be indexed by integer expressions. In his system, we can construct a type list(n) of lists of length n. Then, we can write a recursive function on list(n) which only calls itself with arguments in list(n−1). Xi’s type system recognizes such a function as terminating. However, for some higher-order datatypes like infinitely branching trees, the height of a structure can no longer be described by a natural number; ordinals are required. Thus, recursive functions on such data structures cannot be shown terminating only with integer constraints. We see another potential problem in Xi’s setting, regarding error messages. To check dependent types, constraints have to be solved. If the constraint solver fails, a given expression is not of the ascribed type. In this case it is hard to ex- plain to the user exactly what caused the problem. In the simply typed setting however, type checking is rather straight-forward and type errors are compre- hensible.

1.2 Overview Besides specification of the language and type-checking (in Sect. 4), the proof of type preservation (Sect. 5) and strong normalization (Sect. 6), this paper contains an introduction to inductive types (Sect. 2), an informal description of our method with examples (Sect. 3), possible applications (Sect. 7) and a discussion of related and further work (Sect. 8).

2 Inductive Types

We consider termination in the setting of simply-typed functional programming with inductive datatypes. Table 1 shows the core language Mini-MLµ most con- 1 alternative term: subject reduction

3 Types:

ρ, σ, τ ::= X | 1 | σ + τ | σ × τ | σ → τ | µX.ρ (where X appears only positively in ρ)

Terms: M,N ::= x | λx.M | M1 M2

| inl M | inr M | (case M of inl x1 ⇒ M1 | inr x2 ⇒ M2)

| () | (M1,M2) | fst M | snd M | fold M | unfold M | fix g(x).M Contexts (all variables distinct): Γ ::= · | Γ, x: τ Typing (τ and all types in Γ closed): Γ ` M : τ Lambda-calculus:

x: τ ∈ Γ Γ, x: σ ` M : τ Γ ` M1 : σ → τ Γ ` M2 : σ

Γ ` x : τ Γ ` λx.M : σ → τ Γ ` M1 M2 : τ

Sum types:

Γ ` M : σ Γ ` M : τ Γ ` M : σ + τ Γ, x1 : σ ` M1 : ρ Γ, x2 : τ ` M2 : ρ

Γ ` inl M : σ + τ Γ ` inr M : σ + τ Γ ` case M of inl x1 ⇒ M1 | inr x2 ⇒ M2 : ρ

Product types:

Γ ` M1 : σ Γ ` M2 : τ Γ ` M : σ × τ Γ ` M : σ × τ Γ ` () : 1 Γ ` (M1,M2): σ × τ Γ ` fst M : σ Γ ` snd M : τ

Inductive types and recursion:

Γ ` M : σ(µX.σ) Γ ` M : µX.σ Γ, g : σ → τ, x : σ ` M : τ Γ ` fold M : µX.σ Γ ` unfold M : σ(µX.σ) Γ ` fix g(x).M : σ → τ

Notational definitions: 0 ≡ µX.X abort ≡ fix g(x).g(unfold x) : 0 → τ

Table 1. The core functional language Mini-MLµ.

structs of which are well-known. Note that fix g(x).M bind the two variables g and x in M. Some significant subset of a functional language like SML can be translated to Mini-MLµ. For example, consider the following SML program:

datatype Nat = Zero | Succ of Nat datatype ListN = Nil | Cons of Nat * ListN

fun sum (Nil) = Zero | sum (Cons (n, l)) = sum’ (n, l)

and sum’ (Zero, l) = sum l | sum’ (Succ n, l) = Succ (sum’ (n, l))

4 In Mini-MLµ, the defined datatypes are represented by the type expressions Nat := µX.1 + X and ListN := µY.1 + Nat × Y . We can define term abbreviations which match the SML-constructors. Zero := fold(inl()) Succ := λx. fold(inr x)

Nil := fold(inl()) Cons := λx.λxs. fold(inr(x, xs)) We chose this representation of datatypes, which is quite common in type theory, because it separates the notion of sum types (+) from inductive types (µ). This will pay off in the formulation of the type system in Sect. 4. The simultaneously recursive functions sum and sum’ can be translated into interleaving recursive functions of Mini-MLµ. For the sake of readability we leave out the type annotations. sum : ListN → Nat sum = fix f(l). case(unfold l) of inl x ⇒ Zero | inr x ⇒ fix g(n). case(unfold n) of inl y ⇒ f(snd x) | inr y ⇒ Succ(g(y))
(fst x) Mini-MLµ allows the definition of partial functions; in the remainder of the paper we will develop a more restrictive set of typing rules in which only a class of total functions is typeable. Throughout the paper we consider α-equivalent terms or types as identical. In all contexts we consider the variable names to be unique. We write [N/x]M resp. [ρ/Y ]τ (or τ(ρ)) for capture-avoiding substitution in terms resp. types.

3 Informal Account In this section we explain the underlying ideas of termination checking with types for the case of lists over natural numbers and gently lead towards a formal presentation. By some examples, we give an informal idea of how termination checking works. Let int list denote the lists of integers in some functional programming lan- guage and int list → int list denote all provably terminating functions from lists to lists. Suppose for some function f over lists we can prove the following as- sertion for an arbitrary n: if f is total for lists of length less than n, then f is total for lists of length less than n + 1. Then by induction on n, and since there are no list of length less than 0, we can prove that f is total for all lists. More formally, let Ln := {l ∈ int list : |l| < n}. If for all n,

f : Ln → int list . . f : Ln+1 → int list,

5 T then f : n(Ln → int list). We can extend this principle to size preservation in a straightforward manner. For our purposes, a function on lists is a preserver if it maps lists of length less than n to lists of the same maximal length for arbitrary n. This is captured by the rule

f : Ln → Ln · · · f : Ln+1 → Ln+1 T f : n(Ln → Ln) For a formalization of this rule in a type system, the fundamental idea to keep track of the size of function arguments is the introduction of type variables (X, Y , Z, . . . ). To my knowledge, this principle has first been introduced by Mendler [24]. Following his ideas, primitive recursive functions can be typed as follows:2 Γ,Y :type, g :Y → τ(Y ), x:σ(Y ) ` M : τ(Y ) Γ ` fix g(x).M : µX.σ → τ(µX.σ) By our convention for contexts Y is a fresh type variable. Therefore, inhabitants of Y , which are potential arguments for g, can only be derived from x. The computation rule, (fix g(x).M)(fold N) −→ [fix g(x).M/g][fold N/x]M, is type preserving (substitute µX.σ for Y ). Putting things together, we see that in the body of M the function symbol g can only be applied for the predecessor of fold N. Thus, this rule types exactly the primitive recursive functions. Since it is closer to programming practice, our guiding principle shall be course-of-value recursion instead of primitive recursion. Furthermore, we want to keep track of size change in function arguments. To this end, we decorate type variables Y with size-change information Y i, where i is a natural number, and constrain variables in the form Y ≤ µX.σ. In the case of lists, Y ≤ int list means Y denotes some approximation Ln of the type int list. Decoration is interpreted i as a closer or less close approximation: If Y denotes Ln then Y denotes Ln+i. The inclusive (or cumulative) hierarchy formed by the approximations (Ln ⊆ Lm for n ≤ m) is reflected in the subtyping calculus: we stipulate Y i ≤ Y j for i ≤ j. Since the fixpoint int list is the supremum of the chain (Ln), we furthermore have Y i ≤ int list for all integers i. This gives us the following rules as core of our new typing system. (Y ≤µX.σ) ∈ Γ Y ∈ Γ i ≤ j Γ ` Y i ≤ µX.σ Γ ` Y i ≤ Y j Γ,Y ≤µXσ, g :Y → τ(Y ), x:Y + ` M : τ(Y +) Γ ` fix g(x).M : ∀Y ≤µXσ. Y → τ(Y )

2 This is the rule as presented by Crary and Weirich [14]. By Mendler, Y cannot be free in τ.

6 (We write Y + for Y 1, Y ++ for Y 2, . . . ). Bounded quantification in types has the expected meaning: If M : ∀Y ≤ σ.τ(Y ) and ρ is a subtype of σ, then M : τ(ρ). In the premise of the rule, the type of g ensures that a recursive call is only well-typed with an argument of a proper subtype of Y +, which is the type of the input argument. Thus, the upper bound for the size of the argument of the recursive call is strictly smaller than the upper bound for the size of the input argument x. The type system is capable to recognize the well-known Quick-sort algorithm as terminating. In the following we give an annotated implementation of Quick- sort in an ML-like language. For reasons of readability, we chose to write up the example in external syntax rather that our core language. There is a simple one-to-one correspondence between type annotations in the clauses below and the typing rule for fix given above: The principal function argument is assumed to have type Y +, recursive calls can only occur with arguments of type Y , and the result must have type τ(Y +) (for a certain τ). pivot : int → ∀Y ≤int list .Y → Y × Y

+ + + pivot a []Y = ([ ]Y , []Y ) + pivot a (x :: xsY)Y = let (lY, rY) = pivot a xs in + + if a > x then ((x :: l)Y , rY ≤Y ) + + else (lY ≤Y , (x :: r)Y )

qsapp : ∀Y ≤int list .Y → int list → int list

+ qsapp []Y ys = ys + qsapp (x :: xsY)Y ys = let (lY, rY) = pivot x xs in qsapp lY (x :: qsapp rY ys)

quicksort : int list → int list quicksort l = qsapp l [] All annotations in the function bodies can be infered by the type checking al- gorithm presented in Sect. 4.3 once the types of the functions are given. Note that qsapp is not primitive recursive and can only be recognized as termination if pivot is accepted as a preserver.

4 Type System

In the following we enrich the type system of Mini-MLµ by decorated types, sub- typing and bounded quantification. This constitutes the language Mini-MLµ≤, which types only strongly normalizing terms of Mini-MLµ. For the new typing derivations we prove some inversion lemmata.

4.1 Contexts, Types and Subtyping Table 2 summarizes types and type-related judgments of Mini-MLµ≤. The set of raw types is an extension of the types of Mini-MLµ by decorations τ i and

7 Raw types:

ρ, σ, τ ::= X | 1 | σ +τ | σ ×τ | σ → τ | µX.ρ | τ i | ∀X≤σ.τ (where X appears only positively in ρ)

Identities and notational definitions:

τ 0 = τ τ + := τ 1 (τ i)j = τ i+j for natural numbers i, j (µX.σ)i = µX.σ

Judgments:

Γ cxt Γ is a wellformed context. Γ ; X; Y ` σ : itype σ is a datatype with free positive variables X and free negative variables Y . Γ ` τ : type τ is a wellformed decorated type. Γ ` ρ ≤ σ ρ is a subtype of σ.

Wellformed contexts Γ cxt.

Γ ` τ : type Γ ; ·; · ` µX.σ : itype · cxt Γ, x: τ cxt Γ,Y ≤µX.σ cxt

Datatypes Γ ; X; Y ` σ : itype.

Γ cxt Z ∈ Γ Γ cxt Γ ; X; Y ` σ : itype Γ ; X; Y ` τ : itype ? ∈ {+, ×} Γ ; X; Y ` Z : itype Γ ; X; Y ` 1 : itype Γ ; X; Y ` σ ? τ : itype

Γ cxt Γ ; Y ; X ` σ : itype Γ ; X; Y ` τ : itype Γ ; X,Z; Y ` σ : itype

Γ ; X; Y ` Xi : itype Γ ; X; Y ` σ → τ : itype Γ ; X; Y ` µZ.σ : itype Wellformed types Γ ` τ : type.

Γ cxt Y ∈ Γ Γ cxt Γ ; ·; · ` µX.σ : itype Γ ` Y i : type Γ ` 1 : type Γ ` µX.σ : type

Γ ` σ : type Γ ` τ : type ? ∈ {+, ×, →} Γ,Y ≤µX.σ ` τ : type Γ ` σ ? τ : type Γ ` ∀Y ≤µX.σ.τ : type Subtyping Γ ` ρ ≤ σ.

Γ ; ·; · ` µX.σ : itype Γ cxt (Y ≤µX.σ) ∈ Γ Γ cxt Y ∈ Γ i ≤ j Γ ` µX.σ ≤ µX.σ Γ ` Y i ≤ µX.σ Γ ` Y i ≤ Y j

Table 2. Contexts, Types and Subtyping

bounded quantification ∀Y ≤ σ.τ. Additionally to term variables x, wellformed contexts Γ can bind constrained type variables Y ≤µX.σ. By two judgments, we distinguish two kinds of types: itype Datatypes. These are essentially the positive inductive types of Mini-MLµ. Additionally, they may contain type variables Y which are approximations Y ≤ µX.σ of an inductive datatype µX.σ. Note that the formation rule for σ → τ swaps positivity and negativity of variables in σ.

8 type (Decorated) types. They can contain decorated variables Y i and bounded quantification. All free variables Y for a wellformed type Γ ` τ : type are approximations of datatypes and bound in Γ .

Finally, Mini-MLµ≤ comes with a lean subtyping calculus which relates inductive types µX.σ and their approximations Y i. Subtyping is reflexive and transitive and ensures that to each approximation ρ with ρ ≤ τ there is a unique maximal element µX.σ which is (trivially) computable. Even stronger,

∃σ. Γ ` ρ ≤ µX.σ is decidable for all Γ and ρ. This entails that all four judgments are decidable (critical is only the rule for bounded quantification). Furthermore all judgments allow weakening with wellformed contexts and the following substitution lemma holds:

Lemma 1 (Type Substitution). Let Γ ` ρ ≤ σ. Then

1. If Γ,Y ≤σ, Γ 0 cxt then Γ, [ρ/Y ]Γ 0 cxt. 2. If Γ,Y ≤σ, Γ 0; X; Y ` τ : itype then Γ, [ρ/Y ]Γ 0; X; Y ` [ρ/Y ]τ : itype. 3. If Γ,Y ≤σ, Γ 0 ` τ : type then Γ, [ρ/Y ]Γ 0 ` [ρ/Y ]τ : type. 0 0 4. If Γ,Y ≤σ, Γ ` τ1 ≤ τ2 then Γ, [ρ/Y ]Γ ` [ρ/Y ]τ1 ≤ [ρ/Y ]τ2.

Proof. By simultaneous induction over the derivation.

Inductive types:

Γ ` ρ ≤ µX.σ(X) Γ ` M : σ(ρ) Γ ` ρ ≤ µX.σ(X) Γ ` M : ρ+ + fold unfold Γ ` fold M : ρ Γ ` unfold M : σ(ρ)

Recursive functions:

Γ,Y ≤µXσ, g : Y → τ(Y ), x : Y + ` M : τ(Y +) Y pos. in τ fix Γ ` fix g(x).M : ∀Y ≤µXσ. Y → τ(Y )

Subtyping:

Γ ` ρ ≤ σ Γ ` M : ρ Γ ` ρ ≤ σ Γ ` M : ∀Y ≤σ.τ(Y ) sub inst Γ ` M : σ Γ ` M : τ(ρ)

Table 3. Typing rules for Mini-MLµ≤.

9 4.2 Terms and Type Assignment

Mini-MLµ≤ features the same terms as Mini-MLµ, but comes with a more precise typing of inductive data (fold, unfold) and recursive functions (fix). Furthermore there are typing rules which arise from subtyping and quantification (see Ta- ble 3). The new typing rules for inductive data now treat also inhabitants of approx- imations of inductive types. Let us explain the fold-rule for the example of lists: Let Y ≤ µX.1 + Nat × X be an approximation of the type of lists over natural numbers, x : Nat and y : Y a list in this approximation, that is, a list with size < n for an unknown n. Then inr(x, y) : 1 + Nat × Y , hence, by the folding rule, the list Cons(x, y) = fold(inr(x, y)) : Y + is of size < n + 1. The unfold-rule works analogously. Note that the old rules (of Mini-MLµ) are a special case of the new ones: set ρ = µX.σ. The rule for fix has been motivated in Sect. 3 already. There we embezzled the side condition “Y positive in τ” which will be relevant in the proof of strong normalization. Intuitively, it states that the output τ(Y ) of a recursive function can only be monotonically bounded by the input Y . The subtyping rule sub is the usual one. The instantiation rule inst ensures that all reasonable instantiations of bounded quantifications are possible. The typing calculus enjoys the usual properties of wellformedness, restricted exchange, weakening, strengthening and substitution for term variables x. Sub- stitution also holds for type variables Y : Lemma 2 (Type Substitution). If Γ,Y ≤ σ, Γ 0 ` M : τ and Γ ` ρ ≤ σ then Γ, [ρ/Y ]Γ 0 ` M :[ρ/Y ]τ.

Proof. By induction of the typing derivation and case distinction on the subtyp- ing derivation.

4.3 Type Checking

Types of Mini-MLµ≤-expressions can be checked using a algorithm with uses only local type inference [30]. The idea is to avoid sophisticated concepts like unification variables or constraints in order to make type-checking more pre- dictable. We use the well-known technique of bidirectional type-checking (e.g. [13, 15]). The rules are listed in Table 4. The rough idea is that the type of variables and eliminations can be inferred (rules ↓var, ↓ fst, ↓ snd, ↓ unfold, ↓app and ↓appµ1), whereas the type of introduc- tions must be checked against (⇑lam, ⇑pair, ⇑ fold, ⇑ inl, ⇑ inr and ⇑ fix). Any type that can be inferred can be checked against (⇑↓). Subsumption and instantiation are located at the transition from checking to inference (⇑↓≤ and ⇑inst). A positive abnormality are tuples: They allows inference although they are constructors (↓unit, ↓pair). One of the negative abnormality is the sum-elimination: The type of the side clauses in the case-construct is arbitrary and cannot be in- ferred (⇑ case). Another problem occurs with bounded quantification: In the rule

10 Terms. M,N ::= ... | M : τ Judgments. Γ ` M ↓ τ The type of term M is inferred as τ. Γ ` M ⇑ τ Term M is checked against type τ. Type inference.

x: τ ∈ Γ Γ ` M ↓ σ × τ Γ ` M ↓ σ × τ Γ ` M ↓ σ Γ ` N ↓ τ ↓var ↓ fst ↓ snd ↓pair Γ ` x ↓ τ Γ ` fst M ↓ σ Γ ` snd M ↓ τ Γ ` (M,N) ↓ σ × τ

Γ ` M ↓ ρ+ Γ ` ρ ≤ µX.σ(X) Γ ` M ↓ σ → τ Γ ` N ⇑ σ ↓unit ↓ unfold ↓app Γ ` () ↓ 1 Γ ` unfold M ↓ σ(ρ) Γ ` MN ↓ τ

Γ ` M ↓ ∀Y ≤µXσ.Y → τ Y 6∈ FV(τ) Γ ` N ⇑ µXσ ↓appµ1 Γ ` MN ↓ τ

Γ ` M ↓ ∀Y ≤µXσ.Y → τ(Y ) Γ ` N ↓ ρ Γ ` ρ ≤ µXσ Γ ` M ⇑ τ ↓appµ2 ↓ann Γ ` MN ↓ τ(ρ) Γ ` (M : τ) ↓ τ Type checking.

Γ, x: σ ` M ⇑ τ Γ ` M ⇑ σ Γ ` N ⇑ τ Γ ` ρ ≤ µX.σ(X) Γ ` M ⇑ σ(ρ) ⇑lam ⇑pair ⇑ fold Γ ` λx.M ⇑ σ → τ Γ ` (M,N) ⇑ σ × τ Γ ` fold M ⇑ ρ+

Γ ` M ⇑ σ Γ ` M ⇑ τ Γ ` N ↓ σ1 + σ2 Γ, xi : σi ` Mi ⇑ ρ ⇑ inl ⇑ inr ⇑ case Γ ` inl M ⇑ σ + τ Γ ` inr M ⇑ σ + τ Γ ` case N of inl x1 ⇒ M1 | inr x2 ⇒ M2 ⇑ ρ

Γ,Y ≤µXσ, g : Y → τ(Y ), x : Y + ` M ⇑ τ(Y +) ⇑ fix Γ ` fix g(x).M ⇑ ∀Y ≤µXσ.Y → τ(Y )

Γ ` M ↓ ∀Y ≤µXσ.Y → τ(Y ) match ρ with τ(Y ) =⇒ Y = ρ0 Γ ` ρ0 ≤ µXσ Γ ` N ⇑ ρ0 ⇑appµ Γ ` MN ⇑ ρ Subsumption and instantiation.

Γ ` M ↓ τ Γ ` M ↓ ρ Γ ` ρ ≤ σ Γ ` M ↓ ∀Y ≤σ.Y → τ(Y ) Γ ` ρ ≤ σ ⇑↓ ⇑↓≤ ⇑inst Γ ` M ⇑ τ Γ ` M ⇑ σ Γ ` M ⇑ ρ → τ(ρ)

Table 4. Type Checking.

↓appµ2, the size ρ of the argument needs to be inferred to give a size-bound τ(ρ) on the result of the application. If the size of the result is known, it can be checked (rule ⇑appµ). This rule involves simple matching on the level of types: ρ = τ(ρ0) for some unknown ρ0. However, since types are first-order expressions without reduction, the matching problem is decidable. Disregarding the abnormalities, the algorithm can check the types of normal expressions. In practical programming, most expressions are normal. Not-normal expressions need to be annotated with their type at some sensible position (rule ↓ann). All top-level expressions, e.g. all recursive functions, need to be defined with their type. This is not too heavy a load for the programmer: in Haskell it is quite common; in ML often the types of functions are given via signatures.

11 The presented rules are very close to an implementation. With small refine- ments, they can be transformed into a deterministic algorithm with checks types in time linear to the size of the input expression M plus type τ (modulo context lookup, type matching and subtype checking). Definition 1 (Erasure). Let |M| denote the result of erasing all type annota- tions from M. We define | · | by

|M : τ| = |M|, adding congruences for all other term constructors. Proposition 1 (Soundness of Type Checking). Let Γ be a context, M a term and τ a wellformed-type. 1. If Γ ` M ↓ τ, then Γ ` |M| : τ. 2. If Γ ` M ⇑ τ, then Γ ` |M| : τ. Proof. Simultaneously by induction on Γ ` M ↓⇑ τ. For example, we show case ↓appµ1: Γ ` M : ∀Y ≤µXσ.Y → τ by induction hypothesis Γ ` M : µXσ → τ by rule inst Γ ` N : µXσ by induction hypothesis Γ ` MN : τ by rule app ut

5 Reduction and Type Preservation

For our language Mini-MLµ≤, we give the usual β-reductions for constructor- destructor combinations and one for recursive functions.

(λx.M) N −→β [N/x]M unfold(fold M) −→β M (fix g(x).M)(fold N) −→β [fix g(x).M/g][fold N/x]M

case(inl N) of inl x1 ⇒ M1 | inr x2 ⇒ M2 −→β [N/x1]M1 case(inr N) of inl x1 ⇒ M1 | inr x2 ⇒ M2 −→β [N/x2]M2 fst(M1,M2) −→β M1 snd(M1,M2) −→β M2 Since we intend to prove strong normalization, we need a lazy unrolling of fix- points. Following Mendler [24], we only reduce a fixpoint if applied to inductive data. We obtain one- and multi-step reduction relations by forming the usual closures:

−→β β-reduction −→ one-step reduction: closure of −→β under all term constructors −→+ transitive closure of −→ −→∗ reflexive-transitive closure of −→

12 These relations enjoy the usual substitution properties. In contrast to small-step semantics for functional languages, we also allow reduction under binders. All reductions preserve types; type preservation usually proven by induc- tion on the reduction, using inversion on the typing derivation. However, in the presence of subtyping, the typing rules are no longer invertible. For example, M1 M2 : τ does not directly imply that M1 : σ → τ for some σ and M2 : σ. How- ever, following Davies and Pfenning [15] we can prove some inversion lemmata which provide inferences comparable to inversion. To this end, we introduce the notation D :: J meaning D is the derivation tree for judgment J . Lemma 3 (Inversion of Typing Derivation). In all cases we also state that E, Ei are sub-derivations of D. 1. If D :: Γ ` λx.M : τ 0 then τ 0 = σ → τ for some types σ, τ. Similar lemmata hold for inl, inr, () and ( , ). 0 2. If D :: Γ ` M1 M2 : τ then E1 :: Γ ` M1 : σ → τ and E2 :: Γ ` M2 : σ where Γ ` τ ≤ τ 0. Similar lemmata hold for fst and snd. 0 3. If D :: Γ ` case M of inl x1 ⇒ M1 | inr x2 ⇒ M2 : ρ then E :: Γ ` M : σ + τ, 0 E1 :: Γ, x1 :σ ` M1 : ρ and E2 :: Γ, x2 :τ ` M2 : ρ where Γ ` ρ ≤ ρ . 4. If D :: Γ ` fold N : τ 0 then E :: Γ ` N : σ(ρi) with Γ ` ρ ≤ µXσ and Γ ` ρi+1 ≤ τ 0. 5. If D :: Γ ` unfold M : τ 0 then E :: Γ ` M : σ(ρi+1) with Γ ` ρ ≤ µXσ and Γ ` ρi ≤ τ 0. 6. If D :: Γ ` fix g(x).M : τ 0 then either τ 0 = ∀Y ≤µXσ. Y → τ(Y ) or τ 0 = ρ → τ(ρ) for some Γ ` ρ ≤ µXσ and E :: Γ ` fix g(x).M : ∀Y ≤µXσ. Y → τ(Y ). Proof. By induction on the typing derivation D. Now we are ready to show subject reduction. Theorem 1 (Type Preservation). If Γ ` M : τ and M −→ M 0, then Γ ` M 0 : τ. Proof. By simultaneous induction on Γ ` M : τ and M −→ M 0. We spell out the case for fixpoint reductions: D :: Γ ` GN : τ 0 GN −→ [G/g][N/x]M where G ≡ fix g(x).M and N ≡ fold N 0. Let furthermore Γ 0 ≡ Γ,Y ≤µXσ, g :Y → τ(Y ), x:Y +. Using the inversion lemmata we can ascribe the following form to the typing derivation D. 0 + 0 i Γ ` M : τ(Y ) Γ ` ρ1 ≤ µX.σ Γ ` N : σ(ρ1) 0 0 i+1 Γ ` G : ∀Y ≤µXσ .Y → τ(Y ) Γ ` fold N : ρ1 · · · · · 0 · i+1 · Γ ` ρ2 ≤ µXσ · Γ ` ρ ≤ ρ2 · · 1 · · Γ ` G : ρ2 → τ(ρ2) Γ ` N : ρ2

Γ ` GN : τ(ρ2) · · · 0 · Γ ` τ(ρ2) ≤ τ · · Γ ` GN : τ 0

13 Furthermore, from the shape of approximation types, we infer

i+1 0 Γ ` ρ1 ≤ ρ1 ≤ ρ2 ≤ µXσ = µX.σ

+ Now there exists a type ρ ≤ µXσ such that ρ = ρ2. Using substitution, we can derive the following types:

Γ 0 ` g : Y → τ(Y ) Γ 0 ` x : Y + Γ ` G : ∀Y ≤ µXσ.Y → τ(Y ) Γ ` G : ρ → τ(ρ) Γ ` fold N 0 : ρ+ + Γ ` [G/g][N/x]M : τ(ρ ) = τ(ρ2)

Thus Γ ` [G/g][N/x]M : τ 0.

6 Strong Normalization

Proofs of strong normalization have a long tradition and several method have evolved. We use the saturated sets method based on the notion of weak head reduction as found e.g. in Luo [23] and Altenkirch [5]. Besides the interpreta- tion of inductive and decorated types, we follow the presentation in a previous publication [3].

6.1 Saturated Sets The set of strongly normalizing terms SN is defined inductively by the following rule: ∀M 0.M −→ M 0 ⇒ M 0 ∈ SN M ∈ SN In other words, SN is the wellfounded part of the set of terms wrt. the reduction relation −→. All variables x are strongly normalizing and all subterms of strongly normalizing terms. Furthermore, the set SN is closed under reduction. The notion of weak head reduction can most elegantly be defined with eval- uation contexts E[•], which are generated by the following grammar:

E[•] ::= • | E[•] M | unfold E[•] | (fix g(x).M) E[•]

| (case E[•] of inl x1 ⇒ M1 | inr x2 ⇒ M2) | fst E[•] | snd E[•]

Weak head reduction is a reduction of the form E[M1] −→ E[M2] where M1 −→β M2. Terms of the form E[x] are called neutral. The set SN enjoys the crucial property that it is closed under weak head expansion.

Lemma 4 (Weak Head Expansion). If E[M1] ∈ SN then for all M0 ∈ SN with M0 −→β M1 it holds that E[M0] ∈ SN.

14 This lemma is a consequence of weak standardization, the interested reader is referred to Altenkirch’s thesis [5]. A set of terms P is called saturated, written P ∈ SAT , if it contains only strongly normalizing terms, all strongly normalizing neutral terms, and if it is closed under weak head expansion. The saturation of a set P is defined as the closure under the following rules:

0 0 ∗ M ∈ P E[x] ∈ SN M ∈ SN M −→β M E[M ] ∈ P M ∈ P ∗ E[x] ∈ P ∗ E[M] ∈ P ∗ For sets of terms P , Q we define the function space

P → Q := {M1 ∈ SN : ∀M2 ∈ P.M1 M2 ∈ Q}.

In the following we reuse the well-known fact that the function space constructor → operates on saturated sets.

6.2 Type Interpretation In this section, we give an interpretation [[τ]] for every wellformed type τ. For datatypes σ, the semantics [[σ]] is a monotone operator on saturated sets. In particular, [[µX.σ]] is the fixpoint of an operator derived from [[σ]]. In previous work [4], we obtained this fixpoint by the theorem of Knaster and Tarski, resp. by accessibility inductive definitions. This time we follow an idea of Mendler [24] (reused by Amadio and Coupet-Grimal [6]) and reach the fixpoint by transfinite iteration. This technique enables us to give an interpretation to approximation types Y i ≤ µX.σ. Let O be some set which we call origin set and Φ an operator on sets. For an ordinal number α we define the α-iterate Φα by transfinite recursion on α as follows: Φ0 = O Φα+1 = Φ(Φα) λ S α Φ = α<λ Φ for λ limit ordinal If Φ is monotone, then at some ordinal the least fixpoint is reached. For our purposes, this will be the least uncountable ordinal ω1 and we have

Φ(Φω1 ) = Φω1 .

Furthermore, if O ⊆ Φ(O), then the hierarchy (Φα) is cumulative, that is, Φα ⊆ Φβ for all α < β. In order to define the type interpretation, we need substitutions. For contexts Γ we introduce Γ -substitutions θ : Γ by the following rules: θ : Γ θ : Γ · : · θ, x7→M : Γ, x:τ θ, Y 7→P : Γ,Y ≤σ This notion is extended to contexts triples Γ ; X; Y in the obvious way.

15 In the following we fix the origin set O = ∅∗, the saturation of the empty set. Let τ be a type with free type variables in ∆ and θ : ∆. Then we define the interpretation [[τ]]θ by recursion on τ as follows:

[[Z]]θ = θ(Z) [[1]]θ = {()}∗ [[σ + τ]]θ = {inl M : M ∈ [[σ]]θ}∗ ∪ {inr M : M ∈ [[τ]]θ}∗ ∗ [[σ × τ]]θ = {(M1,M2): M1 ∈ [[σ]]θ, M2 ∈ [[τ]]θ} [[σ → τ]]θ = [[σ]]θ → [[τ]]θ

ω1 [[µXσ]]θ = Φ where Φ = ΦX.σ,θ [[τ i]]θ = Φα+i if [[τ]]θ = Φα \ [[∀Y ≤σ.τ]]θ = [[τ]](θ, Y 7→Φα) if [[σ]]θ = Φβ α≤β where ∗ ΦX.σ,θ(Q) = {fold M : M ∈ [[σ]](θ, X 7→Q)} Example 1. [[0]]θ = [[µX.X]]θ = (Q 7→ {fold M : M ∈ Q}∗)ω. We can show that [[0]] is extensionally equal to O, i.e., for all M ∈ [[0]] exists some N ∈ O such that abort M −→∗ abort N. The proof proceeds by induction on the approximations of [[0]] with a side induction on the saturation. The interpretation is preserved under substitution, that is, for types σ(X) and ρ it holds that

[[σ]](θ, (X 7→[[ρ]]θ), θ0) = [[σ(ρ)]](θ, θ0).

For datatypes σ : itype, the interpretation [[σ]] is monotone, hence also the op- erator ΦX.σ, which additionally has the property O ⊆ ΦX.σ,θ(O). This entails α that the fixpoints exist and (ΦX.σ,θ) form a cumulative hierarchy. A consequence is a fact that will be important for the proof of strong normalization: If data inhabitants an approximation type, it already is found in a successor iterate. Lemma 5. If fold M ∈ Φα then fold M ∈ Φβ+1 for some β < α. Proof. By transfinite induction on α.

6.3 Proof of Strong Normalization To complete the proof of strong normalization, we first ensure that the interpre- tation of every type is a saturated set. Then we show that each well-typed term inhabits the interpretation of its type and therefore is strongly normalizing. Contexts Γ are interpreted as the set of all sound substitutions. We define θ ∈ [[Γ ]] inductively by the following rules. θ ∈ [[Γ ]] M ∈ [[τ]]θ · ∈ [[·]] (θ, x7→M) ∈ [[Γ, x:τ]]

16 θ ∈ [[Γ ]] [[µXσ]]θ = Φω1 (θ, Y 7→Φα) ∈ [[Γ,Y ≤µXσ]] At this point, we can verify that our subtyping calculus is sound: Lemma 6 (Soundness of Subtyping). If Γ ` ρ ≤ σ then for all θ ∈ [[Γ ]] it holds that [[ρ]]θ = Φα ⊆ Φβ = [[σ]]θ for some operator Φ and some ordinals α and β.

Proof. By induction over the derivation of Γ ` ρ ≤ σ.

Lemma 7 (Saturatedness of Type Interpretations). If Γ ` τ : type then for all θ ∈ [[Γ ]]: [[τ]]θ ∈ SAT .

Proof. State similar propositions for the other three type-related judgments on Table 2 and prove all propositions by simultaneous induction.

Now we have assembled all the pieces to prove strong normalization. Theorem 2 (Strong Normalization). If Γ ` M : τ then for all θ ∈ [[Γ ]]: Mθ ∈ [[τ]]θ.

Proof. By induction on Γ ` M : τ. As an example, we show the case for fix.

Γ,Y ≤µXσ, g :∀Y → τ(Y ), x:Y + ` M : τ(Y +) Γ ` fix g(x).M : ∀Y ≤µXσ. Y → τ(Y ) where Y appears only positive in τ. Let Φ = ΦX.σ,θ. Then [[∀Y ≤ µXσ. Y → τ(Y )]]θ = T (Φα → [[τ]](θ, Y 7→Φα)). We show for all ordinals α, α≤ω1 (fix g(x).M)θ ∈ Φα → [[τ]](θ, Y 7→Φα) by a first side induction on α. Fix the ordinal α and some term N ∈ Φα. We show (fix g(x).M)θ N ∈ [[τ]](θ, Y 7→Φα) by a second side induction on the saturation of Φα.

Subcase N = E[x]. Then (fix g(x).Mθ) E[x] is neutral and therefore in [[τ]](θ, Y 7→ Φα). α Subcase N = E[N1] with N1 −→β N2 and E[N2] ∈ Φ . Then (fix g(x).Mθ) E[N2] ∈ [[τ]](θ, Y 7→Φα) by the second side induction hypothesis and by saturat- α edness also (fix g(x).Mθ) E[N1] ∈ [[τ]](θ, Y 7→Φ ). Subcase N = fold N 0 ∈ Φβ+1 ⊆ Φα (with Lemma 5). By the first side induction hypothesis fix g(x).M ∈ (Φβ → [[τ]](θ, Y 7→Φβ)). Hence,

θ0 = (θ, Y 7→Φβ, g 7→ fix g(x).M, x7→N) ∈ [[Γ,Y ≤µXσ, g :∀X≤Y.X → τ(X), x:Y +]]

17 By main induction hypothesis

Mθ0 ∈ [[τ(Y +)]]θ0 = [[τ]](θ, Y 7→Φβ+1) ⊆ [[τ]](θ, Y 7→Φα),

since Y appears only positive in τ. Furthermore, since

0 (fix g(x).M)θ (fold N) −→β Mθ ,

we can conclude by saturation.

The other cases are left to the reader. Hints can be found in [3].

7 Applications

After establishing soundness, we want to show the effectiveness of the presented approach in this section. We sketch how the explored principles could be applied in functional and logic programming, and, as a specific example, for resource bound certification. Without getting into details we want to mention here that the approach also would be suitable for theorem provers based on theories with inductive definitions, e.g. Agda [11], Coq [21] and LEGO [31].

7.1 Functional Programming

One example has been given in Sect. 3 already. In the following we present another example which shows that our system can handle mutual recursion, interleaving inductive types and even non-strictly positive types. We introduce two abbreviations for certain datatypes: X list for lists over some type X and term for first-order terms with continuations.

X list = µY. 1 + X × Y term = µX. int + int ×(X list) + ((X → 0) → 0)

The first-order terms we consider are constructed from variables, n-ary function symbols and continuations.3 We have the three constructors

Var : int → term Func : int × term list → term Mu : ((term → 0) → 0) → term

Var(i) denotes the ith variable, Func(i, l) the ith function symbol applied to the terms of the list l and Mu(λaterm→0. bterm→0 t)

3 The continuations we consider are modeled after the λµ-calculus (Parigot [27]). For a well-understandable paper see Bierman [8]. The chosen representation as positive type is derived from Abel [2].

18 the term that stores the current continuation in a, retrieves a continuation b and throws the term t at b. Note that term is the rare example of a non-strictly positive type, furthermore term and list are interleaving4. Nevertheless, our system accepts the following mutually recursive substitution function.

subst :(int → term) → ∀X≤term .X → term

+ subst f (Var(i))X = f(i)

+ subst f (Func(i, l))X = Func(i, sl(lX list)) where sl : ∀Y ≤X list .Y → term + sl ([])Y = [] + sl (t :: ts)Y = (subst f tX ) :: sl tsY

+ subst f (Mu(t))Y = Mu (λaterm→0. t(Y →0)→0 (λrY. a (subst f rY )))

Recursion over interleaving inductive datatypes is most naturally expressed by mutually recursive functions. In our case it is crucial that this mutual recur- sion is not simultaneous but interleaving, because the approximation of the type of terms X ≤ term must be available with in the inner function sl for the ap- proximation Y ≤ X list. Informally, X contains terms upto a certain height and X list lists of such terms. Hence, Y contains lists of restricted length which consist of terms of bounded height. The typing ensures that the call subst f t within sl terminates, no call graphs are necessary (cf. Abel/Altenkirch [4] or Lee/Jones/Ben-Amram [22]). The last line encodes substitution for continuations, applying our technique for non-strictly positive types. Here termination is not obvious at all and cannot be checked with any untyped notion of subterm ordering, since r is no subterm of t. This example shows the superiority of the type-based termination analysis over one using a subterm ordering. In every-day programming, some functions are not terminating on all inputs. Others may be terminating, but the termination proof may involve complicated arguments and cannot be checked automatically. For that reason, it is desirable to allow both total and partial functions in a program. This can be realized naturally in our system by simply adding the fix-rule of Mini-MLµ which does not impose any restriction on recursion. The user then can define recursive functions which are not checked for termination simply by giving them a type not involving bounded quantification (an itype). In the extended system, functions are total if their typing derivation does not use the liberal fix-rule. To keep efficiency in an implementation of the type system, functions could be tagged as total resp. possibly partial by the compiler.

4 sometimes referred to as nested

19 7.2 Logic Programming Due to the strong relationship between functional and logic programming, it is not surprising that our principles can be applied to typed logic programming, as implemented e.g. Twelf [28]. We give a specification of “insertion sort” in a hypothetical extension of Twelf by approximation types.

list : type . nil : list . ++ : int → list → list . %infix right 100 ++.

insert : int → ∀Y ≤list .Y → Y + → type . %mode insert +A +L −K.

+ ++ insNil : insert A nilY (A ++ nil)Y . + ++ insLe : insert A (X ++ XS Y)Y (A ++ X ++ XS)Y ← X ≥ A. + ++ insGe : insert A (X ++ XS Y)Y (X ++ L)Y ← A ≥ X + ← insert A XS LY .

inssort : ∀Y ≤list .Y → Y → type . %mode inssort +L −K.

+ + sortNil : inssort nilY nilY . + + sortCons : inssort (X ++ XS Y)Y LY ← inssort XS KY + ← insert XKLY .

In its current implementation, Twelf is equipped with termination and reduction checking (as found by Walther [35]) based on the subterm ordering (cf. Pientka [29]). In the given natural specification, insertion sort is not recognized as ter- minating in Twelf. The function insert is strictly increasing the size of its input and thus no preserver. However, our proposed type system can effortlessly keep track of the amount of size change in insert. This information is successfully used to accept inssort as a terminating preserver. How to integrate approximation types into the underlying type theory LF [20] requires a careful investigation. Since dependent types are present in LF, Xi’s type-based termination check [36] might be more suitable. Our approach fits best to simply-typed logic programming.

7.3 Resource Bound Certification Crary and Weirich [14] describe a language LXres for resource bound certifica- tion. To estimate the cost of defined operations they use static cost functions. Technically these cost functions are so-called constructors in their type theory which is based on F ω. For type-checking to be decidable, these constructors must

20 be terminating. Currently they are restricted to Mendler-style primitive recur- sive functions (see Sect. 3). Our extension could be integrated into their type theory with ease. Thus, the expressiveness of their language could be strictly increased.

8 Conclusion

We have presented a method of ensuring termination by types and proven type preservation and strong normalization for our system. The key concept is the use of type variables to restrict the arguments of recursive calls and keep track of size- change information. We have shown its superiority over the reducer/preserver method based on the subterm ordering. Termination by type checking seems to be a practicable method that most probably is more efficient than separate type, termination and reduction checking.

8.1 Related Work The system presented here has several predecessors. The first is Mendler’s con- cept of inductive types for the second-order lambda-calculus [24]. His recursor for inductive types has the form of a fixpoint combinator whose type restricts re- cursive calls to primitive recursion. In his proof of strong normalization—which is based on Girard’s reducibility method [19]—he already defines the semantics of inductive types by transfinite recursion. Gim´eneztransferred Mendler’s concept to the Calculus of Constructions and extended it by subtyping and bounded quantification [18]. By using the approx- imations Y and Y + of inductive types he can handle course-of-value recursion and reducers. We adapted his ideas for the simply-typed setting and generalized the type decorations to track more cases of size-change. In contrast to Gim´enez, our subtyping calculus is restricted to approximation of inductive types, without loss of expressivity. Amadio and Coupet-Grimal [6] present a system derived from Gim´enez’ for coinductive types where recursive calls have to be guarded (cf. Coquand [12]). They give a proof of strong normalization which follows Mendler, but is restricted to the special case of streams. They sketch the idea of arbitrary approximations Y +i but without the type variables. Numerous articles on termination have been published, so we can only give a non-representative overview of work related to ours. Typed functional programming: Xi [36] uses dependent types over the con- straint domain of integers. He encodes termination orderings based on nat- ural numbers and their lexicographic product into decorated types. In pre- vious work [1], we have presented a type system for structurally recursive functions in the context of simple types. Both Xi and we proved termina- tion only for closed terms (no strong normalization). Telford and Turner [34, 33] check termination and productivity of recursive functions by an ab- stract interpretation. They track size-change on an abstract domain; the

21 power of the approach is comparable to the one presented here. Giesl [17], also with Brauburger [10], generate termination predicates by static analysis of functional programs. Termination then can be proven by some external automated theorem prover. The power of their approach is limited only by the theorem prover, but for practical programming we favor transparent and decidable methods. Higher-order logic programming: Pientka [29] has described a calculus for termination and reduction checking of higher-order logic programs which is based on the subterm ordering. Untyped functional programming: Lee, Jones and Ben-Amram [22] inves- tigate termination of untyped functional programs via size-change graphs. They give show that the implicit complexity of termination checking mu- tually recursive functions is PSPACE-hard. Their notion of call graphs is related to Abel and Altenkirch’s [4]. Term rewriting: This is the classical area of investigating termination. We want to accentuate Giesl’s work, for example, with Arts, on dependency pairs [7]. Blanqui, Jouannaud and Okada investigate term rewriting for systems with inductive types [9].

8.2 Further Work

To be applicable in programming practice, our work has to be extended in several areas: We plan to extend our type system by coinductive types and polymor- phism. Furthermore, we will research how to embed other termination orderings, like lexicographic product and recursive path ordering, into the type structure. This seems to be an interesting and challenging problem.

Acknowledgments The author thanks Thorsten Altenkirch for more than one year of joint work on termination, Thierry Coquand for pointing to Gim´enez work, and Martin Hofmann, Frank Pfenning and Brigitte Pientka for helpful discussions.

References

1. A. Abel. Specification and verification of a formal system for structurally recursive functions. In T. Coquand, P. Dybjer, B. Nordstr¨om, and J. Smith, editors, Types for Proof and Programs, International Workshop, TYPES ’99, volume 1956 of Lecture Notes in Computer Science, pages 1–20. Springer-Verlag, 2000. 2. A. Abel. A third-order representation of the λµ-calculus. In R. C. S.J. Ambler and A. Momigliano, editors, Electronic Notes in Theoretical Computer Science, volume 58. Elsevier Science Publishers, 2001. 3. A. Abel and T. Altenkirch. A predicative strong normalisation proof for a λ- calculus with interleaving inductive types. In T. Coquand, P. Dybjer, B. Nord- str¨om,and J. Smith, editors, Types for Proof and Programs, International Work- shop, TYPES ’99, volume 1956 of Lecture Notes in Computer Science, pages 21–40. Springer-Verlag, 2000.

22 4. A. Abel and T. Altenkirch. A predicative analysis of structural recursion. Journal of Functional Programming, 12(1):1–41, January 2002. 5. T. Altenkirch. Constructions, Inductive Types and Strong Normalization. PhD thesis, University of Edinburgh, November 1993. 6. R. M. Amadio and S. Coupet-Grimal. Analysis of a guard condition in type theory. In M. Nivat, editor, Foundations of Software Science and Computation Structures, First International Conference, FoSSaCS’98, volume 1378 of LNCS. Springer-Verlag, 1998. 7. T. Arts and J. Giesl. Termination of term rewriting using dependency pairs. The- oretical Computer Science, 236:133–178, 2000. 8. G. M. Bierman. A computational interpretation of the λµ-calculus. In L. Brim, J. Gruska, and J. Zlatuska, editors, Proceedings of Symposium on Mathematical Foundations of Computer Science, volume 1450 of Lecture Notes in Computer Sci- ence, pages 336–345, Brno, Czech Republic, August 1998. 9. F. Blanqui, J.-P. Jouannaud, and M. Okada. Inductive data type systems. Theo- retical Computer Science, 277, 2001. 10. J. Brauburger and J. Giesl. Termination analysis for partial functions. In Proceed- ings of the Third International Static Analysis Symposium (SAS’96), volume 1145 of Lecture Notes in Computer Science, Aachen, Germany, 1996. Springer-Verlag. 11. C. Coquand. Agda. WWW page, 2000. http://www.cs.chalmers.se/˜catarina/agda/. 12. T. Coquand. Infinite objects in type theory. In H. Barendregt and T. Nipkow, editors, Types for Proofs and Programs (TYPES ’93), volume 806 of Lecture Notes in Computer Science, pages 62–78. Springer-Verlag, 1993. 13. T. Coquand. An algorithm for type-checking dependent types. In Mathematics of Program Construction. Selected Papers from the Third International Conference on the Mathematics of Program Construction (July 17–21, 1995, Kloster Irsee, Ger- many), volume 26 of Science of Computer Programming, pages 167–177. Elsevier Science, May 1996. 14. K. Crary and S. Weirich. Resource bound certification. In Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 184–198, Boston, Massachusetts, USA, January 2000. 15. R. Davies and F. Pfenning. Intersection types and computational effects. In Pro- ceedings of the International Conference on Functional Programming (ICFP 2000), pages 198–208, Montreal, Canada, September 2000. 16. N. Dershowitz. Termination of rewriting. Journal of Symbolic Computation, 3:69– 115, 1987. 17. J. Giesl. Termination of nested and mutually recursive algorithms. Journal of Automated Reasoning, 19:1–29, 1997. 18. E. Gim´enez. Structural recursive definitions in type theory. In Automata, Lan- guages and Programming, 25th International Colloquium, ICALP’98, Aalborg, Denmark, July 13-17, 1998, Proceedings, volume 1443 of LNCS, pages 397–408. Springer, 1998. 19. J.-Y. Girard. Interpr´etation fonctionnelle et ´elimination des coupures dans l’arithm´etiqued’ordre sup´erieur. Th`ese de Doctorat d’Etat,´ Universit´ede Paris VII, 1972. 20. R. Harper and F. Pfenning. On Equivalence and Canonical Forms in the LF Type Theory. Technical report, Carnegie Mellon University, July 2000. 21. INRIA. The Coq Proof Assistant Reference Manual, version 7.0 edition, April 2001. http://pauillac.inria.fr/coq/doc/main.html.

23 22. C. S. Lee, N. D. Jones, and A. M. Ben-Amram. The size-change principle for pro- gram termination. In ACM Symposium on Principles of Programming Languages (POPL’01), London, UK, January 2001. ACM Press. 23. Z. Luo. ECC: An Extended Calculus of Constructions. PhD thesis, University of Edinburgh, 1990. 24. N. P. Mendler. Inductive types and type constraints in the second-order lambda calculus. Annals of Pure and Applied Logic, 51(1–2):159–172, 1991. 25. R. Milner, M. Tofte, R. Harper, and D. MacQueen. The Definition of Standard ML (Revised). MIT Press, 1997. 26. T. Nipkow and D. von Oheimb. JavaLight is type-safe — definitely. In Proceedings of the 25th ACM Symposium on Principles of Programming Languages, pages 161– 170. ACM Press, New York, 1998. 27. M. Parigot. λµ-calculus: An algorithmic interpretation of classical natural de- duction. In A. Voronkov, editor, Logic Programming and Automated Reasoning: Proc. of the International Conference LPAR’92, pages 190–201. Springer, Berlin, Heidelberg, 1992. 28. F. Pfenning and C. Sch¨urmann. System description: Twelf - a meta-logical frame- work for deductive systems. In H. Ganzinger, editor, Proceedings of the 16th Inter- national Conference on Automated Deduction (CADE-16), volume 1632 of Lecture Note in Artificial Intelligence, pages 202–206, Trento, Italy, July 1999. Springer- Verlag. 29. B. Pientka. Termination and reduction checking for higher-order logic programs. In R. Gor´e,A. Leitsch, and T. Nipkow, editors, Automated Reasoning, First Inter- national Joint Conference, IJCAR 2001, volume 2083 of Lecture Notes in Artificial Intelligence, pages 401–415. Springer-Verlag, 2001. 30. B. C. Pierce and D. N. Turner. Local type inference. In POPL 98: The 25TH ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, San Diego, California, 1998. 31. R. Pollack. The Theory of LEGO. PhD thesis, University of Edinburgh, 1994. 32. J. Steinbach. Simplification orderings: History of results. Fundamenta Informati- cae, 24(1/2):47–87, 1995. 33. A. Telford. Ensuring the productivity of infinite structures. Submitted to JFP, 2000. 34. A. J. Telford and D. A. Turner. Ensuring Termination in ESFP. Journal of Universal Computer Science, 6(4):474–, 1999. Proceedings of BCTCS 15. 35. C. Walther. Argument-Bounded Algorithms as a Basis for Automated Termination Proofs. In E. L. Lusk and R. A. Overbeek, editors, 9th International Conference on Automated Deduction, volume 310 of Lecture Notes in Computer Science, pages 602–621. Springer-Verlag, 1988. 36. H. Xi. Dependent types for program termination verification. In Proceedings of 16th IEEE Symposium on Logic in Computer Science, Boston, USA, June 2001.

24