Practical Checking using Twin Types

Víctor López Juan Nils Anders Danielsson Chalmers University of Technology University of Gothenburg Gothenburg, Sweden Gothenburg, Sweden [email protected] [email protected]

Abstract ACM Reference Format: People writing proofs or programs in dependently typed lan- Víctor López Juan and Nils Anders Danielsson. 2020. Practical De- guages can omit some function arguments in order to de- pendent Type Checking using Twin Types. In Proceedings of the 5th ACM SIGPLAN International Workshop on Type-Driven Devel- crease the code size and improve readability. Type checking opment (TyDe ’20), August 23, 2020, Virtual Event, USA. ACM, New such a program involves filling in each of these implicit ar- York, NY, USA, 13 pages. https://doi.org/10.1145/3406089.3409030 guments in a type-correct way. This is typically done using some form of unification. One approach to unification, taken by Agda, involves sometimes starting to unify terms before their types are known to be equal: in some cases one can make progress 1 Introduction on unifying the terms, and then use information gleaned in Dependent types are the basis of programming lan- this way to unify the types. This flexibility allows Agda to guages/proof assistants such as Agda, Coq, Idris, Lean and solve implicit arguments that are not found by several other Matita. Such languages typically allow users to omit pieces systems. However, Agda’s implementation is buggy: some- of code, like certain function arguments: this can make code times the solutions chosen are ill-typed, which can cause easier to read and write. Type checking such a program in- the type checker to crash. cludes finding type-correct terms for the omitted pieces of With Gundry and McBride’s twin variable technique one code, and this tends to involve solving higher-order unifica- can also start to unify terms before their types are known to tion problems, which in general is undecidable [14]. Further- be equal, and furthermore this technique is accompanied by more, even if one can find all solutions there might not bea correctness proofs. However, so far this technique has not most general one. If a solution which is not a most general been tested in practice as part of a full type checker. one is picked, then the program might not have the meaning We have reformulated Gundry and McBride’s technique that the programmer intended. without twin variables, using only twin types, with the Some systems, for instance Coq [33], sometimes solve aim of making the technique easier to implement in exist- constraints even if there is not a most general solution. This ing type checkers (in particular Agda). We have also intro- approach can still be predictable, if programmers are famil- duced a type-agnostic syntactic equality rule that seems to iar with the workings of the unification algorithm. Ziliani be useful in practice. The reformulated technique has been and Sozeau [33] argue that even if there is no most general tested in a type checker for a tiny variant of Agda. This type solution there could still be a most natural one, but they checker handles at least one example that Coq, Idris, Lean also claim that the algorithm used in one version of Coq is and Matita cannot handle, and does so in time and space unpredictable, and suggest changes to it. comparable to that used by Agda. This suggests that the re- In another approach solutions are only chosen if they are formulated technique is usable in practice. unique or most general. This approach is for instance taken by Agda (ignoring bugs). The approach has the advantage CCS Concepts: • Theory of computation → . that one does not need to know details of the unification algorithm, such as in what order different things are done, Keywords: type checking, unification, dependent types in order to understand a piece of code. Thus there is perhaps less need to make the unification algorithm predictable to users. A drawback is that sometimes “natural” solutions are TyDe ’20, August 23, 2020, Virtual Event, USA not found. © 2020 Copyright held by the owner/author(s). Publication rights licensed In §2.4 we discuss an example, based on “real” code, to ACM. which is handled by Agda, but for which Coq, Idris, Lean This is the author’s version of the work. It is posted here for your personal and Matita all fail. Agda handles this example because it use. Not for redistribution. The definitive Version of Record was published can start unifying terms before their types are known to be in Proceedings of the 5th ACM SIGPLAN International Workshop on Type- Driven Development (TyDe ’20), August 23, 2020, Virtual Event, USA, https: equal, and in the case of this example work on the terms //doi.org/10.1145/3406089.3409030. uncovers information which is used to unify the types. Un- fortunately this part of Agda is buggy [4, 20]. TyDe ’20, August 23, 2020, Virtual Event, USA Víctor López Juan and Nils Anders Danielsson

Gundry and McBride’s technique with twin types and The first (implicit) argument to replicate determines the twin variables [13] also makes it possible to start unifying length of the resulting vector: replicate {푛 = 5} (−4) gives terms before their types are known to be equal, and further- [−4, −4, −4, −4, −4]. If the argument is not given explic- more Gundry presents correctness proofs [12]. However, so itly, then an attempt is made to infer it from the context: far this technique has not been tested in practice as part of replicate (−4) ∶ Vec 3 Int gives [−4, −4, −4]. a full type checker. In some cases it may not be possible to determine We believe that these are our main contributions: the length uniquely. Let us assume that there is a func- tion rotate90, which rotates a vector 90 degrees clockwise • We present the first implementation of a twin type (rotate90 [1, 2] = [−2, 1]), and a command print, which approach in a type checker for a dependently typed prints a vector, and consider the program main: language (we adapted a pre-existing type checker for a tiny variant of Agda, called Tog [24]). rotate90 ∶ Vec 2 Int → Vec 2 Int • We use a reformulation of the approach of Gundry print ∶ {푛 ∶ Nat} → Vec 푛 Int → IO () and McBride without twin variables. This might make main ∶ IO () the approach a little easier to adopt in existing type main = do checkers that do not already use twin variables, be- print (rotate90 (replicate 1)) cause there might be less need to modify the grammar print (replicate 6) of terms or the algorithms that manipulate them. • The approach can handle at least one example thatis It is easy to figure out that the vector returned by replicate 1 handled by Agda (2.6.1) but not by Coq (8.11.0), Idris should have length 2, and thus print (rotate90 (replicate 1)) (1.3.2), Lean (3.4.2) or Matita (0.99.3); see §2.4. outputs [−1, 1]. However, there is nothing that constrains • A small case study (§4) based on “real” code that a the length of the vector returned by replicate 6. previous version of Agda struggled with suggests that For underspecified programs of this kind we do not want the approach might be feasible in practice: the perfor- the type checker to fill in arbitrary type-correct terms: we mance is similar to that of Agda 2.6.1. do not want it to make unforced choices on behalf of the • We introduce a notion of heterogeneous equality programmer. This applies not only to programs, but also (§3.2) that enables a type-agnostic syntactic equality to statements of theorems, and—in proof-relevant settings— rule (Rule Schema 1). Benchmarks suggest that use of bodies of proofs. (We do not claim that any this rule can, at least in some cases, improve perfor- in use today would make an unforced choice in this partic- mance (§4.2). ular case, this is a contrived example used to illustrate our point.) The text is based on the first author’s forthcoming licen- tiate thesis [18]. The thesis contains detailed proofs ofthe 2.2 Constraints and Solutions main results stated in this paper. However, note that the In our development all judgments about terms and types type theory uses a type-in-type axiom. The results have are formulated with respect to a signature. A signature Σ been proved under the assumption that certain properties contains atom declarations (핒 ∶ 퐴), corresponding to Agda hold, and these properties may not hold for the type the- postulates, and metavariable declarations, where a metavari- ory as given, with the type-in-type axiom. Furthermore the able is either just declared (훼 ∶ 퐴), or declared and instanti- proofs are not machine-checked, and due to their size we ated (훼 ≔ 푡 ∶ 퐴): acknowledge that it is likely that they contain errors. For Σ ∶∶= · | Σ, 핒 ∶ 퐴 | Σ, 훼 ∶ 퐴 | Σ, 훼 ≔ 푡 ∶ 퐴 these reasons we do not claim that the presented approach is correct. We have also not proved that the program used Metavariables can be introduced by the type checker (omit- for the benchmarks implements the theory correctly. ted implicit arguments are often turned into metavariables), or by the unifier (when it “kills” metavariable arguments, 2 Unification see §3.3.2). According to Mazzoli and Abel [23] dependent type Let us begin by discussing our approach to unification in checking with metavariables can be reduced to solving more detail. For the examples in this section we use a syntax a set of higher-order unification constraints of the form inspired by those of Agda and Haskell. ? Γ푖 ⊢ 푡푖 ∶ 퐴푖 ≡ 푢푖 ∶ 퐵푖 with a common signature Σ, where all the constraints are well-typed with respect to Σ: 2.1 Unique Solutions Σ; Γ푖 ⊢ 푡푖 ∶ 퐴푖 and Σ; Γ푖 ⊢ 푢푖 ∶ 퐵푖. As an example, consider the function replicate, which re- A solution to a higher-order unification problem is an turns a vector (a list of fixed length) repeating an element: assignment of terms of appropriate types to all the unin- stantiated metavariables in Σ, yielding a signature Σ′ for replicate ∶ {푛 ∶ Nat} → Int → Vec 푛 Int which all the constraints hold (that is, for each constraint Practical Dependent Type Checking using Twin Types TyDe ’20, August 23, 2020, Virtual Event, USA

? ′ Γ푖 ⊢ 푡푖 ∶ 퐴푖 ≡ 푢푖 ∶ 퐵푖 we have Σ ;Γ푖 ⊢ 퐴푖 ≡ 퐵푖 type and the term and the type. The following example is a reduced ′ ′ Σ ;Γ푖 ⊢ 푡푖 ≡ 푢푖 ∶ 퐴푖). Σ may contain additional metavari- version of one of these constraints: ables as long as they are instantiated. Example 2.2. BoolOp is a type of optional booleans, and Let us now discuss two goals for our unification algo- get is a function that returns the boolean, if any: rithm: we want to ensure that the algorithm can apply a wide range of techniques (for instance out of order unifi- data BoolOp ∶ Set where get ∶ BoolOp → Bool cation), but at the same time we want to avoid producing None ∶ BoolOp get None = true solutions that are ill-typed. Some ∶ Bool → BoolOp get (Some 푥) = 푥

2.3 Goal #1: Well-Typedness The following constraint is well-formed with respect to the As mentioned above metavariable solutions should be well- signature Σ ≝ 픽 ∶ Bool → Set, 훼 ∶ Bool → BoolOp: typed. However, we do not want to repeatedly check that 푥 ∶ Bool ⊢휆푦.None ∶ 픽 (get (훼 푥)) → BoolOp ≡? all terms are well-typed. Instead we assume that we start ■ with a well-formed signature and well-formed constraints, 휆푦.(훼 푥) ∶ 픽 true → BoolOp and aim to maintain well-typedness as an invariant of the Solving the problem in Example 2.2 entails finding a term unification algorithm. 푡 such that Σ′ ≝ 픽 ∶ Bool → Set, 훼 ≔ 푡 ∶ Bool → BoolOp The current implementation of Agda sometimes con- is well-formed and the following two equalities hold: structs ill-typed solutions, which can lead to crashes. The Σ′; 푥 ∶ Bool ⊢ 픽 (get (훼 푥)) → BoolOp ≡ following example is taken from a currently open bug re- 픽 → ∶ port [20]: true BoolOp Set (1) Σ′; 푥 ∶ Bool ⊢ (휆푦.None) ≡ Example 2.1. Consider the following two functions: (휆푦.(훼 푥)) ∶ 픽 (get (훼 푥)) → BoolOp (2) 퐹 ∶ Bool → Set 푓 ∶ (푥 ∶ Bool) → 퐹 푥 → Nat The first equality (1) does not contain enough information 퐹 false = Bool 푓 false false = 0 to determine 푡; both 푡 = 휆푥.None and 푡 = 휆푥.Some true 퐹 true = Nat 푓 false true = 1 are possible. The second equality (2) does contain enough 푓 true 푥 = 2 information (the only solution is 푡 = 휆푥.None), but the term Using these functions we can form the following con- 휆푦.(훼 푥) is compared at the type 픽 (get (훼 푥)) → BoolOp, straints, which are well-formed with respect to the which is not its original one (픽 true → BoolOp). signature 픻 ∶ Nat → Set, 훼 ∶ Nat → Set, 훽 ∶ Nat → Bool: We ported this example to five different proof assistants, and found that Agda (2.6.1) instantiated 훼, but none of Coq · ⊢ (푥 ∶ Nat) → 훼 푥 ∶ Set ≡? (8.11.0), Idris (1.3.2), Lean (3.4.2), or Matita (0.99.3). Perhaps (푥 ∶ 퐹 (훽 0)) → 픻 (푓 (훽 0) 푥) ∶ Set the proof assistants that did not instantiate 훼 do not unify terms unless they are known to have the same types. · ⊢ 훽 ∶ Nat → Bool ≡? 휆푥.false ∶ Nat → Bool ■ 2.5 Twin Types When tackling the constraints in Example 2.1 Agda first makes 훼 푥 and 픻 (푓 (훽 0) 푥) equal by instantiating 훼 (of Gundry and McBride [13, 12] propose a heterogeneous ap- type Nat → Set) to 휆푥.픻 (푓 (훽 0) 푥) (of type 퐹 (훽 0) → Set). proach to unification, in which constraints have two types, Then it solves the second constraint by instantiating 훽 to one for each side. They also use twin variables, variables 휆푥.false, thus rendering the instantiation of 훼 ill-typed. The with two types ( ̂푥∶ 퐴1‡퐴2), where syntax is used to specify end result is the ill-typed solution 픻 ∶ Nat → Set, 훼 ≔ the type of a specific use of a variable ( ́푥∶ 퐴1 and ̀푥∶ 퐴2). 휆푥.픻 (푓 false 푥) ∶ Nat → Set, 훽 ≔ 휆푥.false ∶ Bool → Set. We propose a variant of this approach in which twin types Note that Agda unifies 훼 푥 and 픻 (푓 (훽 0) 푥) without (퐴1‡퐴2) are only used for constraints and twin variables are knowing that the terms have the same type. Another ap- not used: the type of each occurrence of a variable is instead proach is to only unify terms with equal types. However, determined by the side it occurs on. If twin types are only this could be restrictive in practice, as we explain in the fol- used for constraints, then it might be a little easier to adapt lowing section. existing type checkers to use this approach. In our setting each original well-formed constraint ofthe ? 2.4 Goal #2: Out of Order Unification form Γ ⊢ 푡 ∶ 퐴 ≡ 푢 ∶ 퐵 is elaborated into two well-formed internal constraints, one for the types (Çà ⊢ 퐴 ≅? 퐵 ∶ McBride [25] describes a method for representing depen- Set‡Set) and one for the terms (Çà ⊢ 푡 ≅? 푢 ∶ 퐴‡퐵). The dently typed languages inside dependently typed languages. resulting constraints form an internal unification problem. We have used some programs based on this method in our benchmarks (see §4.2). Some of these programs yield uni- Definition 2.3 (Internal unification problem). An internal fication constraints in which metavariables appear both in (unification) problem is of the form Σ; 풞,⃗ where for each TyDe ’20, August 23, 2020, Virtual Event, USA Víctor López Juan and Nils Anders Danielsson

⃗ ? 풞 ∈ 풞, 풞 has the form Γ1‡Γ2 ⊢ 푡 ≅ 푢 ∶ 퐴‡퐵. The problem axiom. When we write 푡[푢/푥] or 푡 @ ⃗푒 we implicitly as- is well-formed if the signature is well-formed and, for each sume that the process terminates for that particular choice ? ⃗ constraint Γ1‡Γ2 ⊢ 푡 ≅ 푢 ∶ 퐴‡퐵 ∈ 풞, Γ1 and Γ2 have the of terms. The notation 푡[푢] is shorthand for 푡[푢/0]. same length, and we have Σ; Γ1 ⊢ 푡 ∶ 퐴 and Σ; Γ2 ⊢ 푢 ∶ 퐵. Definition 3.1 (Signature). The following rules define (in- ′ ductively) when a signature is well-formed: Notation (Twin context). Given two contexts Γ1 = Γ1, 퐴1 ′ empty and Γ2 = Γ2, 퐴2 of the same length we may write Γ1‡Γ2 · ′ ′ sig as Γ1‡Γ2, 퐴1‡퐴2. Σ sig 핒 is fresh in Σ Σ; · ⊢ 퐴 type The unification problem in Example 2.2 corresponds to atom-decl Σ, 핒 ∶ 퐴 sig the well-formed internal problem Σ; 풞1, 풞2, with 풞1 and 풞2 Σ sig 훼 is fresh in Σ Σ; · ⊢ 퐴 type defined as follows: meta-decl Σ, 훼 ∶ 퐴 ? sig 풞1 ≝ 푥 ∶ Bool‡Bool ⊢ 픽 (get (훼 푥)) → BoolOp ≅ Σ, 훼 ∶ 퐴 sig Σ; · ⊢ 푡 ∶ 퐴 픽 true → BoolOp ∶ Set‡Set meta-inst ? Σ, 훼 ≔ 푡 ∶ 퐴 sig 풞2 ≝ 푥 ∶ Bool‡Bool ⊢ 휆푦.None ≅ 휆푦.(훼 푥) ∶ (픽 (get (훼 푥)) → BoolOp)‡(픽 true → BoolOp) The syntaxes of contexts and terms are not given explic- itly, but they can be read off from the typing rules. All constraints are well-formed, so constraint 풞2 can be tack- led immediately. If 훼 is instantiated with 휆푦.None, then the Definition 3.2 (Context). Σ ⊢ Γ ctx means that the con- two sides of the constraint become heterogeneously equal, as text Γ is well-formed with respect to the signature Σ: defined in §3.2. (This example is discussed further in§3.5.) Σ sig Σ ⊢ Γ ctx Σ; Γ ⊢ 퐴 type Σ ⊢ · ctx Σ ⊢ Γ, 퐴 ctx 3 Dependent Type Checking using Twin Definition 3.3 (Term and neutral term). Σ; Γ ⊢ 푡 ∶ 퐴 Types means that the term 푡 has type 퐴 in context Γ and signa- In this section we describe some details of our approach ture Σ, see Figure 1. We use 푡, 푢, …, 퐴, 퐵‚… or 푓 to denote from a more technical point of view. terms. Terms of the form ℎ , ⃗푒 where the head ℎ is of the form 푛, 핒, 훼 or if and each eliminator in ⃗푒 is of the form 푡, .휋1 or 3.1 Language .휋2, are called neutral terms, and denoted by 푓. We describe a type theory that is based on our implementa- Notation. We may use (푥 ∶ 퐴) → 퐵 or 퐴 → 퐵 instead of tion. It is an intensional type theory with Π-types, Σ-types, Π퐴퐵, and (푥 ∶ 퐴) × 퐵 or 퐴 × 퐵 instead of Σ퐴퐵. η-equality, metavariables and large elimination from Bool. The goal is to have a theory with a small number ofcon- Definition 3.4 (Judgmental equality of terms, types and structs which still gives rise to some of the type-checking contexts). Σ; Γ ⊢ 푡 ≡ 푢 ∶ 퐴 means that the terms 푡 and problems that occur in a full-fledged proof assistant. 푢 are judgmentally equal at type 퐴. Some, but not all, rules For simplicity we use a single universe Set with a type-in- of this relation are given in Figure 2. type axiom. Below we state some properties without proofs Statement 1 (Piecewise well-formedness of judgments). If (e.g. Statement 1). Some of these properties may not hold in Σ; Γ ⊢ 푡 ∶ 퐴, then Σ ⊢ Γ ctx and Σ sig. If Σ; Γ ⊢ 푡 ≡ 푢 ∶ 퐴, the presence of the type-in-type axiom, but we hope they then Σ; Γ ⊢ 푡 ∶ 퐴 and Σ; Γ ⊢ 푢 ∶ 퐴. would hold in a properly stratified version of the theory. In order to stay close to our implementation we represent Statement 2. The relations Σ ⊢ _ ≡ _ ctx, Σ; Γ ⊢ _ ≡ variables using de Bruijn indices (0, 1, 2, …). Indices are ma- _ type and Σ; Γ ⊢ _ ≡ _ ∶ 퐴 are reflexive, symmet- nipulated using weakenings (푡(+푛), increment all indices by ric and transitive with respect to the sets {Γ | Σ ⊢ Γ ctx}, 푛) and renamings (푡[ ⃗푥↦ ⃗푦], replace each variable in ⃗푥 with {퐴 | Σ; Γ ⊢ 퐴 type} and {푡 | Σ; Γ ⊢ 푡 ∶ 퐴}, respectively. the corresponding variable in ,⃗푦 where ⃗푥 and ⃗푦 are lists of (푡) indices of the same length). Notation. We use fv to denote the set of free variables 푡 (휆.(3 0)) = {2} (Δ ⊢ 푡 ∶ 푈) Terms are in β-normal form (following the implemen- of (e.g. fv ). Similarly fv is Δ ⊢ 푡 ∶ 푈 tation of Agda). We use hereditary substitution (푡[푢/푥]) used to denote the set of free variables of (e.g. (픸, 픹 3 ⊢ 9 1 ∶ ℂ) = {7, 2} and application (푡 @) ⃗푒 operations that preserve the in- fv ). variant that terms are in β-normal form [32, 6]. For in- Notation. We use metas(푡) to denote the set of metavari- stance, (푥 푦1 푦2)[휆푧1.휆푧2.푧1/푥] ≝ (휆푧1.휆푧2.푧1) @ 푦1 푦2 ≝ ables occurring in a term (e.g. metas(휆.휆.(훼 핓)) = {훼}), (휆푧2.푧1)[푦1/푧1] @ 푦2 ≝ (휆푧2.푦1) @ 푦2 ≝ 푦1[푦2/푧2] ≝ 푦2. consts(푡) to denote the set of atoms and metavariables Hereditary substitution and application are deterministic, (e.g. consts(휆.휆.(훼 핓)) = {훼, 핓}), and we let decls(Σ) = but are not guaranteed to terminate due to the type-in-type {핒 | 핒 ∶ 퐴 ∈ Σ} ∪ {훼 | 훼 ∶ 퐴 ∈ Σ ∨ 훼 ≔ 푡 ∶ 퐴 ∈ Σ}. Practical Dependent Type Checking using Twin Types TyDe ’20, August 23, 2020, Virtual Event, USA

Σ ⊢ Γ ctx Σ; Γ ⊢ 퐴 ∶ Set Σ; Γ, 퐴 ⊢ 퐵 ∶ Set bool pi Σ; Γ ⊢ Bool ∶ Set Σ; Γ ⊢ Π퐴퐵 ∶ Set Σ; Γ ⊢ 퐴 ∶ Set Σ; Γ, 퐴 ⊢ 퐵 ∶ Set Σ ⊢ Γ ctx Σ; Γ ⊢ 퐴 ∶ Set sigma set type Σ; Γ ⊢ Σ퐴퐵 ∶ Set Σ; Γ ⊢ Set ∶ Set Σ; Γ ⊢ 퐴 type Σ ⊢ Γ ctx Σ ⊢ Γ ctx Σ; Γ, 퐴 ⊢ 푡 ∶ 퐵 tRue false abs Σ; Γ ⊢ true ∶ Bool Σ; Γ ⊢ false ∶ Bool Σ; Γ ⊢ 휆.푡 ∶ Π퐴퐵 Σ; Γ ⊢ 푡 ∶ 퐴 Σ; Γ, 퐴 ⊢ 퐵 type Σ; Γ ⊢ 푢 ∶ 퐵[푡] Σ; Γ ⊢ 푡 ∶ 퐴 Σ; Γ ⊢ 퐴 ≡ 퐵 type paiR conv Σ; Γ ⊢ ⟨푡, 푢⟩ ∶ Σ퐴퐵 Σ; Γ ⊢ 푡 ∶ 퐵

Σ ⊢ Γ ctx Γ = Γ1, 퐴, Γ2 푛 = |Γ2| Σ ⊢ Γ ctx 핒 ∶ 퐴 ∈ Σ vaR atom Σ; Γ ⊢ 푛 ⇒ 퐴(+(푛+1)) Σ; Γ ⊢ 핒 ⇒ 퐴 Σ ⊢ Γ ctx 훼 ∶ 퐴 ∈ Σ Σ ⊢ Γ ctx 훼 ≔ 푡 ∶ 퐴 ∈ Σ Σ ⊢ Γ ctx meta1 meta2 if Σ; Γ ⊢ 훼 ⇒ 퐴 Σ; Γ ⊢ 훼 ⇒ 퐴 Σ; Γ ⊢ if ⇒ 푇if Σ; Γ ⊢ ℎ ⇒ 퐴 Σ; Γ ⊢ 푓 ∶ Σ퐴퐵 Σ; Γ ⊢ 푓 ∶ Σ퐴퐵 head pRoj1 pRoj2 Σ; Γ ⊢ ℎ ∶ 퐴 Σ; Γ ⊢ 푓 .휋1 ∶ 퐴 Σ; Γ ⊢ 푓 .휋2 ∶ 퐵[푓 .휋1] Σ; Γ ⊢ 푓 ∶ Π퐴퐵 Σ; Γ ⊢ 푡 ∶ 퐴 app Σ; Γ ⊢ 푓 푡 ∶ 퐵[푡]

Figure 1. Typing rules for terms. 푇if ≝ Π(ΠBoolSet)(ΠBool(Π(1 true)(Π(2 false)(3 2)))), or, informally, (푋 ∶ Bool → Set) → (푧 ∶ Bool) → 푋 true → 푋 false → 푋 푧.

Σ; Γ ⊢ 푓 ∶ Π퐴퐵 Σ; Γ ⊢ 푓 ∶ Σ퐴퐵 eta-abs (+1) eta-paiR Σ; Γ ⊢ 푓 ≡ 휆.푓 0 ∶ Π퐴퐵 Σ; Γ ⊢ 푓 ≡ ⟨푓 .휋1, 푓 .휋2⟩ ∶ Σ퐴퐵 Σ; Γ ⊢ 훼 ⃗푒∶ 푇 훼 ≔ 푡 ∶ 퐴 ∈ Σ Σ; Γ ⊢ (푡 @ ⃗푒)∶ 푇 delta-meta Σ; Γ ⊢ 훼 ⃗푒≡ (푡 @ ⃗푒)∶ 푇 Σ; Γ ⊢ if 퐴 true 푢 푢 ⃗푒∶ 푇 Σ; Γ ⊢ (푢 @ ⃗푒)∶ 푇 t f t delta-if-tRue Σ; Γ ⊢ if 퐴 true 푢t 푢f ⃗푒≡ (푢t @ ⃗푒)∶ 푇 Σ; Γ ⊢ if 퐴 false 푢 푢 ⃗푒∶ 푇 Σ; Γ ⊢ (푢 @ ⃗푒)∶ 푇 t f f delta-if-false Σ; Γ ⊢ if 퐴 false 푢t 푢f ⃗푒≡ (푢f @ ⃗푒)∶ 푇 Σ; Γ ⊢ 푡 ≡ 푢 ∶ 퐴 Σ; Γ ⊢ 퐴 ≡ 퐵 type conv-eq Σ; Γ ⊢ 푡 ≡ 푢 ∶ 퐵 Σ ⊢ Γ1 ≡ Γ2 ctx Σ; Γ ⊢ 퐴 ≡ 퐵 ∶ Set ctx-empty-eq type-eq Σ ⊢ · ≡ · Σ; Γ1 ⊢ 퐴1 ≡ 퐴2 type Σ; Γ ⊢ 퐴 ≡ 퐵 type ctx ctx-vaR-eq Σ ⊢ Γ1, 퐴1 ≡ Γ2, 퐴2 ctx

Figure 2. Judgmental equality for terms, types and contexts

3.2 A Heterogeneous Notion of Equality and 푢 are heterogeneously equal with witness 푣, and write As explained in §2.4 we want to unify terms before their Σ; Γ1‡Γ2 ⊢ 푡 ≅{푣}≅ 푢 ∶ 퐴‡퐵. We may also omit 푣 and types are known to be equal. To make sense of what it means write Σ; Γ1‡Γ2 ⊢ 푡 ≅ 푢 ∶ 퐴‡퐵. for two terms of potentially different types to be equal, we Remark 3.6. The heterogeneous equality is symmetric and introduce a notion of heterogeneous equality. satisfies the following form of reflexivity: given Σ; Γ ⊢ 푡 ∶ 퐴 we have Σ; Çà ⊢ 푡 ≅{푡}≅ 푡 ∶ 퐴‡퐴. Definition 3.5 (Heterogeneous equality). If 푡 and 푢 are terms such that Σ; Γ1 ⊢ 푡 ∶ 퐴 and Σ; Γ2 ⊢ 푢 ∶ 퐵, Remark 3.7. If Σ; Γ1‡Γ2 ⊢ 푡 ≅{푣}≅ 푢 ∶ 퐴‡퐵, then by and there exists a term 푣 such that Σ; Γ1 ⊢ 푡 ≡ 푣 ∶ 퐴, Definition 3.5 and Statement 1, we have Σ; Γ1 ⊢ 푣 ∶ 퐴 and Σ; Γ2 ⊢ 푢 ≡ 푣 ∶ 퐵 and fv(푣) ⊆ fv(푡) ∩ fv(푢) (the Σ; Γ2 ⊢ 푣 ∶ 퐵. However, this does not mean that Σ ⊢ Γ1 ≡ latter called the interpolant property), then we say that 푡 Γ2 ctx, or Σ, Γ1 ⊢ 퐴 ≡ 퐵 type. For example (using variable TyDe ’20, August 23, 2020, Virtual Event, USA Víctor López Juan and Nils Anders Danielsson names for clarity), let Σ ≝ 픸 ∶ Set, 픹 ∶ Set, 퐴 ≝ 픸 → 픸, Rule Schema 9 (Rigid-rigid unification). If ℎ ⃗푒 and ℎ 푒⃗⃗⃗⃗⃗⃗′ are ′ 퐵 ≝ 픹, Γ1 ≝ 푥 ∶ 퐵, 푧 ∶ 퐴 and Γ2 ≝ 푥 ∶ 퐴, 푧 ∶ 퐵. Then strongly neutral; | ⃗푒|= |푒⃗⃗⃗⃗⃗⃗| = 푛; 퐽 ⊆ {1, …, 푛}; for each ′ ′ we have Σ; Γ1‡Γ2 ⊢ ⟨푥, 휆푦.푧 푦⟩ ≅{⟨푥,푧⟩}≅ ⟨휆푦.푥 푦, 푧⟩ ∶ 푖 ∈ {1, …, 푛} − 퐽 either 푒푖 = 푒푖 = .휋1 or 푒푖 = 푒푖 = .휋2; ′ ′ (퐵 × 퐴)‡(퐴 × 퐵). and for each 푖 ∈ 퐽 there exist 푡푖, 푢푖, 퐵푖, 퐶푖, 퐵푖, 퐶푖 such that 푒 = 푡 푒′ = 푢 Σ; Γ ⊢ ℎ ⃗푒 ∶ Π퐵 퐶 Σ; Γ′ ⊢ We use Definition 3.5 to formulate the soundness of the 푖 푖, 푖 푖, 1,…,푖−1 푖 푖 and ⃗⃗⃗⃗⃗⃗′ ′ ′ ′ ⃗⃗⃗⃗⃗⃗′ ′ rules given in the following section (Definition 3.14), and, in ℎ 푒 1,…,푖−1 ∶ Π퐵푖퐶푖 , then Σ;Çà ⊢ ℎ ⃗푒≈ ℎ 푒 ∶ 푇 ‡푇 ⇝ Σ; ⋀ Γ‡Γ′ ⊢ 푡 ≈ 푢 ∶ 퐵 ‡퐵′ particular, to describe the conditions under which metavari- 푖∈퐽 푖 푖 푖 푖 ables are instantiated (Rule Schema 11). Some unification rules modify the signature by i) adding 3.3 A Rule Schema Toolkit new metavariable declarations, ii) instantiating existing metavariables, iii) reordering signature entries or iv) replac- Each step of our unification algorithm consists of the appli- ing terms with convertible terms. We call the result of these cation of a (rewrite) rule to a signature and/or one or more operations a signature extension. constraints, producing a new signature and new constraints. ′ Definition 3.8 (Rule). A rule is a four-tuple of the form Definition 3.10 (Signature extension: Σ ⊑ Σ ). We say ′ ′ ′ Σ; 풞⃗ ⇝ Σ′; 풟⃗, where Σ and Σ′ are signatures, and 풞⃗ and that Σ extends Σ (written Σ ⊒ Σ or Σ ⊑ Σ ), iff Σ sig, Σ′ sig and Σ ⊑′ Σ′, where ⊑′ is defined inductively: 풟⃗ are lists of internal constraints. A rule schema is a family ′ of rules. (i) Σ1,Σ2 ⊑ Σ1, 훼 ∶ 퐴, Σ2 (ii) Σ , 훼 ∶ 퐴, Σ ⊑′ Σ , 훼 ≔ 푡 ∶ 퐴, Σ In this section we list some of the rules that are used in the 1 2 1 2 (iii) Σ ⊑′ Σ if Σ ⊑ Σ and Σ ⊑ Σ algorithm (we do not have room to list all of them). These 1 3 1 2 2 3 (iv) Σ , 핒 ∶ 퐴, Σ ⊑′ Σ , 핒 ∶ 퐴′,Σ if Σ ; · ⊢ 퐴 ≡ rules are adaptations to our setting of rules that are used in 1 2 1 2 1 퐴′ type other developments. ′ ′ (v) Σ1, 훼 ∶ 퐴, Σ2 ⊑ Σ1, 훼 ∶ 퐴 ,Σ2 if Σ1; · ⊢ 퐴 ≡ Notation. When writing down a list of constraints, we may 퐴′ type ′ ′ use ∧ as a separator (instead of a comma), and □ to stand (vi) Σ1, 훼 ≔ 푡 ∶ 퐴, Σ2 ⊑ Σ1, 훼 ≔ 푡 ∶ 퐴 ,Σ2 if Σ1; · ⊢ for an empty such list. 퐴 ≡ 퐴′ type (vii) Σ , 훼 ≔ 푡 ∶ 퐴, Σ ⊑′ Σ , 훼 ≔ 푡′ ∶ 퐴, Σ if Σ ; · ⊢ Rule Schema 1 (Syntactic equality). Σ; Γ‡Γ′ ⊢ 푡 ≈ 푡 ∶ 1 2 1 2 1 푡 ≡ 푡′ ∶ 퐴 퐴‡퐴′ ⇝ Σ; □ (viii) Σ ⊑′ Σ′ if Σ′ is a (possibly trivial) reordering of Σ Rule Schema 2 (λ-abstraction). Σ; Γ‡Γ′ ⊢ 휆.푡 ≈ 휆.푢 ∶ Π퐴퐵‡Π퐴′퐵′ ⇝ Σ; Γ‡Γ′, 퐴‡퐴′ ⊢ 푡 ≈ 푢 ∶ 퐵‡퐵′ Definition 3.10 is intended to justify Statement 3: Rule Schema 3 (Term conversion). Σ; Γ‡Γ′ ⊢ 푡 ≈ 푢 ∶ Statement 3 (Signature extension). If Σ ⊢ Γ ctx, Σ; Γ ⊢ 퐴‡퐴′ ⇝ Σ; Γ‡Γ′ ⊢ 푡′ ≈ 푢 ∶ 퐴‡퐴′ where Σ; Γ ⊢ 푡 ≡ 퐴 type, Σ; Γ ⊢ 푡 ∶ 퐴, Σ; Γ ⊢ 퐴 ≡ 퐵 type or Σ; Γ ⊢ 푡 ≡ 푢 ∶ 푡′ ∶ 퐴 and fv(푡) ⊇ fv(푡′) 퐴 and Σ′ ⊒ Σ, then Σ′ ⊢ Γ ctx, Σ′; Γ ⊢ 퐴 type, Σ′; Γ ⊢ 푡 ∶ 퐴, Σ′; Γ ⊢ 퐴 ≡ 퐵 type or Σ′; Γ ⊢ 푡 ≡ 푢 ∶ 퐴, respectively. Rule Schema 4 (Injectivity of Π). Σ; Γ‡Γ′ ⊢ Π퐴퐵 ≈ Π퐴′퐵′ ∶ Set‡Set ⇝ Σ; Γ‡Γ′ ⊢ 퐴 ≈ 퐴′ ∶ Set‡Set ∧ Reordering and normalizing signature entries is allowed: Γ‡Γ′, 퐴‡퐴′ ⊢ 퐵 ≈ 퐵′ ∶ Set‡Set Rule Schema 10 (Signature conversion). Σ; □ ⇝ Σ′; □ Rule Schema 5 (Injectivity of Σ). Analogous to Rule where Σ ⊑ Σ′ and Σ ⊒ Σ′ Schema 4, replacing Π by Σ. 3.3.1 Metavariable Instantiation. Before instantiating Rule Schema 6 (Constraint symmetry). Σ; Γ‡Γ′ ⊢ 푡 ≈ 푢 ∶ 퐴‡퐴′ ⇝ Σ; Γ′‡Γ ⊢ 푢 ≈ 푡 ∶ 퐴′‡퐴 a metavariable we check that the types of the two sides are compatible. However, we do not want to do this for irrel- Rule Schema 7 (Type and context conversion). Σ; Γ‡Γ′ ⊢ evant entries in the context. For this reason we generalize ′ ′ ′ 푡 ≈ 푢 ∶ 퐴‡퐴 ⇝ Σ; Γ0‡Γ ⊢ 푡 ≈ 푢 ∶ 퐴0‡퐴 where the heterogeneous equality to contexts. (Gundry discusses Σ ⊢ Γ, 퐴 ≡ Γ0, 퐴0 ctx a similar idea [12, p. 69], but does not formalize it.) ′ Rule Schema 8 (Pairs). Σ; Çà ⊢ ⟨푡1, 푡2⟩ ≈ ⟨푢1, 푢2⟩ ∶ Definition 3.11 (Heterogeneous context equality for sets of ′ ′ ′ ′ ′ Σ퐴퐵‡Σ퐴 퐵 ⇝ Σ; Çà ⊢ 푡1 ≈ 푢1 ∶ 퐴‡퐴 ∧ Γ ‡ Γ ⊢ variables). Given 푋 ⊆ ℕ, let 푋−1 ≝ {푥−1|푥 ∈ 푋, 푥 > 0}. ′ 푡2 ≈ 푢2 ∶ 퐵[푡1]‡퐵 [푢1] If the contexts Γ1 and Γ2 are well-formed with respect to Definition 3.9 (Strongly neutral term). A neutral term 푓 Σ, then the following rules define when they are hetero- is strongly neutral if 푓 is of the form 푥 , ⃗푒 핒 , ⃗푒 or if , ⃗푒 where geneously equal with respect to the signature Σ and the in the last case either the length of ⃗푒 is less than 2, or the sets of variables 푋1 and 푋2, with Γ as witness (written second element in ⃗푒 (the boolean) is a strongly neutral term. Σ ⊢ Γ1 ≅{Γ}≅ Γ2). 푋1,푋2 Practical Dependent Type Checking using Twin Types TyDe ’20, August 23, 2020, Virtual Event, USA

Σ sig empty 3.3.2 Other Rules. The following rule, which is based on Σ ⊢ · ≅{· }≅∅,∅ · Abel and Pientka’s rule “Eliminating projections” [5], can be used to deal with metavariable arguments such as 푥 .휋1. 0 ∉ 푋1 ∪ 푋2 Σ ⊢ Γ1 ≅{Γ}≅ Γ2 (The rule is presented using named variables rather thande 푋1−1,푋2−1 unused Bruijn indices in order to make it easier to read.) Σ ⊢ Γ1, 퐴1 ≅{Γ, Set}≅ Γ2, 퐴2 푋1,푋2 Rule Schema 12 (Context variable currying). 0 ∈ 푋 − 푋 2 1 Σ; Γ1‡Γ2, 푥 ∶ Σ푥1 ∶ 푈1.푉1‡Σ푥1 ∶ 푈2.푉2,Δ1‡Δ2 ⊢ 푡1 ≈ Σ ⊢ Γ ≅{Γ}≅ Γ 푡 ∶ 퐴 ‡퐴 ⇝ Σ; Γ ‡Γ , 푥 ∶ 푈 ‡푈 , 푥 ∶ 푉 ‡푉 ,Δ′ ‡Δ′ 1 푋 −1,(푋 −1)∪fv(퐴 ) 2 2 1 2 1 2 1 1 2 2 1 2 1 2 1 2 2 used-R ′ ′ ′ ′ ⊢ 푡1 ≈ 푡2 ∶ 퐴1‡퐴2 Σ ⊢ Γ1, 퐴1 ≅{Γ,퐴2}≅푋 ,푋 Γ2, 퐴2 ′ ′ ′ 1 2 where Δ1 = Δ1[⟨푥1, 푥2⟩/푥], 푡1 = 푡1[⟨푥1, 푥2⟩/푥], 퐴1 = ′ ′ 0 ∈ 푋 − 푋 퐴1[⟨푥1, 푥2⟩/푥], Δ2 = Δ2[⟨푥1, 푥2⟩/푥], 푡2 = 푡2[⟨푥1, 푥2⟩/푥], 1 2 퐴′ = 퐴 [⟨푥 , 푥 ⟩/푥] Σ ⊢ Γ ≅{Γ}≅ Γ 2 2 1 2 1 (푋 −1)∪fv(퐴 ),푋 −1 2 1 1 2 used-l Other rules proposed by Abel and Pientka [5] and Gundry Σ ⊢ Γ1, 퐴1 ≅{Γ,퐴1}≅ Γ2, 퐴2 푋1,푋2 and McBride [13, 12] can be used to remove (“kill”) elimina- tors from a metavariable-headed neutral term. This might 0 ∈ 푋 ∩ 푋 1 2 make it possible to make progress on some constraints. Σ; Γ1‡Γ2 ⊢ 퐴1 ≅{퐴}≅ 퐴2 ∶ Set‡Set These rules are called pruning [5, 12], same metavari- Σ ⊢ Γ1 ≅{Γ}≅ Γ2 able unification [5]/solving flex-flex equations by intersec- (푋1−1)∪fv(퐴1),(푋2−1)∪fv(퐴2) used tion [12], and flattening of Σ-types [5]/metavariable simpli- Σ ⊢ Γ1, 퐴1 ≅{Γ,퐴}≅ Γ2, 퐴2 푋1,푋2 fication [12]. We also use rules of this kind in the implemen- Here are more statements about the theory, and a lemma: tation. Statement 4 (Type of unused variables). If Σ; Γ ⊢ 퐵 type 3.4 A Correctness Property and Σ; Γ, 퐴, Δ ⊢ 푡 ∶ 푇 with 0 ∉ fv(Δ ⊢ 푡 ∶ 푇 ), then In this section we state correctness properties for rule Σ; Γ, 퐵, Δ ⊢ 푡 ∶ 푇 . This property generalizes to other judg- schemas, and for the overall unification algorithm. We also ments. sketch proofs of the soundness of some of the rule schemas. Statement 5 (Context conversion). If Σ; Γ ⊢ 퐵 type and Definition 3.13 (Constraint satisfaction). Given an inter- Σ; Γ, 퐴, Δ ⊢ 푡 ∶ 푇 with Σ; Γ ⊢ 퐴 ≡ 퐵 type, then nal problem Σ; 풞⃗ we say that Σ satisfies 풞⃗ (written Σ ∣≈ 풞)⃗ Σ; Γ, 퐵, Δ ⊢ 푡 ∶ 푇 . This property generalizes to other judg- if, for each constraint 풞 = Γ‡Γ′ ⊢ 푡 ≅? 푢 ∶ 퐴‡퐴′ ∈ 풞,⃗ we ments. have Σ; Γ‡Γ′ ⊢ 푡 ≅ 푢 ∶ 퐴‡퐴′. Lemma 3.12 (Typing in heterogeneously equal contexts). Definition 3.14 (Soundness of a rule schema). A rule Let 푡 and 푢 be terms such that Σ; Γ ⊢ 푡 ∶ 퐵 , Σ; Γ ⊢ 푢 ∶ 퐵 , 1 1 2 2 schema is sound if, for each rule Σ;풞⃗ ⇝ Σ′;풟⃗ in the with |Γ | = |Γ |. 1 2 schema such that Σ;풞⃗is a well-formed internal problem, we Assume that we have (i) Σ; Γ ‡Γ ⊢ 퐵 ≡{퐵}≡ 퐵 ∶ 1 2 1 2 have that (i) Σ ⊑ Σ′ (in particular, Σ′ sig), (ii) Σ′;풟⃗ is a Set‡Set and (ii) Σ ⊢ Γ1 ≡{Γ}≡ Γ2. ″ fv(푡)∪fv(퐵1),fv(푢)∪fv(퐵2) well-formed internal problem, and (iii) for every Σ with Then Σ; Γ ⊢ 푡 ∶ 퐵 and Σ; Γ ⊢ 푢 ∶ 퐵. Σ″ ⊒ Σ′, if Σ″ ∣≈ 풟⃗ then Σ″ ∣≈ 풞.⃗ Proof sketch. By induction on the derivation of (ii), using One of the aims of the definition of heterogeneous equal- Statements 4 and 5 and the interpolant property from Defi- ity (Definition 3.5) is to make Rule Schema 1 sound. nition 3.5. (See the first author’s licentiate thesis [18] for a detailed proof.) □ Lemma 3.15. Rule Schema 1 is sound. Notation. We use “휆푛.” to denote 푛 copies of the binder Proof. By the premises of Definition 3.14, Σ;풞⃗ is a well- “휆.”, and “ 푛⃗푥 ” to denote a vector of 푛 (not necessarily dis- formed internal problem. By Definition 2.3, Σ sig, Σ; Γ ⊢ tinct) variables. 푡 ∶ 퐴 and Σ; Γ′ ⊢ 푡 ∶ 퐴′. Rule Schema 11 (Metavariable instantiation). (i) By Definition 3.10, Σ ⊑ Σ. 푛 ′ Σ; Γ1‡Γ2 ⊢ 훼 ⃗푥 ≈ 푡 ∶ 퐵1‡퐵2 ⇝ Σ ;□ where (ii) We have Σ sig, and the problem Σ; □ has no con- Σ = Σ1, 훼 ∶ 퐴, Σ2, with consts(푡) ⊆ decls(Σ1), straints, so by Definition 2.3 the problem is well- ′ 푛 푛 Σ = Σ1, 훼 ≔ 휆 .(푡[ ⃗푥 ↦ 푛 − 1, …, 0]) ∶ 퐴, Σ2, formed. 푛 푛 ⃗푥 is a list of 푛 distinct variables, fv(푡) ⊆ ⃗푥 , (iii) Assume Σ″ ⊒ Σ. By Statement 3 we have Σ″; Γ ⊢ 푡 ∶ ″ ′ ′ Σ ⊢ Γ1 ≅{Γ}≅ Γ2 and {푥1,…,푥푛}∪fv(퐵1),fv(푡)∪fv(퐵2) 퐴 and Σ ;Γ ⊢ 푡 ≡ 푡 ∶ 퐴 . By reflexivity of equality ″ ″ ′ Σ; Γ1‡Γ2 ⊢ 퐵1 ≅{퐵}≅ 퐵2 ∶ Set‡Set (see Definition 3.4) Σ ; Γ ⊢ 푡 ≡ 푡 ∶ 퐴 and Σ ;Γ ⊢ TyDe ’20, August 23, 2020, Virtual Event, USA Víctor López Juan and Nils Anders Danielsson

′ ″ ′ ′ 푡 ≡ 푡 ∶ 퐴 . By Definition 3.5 we get that Σ ; Çà ⊢ Σ ⊢ Γ1 ctx. By Statement 11 and Statement 3 we ′ ′ 푛 ′ ′ 푡 ≅{푡}≅ 푡 ∶ 퐴‡퐴 (because fv(푡) ⊆ fv(푡) ∩ fv(푡)). By have Σ ;Γ1 ⊢ 휆 .푡 ∶ 퐴. By rule meta2 Σ ;Γ1 ⊢ 훼 ⇒ ″ □ ′ Definition 3.13 we can conclude that Σ ∣≈ 풞. 퐴. By Statement 3 and Statement 10 Σ ;Γ1 ⊢ 푡 ∶ 퐵1. ′ Thus, by rule delta-meta and Statement 3, Σ ;Γ1 ⊢ Statement 6 (λ inversion). If Σ; Γ ⊢ 휆.푡 ∶ Π퐴퐵, then ″ 훼 ⃗푥≡ 푡 ∶ 퐵1. By Statement 3 Σ ;Γ1 ⊢ 훼 ⃗푥≡ 푡 ∶ 퐵1. Σ; Γ, 퐴 ⊢ 푡 ∶ 퐵. ″ By reflexivity and Statement 3 we get that Σ ;Γ2 ⊢ Lemma 3.16. Rule Schema 2 is sound. 푡 ≡ 푡 ∶ 퐵2. Because fv(푡) ⊆ ⃗푥 we have fv(푡) ⊆ Proof sketch. fv(훼 ⃗푥)∩ fv(푡). By Definition 3.13 we can conclude ″ ⃗ 1. By the assumption that Σ;풞⃗ is well-formed we have that Σ ∣≈ 풞. □ Σ sig, and thus (by Definition 3.10) Σ ⊑ Σ. A solution to an internal unification problem may be pro- 2. By the same assumption Σ; Γ ⊢ 휆.푡 ∶ Π퐴퐵 and duced by chaining sound unification rules together. Σ; Γ′ ⊢ 휆.푢 ∶ Π퐴′퐵′, which by Statement 6 gives Σ; Γ, 퐴 ⊢ 푡 ∶ 퐵 and Σ; Γ′, 퐴′ ⊢ 푢 ∶ 퐵′. Because Definition 3.18 (Problem reduction). We say that the prob- Σ sig we get that Σ;풟⃗ is well-formed. lem Σ;ℰ⃗⃗⃗⃗ reduces to Σ′;ℰ⃗⃗⃗⃗⃗⃗⃗′ in one step (written Σ; ℰ⃗⃗⃗⃗ ⇝ ″ ′ ′ ′ 3. If Σ ; Çà , 퐴‡퐴 ⊢ 푡 ≅{푣}≅ 푢 ∶ 퐵‡퐵 then Σ′; ℰ⃗⃗⃗⃗⃗⃗⃗′), if ℰ⃗⃗⃗⃗ = ℰ⃗⃗⃗⃗⃗⃗⃗⃗ ∧ 풞⃗⃗⃗⃗⃗ ∧ ℰ⃗⃗⃗⃗⃗⃗⃗⃗, ℰ⃗⃗⃗⃗⃗⃗⃗′ = ℰ⃗⃗⃗⃗⃗⃗⃗⃗ ∧ 풟⃗⃗⃗⃗⃗⃗⃗ ∧ ℰ⃗⃗⃗⃗⃗⃗⃗⃗, and ″ ′ ′ ′ 1 2 1 2 Σ ; Çà ⊢ 휆.푡 ≅{휆.푣}≅ 휆.푢 ∶ Π퐴퐵‡Π퐴 퐵 (use Σ; 풞⃗⃗⃗⃗⃗ ⇝ Σ′; 풟⃗⃗⃗⃗⃗⃗⃗ is a unification rule. We say that the prob- □ the abs rule twice). lem Σ;ℰ⃗⃗⃗⃗reduces to Σ′;ℰ⃗⃗⃗⃗⃗⃗⃗′ if Σ;ℰ⇝⃗⃗⃗⃗⇝⋆ Σ′;ℰ⃗⃗⃗⃗⃗⃗⃗′, where _⇝⋆ _ is In §2.3 a metavariable is instantiated to a term of a mis- the reflexive, transitive closure of_ ⇝ _. matched type. The constraints placed on the metavariable The issue described in§2.3 can be avoided by using sound instantiation rule are intended to preclude this. rules. Statement 7 (Signature strengthening). If consts(Γ) ∪ Lemma 3.19 (Soundness of unification). If Σ; 풞⇝⃗⇝⋆ Σ′; □, consts(푡) ∪ consts(퐴) ⊆ decls(Σ ), and Σ; Γ ⊢ 푡 ∶ 퐴 1 Σ; 풞⃗ with Σ = Σ ,Σ for some Σ , then Σ ; Γ ⊢ 푡 ∶ 퐴. This prop- where is well-formed and each step in the sequence is 1 2 2 1 ′ ′ ′ ⃗ ⃗ erty generalizes to other judgments. a sound rule, then Σ sig, Σ ⊑ Σ and Σ ∣≈ 풞. If 풞 is elaborated from well-formed constraints (as in §2.5), then Σ′ Statement 8 (No extraneous constants). For any Σ, Γ and is a well-typed solution to the original problem as defined in 퐴, if Σ; Γ ⊢ 퐴 type, then consts(Γ) ∪ consts(퐴) ⊆ §2.2. decls(Σ). This generalizes to other judgments; in particular, Proof. By induction on the length of the sequence, using the if Σ1, 훼 ∶ 퐴, Σ2 sig then consts(퐴) ⊆ decls(Σ1). soundness of each rule. The second statement follows by Statement 9 (Typing of abstractions). If 훼 ∶ 퐴 ∈ Σ, Σ; Γ ⊢ Definition 3.5, Statement 2 and the typing rules. □ 훼 푛 ⃗푥 ∶ 퐵, where all the variables in the vector 푛⃗푥 are distinct, Σ; Γ ⊢ 푡 ∶ 퐵, and fv(푡) ⊆ {푛 ⃗푥 }, then Σ; · ⊢ 휆푛.(푡[푛 ⃗푥 ↦ We want our rules not only to produce well-typed so- 푛 − 1, …, 0]) ∶ 퐴 and 휆푛.(푡[푛 ⃗푥 ↦ 푛 − 1, …, 0]) @푛 ⃗푥 = 푡. lutions, but also to preserve all the possible solutions of the problem to which they are applied. We call this prop- Statement 10 (Replacement of neutrals). If Σ; Γ ⊢ ℎ ⇒ 퐴, erty completeness. This property implies that if the result- Σ; Γ ⊢ 푡 ∶ 퐴 and Σ; Γ ⊢ ℎ ⃗푒∶ 푇 , then Σ; Γ ⊢ 푡 @ ⃗푒∶ 푇 . ing problem has a unique solution, or no solution, then the Statement 11 (Context weakening). If Σ; · ⊢ 푡 ∶ 퐴 and same holds for the original problem. Σ ⊢ Γ ctx, then Σ; Γ ⊢ 푡 ∶ 퐴. With the aim of making the statement of what it means for a rule schema to be complete easier to understand, we de- Lemma 3.17. Rule Schema 11 is sound. fine a notion of signature called metasubstitution in which Proof sketch. all metavariables are instantiated. (i) Because the original problem is well-formed we have Θ Σ sig, Σ; Γ1 ⊢ 훼 ⃗푥∶ 퐵1 and Σ; Γ2 ⊢ 푡 ∶ 퐵2. The Definition 3.20 (Metasubstitution). A metasubstitution rule preconditions and Lemma 3.12 imply that Σ; Γ ⊢ is a signature of the form Θ ∶∶= · | Θ, 핒 ∶ 퐴 | 훼 ≔ 푡 ∶ 퐴, 훼 ⃗푥∶ 퐵 and Σ; Γ ⊢ 푡 ∶ 퐵. Let 푡′ = 푡[ ⃗푥↦ 푛 − 1, …, 0]. where the types and terms in Θ are all metavariable-free. By Statement 9 we have Σ; · ⊢ 휆푛.푡′ ∶ 퐴. By State- We say that Θ is a well-formed metasubstitution (Θ wf) Θ Θ ment 8 consts(퐴) ⊆ decls(Σ1). Statement 7 implies iff is a metasubstitution and sig. that Σ ; · ⊢ 휆푛.푡′ ∶ 퐴, so Σ′ sig. By Definition 3.10 1 Equality of metasubstitutions is defined analogously to we get that Σ ⊑ Σ′. signature extension: (ii) Because Σ′ sig, Σ′; □ is a well-formed problem. (iii) Assume Σ″ ⊒ Σ′. Definition 3.21 (Equality of metasubstitutions). We say By Statement 9 we get that Σ; · ⊢ 휆푛.푡′ ∶ 퐴 (as men- that the metasubstitutions Θ and Θ′ are equal (written Θ ≡ 푛 ′ ′ ′ tioned above) and 휆 .푡 @ ⃗푥= 푡. By Statement 1 Θ ) if Θ1 wf, Θ2 wf and Θ1 ≡ Θ2, where: Practical Dependent Type Checking using Twin Types TyDe ’20, August 23, 2020, Virtual Event, USA

′ ′ (i) Θ1, 핒 ∶ 퐴, Θ2 ≡ Θ1, 핒 ∶ 퐴 ,Θ2 if §2.5 (ignoring the fact that some features used to state the ′ Θ1; · ⊢ 퐴 ≡ 퐴 type problem are not part of the theory described above). All in- ′ ′ (ii) Θ1, 훼 ≔ 푡 ∶ 퐴, Θ2 ≡ Θ1, 훼 ≔ 푡 ∶ 퐴 ,Θ2 if termediate signatures and constraints are well-formed. ′ Θ1; · ⊢ 퐴 ≡ 퐴 type ′ ′ Example 3.24. As in §2.5, define a problem Σ; 풞1, 풞2: (iii) Θ1, 훼 ≔ 푡 ∶ 퐴, Θ2 ≡ Θ1, 훼 ≔ 푡 ∶ 퐴, Θ2 if ′ Θ1; · ⊢ 푡 ≡ 푡 ∶ 퐴 Σ ≝ 픽 ∶ Bool → Set, 훼 ∶ Bool → BoolOp (iv) Θ ≡′ Θ′ if Θ′ is a reordering of Θ ? 풞1 ≝ 푥 ∶ Bool‡Bool ⊢ 픽 (get (훼 푥)) → BoolOp ≅ (v) Θ ≡′ Θ if Θ ≡ Θ and Θ ≡ Θ 1 3 1 2 2 3 픽 true → BoolOp ∶ Set‡Set Definition 3.22 (Metasubstitution compatibility). A meta- ? 풞2 ≝ 푥 ∶ Bool‡Bool ⊢ 휆푦.None ≅ 휆푦.(훼 푥) ∶ substitution Θ is compatible with an internal problem Σ; 풞⃗ (픽 (get (훼 푥)) → BoolOp)‡(픽 true → BoolOp) (Θ ⊨ Σ; 풞)⃗ if Θ and Σ; 풞⃗ are well-formed and: Θ ⊨ Σ (Θ) = (Σ) Step 1. By applying Rule Schema 2 to 풞2 we get (i) , that is, decls decls and for each ′ ′ 퐷 ∈ Σ 퐷 = 핒 ∶ 퐴 Θ; · ⊢ Σ; 풞1, 풞2 ⇝ Σ; 풞1, 풞2, where 풞2 ≝ 푥 ∶ Bool‡Bool, declaration , either (i) and ? 핒 ∶ 퐴, (ii) 퐷 = 훼 ∶ 퐴 and Θ; · ⊢ 훼 ∶ 퐴, or (iii) 푦 ∶ 픽 (get (훼 푥)) ‡ 픽 true ⊢ None ≅ 훼 푥 ∶ 퐷 = 훼 ≔ 푢 ∶ 퐴 and Θ; · ⊢ 훼 ≡ 푢 ∶ 퐴. BoolOp‡BoolOp. (ii) For each constraint 풞 = Γ‡Γ′ ⊢ 푡 ≅? 푢 ∶ 퐴‡퐴′ ∈ 풞,⃗ Step 2. By applying a symmetric variant of Rule Schema 11 풞′ Σ; 풞 , 풞′ ⇝ Σ′; 풞 Σ′ ≝ 픽 ∶ Θ ⊨ 풞, that is, we have Θ ⊢ Γ ≡ Γ′ ctx, Θ; Γ ⊢ 퐴 ≡ to 2 we get 1 2 1, where ′ Bool → Set, 훼 ≔ 휆푦.None ∶ Bool → BoolOp. 퐴 type, and Θ; Γ ⊢ 푡 ≡ 푢 ∶ 퐴. ′ Step 3. By applying Rule Schema 3 to 풞1 we get Σ ; 풞1 ⇝ We say that a rule schema is complete if it preserves com- ′ ′ ′ Σ ; 풞1, where 풞1 ≝ 푥 ∶ Bool‡Bool ⊢ 픽 true → patible metasubstitutions in the following way: BoolOp ≅? 픽 true → BoolOp ∶ Set‡Set. ′ ′ ′ Definition 3.23 (Completeness of a rule schema). A rule Step 4. By Rule Schema 1 Σ ; 풞1 ⇝ Σ ; □. ⃗ ′ ⃗ ⋆ ′ ′ schema is complete if, for each rule Σ;풞 ⇝ Σ ;풟 in the Thus we have Σ; 풞1, 풞2 ⇝ Σ ; □. Note that Σ is a meta- ⃗ ′ schema and each metasubstitution Θ such that Θ ⊨ Σ;풞, substitution satisfying Σ ⊨ Σ; 풞1, 풞2. By Statement 13 this there is a metasubstitution Θ′ such that Θ′ ⊨ Σ′;풟⃗ and solution is unique (up to ≡). □ ′ Θ = ΘΣ (note the use of = rather than ≡). Here ΘΣ (“Θ restricted to Σ”) is a metasubstitution that contains the same 4 Evaluation declarations as Θ, in the same order, except that declarations To assess the practicality of the unification rules in §3 we of metavariables that are not declared in Σ are omitted. have implemented them in a type checker. (No guarantees We have sketched the soundness of some of the rules from are made that the implementation is free of bugs.) The type §3.3 (see Lemmas 3.15, 3.16 and 3.17). We state that all of checker’s performance has been investigated for a small these rules are correct: number of examples. Note that the type checker’s imple- mentation was tuned based on these examples: we make no Statement 12 (Correctness of rules). The rules described in guarantees that it performs well in other cases. §3.3 are sound and complete. We now state the main correctness property: 4.1 Implementation Statement 13 (Correctness of unification). Let Σ; 풞⃗ be an The type checker Tog [24] was used as a starting point. Tog Π internal problem derived from well-formed constraints of the implements an Agda-like language with -types, records η form Σ; Γ ⊢ 푡 ∶ 퐴 ≡? 푢 ∶ 퐵 as per §2.5. Assume that with -equality (also for the unit type), inductive-recursive data types and an identity type. Σ; 풞⇝⃗⇝⋆ Σ′; □, where each step in the sequence is a sound Tog unifies types before terms, which prevents itfrom and complete rule and Σ′ has no uninstantiated metavariable handling Example 2.2 successfully. We have changed Tog’s declarations. Then Σ′ sig, Σ′ ∣≈ 풞,⃗ and there exists a unique ⃗ constraint solver so that it uses twin types and rules based closed solution to Σ;풞 in the sense that there is (i) a metasubsti- on those discussed in §3.3. We call the resulting implemen- ⃗ ̃ ̃ ⃗ tution Θ such that Θ ⊨ Σ; 풞, and (ii) for every Θ, if Θ ⊨ Σ; 풞 tation Tog+. We do not have room to describe exactly how then Θ ≡ Θ̃. the constraint solver makes use of the rules, but the source + For a proof of Statements 12 and 13 under certain assump- code of Tog is available to download [19]. + tions about the type theory, see the first author’s licentiate Tog differs from the framework described in§3 in some thesis [18]. significant ways: Singleton Types With η-Equality Unit types with η- 3.5 Unification Example equality are tricky to implement correctly. Failure to Here we show how an algorithm may apply the rules from take the effects of the η rule into account may result §3.3 in order to solve the unification problem described in in lack of completeness [3]. In an attempt to address TyDe ’20, August 23, 2020, Virtual Event, USA Víctor López Juan and Nils Anders Danielsson

this we (i) restrict pruning so that it is not applied to Set‡Set, Σ; Γ ⊢ Bool ≈ Bool ∶ Set‡Set, Σ; Γ ⊢ true ≈ true ∶ terms of potentially singleton type and (ii) avoid us- Bool‡Bool and Σ; Γ ⊢ false ≈ false ∶ Bool‡Bool.) age of Rule Schema 9 until it is known that the types Tog+ uses less time than Agda for most of the examples. of both sides are not singletons. However, we are cautious about claiming a performance im- Recursive Definitions Tog and Tog+ admit general recur- provement with respect to Agda, because Agda does certain sion and negative data types. We ignore issues related things that our prototype does not (even though we did turn to this. off Agda’s termination and positivity checkers). Note also Unordered Signatures Signatures are ordered (Defini- that the examples were chosen because they were challeng- tion 3.1). Agda, Tog and Tog+ use unordered signa- ing for a previous version of Agda. Our takeaway is that, for tures. This introduces a possibility of cyclic dependen- these examples, the execution times are comparable. cies between declarations. We use an occurs check to The right column of Figure 3 shows the peak amount of ensure that a metavariable is not used, directly or in- memory used for each implementation. Tog+ uses much less directly, in its own body. However, we do not check memory than Agda, perhaps due to the use of hash-consing. that a metavariable is not used in its own type. Nei- Data and R code used for the figures is available [17]. ther does Agda [1], although such a check could be implemented. 5 Related Work Tog+ also implements a number of optimizations beyond We review the history of higher-order unification in the con- the ones already in Tog, including the following ones: text of dependent types, and then discuss the approaches taken by some popular implementations. (i) We keep track of constraints which it is sufficient to satisfy for both sides of a twin type to become equal, Higher-Order Unification. The problem of higher- and use this information, for instance, when check- order unification is in general undecidable [14]. An al- ing the heterogeneous context equality precondition gorithm for higher-order unification was proposed by of Rule Schema 11 (metavariable instantiation). Huet [15]: the algorithm enumerates all possible unifiers (ii) We use an “unblocker” mechanism, extending the one but, due to the undecidability of the problem, the algorithm implemented in Tog [24]. This mechanism keeps track might not terminate. Miller [26] discovered that, when the of which metavariables and constraints are prevent- constraints are of a specific form (the pattern fragment), the ing a constraint from being reduced, and postpones problem becomes decidable. Reed [30] presented a termi- work on the constraint until the blocking metavari- nating algorithm for dynamic pattern unification. Abel and ables have been instantiated and the blocking con- Pientka [5] extended dynamic pattern unification to handle straints have been solved. Σ-types with η-equality. (iii) We use hash-consing and memoization to (at least in Dependent type checking with metavariables using some cases) speed up common operations on terms higher-order unification was implemented in ALF[22, 21]. and reduce memory usage. In particular this enables In ALF intermediate terms are well-typed only modulo a set us to implement Rule Schema 1 efficiently. of constraints. Muñoz [27] shows how to perform unifica- tion in dependent type theories such as the Calculus of Con- 4.2 Benchmarks structions [9] in a way that is well-typed at every step. As We have benchmarked the implementation using an ex- Norell and Coquand [29, 28] point out, ill-typed terms may ample based on McBride’s method for representing de- cause the type checker to loop. Their solution is to replace pendently typed languages inside dependently typed lan- possibly ill-typed subterms by guarded constants, terms that guages [25]. We defined a small type theory inside+ Tog do not normalize until a given constraint is satisfied. (and Agda) using this technique, and then we defined sev- Uniqueness and the Open-World Assumption. Imple- eral types inside this type theory: partial definitions of “se- mentations of algorithms performing logical reasoning may toid” and “precategory”, and full definitions of other math- or may not conform to the open-world assumption (OWA), ematical structures. Our code makes use of implicit argu- + which is “the assumption that what is not known to be true ments, and some of the constraints produced by Tog are or false might be true” [16]. similar to, or more complicated than, those in Example 2.2. Under the OWA, given the signature Σ = 픸 ∶ Set, 핒 ∶ 픸, The left column of Figure 3 shows the time required to whether “푡 = 핒 is the unique term such that Σ; · ⊢ 푡 ∶ 픸” type check the examples in each of the tested implementa- is unknown, as this will not hold if Σ is extended with, for tions (real execution time). We first observe that, if we com- 핓 ∶ 픸 + example, the declaration . Whether a rule respects the pare Tog with and without the syntactic equality rule (Rule OWA is defined as follows: Schema 1), we observe an increase of execution time across all examples. (When the syntactic equality rule is disabled Definition 5.1. A rule schema respects the open-world as- Tog+ instead uses specific cases such as Σ; Γ ⊢ Set ≈ Set ∶ sumption if, for each rule Σ;풞⃗ ⇝ Σ′;풟⃗, and any declaration Practical Dependent Type Checking using Twin Types TyDe ’20, August 23, 2020, Virtual Event, USA

Setoid Setoid

Structure Precat. Precat.

0 5000 10000 15000 20000 0 300 600 900 CPU (ms) Memory (MB)

Ref. graph Ref. graph

Multigraph Multigraph

Subset Subset

Pointed Pointed Structure

Type Type

0 200 400 600 0 10 20 30 CPU (ms) Memory (MB)

Implementation Tog⁺ without the syntactic equality rule Tog⁺ Agda

Figure 3. Median resource usage for the examples. The top row shows the resource usage for the two largest examples, while the bottom row shows corresponding information for the rest, using different scales. Each example is benchmarked 40 times. We plot the median value and error bars spanning 95% confidence intervals (bootstrapped, 1000 samples).

퐷 = 핒 ∶ 퐴, 퐷 = 훼 ∶ 퐴, or 퐷 = 훼 ∶ 퐴 with Σ, 퐷 sig and are in the pattern fragment, and are otherwise postponed Σ′, 퐷 sig, it contains the rule Σ, 퐷;풞⃗ ⇝ Σ′, 퐷;풟⃗. until instantiations of metavariables allow these postponed constraints to be simplified. Metavariables are only instanti- The metasubstitutions we define (Definition 3.20) contain ated when the solution is unique (ignoring bugs). Our proto- no uninstantiated metavariables, similarly to the grounding type uses the same technique. However, in Agda constraints metasubstitutions defined by Abel and Pientka [5]. We do have a single context and a single type. Agda instead uses not believe that the resulting notion of completeness (Defi- guarded constants. nition 3.23) necessarily entails the open-world assumption. When subjected to the constraints in Example 2.1 Agda However, it holds for the rules defined in §3.3. replaces the type of 푥 with a guarded constant 푝 of type Set, ? Lemma 5.2. The rule schemas defined in§3.3 respect the yielding the constraint 푥 ∶ 푝 ⊢ 훼 푥 ≡ 픻 (푓 (훽 0) 푥) ∶ Set. open-world assumption. The constant 푝 is convertible to ℕ if the constraint · ⊢ ℕ ≡ 퐹 (훽 0) ∶ Set is solved. Despite guarding the type of 푥, the Proof sketch. Let Σ;풞⃗ ⇝ Σ′;풟⃗ belong to one of the rule type checker still performs the ill-typed instantiation that schemas in §3.3, and let 퐷 be such that Σ, 퐷 sig and we discuss in §2.3. Σ′, 퐷 sig. By definition of the rule schema (and, for Rule In the course of this work the first author discovered that Schemas 3, 7, 9, 10 and 11, by Statement 3) we have that this issue [20] can be solved using further application of the Σ, 퐷;풞⃗ ⇝ Σ′, 퐷;풟⃗ belongs to the same rule schema. (For technique of guarded constants, and proposed a fix to the Rule Schema 10 one can show by induction on the deriva- Agda developers. However, this fix was reverted after the tion, using Statement 3, that for any Σ, Σ′ and 퐷, if Σ ⊑ Σ′, second author found that it caused a regression [2]. For an- Σ, 퐷 sig and Σ′, 퐷 sig, then Σ, 퐷 ⊑ Σ′, 퐷.) □ other open issue [10] we are unaware of any fix not involv- ing a heterogeneous approach to unification such as the one An alternative approach, taken by Gundry [12], is to al- discussed in this paper. low solutions to contain uninstantiated metavariables, and Finally it is not clear how to handle the unit type with η- to discuss most general solutions instead of uniqueness. equality while preserving completeness. Agda is not always Agda. Agda uses dynamic pattern unification with post- complete [3], while we have opted to implement a weaker ponement [28]: constraints are solved immediately if they TyDe ’20, August 23, 2020, Virtual Event, USA Víctor López Juan and Nils Anders Danielsson notion of pruning and of Rule Schema 9 with the aim of as Agda. Note that overly eager normalisation of terms can avoiding the issue. have adverse effects on performance. Rule Schema 12 in this text supports the case where Other Proof Assistants. Other languages/proof assis- the curried variable (e.g. 푥) has a twin type (i.e. 푥 ∶ tants based on intensional type theory include Coq [31], Σ퐴1퐵1‡Σ퐴2퐵2). This contrasts with the rule in the origi- Idris [8], Lean [11] and Matita [7]. All of them handle code nal twin approach [12, expression 4.22] in which the vari- that we created based on Example 2.1 adequately, but they able must have a single type, but instead, the type may fail to type check code that we created based on Example 2.2. be of the form 푥 ∶ Π퐴1…Π퐴푛Σ푈1푈2. We believe that Gundry and McBride. As mentioned above the ap- this difference is not fundamental, presumably both ap- proach used in this text is based on the one by Gundry and proaches could be updated to support both features (i.e. McBride [13, 12]. They use a theory with twin types, twin 푥 ∶ Π퐴1…Π퐴푛Σ푈1푈2‡Π퐵1…Π퐵푛Σ푉1푉2). variables, a ternary notion of judgmental equality, and two Finally we can mention that Gundry gives criteria to de- universe levels, where Π-types and Σ-types may only be tect, in some cases, whether a constraint is unsolvable. formed with types of the first level. They prove that their system only produces well-typed, most general solutions. 6 Conclusions For simplicity we include a type-in-type rule. This allows We have presented an approach to higher-order unifica- us to support complex examples such as the ones we bench- tion with dependent types. Our approach is based on that mark (§4.2), which use terms of the form ΠSet퐵 and Σ퐴Set of Gundry and McBride [13, 12], but it does not use twin which cannot be typed in their theory. We justify the cor- variables. Under certain assumptions—that we hope would rectness of our approach under certain assumptions that we hold in a fully stratified version of the theory—the solu- hope would hold with a proper stratification of the theory. tions produced are well-typed (see Lemma 3.19), fulfilling Gundry and McBride’s judgmental equality is ternary, of Goal #1 (§2.3). The approach allows terms to be (at least the form Θ|Γ ⊢ 퐴 ∋ 푡 ≡[푣]≡ 푢:“푡 is equal to 푢, with η-long partially) unified before their types are known to be (fully) standard form 푣, at type 퐴 in context Γ and metacontext Θ”. equal (see §3.5), fulfilling Goal #2 (§2.4). The metacontext Θ may contain metavariable declarations We have tested the approach by adapting an existing type (훼 ∶ 퐴) and instantiations (훼 ≔ 푡 ∶ 퐴), as well as unification checker for a tiny variant of Agda. The implementation can constraints. The context Γ may contain both single-typed handle at least one example that Coq, Idris, Lean and Matita (푥 ∶ 푇 ) and twin-typed ( ̂푥∶ 푇1‡푇2) variables. cannot. It can also handle an example that a previous ver- The heterogeneous equality introduced above (Defini- sion of Agda struggled with in time and space comparable tion 3.5) is inspired by Gundry and McBride’s ternary equal- to or better than that used by the current version ofAgda. ity. However, there are some differences: (i) Our heterogeneous equality is distinct from the judg- Acknowledgments mental equality. The idea is that it should be possible to use the methods described in this text in the imple- We want to thank Andreas Abel, Jesper Cockx, Ulf Norell mentation of a language like Agda without having to and Andrea Vezzosi for discussions about higher-order uni- switch to a new form of judgmental equality. fication and its implementation in Agda. We also wantto (ii) Our heterogeneous equality can equate terms of dif- thank Adam Gundry for clarifications about his PhD thesis, ferent types. This enables the implementation of Rule which was one of the starting points for this work. Finally Schema 1 as it is, without any need to, say, check that we thank some anonymous reviewers for useful feedback. the types are equal. The second author has been supported by a grant from the Swedish Research Council (621-2013-4879). Our implementation generalizes the approach to support inductive-recursive types and parameterized records with η- equality, including a unit type with η, with the correspond- References ing adaptations and generalizations of the unification rules. [1] Andreas Abel, Jesper Cockx, and Nils Anders Danielsson. 2015. Agda This allowed us to test the implementation with some com- allows “very dependent” types. Agda Issue #1556. Retrieved 2020-06- 30 from https://github.com/agda/agda/issues/1556 plex examples (§4.2). However, we have not proved that [2] Andreas Abel, Jesper Cockx, Nils Anders Danielsson, and Víctor these extensions are implemented correctly. López Juan. 2020. Regression related to fix of #3027. Agda Issue Gundry and McBride’s approach is formulated with fully #4408. Retrieved 2020-06-30 from https://github.com/agda/agda/ βδ-normalized terms (i.e. with all instantiated metavariables issues/4408 immediately replaced by their bodies), and this simplifies [3] Andreas Abel, Nils Anders Danielsson, and Víctor López Juan. 2017. β Overzealous pruning (reprise). Agda Issue #2876. Retrieved 2020-06- some things. We have chosen to use terms in -normal form 30 from https://github.com/agda/agda/issues/2876 but allow δ-redexes to remain in the terms, with the aim of [4] Andreas Abel, Martin Stone Davis, Ulf Norell, et al. 2017. (No longer keeping the theory close to existing implementations such an) Internal error at src/full/Agda/TypeChecking/Substitute.hs:98. Practical Dependent Type Checking using Twin Types TyDe ’20, August 23, 2020, Virtual Event, USA

Agda Issue #2709. Retrieved 2020-06-30 from https://github.com/ [19] Víctor López Juan, Francesco Mazzoli, Nils Anders Danielsson, Ulf agda/agda/issues/2709 Norell, Andrea Vezzosi, Andreas Abel, et al. 2020. Tog+. https: [5] Andreas Abel and Brigitte Pientka. 2011. Higher-Order Dynamic Pat- //doi.org/10.5281/zenodo.3924250 tern Unification for Dependent Types and Records. In Typed Lambda [20] Víctor López Juan and Ulf Norell. 2018. Internal error in the presence Calculi and Applications (TLCA 2011). https://doi.org/10.1007/978-3- of unsatisfiable constraints. Agda Issue #3027. Retrieved 2020-06-30 642-21691-6_5 from https://github.com/agda/agda/issues/3027 [6] Robin Adams. 2004. A modular hierarchy of logical frame- [21] Lena Magnusson. 1994. The Implementation of ALF – a Proof Editor works. Ph.D. Dissertation. Faculty of Engineering and Phys- based on Martin-Löf’s Monomorphic Type Theory with Explicit Substitu- ical Sciences, University of Manchester. Retrieved 2020-06- tion. Ph.D. Dissertation. Department of Computer Science, Chalmers 30 from https://repository.royalholloway.ac.uk/items/2fa04c91-c933- University of Technology. 8da6-3bc4-9d300b20cc54/10/ [22] Lena Magnusson and Bengt Nordström. 1993. The ALF proof editor [7] Andrea Asperti, Wilmer Ricciotti, Claudio Sacerdoti Coen, and Enrico and its proof engine. In International Workshop on Types for Proofs Tassi. 2011. The Matita interactive theorem prover. In International and Programs (TYPES 1993). 213–237. https://doi.org/10.1007/3-540- Conference on Automated Deduction (CADE 2011). https://doi.org/10. 58085-9_78 1007/978-3-642-22438-6_7 [23] Francesco Mazzoli and Andreas Abel. 2016. Type checking through [8] Edwin Brady. 2013. Idris, a general-purpose dependently typed pro- unification. arXiv:1609.09709v1 gramming language: Design and implementation. Journal of Func- [24] Francesco Mazzoli, Nils Anders Danielsson, Ulf Norell, Andrea Vez- tional Programming 23, 5 (2013), 552–593. https://doi.org/10.1017/ zosi, Andreas Abel, et al. 2017. Tog - A prototypical implementation S095679681300018X of dependent types. Retrieved 2020-06-30 from https://github.com/ [9] Thierry Coquand and Gérard Huet. 1988. The calculus of construc- bitonic/tog tions. Information and Computation 76, 2 (1988), 95 – 120. https: [25] Conor McBride. 2010. Outrageous but Meaningful Coincidences: De- //doi.org/10.1016/0890-5401(88)90005-3 pendent type-safe syntax and evaluation. In Proceedings of the 6th [10] Nils Anders Danielsson and Ulf Norell. 2014. Inconsistent constraints ACM SIGPLAN Workshop on Generic Programming (WGP’10). https: leading to violated invariants in conversion checking. Agda Issue //doi.org/10.1145/1863495.1863497 #1467. Retrieved 2020-06-30 from https://github.com/agda/agda/ [26] Dale Miller. 1991. A logic programming language with lambda- issues/1467 abstraction, function variables, and simple unification. Journal of logic [11] Leonardo de Moura, Jeremy Avigad, Soonho Kong, and and computation 1, 4 (1991), 497–536. https://doi.org/10.1093/logcom/ Cody Roux. 2015. Elaboration in Dependent Type Theory. 1.4.497 arXiv:1505.04324 [cs.LO] [27] César Muñoz. 2001. Proof-term synthesis on dependent-type systems [12] Adam Gundry. 2013. Type Inference, Haskell and Dependent Types. via explicit substitutions. Theoretical Computer Science 266, 1-2 (2001), Ph.D. Dissertation. Department of Computer and Information Sci- 407–440. https://doi.org/10.1016/S0304-3975(00)00196-1 ences, University of Strathclyde. Retrieved 2020-06-30 from http: [28] Ulf Norell. 2007. Towards a practical programming language based on //adam.gundry.co.uk/pub/thesis/ dependent type theory. Ph.D. Dissertation. Department of Computer [13] Adam Gundry and Conor McBride. 2012. A tutorial implementation Science and Engineering, Chalmers University of Technology, Swe- of dynamic pattern unification. Unpublished. Retrieved 2020-06-30 den. Retrieved 2020-06-30 from http://www.cse.chalmers.se/~ulfn/ from http://adam.gundry.co.uk/pub/pattern-unify/ papers/thesis.pdf [14] Gérard P Huet. 1973. The undecidability of unification in third order [29] Ulf Norell and Catarina Coquand. 2007. Type checking in the presence logic. Information and control 22, 3 (1973), 257–267. https://doi.org/ of meta-variables. Unpublished. Retrieved 2020-06-30 from http: 10.1016/0304-3975(81)90040-2 //www.cse.chalmers.se/~ulfn/papers/meta-variables.html [15] Gerard P. Huet. 1975. A unification algorithm for typed 휆-calculus. [30] Jason Reed. 2009. Higher-Order Constraint Simplification in Depen- Theoretical Computer Science 1, 1 (1975), 27–57. https://doi.org/10. dent Type Theory. In Proceedings of the Fourth International Work- 1016/0304-3975(75)90011-0 shop on Logical Frameworks and Meta-Languages: Theory and Practice [16] C. Maria Keet. 2013. Open World Assumption. In Encyclopedia of Sys- (LFMTP ’09). 49–56. https://doi.org/10.1145/1577824.1577832 tems Biology. 1567–1567. https://doi.org/10.1007/978-1-4419-9863- [31] The Coq Development Team. 2020. Coq 8.11.0. Retrieved 2020-06-30 7_734 from https://coq.inria.fr/news/coq-8-11-0-is-out.html [17] Víctor López Juan. 2020. Benchmark data for “Practical Dependent [32] Kevin Watkins, Iliano Cervesato, Frank Pfenning, and David Walker. Type Checking Using Twin Types”. https://doi.org/10.5281/zenodo. 2003. A concurrent logical framework: The propositional fragment. In 3924267 International Workshop on Types for Proofs and Programs (TYPES 2003). [18] Víctor López Juan. 2020. Practical Unification for Dependent Type 355–377. https://doi.org/10.1007/978-3-540-24849-1_23 Checking. Licentiate Thesis (draft). Department of Computer Science [33] Beta Ziliani and Matthieu Sozeau. 2017. A comprehensible guide toa and Engineering, Chalmers University of Technology, Sweden. Re- new unifier for CIC including universe polymorphism and overload- trieved 2020-06-30 from https://lopezjuan.com/project/licentiate/ ing. Journal of Functional Programming 27 (2017). https://doi.org/10. 1017/S0956796817000028